hacktricks/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md
2022-01-16 18:11:15 +00:00

13 KiB

iOS Hooking With Objection

For this section the tool Objection is going to be used.
Start by getting an objection's session executing something like:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

You can execute also frida-ps -Uia to check the running processes of the phone.

Basic Enumeration of the app

Local App Paths

  • env: Find the paths where the application is stored inside the device

    env
    
    Name               Path
    -----------------  -----------------------------------------------------------------------------------------------
    BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
    CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
    DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
    LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
    

List Bundles, frameworks and libraries

  • ios bundles list_bundles: List bundles of the application

    ios bundles list_bundles
    Executable    Bundle                Version    Path
    ------------  --------------------  ---------  -------------------------------------------
    iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
    AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
    
  • ios bundles list_frameworks: List external frameworks used by the application

    ios bundles list_frameworks
    Executable                      Bundle                                        Version     Path
    ------------------------------  --------------------------------------------  ----------  -------------------------------------------
    ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                              ...vateFrameworks/CoreDuetContext.framework
    FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                              ...ystem/Library/Frameworks/IOKit.framework
    RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
    jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
    DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
    react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
    react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
    PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
    GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
    RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
    RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
    react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
    CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
    RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
    RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
    RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
    react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
    [..]
    
  • memory list modules: List loaded modules in memory

    memory list modules
    Name                                 Base         Size                 Path
    -----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
    iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
    SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
    SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
    libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
    libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
    libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
    Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
    libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
    [...]
    
  • memory list exports <module_name>: Exports of a loaded module

    memory list exports iGoat-Swift
    Type      Name                                                                                                                                    Address
    --------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
    variable  _mh_execute_header                                                                                                                      0x104ffc000
    function  _mdictof                                                                                                                                0x10516cb88
    function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
    function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
    function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
    function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
    function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
    function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
    function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
    function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
    function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
    function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
    variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
    variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
    variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
    [..]
    

List classes of an APP

  • ios hooking list classes: List classes of the app

    ios hooking list classes
    
    AAAbsintheContext
    AAAbsintheSigner
    AAAbsintheSignerContextCache
    AAAcceptedTermsController
    AAAccount
    AAAccountManagementUIResponse
    AAAccountManager
    AAAddEmailUIRequest
    AAAppleIDSettingsRequest
    AAAppleTVRequest
    AAAttestationSigner
    [...]
    
  • ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:

    ios hooking search classes iGoat
    iGoat_Swift.CoreDataHelper
    iGoat_Swift.RCreditInfo
    iGoat_Swift.SideContainmentSegue
    iGoat_Swift.CenterContainmentSegue
    iGoat_Swift.KeyStorageServerSideVC
    iGoat_Swift.HintVC
    iGoat_Swift.BinaryCookiesExerciseVC
    iGoat_Swift.ExerciseDemoVC
    iGoat_Swift.PlistStorageExerciseViewController
    iGoat_Swift.CouchBaseExerciseVC
    iGoat_Swift.MemoryManagementVC
    [...]
    

List class methods

  • ios hooking list class_methods: List methods of a specific class

    ios hooking list class_methods iGoat_Swift.RCreditInfo
    - cvv
    - setCvv:
    - setName:
    - .cxx_destruct
    - name
    - cardNumber
    - init
    - initWithValue:
    - setCardNumber:
    
  • ios hooking search methods <search_term>: Search a method that contains a string

    ios hooking search methods cvv
    [AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
    [AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
    [AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
    [iGoat_Swift.RCreditInfo - cvv]
    [iGoat_Swift.RCreditInfo - setCvv:]
    [iGoat_Swift.RealmExerciseVC - creditCVVTextField]
    [iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
    [iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
    [iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
    [iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
    [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
    

Basic Hooking

Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.

Hook all methods of a class

  • ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returns

    ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
    

Hook a single method

  • ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called

    ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
    

Change Boolean Return

  • ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean

    ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
    

Generate hooking template

  • ios hooking generate simple <class_name>:

    ios hooking generate simple iGoat_Swift.RCreditInfo
    
    var target = ObjC.classes.iGoat_Swift.RCreditInfo;
    
    Interceptor.attach(target['+ sharedSchema'].implementation, {
      onEnter: function (args) {
        console.log('Entering + sharedSchema!');
      },
      onLeave: function (retval) {
        console.log('Leaving + sharedSchema');
      },
    });
    
    
    Interceptor.attach(target['+ className'].implementation, {
      onEnter: function (args) {
        console.log('Entering + className!');
      },
      onLeave: function (retval) {
        console.log('Leaving + className');
      },
    });
    
    
    Interceptor.attach(target['- cvv'].implementation, {
      onEnter: function (args) {
        console.log('Entering - cvv!');
      },
      onLeave: function (retval) {
        console.log('Leaving - cvv');
      },
    });
    
    
    Interceptor.attach(target['- setCvv:'].implementation, {
      onEnter: function (args) {
        console.log('Entering - setCvv:!');
      },
      onLeave: function (retval) {
        console.log('Leaving - setCvv:');
      },
    });