1
00:00:00,300 --> 00:00:04,170
-: Hi. Within this lecture, we are going to take a look

2
00:00:04,170 --> 00:00:08,130
at the Swift version of this jailbreaking app.

3
00:00:08,130 --> 00:00:11,760
So, we have this Swift version over here, right?

4
00:00:11,760 --> 00:00:14,250
We have downloaded it from GitHub.

5
00:00:14,250 --> 00:00:16,320
So, I'm going to close this down

6
00:00:16,320 --> 00:00:18,720
and I'm going to delete everything related

7
00:00:18,720 --> 00:00:23,720
to Objective-C and I'm going to bring in the Swift version.

8
00:00:23,850 --> 00:00:26,520
So, there are challenges in Swift version.

9
00:00:26,520 --> 00:00:29,970
Cycript doesn't properly work in this case.

10
00:00:29,970 --> 00:00:34,350
So, we're going to see how that goes.

11
00:00:34,350 --> 00:00:37,080
So, let me close this down and here you go.

12
00:00:37,080 --> 00:00:40,530
Here is our DetectJailSwift.

13
00:00:40,530 --> 00:00:44,550
So, I'm going to take the IPA from here as well

14
00:00:44,550 --> 00:00:46,440
and I'm going to copy and paste it

15
00:00:46,440 --> 00:00:51,440
on my desktop and I'm going to use Hopper disassembler

16
00:00:51,810 --> 00:00:56,370
and other tools that we have used in the previous section.

17
00:00:56,370 --> 00:00:59,550
For example, we can use Cydia Impactor

18
00:00:59,550 --> 00:01:03,090
in order to upload it to our jailbroken device.

19
00:01:03,090 --> 00:01:06,210
And you don't have to do that by now, by the way.

20
00:01:06,210 --> 00:01:09,240
You can just watch me do this stuff

21
00:01:09,240 --> 00:01:14,130
and take notes if you want for this particular lecture.

22
00:01:14,130 --> 00:01:15,240
And if you don't want,

23
00:01:15,240 --> 00:01:18,060
you can always practice along with me.

24
00:01:18,060 --> 00:01:21,480
So, I'm going to delete the Objective-C version

25
00:01:21,480 --> 00:01:26,070
and I'm going to upload this version over here.

26
00:01:26,070 --> 00:01:28,980
So, it asks me for my email.

27
00:01:28,980 --> 00:01:33,000
I'm going to give it and it asks me for my password.

28
00:01:33,000 --> 00:01:35,700
I'm gonna give it one more time.

29
00:01:35,700 --> 00:01:38,790
So, here it is, I'm going to copy it

30
00:01:38,790 --> 00:01:41,160
and I'm going to paste it

31
00:01:41,160 --> 00:01:45,360
so that I can upload it to my iPad.

32
00:01:45,360 --> 00:01:48,300
So, it asks me for my profile.

33
00:01:48,300 --> 00:01:53,250
I'm gonna say, okay, and then it will be uploaded.

34
00:01:53,250 --> 00:01:54,570
So, here you go.

35
00:01:54,570 --> 00:01:56,790
I believe now it's done.

36
00:01:56,790 --> 00:01:57,623
Here you go.

37
00:01:57,623 --> 00:01:58,680
Now it works.

38
00:01:58,680 --> 00:02:01,290
Now if I open this and if I hit test,

39
00:02:01,290 --> 00:02:04,590
as you can see it says that hacker jailbreak.

40
00:02:04,590 --> 00:02:06,750
So, it works. Great.

41
00:02:06,750 --> 00:02:08,520
So, let me close this down

42
00:02:08,520 --> 00:02:12,630
and let me open the Hopper disassembler.

43
00:02:12,630 --> 00:02:16,710
So, let me close this down because it's still showing me

44
00:02:16,710 --> 00:02:20,070
the old version, Objective-C version.

45
00:02:20,070 --> 00:02:24,390
Let me open the Swift version in this Hopper disassembler.

46
00:02:24,390 --> 00:02:25,740
Here you go.

47
00:02:25,740 --> 00:02:29,850
Now it will disassemble the application

48
00:02:29,850 --> 00:02:34,770
and we will see the functions and other stuff as it is,

49
00:02:34,770 --> 00:02:38,730
as we have seen in the Objective-C version as well.

50
00:02:38,730 --> 00:02:41,070
So, if we come over here, for example,

51
00:02:41,070 --> 00:02:43,680
if we search for something like test,

52
00:02:43,680 --> 00:02:47,850
we can still see test button clicked function over here

53
00:02:47,850 --> 00:02:52,590
and it takes us to the test button function

54
00:02:52,590 --> 00:02:55,230
and we can see what it does.

55
00:02:55,230 --> 00:02:59,370
We can come over here and take a look at the diagram

56
00:02:59,370 --> 00:03:02,220
and try to make sense out of it

57
00:03:02,220 --> 00:03:07,110
and see the related functions and related paths.

58
00:03:07,110 --> 00:03:12,110
So, it starts like this as we have seen in the Objective-C.

59
00:03:12,180 --> 00:03:15,630
It's a little bit different, but we can still understand

60
00:03:15,630 --> 00:03:20,340
that there is a second view controller over here

61
00:03:20,340 --> 00:03:24,930
and we can see the other stuff like this.

62
00:03:24,930 --> 00:03:29,010
Like there is a selector performing some segue

63
00:03:29,010 --> 00:03:30,480
and if that's the case,

64
00:03:30,480 --> 00:03:32,520
we are seeing the second view controller.

65
00:03:32,520 --> 00:03:34,140
If that's not the case,

66
00:03:34,140 --> 00:03:37,500
we are seeing hacker jailbreak, right?

67
00:03:37,500 --> 00:03:40,380
We can still search for a second view controller

68
00:03:40,380 --> 00:03:44,130
and we can see it actually exists in the app.

69
00:03:44,130 --> 00:03:49,130
So, we can follow along the previous one.

70
00:03:49,260 --> 00:03:52,020
Like we can do the same thing like we did

71
00:03:52,020 --> 00:03:56,670
before we can see every step as it was.

72
00:03:56,670 --> 00:04:00,180
So, we can try to understand this thing.

73
00:04:00,180 --> 00:04:04,920
We can see the set text function over here

74
00:04:04,920 --> 00:04:08,550
and unfortunately demo version has expired.

75
00:04:08,550 --> 00:04:11,400
So, let me open it one more time

76
00:04:11,400 --> 00:04:16,400
and let me just bring this again and disassemble it.

77
00:04:17,670 --> 00:04:21,090
So, since we are using free version,

78
00:04:21,090 --> 00:04:23,370
it can do this sometime.

79
00:04:23,370 --> 00:04:24,390
So, don't worry.

80
00:04:24,390 --> 00:04:26,640
Let me just find it one more time.

81
00:04:26,640 --> 00:04:28,230
Let's go for a test.

82
00:04:28,230 --> 00:04:30,180
Let me click on test button clicked

83
00:04:30,180 --> 00:04:35,070
and the second diagram, a second tab, the diagram tab.

84
00:04:35,070 --> 00:04:38,820
Now we're here, we still see the hacker jailbreak

85
00:04:38,820 --> 00:04:40,530
and set text functions.

86
00:04:40,530 --> 00:04:43,290
So, this is a path that it takes us

87
00:04:43,290 --> 00:04:46,260
and this is other path that we go

88
00:04:46,260 --> 00:04:50,670
to second view controller and now we can understand.

89
00:04:50,670 --> 00:04:54,930
We can still see the same clues over here.

90
00:04:54,930 --> 00:04:58,680
Okay? So it really doesn't matter for us if it's Swift

91
00:04:58,680 --> 00:05:03,000
or Objective-C when it comes to assembly, when it comes

92
00:05:03,000 --> 00:05:07,140
to Hopper disassembler, we still can make sense out

93
00:05:07,140 --> 00:05:09,060
of this functions.

94
00:05:09,060 --> 00:05:14,060
As you can see, there are two paths like we have seen before

95
00:05:14,760 --> 00:05:16,680
and we can see the result label,

96
00:05:16,680 --> 00:05:19,560
we can see the second view controller,

97
00:05:19,560 --> 00:05:23,910
we can see the segues and we can see all the functions

98
00:05:23,910 --> 00:05:26,793
and all the other variables and stuff.

99
00:05:27,720 --> 00:05:32,720
So, assume that you have seen all this information

100
00:05:32,820 --> 00:05:36,510
and you gathered what you need

101
00:05:36,510 --> 00:05:38,880
in order to manipulate the app.

102
00:05:38,880 --> 00:05:43,440
But, the challenge starts where actually you go

103
00:05:43,440 --> 00:05:47,370
and run Cycript because Cycript doesn't do

104
00:05:47,370 --> 00:05:50,670
a good job on Swift applications.

105
00:05:50,670 --> 00:05:54,480
And believe me, I'm not going to show you very good things

106
00:05:54,480 --> 00:05:56,760
over here because there isn't

107
00:05:56,760 --> 00:06:00,450
a very good alternative to Cycript right now.

108
00:06:00,450 --> 00:06:03,450
So, I'm going to SSH into that

109
00:06:03,450 --> 00:06:06,660
and I'm gonna run Cycript like we have done before.

110
00:06:06,660 --> 00:06:11,660
So, make sure your application is running like this, okay?

111
00:06:12,690 --> 00:06:16,620
And then you can run Cycript like this and say,

112
00:06:16,620 --> 00:06:21,620
-p DetectJailSwift and then you're in DetectJailSwift app.

113
00:06:23,340 --> 00:06:27,840
Now, if you run UIApp.keyWindow.rootViewController,

114
00:06:27,840 --> 00:06:30,960
you can still get the information like this.

115
00:06:30,960 --> 00:06:35,310
As you can see, we still see the view controller over here.

116
00:06:35,310 --> 00:06:38,610
So, it says that DetectJailSwift.ViewController.

117
00:06:38,610 --> 00:06:43,290
You can still gather information using Cycript

118
00:06:43,290 --> 00:06:45,570
from Swift applications.

119
00:06:45,570 --> 00:06:48,390
But, if you try doing some manipulation

120
00:06:48,390 --> 00:06:51,690
like this second view controller, for example,

121
00:06:51,690 --> 00:06:54,870
and it didn't work at the first time I know

122
00:06:54,870 --> 00:06:58,650
but we can try it for the second time as well.

123
00:06:58,650 --> 00:06:59,760
As you can see, it says

124
00:06:59,760 --> 00:07:02,790
that can't find variables second view controller

125
00:07:02,790 --> 00:07:04,650
but we know it's there, right?

126
00:07:04,650 --> 00:07:05,580
So, if we search

127
00:07:05,580 --> 00:07:08,730
for second view controller, we will see it.

128
00:07:08,730 --> 00:07:12,000
Even though it's there, it doesn't show up.

129
00:07:12,000 --> 00:07:16,020
So, we are certain that there is a second view controller

130
00:07:16,020 --> 00:07:19,860
and it doesn't give us any other error.

131
00:07:19,860 --> 00:07:22,530
It says that it doesn't exist.

132
00:07:22,530 --> 00:07:24,210
So, let me try this way,

133
00:07:24,210 --> 00:07:26,060
DetectJailSwift.SecondViewController,

134
00:07:28,260 --> 00:07:30,090
like it says over here.

135
00:07:30,090 --> 00:07:32,790
But, it doesn't find that either.

136
00:07:32,790 --> 00:07:35,310
So, it doesn't work.

137
00:07:35,310 --> 00:07:39,300
And the thing is that it, it cannot find the variable.

138
00:07:39,300 --> 00:07:40,800
So, no matter what we do,

139
00:07:40,800 --> 00:07:44,250
no matter what we write, it doesn't find the variable.

140
00:07:44,250 --> 00:07:47,640
So, let's try to get the methods like this.

141
00:07:47,640 --> 00:07:49,200
So, I'm going to copy and paste

142
00:07:49,200 --> 00:07:53,340
this function one more time and try to print the methods.

143
00:07:53,340 --> 00:07:56,190
So, I'm gonna hit enter and say print methods

144
00:07:56,190 --> 00:07:59,070
and I'm going to give view controller

145
00:07:59,070 --> 00:08:01,170
as parameter over here.

146
00:08:01,170 --> 00:08:04,950
So, I'm going to try view controller first.

147
00:08:04,950 --> 00:08:08,820
And as you can see, it gives us an empty array,

148
00:08:08,820 --> 00:08:10,380
so it doesn't find it.

149
00:08:10,380 --> 00:08:12,240
So rather than view controller,

150
00:08:12,240 --> 00:08:17,240
if I try DetectJailSwift.ViewController and it crashes.

151
00:08:17,940 --> 00:08:21,600
So, I cannot seem to get along with this.

152
00:08:21,600 --> 00:08:26,340
So, I cannot just get the information

153
00:08:26,340 --> 00:08:30,030
or I cannot get or manipulate

154
00:08:30,030 --> 00:08:35,030
the view controller like it works in Objective-C.

155
00:08:35,610 --> 00:08:38,910
And this didn't work in Objective-C as well.

156
00:08:38,910 --> 00:08:40,890
Maybe you can think something like that.

157
00:08:40,890 --> 00:08:45,570
Yeah, we have seen the method name in Hopper disassembler.

158
00:08:45,570 --> 00:08:48,060
So, why not we change it like we did

159
00:08:48,060 --> 00:08:50,310
in the view controller right?

160
00:08:50,310 --> 00:08:53,370
Yeah, you can't try that, but it won't work either.

161
00:08:53,370 --> 00:08:58,370
So, let me open the jail, DetectJailSwift codes for you.

162
00:08:58,380 --> 00:09:03,300
Even if we see the function name like this, isJailbroken.

163
00:09:03,300 --> 00:09:08,300
Even if we get it from disassembler, okay?

164
00:09:08,610 --> 00:09:11,640
Now if we try to change it like this,

165
00:09:11,640 --> 00:09:16,640
ViewController.prototype.isJailbroken, okay?

166
00:09:17,790 --> 00:09:20,910
And if we try to make this equal to function

167
00:09:20,910 --> 00:09:25,830
and then say return false, and if we hit enter

168
00:09:25,830 --> 00:09:28,800
it will still won't find,

169
00:09:28,800 --> 00:09:32,760
it will still not find the view controller.

170
00:09:32,760 --> 00:09:35,910
So, maybe you can try something like,

171
00:09:35,910 --> 00:09:40,463
DetectJailSwift.ViewController, it won't still work again.

172
00:09:41,400 --> 00:09:45,690
Yep. As you can see, it cannot find the variable.

173
00:09:45,690 --> 00:09:49,200
So, at this point there is only one thing left

174
00:09:49,200 --> 00:09:52,020
for you to do and it's editing the hex,

175
00:09:52,020 --> 00:09:54,630
it's editing the assembly code.

176
00:09:54,630 --> 00:09:57,210
And I'm not gonna go into that.

177
00:09:57,210 --> 00:09:59,610
All I wanted to show you is

178
00:09:59,610 --> 00:10:03,540
that Cycript doesn't work properly in Swift applications.

179
00:10:03,540 --> 00:10:08,280
So, maybe in your case you can find a Swift app

180
00:10:08,280 --> 00:10:12,090
that you can actually manipulate with Cycript

181
00:10:12,090 --> 00:10:17,090
but more often than not it won't work

182
00:10:17,130 --> 00:10:21,210
and there isn't a very good alternative at this point.

183
00:10:21,210 --> 00:10:24,060
So, if I find an alternative in some time,

184
00:10:24,060 --> 00:10:28,680
of course I'm gonna add it here and you can get ahold of it.

185
00:10:28,680 --> 00:10:33,450
But, at this point there isn't a very good way to do so.

186
00:10:33,450 --> 00:10:38,450
However, there, the percentage of Objective-C apps

187
00:10:38,700 --> 00:10:42,330
are actually, actually higher at this point.

188
00:10:42,330 --> 00:10:44,640
Like more than 50% of the apps

189
00:10:44,640 --> 00:10:47,940
are written in Objective-C rather than Swift.

190
00:10:47,940 --> 00:10:49,650
And it will change in years.

191
00:10:49,650 --> 00:10:52,410
Of course, Swift apps will try,

192
00:10:52,410 --> 00:10:56,070
will increase in percentage from some point.

193
00:10:56,070 --> 00:11:00,900
And I believe the security apps are Cycript

194
00:11:00,900 --> 00:11:04,140
like penetration tests tools, like Cycript,

195
00:11:04,140 --> 00:11:05,730
will increase as well.

196
00:11:05,730 --> 00:11:07,920
So, if there is an update,

197
00:11:07,920 --> 00:11:12,240
I will add it on the section of this course.

198
00:11:12,240 --> 00:11:13,680
So, I hope you enjoy

199
00:11:13,680 --> 00:11:16,980
the iOS reverse engineering section as well.

200
00:11:16,980 --> 00:11:20,763
We're going to stop here and continue within the next one.