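# Copy the Skype database off a jailbroken device (SSH reached through the usbmuxd relay on localhost:2222, see tcprelay below) and pull it into the cwd.
# Password handling: `sshpass -p` exposes the password to every local user via `ps`; `sshpass -e` reads it from SSHPASS instead. Better still: key auth, and change the well-known default `alpine` on the device.
# Quoting: the -name pattern is quoted so neither the local nor the remote shell expands it; the command substitution is quoted so a container path with spaces is not split.
# If more than one s4l*db file exists the cp will fail (several sources, non-directory target) — narrow the -name pattern in that case.
PASS=alpine; PORT=2222; SSHPASS="$PASS" sshpass -e ssh -p "$PORT" root@localhost -t "cp \"\$(find /var/mobile/Containers/Data/Application/ -name 's4l*db')\" /private/var/tmp/skype.db" && SSHPASS="$PASS" sshpass -e scp -P "$PORT" root@localhost:/private/var/tmp/skype.db .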
# Pull the app's preferences plist; the container UUID is device-specific (it is the "Data" path reported by appInfo() further down).
/tmp$ scp -P 2222 root@localhost:/private/var/mobile/Containers/Data/Application/F8C7294C-2B60-48EC-A987-D46B9FE4DEAE/Library/Preferences/com.skype.skype.plist .
# The plist is binary; plistutil converts it to XML so it can be read. Treat the file as sensitive — preferences often hold tokens and account identifiers.
/tmp$ sudo apt-get install libplist-utils
/tmp$ plistutil -i com.skype.skype.plist | less
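# On the device (root shell): print every plist under the containers whose bytes contain "skype" (case-insensitive).
# find -exec replaces `for p in $(find ...)`, which word-splits paths containing spaces, and the pattern is quoted
# so the shell cannot expand `*plist` against the current directory before find sees it.
# Binary plists are matched as raw bytes, so a plain-ASCII occurrence is found; encoded values may be missed.
find /var/mobile/Containers/ -type f -name '*plist' -exec grep -qi skype {} \; -print 2>/dev/null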
/var/mobile/Containers/Shared/AppGroup/F791CE65-68AF-4293-9FC6-CEB502B77BC6/.com.apple.mobile_container_manager.metadata.plist
/var/mobile/Containers/Data/Application/F8C7294C-2B60-48EC-A987-D46B9FE4DEAE/.com.apple.mobile_container_manager.metadata.plist
/var/mobile/Containers/Data/PluginKitPlugin/D04E5836-CE88-4883-A1E2-FE529F7D2139/.com.apple.mobile_container_manager.metadata.plist
/var/mobile/Containers/Data/PluginKitPlugin/47C6588E-344B-497C-9C6D-2397B834101F/Library/Preferences/com.apple.AppPredictionWidget.extension.plist
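# SSH-over-USB setup: usbmuxd + a small relay that forwards device port 22 to localhost:2222.
mkdir -p ~/ios_ssh && cd "$_"
# Quote the glob: an unquoted libimobiledevice* is expanded by the local shell against the cwd before apt-get sees it.
sudo apt-get install libgcrypt20-doc gnutls-doc gnutls-bin usbmuxd 'libimobiledevice*'
# Unpinned third-party clone; read tcprelay.py before running it — it sits between you and the device's root shell.
git clone https://github.com/rcg4u/iphonessh
cd iphonessh/python-client/
# ./* rather than * so a file name starting with "-" cannot be parsed as a chmod option.
chmod +x ./*
# tcprelay.py is a Python 2 script (the script below runs it with python2.7); it stays in the foreground until Ctrl-C.
# The relay only listens on localhost; do not bind it on an external interface, the device root password is the default.
python2 tcprelay.py -t 22:2222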
Open a second terminal (leave tcprelay running in the first) and connect:
# Log in through the relay. Change the well-known default root password with `passwd` right after the first login;
# until then anyone who can reach the device's SSH port (e.g. over Wi-Fi on a jailbroken device with OpenSSH) can log in as root.
ssh -p 2222 root@localhost
default password: alpine (the jailbreak default — change it with `passwd` on first login)
# Push a tcpdump binary to the device for on-device captures. It has to be a build for the device's iOS/ARM platform (a desktop
# binary will not run); /tmp on iOS is /private/var/tmp. Mark it executable on the device afterwards if scp did not preserve the bit.
scp -P 2222 tcpdump root@localhost:/tmp/tcpdump
Once SSH over USB works (tcprelay running, login succeeds), dump the decrypted IPA:
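# Dump the decrypted IPA with frida-ios-dump (needs frida-server running on the device and the SSH relay on localhost:2222).
# Supply-chain caveat: the repo is cloned unpinned and its requirements.txt is installed system-wide as root.
# Review both first, or install into a venv (`python3 -m venv .venv && . .venv/bin/activate && pip install -r requirements.txt`)
# so that nothing from the checkout runs with elevated rights. `python3` replaces the hard-coded python3.6 interpreter.
git clone https://github.com/AloneMonkey/frida-ios-dump.git && cd frida-ios-dump && git checkout origin/3.x && sudo -H pip3 install -r requirements.txt --upgrade && sudo python3 dump.py com.app.bundle.id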
Find the app's bundle ID (frida-server must already be running on the device):
# -U: USB device, -a: applications only, -i: include installed-but-not-running apps. The "Identifier" column is the bundle ID.
# Replace {app name} with the app's display name; quote it if it contains spaces.
$ frida-ps -Uai | grep -i {app name}
Reference (transparent-mode setup and installing the mitmproxy CA on the device): https://docs.mitmproxy.org/stable/howto-transparent/ https://docs.mitmproxy.org/stable/concepts-certificates/
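# Run mitmproxy transparently and log TLS session keys for Wireshark.
# Bug fixed: the original truncated ./SSLKEYLOGFILE.txt but logged to /tmp/SSLKEYLOGFILE.txt; one variable is used for both now.
# The key log decrypts every captured session — keep it on this host only and delete it when the analysis is done.
# Transparent mode requires the host to be the device's gateway with redirect rules in place (root); see the mitmproxy howto linked above.
KEYLOG=/tmp/SSLKEYLOGFILE.txt; truncate -s0 "$KEYLOG" && SSLKEYLOGFILE="$KEYLOG" ./mitmproxy --mode transparent --showhost -v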
# --codeshare downloads dki/ios-app-info from codeshare.frida.re at run time and injects it into the Skype process.
# It is unpinned third-party JavaScript executing inside the target with the app's privileges; read the script
# (frida shows it and asks for confirmation the first time) before trusting it.
$ frida -U Skype --codeshare dki/ios-app-info
[iOS Device::Skype]-> appInfo()
{
"Binary": "/var/containers/Bundle/Application/5248EE27-AC28-427D-AAA9-000F1DDAFB95/Skype4Life.app/Skype4Life",
"Bundle": "/var/containers/Bundle/Application/5248EE27-AC28-427D-AAA9-000F1DDAFB95/Skype4Life.app",
"Bundle ID": "com.skype.skype",
"Data": "/private/var/mobile/Containers/Data/Application/F8C7294C-2B60-48EC-A987-D46B9FE4DEAE",
"Name": "Skype4Life",
"Version": "8.41.0.54"
}
[iOS Device::Skype]-> infoDictionary() {
"Appboy": "{
ApiToken = "aaaa-bbbb...";
Endpoint = "spica.iad-03.braze.com";
SessionTimeoutInSeconds = 600;
}",
"BuildMachineOSBuild": "18B75",
"CFBundleDevelopmentRegion": "en",
"CFBundleDisplayName": "Skype",
"CFBundleExecutable": "Skype4Life",
"CFBundleIcons": "{
CFBundlePrimaryIcon = {
CFBundleIconFiles = (
AppIcon29x29,
AppIcon40x40,
AppIcon60x60
);
CFBundleIconName = AppIcon;
};
}",
"CFBundleIdentifier": "com.skype.skype",
"CFBundleInfoDictionaryVersion": "6.0",
"CFBundleName": "Skype4Life",
"CFBundleNumericVersion": "0",
"CFBundlePackageType": "APPL",
"CFBundleShortVersionString": "8.41.54",
"CFBundleSignature": "????",
"CFBundleSupportedPlatforms": "(
iPhoneOS
)",
"CFBundleURLTypes": "(
{
CFBundleURLName = "com.skype.join";
CFBundleURLSchemes = (
skype
);
}
)",
"CFBundleVersion": "8.41.0.54",
"DTAppStoreToolsBuild": "10B63",
"DTCompiler": "com.apple.compilers.llvm.clang.1_0",
"DTPlatformBuild": "16B91",
"DTPlatformName": "iphoneos",
"DTPlatformVersion": "12.1",
"DTSDKBuild": "16B91",
"DTSDKName": "iphoneos12.1",
"DTXcode": "1010",
"DTXcodeBuild": "10B61",
"LSApplicationQueriesSchemes": "(
msauth
)",
"LSRequiresIPhoneOS": "1",
"MinimumOSVersion": "10.0",
"NSAppTransportSecurity": "{
NSAllowsArbitraryLoadsInWebContent = 1;
}",
"NSCalendarsUsageDescription": "To add the scheduled call, we need access to your calendar.",
"NSCameraUsageDescription": "For people to see you during calls, we need access to your camera.",
"NSContactsUsageDescription": "We'll upload your contacts to Microsoft's servers to easily connect you with your friends.",
"NSLocationAlwaysAndWhenInUseUsageDescription": "Cortana will use your location to send you better reminders.",
"NSLocationAlwaysUsageDescription": "Cortana will use your location to send you better reminders.",
"NSLocationWhenInUseUsageDescription": "Allow location in order to find nearby places.",
"NSMicrophoneUsageDescription": "For people to hear you during calls, we need access to your microphone.",
"NSMotionUsageDescription": "We need to access accelerometer data to get right orientation for the camera",
"NSPhotoLibraryUsageDescription": "To share photos, we need access to your photo library.",
"NSUserActivityTypes": "(
INStartAudioCallIntent,
INSendMessageIntent
)",
"UIAppFonts": "(
"SegoeUI-Regular.ttf",
"SegoeUI-Bold.ttf",
"SkypeUISymbol-Regular.ttf",
"SkypeUISymbol-Bold.ttf",
"SkypeAssets-Regular.ttf",
"SkypeAssets-Light.ttf",
"SkypeAssets-Medium.ttf",
"SkypeAssets-Bold.ttf",
"AddinAssets-Todo.ttf"
)",
"UIBackgroundModes": "(
audio,
"remote-notification",
voip
)",
"UIDeviceFamily": "(
1
)",
"UILaunchStoryboardName": "LaunchScreen",
"UIRequiredDeviceCapabilities": "(
armv7
)",
"UISupportedDevices": "(
"iPhone7,1",
"iPhone8,2"
)",
"UISupportedInterfaceOrientations": "(
)",
"UIViewControllerBasedStatusBarAppearance": "0"
}
[iOS Device::Skype]-> infoLookup("NSAppTransportSecurity") {
"NSAllowsArbitraryLoadsInWebContent": "1"
}
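#!/bin/bash
# Extract the decrypted IPA of an installed app from a jailbroken iOS device
# (USB-attached, OpenSSH on device port 22, frida-server running).
#
# Usage:  ./extract_ipa.sh com.app.bundle.id
# Output: /tmp/ios_ssh/iphonessh/python-client/frida-ios-dump/AppName.ipa
#
# Supply-chain caveat: both repositories are cloned unpinned and requirements.txt
# is installed system-wide as root. Review them before running this on a machine
# you care about, or point pip at a venv.
set -euo pipefail

BUNDLE_ID="${1:?usage: $0 com.app.bundle.id}"
WORKDIR=/tmp/ios_ssh
TCP_RELAY_PID=""

# Tear the relay down on every exit path — the original only killed it after a
# successful dump, so a failing step left tcprelay running in the background.
cleanup() {
    if [ -n "$TCP_RELAY_PID" ]; then
        kill "$TCP_RELAY_PID" 2>/dev/null || true
    fi
}
trap cleanup EXIT

mkdir -p "$WORKDIR"
cd "$WORKDIR"
# Quote the glob: an unquoted libimobiledevice* is expanded by the shell against the cwd, not by apt.
sudo apt-get install -y libgcrypt20-doc gnutls-doc gnutls-bin usbmuxd 'libimobiledevice*'

# Skip the clone on re-runs so an existing checkout under /tmp does not abort the script.
[ -d iphonessh ] || git clone https://github.com/rcg4u/iphonessh
cd iphonessh/python-client/
chmod +x ./*
# Relay device port 22 to localhost:2222 in the background; give it a moment to bind before the dumper connects.
python2.7 tcprelay.py -t 22:2222 &
TCP_RELAY_PID=$!
sleep 2

[ -d frida-ios-dump ] || git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
git checkout origin/3.x
sudo -H pip3 install -r requirements.txt --upgrade
# Bundle ID is quoted so a malformed argument cannot be split into extra options.
sudo python3.6 dump.py "$BUNDLE_ID"
# Nothing else to clean up: everything lives under /tmp and the EXIT trap kills the relay.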