├── .gitignore
├── README.md
├── decrypt-strings
    ├── Makefile
    ├── control
    ├── decryptstrings.m
    ├── decryptstrings.plist
    ├── hopper_get_encrypt_func_args.py
    └── hopper_set_decrypted_strings.py
├── integrity-bypass
    └── integrity_bypass.c
└── let-me-debug
    ├── Makefile
    ├── control
    ├── letmedebug.h
    ├── letmedebug.m
    └── letmedebug.plist


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Xcode
 2 | #
 3 | # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore
 4 | 
 5 | ## Build generated
 6 | build/
 7 | DerivedData/
 8 | 
 9 | ## Various settings
10 | *.pbxuser
11 | !default.pbxuser
12 | *.mode1v3
13 | !default.mode1v3
14 | *.mode2v3
15 | !default.mode2v3
16 | *.perspectivev3
17 | !default.perspectivev3
18 | xcuserdata/
19 | 
20 | ## Other
21 | *.moved-aside
22 | *.xcuserstate
23 | 
24 | ## Obj-C/Swift specific
25 | *.hmap
26 | *.ipa
27 | *.dSYM.zip
28 | *.dSYM
29 | 
30 | # CocoaPods
31 | #
32 | # We recommend against adding the Pods directory to your .gitignore. However
33 | # you should judge for yourself, the pros and cons are mentioned at:
34 | # https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
35 | #
36 | # Pods/
37 | 
38 | # Carthage
39 | #
40 | # Add this line if you want to avoid checking in source code from Carthage dependencies.
41 | # Carthage/Checkouts
42 | 
43 | Carthage/Build
44 | 
45 | # fastlane
46 | #
47 | # It is recommended to not store the screenshots in the git repo. Instead, use fastlane to re-generate the 
48 | # screenshots whenever they are needed.
49 | # For more information about the recommended setup visit:
50 | # https://github.com/fastlane/fastlane/blob/master/fastlane/docs/Gitignore.md
51 | 
52 | fastlane/report.xml
53 | fastlane/screenshots
54 | 
55 | #Code Injection
56 | #
57 | # After new code Injection tools there's a generated folder /iOSInjectionProject
58 | # https://github.com/johnno1962/injectionforxcode
59 | 
60 | iOSInjectionProject/
61 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Some iOS tools and scripts from 2014 for iOS reversing.
2 | 
3 | * let-me-debug: Tweak to bypass well-known anti-debugging mechanisms.
4 | * integrity-bypass: Tweak to bypass an anti-code-injection mechanism that constantly checks the integrity of methods and functions using dladdr() to make sure they haven't been hooked/swizzled.
5 | * decrypt-strings: Tweak and Hopper scripts to decrypt obfuscated strings.
6 | 


--------------------------------------------------------------------------------
/decrypt-strings/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET := iphone:7.0
 2 | ARCHS := armv7 arm64
 3 | 
 4 | include theos/makefiles/common.mk
 5 | 
 6 | TWEAK_NAME = DecryptStrings
 7 | DecryptStrings_FILES = decryptstrings.m
 8 | 
 9 | DecryptStrings_FRAMEWORKS = UIKit
10 | include $(THEOS_MAKE_PATH)/tweak.mk
11 | include $(THEOS_MAKE_PATH)/aggregate.mk
12 | 


--------------------------------------------------------------------------------
/decrypt-strings/control:
--------------------------------------------------------------------------------
 1 | Package: com.nabla-c0d3.decryptstrings
 2 | Name: DecryptStrings
 3 | Depends: mobilesubstrate
 4 | Version: 0.0.1
 5 | Architecture: iphoneos-arm
 6 | Description: An awesome MobileSubstrate tweak!
 7 | Maintainer: Alban Diquet
 8 | Author: Alban Diquet
 9 | Section: Tweaks
10 | 


--------------------------------------------------------------------------------
/decrypt-strings/decryptstrings.m:
--------------------------------------------------------------------------------
 1 | //
 2 | //  DecryptStrings.m
 3 | //  DecryptStrings
 4 | //
 5 | //  Created by Alban Diquet on 1/7/14.
 6 | //  Copyright (c) 2014 Nabla-C0d3. All rights reserved.
 7 | //
 8 | 
 9 | 
10 | // Array encrypted string addresses -> secret keys generated using the Hopper scripts
11 | static int stringDecryptionArray[][2] = {
12 |     {0x6a7b1d, 0x10a},
13 |     {0x6a7b35, 0x10a}};
14 | 
15 | 
16 | 
17 | // Do not forget to disable ASLR on the binary
18 | // https://github.com/peterfillmore/removePIE
19 | 
20 | // Find this address in Hopper/IDA
21 | #define DECRYPTION_FUNC_ADDR 0x42ecbc
22 | 
23 | // Location of the decryption function
24 | int (*RE_decrypt_string)(void *plaintext, void *ciphertext, int secretKey) = (int(*)(void*,void*,int))  DECRYPTION_FUNC_ADDR;
25 | 
26 | 
27 | __attribute__((constructor))
28 | static void initialize() {
29 |     // Instead of reversing how the decryption function works, we just call it at runtime on all the strings
30 |     // so we get all of them decrypted, without even knowing how the decryption function works
31 |     NSLog(@"=================DECRYPTION STARTED=================");
32 |     char * decryptedStringBuf = malloc(500);
33 | 
34 |     NSMutableString *decryptedStringList = [NSMutableString string];
35 | 
36 |     // Decrypt each string
37 |     for (int i=0;i<sizeof(stringDecryptionArray)/8;i++) {
38 |         // Get the address of the encrypted string and the corresponding key
39 |         int secretKey = (int)  stringDecryptionArray[i][1];
40 |         char* encryptedString = (char*) (long) stringDecryptionArray[i][0];
41 | 
42 |         RE_decrypt_string(decryptedStringBuf, encryptedString, secretKey);
43 |         [decryptedStringList appendString:[NSString stringWithFormat:@"( 0x%x, ' ", (int)encryptedString]];
44 |         [decryptedStringList appendString:[NSString stringWithCString:decryptedStringBuf encoding:NSUTF8StringEncoding]];
45 |         [decryptedStringList appendString:@" '),\n"];
46 |     }
47 | 
48 |     // Write result to a file
49 |     [decryptedStringList writeToFile:[@"~/Library/decrypted_strings.txt" stringByExpandingTildeInPath] atomically:YES encoding:NSUTF8StringEncoding error:nil];
50 | 
51 |     NSLog(@"=================DECRYPTION DONE=================");
52 |     free(decryptedStringBuf);
53 |   }
54 | 
55 | 


--------------------------------------------------------------------------------
/decrypt-strings/decryptstrings.plist:
--------------------------------------------------------------------------------
1 | { Filter = { Bundles = ( "com.change.this" ); }; }
2 | 


--------------------------------------------------------------------------------
/decrypt-strings/hopper_get_encrypt_func_args.py:
--------------------------------------------------------------------------------
 1 | 
 2 | doc = Document.getCurrentDocument()
 3 | seg = doc.getCurrentSegment()
 4 | decrypt_string_func_addr = 0x42ecbc
 5 | # Get all calls to the string decryption function
 6 | references = seg.getReferencesOfAddress(decrypt_string_func_addr)
 7 | print 'START'
 8 | for addr in references:
 9 |     argAddr = addr
10 |     keyFound = False
11 |     stringAddrFound = False
12 |     nbRounds = 1
13 | 
14 |     while not (stringAddrFound and keyFound) and (nbRounds < 7):
15 |         argAddr = argAddr - 4
16 |         # Recover the key in r2
17 |         instr = seg.getInstructionAtAddress(argAddr)
18 |         if instr.getInstructionString() == 'add':
19 |             if instr.getFormattedArgument(0) == 'r1' and instr.getFormattedArgument(1) == 'pc':
20 |                 stringAddrFound = seg.getInlineCommentAtAddress(argAddr)
21 | 
22 |         # Recover the encrypted string's address
23 |         if instr.getInstructionString() == 'movw':
24 |             if instr.getFormattedArgument(0) == 'r2':
25 |                 keyFound = instr.getFormattedArgument(1)[1:]
26 | 
27 |         if stringAddrFound and keyFound:
28 |             # Print the key and address as a C-style array declaration
29 |             print '{' + stringAddrFound + ', ' + keyFound + '},'
30 | 
31 | 
32 | 
33 | 


--------------------------------------------------------------------------------
/decrypt-strings/hopper_set_decrypted_strings.py:
--------------------------------------------------------------------------------
 1 | DECRYPTED_STRINGS = [
 2 | ( 0x6a7b1d, ' AB_IIViewDeckController '),
 3 | ( 0x6a7b35, ' toggleTopViewAnimated: '),
 4 | ( 0x6a7b4c, ' AB_IIViewDeckController '),
 5 | ( 0x6a7b64, ' openLeftViewBouncing: ')
 6 | ]
 7 | 
 8 | 
 9 | doc = Document.getCurrentDocument()
10 | seg = doc.getCurrentSegment()
11 | 
12 | for addr, decryptedString in DECRYPTED_STRINGS:
13 |     seg.setInlineCommentAtAddress(addr, decryptedString)
14 | 
15 | 


--------------------------------------------------------------------------------
/integrity-bypass/integrity_bypass.c:
--------------------------------------------------------------------------------
 1 | //
 2 | //  integriy_bypass.m
 3 | //  integriy_bypass
 4 | //
 5 | //  Created by Alban Diquet on 1/5/14.
 6 | //  Copyright (c) 2014 Nabla-C0d3. All rights reserved.
 7 | //
 8 | 
 9 | 
10 | 
11 | #include <substrate.h>
12 | #include <sys/sysctl.h>
13 | 
14 | #include <dlfcn.h>
15 | 
16 | 
17 | 
18 | // Don't forget to disable ASLR and update the function addresses for your binary
19 | #define INTEGRITY_CHECKING_FUNC 0x42ea10
20 | 
21 | 
22 | 
23 | // Hook dladdr()
24 | int (* original_dladdr)(void *addr, Dl_info *info);
25 | 
26 | // This path always passes the check
27 | static char * validLibPath = "/System/Library/Frameworks/UIKit.framework/UIKit";
28 | 
29 | // The App uses dladdr() to check the location of the lib for various functions/symbols
30 | static int replaced_dladdr(void *addr, Dl_info *info) {
31 | 
32 |     char * newPath = malloc(strlen(validLibPath) + 1); // memory leak
33 |     strcpy(newPath,validLibPath);
34 | 
35 | 
36 |     int result = original_dladdr(addr, info);
37 | 
38 |     if ((result != 0) && (info != NULL) && (info->dli_fname != NULL)) {
39 |         NSLog(@"======= fname = %s    sname = %s", info->dli_fname, info->dli_sname);
40 | 
41 |         // Replace the name with something that always passes the check
42 |         Dl_info * dlInfo = info;
43 |         dlInfo->dli_fname = newPath;
44 |     }
45 |     return result;
46 | }
47 | 
48 | 
49 | // This function crashes the app instantly when I hook dladdr()
50 | static int (* original_RE_check_func_pointers)(void *arg1);
51 | 
52 | static int (*RE_check_func_pointers)(void *arg1) = (int(*)(void*)) INTEGRITY_CHECKING_FUNC;
53 | static int cancel_function(void *arg1) {
54 |     // I don't understand how this function checks the integrity of arg1
55 |     // which is a function pointer to things like memset, dladdr, etc.
56 |     // So to bypass it I just turn every call into a call with memset
57 |     // as the argument which is a function that I'm not going to mess with
58 |     return original_RE_check_func_pointers(memset);
59 | }
60 | 
61 | 
62 | 
63 | // The constructor: gets executed when the library is loaded
64 | __attribute__((constructor))
65 | static void initialize() {
66 | 
67 |     NSLog(@"=================INTEGRITY BYPASS LOADED=================");
68 | 
69 |     // Hook the functions
70 |     MSHookFunction(dladdr, replaced_dladdr, (void **) &original_dladdr);
71 |     MSHookFunction(RE_check_func_pointers, cancel_function, (void **)&original_RE_check_func_pointers);
72 | }
73 | 
74 | 


--------------------------------------------------------------------------------
/let-me-debug/Makefile:
--------------------------------------------------------------------------------
 1 | TARGET := iphone:7.0
 2 | ARCHS := armv7 arm64
 3 | 
 4 | include theos/makefiles/common.mk
 5 | 
 6 | TWEAK_NAME = LetMeDebug
 7 | LetMeDebug_FILES = letmedebug.m
 8 | 
 9 | LetMeDebug_FRAMEWORKS = UIKit
10 | include $(THEOS_MAKE_PATH)/tweak.mk
11 | include $(THEOS_MAKE_PATH)/aggregate.mk
12 | 


--------------------------------------------------------------------------------
/let-me-debug/control:
--------------------------------------------------------------------------------
 1 | Package: com.nabla-c0d3.letmedebug
 2 | Name: Test
 3 | Depends: mobilesubstrate
 4 | Version: 0.0.1
 5 | Architecture: iphoneos-arm
 6 | Description: An awesome MobileSubstrate tweak!
 7 | Maintainer: Alban Diquet
 8 | Author: Alban Diquet
 9 | Section: Tweaks
10 | 


--------------------------------------------------------------------------------
/let-me-debug/letmedebug.h:
--------------------------------------------------------------------------------
 1 | //
 2 | //  letmedebug.h
 3 | //  letmedebug
 4 | //
 5 | //  Created by Alban Diquet on 1/5/14.
 6 | //  Copyright (c) 2014 Nabla-C0d3. All rights reserved.
 7 | //
 8 | 
 9 | #import <Foundation/Foundation.h>
10 | 
11 | 


--------------------------------------------------------------------------------
/let-me-debug/letmedebug.m:
--------------------------------------------------------------------------------
 1 | //
 2 | //  letmedebug.m
 3 | //  letmedebug
 4 | //
 5 | //  Created by Alban Diquet on 1/5/14.
 6 | //  Copyright (c) 2014 Nabla-C0d3. All rights reserved.
 7 | //
 8 | 
 9 | #import "letmedebug.h"
10 | 
11 | 
12 | #include <substrate.h>
13 | #include <sys/sysctl.h>
14 | 
15 | 
16 | #define PT_DENY_ATTACH 31
17 | 
18 | 
19 | // Anti-debugging method #1: use ptrace to prevent debuggers from being able
20 | // to attach to the App's process
21 | extern long ptrace(int request, pid_t pid, void *addr, void *data);
22 | 
23 | long (* original_ptrace)(int request, pid_t pid, void *addr, void *data);
24 | 
25 | static long replaced_ptrace(int request, pid_t pid, void *addr, void *data) {
26 |     
27 |     // Intercept and cancel the PT_DENY_ATTACH flag
28 |     if (request == PT_DENY_ATTACH) {
29 |         NSLog(@"=================LETMEDEBUG: Denied PT_DENY_ATTACH=================");
30 |         return 0;
31 |     }
32 |     else {
33 |         return original_ptrace(request, pid, addr, data);
34 |     }
35 | }
36 | 
37 | 
38 | // Anti-debugging method #2 - not using it actually
39 | int (* original_sysctl)(const int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen);
40 | 
41 | static int replaced_sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) {
42 |     int result = -1;
43 |     struct kinfo_proc *info;
44 |     //NSLog(@"=================LETMEDEBUG: In SYSCTL=================");
45 |     
46 |     
47 |     result = original_sysctl(name, namelen, oldp, oldlenp, newp, newlen);
48 |     //NSLog(@"name = %s", oldp);
49 |     //NSLog(@"=================LETMEDEBUG: Denied SYSCTL2=================");
50 |     
51 |     // Remove the P_TRACED flag
52 |     info = oldp;
53 |     if ((result > 0) && (((*info).kp_proc.p_flag & P_TRACED) != 0)) {
54 |         NSLog(@"=================LETMEDEBUG: Denied SYSCTL=================");
55 |         (*info).kp_proc.p_flag = (*info).kp_proc.p_flag & ~P_TRACED;
56 |     }
57 |     
58 |     return result;
59 | }
60 | 
61 | 
62 | __attribute__((constructor))
63 | static void initialize() {
64 |     
65 |     NSLog(@"=================LETMEDEBUG LOADED=================");
66 |     MSHookFunction(ptrace, replaced_ptrace, (void **) &original_ptrace);
67 |     MSHookFunction(sysctl, replaced_sysctl, (void **) &original_sysctl);
68 | }
69 | 
70 | 


--------------------------------------------------------------------------------
/let-me-debug/letmedebug.plist:
--------------------------------------------------------------------------------
1 | { Filter = { Bundles = ( "change.this" ); }; }
2 | 


--------------------------------------------------------------------------------