Request for help: trying to dump parameters from a function


#1

Hi there,

I’m new to the reverse engineering world, so this might be a silly question. Anyway, I’ve been trying for a few days to implement this, without success.

I’m trying to discover how an application creates a checksum that is sent on every request to a remote server. I’ve already decrypted the application with dumpdecrypted, dumped the classes with class-dump-z and disassembled the code both in IDA Free and Hopper. I found the point that I need to hook:

    __attribute__((visibility("hidden")))
    @interface Util : NSObject {
    }
    +(id)gerarcheckSum:(id)sum;
    @end

Inside this method, there are calls to this other one:

    __attribute__((visibility("hidden")))
    @interface JFBCrypt : NSObject {
        int* _p;
        int* _s;
    }
    +(id)generateSaltWithNumberOfRounds:(long)rounds;
    +(id)hashPassword:(id)password withSalt:(id)salt;
    +(int*)integerArrayWithOriginal:(int*)original ofLength:(long)length;
    +(long)streamToWord:(id)word off:(int*)off;
    +(id)decode_base64:(id)a64 ofMaxLength:(long)maxLength;
    +(BOOL)char64of:(unsigned short)of;
    +(id)encodeData:(id)data ofLength:(long)length;
    +(id)bCrypt;
    -(id)hashPassword:(id)password withSalt:(id)salt rounds:(long)rounds;
    -(void)enhanceKeyScheduleWithData:(id)data key:(id)key;
    -(void)key:(id)key;
    -(void)initKey;
    -(void)encipher:(int*)encipher off:(long)off;
    -(void)dealloc;
    @end

Based on the disassembled code (available here), I think I might need to hook the “hashPassword:withSalt:” to dump the passed parameters. The problem is, when I attach to the process using cycript, although I can find the class, I can’t find any instance of JFBCrypt:

    cy# JFBCrypt
    JFBCrypt
    cy# choose(JFBCrypt)
    []

Another question I was wondering about: is it possible to determine which parameters are passed to this method with only static tools like IDA, or is a dynamic analysis tool like Cycript required?

Thanks in advance,
a newbie reverser


#2

Because this is a class method.


#3

Thanks for the reply.

Yeah, now I see I was confusing the class method with the instance method. I really have to hook the class method.

But now I have found a new issue: I’m trying to hook using the instructions found at this link, but className->isa.messages doesn’t seem to work:

    cy# JFBCrypt->isa
    object_getClass(JFBCrypt)
    cy# JFBCrypt->isa.messages
    cy# JFBCrypt->isa.messages["generateSaltWithNumberOfRounds"]
    throw new TypeError("'undefined' is not an object (evaluating 'JFBCrypt.$cyi.isa.messages.generateSaltWithNumberOfRounds')")

I also tried the instructions from here, but the result was even worse: the program crashed.

    cy# function printMethods(className, isa) {
          var count = new new Type("I");
          var classObj = (isa != undefined) ? objc_getClass(className)->isa : objc_getClass(className);
          var methods = class_copyMethodList(classObj, count);
          var methodsArray = [];
          for(var i = 0; i < *count; i++) {
            var method = methods[i];
            methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
          }
          free(methods);
          return methodsArray;
        }
    cy# printMethods("JFBCrypt", true)
    MS:Error: _krncall(mach_vm_read_overwrite(task, data, sizeof(*baton), reinterpret_cast<mach_vm_address_t>(baton), &error)) =4
    *** _assert(status == 0):../Inject.cpp(143):InjectLibrary

So, any direction would be appreciated :) Thanks again


#4

No idea, I suggest Tweak :)
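
Reply #2's point and the method listing attempted in post #3, as an added example that is not part of the original thread: class methods such as +hashPassword:withSalt: are stored on the metaclass, so no instance has to exist, and they are listed and hooked through object_getClass(cls). The JFBCrypt class below is a constructed stand-in with a placeholder body, and MethodNames, LoggedHash and origHash are hypothetical names.

```objc
// Build on macOS: clang -fobjc-arc -framework Foundation demo.m -o demo
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Constructed stand-in for the class in the thread; the body is a placeholder.
@interface JFBCrypt : NSObject
+ (id)hashPassword:(id)password withSalt:(id)salt;
- (void)initKey;
@end
@implementation JFBCrypt
+ (id)hashPassword:(id)password withSalt:(id)salt {
    return [NSString stringWithFormat:@"H(%@|%@)", password, salt];
}
- (void)initKey {}
@end

// Selector names (colons included) of the methods implemented directly on cls.
static NSArray<NSString *> *MethodNames(Class cls) {
    unsigned int count = 0;
    Method *list = class_copyMethodList(cls, &count);
    NSMutableArray<NSString *> *names = [NSMutableArray array];
    for (unsigned int i = 0; i < count; i++)
        [names addObject:NSStringFromSelector(method_getName(list[i]))];
    free(list);
    return names;
}

static id (*origHash)(id, SEL, id, id);   // saved original implementation

// Replacement: log both arguments, then call through to the original unchanged.
static id LoggedHash(id self, SEL _cmd, id password, id salt) {
    NSLog(@"+[%@ %@] password=%@ salt=%@", self, NSStringFromSelector(_cmd), password, salt);
    return origHash(self, _cmd, password, salt);
}

int main(void) {
    @autoreleasepool {
        Class meta = object_getClass([JFBCrypt class]);   // the metaclass
        NSLog(@"instance methods: %@", MethodNames([JFBCrypt class]));
        NSLog(@"class methods:    %@", MethodNames(meta));

        // class_getClassMethod looks the selector up on the metaclass.
        Method m = class_getClassMethod([JFBCrypt class], @selector(hashPassword:withSalt:));
        origHash = (id (*)(id, SEL, id, id))method_setImplementation(m, (IMP)LoggedHash);

        NSLog(@"result: %@", [JFBCrypt hashPassword:@"secret" withSalt:@"salt"]);
    }
    return 0;
}
```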