1
00:00:00,120 --> 00:00:02,370
Instructor: Hi, within this lecture

2
00:00:02,370 --> 00:00:05,130
we're going to see how we can use this iHex

3
00:00:05,130 --> 00:00:09,840
that we have downloaded in order to edit the IPA file.

4
00:00:09,840 --> 00:00:12,450
And then later on we are going to continue looking

5
00:00:12,450 --> 00:00:17,450
for clues or hints in our Hopper Disassembler as well.

6
00:00:17,730 --> 00:00:21,810
So we are not gonna do any assembly editing

7
00:00:21,810 --> 00:00:26,100
actually in this section, but if you need to do

8
00:00:26,100 --> 00:00:28,443
some kind of editing in the future

9
00:00:28,443 --> 00:00:31,800
then you should know this, because the free version

10
00:00:31,800 --> 00:00:35,760
of Hopper Disassembler won't allow you to edit

11
00:00:35,760 --> 00:00:40,290
and then export the file afterwards.

12
00:00:40,290 --> 00:00:43,680
So first of all, we are going to have to convert

13
00:00:43,680 --> 00:00:46,800
this IPA into a .zip file

14
00:00:46,800 --> 00:00:50,700
because we want to get the contents out of it.

15
00:00:50,700 --> 00:00:54,480
So if you change the extension like this to .zip,

16
00:00:54,480 --> 00:00:57,240
then it will be a zip file.

17
00:00:57,240 --> 00:00:58,800
It's very simple.

18
00:00:58,800 --> 00:01:03,360
Make sure you spell it right, Z-I-P,

19
00:01:03,360 --> 00:01:06,030
and then make sure you say "Use .zip".

20
00:01:06,030 --> 00:01:09,780
And then if you don't have any WinZip or WinRAR

21
00:01:09,780 --> 00:01:13,380
on your MacBook, then you should go and download it.

22
00:01:13,380 --> 00:01:15,420
It's free; all you have to do

23
00:01:15,420 --> 00:01:19,590
is just go to winzip.com and just download it.

24
00:01:19,590 --> 00:01:21,030
Actually, it's not free,

25
00:01:21,030 --> 00:01:24,570
but it has a free trial version as well.

26
00:01:24,570 --> 00:01:26,700
So it will be sufficient for you.
27
00:01:26,700 --> 00:01:29,100
Just download it and install it,

28
00:01:29,100 --> 00:01:33,000
and then you can use it by double-clicking on it.

29
00:01:33,000 --> 00:01:35,880
If you double-click on this zip file right now,

30
00:01:35,880 --> 00:01:40,880
you are gonna see this Payload and you can just copy

31
00:01:41,010 --> 00:01:46,010
or drag and drop it to your desktop and try to use it, okay?

32
00:01:47,370 --> 00:01:52,320
That's it, that's how you get content out of IPA files.

33
00:01:52,320 --> 00:01:56,370
Now, if you right-click on it and say Show Package Contents,

34
00:01:56,370 --> 00:01:58,530
you can actually see the package contents

35
00:01:58,530 --> 00:02:01,140
of the IPA file as well.

36
00:02:01,140 --> 00:02:05,760
And as you can see, we see the executable of the IPA inside

37
00:02:05,760 --> 00:02:07,650
of this content.

38
00:02:07,650 --> 00:02:12,510
So yeah, as you can see, we still get the Info.plist

39
00:02:12,510 --> 00:02:17,510
and other signatures and stuff in here also.

40
00:02:17,790 --> 00:02:21,510
And we are going to have to work with this executable file

41
00:02:21,510 --> 00:02:24,600
in order to edit it in iHex.

42
00:02:24,600 --> 00:02:28,230
But it doesn't allow me to drag and drop onto the desktop

43
00:02:28,230 --> 00:02:32,190
because we already have Detect Jail on the desktop.

44
00:02:32,190 --> 00:02:35,010
So let me close this down and show you a better way.

45
00:02:35,010 --> 00:02:38,250
And as you can see, Hopper Disassembler stopped working

46
00:02:38,250 --> 00:02:42,900
because it's the free version and it only allows us to use it

47
00:02:42,900 --> 00:02:44,970
for 30 minutes per session.

48
00:02:44,970 --> 00:02:48,810
Of course, we can open it later on one more time.

49
00:02:48,810 --> 00:02:52,170
And I'm gonna come over here and say Open File,

50
00:02:52,170 --> 00:02:56,670
then I go to my desktop, and I choose this Payload, okay?
51
00:02:56,670 --> 00:02:58,860
If I double-click on it, it will show me

52
00:02:58,860 --> 00:03:00,720
the executable one more time

53
00:03:00,720 --> 00:03:02,610
and I can just double-click on it

54
00:03:02,610 --> 00:03:06,240
and see the hexadecimal code.

55
00:03:06,240 --> 00:03:08,580
And maybe you're thinking right now

56
00:03:08,580 --> 00:03:11,280
that, yeah, we see this hexadecimal code

57
00:03:11,280 --> 00:03:14,100
in Hopper Disassembler as well.

58
00:03:14,100 --> 00:03:17,160
So why are we bothering with this?

59
00:03:17,160 --> 00:03:20,970
The first reason is to teach you how to get content

60
00:03:20,970 --> 00:03:23,310
out of IPA files, okay?

61
00:03:23,310 --> 00:03:25,140
And the second reason is that

62
00:03:25,140 --> 00:03:29,280
you can just start editing this in here.

63
00:03:29,280 --> 00:03:31,380
Now, this is in overwrite mode.

64
00:03:31,380 --> 00:03:34,890
If I write something, it will just edit it like this.

65
00:03:34,890 --> 00:03:39,890
If I change something, like if I'm just typing random keys

66
00:03:40,020 --> 00:03:44,070
on my keyboard, it just edits it, okay?

67
00:03:44,070 --> 00:03:48,030
So maybe there might be a time for you in the future

68
00:03:48,030 --> 00:03:51,420
when you should edit the hexadecimal code

69
00:03:51,420 --> 00:03:54,750
or you should edit the assembly code;

70
00:03:54,750 --> 00:03:59,430
now you can find the related section in your iHex

71
00:03:59,430 --> 00:04:04,430
and then edit it, and then you can save it like this, okay?

72
00:04:05,250 --> 00:04:09,240
File, Save, and it will be saved.

73
00:04:09,240 --> 00:04:14,240
And then you can try to actually see and match

74
00:04:15,000 --> 00:04:19,200
the important parts from the Hopper Disassembler as well.

75
00:04:19,200 --> 00:04:22,470
So let me open the Hopper Disassembler, here you go.

76
00:04:22,470 --> 00:04:25,860
So let me just close this down.
77
00:04:25,860 --> 00:04:28,860
Okay, let me just bring this down

78
00:04:28,860 --> 00:04:32,130
so we can actually see the Hopper Disassembler,

79
00:04:32,130 --> 00:04:34,650
because I want to come over here

80
00:04:34,650 --> 00:04:37,560
and bring this into my Hopper Disassembler

81
00:04:37,560 --> 00:04:41,850
in order to decompile it like this, okay?

82
00:04:41,850 --> 00:04:46,740
And then if I go to this hexadecimal tab,

83
00:04:46,740 --> 00:04:50,220
if I find something, if I find some code

84
00:04:50,220 --> 00:04:52,860
that I want to edit from here,

85
00:04:52,860 --> 00:04:55,710
for example, let me find the beginning

86
00:04:55,710 --> 00:04:59,280
of a procedure, or let me find a function or method.

87
00:04:59,280 --> 00:05:03,327
Suppose that I want to change that function, okay?

88
00:05:03,327 --> 00:05:07,320
And I found the line that I want to change;

89
00:05:07,320 --> 00:05:11,250
if I highlight it, and if I go back to my hexadecimal,

90
00:05:11,250 --> 00:05:13,230
I can see where it starts.

91
00:05:13,230 --> 00:05:18,230
So if I know this is where I should actually edit in iHex,

92
00:05:18,810 --> 00:05:22,410
I can come over here and hit Control-F or Command-F

93
00:05:22,410 --> 00:05:25,830
and find the related hexadecimal code

94
00:05:25,830 --> 00:05:29,070
and then I can change it if I want.

95
00:05:29,070 --> 00:05:31,200
And then I can save it.

96
00:05:31,200 --> 00:05:33,780
So this is how you do hex editing.

97
00:05:33,780 --> 00:05:37,770
Of course, you should know about assembly

98
00:05:37,770 --> 00:05:39,870
in order to do that, okay?

99
00:05:39,870 --> 00:05:43,290
After you're done, you can just double-click on this

100
00:05:43,290 --> 00:05:46,320
one more time and just replace the file

101
00:05:46,320 --> 00:05:50,190
with the new edited file and then close this down

102
00:05:50,190 --> 00:05:53,220
and then change .zip to .ipa.
103
00:05:53,220 --> 00:05:55,920
So let me delete this and come over here

104
00:05:55,920 --> 00:05:58,470
and change the extension to .ipa.

105
00:05:58,470 --> 00:06:01,350
And here you go, here is your edited IPA.

106
00:06:01,350 --> 00:06:05,220
However, this is not what we are looking for in this lecture,

107
00:06:05,220 --> 00:06:10,220
because we should have a good understanding of assembly

108
00:06:10,230 --> 00:06:12,810
in order to do that, okay?

109
00:06:12,810 --> 00:06:15,390
And by the way, I didn't change anything.

110
00:06:15,390 --> 00:06:20,390
I have just hit Command-Z in order to undo what I have done.

111
00:06:21,930 --> 00:06:24,930
Now, we are looking at the original file.

112
00:06:24,930 --> 00:06:27,360
Rather than doing this, we are going to focus

113
00:06:27,360 --> 00:06:29,460
on finding clues and hints

114
00:06:29,460 --> 00:06:33,540
in order to manipulate our app in a way that we want.

115
00:06:33,540 --> 00:06:35,190
So what do we do?

116
00:06:35,190 --> 00:06:38,430
We just open the Hopper Disassembler and disassemble

117
00:06:38,430 --> 00:06:40,110
our IPA file.

118
00:06:40,110 --> 00:06:41,190
And here you go.

119
00:06:41,190 --> 00:06:45,420
One of the first things that I actually focus on over here

120
00:06:45,420 --> 00:06:47:790
is the second view controller.

121
00:06:47,790 --> 00:06:50,880
Now, if I don't know anything about the source code,

122
00:06:50,880 --> 00:06:54,090
now I know that there is a second view controller.

123
00:06:54,090 --> 00:06:59,090
And if it were a real CTF and if I were trying to get the flag

124
00:07:00,930 --> 00:07:04,860
out of this app, if I click over here on Test,

125
00:07:04,860 --> 00:07:07,800
it says "Jailbreak hacker",

126
00:07:07,800 --> 00:07:10,230
then I should probably understand

127
00:07:10,230 --> 00:07:12,540
that there is a second view controller.
128
00:07:12,540 --> 00:07:15,210
And if it wasn't a jailbroken device,

129
00:07:15,210 --> 00:07:18,870
then I should have seen the second view controller.

130
00:07:18,870 --> 00:07:21,390
Now I have to focus on

131
00:07:21,390 --> 00:07:25,020
how to get into the second view controller.

132
00:07:25,020 --> 00:07:29,430
Of course, hex editing might be an idea for this;

133
00:07:29,430 --> 00:07:31,860
it might be a solution for this as well.

134
00:07:31,860 --> 00:07:34,470
But again, we are not gonna do that.

135
00:07:34,470 --> 00:07:37,680
Rather, we are going to learn something called Cycript,

136
00:07:37,680 --> 00:07:41,160
or "script", and it's very fantastic

137
00:07:41,160 --> 00:07:44,340
because you get to edit, or you get to manipulate, the app

138
00:07:44,340 --> 00:07:48,900
in a way that you want very easily using that tool.

139
00:07:48,900 --> 00:07:50,310
That's what we are going to do.

140
00:07:50,310 --> 00:07:53,880
But before we do that, we have to gather clues,

141
00:07:53,880 --> 00:07:57,390
we have to gather hints from our IPA,

142
00:07:57,390 --> 00:08:01,020
from our assembly code like this.

143
00:08:01,020 --> 00:08:02,550
So we're going to stop here

144
00:08:02,550 --> 00:08:04,533
and continue in the next lecture.