• Save
Andreas Kurtz "Pentesting iOS Apps - Runtime Analysis and Manipulation"
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Andreas Kurtz "Pentesting iOS Apps - Runtime Analysis and Manipulation"



Security testing of mobile apps and their environment has become increasingly important in recent years. However, there is still a lack of testing methodologies and supporting tools. Accordingly, the ...

Security testing of mobile apps and their environment has become increasingly important in recent years. However, there is still a lack of testing methodologies and supporting tools. Accordingly, the objective of this presentation is to close that gap. As in any kind of software security assessment two different approaches do exist: static and dynamic analysis. While static analysis gives detailed insights into a mobile app, it is not always the most practicable way. To evaluate the security level of a mobile app within an economically reasonable timeframe, it is worthwhile to combine both, static and dynamic analysis. During this talk, I will explain the basic concepts of Objective-C and its runtime. Objective-C supports the concepts of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime. Based on this dynamic nature of the Objective-C runtime, I will show how runtime analysis and manipulation eases security assessments of mobile apps. For this purpose, I will discuss the backgrounds, techniques, problems and solutions to Objective-C runtime analysis and manipulation. I will demonstrate how running applications can be extended with additional debugging and runtime tracing capabilities, and how this facilitates both dynamic and static analysis of Apple iOS apps. Moreover, a new tool to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated. This tool allows on-the-fly manipulations of arbitrary iOS Apps with an easy-to-use graphical user interface. Thus, bypassing client-side restrictions or unlocking additional features and premium content of Apps is going to be a child's play.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Andreas Kurtz "Pentesting iOS Apps - Runtime Analysis and Manipulation" Presentation Transcript

  • 1. Pentes&ng  iOS  Apps   Run&me  Analysis  and  Manipula&on     Andreas  Kurtz  
  • 2. 2   About   •  PhD  candidate  at  the  Security  Research  Group,   Department  of  Computer  Science,   University  of  Erlangen-­‐Nuremberg   –  Security  of  mobile  devices  &  mobile  Apps   –  Dynamic  analysis  of  iOS  Apps     •  Co-­‐Founder  of  NESO  Security  Labs  GmbH   –  SoJware  security   –  PenetraLon  tesLng,  staLc  code  analysis    
  • 3. 3   PentesLng  iOS  Apps   •  Status  quo:  Focus  on  backend  services   – Well-­‐known  methodologies  and  techniques     – Numerous  tools  available     •  So  far  only  liRle  informaLon  on     mobile  App  assessments   •  Lack  of  tools   Backend     Services   Mobile  App   (Frontend)  
  • 4. 4   What  this  talk  is  about   •  IntroducLon  to  the  ObjecLve-­‐C  RunLme     – Backgrounds,  techniques  and  tools  for   manipulaLng  iOS  Apps  at  runLme     •  Use  cases  and  impacts   – Pentesters  should  be  able  to  explore  the  aRack   surface  of  iOS  Apps  more  efficiently   – Developers  might  prefer  to  avoid  client-­‐side  logic   and  security  measures  in  the  future  
  • 5. INTRODUCTION   ObjecLve-­‐C  RunLme  
  • 6. 6   ObjecLve-­‐C   •  Provides  a  set  of  extensions  to  the  C   programming  language     •  AddiLons  are  mostly  based  on  Smalltalk   – Object-­‐oriented   – Messaging   – Dynamic  typing   – ReflecLon   These  concepts  make  ObjecLve-­‐C   quite  aRracLve  from  a  hacking   perspecLve  
  • 7. 7   ObjecLve-­‐C   •  Sample  Code:     HelloWorld  *hello  =  [[HelloWorld  alloc]  init];   [hello  sayHello:@"Shakacon"];   -­‐  (void)  sayHello:  (NSString  *)  string  {        printf("Hello  %s!",  [string  UTF8String]);   }  
  • 8. 8   ObjecLve-­‐C  RunLme   •  Apps  are  linked  to  libobjc.A.dylib     #  otool  -­‐L  HelloWorld     HelloWorld:     /System/Library/Frameworks/Foundation.framework/Foundation   (compatibility  version  300.0.0,  current  version  890.1.0)   /usr/lib/libobjc.A.dylib  (compatibility  version  1.0.0,   current  version  228.0.0)   [..]     This  library  provides  all  runLme   funcLonaliLes  of  the     ObjecLve-­‐C  RunLme  
  • 9. 9   ObjecLve-­‐C  RunLme   •  Most  important  funcLon:  objc_msgSend   •  Example     Class  class  =  objc_getClass("HelloWorld");   id  receiver  =  [[class  alloc]  init];   SEL  selector  =  NSSelectorFromString(@"sayHello:");       objc_msgSend(theReceiver,theSelector,@"Shakacon");       Pointer  to  an  instance  of  the  class,   whose  method  we  want  to  call  
  • 10. 10   ObjecLve-­‐C  RunLme   •  Most  important  funcLon:  objc_msgSend   •  Example     Class  class  =  objc_getClass("HelloWorld");   id  receiver  =  [[class  alloc]  init];   SEL  selector  =  NSSelectorFromString(@"sayHello:");       objc_msgSend(theReceiver,theSelector,@"Shakacon");       The  selector  of  the  method  that   handles  the  message  
  • 11. 11   ObjecLve-­‐C  RunLme   •  Most  important  funcLon:  objc_msgSend   •  Example     Class  class  =  objc_getClass("HelloWorld");   id  receiver  =  [[class  alloc]  init];   SEL  selector  =  NSSelectorFromString(@"sayHello:");       objc_msgSend(theReceiver,theSelector,@"Shakacon");       A  variable  argument  list   containing  the  arguments  to  the   method  
  • 12. 12   StaLc  vs.  Dynamic  Analysis   •  During  staLc  analysis,  control  flow  is  lost  when   objc_msgSend  is  called     •  CharacterisLcs  of  the  ObjecLve-­‐C  RunLme   enables  comprehensive  dynamic  analysis             Technique   Usage   §  Intercept  messages   §  Trace  internal  control  flow     §  Send  arbitrary  messages  to   exisLng  objects     §  Rewrite  implementaLons  of   arbitrary  methods   §  Manipulate  internal  state  and   processing  logic  of  an  iOS   App    
  • 13. RUNTIME  MANIPULATION   Backgrounds  &  Techniques  
  • 14. 14   StarLng  Point   •  Goal:  Black  box  analysis  of  an  arbitrary  iOS  App   –  Enterprise  or  AppStore  App   –  Binary  format  (no  source  code  available)   •  Approach:  Examine  the  iOS  App  on  a  jailbroken   device   –  Removes  the  limitaLons  imposed  by  Apple   –  Provides  root  access  to  the  operaLng  system   –  Enables  the  installaLon  of  addiLonal  soJware   –  Enables  access  to  the  ObjecLve-­‐C  RunLme!  
  • 15. 15   RunLme  ManipulaLon   •  ObjecLve-­‐C  RunLme  [1]  offers  a  wide   range  of  opportuniLes  to  manipulate  exisLng   iOS  Apps     •  Two  different  approaches   – InjecLng  a  staLc  library  with  new  funcLonaliLes   – InjecLng  an  interpreter  for  on-­‐the-­‐fly   manipulaLons  
  • 16. 16   Dynamic  Library  InjecLon   •  Advise  the  dynamic  linker  to  load  a  dynamic   shared  library  (DYLD_INSERT_LIBRARIES)  [2]   File  System   iOS  App  Address  Space   Dynamic  Linker   ..   Foundation   CoreFoundation   libobjc.A.dylib   debug.dylib   ..   Foundation   CoreFoundation   libobjc.A.dylib   debug.dylib  
  • 17. 17   RunLme  Patching   •  Replace  exisLng  methods  and  reroute   program  control  during  library  iniLalizaLon       App   API  Method   Replacement   call  API  method   redirect  to   call  original  code   return   return  
  • 18. 18   Hooking  in  PracLce   •  MobileSubstrate  [3]   –  MobileLoader  loads  3rd-­‐party  patching  code  into  the   running  applicaLon   –  MobileHooker  is  used  to  hook  and  replace                                       system  methods  and  funcLons     IMP  MSHookMessage(Class  class,  SEL  selector,  IMP  replacement,  const   char*  prefix);     void  MSHookFunction(void*  function,  void*  replacement,  void**   p_original);     •  RecommendaLon:  Theos  suite  eases  the  development   of  MobileSubstrate  extensions  (Tweaks)  [4]  
  • 19. 19   Example:  Fake  Device  InformaLon     #include  "substrate.h"   #import  <Foundation/Foundation.h>     NSString  *replaced_UIDevice_uniqueIdentifier()  {          return  @"Shakacon";   }     __attribute__((constructor))   static  void  initialize()  {          MSHookMessage(objc_getClass("UIDevice"),                  @selector(uniqueIdentifier),                                (IMP)replaced_UIDevice_uniqueIdentifier,   NULL);   }  
  • 20. 20   RunLme  ManipulaLon   •  ObjecLve-­‐C  RunLme  [1]  offers  a  wide   range  of  opportuniLes  to  manipulate  exisLng   iOS  Apps     •  Two  different  approaches   – InjecLng  a  staLc  library  with  new  funcLonaliLes   – InjecLng  an  interpreter  for  on-­‐the-­‐fly   manipulaLons   ü  
  • 21. 21   Cycript:  ObjecLve-­‐JavaScript  [5]           •  Injects  a  JavaScript  interpreter  into  a  running  App   –  Based  on  MobileSubstrate     •  Enables  runLme  manipulaLons  in  a  flexible  way   [6],  [7]   “A  programming  language  designed  to  blend   the  barrier  between  ObjecHve-­‐C  and   JavaScript.”   “  
  • 22. 22   Example:  Fake  Device  InformaLon   •  Step  1:  ARach  to  the  App  process     #  cycript  -­‐p  <PID>       •  Step  2:  Determine  the  current  UDID     cy#  [[UIDevice  currentDevice]  uniqueIdentifier];   @"768f0c93a69276d190b6…"  
  • 23. 23   Example:  Fake  Device  InformaLon   •  Step  3:  Replace  the  implementaLon  of  the     API  method     cy#  UIDevice.messages['uniqueIdentifier']  =          function()  {  return  @"Shakacon";  }       •  Step  4:  Query  the  UDID  again     cy#  [[UIDevice  currentDevice]  uniqueIdentifier];   @"Shakacon"  
  • 24. 24   Example:  Fake  Device  InformaLon  
  • 25. 25   Example:  Fake  Device  InformaLon   •  Example  demonstrates  the  diverse  possibiliLes  of   iOS  runLme  injecLon   •  This  might  be  useful  in  different  scenarios   –  Apps  that  rely  on  hardware  idenLfier  for   authenLcaLon   –  Apps  that  use  binary  or  any  proprietary  protocols   •  Easier  to  manipulate  the  App  endpoint,   compared  to  modificaLons  at  protocol-­‐level  
  • 26. USE  CASES  
  • 27. 27   Advantages  of  RunLme  ManipulaLon   •  By  using  these  techniques,  running  Apps  can   be  extended  with  addiLonal  debugging  and   runLme  tracing  capabiliLes     •  This  assists  security  assessments  of  iOS  Apps   – Eases  the  discovery  of  vulnerabiliLes   – Simplifies  bypassing  client-­‐side  limitaLons  and   restricLons  
  • 28. 28   Evaluate  EncrypLon  Schemes   •  Typical  quesLon:  Which  App  methods  are   called  aJer  the  “Login”  buRon  is  pressed?     •  Idea:  Make  use  of  dynamic  analysis  to   reconstruct  the  control  flow  of  an  App   – Use  the  results  to  navigate  through  staLc  code     •  SoluLon:  Log  all  messages  to  objc_msgSend  
  • 29. 29   The  gdb  way   (gdb)  exec-­‐file  /var/mobile/Applications/<APP-­‐EXECUTABLE>   Reading  symbols  for  shared  libraries  .  done   (gdb)  attach  <PID>   Attaching  to  program:  `/private/var/mobile/Applications/...',  process  PID.   Reading  symbols  for  shared  libraries  .  done   Reading  symbols  for  shared  libraries  ................................  done   Reading  symbols  for  shared  libraries  +  done   0x364d7004  in  mach_msg_trap  ()   (gdb)  break  objc_msgSend   Breakpoint  1  at  0x32ce2f68   (gdb)  commands   Type  commands  for  when  breakpoint  1  is  hit,  one  per  line.   End  with  a  line  saying  just  "end".   >printf  "-­‐[%s  %s]n",  (char  *)class_getName($r0),$r1   >c   >end   (gdb)  c   Continuing.  
  • 30. 30   The  gdb  way   Breakpoint  1,  0x32ce2f68  in  objc_msgSend  ()   -­‐[UIStatusBarServer  _receivedStatusBarData:actions:]     Breakpoint  1,  0x32ce2f68  in  objc_msgSend  ()   -­‐[UIStatusBar  statusBarServer:didReceiveStatusBarData:withActions:]     Breakpoint  1,  0x32ce2f68  in  objc_msgSend  ()   -­‐[UIStatusBar  _currentComposedData]     Breakpoint  1,  0x32ce2f68  in  objc_msgSend  ()   -­‐[UIStatusBar  _currentComposedDataForStyle:]     Breakpoint  1,  0x32ce2f68  in  objc_msgSend  ()   -­‐[UIStatusBarComposedData  alloc]     [..]   Very  noisy!    All  background   acLviLes  of  the  runLme  are   shown  as  well.  
  • 31. 31   App  Tracing   •  Preferred  approach:  Intercept  messages  to   objc_msgSend  within  the  runLme     •  Apply  filters  with  different  granularity   –  Enumerate  registered  App  classes  and  methods  using   the  ObjecLve-­‐C  RunLme  API  (objc_getClassList,   class_copyMethodList,  etc.)   –  Output  a  trace  of  only  matching  items   •  Inspired  by  AspecLve-­‐C  [8]  and  SubjecLve-­‐C  [9]  
  • 32. 32   App  Tracing   •  Tricky  part  is  to  handle  all  parameters  and  to   conLnue  normal  execuLon   –  Logging  itself  modifies  CPU  registers  and  the  stack     •  Current  execuLon  state  has  to  be  preserved   –  Allocate  an  alternate  stack  within  heap  memory   –  Backup  r0  -­‐  r3  and  lr  registers  to  alternate  stack   –  Do  the  logging  and  filtering   –  Restore  r0  -­‐  r3  and  lr   –  ConLnue  execuLon  
  • 33. 33   Sample  Output   +  [SyncManager  sharedSyncManager]   -­‐  [SyncManager  init]   -­‐  [SyncManager  setSynDocumentOpen:],  args:  0   +  [DataModel  setSynchManager:],  args:  <0x1102ce30>   +  [DataModel  initFromFile]   +  [DataModel  securityModelFilePath]   +  [DataModel  securityModelFilePath]   +  [PBKDF2  getKeyForPassphrase:],  args:  <__NSCFConstantString  0x15e2e4:  >   +  [CryptoUtils  decrypt]   +  [DataModel  sharedModel]   +  [CryptoUtils  md5:],  args:  <__NSCFConstantString  0x15dea4:  >   +  [DataModel  sharedModel]   EncrypLon  scheme  is  based  on  a     hardcoded  key  within  the  App  
  • 34. 34   Sample  Output   +  [SyncManager  sharedSyncManager]   -­‐  [SyncManager  init]   -­‐  [SyncManager  setSynDocumentOpen:],  args:  0   +  [DataModel  setSynchManager:],  args:  <0x1102ce30>   +  [DataModel  initFromFile]   +  [DataModel  securityModelFilePath]   +  [DataModel  securityModelFilePath]   +  [PBKDF2  getKeyForPassphrase:],  args:  <__NSCFConstantString  0x15e2e4:  >   +  [CryptoUtils  decrypt]   +  [DataModel  sharedModel]   +  [CryptoUtils  md5:],  args:  <__NSCFConstantString  0x15dea4:  >   +  [DataModel  sharedModel]  
  • 35. 35   Advantages  of  RunLme  ManipulaLon   •  The  ability  to  manipulate  Apps  at  runLme   strikes  out  new  paths   – Discover  weak/missing  encrypLon   – Bypassing  client-­‐side  restricLons   – ExecuLon  of  hidden  funcLonality,  which  was  not   supposed  to  be  accessible   – Unlock  addiLonal  features  and  premium  content   – Dump  copyright-­‐protected  content   – Etc.  
  • 36. 36   Lack  of  Tools   “Security  will  not  get  beOer  unHl  tools  for   pracHcal  exploraHon  of  the  aOack  surface   are  made  available”     -­‐  Josh  Wright   “  
  • 37. 37   Closing  the  Gap   •  Retrofiqng  exisLng  apps  with  debugging  and   runLme  tracing  capabiliLes   App Library Debugging GWT  GUI   XML-RPC Webserver
  • 38. 38   Introducing  Snoop-­‐it   •  A  tool  to  assist  security  assessments  and   dynamic  analysis  of  iOS  Apps  
  • 39. 39   Features   Monitoring   File  system  access  (print  data  protecLon  classes)   Keychain  access   HTTP(S)  connecLons   Access  to  sensiLve  API  (address  book,  photos  etc.)   Debug  outputs   Tracing  App  internals  (objc_msgSend)  
  • 40. 40   Features   Analysis  /   ManipulaLon   Fake  hardware  idenLfier  (UDID,  Wireless  MAC,  etc.)   Fake  locaLon/GPS  data   Explore  and  force  display  of  available  ViewControllers   List  custom  URL  schemes   List  available  ObjecLve-­‐C  classes,  objects  and  methods   Invoke  and  replace  arbitrary  methods  at  runLme  
  • 41. 41   Features   Other   Simple  installaLon  and  configuraLon   Easy  to  use  graphical  user  interface   Plenty  of  filter  and  search  opLons   Detailed  descripLon  of  the  XML-­‐RPC  web  service  interface   Freely  available  soon  (beta  version  available  on  request)  
  • 42. 42   Geqng  Started   •  There’s  an  App  for  That!™       Œ  Open  the  Snoop-­‐it  ConfiguraHon  App       Select  Apps  (System/Cydia/AppStore)              to  analyze     Ž  Adjust  seqngs  (GUI,  AuthenLcaLon,  …)       Run  app  &  point  your  browser  to  the  Snoop-­‐it              web  interface  
  • 43. 43   Geqng  Started   •  There’s  an  App  for  That!™     Œ  Open  the  Snoop-­‐it  ConfiguraHon  App       Select  Apps  (System/Cydia/AppStore)              to  analyze     Ž  Adjust  seqngs  (GUI,  AuthenLcaLon,  …)       Run  app  &  point  your  browser  to  the  Snoop-­‐it              web  interface  
  • 44. 44   Geqng  Started   •  There’s  an  App  for  That!™     Œ  Open  the  Snoop-­‐it  ConfiguraHon  App       Select  Apps  (System/Cydia/AppStore)              to  analyze     Ž  Adjust  seqngs  (GUI,  AuthenLcaLon,  …)       Run  app  &  point  your  browser  to  the  Snoop-­‐it              web  interface  
  • 45. 45   Geqng  Started   •  There’s  an  App  for  That!™     Œ  Open  the  Snoop-­‐it  ConfiguraHon  App       Select  Apps  (System/Cydia/AppStore)              to  analyze     Ž  Adjust  seqngs  (GUI,  AuthenLcaLon,  …)       Run  app  &  point  your  browser  to  the  Snoop-­‐it              web  interface  
  • 46. 46   Geqng  Started   •  There’s  an  App  for  That!™     Œ  Open  the  Snoop-­‐it  ConfiguraHon  App       Select  Apps  (System/Cydia/AppStore)              to  analyze     Ž  Adjust  seqngs  (GUI,  AuthenLcaLon,  …)       Run  App  &  point  your  browser  to  the  Snoop-­‐it              web  interface  
  • 47. DEMO   Please  follow  me  on  TwiRer  (@aykay)     to  stay  up-­‐to-­‐date  with  the  latest  news  on  Snoop-­‐it    
  • 48. 48   User  Feedback   “I'm  totally  impressed  by  the  way  Snoop-­‐it   has  eased  down  on  assessing  iOS  apps.     I  managed  to  idenHfy  flaws  on  client-­‐side   implementaHon  in  no  Hme.     The  Method  Tracing  feature  is  a  blessing!!!”     -­‐  Arjun  Pednekar,  NCC  Group   “  
  • 49. 49   Filesystem  Monitor  
  • 50. 50   LocaLon  Faker  
  • 51. 51   App  Tracing  
  • 52. 52   Keychain  Monitor  
  • 53. 53   RunLme  ManipulaLon  
  • 54. 54   The  Case  of  iOS  Wi-­‐Fi  Hotspots   •  Apple  iOS  generates  weak  default  passwords,   when  an  iPhone  is  used  as  mobile  hotspot  
  • 55. 55   The  Case  of  iOS  Wi-­‐Fi  Hotspots   •  Default  passwords  are  derived  from  an   English-­‐language  dicLonary   – Only  1.842  entries  are  taken  into  consideraLon   – Process  of  selecLng  words  from  that  dicLonary  is   not  random   •  Possibility  to  compromise  a  hotspot   connecLon  in  less  than  50  seconds  
  • 56. 56   The  Case  of  iOS  Wi-­‐Fi  Hotspots  
  • 57. 57   The  Case  of  iOS  Wi-­‐Fi  Hotspots  
  • 58. 58   The  Case  of  iOS  Wi-­‐Fi  Hotspots   •  Full  report  at  hRp://www1.cs.fau.de/hotspot     •  Fixed  in  iOS  7:  
  • 59. 59   Jailbreak  DetecLon   •  Purpose:  VerificaLon  of  playorm  integrity   •  Common  checks   –  Suspicious  files  and  directories   –  File  system  permissions   –  Mount  opLons   –  Symbolic  links   –  Dynamic  shared  libraries   –  SSH  Loopback   –  Sandbox  integrity  (fork)  
  • 60. 60   Jailbreak  DetecLon  
  • 61. 61   Jailbreak  DetecLon   •  In  order  to  assess  the  security  of  an  iOS  App,     at  first  the  jailbreak  detecLon  mechanisms  have   to  be  bypassed     –  Binary  /  Run-­‐Lme  patching  to  remove  all  checks   (specific,  Lme-­‐consuming)     Delegate.messages['isJailbroken']  =                                      function()  {  return  NO;  }     –  Intercept  system  calls  to  simulate  an  unmodified   execuLon  environment  (generic)    
  • 62. 62   Jailbreak  DetecLon  Bypass           •  Snoop-­‐it  supports  generic  bypass  of  the  most   common  jailbreak  detecLon  mechanisms   –  Simple  configuraLon  switch  in  the  ConfiguraLon  App  
  • 63. DEMO   Bypassing  Jailbreak  DetecLon  
  • 64. 64   AppMinder  Jailbreak  DetecLon   •  Advanced  jailbreak  detecLon  to  be  integrated   into  Apple  iOS  Apps   –  WriRen  in  pure  assembly  code   –  Various  code  obfuscaLon  techniques   –  Self-­‐integrity  checks   –  AnL-­‐debugging  measures     •  Web  service  freely  available  at:          hOp://appminder.nesolabs.de    
  • 65. 65   AppMinder  Jailbreak  DetecLon  
  • 66. 66   Securing  the  RunLme   •  Minimum  of  data/logic  on  the  client-­‐side   •  Preferred  use  of  C,  at  least  for  security-­‐criLcal   implementaLons   – Inline  FuncLons   – ObfuscaLon   •  Advanced  Jailbreak  DetecLon     •  RunLme  Integrity  Checks  (dladdr()[10])   At  least  try  to,     it’s  worth  a  shot.  
  • 67. 67   Summary   •  RunLme  Analysis  and  ManipulaLon  facilitates   both,  dynamic  and  staHc  analysis  of  iOS  Apps     •  ARack  surface  of  iOS  Apps  can  be  explored   more  efficiently        
  • 68. Weipertstraße  8-­‐10  ·∙  74076  Heilbronn   ( +49  (7131)  7669-­‐541   info@nesolabs.de   www.nesolabs.de    
  • 69. 69   References   [1]   ObjecLve  C  RunLme  Reference   hRp://developer.apple.com/library/mac/#documentaLon/Cocoa/Reference/ ObjCRunLmeRef/Reference/reference.html     [2]   dyld  -­‐  the  dynamic  link  editor  (DYLD_INSERT_LIBRARIES)   hRp://developer.apple.com/library/mac/#documentaLon/Darwin/Reference/ Manpages/man1/dyld.1.html     [3]   Mobile  Substrate   hRp://iphonedevwiki.net/index.php/MobileSubstrate     [4]   Theos   hRp://iphonedevwiki.net/index.php/Theos     [5]   Cycript   hRp://www.cycript.org    
  • 70. 70   References   [6]   Cycript  Overview   hRp://iphonedevwiki.net/index.php/Cycript     [7]   Cycript  Tips   hRp://iphonedevwiki.net/index.php/Cycript_Tricks     [8]   AspecLve-­‐C  by  saurik   hRp://svn.saurik.com/repos/menes/trunk/aspecLvec/AspecLveC.mm       [9]   SubjecLve-­‐C  by  KennyTM~   hRp://networkpx.blogspot.de/2009/09/introducing-­‐subjecLve-­‐c.html       [10]   dladdr  -­‐  find  the  image  containing  a  given  address   hRp://developer.apple.com/library/Mac/#documentaLon/Darwin/Reference/ ManPages/man3/dladdr.3.html