Setting Up an iOS Hacking Environment

Introduction

For my first post I am going to walk you through setting up your iOS device for iOS app hacking. You will need a jailbroken iDevice, and although I am going to use my MacBook during this setup you can mostly follow along directly from your device. I am not going to walk you through jailbreaking your device in this article as there are many tutorials available. However, If you are using any device except for iPhone 7/7+, and running iOS 10.x-10.2 you can refer to a tutorial I wrote on Cybrary here You can also use the extra_recipe jailbreak for iPhone 7/7+ on iOS 10.x-10.1.1.

Setup

Once you have jailbroken you will need to setup SSH so you can interact with your device from your computer. In previous jailbreaks you could just install OpenSSH via Cydia. Yalu102 however comes with DropbearSSH preinstalled and installing OpenSSH will break SSH on your device. To setup SSH on your device I recommend following this. After you have setup SSH plug your phone into your computer and open a terminal and SSH into the device by running ssh root@localhost -p 2222 the default password is alpine which I highly recommend changing by running passwd

On Device Tools

ClassDump

The first tool we are going to setup is ClassDump. ClassDump is according to the author “a command-line utility for examining the Objective-C runtime information stored in Mach-O files. It generates declarations for the classes, categories and protocols.” Unfortunately the version of ClassDump on Cydia doesn’t support 64bit apps so we will need to download the Mac/Linux version from here . After you have installed it open up your terminal and make sure it works.

You can also use ClassDumpZ which is said to be faster, however regular ClassDump has always worked just fine for me.

Clutch

The next tool we are going to install is Clutch, which is used to decrypt iOS AppStore IPA’s. You can install Clutch through this Cydia repo, or compile it yourself from the previous link. After you have installed it SSH into your device and make sure it works.

After you run Clutch on an APP you will need to delete and redownload through the app store before you can execute it again.

Cycript

Cycript is a tool developed by Saurik (Creator of Cydia), which can be used to “explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.” You can again install through the hackyouriphone repo we’ve already added or the Cycript site. Once again lets verify everything is running properly by SSHing into our device and running

Frida

Frida is a tool that’s a lot like Cycript, and has a ton of plugins for more functionality. The frida website describes it as “It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.” You can setup frida from here or through the cydia repo. Since frida communicated with your device over USB you will need to plugin your device, then open a shell on your computer and once again, verify that it works.

radare2

Radare2 is a very useful debugger, a lot like gdb. You can use gdb if you prefer, although last time I checked the version ported to iOS is old and hasn’t been updated in a while. To install add the radare2 repo in Cydia.  When I installed last time I had to manually sign a few files with ldid, however this might be fixed by now. After you have installed SSH into your device and run

macOS Specific Tools

Hopper Disassembler

We are now going to look at a couple disassemblers which are a must have during iOS reverse engineering. The first one I am going to introduce you to is Hopper. You can either download a trial version or buy the full version which is fairly cheap compared to the next disassembler we are going to look at (ida pro). Either way you can get hopper from here. For sake of this article I am going to load DVIA into both so you can see what they look like.

IDA Pro

IDA pro is probably the most used disassembler in reverse engineering. The only issue is the free version is old and outdated, and only supports limited CPU architectures. The pro version of IDA costs thousands of dollars and can be a little tricky to buy. There are tons of plugins available and even a couple books dedicated to the use of IDA.

Conclusion

If you made it to the end you now have a capable setup for iOS hacking and Reverse Engineering. There are many more tools that I didn’t cover in this article for sake of it not becoming too long, But I’ll likely do a part 2 and talk about those in a later post. I’ll also be showing you how to use the tools we’ve just installed in future posts by completing challenges in OWASPs iGoat app. To make sure you know when these new posts are live please follow me on twitter at 0xff7 as well as follow the Together We Hack account.

 

Leave a Reply

Your email address will not be published. Required fields are marked *