Snoop-it
Add Cydia source:
http://repo.nesolabs.de/
Cydia sources
http://www.bestcydiasources.com/
Introspy
iOS 9 unsupported
https://github.com/iSECPartners/Introspy-iOS/issues/38
SSL Killswitch 2
https://github.com/nabla-c0d3/ssl-kill-switch2
isrs-iPad:~ root# dpkg -i com.nablac0d3.SSLKillSwitch2_0.10.deb
Selecting previously deselected package com.nablac0d3.sslkillswitch2.
(Reading database ... 4846 files and directories currently installed.)
Unpacking com.nablac0d3.sslkillswitch2 (from com.nablac0d3.SSLKillSwitch2_0.10.deb) ...
Setting up com.nablac0d3.sslkillswitch2 (0.10-2) ...
isrs-iPad:~ root# killall -HUP SpringBoard
Apple File Conduit "2"
iFunbox can only see the contents of the var folder after this is installed.
Clutch2
Add Cydia source:
http://cydia.iphonecake.com
If you get a permission error:
isrs-iPad:~ root# Clutch2
-sh: /usr/bin/Clutch2: Permission denied
isrs-iPad:~ root# chmod 755 /usr/bin/Clutch2
NIN: The iphonecake repo no longer has Clutch2.
Ref: mwrlabs/needle
$ curl -ksL "http://cydia.iphonecake.com/Clutch2.0.4.deb" -o /var/root/kill.deb
$ dpkg -i /var/root/kill.deb && rm -f /var/root/kill.deb
$ killall -HUP SpringBoard
A Quick Guide to Using Clutch 2.0 to Decrypt iOS Apps | Digital Forensics Tips
PList Edit Pro
➜ A6889CA1-CB53-42D1-A59A-42D2BCBCACFE pledit .com.apple.mobile_container_manager.metadata.plist
class-dump, class-dump-z & classdump-dyld
class-dump & class-dump-z
From a given executable, class-dump and class-dump-z will generate header files with class interfaces. (class-dump may produce better headers than class-dump-z for recent binaries.) This lets you analyze which methods exist in the executable, which can help you guess which ones to hook to get a given piece of functionality.
- Download class-dump - Steve Nygard.
- Download class-dump-z
Both can be installed on the iPhone.
// Upload the class-dump-z binary to the iPhone with Cyberduck
ninos-iPhone:~ root# cp class-dump-z /usr/bin/
ninos-iPhone:~ root# chmod 755 /usr/bin/class-dump-z
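Install class-dump the same way as above.
- Use
class-dump-z xxxx > ./xxxx-classdump.txt
to export the target program's code information into a single text file that is easy to search.
- Use
class-dump-z -H -o ./SourceCode xxxx
to write all of the target program's code information as header files into the specified directory, one file per class.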
classdump-dyld
Installation: Cydia. (Github)
ninos-iPhone:~/lipo-nino root# otool -Vh your_app
your_app (architecture armv7):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7 0x00 EXECUTE 48 5112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
your_app (architecture arm64):
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 48 5696 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
// Need to thin app
ninos-iPhone:~/lipo-nino root# lipo your_app -thin armv7 -o your_app_thin
ninos-iPhone:~/lipo-nino root# classdump-dyld -o classdump/ your_app_thin
Dumping /private/var/root/lipo_nino/your_app_thin...(543 classes) (injected with libclassdumpdyld.dylib)
80% [======================================== ] 435/543 <ADEumBeaconBuilder>
Done. Check "output" directory.
NIN: The output seems to say it worked, but there is nothing in the folder. Reason unknown.
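The otool/lipo step above, done by hand as an added example (not part of the original notes and not code from any of the tools mentioned): a Python parser for the fat Mach-O header that lists the architecture slices and extracts one, as `lipo -thin` does. The sample file is constructed inline with dummy slice bodies, and all function names are hypothetical.

```python
import struct

FAT_MAGIC = 0xCAFEBABE             # fat header magic; fat header fields are big-endian
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 12 | 0x01000000   # CPU_ARCH_ABI64 flag set
ARM_SUBTYPES = {9: "armv7", 11: "armv7s"}

def arch_name(cputype, cpusubtype):
    sub = cpusubtype & 0x00FFFFFF  # drop the capability bits
    if cputype == CPU_TYPE_ARM64:
        return "arm64"
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(sub, "arm")
    return "cputype_%#x" % cputype

def list_slices(data):
    """Return [(arch, offset, size)] for a fat Mach-O; ValueError if not fat or malformed."""
    if len(data) < 8:
        raise ValueError("too short")
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary (thin Mach-O or other file)")
    slices = []
    for i in range(nfat):
        base = 8 + 20 * i          # each fat_arch record is five 32-bit fields
        if base + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, cpusubtype, offset, size, _align = struct.unpack_from(">5I", data, base)
        if offset + size > len(data):
            raise ValueError("slice extends past end of file")
        slices.append((arch_name(cputype, cpusubtype), offset, size))
    return slices

def thin(data, arch):
    """Return the bytes of one architecture slice, as `lipo -thin` would write them."""
    for name, offset, size in list_slices(data):
        if name == arch:
            return data[offset:offset + size]
    raise ValueError("architecture %s not present" % arch)

def build_sample():
    """Constructed two-slice fat file (armv7 + arm64); slice bodies are dummies."""
    s1 = struct.pack("<I", 0xFEEDFACE) + b"\x00" * 12   # MH_MAGIC (32-bit)
    s2 = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 12   # MH_MAGIC_64
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">5I", CPU_TYPE_ARM, 9, 64, len(s1), 4)
    hdr += struct.pack(">5I", CPU_TYPE_ARM64, 0, 80, len(s2), 4)
    return hdr.ljust(64, b"\x00") + s1 + s2

if __name__ == "__main__":
    for name, off, size in list_slices(build_sample()):
        print(name, off, size)
```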