#Hooking Private Code from Stripped iOS Binaries
As far as the scanner is concerned, I'm finished with it. I'm going to do a final sweep and remove superfluous code and then I'll land the final commit.
Contact: [email protected]
|| @Hexploitable
##Instructions
-
Open your target app in a disassembler, grab first ~16 bytes (customise this as you will) of the method you want to hook and then use these as the signature with the scanner.
-
Compile the scanner and then set the binary's entitlements appropriately:
ldid -Sentitlements.xml <scanner binary>
-
Write the needle to a file:
echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > hex
-
Run the scanner against the target process. It will locate the signature in memory and print it's address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:
sudo ./scanner <pid> <Path to file containing needle>
e.g:
sudo ./scanner 1337 ./hex
-
Use the returned address in Tweak.xm to hook it.
- If ASLR/PIE is enabled - simply get the address of an import too, calculate the offset and then modify Tweak.xm to use an offset instead of a hardcoded address, this way you can hook it, knowing it'll work 100% of the time.
-
Inject your library into the process as you normally would:
DYLD_INSERT_LIBRARIES=/Library/MobileSubstrate/DynamicLibraries/<libName>.dylib ./<binary>
##Notes This is a fork from the original repository at https://reconditorium.uk/Hexploitable/memscan . It has been edited to fit another purpose but has not been rebranded. After contacting the author the Public Domain License has been applied.
This work (memscan, by Grant Douglas) is free of known copyright restrictions.