Para esta sección, se va a utilizar la herramienta Objection.
Comienza obteniendo una sesión de objection ejecutando algo como:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

Puedes ejecutar también frida-ps -Uia para verificar los procesos en ejecución del teléfono.

Enumeración básica de la aplicación

Rutas locales de la aplicación

• env: Encuentra las rutas donde se almacena la aplicación dentro del dispositivo

env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

Listar bundles, frameworks y bibliotecas

• ios bundles list_bundles: Listar bundles de la aplicación

ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle

• ios bundles list_frameworks: Listar frameworks externos utilizados por la aplicación

ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]

• memory list modules: Listar módulos cargados en memoria

memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]

• memory list exports <module_name>: Exportaciones de un módulo cargado

memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]

Listar clases de una APP

• ios hooking list classes: Listar clases de la aplicación

ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]

• ios hooking search classes <search_term>: Buscar una clase que contenga una cadena. Puedes buscar algún término único que esté relacionado con el nombre del paquete principal de la aplicación para encontrar las clases principales de la aplicación como en el ejemplo:

ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]

Listar métodos de clase

• ios hooking list class_methods: Listar métodos de una clase específica

ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:

• ios hooking search methods <search_term>: Buscar un método que contenga una cadena

ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

Hooking básico

Ahora que has enumerado las clases y módulos utilizados por la aplicación, es posible que hayas encontrado algunos nombres de clases y métodos interesantes.

Hookear todos los métodos de una clase

• ios hooking watch class <class_name>: Hookear todos los métodos de una clase, volcar todos los parámetros iniciales y retornos

ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController

Hookear un solo método

• ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hookear un método específico de una clase volcando los parámetros, backtraces y retornos del método cada vez que se llama

ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return

Cambiar el retorno booleano

• ios hooking set return_value "-[<class_name> <method_name>]" false: Esto hará que el método seleccionado retorne el booleano indicado

ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false

Generar plantilla de hooking

• ios hooking generate simple <class_name>:

ios hooking generate simple iGoat_Swift.RCreditInfo

var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
onEnter: function (args) {
console.log('Entering + sharedSchema!');
},
onLeave: function (retval) {
console.log('Leaving + sharedSchema');
},
});


Interceptor.attach(target['+ className'].implementation, {
onEnter: function (args) {
console.log('Entering + className!');
},
onLeave: function (retval) {
console.log('Leaving + className');
},
});


Interceptor.attach(target['- cvv'].implementation, {
onEnter: function (args) {
console.log('Entering - cvv!');
},
onLeave: function (retval) {
console.log('Leaving - cvv');
},
});


Interceptor.attach(target['- setCvv:'].implementation, {
onEnter: function (args) {
console.log('Entering - setCvv:!');
},
onLeave: function (retval) {
console.log('Leaving - setCvv:');
},
});