iOS Hooking With Objection

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

For this section the tool Objection is going to be used. Start by getting an objection's session executing something like:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

You can execute also frida-ps -Uia to check the running processes of the phone.

Basic Enumeration of the app

Local App Paths

env: Find the paths where the application is stored inside the device

env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

List Bundles, frameworks and libraries

ios bundles list_bundles: List bundles of the application

ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle

ios bundles list_frameworks: List external frameworks used by the application

ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                          ...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                          ...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]

memory list modules: List loaded modules in memory

memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]

memory list exports <module_name>: Exports of a loaded module

memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]

List classes of an APP

ios hooking list classes: List classes of the app

ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]

ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:

ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]

List class methods

ios hooking list class_methods: List methods of a specific class

ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:

ios hooking search methods <search_term>: Search a method that contains a string

ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

Basic Hooking

Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.

Hook all methods of a class

ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returns
```
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```

Hook a single method

ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called
```
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```

Change Boolean Return

ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean
```
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```

Generate hooking template

ios hooking generate simple <class_name>:

ios hooking generate simple iGoat_Swift.RCreditInfo

var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
  onEnter: function (args) {
    console.log('Entering + sharedSchema!');
  },
  onLeave: function (retval) {
    console.log('Leaving + sharedSchema');
  },
});


Interceptor.attach(target['+ className'].implementation, {
  onEnter: function (args) {
    console.log('Entering + className!');
  },
  onLeave: function (retval) {
    console.log('Leaving + className');
  },
});


Interceptor.attach(target['- cvv'].implementation, {
  onEnter: function (args) {
    console.log('Entering - cvv!');
  },
  onLeave: function (retval) {
    console.log('Leaving - cvv');
  },
});


Interceptor.attach(target['- setCvv:'].implementation, {
  onEnter: function (args) {
    console.log('Entering - setCvv:!');
  },
  onLeave: function (retval) {
    console.log('Leaving - setCvv:');
  },
});

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousiOS Frida Configuration NextiOS Protocol Handlers

Last updated 1 year ago