issuhub.com

Microsoft Word - iOSAppReverseEngineering.docx

(Romina) #1

  1. Locate the executable to be decrypted with “ps” command


On iOS 8, all StoreApps are under /var/mobile/Containers/, and TargetApp.app’s


executable is under /var/mobile/Containers/Bundle/Application/XXXXXXXX-XXXX-XXXX-


XXXX-XXXXXXXXXXXX/TargetApp.app/. Since X is unknown, it’d be a great amount of work


to locate the executable manually. But a simple trick will save our days: First close all StoreApps


on iOS, then launch TargetApp and ssh into iOS to print all processes:


snakeninnysiMac:~ snakeninny$ ssh root@iOSIP

FunMaker-5:~ root# ps - e

PID TTY TIME CMD

1 ?? 3:28.32 /sbin/launchd

......

5717 ?? 0:00.21

/System/Library/PrivateFrameworks/MediaServices.framework/Support/mediaartworkd

5905 ?? 0:00.20 sshd: root@ttys000

5909 ?? 0:01.86 /var/mobile/Containers/Bundle/Application/03B61840- 2349 - 4559 -

B28E-0E2C6541F879/TargetApp.app/TargetApp

5911 ?? 0:00.07 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd

5907 ttys000 0:00.03 - sh

5913 ttys000 0:00.01 ps – e

Because now there is only one running StoreApp, the only path that contains

“/var/mobile/Containers/Bundle/Application/” is the full path of TargetApp’s executable.



  1. Find out TargetApp’s Documents directory via Cycript


All StoreApps’ Documents directories are under


/var/mobile/Containers/Data/Application/ YYYYYYYY-YYYY-YYYY-YYYY–


YYYYYYYYYYYY/. Note that these Ys are different from those previous Xs, and they are not


obtainable via “ps”. So this time we need to mak use of Cycript to reveal the Documents


directory of TargetApp. The commands we use are as follows:


FunMaker-5:~ root# cycript - p TargetApp

cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory

inDomains:NSUserDomainMask][0]

#”file:///var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-

2146128611EE/Documents/”


  1. Copy dumpdecrypted.dylib to TargetApp’s Documents directory:


snakeninnysiMac:~ snakeninny$ scp

/Users/snakeninny/Code/dumpdecrypted/dumpdecrypted.dylib

root@iOSIP:/var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-

2146128611EE/Documents/

dumpdecrypted.dylib

100% 193KB 192.9KB/s 00:00

Here we’re using scp instead of iFunBox, anyway tools don’t matter.

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.