iOS Jailbreak

Jailbreak News; jailbreak me; iDownloadBlog; Can I Jailbreak? Firmware: Apple iOS firmware downloads…

Bypass SSLPinning on FB iOS App

GitHub - phwd/OneForAllFacebook describes a way to bypass SSL pinning in the Facebook iOS app, but it is only a tool; there is no explanation of how it works. According to its description, you first need to join the Facebook group. Demo video: https://www.facebook.com/113702895386410/videos/1466262083463811/
NIN: Things worth learning from this post: how to use dumpdecrypted; applying IPAPatch (to be covered in a separate post).
1. Obtain the cracked IPA
1.1 Make dumpdecrypted
// on Tab 1
$ git clone https://github.com/conradev/dumpdecrypted
$ cd dumpdecrypted
$ make…

Free Space from Filza Trash

For unknown reasons, files in Filza's .Trash took up most of the iPhone's storage (found using Disk Pie). To delete them, tap the favorite icon at the bottom of Filza - Trash, then long-press the folder and delete it. Ref [Tutorial] Quick tip to Filza users to remove trash by tapping favourite button at the bottom to free up some space : jailbreak…

Frida on non-jb device

1. Method 1 - Appmon: How to install Appmon and Frida on a Mac – The sh3llc0d3r's blog
2. Method 2 - Objection: sensepost/objection: objection - runtime mobile exploration
NIN: objection is recommended, since it has many built-in tweaks. When used on a JB device, the app does not need to be patched.
// `frida-ps -U` to get <name>
objection -g…

cydia - dpkg : status database area is locked by another process

If you hit the error in the title:
nino-iPhone:~ root# ps ax | grep dpkg
5677 s000 S+ 0:00.01 grep dpkg
2782 s001 Ss+ 0:00.05 /usr/bin/dpkg --status-fd 54 --no-triggers --unpack --auto-deconfigure /var/mobile/Library/Caches/com.saurik.Cydia/archives/com.rheard.reveal-loader_1.0.0-1_iphoneos-arm.deb
2792 s001 S+ 0:06.…

Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates

Ad Hoc distribution: the developer must register the test devices, and the number of test devices is <= 100. The IPA is installed via iTunes or an iOS RPC communication library (e.g. libimobiledevice).
In-house distribution: no limit on the number of devices; supports OTA installation (e.g. IPA + XML manifest file): <a href="itms-services://?action=downloadmanifest&url=http://www.example.com/manifest.plist">Install App</a> The device accesses ocsp.…

TouchID Bypass with Frida

TouchID authentication comes in two forms: LAContext - Using only the Local Authentication framework to authenticate the user; User Presence - Using Keychain access control lists (ACLs). The first can be bypassed with Frida: it is enough to override the LAContext method evaluatePolicy:localizedReason:reply:. Example - Github. The second cannot be circumvented by hooking frameworks (e.g. frida, cycript), because Keychain data management takes place in the Secure Enclave. Ref Useful…

Uncovering OWASP’s Mobile Risks in iOS Apps - Patrick Wardle - OWASP AppSec California 2015

On YouTube: Synack at AppSec California with Patrick Wardle from Synack. Slides. Tools mentioned in the talk: iOSOpenDev; filemon - An FSEvents client. Exploits mentioned in the talk: PuffChat; Steal WhatsApp database (PoC) | Bas Bosschert; Snapchat Security Disclosure - Gibson Security. iOS App File Structure. App Binary. App Binary Decryption: GitHub - dumpdecrypted; unclear how it differs from Clutch. iOS Reverse Engineering Techniques…

How to use cycript

1. Basics
$ ssh root@IP_ADDRESS
$ cycript -p APPNAME
// Dump all classes
cy# ObjectiveC.classes
2. Enumerate the views of the current controller
// display output nicely
$ ?expand
$ [[UIApp keyWindow] recursiveDescription]
Update 6 Nov 2017: enumerate the current view
$ [[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
3. Get the controller of the current view
Method 1: visibleViewController
cy# UIApp.keyWindow.rootViewController.visibleViewController
Method 2: nextResponder
// Using the “nextResponder” ObjectiveC…