iOS Hooking With Objection

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!

• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

For this section the tool Objection is going to be used. Start by getting an objection's session executing something like:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

You can execute also frida-ps -Uia to check the running processes of the phone.

Basic Enumeration of the app

Local App Paths

• env: Find the paths where the application is stored inside the device

  env
  
  Name               Path
  -----------------  -----------------------------------------------------------------------------------------------
  BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
  CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
  DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
  LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

List Bundles, frameworks and libraries

• ios bundles list_bundles: List bundles of the application

  ios bundles list_bundles
  Executable    Bundle                Version    Path
  ------------  --------------------  ---------  -------------------------------------------
  iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
  AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle

• ios bundles list_frameworks: List external frameworks used by the application

  ios bundles list_frameworks
  Executable                      Bundle                                        Version     Path
  ------------------------------  --------------------------------------------  ----------  -------------------------------------------
  ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                            ...vateFrameworks/CoreDuetContext.framework
  FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                            ...ystem/Library/Frameworks/IOKit.framework
  RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
  jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
  DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
  react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
  react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
  PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
  GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
  RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
  RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
  react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
  CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
  RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
  RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
  RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
  react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
  [..]

• memory list modules: List loaded modules in memory

  memory list modules
  Name                                 Base         Size                 Path
  -----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
  iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
  SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
  SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
  libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
  libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
  libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
  Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
  libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
  [...]

• memory list exports <module_name>: Exports of a loaded module

  memory list exports iGoat-Swift
  Type      Name                                                                                                                                    Address
  --------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
  variable  _mh_execute_header                                                                                                                      0x104ffc000
  function  _mdictof                                                                                                                                0x10516cb88
  function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
  function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
  function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
  function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
  function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
  function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
  function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
  function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
  function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
  function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
  variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
  variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
  variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
  [..]

List classes of an APP

• ios hooking list classes: List classes of the app

  ios hooking list classes
  
  AAAbsintheContext
  AAAbsintheSigner
  AAAbsintheSignerContextCache
  AAAcceptedTermsController
  AAAccount
  AAAccountManagementUIResponse
  AAAccountManager
  AAAddEmailUIRequest
  AAAppleIDSettingsRequest
  AAAppleTVRequest
  AAAttestationSigner
  [...]

• ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:

  ios hooking search classes iGoat
  iGoat_Swift.CoreDataHelper
  iGoat_Swift.RCreditInfo
  iGoat_Swift.SideContainmentSegue
  iGoat_Swift.CenterContainmentSegue
  iGoat_Swift.KeyStorageServerSideVC
  iGoat_Swift.HintVC
  iGoat_Swift.BinaryCookiesExerciseVC
  iGoat_Swift.ExerciseDemoVC
  iGoat_Swift.PlistStorageExerciseViewController
  iGoat_Swift.CouchBaseExerciseVC
  iGoat_Swift.MemoryManagementVC
  [...]

List class methods

• ios hooking list class_methods: List methods of a specific class

  ios hooking list class_methods iGoat_Swift.RCreditInfo
  - cvv
  - setCvv:
  - setName:
  - .cxx_destruct
  - name
  - cardNumber
  - init
  - initWithValue:
  - setCardNumber:

• ios hooking search methods <search_term>: Search a method that contains a string

  ios hooking search methods cvv
  [AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
  [AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
  [AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
  [iGoat_Swift.RCreditInfo - cvv]
  [iGoat_Swift.RCreditInfo - setCvv:]
  [iGoat_Swift.RealmExerciseVC - creditCVVTextField]
  [iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
  [iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
  [iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
  [iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
  [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

Basic Hooking

Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.

Hook all methods of a class

• ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returns

  ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController

Hook a single method

• ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called

  ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return

Change Boolean Return

• ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean

  ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false

Generate hooking template

• ios hooking generate simple <class_name>:

  ios hooking generate simple iGoat_Swift.RCreditInfo
  
  var target = ObjC.classes.iGoat_Swift.RCreditInfo;
  
  Interceptor.attach(target['+ sharedSchema'].implementation, {
    onEnter: function (args) {
      console.log('Entering + sharedSchema!');
    },
    onLeave: function (retval) {
      console.log('Leaving + sharedSchema');
    },
  });
  
  
  Interceptor.attach(target['+ className'].implementation, {
    onEnter: function (args) {
      console.log('Entering + className!');
    },
    onLeave: function (retval) {
      console.log('Leaving + className');
    },
  });
  
  
  Interceptor.attach(target['- cvv'].implementation, {
    onEnter: function (args) {
      console.log('Entering - cvv!');
    },
    onLeave: function (retval) {
      console.log('Leaving - cvv');
    },
  });
  
  
  Interceptor.attach(target['- setCvv:'].implementation, {
    onEnter: function (args) {
      console.log('Entering - setCvv:!');
    },
    onLeave: function (retval) {
      console.log('Leaving - setCvv:');
    },
  });

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.