Breaking iOS Apps using Cycript

Description: null Hyderabad Chapter - June 2013 Meet

1. Breaking iOS Apps with Cycript (Satish Bommisetty)

2. Agenda
  • Objective C basics
  • iOS app architecture
  • Decrypting iOS apps
  • Breaking apps with Cycript

3. Native iOS Applications
  • Written in Objective C
  • Developed in Xcode

4. Objective C Basics
  • Objective C lies on top of the C language
  • Interface file (.h):

      @interface Car : NSObject {
          float fillLevel;
      }
      - (void)addGas;
      @end

  • Implementation file (.m):

      @implementation Car
      - (void)addGas {
      }
      @end

5. Objective C Basics
  • Methods pass messages
  • C++: Object->Method(param1, param2)
  • Objective-C: [Object method:param1 param2name:param2]

6. iOS App Architecture
  • iOS App (architecture diagram; not captured in the text)

7. iOS App Architecture
  • Mach-O format
  • Header: target architecture
  • Load commands: location of the symbol table, shared libraries
  • Data: organized in segments

8. iOS App Architecture
  • The header can be viewed using otool: otool -h Binary
  • cputype 12 / cpusubtype 6 = ARM6 (armv6)
  • cputype 12 / cpusubtype 9 = ARM7 (armv7)

9. iOS App Architecture
  • The load commands can be viewed using otool: otool -l Binary

10. Decrypting iOS Apps
  • App Store binaries are encrypted
  • Protects from piracy
  • Similar to the FairPlay DRM used on iTunes music
  • Self-distributed apps are not encrypted
  • The loader decrypts the app when it is loaded into memory
  • A debugger can be used to dump the decrypted app from memory
  • Tools are available: Craculous, Clutch, Installous

11. Cycript
  • Combination of a JavaScript and Objective-C interpreter
  • The app runtime can be easily modified using Cycript
  • Can be hooked to a running process
  • Gives access to all classes and instance variables within the app
  • Used for runtime analysis:
    - Bypass security locks
    - Access sensitive information from memory
    - Authentication bypass attacks
    - Accessing restricted areas of the application

12. Class-dump-z
  • Use class-dump-z on the decrypted binary and map the application
  • Retrieve class declarations
  • Analyze the class-dump output and identify the interesting class

13. iOS App Execution Flow
  • The iOS app's centralized point of control (MVC) is the UIApplication class

14. Breaking iOS Apps
  • Create an object for the class and directly access the instance variables and invoke methods
  • Existing methods can be overwritten easily
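The following is an added example, not code from the slides: a small reader for the Mach-O fields that slides 7 to 9 describe (header with cputype/cpusubtype, then the load commands that `otool -h` and `otool -l` print). It also reads the `cryptid` field of `LC_ENCRYPTION_INFO`, which is the load command that tells you whether an image is App Store encrypted (slide 10) or, like a self-distributed build or a memory dump, in the clear. It assumes a little-endian 32-bit (MH_MAGIC) image, uses constant values from `<mach-o/loader.h>`, and builds its own constructed sample image so it runs offline; the sample's segment, dylib path and offsets are made up.

```python
"""Minimal Mach-O header / load-command reader (added example, not from the slides).

Assumptions: little-endian 32-bit image (MH_MAGIC), as produced for the ARMv6/ARMv7
binaries the slides discuss. Constant values are taken from <mach-o/loader.h>.
"""
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit, same-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, same-endian (has one extra reserved uint32)
MH_EXECUTE = 2
CPU_TYPE_ARM = 12
LC_SEGMENT = 0x01
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21      # cryptoff, cryptsize, cryptid (0 = not encrypted)

ARCH_NAMES = {(CPU_TYPE_ARM, 6): "armv6", (CPU_TYPE_ARM, 9): "armv7"}  # slide 8


def parse_header(data):
    """Decode the mach_header; these are the fields `otool -h` prints."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("not a little-endian Mach-O image: 0x%08x" % magic)
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(
        "<iiIIII", data, 4)
    return {
        "cputype": cputype, "cpusubtype": cpusubtype,
        "arch": ARCH_NAMES.get((cputype, cpusubtype & 0xFF), "unknown"),
        "filetype": filetype, "ncmds": ncmds, "sizeofcmds": sizeofcmds,
        "flags": flags, "header_size": header_size,
    }


def parse_load_commands(data, header):
    """Walk the load commands following the header (what `otool -l` lists)."""
    off = header["header_size"]
    end = off + header["sizeofcmds"]
    cmds = []
    for _ in range(header["ncmds"]):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Never trust cmdsize from the file: bound it before reading further.
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        entry = {"cmd": cmd, "cmdsize": cmdsize}
        if cmd == LC_SEGMENT:
            entry["segname"] = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii")
        elif cmd == LC_LOAD_DYLIB:
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            entry["dylib"] = data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode("ascii")
        elif cmd == LC_ENCRYPTION_INFO:
            entry["cryptoff"], entry["cryptsize"], entry["cryptid"] = struct.unpack_from(
                "<III", data, off + 8)
        cmds.append(entry)
        off += cmdsize
    return cmds


def is_app_store_encrypted(cmds):
    """True when an LC_ENCRYPTION_INFO command carries a non-zero cryptid."""
    return any(c["cmd"] == LC_ENCRYPTION_INFO and c["cryptid"] != 0 for c in cmds)


def build_sample_image(cryptid=1):
    """Constructed armv7 executable stub: one __TEXT segment, one dylib, one encryption-info command."""
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, b"__TEXT",
                      0x1000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    path = b"/System/Library/Frameworks/UIKit.framework/UIKit\0"
    path += b"\0" * (-len(path) % 4)                       # pad to 4-byte boundary
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(path), 24, 0, 0x10000, 0x10000) + path
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x1000, cryptid)
    cmds = seg + dylib + enc
    header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, MH_EXECUTE, 3, len(cmds), 0)
    return header + cmds + b"\0" * 16


if __name__ == "__main__":
    image = build_sample_image()
    hdr = parse_header(image)
    print("arch=%s ncmds=%d" % (hdr["arch"], hdr["ncmds"]))
    for c in parse_load_commands(image, hdr):
        print(c)
    print("encrypted:", is_app_store_encrypted(parse_load_commands(image, hdr)))
```

Run it against a real binary by replacing the constructed image with `open(path, "rb").read()`; fat (multi-architecture) files start with a different magic and need their slice table walked first, which this reader does not do. On a release build you expect `cryptid` to be non-zero; seeing 0 on something that claims to come from the App Store is the quickest sign that you are looking at a dumped image.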