in this example will take a look at the weather app and make a modification to the label on the view controller. And then we'll make an alert message displaying the springboard. First, I'm going to log into my iPhone and then we'll inject our script framework into the weather application. So let me log in.
Okay, so we're in there. Let's clear the screen.
So then what we want to do is launch this script framework into our weather application. So let's launch the weather application, and now we need to inject it into the process I d. So let's find out what the process ideas by writing the P s command,
and we inject the process with the peace which so it's processed 7764 to see my scene
Okay, great. We've successfully injected our script framework into the weather application. When script injects itself into an application, it hooks you y application and then we can generate through all the other objects in that class. In our instance, we're going to look at the views of the application we can do that using the choose command.
This allows us to interact with all the other objects,
and the choose command scours the entire memory region for all the different views that we might want. So let's go ahead and choose
So as you can see, there's five or six different views here. If we were to find a view that were interested in, we could navigate to the sub class and look at all the different properties and methods that that class has. Okay, so what does our application have? What? We've got three sections there with Madrid, Barcelona
and West Haven. So let's go ahead and look for labels. We can use the choose command to look for labels as well
Choose you. I label. Okay.
Equals were making a new instance
of this particular memory dress. This was what holds the string? Barcelona.
So now we can adjust properties of the Barcelona label so we'll say
Let's see, where should we be?
So now we should see the label for Barcelona Change. So take a look at the iPhone
and there we go. Now it does. So using script, you can modify the different properties and the methods of different classes to see how that affects your program during your dynamic analysis.
Okay, so next let's just do another quick example. Let's send an alert to the springboard. So in this example, will use the U I alert view class to display a message box. So what we want to do is we want to go to the springboard.
Okay, so we got the springboard. And so what we want to do is get out of our
see script. Let's clear the screen because we want to go into the springboard now.
Okay, so now we're into the springboard.
So what we can do here is create new alert and we'll use the u I alert view class and allocate a message that gets popped to the springboard so we can do that by creating a variable.
equals the nice thing about
script as we can use
Okay, so that's her.
So we're gonna initialize it,
the title label will be
the time it's a title sell. We need
All right. And the message in the dialogue is gonna be
Delegate is nil. Villa delegates now, which means it doesn't require in a hand off or anything like that.
So now and we'll give it a cancel button,
which is actually one button.
Okay, so now this should create a new alert of you. Object.
So now we have a new u Y. Alert. You object. So what we can do is we can use wth e show method off this object to display a message on the screen. So alert.
So now you should see a message pop up on your springboard or on my spring partner. I should say so. Take a look at the iPhone.
So the ego there is our alert box
escapes agrees. Learning what's Ibori will change your life? Yes, one button changed my life,
so, unfortunately, that's all the time. I have to be able to show you this particular framework, but what you can do is you can go online. You can grab some third party applications, go through the static analysis process, then find some classes that you're interested in.
Load the application to your eye device, and then you can use script to go through dynamic analysis process.
The next step you should attempt it during your dynamic announces process is running your application in a debunker.
The bugger is a computer program that's used to test and a bug. Other programs.
The buggers are an essential tool firm our analysts because they offer code inspection a deeper level. The bugger available for Apple is L L D P and L L D. Be offers a variety of advanced debugging features for your IOS or Mac OS applications.
It's available via X code or the remote. The bugger server on a jail broken device. Unfortunately, debugging out IA West usually comes with some limitations.
Typically the X Code bugger will only allow you to debug homegrown applications. However, there are some open source tools that will allow you to debug applications on your device. The toe I recommend and have used is I p a patch with i p a patchy. Simply download the I p A patch project rename the I P. A patch you wish to debug
and then launched the iPod patch project.
Then, with just a few changes in your build settings, your target application will run with X code on your connected device. The nice thing is, is that you can run this application with X code on a non jail broken device. So there are some benefits to using this approach.
So if you don't want to buy developers license for X code and you want a little bit more power when it comes into bugging, I'm gonna show you how to get an L. D be remote debugging session set up on your eye device. The set of is fairly simple. However, you need a jail broken device. I proxy and your Mac, the eye proxy software will allow you to ford all your connections from the debunker client
to the dim bugger server on your eye device.
The first thing you're gonna want to do is set up the two proxies. The first is for S S H, and the second is for the debugging traffic. Once we've confirmed the connections there set up correctly, then we can start running commands.
Okay, so let's go ahead and set up some proxies.
We'll start with the iPhone proxy Proxy,
this is for sshh. Okay, let's verify it's working. Shh. Route.
Okay, we're in our iPhone, so we'll get rid of
Don't need that anymore. Okay, so let's go ahead and do our proxy for the debugging server.
The ports don't matter Here.
Okay, so that's it, huh?
Don't need that window anymore. Okay, so now it's started the bugging server,
but first, we need a process to inject into. So what we can do is here's what I thought
we wanted to bug the weather app. So
Okay, so now it's listening for a connection, so that seems good to go. So let's
No, no, The window. Here. Let's watch. R l D B.
Okay. What we want to do is tell the remote platform that we're using IOS. So we'll use platform.
Okay, so that's good. So now we'll connect
using the process. Command
should connect us. Just takes. There we go. Okay. Looks like we're good to go. So now you might say yourself. Okay, we're good to go, but what are we doing? Where are we going? What are we doing? So debunkers allow you to move around the program.
We can look at memory registers, print variables, objects, methods, properties. The list goes on.
But first, let's explore weather app. Why? It's debug. Okay, so what can we do? While the first thing we can do is look at the main function of the program, but we have to locate it first is like this big bowl of memory, right? So let's see where the images and memory we can run a command to do that
now, because I os utilizes, ***, are we need to calculate the offset of the address to where main is located. Well, okay. How do we know remain is well, let's grab the offset by taking the difference. The paid zero in the text containers, memory dresses. This is the SLR shift. Let me show you where that is.
So here's our paid zero container. And here's our text container. So what we'll do is we will take this address this address right here. We'll subtract it by this address
and that will give us our SLR shift.
So you get the address is here.
OK, so that's our SLR shift.
So now what we can do is we can set this up as a variable,
a delta variable, so that we always can use it. When we need to find offsets, off work functions are located and we can do that. Rain here too.
this address right here.
Okay, So now we can always use that delta variable when we need to look at where offsets are in memory.
Okay, So, back to our question, where's the main function? Well, that's where a handy dandy disassembly comes in. Let's see where the hopper says. Our entry point of the program is So what we have to do is let's just close all this out here
so spring the hopper up the hopper happens to say that the main function here is our main function here. Right? The main function is that this offset here.
So what we can do is go back into our deep Bulger,
and now we'll use our delta variable to calculate the SLR shift
Oops. Oh, my bad. Yeah, And he's the whole address,
He's a decimal. I mean, his hacks.
the Harry. OK, I was going crazy. So now what we can do is use this address will disassemble it this address and see if this is where the main function is. So let's do that.
So disassemble. We use this address,
but you can even use us three there,
Oh, what did I do wrong?
Okay, let's see if this matches up.
So we've got unnamed symbols.
Get the symbol stub here at application. You I
Let's go back to the hopper.
Okay. So let's just call it a couple of things that you see it so you can see it. Okay, so we've got at application, so let's go to our hopper wanted to see if this is what this looks like. Here's our U U Y application main, so it looks promising.
Let's go to the hopper.
There's our main function. So we've accurately calculated the SLR shift. Okay, so now that we know our programs entry point, we can go back.
Yeah, we could do a lot of things at this point. We could set a break point at this address if we wanted to.
Where Main is do that
so that we had a break point there.
he read it registers. We can go back to the hopper, and we confined interesting functions that we want to look at war methods.
So any time you see a let's see if we can find one.
So any time you see this object message send,
that means a method is getting implemented. So what you could do is you could go through Hopper and find all the methods you're interested in. And then all you would have to do is calculate the *** are offset and jump to these addresses and check him out. So now that you have a feel for the do bugger a bit. You could go find an application you curious about pulled off your device,
then dump the classes and play around with it in the jar. Bugger, while you have it open in the hopper.
All right, so I hope that was helpful for you. So remember, we've only just scratched the surface here with the bunker, but now you can get your own debugging server set up. You can calculate the SLR shift to locate portions of your program you wish to investigate.
And while the bugging you can make use of break points and other execution commands to navigate and step through the program and determine the functionality
Now doing your Mauer analysis, remember to combine the stack analysis process by looking for interesting classes, finding the methods for those classes and then setting break points on them during run time to see what values, arguments and other properties they hold.
While performing your dynamic analysis, you should monitor the network connections and application is making to uncover any malicious network traffic to command control servers, ad networks, et cetera. During the static analysis phase, you should be able to get some clues to the network functionality by dumping the network relieving classes and you're executed ble
or often simply by viewing strings.
Now, while there are many tools that allow you to set a minute where proxies you the data and manipulate responses for our purposes, we have a very simple option that does the job very nicely. And it's easy to set up
with TCP dump. We can set the iPhones networking adapter in promiscuous mode to intercept all the traffic. If we have a suspicious your Ellen mind, we can also use grab to filter out other network noise and to dump this to a peak cap file, which we can then view later in wire shark.
Okay, so let me show you how to do this really quick. It's really fast, actually. So the first thing we want to do is we want to log into our I device so we can do that using SS age,
Okay, so now what we want to do is we want to set up TCP dumb toe. Listen on our network adapter, so are networking, and after is e n zero and we'll dump all of the malicious traffic to a peak cap file. So we can do that using the TCP dumped command. So TCP dump
The interface is ian zero,
and the W switch will allow us to dump it to a file.
was caught. Now, that pea cap
for our malicious you are. Well, in this case, it's going to be hex keeps.
Okay, so now we're listening on our device. So what we need to do is generate some traffic. So let's go to
Google, and then we'll go to heck scapes.
so now that generated some web traffic. So at this point, what we can do is we could let the monitor run for a while and let our application connected to any your ills that we think it's connecting to. In this particular instance, we're just going to stop it.
And now we should have a file
mel dot decaf, which we d'oh. Okay, so what we can do is we can take this and we can move it over to our Callie limits machine, and we can investigate it. So let's look at our Callie machine.
Now I've gone ahead and move this file just to save some time.
But what we can do is just open it and wire shark.
So as you can see you, we've got our http, get request. And if we look down here at the while, we can just
There's our hex capes. You Earl. So that's how we can view the network traffic using TCP dump on her iPhone.
In the dynamic analysis section, we briefly touched on some strategies detailing how you could run your applications that run time and determine its functionality. Now, although some of the tools require some in depth knowledge of swift and objective C
using some of the frameworks and tools we outlined, shouldn't you be a good start with which you'll be able to create your own process
and dig into mobile now, where more effectively