Source:https://blog.netspi.com/ios-tutorial-dumping-the-application-memory-part-2/

In my previous blog, iOS Tutorial – Dumping the Application Heap from Memory, I covered how to dump sensitive information from the heap of an iOS application using GDB. This time we will be covering how to use Cycript to accomplish the same goal but using the class-dump-z output to specifically pull out properties or instance variables. This round will be in a more automated fashion by automatically parsing a class dump of the binary and generating the necessary Cycript scripts to pull the specific properties from memory. I will also be releasing another tool to do all of this for you in the near future. Keep an eye on our NetSPI GitHub repo for the latest tools and scripts for when we release it.

If we do not have access to the source code then we must first decrypt the binary. We do this first to dump the class information about the binary. There are several guides out there for decryption but Clutch is my go-to tool for ease of use as it also regenerates an IPA file with the decrypted binary in it so you can install it again on a different device if you have to. After we extract/install the new decrypted binary, we can now run class-dump-z to get the header information with all the classes, properties, class methods, instance methods, etc.

 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
 
MAPen-iPad-000314:~root# ./class-dump-z -z TestApp
 
[TRUNCATED]
 
@interfaceCryptoManager:XXUnknownSuperclass{
@private
NSData*key;
}
@property(retain,nonatomic)NSData*key;
+(id)CryptoManager;
-(id)init;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5;
-(id)cipher:(id)cipher key:(id)key context:(unsigned)context withIV:(BOOL)iv usingIV:(id)iv5 withPad-ding:(BOOL)padding;
-(void)clearKey;
-(void)dealloc;
-(id)decryptData:(id)data;
-(id)decryptData:(id)data usingIV:(id)iv;
-(id)decryptData:(id)data usingIV:(id)iv withPadding:(BOOL)padding;
-(id)decryptData:(id)data withIV:(BOOL)iv;
-(id)decryptData:(id)data withIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptData:(id)data withKey:(id)key;
-(id)decryptString:(id)string;
-(id)decryptString:(id)stringwithIV:(BOOL)iv;
-(id)decryptString:(id)stringwithIV:(BOOL)iv withHeader:(BOOL)header;
-(id)decryptString:(id)stringwithIV:(BOOL)iv withHeader:(BOOL)header withKey:(id)key;
-(id)decryptString:(id)stringwithKey:(id)key;
-(id)encryptData:(id)data;
-(int)encryptData:(id)data AndAppendToFileAtPath:(id)path initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
-(id)encryptData:(id)data usingIV:(id)iv;
-(id)encryptData:(id)data withKey:(id)key;
-(id)encryptString:(id)string;
-(id)encryptString:(id)stringwithKey:(id)key;
-(id)hashString:(id)string;
-(id)hashString:(id)stringsalt:(id)salt;
-(BOOL)isHashOfString:(id)stringequalToHash:(id)hash;
-(BOOL)isHeaderValid:(id)valid;
-(id)newHeader;
-(unsignedlong)readEncryptedData:(void**)data atPath:(id)path offset:(long)offset length:(unsignedlong)length initiatedByUnlockOperation:(BOOL)operation error:(id*)error;
@end
 
[TRUNCATED]
 

So you can see above that TestApp has a class called “CryptoManager” and has a property called “key”. This looks interesting as there could be an encryption key sitting there in memory. We will now use Cycript now to grab that specific property from memory. Note during runtime, the “CryptoManager” class is instantiated before login but only after a valid user has successfully logged in once before on the device. Also, the class is never cleared out even when it is no longer needed, such as a user logged out, which is where the vulnerability lies. In this instance, we have already logged in successfully during a previous session and therefore the class is already in memory before the user logs in.

First we will hook into the running TestApp process from an SSH session so we can leave the application running on the iOS device.

 
1
2
3
4
 
MAPen-iPad-000314:~root# cycript -p TestApp
cy#
 

Now that we are hooked in, let’s go ahead and talk about the “choose” method in cycript. The “choose” method scans the heap for the matching class name and returns an array of objects that match that class’ structure. So, if we type “choose(MyClass)”. It is going to contain an indexed array of all instantiated classes of MyClass that are currently in memory (or that match that structure). The below output is just calling out the first indexed object which is index “0” and storing it into a variable called “a”. If you like GDB more, we can also take the memory location returned and go back to GDB for dumping out everything from that sub-region in memory or set breakpoints and watch the registers. See my previous blog on how to scan the heap here (https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/). Note however, that there can be more than one class instantiated in this array and you will to go through each index to get the properties of that instantiated class.

 
1
2
3
4
 
cy# a=choose(CryptoManager)
[#"< CryptoManager: 0x17dcc340>",#"< CryptoManager: 0x17f42ba0>"]
 

Now let’s dump the “key” property from memory so we can grab the key and decrypt any data in the app later on.

 
1
2
3
4
 
cy# a[0].key.hexString
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"
 

Bingo! We now have the hexadecimal of the key we need to decrypt anything this application wants to keep encrypted.

Now let’s talk about how to automate this and go over what we know and what we have to figure out programmatically as we go. We know that the class-dump-z output contains the output of all the classes and their properties. What we don’t know is whether or not those classes are currently instantiated or not. We also don’t know how many times the classes are instantiated in memory. What we can do is parse the class-dump-z output and create a map of classes and their properties. Now that we have a map we can now create Cycript scripts to pull the information out for us. Note however, that this technique is for classes that are already instantiated and we won’t be covering how to make a new instance of an object in Cycript as there are many tutorials and books on how to do this.

So we have to read Cycript’s output from the choose method to figure out how many times the object is instantiated in memory. To do that we can use JavaScript to get the array length:

 
1
2
3
4
5
 
cy# choose(CryptoManager).length
2
cy#
 

Cool, now we know how many times to loop through the array to pull out all instantiated “CryptoManager” objects. Now let’s move on to cycript scripting.

Cycript can take a script as a parameter and a basic script just has to contain the commands we want to run like so:

 
1
2
3
4
5
6
7
8
 
MAPen-iPad-000314:~root# cat dump.cy
a=choose(CryptoManager)[0]
a.key.hexString
 
MAPen-iPad-000314:~root# cycript -p TestApp dump.cy
@"6D2268CFFDDC16E890B365910543833190C9C02C4DCA2342A9AEED68428EF9B6"
 

One issue that I can’t seem to figure out is Cycript only returns the last line of output to the terminal when you run a script and doesn’t return all output. So to pull out multiple classes and their properties from the terminal, you have to create a new script for each class and property combination.  If anyone knows how to get around this limitation, please feel free to reach out to me on how to accomplish this. Or you can write everything in Cycript JavaScript if that is your preferred language.

[转]iOS Tutorial – Dumping the Application Memory Part 2的更多相关文章

  1. [转]iOS Tutorial – Dumping the Application Heap from Memory

     Source:https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/ An essential ...

  2. ios 10 sticker pack application

    看了WWDC2016直播,我们发现变得谨慎而开放的苹果在新一版四大平台系统中展示了很多变化,当然重中之重还是伟大的iOS.通过试用iOS10beta版,除了长大了的更强大的Siri主要感受到iMess ...

  3. ios理解 -- Pro Mutlithreading and Memory Management for iOS and OS X with ARC, Grand Central Dispatch, and Blocks

    Capturing automatic variables Next, you need to learn what the “together with automatic (local) vari ...

  4. 【iOS】No suitable application records found

    昨天提交 Apple 审核时遇到这个问题,如图: 原来是还没在 iTunes Connect 创建 APP ... 一时着急大意了…… 后来想想还真是脑子一时没反应过来……

  5. IOS XE-show memory

    有些时候,我们可能会遇到IOS XE设备的high memory的情况.我们可以使用的命令去查看相关信息. 例如: Router# show version Router# show memory R ...

  6. 25条提高iOS App性能的建议和技巧

    这篇文章来自iOS Tutorial Team 成员 Marcelo Fabri, 他是 Movile 的一个iOS开发者. Check out his personal website or fol ...

  7. Send Push Notifications to iOS Devices using Xcode 8 and Swift 3, APNs Auth Key

    Send Push Notifications to iOS Devices using Xcode 8 and Swift 3 OCT 6, 2016 Push notifications are ...

  8. 25条提高iOS app性能的方法和技巧

    以下这些技巧分为三个不同那个的级别---基础,中级,高级. 基础 这些技巧你要总是想着实现在你开发的App中. 1. 用ARC去管理内存(Use ARC to Manage Memory) 2.适当的 ...

  9. iOS应用性能调优建议

    本文来自iOS Tutorial Team 的 Marcelo Fabri,他是Movile的一名 iOS 程序员.这是他的个人网站:http://www.marcelofabri.com/,你还可以 ...

随机推荐

  1. javascript系列之DOM(三)---事件

    原文:javascript系列之DOM(三)---事件 事件是javascript跳动的心脏,是DOM所有成分结合的万金油.当我们在WEB 上进行某些交互时,事件也就发生了.点击某些内容,鼠标经过特定 ...

  2. crawler_http关闭连接

    1:ps aux|grep Spider4Test.jar 查看端口 2: lsof  -p [端口号] 在爬虫运行期间如果看到 大量的 TIME_WAIT  WAIT_CLOSE 说明请求关闭阻塞[ ...

  3. 基于ip san的iscsi操作执行过程

    SAN它是storage area network(存储区域网络)速记,早期san光纤通道技术被用于.当迟到iscsi协议后出现,为了在这两者之间区分.它分IP SAN和FC SAN.FC SAN由于 ...

  4. SoC嵌入式软件架构设计II:否MMU的CPU虚拟内存管理的设计与实现方法

    大多数的程序代码是必要的时,它可以被加载到内存中运行.手术后,可直接丢弃或覆盖其他代码.我们PC然在同一时间大量的应用,能够整个线性地址空间(除了部分留给操作系统或者预留它用),能够觉得每一个应用程序 ...

  5. nginx的五种负载算法模式

    nginx 负载均衡5种配置方式 1.轮询(默认) 每个请求按时间顺序逐一分配到不同的后端服务器,如果后端服务器down掉,能自动剔除. 2.weight  指定轮询几率,weight和访问比率成正比 ...

  6. 高性能双端js模板---simplite

    simplite是一款js实现的模板引擎,它能够完成浏览器端js模版和node服务器端js模板的数据渲染,渲染性能达到引擎的极限. 渲染性能十分突出. 支持浏览器端和node服务器端模板渲染. 它简单 ...

  7. ResultSet取结果集多少条记录方法及分页概要

    allst=toconn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY); allsql = ...

  8. js+css3动态时钟-------Day66

    昨天,有一天招,宽带到底没装上.相当恼火,不过包了一天租新房,有很多想法下来,其中,率先实现了--动态时钟(它已上载的资源,一些粗略的全貌.汗...) 这里记录.这个看似简单的功能,以达到良好的,我在 ...

  9. SQL点滴34—SQL中的大小写

    原文:SQL点滴34-SQL中的大小写 默认情况下,SQL Server不区分大小写,如果数据表TEST的TNAME列中有数据“abcd”和“Abcd”, 如果使用查询语句:select * from ...

  10. Cocos2d-x3.0 Json解析

    2dx3.0下一个JSON解析库官员以及集成.我们参考一下吧OK. JSON文件hello.json内容 {"pets":["dog","cat&qu ...