📔
HackTricks - Boitatech
  • HackTricks
  • About the author
  • Getting Started in Hacking
  • Pentesting Methodology
  • External Recon Methodology
    • Github Leaked Secrets
  • Phishing Methodology
    • Clone a Website
    • Detecting Phising
    • Phishing Documents
  • Exfiltration
  • Tunneling and Port Forwarding
  • Brute Force - CheatSheet
  • Search Exploits
  • Shells
    • Shells (Linux, Windows, MSFVenom)
      • MSFVenom - CheatSheet
      • Shells - Windows
      • Shells - Linux
      • Full TTYs
  • Linux/Unix
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
      • PAM - Pluggable Authentication Modules
      • SELinux
      • Logstash
      • AppArmor
      • Containerd (ctr) Privilege Escalation
      • Docker Breakout
      • electron/CEF/chromium debugger abuse
      • Escaping from Jails
      • Cisco - vmanage
      • D-Bus Enumeration & Command Injection Privilege Escalation
      • Interesting Groups - Linux PE
        • lxd/lxc Group - Privilege escalation
      • ld.so exploit example
      • Linux Capabilities
      • NFS no_root_squash/no_all_squash misconfiguration PE
      • Payloads to execute
      • RunC Privilege Escalation
      • Seccomp
      • Splunk LPE and Persistence
      • SSH Forward Agent exploitation
      • Socket Command Injection
      • Wildcards Spare tricks
    • Useful Linux Commands
      • Bypass Bash Restrictions
    • Linux Environment Variables
  • MacOS
    • MacOS Security & Privilege Escalation
      • Mac OS Architecture
      • MacOS MDM
        • Enrolling Devices in Other Organisations
      • MacOS Protocols
      • MacOS Red Teaming
      • MacOS Serial Number
      • MacOS Apps - Inspecting, debugging and Fuzzing
  • Windows
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
      • AppendData/AddSubdirectory permission over service registry
      • Create MSI with WIX
      • DPAPI - Extracting Passwords
      • SeImpersonate from High To System
      • Access Tokens
      • ACLs - DACLs/SACLs/ACEs
      • Dll Hijacking
      • From High Integrity to SYSTEM with Name Pipes
      • Integrity Levels
      • JAWS
      • JuicyPotato
      • Leaked Handle Exploitation
      • MSI Wrapper
      • Named Pipe Client Impersonation
      • PowerUp
      • Privilege Escalation Abusing Tokens
      • Privilege Escalation with Autoruns
      • RottenPotato
      • Seatbelt
      • SeDebug + SeImpersonate copy token
      • Windows C Payloads
    • Active Directory Methodology
      • Abusing Active Directory ACLs/ACEs
      • AD information in printers
      • ASREPRoast
      • BloodHound
      • Constrained Delegation
      • Custom SSP
      • DCShadow
      • DCSync
      • DSRM Credentials
      • Golden Ticket
      • Kerberos Authentication
      • Kerberoast
      • MSSQL Trusted Links
      • Over Pass the Hash/Pass the Key
      • Pass the Ticket
      • Password Spraying
      • Force NTLM Privileged Authentication
      • Privileged Accounts and Token Privileges
      • Resource-based Constrained Delegation
      • Security Descriptors
      • Silver Ticket
      • Skeleton Key
      • Unconstrained Delegation
    • NTLM
      • Places to steal NTLM creds
      • PsExec/Winexec/ScExec
      • SmbExec/ScExec
      • WmicExec
      • AtExec / SchtasksExec
      • WinRM
    • Stealing Credentials
      • Credentials Protections
      • Mimikatz
    • Authentication, Credentials, UAC and EFS
    • Basic CMD for Pentesters
    • Basic PowerShell for Pentesters
      • PowerView
    • AV Bypass
  • Mobile Apps Pentesting
    • Android APK Checklist
    • Android Applications Pentesting
      • Android Applications Basics
      • Android Task Hijacking
      • ADB Commands
      • APK decompilers
      • AVD - Android Virtual Device
      • Burp Suite Configuration for Android
      • content:// protocol
      • Drozer Tutorial
        • Exploiting Content Providers
      • Exploiting a debuggeable applciation
      • Frida Tutorial
        • Frida Tutorial 1
        • Frida Tutorial 2
        • Frida Tutorial 3
        • Objection Tutorial
      • Google CTF 2018 - Shall We Play a Game?
      • Inspeckage Tutorial
      • Intent Injection
      • Make APK Accept CA Certificate
      • Manual DeObfuscation
      • React Native Application
      • Reversing Native Libraries
      • Smali - Decompiling/[Modifying]/Compiling
      • Spoofing your location in Play Store
      • Webview Attacks
    • iOS Pentesting Checklist
    • iOS Pentesting
      • Basic iOS Testing Operations
      • Burp Suite Configuration for iOS
      • Extracting Entitlements From Compiled Application
      • Frida Configuration in iOS
      • iOS App Extensions
      • iOS Basics
      • iOS Custom URI Handlers / Deeplinks / Custom Schemes
      • iOS Hooking With Objection
      • iOS Protocol Handlers
      • iOS Serialisation and Encoding
      • iOS Testing Environment
      • iOS UIActivity Sharing
      • iOS Universal Links
      • iOS UIPasteboard
      • iOS WebViews
  • Pentesting
    • Pentesting Network
      • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
      • Spoofing SSDP and UPnP Devices with EvilSSDP
      • Wifi Attacks
        • Evil Twin EAP-TLS
      • Pentesting IPv6
      • Nmap Summary (ESP)
      • Network Protocols Explained (ESP)
      • IDS and IPS Evasion
      • DHCPv6
    • Pentesting JDWP - Java Debug Wire Protocol
    • Pentesting Printers
      • Accounting bypass
      • Buffer Overflows
      • Credentials Disclosure / Brute-Force
      • Cross-Site Printing
      • Document Processing
      • Factory Defaults
      • File system access
      • Firmware updates
      • Memory Access
      • Physical Damage
      • Software packages
      • Transmission channel
      • Print job manipulation
      • Print Job Retention
      • Scanner and Fax
    • Pentesting SAP
    • Pentesting Kubernetes
      • Enumeration from a Pod
      • Hardening Roles/ClusterRoles
      • Pentesting Kubernetes from the outside
    • 7/tcp/udp - Pentesting Echo
    • 21 - Pentesting FTP
      • FTP Bounce attack - Scan
      • FTP Bounce - Download 2ºFTP file
    • 22 - Pentesting SSH/SFTP
    • 23 - Pentesting Telnet
    • 25,465,587 - Pentesting SMTP/s
      • SMTP - Commands
    • 43 - Pentesting WHOIS
    • 53 - Pentesting DNS
    • 69/UDP TFTP/Bittorrent-tracker
    • 79 - Pentesting Finger
    • 80,443 - Pentesting Web Methodology
      • 403 & 401 Bypasses
      • AEM - Adobe Experience Cloud
      • Apache
      • Artifactory Hacking guide
      • Buckets
        • Firebase Database
        • AWS-S3
      • CGI
      • Code Review Tools
      • Drupal
      • Flask
      • Git
      • Golang
      • GraphQL
      • H2 - Java SQL database
      • IIS - Internet Information Services
      • JBOSS
      • Jenkins
      • JIRA
      • Joomla
      • JSP
      • Laravel
      • Moodle
      • Nginx
      • PHP Tricks (SPA)
        • PHP - Useful Functions & disable_functions/open_basedir bypass
          • disable_functions bypass - php-fpm/FastCGI
          • disable_functions bypass - dl function
          • disable_functions bypass - PHP 7.0-7.4 (*nix only)
          • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
          • disable_functions - PHP 5.x Shellshock Exploit
          • disable_functions - PHP 5.2.4 ionCube extension Exploit
          • disable_functions bypass - PHP <= 5.2.9 on windows
          • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
          • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
          • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
          • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
          • disable_functions bypass - PHP 5.2 - FOpen Exploit
          • disable_functions bypass - via mem
          • disable_functions bypass - mod_cgi
          • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      • Python
      • Special HTTP headers
      • Spring Actuators
      • Symphony
      • Tomcat
      • Uncovering CloudFlare
      • VMWare (ESX, VCenter...)
      • Web API Pentesting
      • WebDav
      • werkzeug
      • Wordpress
      • XSS to RCE Electron Desktop Apps
    • 88tcp/udp - Pentesting Kerberos
      • Harvesting tickets from Windows
      • Harvesting tickets from Linux
    • 110,995 - Pentesting POP
    • 111/TCP/UDP - Pentesting Portmapper
    • 113 - Pentesting Ident
    • 123/udp - Pentesting NTP
    • 135, 593 - Pentesting MSRPC
    • 137,138,139 - Pentesting NetBios
    • 139,445 - Pentesting SMB
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
      • SNMP RCE
    • 194,6667,6660-7000 - Pentesting IRC
    • 264 - Pentesting Check Point FireWall-1
    • 389, 636, 3268, 3269 - Pentesting LDAP
    • 500/udp - Pentesting IPsec/IKE VPN
    • 502 - Pentesting Modbus
    • 512 - Pentesting Rexec
    • 513 - Pentesting Rlogin
    • 514 - Pentesting Rsh
    • 515 - Pentesting Line Printer Daemon (LPD)
    • 548 - Pentesting Apple Filing Protocol (AFP)
    • 554,8554 - Pentesting RTSP
    • 623/UDP/TCP - IPMI
    • 631 - Internet Printing Protocol(IPP)
    • 873 - Pentesting Rsync
    • 1026 - Pentesting Rusersd
    • 1080 - Pentesting Socks
    • 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
    • 1433 - Pentesting MSSQL - Microsoft SQL Server
    • 1521,1522-1529 - Pentesting Oracle TNS Listener
      • Oracle Pentesting requirements installation
      • TNS Poison
      • Remote stealth pass brute force
      • Oracle RCE & more
    • 1723 - Pentesting PPTP
    • 1883 - Pentesting MQTT (Mosquitto)
    • 2049 - Pentesting NFS Service
    • 2301,2381 - Pentesting Compaq/HP Insight Manager
    • 2375, 2376 Pentesting Docker
    • 3128 - Pentesting Squid
    • 3260 - Pentesting ISCSI
    • 3299 - Pentesting SAPRouter
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 3632 - Pentesting distcc
    • 3690 - Pentesting Subversion (svn server)
    • 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
    • 5000 - Pentesting Docker Registry
    • 5353/UDP Multicast DNS (mDNS)
    • 5432,5433 - Pentesting Postgresql
    • 5601 - Pentesting Kibana
    • 5671,5672 - Pentesting AMQP
    • 5800,5801,5900,5901 - Pentesting VNC
    • 5984,6984 - Pentesting CouchDB
    • 5985,5986 - Pentesting WinRM
    • 6000 - Pentesting X11
    • 6379 - Pentesting Redis
    • 8009 - Pentesting Apache JServ Protocol (AJP)
    • 8089 - Splunkd
    • 9000 - Pentesting FastCGI
    • 9001 - Pentesting HSQLDB
    • 9042/9160 - Pentesting Cassandra
    • 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
    • 9200 - Pentesting Elasticsearch
    • 10000 - Pentesting Network Data Management Protocol (ndmp)
    • 11211 - Pentesting Memcache
    • 15672 - Pentesting RabbitMQ Management
    • 27017,27018 - Pentesting MongoDB
    • 44818/UDP/TCP - Pentesting EthernetIP
    • 47808/udp - Pentesting BACNet
    • 50030,50060,50070,50075,50090 - Pentesting Hadoop
  • Pentesting Web
    • Web Vulnerabilities Methodology
    • Reflecting Techniques - PoCs and Polygloths CheatSheet
      • Web Vulns List
    • 2FA/OTP Bypass
    • Abusing hop-by-hop headers
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Command Injection
    • Content Security Policy (CSP) Bypass
    • Cookies Hacking
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • Cross-site WebSocket hijacking (CSWSH)
    • CSRF (Cross Site Request Forgery)
    • Dangling Markup - HTML scriptless injection
    • Deserialization
      • NodeJS - __proto__ & prototype Pollution
      • Java JSF ViewState (.faces) Deserialization
      • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
      • Basic Java Deserialization (ObjectInputStream, readObject)
      • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
      • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
      • Exploiting __VIEWSTATE knowing the secrets
      • Exploiting __VIEWSTATE without knowing the secrets
    • Domain/Subdomain takeover
    • Email Header Injection
    • File Inclusion/Path traversal
      • phar:// deserialization
    • File Upload
      • PDF Upload - XXE and CORS bypass
    • Formula Injection
    • HTTP Request Smuggling / HTTP Desync Attack
    • H2C Smuggling
    • IDOR
    • JWT Vulnerabilities (Json Web Tokens)
    • NoSQL injection
    • LDAP Injection
    • Login Bypass
      • Login bypass List
    • OAuth to Account takeover
    • Open Redirect
    • Parameter Pollution
    • PostMessage Vulnerabilities
    • Race Condition
    • Rate Limit Bypass
    • Registration Vulnerabilities
    • Regular expression Denial of Service - ReDoS
    • Reset/Forgotten Password Bypass
    • SAML Attacks
      • SAML Basics
    • Server Side Inclusion/Edge Side Inclusion Injection
    • SQL Injection
      • MSSQL Injection
      • Oracle injection
      • PostgreSQL injection
        • dblink/lo_import data exfiltration
        • PL/pgSQL Password Bruteforce
        • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
        • Big Binary Files Upload (PostgreSQL)
        • RCE with PostgreSQL Extensions
      • MySQL injection
        • Mysql SSRF
      • SQLMap - Cheetsheat
        • Second Order Injection - SQLMap
    • SSRF (Server Side Request Forgery)
    • SSTI (Server Side Template Injection)
      • EL - Expression Language
    • Reverse Tab Nabbing
    • Unicode Normalization vulnerability
    • Web Tool - WFuzz
    • XPATH injection
    • XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
    • XXE - XEE - XML External Entity
    • XSS (Cross Site Scripting)
      • PDF Injection
      • DOM XSS
      • Server Side XSS (Dynamic PDF)
      • XSS Tools
    • XSSI (Cross-Site Script Inclusion)
    • XS-Search
  • Forensics
    • Basic Forensic Methodology
      • Baseline Monitoring
      • Anti-Forensic Techniques
      • Docker Forensics
      • Image Adquisition & Mount
      • Linux Forensics
      • Malware Analysis
      • Memory dump analysis
        • Volatility - CheatSheet
      • Partitions/File Systems/Carving
        • EXT
        • File/Data Carving & Recovery Tools
        • NTFS
      • Pcap Inspection
        • DNSCat pcap analysis
        • USB Keystrokes
        • Wifi Pcap Analysis
        • Wireshark tricks
      • Specific Software/File-Type Tricks
        • .pyc
        • Browser Artifacts
        • Desofuscation vbs (cscript.exe)
        • Local Cloud Storage
        • Office file analysis
        • PDF File analysis
        • PNG tricks
        • Video and Audio file analysis
        • ZIPs tricks
      • Windows Artifacts
        • Windows Processes
        • Interesting Windows Registry Keys
  • A.I. Exploiting
    • BRA.I.NSMASHER Presentation
      • Basic Bruteforcer
      • Basic Captcha Breaker
      • BIM Bruteforcer
      • Hybrid Malware Classifier Part 1
  • Blockchain
    • Blockchain & Crypto Currencies
  • Courses and Certifications Reviews
    • INE Courses and eLearnSecurity Certifications Reviews
  • Cloud Security
    • Cloud security review
    • AWS Security
  • Physical attacks
    • Physical Attacks
    • Escaping from KIOSKs
      • Show file extensions
  • Reversing
    • Reversing Tools & Basic Methods
      • Angr
        • Angr - Examples
      • Z3 - Satisfiability Modulo Theories (SMT)
      • Cheat Engine
      • Blobrunner
    • Common API used in Malware
    • Cryptographic/Compression Algorithms
      • Unpacking binaries
    • Word Macros
  • Exploiting
    • Linux Exploiting (Basic) (SPA)
      • Format Strings Template
      • ROP - call sys_execve
      • ROP - Leaking LIBC address
        • ROP - Leaking LIBC template
      • Bypassing Canary & PIE
      • Ret2Lib
      • Fusion
    • Exploiting Tools
      • PwnTools
    • Windows Exploiting (Basic Guide - OSCP lvl)
  • Cryptography
    • Certificates
    • Cipher Block Chaining CBC-MAC
    • Crypto CTFs Tricks
    • Electronic Code Book (ECB)
    • Hash Length Extension Attack
    • Padding Oracle
    • RC4 - Encrypt&Decrypt
  • BACKDOORS
    • Merlin
    • Empire
    • Salseo
    • ICMPsh
  • Stego
    • Stego Tricks
    • Esoteric languages
  • MISC
    • Basic Python
      • venv
      • Bypass Python sandboxes
      • Magic Methods
      • Web Requests
      • Bruteforce hash (few chars)
    • Other Big References
  • TODO
    • More Tools
    • MISC
    • Pentesting DNS
  • Burp Suite
  • Other Web Tricks
  • Interesting HTTP
  • Emails Vulnerabilities
  • Android Forensics
  • TR-069
  • 6881/udp - Pentesting BitTorrent
  • CTF Write-ups
    • challenge-0521.intigriti.io
    • Try Hack Me
      • hc0n Christmas CTF - 2019
      • Pickle Rick
  • 1911 - Pentesting fox
  • Online Platforms with API
  • Stealing Sensitive Information Disclosure from a Web
  • Post Exploitation
Powered by GitBook
On this page
  • Basic Enumeration of the app
  • Local App Paths
  • List Bundles, frameworks and libraries
  • List classes of an APP
  • List class methods
  • Basic Hooking
  • Hook all methods of a class
  • Hook a single method
  • Change Boolean Return
  • Generate hooking template

Was this helpful?

  1. Mobile Apps Pentesting
  2. iOS Pentesting

iOS Hooking With Objection

PreviousiOS Custom URI Handlers / Deeplinks / Custom SchemesNextiOS Protocol Handlers

Last updated 3 years ago

Was this helpful?

For this section the tool is going to be used. Start by getting an objection's session executing something like:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

Basic Enumeration of the app

Local App Paths

  • env: Find the paths where the application is stored inside the device

    env
    
    Name               Path
    -----------------  -----------------------------------------------------------------------------------------------
    BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
    CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
    DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
    LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

List Bundles, frameworks and libraries

  • ios bundles list_bundles: List bundles of the application

    ios bundles list_bundles
    Executable    Bundle                Version    Path
    ------------  --------------------  ---------  -------------------------------------------
    iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
    AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
  • ios bundles list_frameworks: List external frameworks used by the application

    ios bundles list_frameworks
    Executable                      Bundle                                        Version     Path
    ------------------------------  --------------------------------------------  ----------  -------------------------------------------
    ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                              ...vateFrameworks/CoreDuetContext.framework
    FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                              ...ystem/Library/Frameworks/IOKit.framework
    RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
    jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
    DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
    react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
    react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
    PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
    GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
    RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
    RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
    react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
    CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
    RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
    RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
    RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
    react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
    [..]
  • memory list modules: List loaded modules in memory

    memory list modules
    Name                                 Base         Size                 Path
    -----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
    iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
    SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
    SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
    libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
    libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
    libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
    Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
    libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
    [...]
  • memory list exports <module_name>: Exports of a loaded module

    memory list exports iGoat-Swift
    Type      Name                                                                                                                                    Address
    --------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
    variable  _mh_execute_header                                                                                                                      0x104ffc000
    function  _mdictof                                                                                                                                0x10516cb88
    function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
    function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
    function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
    function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
    function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
    function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
    function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
    function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
    function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
    function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
    variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
    variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
    variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
    [..]

List classes of an APP

  • ios hooking list classes: List classes of the app

    ios hooking list classes
    
    AAAbsintheContext
    AAAbsintheSigner
    AAAbsintheSignerContextCache
    AAAcceptedTermsController
    AAAccount
    AAAccountManagementUIResponse
    AAAccountManager
    AAAddEmailUIRequest
    AAAppleIDSettingsRequest
    AAAppleTVRequest
    AAAttestationSigner
    [...]
  • ios hooking search classes <search_term>: Search a class that contains a string. You can search some uniq term that is related to the main app package name to find the main classes of the app like in the example:

    ios hooking search classes iGoat
    iGoat_Swift.CoreDataHelper
    iGoat_Swift.RCreditInfo
    iGoat_Swift.SideContainmentSegue
    iGoat_Swift.CenterContainmentSegue
    iGoat_Swift.KeyStorageServerSideVC
    iGoat_Swift.HintVC
    iGoat_Swift.BinaryCookiesExerciseVC
    iGoat_Swift.ExerciseDemoVC
    iGoat_Swift.PlistStorageExerciseViewController
    iGoat_Swift.CouchBaseExerciseVC
    iGoat_Swift.MemoryManagementVC
    [...]

List class methods

  • ios hooking list class_methods: List methods of a specific class

    ios hooking list class_methods iGoat_Swift.RCreditInfo
    - cvv
    - setCvv:
    - setName:
    - .cxx_destruct
    - name
    - cardNumber
    - init
    - initWithValue:
    - setCardNumber:
  • ios hooking search methods <search_term>: Search a method that contains a string

    ios hooking search methods cvv
    [AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
    [AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
    [AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
    [iGoat_Swift.RCreditInfo - cvv]
    [iGoat_Swift.RCreditInfo - setCvv:]
    [iGoat_Swift.RealmExerciseVC - creditCVVTextField]
    [iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
    [iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
    [iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
    [iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
    [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

Basic Hooking

Now that you have enumerated the classes and modules used by the application you may have found some interesting class and method names.

Hook all methods of a class

  • ios hooking watch class <class_name>: Hook all the methods of a class, dump all the initial parameters and returns

    ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController

Hook a single method

  • ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called

    ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return

Change Boolean Return

  • ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean

    ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false

Generate hooking template

  • ios hooking generate simple <class_name>:

    ```bash ios hooking generate simple iGoat_Swift.RCreditInfo

    var target = ObjC.classes.iGoat_Swift.RCreditInfo;

    Interceptor.attach(target['+ sharedSchema'].implementation, { onEnter: function (args) { console.log('Entering + sharedSchema!'); }, onLeave: function (retval) { console.log('Leaving + sharedSchema'); }, });

Interceptor.attach(target['+ className'].implementation, { onEnter: function (args) { console.log('Entering + className!'); }, onLeave: function (retval) { console.log('Leaving + className'); }, });

Interceptor.attach(target['- cvv'].implementation, { onEnter: function (args) { console.log('Entering - cvv!'); }, onLeave: function (retval) { console.log('Leaving - cvv'); }, });

Interceptor.attach(target['- setCvv:'].implementation, { onEnter: function (args) { console.log('Entering - setCvv:!'); }, onLeave: function (retval) { console.log('Leaving - setCvv:'); }, });

```

Objection