Workshop: iOS app pentesting (Miguel Ángel Arroyo Moreno) CyberCamp 2016 (English)

  • Application Binary Folder: /private/var/mobile/Containers/Bundle/Application
  • Application Data Folder: /private/var/mobile/Containers/Data/Application

Find App

$ cd /private/var/mobile/Containers/Bundle/Application

$ ls -ltr  // sorted by modification time, so the most recently installed app is listed last

$ ls * | grep -i soccer -B5  // also print the 5 lines before the match, to see which container UUID holds the app

Find db

// inside the app's Data container (/private/var/mobile/Containers/Data/Application/<UUID>)

$ find . -name "*.db"
$ file Library/Caches/com.nino.app/Cache.db  // NSURLCache's SQLite store, may hold cached HTTP responses

plist

$ find . -type f -exec file {} \; | grep -i plist  // identifies binary plists too, whatever the extension

$ plutil user.plist  // print the contents (on macOS: plutil -p user.plist)
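The same check done in Python, as an added example that is not from the workshop: it walks a Data container, identifies plists by their magic bytes (`bplist00` for binary, `<?xml` for XML) the way `file` does instead of trusting the `.plist` extension, loads each one with `plistlib`, and flags keys that look like stored credentials. The container layout, file names and values below are constructed sample data, not files from the talk.

```python
import os
import plistlib
import tempfile

# key fragments that usually mean a credential was written to disk in the clear
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "apikey", "api_key", "pin")


def plist_kind(path):
    """Classify a file by magic: 'binary' (bplist00), 'xml', or None if it is not a plist."""
    with open(path, "rb") as f:
        head = f.read(64)
    if head.startswith(b"bplist00"):
        return "binary"
    if head.lstrip().startswith(b"<?xml") or b"<plist" in head:
        return "xml"
    return None


def find_plists(root):
    """Walk a container like `find . -type f -exec file {} \\; | grep -i plist`, ignoring extensions."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = plist_kind(path)
            if kind:
                found.append((os.path.relpath(path, root), kind))
    return sorted(found)


def flatten(obj, prefix=""):
    """Yield (dotted.key, value) pairs for nested dict/list plist content."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def sensitive_entries(path):
    """Load a plist in either encoding and return the keys that look like stored credentials."""
    with open(path, "rb") as f:
        data = plistlib.load(f)  # plistlib detects binary vs XML on its own
    return [(k, v) for k, v in flatten(data) if any(s in k.lower() for s in SENSITIVE_KEYS)]


def scan(root):
    """Every plist in the container, with the credential-looking keys found in each."""
    report = {}
    for rel, kind in find_plists(root):
        report[rel] = {"kind": kind, "hits": sensitive_entries(os.path.join(root, rel))}
    return report


def make_sample_container():
    """Constructed sample Data container (not from the workshop's app)."""
    root = tempfile.mkdtemp(prefix="app-data-")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    # XML plist with a password, the form plutil shows as-is
    with open(os.path.join(prefs, "user.plist"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "level": 3}, f,
                      fmt=plistlib.FMT_XML)
    # binary plist without a .plist extension; only the magic gives it away
    with open(os.path.join(root, "Library", "session.dat"), "wb") as f:
        plistlib.dump({"session": {"authToken": "tok_constructed_123", "expires": 1700000000}}, f,
                      fmt=plistlib.FMT_BINARY)
    # plain text file that must be ignored
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("just text\n")
    return root


if __name__ == "__main__":
    for rel, info in scan(make_sample_container()).items():
        print(rel, info["kind"], info["hits"])
```

Run it with a real container path in place of `make_sample_container()` on a jailbroken device or on a pulled copy of the Data folder; the `hits` list is what goes into the report as "credentials stored in plain text".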

Binary

$ cd <Application_folder>
$ rabin2 -I DamnVulnerableIOSApp

// Architecture
$ otool -Vh DamnVulnerableIOSApp


// Symbols
$ rabin2 -s AppBinary

// strings
$ rabin2 -z AppBinary

Lipo

For a fat (universal) binary, which packs one slice per architecture into a single file, first use lipo to thin it down to one architecture, then run class-dump on the thin slice to dump the Objective-C class interfaces. An App Store build is also FairPlay-encrypted (rabin2 -I reports whether it is), and class-dump needs a decrypted copy.

NIN: the talk was given in Spanish with simultaneous interpretation into English, and the interpretation was not necessarily accurate; the above is my own understanding and may be inaccurate.
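What `lipo -info`, `otool -h` and `rabin2 -I` actually read from the file, as an added example (not code from the workshop): a Python parser for the fat header and the Mach-O header that lists the slices, cuts one of them out the way `lipo -thin <arch>` does, and reports the architecture and bit width of each slice, which is the check from the Architecture step above. The fat binary it runs on is constructed in the block from hand-built headers with no load commands behind them, so only the header layout is real; point it at a real binary by passing the path as the first argument.

```python
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # the fat header is always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header, in the slice's own byte order
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header

CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "armv7", 0x0100000C: "arm64"}
FILE_TYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_mach_header(data):
    """Read a thin Mach-O header (the fields otool -h / rabin2 -I summarise)."""
    (le,) = struct.unpack_from("<I", data, 0)
    (be,) = struct.unpack_from(">I", data, 0)
    if le in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = "<", le
    elif be in (MH_MAGIC, MH_MAGIC_64):
        endian, magic = ">", be
    else:
        raise ValueError("not a thin Mach-O header")
    cputype, _cpusubtype, filetype, ncmds, _sizeofcmds, flags = struct.unpack_from(
        endian + "IIIIII", data, 4)
    return {
        "bits": 64 if magic == MH_MAGIC_64 else 32,
        "arch": CPU_TYPES.get(cputype, hex(cputype)),
        "filetype": FILE_TYPES.get(filetype, filetype),
        "ncmds": ncmds,
        "flags": flags,
    }


def parse_fat(data):
    """List the slices of a fat binary, as lipo -info does."""
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat_arch):  # one 20-byte fat_arch entry per slice, right after the header
        cputype, _subtype, offset, size, align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append({"arch": CPU_TYPES.get(cputype, hex(cputype)),
                       "offset": offset, "size": size, "align": align})
    return slices


def thin(data, arch):
    """Cut one architecture slice out of the file, the equivalent of lipo -thin <arch>."""
    for s in parse_fat(data):
        if s["arch"] == arch:
            return data[s["offset"]:s["offset"] + s["size"]]
    raise KeyError("no %s slice in this binary" % arch)


def describe(data):
    """Tell fat from thin and report the architecture of every slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        return [("fat", s["arch"], parse_mach_header(thin(data, s["arch"])))
                for s in parse_fat(data)]
    return [("thin", None, parse_mach_header(data))]


# --- constructed sample: headers only, no load commands; not a real app binary ---

def build_thin_header(bits, cputype):
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC
    hdr = struct.pack("<IIIIIII", magic, cputype, 0, 2, 0, 0, 0x00200085)  # filetype 2 = MH_EXECUTE
    return hdr + (struct.pack("<I", 0) if bits == 64 else b"")            # 64-bit header has a reserved word


def build_fat(slices, align=12):
    """Lay the given (cputype, bytes) slices out at 2**align boundaries under a fat header."""
    entries, blobs, offset = b"", [], 1 << align
    for cputype, blob in slices:
        entries += struct.pack(">IIIII", cputype, 0, offset, len(blob), align)
        blobs.append((offset, blob))
        offset += ((len(blob) + (1 << align) - 1) >> align) << align
    out = bytearray(offset)
    header = struct.pack(">II", FAT_MAGIC, len(slices)) + entries
    out[:len(header)] = header
    for off, blob in blobs:
        out[off:off + len(blob)] = blob
    return bytes(out)


SAMPLE_FAT = build_fat([(12, build_thin_header(32, 12)),
                        (0x0100000C, build_thin_header(64, 0x0100000C))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    for kind, arch, hdr in describe(data):
        print(kind, arch, hdr)
```

The slice returned by `thin()` written to a file is exactly what `lipo -thin armv7 App -output App_armv7` produces for that architecture; it is the file to hand to class-dump.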

Example

In the talk, Miguel demonstrated a case of using cycript.

The app is a game; class-dump showed that it has two methods, both returning void:

  • setCoins
  • setCash

Get the PID of the running game:

$ ps aux | grep -i soccer  // get the PID

Hook the app with cycript by attaching to that PID, then tamper with it client-side by calling those two setters at runtime.
