codingo/iOS-Pentesting
Welcome to the iOS-Pentesting wiki!

Reversing/Patching with Hopper:

Decrypt app:

Clutch 2

Either grab Clutch by adding the repository http://cydia.iphonecake.com to Cydia, or get it from git: https://github.com/KJCracks/Clutch

root# Clutch2 -b 2

Dumps to: /var/tmp/clutch/app-dir

Fix for Clutch’s cracked Apps crashing on ARMv7s Devices

To be performed on Mac OS X

1. Extract the IPA file
2. Go into Payload/whatevername.app
3. Open up Terminal
4. Run these commands:

lipo binary -thin armv7 -output newbinary
mv newbinary binary
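After a Clutch dump or the lipo thinning above, a practitioner wants to confirm two things about the resulting binary: which architecture slices it contains (a fat image is the case the lipo -thin step addresses) and whether each slice is still marked FairPlay-encrypted, which is the cryptid field of the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command (0 means decrypted). The following Python script is an added example, not code from this wiki or from Clutch; it parses the fat and thin Mach-O headers directly so it runs without otool, and the binaries it inspects by default are constructed in-line (minimal hypothetical Mach-O images, not real apps).

```python
"""Inspect a Mach-O or fat binary for its architecture slices and encryption status (added example)."""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header is big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O, little-endian on iOS
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0xC
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_MASK = 0x00FFFFFF   # strip capability bits from cpusubtype
ARCH_NAMES = {(CPU_TYPE_ARM, 9): "armv7", (CPU_TYPE_ARM, 11): "armv7s", (CPU_TYPE_ARM64, 0): "arm64"}


def arch_name(cputype, cpusubtype):
    key = (cputype, cpusubtype & CPU_SUBTYPE_MASK)
    return ARCH_NAMES.get(key, f"cputype={cputype:#x}/subtype={cpusubtype:#x}")


def parse_thin(data, base=0):
    """Parse one thin Mach-O image at data[base:] and report its arch and cryptid."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        hdr_size = 32
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError(f"not a little-endian Mach-O at offset {base:#x}: magic {magic:#x}")
    cputype, cpusubtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<iIIII", data, base + 4)
    cryptid = None                      # stays None if the binary carries no encryption command
    off, end = base + hdr_size, base + hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("invalid load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return {"arch": arch_name(cputype, cpusubtype), "cryptid": cryptid, "encrypted": bool(cryptid)}


def inspect(data):
    """Return one result dict per slice: a list of one for a thin file, one per fat_arch otherwise."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _cputype, _cpusubtype, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + i * 20)
        if offset + size > len(data):
            raise ValueError("fat_arch slice extends past end of file")
        slices.append(parse_thin(data, offset))
    return slices


# --- constructed sample images (hypothetical, for offline testing only) ---
def build_slice(cputype, cpusubtype, cryptid, is64=True):
    """Build a minimal Mach-O whose only load command is LC_ENCRYPTION_INFO(_64)."""
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, cpusubtype, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        hdr = struct.pack("<IiIIIII", MH_MAGIC, cputype, cpusubtype, 2, 1, len(lc), 0)
    return hdr + lc


def build_fat(slices):
    """Wrap (cputype, cpusubtype, bytes) tuples in a fat header, each slice page-aligned."""
    header_len = 8 + 20 * len(slices)
    entries, body = b"", b""
    for cputype, cpusubtype, blob in slices:
        cur = header_len + len(body)
        pad = (-cur) % 0x1000
        body += b"\0" * pad
        entries += struct.pack(">iIIII", cputype, cpusubtype, cur + pad, len(blob), 12)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


SAMPLE_ENCRYPTED_FAT = build_fat([
    (CPU_TYPE_ARM, 9, build_slice(CPU_TYPE_ARM, 9, cryptid=1, is64=False)),
    (CPU_TYPE_ARM64, 0, build_slice(CPU_TYPE_ARM64, 0, cryptid=1)),
])
SAMPLE_DUMPED_THIN = build_slice(CPU_TYPE_ARM, 9, cryptid=0, is64=False)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED_FAT
    for s in inspect(blob):
        state = "encrypted" if s["encrypted"] else "decrypted"
        print(f"{s['arch']}: cryptid={s['cryptid']} ({state})")
```

Run it as `python3 machocheck.py Payload/whatevername.app/binary` to check a real file; cryptid 0 on every slice means the dump produced a decrypted image, and more than one slice means you are still holding a fat binary.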

Rasticrac

Grab from Cydia; ldone will also be installed.

rc.sh -m

Dump class info (for debugging using gdb/cycript)

root# class-dump Spotify > /spotify-dump.txt

Patch the app using Hopper and place it back on the device.

Resigning the iOS Binary

Place the binary back in the app directory and do the following:

ldone spotify -s
chmod 755 spotify
chown mobile.mobile spotify

Runtime debugging:

Cycript:

cy# var app = [UIApplication sharedApplication]
cy# app.delegate
// you can also just use UIApp.delegate
cy# var delegate = new Instance(0x2315f0)

// call a method on the delegate
cy# [delegate pinLockControllerDidFinishUnlocking]

For BOOL values:

cy# [UIApp.delegate userIsLogged: YES]

Show current view

cy# UIApp.keyWindow.rootViewController.topViewController.visibleViewController

Get an array of existing objects of a certain class

cy# choose(UIViewController)

List methods at runtime

cy# [classname].messages

or

cy# function printMethods(className) {
  var count = new new Type("I");
  var methods = class_copyMethodList(objc_getClass(className), count);
  var methodsArray = [];
  for (var i = 0; i < *count; i++) {
    var method = methods[i];
    methodsArray.push({selector: method_getName(method), implementation: method_getImplementation(method)});
  }
  free(methods);
  free(count);
  return methodsArray;
}
cy# printMethods("[classname]")

Print out all the instance variables

cy# function tryPrintIvars(a) {
  var x = {};
  for (i in a) {
    try { x[i] = (a)[i]; } catch (e) {}
  }
  return x;
}
cy# a = #0x15d0db80
cy# tryPrintIvars(a)

Manipulating through properties

cy# [a pinCode]
cy# [a setPinCode: @"1234"]
cy# [a isValidPin]
cy# a->isa.messages['isValidPin'] = function() { return 1; }

Random Stuff

Restart SpringBoard

killall -HUP SpringBoard

Connect via USB to JB iPhone

iproxy 2222 22

Connect over Wi-Fi

For the iOS 10 yalu JB, run on the device:

dropbear -R -p 2222

Downloads folder for iFunbox iOS 10 JB

/User/Media/Downloads or /var/mobile/Media

Needle installation on Kali Rolling

git clone https://github.com/mwrlabs/needle.git

apt-get install python2.7 python2.7-dev sshpass sqlite3 lib32ncurses5-dev

If Kali hasn't been updated in a while, the apt sources and GPG key will have to be updated:

wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add -

In Needle, to install all dependencies on the device:

use device/dependency_installer

Install lipo from org.coolstar.cctools

Once stash is installed, Dropbear is moved to the stash location below:

/var/db/stash/_.cBfT4d/bin

About

Wiki for Pentesting iOS apps
