{% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

For this section the tool [**Objection**](https://github.com/sensepost/objection) will be used.\
Start an objection session with something like:

```bash
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
```

You can also run `frida-ps -Uia` to check the running processes on the phone.

# Basic Enumeration of the app

## Local App Paths

* `env`: Find the paths where the application is stored inside the device

```bash
env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```

## List Bundles, frameworks and libraries

* `ios bundles list_bundles`: List the bundles of the application

```bash
ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
```

* `ios bundles list_frameworks`: List the external frameworks used by the application

```bash
ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                          ...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                          ...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]
```

* `memory list modules`: List the modules loaded in memory

```bash
memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]
```

* `memory list exports <module_name>`: Exports of a loaded module

```bash
memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]
```

## List classes of an APP

* `ios hooking list classes`: List the classes of the app

```bash
ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
```

* `ios hooking search classes <search_term>`: Search for a class whose name contains a string. You can search for a unique term related to the **main app package** name to find the app's main classes, as in the example:

```bash
ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
```

## List class methods

* `ios hooking list class_methods`: List the methods of a specific class

```bash
ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
```

* `ios hooking search methods <search_term>`: Search for a method whose name contains a string

```bash
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```

# Basic Hooking

Now that you have **enumerated the classes and modules** used by the application, you may have found some **interesting class and method names**.

## Hook all methods of a class

* `ios hooking watch class <class_name>`: Hook all the methods of a class, dumping all initial parameters and return values

```bash
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```

## Hook a single method

* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Hook a specific method of a class, dumping the method's parameters, backtrace and return value each time it is called

```bash
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```

## Change Boolean Return

* `ios hooking set return_value "-[<class_name> <method_name>]" false`: This makes the selected method return the indicated boolean

```bash
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```

## Generate hooking template

* `ios hooking generate simple <class_name>`:

```bash
ios hooking generate simple iGoat_Swift.RCreditInfo

var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
  onEnter: function (args) {
    console.log('Entering + sharedSchema!');
  },
  onLeave: function (retval) {
    console.log('Leaving + sharedSchema');
  },
});

Interceptor.attach(target['+ className'].implementation, {
  onEnter: function (args) {
    console.log('Entering + className!');
  },
  onLeave: function (retval) {
    console.log('Leaving + className');
  },
});

Interceptor.attach(target['- cvv'].implementation, {
  onEnter: function (args) {
    console.log('Entering - cvv!');
  },
  onLeave: function (retval) {
    console.log('Leaving - cvv');
  },
});

Interceptor.attach(target['- setCvv:'].implementation, {
  onEnter: function (args) {
    console.log('Entering - setCvv:!');
  },
  onLeave: function (retval) {
    console.log('Leaving - setCvv:');
  },
});
```
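
The step from enumeration to hooking can be scripted. The following is an added example, not part of the original page or of objection itself: it parses saved `ios hooking search methods` output, keeps only the app's own Swift module, pairs getters with setters to recover property names, and builds the matching `ios hooking watch method` lines. The function names and the `module` argument are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: part of the `ios hooking search methods cvv` output shown on this page.
SAMPLE = """\
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
"""

LINE = re.compile(r"^\[(\S+) ([+-]) (\S+)\]$")
SETTER = re.compile(r"set([A-Z]\w*):")

def parse_methods(text):
    """Yield (class, '+' or '-', selector) for every well-formed result line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # the echoed command and blank lines do not match
            yield m.groups()

def app_properties(text, module):
    """Map each class of Swift module `module` to properties that have both accessors."""
    getters, setters = defaultdict(set), defaultdict(set)
    for cls, kind, sel in parse_methods(text):
        if kind != "-" or not cls.startswith(module + "."):
            continue  # skip class methods and system/framework classes
        m = SETTER.fullmatch(sel)
        if m:
            setters[cls].add(m[1][0].lower() + m[1][1:])
        elif ":" not in sel:
            getters[cls].add(sel)
    return {c: sorted(g & setters[c]) for c, g in getters.items() if g & setters[c]}

def watch_commands(props):
    """Build objection `watch method` lines (syntax from this page) per accessor."""
    cmds = []
    for cls in sorted(props):
        for prop in props[cls]:
            for sel in (prop, f"set{prop[0].upper()}{prop[1:]}:"):
                cmds.append(f'ios hooking watch method "-[{cls} {sel}]" --dump-args --dump-return')
    return cmds

if __name__ == "__main__":
    for line in watch_commands(app_properties(SAMPLE, "iGoat_Swift")):
        print(line)
```
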