Hooking an iOS app with Theos

      Nessun commento su Hooking an iOS app with Theos
In this blog, I’ll show how to hook an iOS app with Theos. But what is Theos?
Theos was initially ‘iphone-framework’, a project created to simplify building code at the command line, primarily for jailbroken iOS devices. It later underwent significant changes and became Theos, a flexible Make-based build system targeting jailbreak software development, but also with complete support for building for various other platforms. Theos runs on, and can build projects for, macOS, iOS, Linux, and Windows.

Installation on Jailbroken device

The first step is to connect to the jb device via ssh after that execute the following commands:

  • mkdir /opt
  • export THEOS=/opt/theos
  • git clone --recursive https://github.com/theos/theos.git $THEOS
  • Download an SDK for your device and place it inside /opt/theos/sdks 

Hook an iOS app with Theos

This demo will show how to bypass the jailbreak detection mechanism in an Objective-C application.

First thing download and install the app on the jailbroken device. after that, You need to create a Tweak

  • perl /opt/theos/bin/nic.pl
  • Choose a Template (required): 17
  • Project Name (required): JbBypass
  • Package Name [com.yourcompany.jbbypass]: blank
  • Author/Maintainer Name [System Administrator]: blank
  • MobileSubstrate Bundle filter [com.apple.springboard]: com.diego.certif.aaaa (Insert the bundle id of the app you wish to hook here)
  • List of applications to terminate upon installation (space-separated, ‘-‘ for none) [SpringBoard]: blank

At this point, we can implement the Tweak.

  • cd jbbypass/
  • nano Makefile
ARCHS = armv7 arm64
THEOS_DEVICE_IP=192.168.5.116
TARGET := iphone:clang:latest:10.0
INSTALL_TARGET_PROCESSES = SpringBoard
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = JbBypass
JbBypass_FILES = Tweak.x
JbBypass_CFLAGS = -fobjc-arc
include $(THEOS_MAKE_PATH)/tweak.mk

Our goal is to modify isJailbroken’s behavior

nano Tweak.x

%hook ViewController 
- (BOOL)isJailbroken { 
    return NO; 
} 
%end
  • %hook—Opens a hook block and allows you to hook a given class.
  • %ctor—Injects a new constructor into the application.
  • %orig—Calls the original implementation of a hooked function.
  • %log—Writes details of a method and its arguments to the system log.
  • %end—Used to close a %hook block.
The final step is to compile and install the tweak
  • make package install

As long as everything goes well, we can bypass the jailbreak detection.

Demo 2

In this demo, I’ll show how to bypass the jailbreak detection mechanism in a Swift application. Download

  • Choose a Template (required): 17
  • Project Name (required): swiftjb
  • Package Name [com.yourcompany.swiftjb]:
  • Author/Maintainer Name [System Administrator]:
  • List of applications to terminate upon installation (space-separated, ‘-‘ for none)[SpringBoard]:
  • cd swiftjb
  • nano Makefile
ARCHS = armv7 arm64
THEOS_DEVICE_IP=192.168.5.116
TARGET := iphone:clang:latest:10.0
INSTALL_TARGET_PROCESSES = SpringBoard
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = swiftjb
swiftjb_FILES = Tweak.x
swiftjb_CFLAGS = -fobjc-arc
include $(THEOS_MAKE_PATH)/tweak.mk

nano Tweak.x

#include <substrate.h>
#import <Foundation/Foundation.h>

%hook ViewController

static Boolean (*orig_VC_JB)(void)=NULL;
Boolean hook_ViewController_isJailBroken() {
	return false;
}
%end

%ctor{
	%init(ViewController = objc_getClass("JBDetection.ViewController"));
	MSHookFunction(MSFindSymbol(NULL,"_$s11JBDetection14ViewControllerC12isJailbrokenSbyF"), 
	(void*)hook_ViewController_isJailBroken,
	(void**)orig_VC_JB);
}
  • make package install

As long as everything goes well, we can bypass the jailbreak detection.