Decompiling Encrypted iOS binaries

Introduction:

In my previous article, i had described how you would normally go about decompiling an iOS application. That method would be working for a majority of applications. However, many a times the developers push in security feature to prevent the attackers from decompiling/debugging the application.

In our case, though we are the developers friends and are testing the application, it would be good if we actually follow the same route as an attacker would. That way, we can understand what exact information is disclosed and how the application can be compromised.


Requirements:
  • iOS device must be jailbroken.
  • OpenSSH should be installed on the iOS device.
  • SSH Client on your machine.
  • "Class Dump" should be installed on the iOS device via "Cydia"
  • "Cycript" should be installed on the iOS device via "Cydia".
Detailed Steps:

First we will try and use the same step as used in our previous post to dump the class file information via "class dump".
Below screenshot shows one of such an instances when we use classdump to decompile an application. The command run is of the same syntax as used earlier but the content is unreadable.


In such a case, using class dump alone would not be fruitful. We have to use a tool called as "Cycript" along with “weak_classdump” by Elias Limneos which is Cycript script that generates a header file for the class passed to the function.

It can be used as follows.

Step 1: Get the process id of the running application to be decryped and decompiled using the command "ps -ax | grep "App"".


The above screenshot shows that the process id was "3785".

Step 2: Download the latest copy of "weak_classdump.cy" from "weak_classdump" on to the working folder.

Then, use the below command to inject weak_classdump into the application to be decrypted and decompiled:
cycript -p 3785 weak_classdump.cy; cycript -p 3785

If, the injection was successfull, you will get the message as 'Added weak_classdump to "TWCTV" (3785)' where "TWCTV" is the application to be decrypted and decompiled.


Step 3: Now, you will get cy# where you will have to enter the below command to do the actual decompilation and to dump the required info.
weak_classdump_bundle([NSBundle mainBundle],"/tmp/3847_decrypted_application")

This step takes a lot of time and you would get somthing like the screenbelow when the process is complete.


Step 4: Now, exit cycript and you can access the complete decompiled cleartext source at "/tmp/3847_decrypted_application".



The above screenshot shows that the source code is in cleartext and can be easily analysed and the function names and values can be hooked in the runtime using Mobile Substrate or Cycript to force the application to perform various malicious activities.

References:

Komentar

Posting Komentar

Postingan populer dari blog ini

All India BSNL Nodal officer Contact Information..!!!

Gambar
Hi All,   BSNL is very good Telecom service provider but sometime its customer care service are very poor and we are unable to resolve our issue satisfactory. As customer care sometime unable to resolve our important isuue. So in this case you should not loose hope and contact the Circle Nodal officer to resolve the issue. So here I have decided to provide All India BSNL Circle Nodal officer Contact Information which will help you to solve your issue on high priority. Click here to download All India BSNL Nodal officer Contact Information.
Baca selengkapnya

Video & Photo Gallery: Unboxing ORICO D10000 Scharge Polymer Power Bank

Gambar
You can buy ORICO D10000 Scharge Polymer Power Bank from Amazon .com for only $28.99 . Meet ORICO D10000 Scharge Polymer Power Bank The power bank has a micro USB charge input port, and two USB charge output port, 4 small blue LED lights for power status and a on and off power button. The charge speed of this power bank is good and faster than the market average and you can do number of charges before the power bank needing a recharge. The design is compact and smart. It has Nice status LED's that tell you the level of charge. The included cable was actually really nice. It comes with 18 months warranty. Newly updated polymer A + cell Safer than before. Polymer A + cell is better than other cells in terms of safety and size. Newly updated polymer A + cell Safer than before Polymer A + cell is better than other cells in terms of safety and size. Scharge smart precision chip Intelligent delivery of current. Adopts Scharge smart precision chip which enables it to automatically dete...
Baca selengkapnya

How to Automatically Shrink url of ADF.ly || Earn Money By ADF.ly

Gambar
Every one want to  earn online  as a hobby to use its time in a good way.There are too much sources available online which allows you to earn money. Facebook,twitter, pinterest  are social media which you used in daily routine source of  earning .Blogging, Google adsense  and  bubblews  are others powerful source of earning. If you think tough these job and in search of easy job to earn handsome amount of money,then this post is for you. In this post you will learn   how to earn money by shrinking URL's .   Why need to shirink URL's: It’s not easy to remember long URLs. Writing long URLs give a bad look in a text so we shrink URLs to have a good look,.Best advantage is that its easy to remember  short URL's. ADF.ly is best URL Shirinking site: Also Read:  Top 5 websites to Earn money by URL shortening There are many sites which allows you to shrink URL's.But all are not work as good as AD...
Baca selengkapnya