I am analyzing a malicious android application from memory dump of an android device. I need to find the code of the malicious application in memory. I have been able to find .odex file. Please guide of this file contains the runtime in-execution code of application or I need to look into some other file.
Thanks
Related
For a native iOS application we are integrating a C++ library which is writing some logs to disk to json file.
During debugging, we would like to access to this logs, but currently we can only do it by downloading the whole app container to the macOS machine and searching for the file there.
Since this a very time consuming operation we were hoping that there would be some solution that would allows us to get this file quickly. I did take a look to the lldb commands, but none of them seem to let you extract a file from the phone.
Is there anyway to do this in a quick way?
Thank you
Couple options...
1 - Add debug-only code in your app to share the log file (via AirDrop would probably be a good option).
or
2 - During debug, set these two keys (in project settings / info) to Yes:
Application supports iTunes file sharing
Supports opening documents in place
Once you've done that, you can open / copy files from your app's Documents directory (assuming that's where the logs are being written) from Finder on your Mac.
I want to see the code of an iOS app.
The app I downloaded is .deb.
First question: Is it possible to install .deb file on iOS or I downloaded a wrong file?
After unpacking the .deb file, I got some files, including .nib, .storyboard and some other files.
My main question is, How to decompile these .nib files?
I tried to decompile these files using NibToXibConverter, but I didn't succeed.
Answer to your first question:
I think you downloaded the wrong file. .deb files for iOS are common for jailbreak community and not for apps, I think all of the Cydia stuffs are packed into .deb's. If your app is especially made for the jailbreak scene then you may try to install it using Cydia's auto install feature on a jailbroken device.
Answer to your main question:
This is general info about decompiling and modifying iOS apps (not specific for nibs, but you may still find it useful).
iOS apps are distibuted in .ipa archives, which are ordinary zip archives. They contain, usually one executable in the form of Mach-O file, and resources like .plist, sounds, images - every resource you include in your xcode project. Decompiling the executable file is only possible on jailbroken iDevice, because it is encrypted especially for the current device and the magic key to decrypt the binary is burned inside the device CPU and as far as I know there is no software way to read that key. The encryption system here is called FairPlay.
Briefly described, one way to decrypt that binary is to have the app installed on a jailbroken device, and launch it from command line using a debugger (gdb) which you can download from Cydia. You have to set a breakpoint somewhere, and when your code execution pauses at the breakpoint, you are doing a memory dump of the device ram - and that is your decrypted bin.
So when you have the decrypted binary, you can run one tool called "class-dump", and get the information for declared classes and their methods if the app is written in Objective C. Once you know this information you can alter the implementation of given method from some class used in your app using "Cydia Subtstrate" a.k.a "Mobile Substrate". In fact that is the way all of the jailbroken iOS tweaks are made. Basically you are hooking a method call, and when that method get invoked, it uses your implementation. Furthermore your implementation can call the original implementation, and that is really useful if you want to make some small code addition.
I am not sure whether those things possible in Swift, but if you are dealing with a Hybrid app like the ones done with cordova, phonegap, etc., then you can see all of its javascript source because it is persisted as a resource inside the "ipa" file. In addition you can alter that javascript code directly if you have a jailbroken device and find where the app is installed on file system (usually /var/containers/Bundle/Application/uuid_for_your_app/). However, I think there is no way to get that patched version and redistribute it (correct me if I'm wrong).
I'm using Qt5.5 for iOS development.
I'm wondering how to find and open a file in an iOS device to read and write using Qt5.5. As I know, there's no such file tree structure in iOS. When I download a picture, for example, I even do not know where it locates. But I can see it in apps.
Is there anyone can help? Thanks very much.
I am no expert with Qt, but I believe you need the QStandardPaths class.
iOS is no different to any other platform that stores files in certain pre-defined locations.
I am interested in getting a readable stack-trace when my iPhone/iPad crashes. I would like to send this information to our server once it is trapped. I know there are tools like Crashlytics that do this very well, but we would like to stay away from any 3rd party tools if at all possible. The only way I know to get this info is to manually do it by retrieving the and then have that file symbolicated on a Mac before it can be analyzed. Even doing this can be troublesome if you don't have a copy of the original application binary and the .dSYM file that was generated when that binary was built. I believe Crashlytics does this somehow without the actual binary or the .dSYM file which leads me to believe that a simple stack trace can be generate programmatically. Has anyone done this or have any pointers as to how I could do this within Objective C so that I could send that information to our servers for Error reporting?
Is it at all possible to get a create a readable stack-trace within Objective C on my iOS device without having to first send that file to a Mac with both the actual binary or the .dSYM file?
Just use
[NSThread callStackSymbols]
I was trying to get the header files from the ToneKit framework on iOS7.1, but I found that I cannot use class-dump because there are no executable files inside the framework. From what I have found after some research, it seems as if the actual executable file is inside the dyld_shared_cache on the device. After reading this article, it seems as if there are some tools to decrypt the cache, but since iOS 3, Apple has implemented ASLR which has made the decryption tools not work. How can I extract the Frameworks from inside the dyld_shared_cache on iOS7.1?
I am very new to jailbroken ios development so please bear with me.
If you're interested in how they got those headers then the answer is very simple - iOS SDK. SDK contains ARM binaries of public and private frameworks because they are required to compile iOS applications. Class-dump them and you will get headers you need. ToneKit.framework binary is also in there.
Usually you don't need dyld_shared_cache, almost everything you need is either in iOS SDK or on a device itself like SpringBoard, other system applications etc.
Of course there are rare cases when dyld_shared_cache is the only place you can find certain binaries as they are missing from both iOS SDK and device. In that case I use IDA. It has free demo version that can open dyld_shared_cache files - you can even open individual binaries inside it rather than dump everything. You just need to copy dyld_shared_cache on your PC.
I think Elias Limneos's classdump-dyld can help you. If not, check out RuntimeBrowser. Failing that, even, weak-classdump has proven to be a very useful runtime tool for me.