Skip to content

Latest commit

 

History

History
106 lines (88 loc) · 6.93 KB

README.md

File metadata and controls

106 lines (88 loc) · 6.93 KB

Module 1 - Environment Setup

In this module you'll learn how to setup your device(s) with all the tools you'll need to decrypt apps, transfer them to your computer and perform static and dynamic analysis on them. I'm assuming you already have a jailbroken device. If you don't have a device, you can skip to module 3.

Note: If you need help jailbreaking your device, there are many resources online. One of my favourite sites is iDownloadblog.

On your computer

  • Download the latest version of iTunnel: iTunnel will allow you to SSH over USB.

  • Download the latest version of Cydia Impactor: Impactor will allow you install iOS applications on your device, signed with a developer account's certificate.

  • Download and install Hopper: Hopper is a reverse engineering tool that lets you disassemble, decompile and debug ARM applications, it supports other architectures but in this course I'll focus just on ARM-based binaries. The trial version is enough.

  • Download the latest version of Cycript: Cycript will allow you to modify the applications' behaviour at runtime via an interactive console.

  • Download the latest version of Frida: Frida will allow you to write scripts to change the applications' behaviour at runtime.

    • To install Frida:
    sudo pip install frida-tools
  • Download the latest version of Bettercap: Bettercap will allow you to perform MitM attacks remotely to a device.

  • Download the latest version of class-dump-z: class-dump-z will allow you to dump Objc classes. There's a Swift version but you won't needed since my vulnerable app is written in Objc.

  • Download the latest version of momdec: momdec will allow you to decompile CoreData models.

  • Download the latest version of Ghidra: Ghidra is another reverse engineering tool, which will let you do some of the same tasks as Hopper.

    If your device is on iOS 10.x
    • Download the latest version of Clutch: Clutch will allow you to decrypt iOS applications.
    If your device is on >= iOS 11
    • Download the latest version of bfinject's bfinject.tar: bfinject will allow you to use Cycript and Clutch to decrypt iOS applications.
    If your device is on iOS 12.x
    • Download the latest version of frida-ios-dump: frida-ios-dump will allow you to decrypt iOS applications and transfer them automatically to your computer.
    • Install its dependencies sudo pip install -r requirements.txt --upgrade.

On your device with iOS version < 11.0

  • Open Cydia and search cycript and install it.
  • Open Cydia and search Apple File Conduit "2" and install it.
  • Open Cydia and search frida and install it:
    • Tap the Sources tab.
    • Add a source: https://build.frida.re
    • Now you can go to the Search tab and search for frida.

(Optional) On your device with iOS version < 11.0

In some cases a jailbreak tool for iOS < 11.0 might not come with a SSH client, you might have to install it yourself. To test if your device already has a working SSH:

  • Connect your device to your computer.
  • On your computer, open a terminal window and run iTunnel with the following parameters:
    itnl --lport 2222 --iport 22
    • lport: Stands for Local port and it's the port iTunnel will be locally listening. This can be any port you want.
    • iport: Stands for iPhone port and it's the port iTunnel will use to forward all the packets sent to lport. This has to be 22, since that's the SSH default port.
  • On a different terminal window SSH into your device:
    ssh -p 2222 root@localhost
    • p: Stands for port, this is the port iTunnel is listening on.

If your device asks for a root password then it already has SSH working, thus you can skip this step.

On your device with iOS > 11

  • Connect your device to your computer.
  • On your computer, open a terminal window and run iTunnel with the following parameters:
    itnl --lport 2222 --iport 22
    • lport: Stands for Local port and it's the port iTunnel will be locally listening. This can be any port you want.
    • iport: Stands for iPhone port and it's the port iTunnel will use to forward all the packets sent to lport. This has to be 22, since that's the SSH default port.
  • On a different terminal window SSH into your device:
    ssh -p 2222 root@localhost
    • p: Stands for port, this is the port iTunnel is listening on.
    • Your device will ask you for the root password. The default password is alpine, but I'd advice you to change it.
  • Create a jb folder on your root directory:
    • Note: If you use LiberiOS there's already a /jb folder, just change directories.
    cd / && mkdir jb
  • Create a bfinject folder inside /jb and change directories:
    mkdir /jb/bfinject && cd /jb/bfinject
  • In a different terminal window, copy the bfinject.tar archive to the device:
    scp -P 2222 ~/Downloads/bfinject.tar root@localhost:/jb/bfinject
    • P: Stands for port and it should be the same port iTunnel is listening on. Note: This is a capital P.
    • Your device will ask you for the root password.
  • Extract the .tar file contents:
    tar xvf bfinject.tar

On your device with iOS 12.x

  • Open Cydia and search frida and install it:
    • Tap the Sources tab.
    • Add a source: https://build.frida.re
    • Now you can go to the Search tab and search for frida.

(Note: Since I've only used the Unc0ver jailbreaks I don't know if you're jailbroken with Chimera and/or use Sileo as your package manager if you can install Frida.)

Conclusions

  • Now you should have a device ready to start reversing. Gladly you'll need to perform all these steps only once per device, even when you lose your jailbreak state if your device runs out of batter or restarts for whatever reason[^1]. Don't worry if you don't know some of these tools, in the following modules I'll explain what's their purpose and how to use them.

[^1] On tether and semi-tether jailbreaks, every time you restart your device you'll need to re-jailbreak it because the jailbreak exploit is not persisted after reboot.