In this module you'll learn how to set up your device(s) with all the tools you'll need to decrypt apps, transfer them to your computer and perform static and dynamic analysis on them. I'm assuming you already have a jailbroken device. If you don't have a device, you can skip to module 3.
Note: If you need help jailbreaking your device, there are many resources online. One of my favourite sites is iDownloadblog.
- Download the latest version of iTunnel: iTunnel will allow you to SSH over USB.
- Download the latest version of Clutch: Clutch will allow you to decrypt iOS applications on iOS < 10.0.
- Download the latest version of Cydia Impactor: Impactor will allow you to install iOS applications on your device, signed with a developer account's certificate.
- Download and install Hopper: Hopper is a reverse engineering tool that lets you disassemble, decompile and debug ARM applications. It supports other architectures, but in this course I'll focus just on ARM-based binaries. The trial version is enough.
- Download the latest version of bfinject's `bfinject.tar`: bfinject will allow you to use Cycript and Clutch on iOS >= 11.0.
- Download the latest version of Cycript: Cycript will allow you to modify the applications' behaviour at runtime via an interactive console.
- Download the latest version of Frida: Frida will allow you to write scripts to change the applications' behaviour at runtime.
  - To install Frida: `sudo pip install frida-tools`
- Download the latest version of Bettercap: Bettercap will allow you to perform MitM attacks remotely to a device.
- Download the latest version of class-dump-z: class-dump-z will allow you to dump Objc classes. There's a Swift version, but you won't need it since my vulnerable app is written in Objc.
- Download the latest version of Ghidra: Ghidra is another reverse engineering tool, which will let you do some of the same tasks as Hopper.
- Open Cydia, search `cycript` and install it.
- Open Cydia, search `Apple File Conduit "2"` and install it.
- Open Cydia, search `frida` and install it:
  - Tap the `Sources` tab.
  - Add a source: `https://build.frida.re`
  - Now you can go to the `Search` tab and search for `frida`.
In some cases a jailbreak tool for iOS < 11.0 might not come with SSH installed, so you might have to install it yourself. To test if your device already has a working SSH:
- Connect your device to your computer.
- On your computer, open a terminal window and run iTunnel with the following parameters: `itnl --lport 2222 --iport 22`
  - `lport`: stands for local port; it's the port iTunnel will be listening on locally. This can be any port you want.
  - `iport`: stands for iPhone port; it's the port iTunnel will forward all the packets sent to `lport` to. This has to be `22`, since that's the SSH default port.
- On a different terminal window, SSH into your device: `ssh -p 2222 root@localhost`
  - `p`: stands for port; this is the port iTunnel is listening on.

If your device asks for a root password then it already has SSH working, so you can skip this step.
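If you'd rather script the "does my device already have SSH?" check than watch for a password prompt, the following added example (not from the original tutorial) probes the port iTunnel forwards for the SSH identification string; it assumes iTunnel is already running as `itnl --lport 2222 --iport 22`, and `fake_server` is a constructed stand-in for the device so the probe can be tried without one.

```python
"""Probe the port iTunnel forwards (itnl --lport 2222 --iport 22) for an
SSH identification string.  RFC 4253 says an SSH server sends
``SSH-<proto>-<software>`` right after the TCP handshake, so the banner
tells us whether the device has SSH without typing a password."""
import socket
import threading


def probe_ssh(host="127.0.0.1", port=2222, timeout=3.0):
    """Return ("ssh", banner), ("no-banner", "") or ("closed", error_name).

    closed    -> nothing listens on host:port (itnl not running / wrong lport)
    no-banner -> tunnel accepted us but no SSH server answered on iport
    ssh       -> the device has a working SSH server
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # ConnectionRefusedError, timeout, ...
        return ("closed", type(exc).__name__)
    data = b""
    with sock:
        try:  # read one line (the identification string) or give up
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except OSError:  # recv timeout / reset: treat as no banner
            pass
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("ssh", line) if line.startswith("SSH-") else ("no-banner", "")


def fake_server(banner):
    """Constructed stand-in for the device (offline testing only): serve one
    connection, send ``banner``, close. ``None`` = nothing listening."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if banner is None:
        srv.close()
        return port
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run `probe_ssh()` with iTunnel up; a "closed" result points at the tunnel, while "no-banner" means the tunnel works but the device has no SSH server on port 22.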
- Connect your device to your computer.
- On your computer, open a terminal window and run iTunnel with the following parameters: `itnl --lport 2222 --iport 22`
  - `lport`: stands for local port; it's the port iTunnel will be listening on locally. This can be any port you want.
  - `iport`: stands for iPhone port; it's the port iTunnel will forward all the packets sent to `lport` to. This has to be `22`, since that's the SSH default port.
- On a different terminal window, SSH into your device: `ssh -p 2222 root@localhost`
  - `p`: stands for port; this is the port iTunnel is listening on.
  - Your device will ask you for the `root` password. The default password is `alpine`, but I'd advise you to change it.
- Create a `jb` folder in your root directory: `cd / && mkdir jb`
  - Note: If you use LiberiOS there's already a `/jb` folder, just change directories.
- Create a `bfinject` folder inside `/jb` and change directories: `mkdir /jb/bfinject && cd /jb/bfinject`
- In a different terminal window, copy the `bfinject.tar` archive to the device: `scp -P 2222 ~/Downloads/bfinject.tar root@localhost:/jb/bfinject`
  - `P`: stands for port and it should be the same port iTunnel is listening on. Note: this is a capital `P`.
  - Your device will ask you for the `root` password.
- Extract the .tar file contents: `tar xvf bfinject.tar`
- Now you should have a device ready to start reversing. Fortunately you'll need to perform all these steps only once per device, even if you lose your jailbreak state because your device runs out of battery or restarts for whatever reason[^1]. Don't worry if you don't know some of these tools; in the following modules I'll explain what their purpose is and how to use them.
[^1] On tethered and semi-tethered jailbreaks, every time you restart your device you'll need to re-jailbreak it because the jailbreak exploit is not persisted after reboot.