Once you start looking into iOS applications, one of the first things you will want to do is dump the class information. Dumping the class headers of an application will give you a lot of good information and understanding of what an application is doing. It will also be extremely valuable once you start attacking the application with cycript or your other favorite real-time hooking tool. To do this you just need to decrypt the binary, run class-dump-z and start poring through the results. Since iOS applications are written in Objective-C you will need a little understanding of the language. It is a pretty simple but crucial step in understanding how an application works and how you can attack it.

1. Decrypt Binary

To dump the class information we will first need to decrypt the binary. In this example we will not decrypt the binary manually but use a tool to do the work for us. The tool of choice will be clutch. To install clutch just add http://cydia.xsellize.com to your Cydia sources and install it from there. If you have a preferred source for clutch feel free to add it from there instead. Once clutch is installed it is pretty easy to decrypt an application. On the phone just run clutch and you will see all of your installed applications. From there you just run clutch with the application name like below.

clutch
usage: clutch [application name] [...]
Applications available: Cor.kz Free Chess
clutch Free\ Chess
Cracking Free Chess...
	/var/root/Documents/Cracked/Free Chess-v1.0.1.ipa

Your unencrypted application will now be in /var/root/Documents/Cracked/. Now we just want to install this version over the encrypted one.

2. Install Unencrypted Binary

Now that we have an unencrypted ipa we need to install it. This can be done many ways. Some people like to do it with iFunBox, but I will just use ipainstaller. You can install IPA Installer Console from the default BigBoss source. You will also need to install AppSync, which is also available in the xsellize source above. Once you install both packages you can install the unencrypted binary. Example below.

ipainstaller -c Free\ Chess-v1.0.1.ipa 
Clean installation enabled.
Will not restore any saved documents and other resources.
 
Analyzing Free Chess-v1.0.1.ipa...
Installing Free Chess (v1.0.1)...
Installed Free Chess (v1.0.1) successfully.
Cleaning old contents of Free Chess...

3. Class Dump
Now that we have the unencrypted version of the application installed, we can dump the class headers. To do this you will need to have Class-Dump-Z installed. I installed mine from the cydia.radare.org source. Once installed we can proceed to dump the class information. To do this go into your application directory located in /private/var/mobile/Applications/UID (your UID will be different than in the example below). Once in the directory you can just run class-dump-z against the binary file; I typically pipe the output to a file.

cd /private/var/mobile/Applications/25261D1C-3942-412C-9228-33B253307EA0/Free\ Chess.app
class-dump-z Free\ Chess > class-dump.txt

You now have all the class headers of the application in a txt file. From here you can analyze them on the phone or pull the file down and start poring through it. You want to look for interesting functions you may want to hook when doing real-time analysis. Things to look for will depend on the application, but some ideas are removing passwords, decrypting data, intercepting traffic or removing jailbreak detection. Within the class dump headers you will see @interface and @protocol. @interface will have the declaration of methods and properties, and @protocol will list related methods it may use. Typically we will want to look at the @interface areas. From the chess app I dumped, below are some interesting functions to give an idea of the things you will see.

__attribute__((visibility("hidden")))
@interface PromotionView : SafeTouchesView {
@private
	NSMutableArray* arrayImages;
	BOOL backPressed;
	CGRect backRect;
	CGRect arrayRects[5];
	BOOL _hitQueen;
	BOOL _hitBishop;
	BOOL _hitKnight;
	BOOL _hitRook;
}
__attribute__((visibility("hidden")))
@interface AdvertisingView : UIView {
@private
	int m_nCurrentScene;
	int m_nCurrentSoftAd;
	bool m_bDrawDef;
	NSTimer* m_Timer;
	NSTimer* m_TimerSoftAd;
	NSMutableData* _receivedData;
}
-(id)initWithFrame:(CGRect)frame;
-(void)copyResourceImageToDocumentFolder;
-(void)copyResourceConfigToDocumentFolder;
-(void)autoDownloadConfig;
-(void)saveAdImage:(id)image;
-(void)loadConfig:(int)config;
-(void)loadImage;
-(void)isFinishThread;
-(void)switchSoftAd;
-(void)switchScene;
-(void)doTransition:(basic_string<char,std::char_traits,std::allocator >)transition;
-(void)callLinkCountProduct;
-(void)touchesBegan:(id)began withEvent:(id)event;
-(void)touchesEnded:(id)ended withEvent:(id)event;
-(void)connection:(id)connection didReceiveResponse:(id)response;
-(void)connection:(id)connection didReceiveData:(id)data;
-(void)connection:(id)connection didFailWithError:(id)error;
-(void)connectionDidFinishLoading:(id)connection;
-(void)drawRect:(CGRect)rect;
-(void)drawView:(CGRect)view;
-(void)dealloc;
@end

This is not the best example since you basically will just win at chess but it gives you a good idea of what you will see in the class headers and how much it helps you understand the application for further testing.
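To make the "look for interesting functions" step repeatable on a large class-dump.txt, here is an added example (my code, not from the post or from class-dump-z) that parses class-dump-z style headers into classes and methods and buckets selectors by the keywords mentioned above. The sample input is constructed: the AdvertisingView lines are trimmed from the dump above, and LoginHelper is an invented class so the credential and jailbreak buckets have hits.

```python
import re

# Constructed sample in class-dump-z layout (AdvertisingView trimmed from the dump above; LoginHelper invented).
SAMPLE_DUMP = """\
@interface AdvertisingView : UIView {
\tNSMutableData* _receivedData;
}
-(void)autoDownloadConfig;
-(void)connection:(id)connection didReceiveData:(id)data;
-(void)doTransition:(basic_string<char,std::char_traits,std::allocator >)transition;
@end
@interface LoginHelper : NSObject
-(BOOL)validatePassword:(id)password;
+(BOOL)isJailbroken;
@end
"""
INTERFACE_RE = re.compile(r"^@interface\s+(\w+)\s*(?::\s*(\w+))?")
METHOD_RE = re.compile(r"^([-+])\s*\(([^)]*)\)\s*(.+);$")  # kind, return type, selector with args

def parse_class_dump(text):
    """Map each @interface name to its superclass and a list of (kind, return type, signature)."""
    classes, cur, in_ivars = {}, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if m := INTERFACE_RE.match(line):
            cur, in_ivars = m.group(1), line.endswith("{")
            classes[cur] = {"super": m.group(2), "methods": []}
        elif cur is None or in_ivars:  # outside any class, or still inside the { ... } ivar block
            in_ivars = in_ivars and line != "}"
        elif line == "@end":
            cur = None
        elif m := METHOD_RE.match(line):
            classes[cur]["methods"].append(m.groups())
    return classes

def selector(sig):
    """'connection:(id)c didReceiveData:(id)d' -> 'connection:didReceiveData:'; parenthesised types
    are stripped first so C++ template arguments such as std::allocator are not read as selector parts."""
    return "".join(p + ":" for p in re.findall(r"(\w+):", re.sub(r"\([^)]*\)", "", sig))) or sig

# Rough keyword buckets for what the post says to look for; expect a few false positives.
INTERESTING = {"credentials": r"pass(word|code)|secret|token|credential", "crypto": r"encrypt|decrypt|cipher",
               "network": r"connection|request|response|url|download", "jailbreak": r"jail|cydia"}

def triage(classes):
    """Return (class, selector, bucket) for every method whose selector matches a keyword bucket."""
    hits = []
    for name, info in classes.items():
        for kind, _ret, sig in info["methods"]:
            sel = kind + selector(sig)
            bucket = next((b for b, pat in INTERESTING.items() if re.search(pat, sel, re.I)), None)
            if bucket:
                hits.append((name, sel, bucket))
    return hits
```

Run it over a real class-dump.txt with `triage(parse_class_dump(open("class-dump.txt").read()))` to get a starting list of classes and selectors to review.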


*****UPDATE 12/29/13*****

A new version of clutch has been released for armv7, armv7s, & arm64. You can download the latest release from https://github.com/KJCracks/Clutch-dl/ . Once you download the file from GitHub, simply scp it over to the phone and give it execute permission. Below is the output when run against an app. All other steps are the same once it creates the unencrypted ipa file in /var/root/Documents/Cracked/.

chmod +x Clutch-1.3-3.2-git4
./Clutch-1.3-3.2-git4 -C Cor.kz
You're using a Clutch development build, checking for updates..
Your version of Clutch is up to date!
Downloading config files..
Clutch configuration
===============
ProgressBar
 - Do you want to show progress bar (YES) yes
MetadataEmail
 - What email should we patch in metadata? (steve@rim.jobs) bah@bah.com
RemoveMetadata
 - Do you want to remove metadata (NO) 
Using default value..
VerboseLogging
 - Do you want to enable verbose logging (NO) 
Using default value..
NumberBasedMenu
 - Do you want a number based menu? (NO) 
Using default value..
Not enabled entry MetadataPurchaseDate
CheckMinOS
 - Do you want to check minimum OS? (adds minimum OS version to file name) (NO) 
Using default value..
CrackerName
 - What's your name? () test
CreditFile
 - Do you want a credit file in the IPA? (NO) 
Using default value..
ListWithDisplayName
 - Do you want a show the application display name on lists? (NO) 
Using default value..
CompressionLevel
 - What do you want the compression level to be? Use -1 for default compression (-1) 
Using default value..
FilenameCredit
 - Do you want your name in the IPA's name? (NO) 
Using default value..
CheckMetadata
 - Do you want to check metadata (NO) 
Using default value..
