Skip to content
A tool to read the binarycookie format of Cookies on iOS applications
Python
Branch: master
Clone or download
murphy murphy
murphy and murphy Readme updated
Latest commit 2d4844b Apr 11, 2015
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
BinaryCookieReader.py Binary Cookies forked Apr 11, 2015
README.md Readme updated Apr 11, 2015

README.md

BinaryCookieReader

Cloned from http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py

##Usage

Python BinaryCookieReader.py [Cookie.binarycookies-file-path]

##Cookies.binarycookies Format

Cookies.binarycookies file is composed of several pages and each page can have one or more cookies. The complete file format is explained below:

###File Format:

  1. The file starts with a 4 byte magic string: cook. It is used to identify the file type.
  2. Next four bytes is an integer specifying the number of pages in the file.
  3. Following that, a 4 byte integer for each page, represents the page size.
  4. Next to that, the file contains the actual page content. Each page is of length corresponding to the page size. Page format is explained below.
  5. The file ends with an 8 byte value and it might be file checksum.`

###Page Format:

  1. Every page starts with a 4 byte page header: 0x00000100.
  2. Next four bytes is an integer specifying the number of cookies in the page.
  3. Following that, a 4 byte integer for each cookie, represents the cookie offset. Offset specifies the start of the cookie in bytes from the start of the page.
  4. Next to that, the page contains the actual cookie contents. Each cookie is of variable length. Cookie format is explained below.
  5. Page ends with a 4 byte value and it is always 0x00000000.

###Cookie Format:

  1. First 4 bytes in the cookie is the size of the cookie.
  2. The next 4 bytes are unknown (may be related to cookies flags).
  3. The next four bytes are the cookie flags. This is an integer value (1=Secure, 4=HttpOnly, 5= Secure+HttpOnly).
  4. The next 4 bytes are unknown.
  5. The next 4 bytes is an integer specifying the start of the url field in bytes from the start of the cookie record.
  6. The next 4 bytes is an integer specifying the start of the name field in bytes from the start of the cookie record.
  7. The next 4 bytes is an integer specifying the start of the path field in bytes from the start of the cookie record.
  8. The next 4 bytes is an integer specifying the start of the value field in bytes from the start of the cookie record.
  9. The next 8 bytes represents the end of the cookie and it is always 0x0000000000000000.
  10. The next 8 bytes are the cookie expiration date. Date is in Mac epoch format (Mac absolute time). Mac epoch format starts from Jan 2001.
  11. The next 8 bytes are the cookie creation date.
  12. Next to that, the cookie contains the actual cookie domain, name, path & value. The order is not specific and they can appear in any order.
You can’t perform that action at this time.