- checkra1n
- A7 - A10 devices (iPhone 5s - iPhone X), iOS 12.0+
- Dropbear SSH, port 44, root:alpine
- usbmuxd: USB multiplexing daemon (available via brew)
- Use scp to copy files to/from the device
- Forward remote (iDevice) port 44 (Dropbear SSH) to local (Mac) port 2222
iproxy 2222 44
- dumpdecrypted
- Inject through the DYLD_INSERT_LIBRARIES env var
- Sign the lib before injection
ldid -S dumpdecrypted.dylib
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/$APP_UUID/$APP_NAME.app/$APP_BIN
- Find debugserver at /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/$VER/DeveloperDiskImage.dmg
- Resign with debugserver entitlements
- Remember about the ASLR slide
- Basic code injection with dlopen or lldb's process load
Fake sign debugserver with ent.xml entitlements (on device)
ldid -Sent.xml debugserver
Forward debugserver's device port to the computer
iproxy 1111 1111
Run debugserver on the device
debugserver localhost:1111 -x backboard $APP_BIN_PATH
Run lldb on the computer
lldb
platform select remote-ios
process connect connect://localhost:1111
The two lldb commands can be put into .lldbinit
- Debugging iOS binaries with LLDB - @kov4l3nko
- Debugging Swift code with LLDB | by Ahmed Sulaiman | Flawless iOS | Medium
- GitHub - DerekSelander/LLDB: A collection of LLDB aliases/regexes and Python scripts to aid in your debugging sessions
- LLDB command map
- arm64 assembly crash course by @Siguza
- ARMv8 A64 Quick Reference
- Writing ARM64 Code for Apple Platforms
- GitHub - FLEXTool/FLEX: An in-app debugging and exploration tool for iOS
- GitHub - nabla-c0d3/ssl-kill-switch2: Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps
- GitHub - kasketis/netfox: A lightweight, one line setup, iOS / OSX network debugging library! 🦊
- Native binaries only
Find gdbserver at $ANDROID_SDK/ndk/$VER/prebuilt/android-$ARCH/gdbserver/gdbserver
Find the gdb frontend at $ANDROID_SDK/ndk/$VER/prebuilt/darwin-x86_64/bin/gdb
Forward gdbserver's device port to the computer
adb forward tcp:1111 tcp:1111
Run gdbserver on the device
gdbserver localhost:1111 --attach $PID
Run gdb on the computer
gdb
target remote localhost:1111
adb shell pm list packages
adb shell pm path com.example.someapp
adb pull /data/app/.../base.apk
- Apktool
- Works with aapt2
- baksmalis dex files by default
java -jar apktool.jar d com.example.someapp -o someapp/
- grep all the things!
grep -ir $QUERY . --include="*.smali"
- Set android:debuggable="true" in the AndroidManifest.xml
- Non-optimal solution
- Requires repacking of the apk
- Set ro.debuggable 1 globally in the prop file
- All apps become visible as debuggable in ADM (deprecated)
adb shell
su
magisk resetprop ro.debuggable 1
stop; start;
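Worked example for the android:debuggable step above, added here and not part of the original slides: a check over a decoded AndroidManifest.xml (as apktool writes it) for whether the app already declares `android:debuggable="true"` on its `<application>` element, plus the edit the slide describes. The same check run over a release build's decoded manifest is how a defender confirms the flag did not ship by accident. The manifest text is constructed.

```shell
# Added example (not from the original slides): detect and set
# android:debuggable="true" in a decoded AndroidManifest.xml.
# Assumption: the flag lives on the <application> element, which is where
# Android reads it. The manifest below is constructed sample input.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.someapp">
    <application android:label="@string/app_name" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>'

# is_debuggable <manifest text>: exit 0 if <application ...> carries
# android:debuggable="true". Lines are joined first so a multi-line
# <application> tag is still matched as one element.
is_debuggable() {
    printf '%s\n' "$1" | tr '\n' ' ' | grep -q '<application[^>]*android:debuggable="true"'
}

# set_debuggable <manifest text>: print the manifest with the flag forced on,
# replacing an existing value or adding the attribute when it is absent
set_debuggable() {
    if printf '%s\n' "$1" | tr '\n' ' ' | grep -q '<application[^>]*android:debuggable='; then
        printf '%s\n' "$1" | sed 's/android:debuggable="[a-z]*"/android:debuggable="true"/'
    else
        printf '%s\n' "$1" | sed 's/<application /<application android:debuggable="true" /'
    fi
}

# Stand-alone usage: report the current state, then show the patched manifest
if is_debuggable "$SAMPLE_MANIFEST"; then
    echo "manifest is already debuggable"
else
    echo "manifest is not debuggable; patched copy follows"
    set_debuggable "$SAMPLE_MANIFEST"
fi
```

After `set_debuggable`, the apk still has to be rebuilt with apktool and re-signed before it installs, which is the repacking cost the slide calls non-optimal; the ro.debuggable route above avoids it at the price of marking every app on the device debuggable.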
- Port forwarding
adb shell ps -A | grep $PACKAGE_ID
adb forward tcp:8700 jdwp:$PID
- Reset
adb forward --remove-all
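Worked example for the port forwarding steps above, added here and not part of the original slides: `ps -A | grep $PACKAGE_ID` also matches the app's secondary processes (`pkg:remote`) and any package whose name merely contains the query, so the helper below matches the NAME column exactly before building the `adb forward tcp:8700 jdwp:$PID` command. The `ps -A` output is a constructed sample in the toybox column layout; the package names and PIDs are assumptions.

```shell
# Added example (not from the original slides): pick the exact PID for the
# JDWP forward. The ps output below is constructed sample input.
SAMPLE_PS='USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10824   2316 0                   0 S init
u0_a123       4242   512 5034560 123456 0                   0 S com.example.someapp
u0_a123       4310   512 4512340  65432 0                   0 S com.example.someapp:remote
u0_a124       4401   512 4312000  54321 0                   0 S com.example.someappx'

# pid_for_package <ps output> <process name>: prints the PID whose NAME column
# equals the name exactly (header line skipped); fails if there is none.
pid_for_package() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        NR > 1 && $NF == pkg { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# jdwp_forward_cmd <ps output> <process name> [local port]: the adb command to
# run once the PID is known; 8700 is the local port used on the slide.
jdwp_forward_cmd() {
    pid=$(pid_for_package "$1" "$2") || return 1
    printf 'adb forward tcp:%s jdwp:%s\n' "${3:-8700}" "$pid"
}

# Stand-alone usage: main process of the app, and its :remote process
jdwp_forward_cmd "$SAMPLE_PS" com.example.someapp
jdwp_forward_cmd "$SAMPLE_PS" com.example.someapp:remote
```

On a real device, run `adb jdwp` first: it lists only the PIDs that expose a JDWP transport, so a PID that is in `ps` but not in `adb jdwp` belongs to a process that is not debuggable, which is what the manifest and ro.debuggable section above changes.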
- Any JDWP-capable debugger
- IntelliJ IDEA CE + smalidea
- Import Project: the smali source code folder
- Register the *.smali extension under "Editor -> File types"
- Configure remote debugging
- Dex to Java decompiler
jadx-gui
- Start the app waiting for the debugger
adb shell
am start-activity -D -W com.example.someapp/com.example.someapp.MainActivity
- JS-scriptable debugger backend for all platforms
- Start frida-server
/data/local/tmp/frida-server &
- Trace all the classes matching a pattern
frida-trace -U -f com.example.someapp -j '*someclass*!*/is'
- Debugging third-party machine code in Android - @kov4l3nko
- Android Reverse Engineering: Debugging Smali in Smalidea | Alexander Molochko
- Static analysis and debugging on Android using Smalidea, JDWP and ADB. | by Ghxst | Medium
- Debug Decompiled Smali Code in Android Studio 3.2 · malacupa.com
- Smali: Assembler for Android’s VM | Medium
- Dalvik bytecode | Android Open Source Project
- Dalvik Executable format | Android Open Source Project
- Registers · JesusFreke/smali Wiki · GitHub
- TypesMethodsAndFields · JesusFreke/smali Wiki · GitHub
- GitHub - skylot/jadx: Dex to Java decompiler