Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기

• 구독 계획 확인하기!
• **💬 디스코드 그룹 또는 텔레그램 그룹에 참여하거나 트위터 🐦 @hacktricks_live를 팔로우하세요.
• HackTricks 및 HackTricks Cloud 깃허브 리포지토리에 PR을 제출하여 해킹 트릭을 공유하세요.

이 섹션에서는 도구 Objection를 사용할 것입니다.
먼저 다음과 같은 명령을 실행하여 objection의 세션을 시작합니다:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

당신은 또한 frida-ps -Uia를 실행하여 전화의 실행 중인 프로세스를 확인할 수 있습니다.

앱의 기본 열거

로컬 앱 경로

• env: 장치 내에서 애플리케이션이 저장된 경로를 찾습니다.

env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

번들, 프레임워크 및 라이브러리 목록

• ios bundles list_bundles: 애플리케이션의 번들을 나열합니다.

ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle

• ios bundles list_frameworks: 애플리케이션에서 사용하는 외부 프레임워크를 나열합니다.

ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]

• memory list modules: 메모리에 로드된 모듈을 나열합니다.

memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]

• memory list exports <module_name>: 로드된 모듈의 내보내기

memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]

앱의 클래스 목록

• ios hooking list classes: 앱의 클래스를 나열합니다.

ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]

• ios hooking search classes <search_term>: 문자열을 포함하는 클래스를 검색합니다. 주요 앱 패키지 이름과 관련된 고유한 용어를 검색하여 앱의 주요 클래스를 찾을 수 있습니다. 예:

ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]

클래스 메서드 목록

• ios hooking list class_methods: 특정 클래스의 메서드를 나열합니다.

ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:

• ios hooking search methods <search_term>: 문자열을 포함하는 메서드를 검색합니다.

ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

기본 후킹

이제 애플리케이션에서 사용되는 클래스와 모듈을 열거했으므로 흥미로운 클래스 및 메서드 이름을 찾았을 수 있습니다.

클래스의 모든 메서드 후킹

• ios hooking watch class <class_name>: 클래스의 모든 메서드를 후킹하고 모든 초기 매개변수와 반환값을 덤프합니다.

ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController

단일 메서드 후킹

• ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: 매개변수, 백트레이스 및 반환값을 덤프하여 클래스의 특정 메서드를 후킹합니다.

ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return

불리언 반환 변경

• ios hooking set return_value "-[<class_name> <method_name>]" false: 선택한 메서드가 지정된 불리언을 반환하도록 합니다.

ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false

후킹 템플릿 생성

• ios hooking generate simple <class_name>:

ios hooking generate simple iGoat_Swift.RCreditInfo

var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
onEnter: function (args) {
console.log('Entering + sharedSchema!');
},
onLeave: function (retval) {
console.log('Leaving + sharedSchema');
},
});


Interceptor.attach(target['+ className'].implementation, {
onEnter: function (args) {
console.log('Entering + className!');
},
onLeave: function (retval) {
console.log('Leaving + className');
},
});


Interceptor.attach(target['- cvv'].implementation, {
onEnter: function (args) {
console.log('Entering - cvv!');
},
onLeave: function (retval) {
console.log('Leaving - cvv');
},
});


Interceptor.attach(target['- setCvv:'].implementation, {
onEnter: function (args) {
console.log('Entering - setCvv:!');
},
onLeave: function (retval) {
console.log('Leaving - setCvv:');
},
});

Tip

AWS 해킹 배우기 및 연습하기:HackTricks Training AWS Red Team Expert (ARTE)
GCP 해킹 배우기 및 연습하기: HackTricks Training GCP Red Team Expert (GRTE) Azure 해킹 배우기 및 연습하기: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks 지원하기

• 구독 계획 확인하기!
• **💬 디스코드 그룹 또는 텔레그램 그룹에 참여하거나 트위터 🐦 @hacktricks_live를 팔로우하세요.
• HackTricks 및 HackTricks Cloud 깃허브 리포지토리에 PR을 제출하여 해킹 트릭을 공유하세요.