Reverse Engineering iOS Mobile Applications

Why should I reverse engineer an iOS app? There are thousands of reasons for reverse engineering an iOS app: maybe you just want to find security holes in it, or you want to retrieve sensitive information it handles.

Requirements

First of all you need a jailbroken iPad, iPhone or iPod touch. In my case I use an iPad 4 running iOS 8, jailbroken with Pangu. To follow this tutorial you need a few Cydia packages installed on the device. To disassemble the binary on your computer/Mac you need Hopper (http://www.hopperapp.com).

Rasticrac

You need Rasticrac because every binary installed from the App Store is encrypted with FairPlay DRM. Rasticrac is an easy-to-use tool that decrypts the binary; without this step Hopper cannot disassemble it, because it would only see the encrypted bytes. (Binaries installed through Xcode or an enterprise/ad-hoc profile are not FairPlay-encrypted and can be opened directly.)

Repo source: you can install Rasticrac with Cydia; just add the following repo source in Cydia: http://cydia.iphonecake.com

Now just search for it and install it.

ldone

With ldone you can re-sign the iOS binary so you are able to run it after modifying it. Note that ldone does not produce an Apple-issued signature; the re-signed binary only runs because the jailbreak relaxes code-signature enforcement. An unmodified device would still refuse it.

Repo source: to install it you have to add the insanelyi repo: http://repo.insanelyi.com

Now just search for it and install it.

REVERSE ENGINEERING IOS

NewTerm

You need NewTerm installed to run Rasticrac and ldone from a terminal on the device. Just search for NewTerm in Cydia; you will find it in the already added iPhoneCake repo. Install it.

Decrypting the iOS App binary

Open NewTerm (it is on the Springboard) and enter the following commands:

su
Enter your root password (default: alpine). If you have OpenSSH installed on the device, change this default password first; otherwise anyone on the same network can log in as root.

rasticrac.sh -m
The Rasticrac menu is shown. Rasticrac lists the installed apps on your device, each with a number or a letter. Enter the corresponding letter/number for the app you want to decrypt. Example: m: Clash of Clans. In this case you enter 'm' to decrypt the Clash of Clans binary. Rasticrac puts the decrypted .ipa of the app in:

/var/root/Documents/Cracked

How can I disassemble the decrypted iOS App on the computer?

Copy the .ipa file to your computer with iFunBox or iExplorer (path to the file: /var/root/Documents/Cracked). Now rename [app_name].ipa to [app_name].zip (an .ipa is just a zip archive). Open [app_name].zip and navigate to Payload -> [app_name].app. Open the [app_name].app folder (on a Mac you have to right-click it and choose "Show Package Contents") and find the binary; it is named like the app but has no filename extension. Open the Hopper disassembler and go to File -> Read Executable to Disassemble. If the binary contains more than one architecture (a fat binary with armv7 and arm64 slices), Hopper asks which one to load; pick the slice that matches your device. Before you start reading code, make sure the binary is really decrypted: the cryptid field of its LC_ENCRYPTION_INFO load command must be 0 (on a Mac, otool -l on the binary shows it). An encrypted binary still loads in Hopper but disassembles to meaningless instructions.
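Before spending time in Hopper, check that the decryption step actually produced a clean binary. The following Python script is an added example written for this page; it is not part of the original tutorial, of Rasticrac or of Hopper. It parses the Mach-O header directly (constants and struct layouts taken from Apple's loader.h and fat.h), reports the cryptid of every LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command and whether an LC_CODE_SIGNATURE is present, and walks each slice of a fat binary. The sample binaries at the bottom are constructed inline (headers and load commands only, no code) so that the script runs offline; the half-decrypted fat sample is a hypothetical case used to show why every slice must be checked, not a statement about Rasticrac's output.

```python
import struct
import sys

# Mach-O constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC = 0xFEEDFACE           # 32-bit image (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit image
FAT_MAGIC = 0xCAFEBABE          # multi-architecture wrapper, big-endian fields
MH_EXECUTE = 0x2
LC_CODE_SIGNATURE = 0x1D
LC_ENCRYPTION_INFO = 0x21       # used in 32-bit slices
LC_ENCRYPTION_INFO_64 = 0x2C    # used in 64-bit slices
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def inspect_slice(data, base=0):
    """Walk the load commands of one thin Mach-O image found at data[base:]."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        hdr_size = 32               # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("no Mach-O magic at offset %d" % base)
    cputype, _sub, _ftype, ncmds, sizeofcmds = struct.unpack_from("<IIIII", data, base + 4)
    info = {"cputype": CPU_NAMES.get(cputype, hex(cputype)),
            "cryptid": None, "cryptoff": None, "cryptsize": None, "signed": False}
    off = base + hdr_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both layouts begin cmd, cmdsize, cryptoff, cryptsize, cryptid.
            # cryptid != 0 means [cryptoff, cryptoff + cryptsize) is still FairPlay-encrypted.
            info["cryptoff"], info["cryptsize"], info["cryptid"] = \
                struct.unpack_from("<III", data, off + 8)
        elif cmd == LC_CODE_SIGNATURE:
            info["signed"] = True
        off += cmdsize
    return info


def inspect_macho(data):
    """Return one info dict per architecture slice (a thin file yields one)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [inspect_slice(data, 0)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):            # fat_arch entries are 20 bytes each, big-endian
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append(inspect_slice(data, offset))
    return slices


def is_decrypted(data):
    """True only when no slice still carries cryptid != 0."""
    return all(s["cryptid"] in (None, 0) for s in inspect_macho(data))


# --- Constructed sample binaries: headers and load commands only, no code ---
def _slice(cputype, cmds):
    body = b"".join(cmds)
    if cputype == CPU_TYPE_ARM64:
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, len(cmds), len(body), 0, 0)
    else:
        hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, MH_EXECUTE, len(cmds), len(body), 0)
    return hdr + body


def _encryption_info(cryptoff, cryptsize, cryptid, sixty_four):
    if sixty_four:                   # encryption_info_command_64 has a trailing pad field
        return struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
    return struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)


def _fat(slices):
    table = struct.pack(">II", FAT_MAGIC, len(slices))
    offset, payload = 8 + 20 * len(slices), b""
    for cputype, blob in slices:
        table += struct.pack(">IIIII", cputype, 0, offset, len(blob), 0)
        payload += blob
        offset += len(blob)
    return table + payload


CODE_SIG = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x10000, 0x100)
ENCRYPTED_ARM64 = _slice(CPU_TYPE_ARM64, [_encryption_info(0x4000, 0x8000, 1, True), CODE_SIG])
DECRYPTED_ARM64 = _slice(CPU_TYPE_ARM64, [_encryption_info(0x4000, 0x8000, 0, True), CODE_SIG])
# Hypothetical fat binary whose arm64 slice was decrypted but whose armv7 slice was not.
HALF_DONE_FAT = _fat([(CPU_TYPE_ARM, _slice(CPU_TYPE_ARM, [_encryption_info(0x4000, 0x6000, 1, False)])),
                      (CPU_TYPE_ARM64, DECRYPTED_ARM64)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HALF_DONE_FAT
    for s in inspect_macho(data):
        print(s)
    print("decrypted:", is_decrypted(data))
```

Run it against the binary you pulled out of Payload/[app_name].app; it prints one line per slice, and every cryptid must be 0 (or absent, for a binary that was never App Store encrypted) before the disassembly means anything. If Hopper shows a short run of valid instructions followed by nonsense, this is the first thing to check.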


Now you can see the disassembly of the iOS binary and can make changes to it. Hopper can write the patched binary back out as a new file (File -> Produce New Executable). Keep a copy of the untouched decrypted binary so you can diff against it or roll back.

Happy modding!

Copying the modified iOS App binary back to the device

After you modded the binary, replace the original binary of the app with your modded binary using iFunBox or iExplorer (do not reinstall the app: a reinstall brings back the original, encrypted binary). To do this, navigate with your favorite iOS file explorer to the .app directory of the app (iOS 8) and replace the old binary. On iOS 8 the per-app directory is named by a UUID, not by the app name, so look for the directory that contains [app_name].app:

/var/mobile/Containers/Bundle/Application/[UUID]/[app_name].app

Re-signing the new app binary

After you have done this you need to re-sign the new binary. To do this, open NewTerm again and type in the following commands:

su
Enter your root password (default: alpine).

cd /var/mobile/Containers/Bundle/Application/[UUID]/[app_name].app
Now you are in the app directory.

ldone [app_name] -s
You have re-signed the binary with ldone.

chmod 755 [app_name]
This command sets the permissions of the binary so that it is executable.

chown mobile.mobile [app_name]
This last command sets the file owner back to mobile, the user the app runs as.

If you have done all steps you can now run the modded app! Thank you for reading and happy modding! If you have any questions just write me on twitter (@iappsdevlopers)


Reverse Engineering ios apps.pdf
