-
Notifications
You must be signed in to change notification settings - Fork 870
Using objection
This article will walk through some sample usage of objection. A few assumptions are made:
- You have successfully followed the installation guide and have the
objectioncommand available in yourPATH. - You have successfully patched your application (ie: an IPA or an APK), or added the FridaGadget to your project and deployed it to a device.
The objection command contains a number of subcommands. Certain subcommands may contain flags to set various configurations and options. To get a list of available options, run any objection command with the --help flag. For example:
$ objection --help
Usage: objection [OPTIONS] COMMAND [ARGS]...
_ _ _ _
___| |_ |_|___ ___| |_|_|___ ___
| . | . | | | -_| _| _| | . | |
|___|___|_| |___|___|_| |_|___|_|_|
|___|(object)inject(ion)
Runtime Mobile Exploration
by: @leonjza from @sensepost
By default, communications will happen over USB, unless the --network
option is provided.
Options:
-N, --network Connect using a network connection instead of USB.
[default: False]
-h, --host TEXT [default: 127.0.0.1]
-p, --port INTEGER [default: 27042]
-g, --gadget TEXT Name of the Frida Gadget/Process to connect to.
[default: Gadget]
--help Show this message and exit.
Commands:
device_type Get information about an attached device.
explore Start the objection exploration REPL.
patchapk Patch an APK with the frida-gadget.so.
patchipa Patch an IPA with the FridaGadget dylib.
version Prints the current version and exists.The most commonly used subcommand is explore, which will start the objection exploration REPL. Considering the options in the above --help output, to connect to a Frida gadget hosted on the network, one would execute objection -N explore.
The exploration REPL will autocomplete commands when the [TAB] key is pressed whenever possible. If you need some help, prefixing your full command with the help keyword will print documentation and usage examples for the command in question.
With objection installed, a patched IPA installed to your iOS device and with the device connected authorized to your computer via USB, the objection REPL may be started with the objection explore command:
$ objection explore
_ _ _ _
___| |_ |_|___ ___| |_|_|___ ___
| . | . | | | -_| _| _| | . | |
|___|___|_| |___|___|_| |_|___|_|_|
|___|(object)inject(ion)
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
com.sensepost.ipewpew on (iPad: 10.2.1) [usb] #When a patched iOS application is started for the first time it will be in a paused state until you start the objection REPL, which will resume execution of the target application. If you need to do early instrumentation, the explore subcommand has the --startup-command and --startup-script arguments to help with that. Refer to the early instrumentation article for more information.
At this stage, you may now enter commands into the REPL as needed. For example, issuing the ls command will display a directory listing of the current directory. By default, starting the objection REPL will start in your applications main bundle path:
com.sensepost.ipewpew on (iPad: 10.2.1) [usb] # ls
NSFileType Perms NSFileProtection Read Write Owner Group Size Creation Name
------------ ------- ------------------ ------ ------- -------------- -------------- --------- ------------------------- ------------------------
Regular 420 None True False _installd (33) _installd (33) 7.9 KiB 2017-08-25 05:33:48 +0000 AppIcon40x40@2x.png
Regular 420 None True False _installd (33) _installd (33) 187.5 KiB 2017-08-25 05:33:49 +0000 Assets.car
Directory 493 None True False _installd (33) _installd (33) 102.0 B 1970-01-01 00:00:00 +0000 Base.lproj
Directory 493 None True False _installd (33) _installd (33) 102.0 B 1970-01-01 00:00:00 +0000 Frameworks
Regular 420 None True False _installd (33) _installd (33) 1.3 KiB 2017-08-25 05:33:49 +0000 Info.plist
Directory 493 None True False _installd (33) _installd (33) 68.0 B 1970-01-01 00:00:00 +0000 META-INF
Regular 493 None True False _installd (33) _installd (33) 915.0 KiB 2017-09-14 06:18:04 +0000 PewPew
Regular 420 None True False _installd (33) _installd (33) 8.0 B 2017-08-25 05:33:49 +0000 PkgInfo
Directory 493 None True False _installd (33) _installd (33) 102.0 B 1970-01-01 00:00:00 +0000 _CodeSignature
Regular 420 None True False _installd (33) _installd (33) 9.3 KiB 2017-09-14 06:18:03 +0000 embedded.mobileprovision
Regular 420 None True False _installd (33) _installd (33) 1.6 KiB 2017-08-16 17:05:01 +0000 swapi.co.der
Readable: Yes Writable: Yes
The files in the main bundle are all available by just extracting the IPA you already have, so that in itself might not be as interesting. However, other interesting directories that relate to the application in question may be enumerated using the env command. This will print out the locations of the applications Library, Caches and Documents directories:
sensepost’s iPad on (iPad: 10.2.1) [usb] # env
Name System Model Version
---------------- -------- ------- ---------
sensepost’s iPad iOS iPad 10.2.1
Name Path
----------------------------- ------------------------------------------------------------------------------------------------------------
DocumentDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Library
CachesDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Library/Caches
BundlePath /var/containers/Bundle/Application/9FCE7485-EE1B-462E-8FC5-A49974D73F4F/PewPew.app
ApplicationDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Applications
DemoApplicationDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Applications/Demos
DeveloperApplicationDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Developer/Applications
UserDirectory
CoreServiceDirectory
AutosavedInformationDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Library/Autosave Information
DesktopDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Desktop
ApplicationSupportDirectory /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Library/Application Support
ReceiptPath /private/var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/StoreKit/sandboxReceipt
ResourcePath /var/containers/Bundle/Application/9FCE7485-EE1B-462E-8FC5-A49974D73F4F/PewPew.app
It is now possible to see that the Documents directory lives at /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents, so we cd to that and inspect its contents:
sensepost’s iPad on (iPad: 10.2.1) [usb] # cd /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents
/var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents
sensepost’s iPad on (iPad: 10.2.1) [usb] # ls
Read Access
Write Access
Type Perms Read Write Owner Group Size Creation Name
----------------- ------- ------ ------- ------------ ------------ ------ ------------------------- -----------------
NSFileTypeRegular 420 True True mobile (501) mobile (501) 276 2017-07-09 08:01:08 +0000 credentials.plist
NSFileTypeRegular 420 True True mobile (501) mobile (501) 12288 2017-07-05 19:48:01 +0000 pewpew.sqlite
Interesting, a plist file named 'credentials' and a sqlite database. Let take a look at whats inside the plist. It is possible to download the raw .plist file from the mobile devices filesystem to your local filesystem and inspect it that way (In the example below, commands prefixed with a ! are run as OS commands):
sensepost’s iPad on (iPad: 10.2.1) [usb] # download credentials.plist creds.plist
Downloading /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents/credentials.plist to creds.plist
sensepost’s iPad on (iPad: 10.2.1) [usb] # !cat creds.plist
Running OS command: cat creds.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>password</key>
<string>snek</string>
<key>username</key>
<string>help</string>
</dict>
</plist>
Or, you can use the inline helper tool that will parse the plist and dump its contents. This is useful as it is not always possible to easily read the raw file:
sensepost’s iPad on (iPad: 10.2.1) [usb] # ios plist cat credentials.plist
{
password = snek;
username = help;
}
We can query the sqlite database as well to get an idea of its table structure and contents. Lets connect and have a look at the table structure first:
sensepost’s iPad on (iPad: 10.2.1) [usb] # sqlite connect pewpew.sqlite
Caching local copy of database file...
Downloading /var/mobile/Containers/Data/Application/E2933EE7-4805-4411-A764-B1CDBFA5127C/Documents/pewpew.sqlite to /var/folders/nn/7rzmzs_920n8qvff8n9nf1rm0000gn/T/tmpo88npganobjection.sqlite
Validating SQLite database format
Connected to SQLite database at: pewpew.sqlite
sensepost’s iPad on (iPad: 10.2.1) [usb] # sqlite execute schema
------------------------------------------------------------------
CREATE TABLE data ( key text NOT NULL UNIQUE, value text NOT NULL)
------------------------------------------------------------------
As you can see, the database contains a single table called data, with two columns. Lets execute a query to have a look at the data itself:
sensepost’s iPad on (iPad: 10.2.1) [usb] # sqlite execute query select * from data;
----------- -------------------------------------
credentials {"username":"help","password":"snek"}
----------- -------------------------------------
Coming soon™