Tools

otool: From Xcode iPhoneSDK
debug_server: From Xcode iPhoneSDK instructions described here
cydiaimpactor: From cydiaimpactor
FileDP: From FileDP
fsmon: From fsmon, built with make ios
keychain_dumper: From keychain_dumper
frida: From Frida

  • Test machine running OS X / macOS
  • Native Code Reversing Tools

Repos

http://cydia.iphonecake.com
http://apt.saurik.com/
http://repo.nesolabs.de/
https://build.frida.re/
http://appsec-labs.com/cydia/
http://cydia.zodttd.com/repo/cydia/
http://mobiletools.mwrinfosecurity.com/cydia/
http://repo666.ultrasn0w.com/
http://apt.thebigboss.org/repofiles/cydia/
http://cydia.radare.org/
http://apt.modmyi.com/
http://coolstar.org/publicrepo/
http://getdelta.co/ < Flex3 working
http://julioverne.github.io/
http://brunonfl.github.io/
http://apt.bingner.com/
http://repo.dynastic.co/
http://mcapollo.github.io/Public/
http://apt.hackcn.net/
http://repo.chariz.io/
http://cydia.ichitaso.com/
https://level3tjg.github.io < bfdecrypt (ios11/ios12)
http://ryleyangus.com/repo < Liberty Lite (beta) for JB bypass

  • adv-cmds: Advanced command line, which includes tools such as finger, fingerd, last, lsvfs, md, and ps.
  • AppList: Allows developers to query the list of installed apps and provides a preference pane based on the list.
  • AppSync Unified: Allows you to sync and install unsigned iOS applications.
  • class-dump: A command line tool for examining the Objective-C runtime information stored in Mach-O files and generating header files with class interfaces.
  • class-dump-z: A command line tool for examining the Objective-C runtime information stored in Mach-O files and generating header files with class interfaces. This is not available via Cydia, therefore please refer to the installation steps in order to get class-dump-z running on your iOS device. Note that class-dump-z is not maintained and does not work well with Swift. It is recommended to use dsdump instead.
  • Clutch: Used to decrypt an app executable.
  • Cycript: An inlining, optimizing, Cycript-to-JavaScript compiler and immediate-mode console environment that can be injected into running processes (associated with Substrate).
  • Cydia Substrate: A platform that makes developing third-party iOS add-ons easier via dynamic app manipulation or introspection.
  • cURL: A well-known HTTP client which you can use to download packages faster to your device. This can be a great help when you need to install different versions of frida-server on your device, for instance.
  • IPA Installer Console: Tool for installing IPA application packages from the command line. After installation, two commands are available, installipa and ipainstaller, which are identical.
  • Grep: Handy tool to filter lines.
  • Gzip: A well-known compression utility.
  • SOcket CAT: A utility with which you can connect to sockets to read and write messages. This can come in handy if you want to trace the syslog on iOS 12 devices.

Xcode

frida-ios-dump

SSL-Kill-Switch2

ClassDump

The new Classdump for iOS 12+ now works on both ObjC and Swift.

How the new Classdump works

Example:

iOS8-jailbreak:~ root# class-dump DVIA32

@interface FlurryUtil : ./DVIA/DVIA/DamnVulnerableIOSApp/DamnVulnerableIOSApp/YapDatabase/Extensions/Views/Internal/
{
}
+ (BOOL)appIsCracked;
+ (BOOL)deviceIsJailbroken;

AltDeploy

Signs IPA files on device; basically the new ipainstaller for iOS 12+.

fsmon

git clone https://github.com/coolstar/electra/issues/175

tcpdump

Add Cydia repo

https://starwarsfan2099.github.io/
http://apt.saurik.com/
https://midnightchip.github.io/repo/
http://beta.cpdigitaldarkroom.com/
https://r3st1t0u.github.io/
https://cydia.angelxwind.net/
https://cydia.hbang.ws/
http://rpetri.ch/repo/
https://repo.thireus.com/
http://apt.thebigboss.org/repofiles/cydia/
http://saj0vie.github.io/
https://dannyglover.github.io/repo/
https://legitcomputerwhisperer.github.io/
https://gmoran.me/repo/
https://imkpatil.github.io/repo/
https://jb365.github.io/
http://www.harrisonapps.com/repo/
http://cydia.jerryen.com/
https://ib-soft.net/cydia/
http://repo.tetherme.net/
http://cydia.ichitaso.com/
http://www.tateu.net/repo/
https://ib-soft.net/cydia/beta/
http://repo.sparkservers.co.uk/
https://creaturesurvive.github.io/
http://jakeashacks.com/cydia/
http://repo666.ultrasn0w.com/
https://packix.ioscreatix.com/
http://tigisoftware.com/cydia/
http://smokin1337.github.io/
http://beta.sparkservers.co.uk/
https://beta.unlimapps.com/
http://limneos.net/repo/
https://reddestdream.github.io/
http://repo.auxiliumdev.com/
https://seiterseiter.github.io/
https://cydia.ianburns.co/
http://ios11central.yourepo.com/
http://apt.modmyi.com/
http://randompacks.yourepo.com/
http://julioverne.github.io/
http://repo.jed.bz/
http://repo.mehulrao.com/
http://repo.m4cs.xyz/
http://cydia.zodttd.com/repo/cydia/
http://cydiageek.yourepo.com/
http://artikushg.yourepo.com/
https://electrarepo64.coolstar.org/substrate
https://electrarepo64.coolstar.org/

FutureRestore

https://github.com/encounter/futurerestore

Install Objection

python3 -m venv objection
source objection/bin/activate
pip3 install objection

Using Objection

https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial

Troubleshooting

If the process is killed, the executable does not have the right entitlements.

Changing Entitlements:

# Example entitlements file (keychain access to all groups, platform binary, no sandbox container)
GDS-iPhone6s-3:~ root# cat keychain_ent.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>keychain-access-groups</key>
    <array>
      <string>*</string>
    </array>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
  </dict>
</plist>

# Re-sign the binary with the entitlements file shown above (the filename passed to -S must match the file you created)
GDS-iPhone6s-3:~ root# ldid -Skeychain_ent.xml keychain_dumper