1
00:00:00,330 --> 00:00:01,440
Instructor: Hi.

2
00:00:01,440 --> 00:00:05,010
Within this lecture we are going to manipulate our app

3
00:00:05,010 --> 00:00:08,520
so that it won't detect the jailbreak, but it will take us

4
00:00:08,520 --> 00:00:11,010
to the second view controller every time we

5
00:00:11,010 --> 00:00:12,420
hit the test button.

6
00:00:12,420 --> 00:00:14,250
And as you can see, even

7
00:00:14,250 --> 00:00:18,390
though we don't know anything about assembly, okay,

8
00:00:18,390 --> 00:00:21,480
even if you don't know, you can still find some clues.

9
00:00:21,480 --> 00:00:23,430
You can still find some hints

10
00:00:23,430 --> 00:00:27,270
that you can use in a real reverse engineering process.

11
00:00:27,270 --> 00:00:30,660
And if this had worked, like we called,

12
00:00:30,660 --> 00:00:33,090
we tried to call this printMethods.

13
00:00:33,090 --> 00:00:36,360
If this had printed out the methods,

14
00:00:36,360 --> 00:00:40,350
then we would have seen the isJailbroken method

15
00:00:40,350 --> 00:00:43,680
and we would have understood it in a better way.

16
00:00:43,680 --> 00:00:47,340
But even though it didn't work, it still doesn't matter

17
00:00:47,340 --> 00:00:51,060
because we can't see it in our Hopper disassembler.

18
00:00:51,060 --> 00:00:56,040
So just try to understand where you should look.

19
00:00:56,040 --> 00:00:58,290
Okay, we have seen the test button.

20
00:00:58,290 --> 00:01:01,770
We searched for test and now we,

21
00:01:01,770 --> 00:01:05,730
then we knew that there is a function called test click

22
00:01:05,730 --> 00:01:07,983
and then we focused on that.

23
00:01:09,030 --> 00:01:11,610
So make sure you open your detect jail

24
00:01:11,610 --> 00:01:14,790
and run Cycript detect jail one more time.

25
00:01:14,790 --> 00:01:16,710
And I'm going to call this

26
00:01:16,710 --> 00:01:20,310
UIApp.keyWindow.rootViewController again.

27
00:01:20,310 --> 00:01:22,920
And as you can see our view controller

28
00:01:22,920 --> 00:01:24,900
is named ViewController.

29
00:01:24,900 --> 00:01:29,820
And then I'm going to say ViewController.prototype.

30
00:01:29,820 --> 00:01:33,300
So if we want to manipulate any method

31
00:01:33,300 --> 00:01:36,150
like this isJailbroken, rather

32
00:01:36,150 --> 00:01:40,340
than saying ViewController.isJailbroken,

33
00:01:40,340 --> 00:01:42,324
we are gonna have to say

34
00:01:42,324 --> 00:01:47,324
ViewController.prototype and then .isJailbroken.

35
00:01:48,450 --> 00:01:53,010
And of course this isJailbroken should be spelled exactly

36
00:01:53,010 --> 00:01:57,390
the same as we see in the assembler like this.

37
00:01:57,390 --> 00:02:01,560
So ViewController.prototype.isJailbroken.

38
00:02:01,560 --> 00:02:05,490
Now I can make this equal to anything I want.

39
00:02:05,490 --> 00:02:08,307
Now I can write some new JavaScript code

40
00:02:08,307 --> 00:02:12,510
in order to replace this function in runtime.

41
00:02:12,510 --> 00:02:16,860
Now my iPad is connected to the internet

42
00:02:16,860 --> 00:02:21,480
and I am connecting to it via SSH

43
00:02:21,480 --> 00:02:25,890
and I am actually manipulating it in runtime.

44
00:02:25,890 --> 00:02:29,820
So I'm going to assign this function to

45
00:02:29,820 --> 00:02:34,820
return zero, return false to me every time it's called.

46
00:02:36,450 --> 00:02:41,100
So I'm going to say function and open and close parentheses.

47
00:02:41,100 --> 00:02:44,370
Then I'm going to use curly braces to actually

48
00:02:44,370 --> 00:02:46,170
write the code itself.

49
00:02:46,170 --> 00:02:50,251
So all I'm going to do is to say return false

50
00:02:50,251 --> 00:02:53,070
and then semicolon

51
00:02:53,070 --> 00:02:57,060
and then close the curly braces like this.

52
00:02:57,060 --> 00:03:00,390
So maybe it looks very simple to you.

53
00:03:00,390 --> 00:03:01,223
Okay?

54
00:03:01,223 --> 00:03:03,000
And maybe you think that this

55
00:03:03,000 --> 00:03:07,320
is actually a very simple exercise,

56
00:03:07,320 --> 00:03:12,320
but this will work pretty much in every app

57
00:03:12,360 --> 00:03:17,160
if you find the related application, related method

58
00:03:17,160 --> 00:03:20,040
and related view controller like this.

59
00:03:20,040 --> 00:03:21,000
Here you go.

60
00:03:21,000 --> 00:03:24,060
Now, when I hit on the test button, it actually

61
00:03:24,060 --> 00:03:26,640
takes me to the second view controller where

62
00:03:26,640 --> 00:03:28,980
I can see the flag itself.

63
00:03:28,980 --> 00:03:32,040
Flag is Barley, and Barley is my dog.

64
00:03:32,040 --> 00:03:35,370
And we managed to complete the CTF.

65
00:03:35,370 --> 00:03:38,250
And again, maybe you're thinking right now,

66
00:03:38,250 --> 00:03:39,930
"Yeah, it was too easy.

67
00:03:39,930 --> 00:03:43,530
All you had to do is just write return false

68
00:03:43,530 --> 00:03:48,030
and you knew that it's returning either true or false,"

69
00:03:48,030 --> 00:03:50,910
but it shouldn't necessarily be the case.

70
00:03:50,910 --> 00:03:55,680
Maybe we could have returned 10 or returned five in a game,

71
00:03:55,680 --> 00:03:57,840
or maybe we could have returned true

72
00:03:57,840 --> 00:04:01,770
in a game in order to do some cheating.

73
00:04:01,770 --> 00:04:03,390
And I have seen a lot

74
00:04:03,390 --> 00:04:08,390
of examples where people actually manage to hack into games,

75
00:04:08,520 --> 00:04:10,200
hack into other apps

76
00:04:10,200 --> 00:04:14,550
or big projects using exactly this method,

77
00:04:14,550 --> 00:04:17,910
by manipulating the function, and

78
00:04:17,910 --> 00:04:20,760
it really works in real life.

79
00:04:20,760 --> 00:04:23,940
It's a matter of digging deeper.

80
00:04:23,940 --> 00:04:28,920
So you have to be proficient in Swift or in Objective-C,

81
00:04:28,920 --> 00:04:30,930
in any programming language,

82
00:04:30,930 --> 00:04:33,570
in order to understand where to look.

83
00:04:33,570 --> 00:04:38,340
For example, if you're looking for a hack in a game, like

84
00:04:38,340 --> 00:04:42,030
if you're trying to find some vulnerabilities in a game,

85
00:04:42,030 --> 00:04:46,800
maybe the game is using a function in order to define

86
00:04:46,800 --> 00:04:51,270
if you made a purchase for some extra life or extra items,

87
00:04:51,270 --> 00:04:52,320
I don't know.

88
00:04:52,320 --> 00:04:57,300
And most probably this function is returning zero

89
00:04:57,300 --> 00:05:00,360
or one, or like false and true.

90
00:05:00,360 --> 00:05:02,250
Then you can change it

91
00:05:02,250 --> 00:05:05,160
to false or true in order to manipulate it,

92
00:05:05,160 --> 00:05:08,280
exactly using this method, right?

93
00:05:08,280 --> 00:05:12,390
So all you have to do is just run the Hopper disassembler

94
00:05:12,390 --> 00:05:17,250
against the IPA and try to locate the related function.

95
00:05:17,250 --> 00:05:20,664
And it's not very easy to do so, okay?

96
00:05:20,664 --> 00:05:23,640
As you can see, if I run it one more time,

97
00:05:23,640 --> 00:05:26,910
it'll return to the original state.

98
00:05:26,910 --> 00:05:29,820
You are not changing the app itself,

99
00:05:29,820 --> 00:05:32,790
you're manipulating it in runtime.

100
00:05:32,790 --> 00:05:37,170
However, you can do whatever you wanna do with this.

101
00:05:37,170 --> 00:05:41,400
For example, if you're playing an online game,

102
00:05:41,400 --> 00:05:45,690
you can manipulate your score, and if your score gets sent

103
00:05:45,690 --> 00:05:49,380
to the server, then your score will be recorded

104
00:05:49,380 --> 00:05:52,200
in that server, okay?

105
00:05:52,200 --> 00:05:55,050
And make sure you try to get familiarized

106
00:05:55,050 --> 00:05:57,210
with this Hopper disassembler.

107
00:05:57,210 --> 00:05:59,670
Make sure you try to read the lines,

108
00:05:59,670 --> 00:06:02,610
make sure you try Cycript.

109
00:06:02,610 --> 00:06:04,920
Make sure you do the jailbreaking

110
00:06:04,920 --> 00:06:08,190
in a proper way in order to understand

111
00:06:08,190 --> 00:06:11,850
and comprehend all of those things in a better way.

112
00:06:11,850 --> 00:06:14,820
Make sure you try to build your,

113
00:06:14,820 --> 00:06:17,130
build your apps on your own.

114
00:06:17,130 --> 00:06:20,580
Make sure you purchase an iOS course

115
00:06:20,580 --> 00:06:23,310
like mine or anyone else's on Udemy

116
00:06:23,310 --> 00:06:27,210
in order to understand this in a better way

117
00:06:27,210 --> 00:06:31,134
so that you can actually find vulnerabilities,

118
00:06:31,134 --> 00:06:35,940
security breaches in the most efficient way.

119
00:06:35,940 --> 00:06:37,920
So now we're going to take a look

120
00:06:37,920 --> 00:06:40,680
at challenges in Swift applications

121
00:06:40,680 --> 00:06:43,113
and then we are going to end this section.