Breaking iOS Apps using Cycript

Post on 09-Jun-2015

DESCRIPTION

null Hyderabad Chapter - June 2013 Meet

TRANSCRIPT

1. BREAKING IOS APPS WITH CYCRIPT
   Satish Bommisetty

2. Agenda
   - Objective C Basics
   - iOS App Architecture
   - Decrypting iOS Apps
   - Breaking apps with Cycript

3. Native iOS Applications
   - Objective C code
   - Developed in Xcode

4. Objective C Basics
   - Objective C lies on top of the C language
   - Interface file (.h)

       @interface Car : NSObject {
           float fillLevel;
       }
       - (void)addGas;
       @end

   - Implementation file (.m)

       @implementation Car
       - (void)addGas {}
       @end

5. Objective C Basics
   - Methods pass messages
   - C++: Object->Method(param1, param2)
   - Objective-C: [Object method:param1 param2name:param2]

6. iOS App Architecture
   - iOS App

7. iOS App Architecture
   - Mach-O format
   - Header
       - Target Architecture
   - Load commands
       - Location of symbol table
       - Shared Libraries
   - Data
       - Organized in Segments

8. iOS App Architecture
   - Header can be viewed using otool
   - otool -h Binary
   - Cputype 12/6 = ARM6
   - Cputype 12/9 = ARM7

9. iOS App Architecture
   - Load can be viewed using otool
   - otool -l Binary

10. Decrypting iOS Apps
   - App Store binaries are encrypted
       - Protects from piracy
       - Similar to Fairplay DRM used on iTunes music
   - Self distributed Apps are not encrypted
   - Loader decrypts the apps when loaded into memory
   - Debugger can be used to dump the decrypted app from memory
   - Tools are available: Crackulous, Clutch, Installous

11. Cycript
   - Combination of JavaScript and Objective-C interpreter
   - App runtime can be easily modified using Cycript
   - Can be hooked to a running process
   - Gives access to all classes and instance variables within the app
   - Used for runtime analysis
       - Bypass security locks
       - Access sensitive information from memory
       - Authentication Bypass attacks
       - Accessing restricted areas of the applications

12. Class-dump-z
   - Use class-dump-z on decrypted binary and map the application
   - Retrieve class declarations
   - Analyze the class dump output and identify the interesting class

13. iOS App Execution Flow
   - iOS app centralized point of control (MVC): UIApplication class

14. Breaking iOS Apps
   - Create object for the class and directly access the instance variables and invoke methods
   - Existing methods can be overwritten easily
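
The Mach-O fields from slides 7 to 10, read directly from the file. This is an added example, not part of the original slides: a small Python parser that reports the header's cputype/cpusubtype and walks the load commands for the symbol table location, the shared libraries, and the encryption state (the `cryptid` field of `LC_ENCRYPTION_INFO`, where 1 means encrypted and 0 means not). The function names and the sample bytes are constructed for illustration; the constants are those of Apple's `<mach-o/loader.h>`.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SYMTAB, LC_LOAD_DYLIB = 0x2, 0xC
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, ARM_SUBTYPES = 12, {6: "ARMv6", 9: "ARMv7"}  # subtypes named on slide 8

def parse_macho(data):
    """Summarise header and selected load commands of a thin little-endian Mach-O."""
    magic, cputype, cpusubtype, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O (fat or foreign file?)")
    off = 32 if magic == MH_MAGIC_64 else 28   # 64-bit header has one extra reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    sub = cpusubtype & 0x00FFFFFF              # drop capability bits in the top byte
    arch = ARM_SUBTYPES.get(sub, "unknown") if cputype == CPU_TYPE_ARM else "non-ARM"
    info = {"cputype": cputype, "cpusubtype": sub, "arch": arch,
            "symtab": None, "dylibs": [], "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        body = data[off:off + cmdsize]
        if cmd == LC_SYMTAB:                   # location of symbol table
            info["symtab"] = struct.unpack_from("<2I", body, 8)  # (symoff, nsyms)
        elif cmd == LC_LOAD_DYLIB:             # shared library; name is at an offset in the command
            (name_off,) = struct.unpack_from("<I", body, 8)
            info["dylibs"].append(body[name_off:].split(b"\0", 1)[0].decode())
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            info["cryptid"] = struct.unpack_from("<3I", body, 8)[2]  # cryptoff, cryptsize, cryptid
        off += cmdsize
    return info

def build_sample(cryptid):
    """Constructed ARMv7 header plus three load commands; not taken from a real app."""
    name = b"/usr/lib/libobjc.A.dylib\0".ljust(28, b"\0")
    cmds = struct.pack("<6I", LC_SYMTAB, 24, 0x4000, 12, 0x5000, 256)
    cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    cmds += struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 3, len(cmds), 0) + cmds

if __name__ == "__main__":
    print(parse_macho(build_sample(1)))
```

A fat (multi-architecture) binary starts with a different magic and is rejected here; each slice would need to be located first and parsed separately.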