
[iOS] Using the objection tool

by CH@3M 2019. 10. 7.

objection :
https://github.com/sensepost/objection

 

Run objection: objection -g PID explore

Check the app's directories: env

Disable SSL pinning: ios sslpinning disable

List currently running jobs: jobs list

C:\Users\chaem
λ objection -g 9652 explore
Using USB device `Apple iPhone`
Agent injected and responds ok!

     _   _         _   _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.7.2

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
net.cross-dev.**** on (iPhone: 10.3.3) [usb] #

net.cross-dev.**** on (iPhone: 10.3.3) [usb] # env
BundlePath         /var/containers/Bundle/Application/B3A44A30-ACEE-415A-9C82-668715365D11/Multi.app
CachesDirectory    /var/mobile/Containers/Data/Application/22CB1A2C-34E7-42E5-BD6B-F6843CC86261/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/22CB1A2C-34E7-42E5-BD6B-F6843CC86261/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/22CB1A2C-34E7-42E5-BD6B-F6843CC86261/Library

net.cross-dev.**** on (iPhone: 10.3.3) [usb] # ios sslpinning disable
(agent) Hooking common framework methods
(agent) [lskta0jskl] Found NSURLSession based classes. Hooking known pinning methods.
(agent) Hooking lower level SSL methods
(agent) Hooking lower level TLS methods
(agent) Registering job lskta0jskl. Type: ios-sslpinning-disable

net.cross-dev.**** on (iPhone: 10.3.3) [usb] # jobs list
Job ID        Hooks  Type
----------  -------  ----------------------
lskta0jskl       18  ios-sslpinning-disable

 

How to connect to a DB and inspect it (inspection is only possible after connecting)

net.cross-dev.sbikabu2sp-stg on (iPhone: 10.3.3) [usb] # sqlite connect ADBMobileTimedEventsCache.sqlite
Caching local copy of database file...
Downloading /var/mobile/Containers/Data/Application/D2D3761F-C5BA-4FBC-AF4D-2F263C5FD93E/Library/Caches/ADBMobileTimedEventsCache.sqlite to C:\Users\chaem\AppData\Local\Temp\tmpk1qkddn1objection.sqlite
Streaming file from device...
Writing bytes to destination...
Successfully downloaded /var/mobile/Containers/Data/Application/D2D3761F-C5BA-4FBC-AF4D-2F263C5FD93E/Library/Caches/ADBMobileTimedEventsCache.sqlite to C:\Users\chaem\AppData\Local\Temp\tmpk1qkddn1objection.sqlite
Validating SQLite database format
Connected to SQLite database at: ADBMobileTimedEventsCache.sqlite

net.cross-dev.sbikabu2sp-stg on (iPhone: 10.3.3) [usb] # sqlite execute schema
----------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE TABLE TIMEDACTIONS (ID INTEGER PRIMARY KEY AUTOINCREMENT, NAME TEXT, STARTTIME INTEGER, ADJSTARTTIME INTEGER)
CREATE TABLE sqlite_sequence(name,seq)
CREATE TABLE CONTEXTDATA (ID INTEGER PRIMARY KEY AUTOINCREMENT, ACTIONID INTEGER, KEY TEXT, VALUE TEXT, FOREIGN KEY(ACTIONID) REFERENCES TIMEDACTIONS(ID))
net.cross-dev.**** on (iPhone: 10.3.3) [usb] # sqlite execute schema
-------------------------------------------------------------------------------------
CREATE TABLE HITS (ID INTEGER PRIMARY KEY AUTOINCREMENT, URL TEXT, TIMESTAMP INTEGER)
CREATE TABLE sqlite_sequence(name,seq)
-------------------------------------------------------------------------------------
net.cross-dev.**** on (iPhone: 10.3.3) [usb] # sqlite execute query select * from HITS

net.cross-dev.**** on (iPhone: 10.3.3) [usb] # sqlite execute query select * from sqlite_sequence
----  -
HITS  1
----  -

Alternatively, you can pull the sqlite file off the device over SFTP and view it with https://sqlitebrowser.org/. It displays the contents nicely, as shown below.

sqlitebrowser tool
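
The same offline review of a pulled file can be scripted. The following is an added example, not part of the original post: it uses Python's standard sqlite3 module on a constructed in-memory database that reproduces the HITS schema shown above. The function names `summarize_db` and `build_sample_db`, the sample URL, and the file name in the comment are assumptions.

```python
import sqlite3

def summarize_db(conn):
    """Per user table: column names, live row count, highest AUTOINCREMENT id ever issued."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    # sqlite_sequence exists only when some table uses AUTOINCREMENT; DELETE does not reset it.
    seq = {}
    if "sqlite_sequence" in names:
        seq = dict(conn.execute("SELECT name, seq FROM sqlite_sequence"))
    report = {}
    for name in names:
        if name.startswith("sqlite_"):
            continue  # skip SQLite's internal tables
        quoted = '"' + name.replace('"', '""') + '"'  # identifiers cannot be bound as parameters
        cols = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted})")]
        rows = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        report[name] = {"columns": cols, "rows": rows, "max_id_ever": seq.get(name)}
    return report

def build_sample_db():
    """Constructed stand-in for a pulled cache file: one hit is written, then removed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE HITS (ID INTEGER PRIMARY KEY AUTOINCREMENT, URL TEXT, TIMESTAMP INTEGER);
        INSERT INTO HITS (URL, TIMESTAMP) VALUES ('https://example.invalid/hit?id=1', 1570406400);
        DELETE FROM HITS;
    """)
    return conn

if __name__ == "__main__":
    # For a real pulled file (hypothetical name), open read-only so the copy is not modified:
    #   conn = sqlite3.connect("file:local_copy.sqlite?mode=ro", uri=True)
    for table, info in summarize_db(build_sample_db()).items():
        print(table, info)
```

A `max_id_ever` higher than `rows`, as with HITS in the session above (empty table, sequence value 1), indicates that rows were written and later deleted.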

How to view a plist file

net.cross-dev.sbikabu2sp-stg on (iPhone: 10.3.3) [usb] # ios plist cat .com.apple.mobile_container_manager.metadata.plist
{
    MCMMetadataContentClass = 2;
    MCMMetadataIdentifier = "net.cross-dev.sbikabu2sp-stg";
    MCMMetadataPersona = 501;
    MCMMetadataUUID = "18F0C32B-CF4B-4AEB-B987-DB00ED7884F3";
}

 

See the usage video for reference

https://n0where.net/runtime-mobile-exploration-objection
