Dumping Class Information for Encrypted iOS Applications

 

This article will outline using runtime hacking to dump classes of iOS applications even if the application is still encrypted. (cross-posted from my blog at Fortify On Demand)

One big step in auditing or hacking iOS applications is viewing the binary's class information. This gives us a map of the hidden classes and methods defined in the compiled source. What do we do with this? Well, since we can control the underlying iOS operating system APIs with Cycript and MobileSubstrate, we can edit those hidden functions, or the system functions they rely on, to do whatever we want at runtime. Our previous iOS application hacking blog showed doing this to defeat jailbreak detection, basically replacing the developer's “isJailbroken” function to always return false.

Usually we can dump a binary's class information by using a tool called class-dump-z. In the last blog that's where we found the boolean “isJailbroken” method.

In order to use class-dump-z our application binary must be decrypted. The decryption of iOS applications, at the low level, uses GDB to pull out the unencrypted segment of the binary after the phone decrypts it for us.

A small and inconvenient roadblock to our testing and peeking into the binary is a security-conscious developer who might have built in anti-debugging techniques. These techniques (sometimes) prevent us from even attaching GDB to the binary. There are also other protection techniques that foil application decryption.

So in this scenario, how does one peek inside the binary at that class information with the app still encrypted?

The answer is Cycript.

As we explained before, Cycript is a runtime tool we use. Basically it has the ability to attach to a running application on the phone and replace a function's original implementation with whatever we choose. Besides that, it has many extensible uses, one of which (dumping headers live) we will show you now. It can do these things because of the reflective nature of Objective-C and its MVC architecture. You can learn more about the baseline language from Stanford University's free iOS programming course… Anyway, on to the hacking.

 

To utilize this technique you will need a jailbroken phone, cycript, wget, and a cycript extension called weak_classdump by @limneos.

 

  1. On your jailbroken device, use Cydia to install cycript and wget.
  2. Download weak_classdump to your phone: wget --no-check-certificate https://raw.github.com/limneos/weak_classdump/master/weak_classdump.cy
  3. Invoke cycript and the extension by pointing it at your target application: cycript -p [APP_NAME] weak_classdump.cy; cycript -p [APP_NAME]
  4. While in the cy# prompt, type: weak_classdump_bundle([NSBundle mainBundle],"/tmp/APPNAME")
  5. Wait… it takes a bit…
  6. Check your /tmp/APPNAME directory for the whole application bundle's class information (see an example below).

 

[Screenshot: example of the dumped class information in /tmp/APPNAME]

From here you inspect the dump information to further your understanding of the application. Hopefully you find some hidden security-related methods that you can hook in Cycript later!
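One way to triage the dumped headers, as an added example that is not part of the original post or of weak_classdump: a Python script that lists the methods whose selectors contain security-related keywords, which is also the list of names an application exposes to anyone reading its Objective-C metadata. The keyword list, the sample header and the assumption that the dump uses class-dump-style declarations belong to this example.

```python
import re
from pathlib import Path

# Assumed keyword list: substrings that tend to mark security logic.
KEYWORDS = ("jailbr", "passw", "passcode", "token", "secret", "crypt", "auth")

IFACE_RE = re.compile(r"^@interface\s+(\w+)")
METHOD_RE = re.compile(r"^\s*([-+])\s*\(([^)]*)\)\s*(.+?);")

def selector(decl):
    """'check:(id)a for:(id)b' -> 'check:for:'; 'isFoo' -> 'isFoo'."""
    parts = re.findall(r"(\w+)\s*:", decl)
    return "".join(p + ":" for p in parts) if parts else decl.split()[0]

def scan_header(text):
    """Return (class, +/-, return type, selector) for matching methods."""
    cls, hits = None, []
    for line in text.splitlines():
        iface = IFACE_RE.match(line)
        if iface:
            cls = iface.group(1)
        elif line.startswith("@end"):
            cls = None
        elif cls and (m := METHOD_RE.match(line)):
            sel = selector(m.group(3))
            if any(k in sel.lower() for k in KEYWORDS):
                hits.append((cls, m.group(1), m.group(2).strip(), sel))
    return hits

def scan_dump(directory):
    hits = []
    for path in sorted(Path(directory).glob("*.h")):
        hits += scan_header(path.read_text(errors="replace"))
    return hits

# Constructed sample header, not output from a real application.
SAMPLE = """\
@interface AppSecurityManager : NSObject
@property (nonatomic, retain) NSString *sessionToken;
+(id)sharedManager;
-(BOOL)isJailbroken;
-(BOOL)validatePasscode:(id)code forUser:(id)user;
-(void)refreshView;
@end
"""

if __name__ == "__main__":
    for cls, kind, ret, sel in scan_header(SAMPLE):
        print(f"{kind}[{cls} {sel}] -> {ret}")
```

Copy the /tmp/APPNAME directory from step 6 off the device and pass its path to scan_dump to run the same check over a real dump.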

Happy hacking!

-Jason

References:

8bit from ininjas: http://ininjas.com/forum/index.php?topic=4781.0;theme=12

One thought on “Dumping Class Information for Encrypted iOS Applications”

  1. Cool! I think Chrome on iOS kinda does such anti-class-dump protections, and failing to dump it used to frustrate me ;P Will try this Cycript method, thanks for your tip!
