Closed ninoz closed 7 years ago
I just deployed the same app on a jailbroken device and it works as expected, so I guess a jailbreak is required for the hooking to work :(
I haven't tried it myself, but it should work on a non-jailbroken device. Make sure to build the Xcode project (not the Theos/Makefile project).
Hi, Thanks for the reply.
I was building using the Theos makefile; I just tried with the Xcode project.
I'm not sure if you're familiar with theos-jailed, but it supports injecting in a number of different formats (framework/dylib, etc.):
https://github.com/kabiroberai/theos-jailed/wiki/Usage
It's likely a question for its developer, but which method would you recommend?
I am not familiar with theos-jailed, but it seems like it should work. Personally, I just inject the Kill Switch library using a load command and re-package the full app with it.
Hi
I did a little search and found a tutorial on injecting the DYLIB using otool
Within the console I get the following:
Aug 27 13:07:55 iPhoneN DamnVulnerableIOSApp(SSLKillSwitch.dylib)[3473]
So it looks like the dylib injection is working as expected; however, it's using the OS X-based fishhook as opposed to the Substrate hook. I have to admit I'm not entirely sure what I'm doing when it comes to Objective-C. I'm guessing I need to ensure that the preprocessor directive SUBSTRATE_BUILD is set, using something like "#define SUBSTRATE_BUILD 1" at the top of the class.
When I do I get a whole host of errors which I need to work through, such as:
Undefined symbols for architecture armv7:
"_MSHookFunction", referenced from:
_init in SSLKillSwitch.o
"_MSHookMessageEx", referenced from:
_init in SSLKillSwitch.o
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)
So I solved the HookMessage errors by adding CydiaSubstrate.dylib and CydiaSubstrate.h to the Xcode project.
Xcode compiles everything, and I inject the dylib into the binary using optool and redeploy it.
I get the following on the console:
Aug 27 19:10:06 iPhoneN ReportCrash(CrashReporterSupport)[3783] <Notice>: Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Description: DYLD, Library not loaded: /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate | Referenced from: /var/containers/Bundle/Application/8B95F04F-857F-4B8F-B233-3E3F0B2D95AC/DamnVulnerableIOSApp.app/SSLKillSwitch.dylib | Reason: image not found
Triggered by Thread: 0
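The crash above is dyld refusing to load the injected dylib because one of its own load commands names an absolute path that only exists on a jailbroken device. The checker below is an added example and not code from this thread or from the SSL Kill Switch 2 project: it reads the Mach-O load commands the same way `otool -L` does, lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB install path in each slice of a thin or fat image, and classifies each path as shipped by iOS, bundled inside the .app, or missing on a stock device. The Mach-O images it runs on are constructed in-line as test data by the hypothetical `build_macho` / `build_fat` helpers; the function names, the `@executable_path/SSLKillSwitch.dylib` injection path and the list of files assumed to be inside the bundle are my assumptions, not something taken from the issue.

```python
"""Added example: list the dylibs a Mach-O image asks dyld to load and flag the
ones that will not resolve on a stock (non-jailbroken) device. Pure-Python
reading of the load commands, i.e. what `otool -L` prints; the test images are
constructed below, nothing here is taken from the SSL Kill Switch 2 project."""
import struct

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE      # little-endian Mach-O magics
FAT_MAGIC = 0xCAFEBABE                              # universal (fat) wrapper, big-endian
CPU_ARM, CPU_ARM64 = 0x0C, 0x0100000C
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
CMD_NAMES = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB"}
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")  # present on every iOS image


def _slices(data):
    """Yield (offset, size) of every thin Mach-O inside `data`, unwrapping a fat header."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            yield off, size
    else:
        yield 0, len(data)


def linked_dylibs(data):
    """Return [(command, install_path)] for every dylib load command, slice by slice."""
    deps = []
    for off, _size in _slices(data):
        magic = struct.unpack_from("<I", data, off)[0]
        if magic == MH_MAGIC_64:
            hdr_len = 32          # the 64-bit header carries a trailing reserved field
        elif magic == MH_MAGIC:
            hdr_len = 28
        else:
            raise ValueError("no little-endian Mach-O header at offset %d" % off)
        ncmds = struct.unpack_from("<I", data, off + 16)[0]
        pos = off + hdr_len
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", data, pos)
            if cmd in CMD_NAMES:
                # struct dylib_command: cmd, cmdsize, then dylib{name.offset, ...};
                # the path string lives at (command start + name.offset).
                name_off = struct.unpack_from("<I", data, pos + 8)[0]
                raw = data[pos + name_off:pos + cmdsize]
                deps.append((CMD_NAMES[cmd], raw.split(b"\0", 1)[0].decode()))
            pos += cmdsize
    return deps


def classify(deps, bundle_files):
    """Map each install path to 'system', 'bundled' or 'missing' for a stock device.
    bundle_files: names of files shipped next to the main executable in the .app."""
    verdict = {}
    for _cmd, path in deps:
        if path.startswith(SYSTEM_PREFIXES):
            verdict[path] = "system"
        elif path.startswith(("@executable_path/", "@loader_path/", "@rpath/")):
            verdict[path] = "bundled" if path.split("/", 1)[1] in bundle_files else "missing"
        else:
            # Any other absolute path (e.g. /Library/Frameworks/...) only exists if a
            # jailbreak put it there, so dyld aborts with "image not found" elsewhere.
            verdict[path] = "missing"
    return verdict


def audit(data, bundle_files):
    """Parse an image and classify its dependencies in one call."""
    return classify(linked_dylibs(data), set(bundle_files))


# --- constructed test images (hypothetical builders, not real toolchain output) ---

def build_macho(paths, weak=(), is64=True):
    """Minimal Mach-O (filetype MH_DYLIB) carrying only dylib load commands."""
    cmds = b""
    for p in paths:
        name = p.encode() + b"\0"
        cmdsize = (24 + len(name) + 7) & ~7      # load commands are 8-byte aligned
        cmd = LC_LOAD_WEAK_DYLIB if p in weak else LC_LOAD_DYLIB
        cmds += struct.pack("<6I", cmd, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += name.ljust(cmdsize - 24, b"\0")
    if is64:
        hdr = struct.pack("<8I", MH_MAGIC_64, CPU_ARM64, 0, 6, len(paths), len(cmds), 0, 0)
    else:
        hdr = struct.pack("<7I", MH_MAGIC, CPU_ARM, 0, 6, len(paths), len(cmds), 0)
    return hdr + cmds


def build_fat(slices):
    """Wrap thin images in a fat header, slices packed back to back."""
    pos = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">5I", cputype, 0, pos + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    # Constructed: an app binary after an optool-style load command was added, and an
    # armv7+arm64 dylib linked against a Substrate framework living under /Library.
    app = build_macho(["/usr/lib/libSystem.B.dylib", "@executable_path/SSLKillSwitch.dylib"])
    ks_deps = ["/usr/lib/libSystem.B.dylib",
               "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate"]
    killswitch = build_fat([build_macho(ks_deps, is64=False), build_macho(ks_deps)])
    for label, image in (("app binary", app), ("SSLKillSwitch.dylib", killswitch)):
        print(label)
        for path, verdict in audit(image, {"SSLKillSwitch.dylib"}).items():
            print("  %-8s %s" % (verdict, path))
```

To use it on a real bundle, read the main executable and the injected dylib with `open(path, "rb").read()` and pass the names of the files you actually copied into the .app; any dependency that comes back as "missing" is exactly what the "Library not loaded ... image not found" line in the crash report will name on a device that does not have the jailbreak's /Library tree.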
Hi
Firstly thanks for your efforts on this app, its extremely helpful!
I'm using Theos-Jailed to inject your DYLIB into the "Damn Vulnerable iOS App" to bypass the Certificate pinning check within the transport security section.
I have the DYLIB loading, and I could initially see that hooking was disabled because the preference file was not present. Within SSLKillSwitch.m I changed line 42 from NO to YES, and according to the console the module is loading:
DamnVulnerableIOSApp(SSLKillSwitch2.dylib)[1937]: === SSL Kill Switch 2: Subtrate hook enabled.
However, the certificate pinning still seems to be in place. I am running all the traffic through Burp Suite and I have the CA loaded and trusted on the device.
Thanks for any insight you can give!
iOS: 10.3.1 iPhone 7+