☠️
       ██╗██████╗ ██╗     ███████╗███████╗███████╗██╗███╗   ██╗ ██████╗
       ██║██╔══██╗██║     ██╔════╝██╔════╝██╔════╝██║████╗  ██║██╔════╝
       ██║██████╔╝██║     █████╗  ███████╗███████╗██║██╔██╗ ██║██║  ███╗
       ██║██╔══██╗██║     ██╔══╝  ╚════██║╚════██║██║██║╚██╗██║██║   ██║
       ██║██████╔╝███████╗███████╗███████║███████║██║██║ ╚████║╚██████╔╝
       ╚═╝╚═════╝ ╚══════╝╚══════╝╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝ ╚═════╝

iblessing

• iblessing is an iOS security exploiting toolkit, it mainly includes application information gathering, static analysis and dynamic analysis.
• iblessing is based on unicorn engine, capstone engine and keystone engine.

Features

• [x] 🔥 Cross-platform: Tested on macOS and Ubuntu.

• [x] iOS App static info extract, including metadata, deeplinks, urls, etc.

• [x] Mach-O parser and dyld symbol bind simulator

• [x] Objective-C class realizing and parsing

• [x] Scanners making dynamic analysis for arm64 assembly code and find key information or attack surface

• [x] Scanners using unicorn to partially simulate Mach-O arm64 code execution and find some features

• [x] Generators that can provide secondary processing on scanner's report to start a query server, or generate script for IDA

• Super objc_msgSend xrefs scanner 😄

  • [x] objc methods and subs (such as blocks) emulation to generate xrefs like flare-emu
  • [x] objc function wrapper detect and ida usercall generate
  • [x] objc_msgSend sub functions analysis
  • [x] objc block to objc_msgSend xrefs in args and capture list
  • [x] report format including json, etc.
  • [ ] Swift class and method parsing
  • [ ] following branches and calls
  • [ ] SimProcedures for extern symbols

• [x] Tests

• [ ] Android Scanners Suport

• [ ] Diagnostic logs

• [ ] More flexible scanner infrastructure for new scanner plugins

Support

In case you need support regarding iblessing or anything associated with it, you can:

• create an issue and provide necessary information
• contact Sou1gh0st on Twitter
• send mail to xiuyutong1994#163.com
• send mail to xiuyutong1994#gmail.com

Changelog

• 2021.06.27 - New arch (Shell Programm + Core Library) and plugin support (beta)
• 2021.01.23 - Add method signatures for system libraries (Foundation, UIKit), further enhanced analytical capabilities (https://github.com/Soulghost/iblessing/wiki/System-Libraries-(Foundation,-UIKit)-Simple-SimProcedure)
• 2020.11.30 - Objc reflection info (https://github.com/Soulghost/iblessing/wiki/Objc-Reflection-Info)
• 2020.10.24 - Objc call snapshots (https://github.com/Soulghost/iblessing/wiki/Objc-Call-Snapshots)
• 2020.10.04 - Objc category list support
• 2020.09.28 - Static library and fat mach-o support
• 2020.09.22 - Basic program state and condition branching
• 2020.09.04 - Method validation, infering, objc_msgSendSuper support
• 2020.08.11 - Now iblessing is a cross-platform tool, support both macOS and Linux 😆
• 2020.08.08 - Improve objc_msgSend xref scanner, add sub xref supoort, including block arguments and capture list
• 2020.07.30 - Improve symbol-wrapper scanner, and add ida scripts for symbol wrapper rename and prototype modification
• 2020.07.21 - First release

Get started

⚠️⚠️⚠️ Binary Scanners require 12GB of virtual memory space to loading a mach-o file, but won't consume so much. So you need to ensure that the physical memory of your working machine is greater than 12GB, or ensure that allocatable virtual memory is greater than 12GB through the swap file mechanism.

1. You can download the pre-released iblessing binary and enjoy it.
2. run chmod +x for the binary
3. For more tutorails, please check the Documentation & Help below.

How to Use

• Releases https://github.com/Soulghost/iblessing/releases

All in One Binary

• iblessing-darwin-all/iblessing-linux

Shell Program + Dylib

• untar iblessing-framework.tar.gz
• iblessing-darwin/iblessing-linux + libiblessing-core.dylib/libiblessing-core.so

Develop Your Own Tools based on iblessing Framework

• untar iblessing-framework.tar.gz
• your binary + libiblessing-core.dylib/libiblessing-core.so + include/iblessing-core
• sample code: iblessing-core/otool.cpp

How to Build

CMake

• Platform: macOS, Linux

To get started compiling iblessing, please follow the steps below:

git clone --recursive -j4 https://github.com/Soulghost/iblessing
cd iblessing
./compile-cmake.sh

Shortcuts

• Basic Concepts

• Scanners

  • Scan for AppInfos ⚠️ Not currently available on Linux
  • Scan for Class XREFs
  • Scan for All objc_msgSend XREFs
  • Scan for Simple Symbol Wrappers

• Generators

  • Generate objc_msgSend Xrefs Query Server
  • Generate IDA Scripts for objc_msgSend xrefs
  • Generate IDA Scripts for objc function wrapper rename and prototype modification

If there are any errors, you can manully compile capstone and unicorn, then drag libcapstone.a and libunicorn.a to the Xcode project's vendor/libs.

If all of this run successfully, you can find the binary in build directory:

> ls ./build
iblessing

> file ./build/iblessing
./build/iblessing: Mach-O 64-bit executable x86_64

Documentation & Help

Preview

$ iblessing -h

           ☠️
           ██╗██████╗ ██╗     ███████╗███████╗███████╗██╗███╗   ██╗ ██████╗
           ██║██╔══██╗██║     ██╔════╝██╔════╝██╔════╝██║████╗  ██║██╔════╝
           ██║██████╔╝██║     █████╗  ███████╗███████╗██║██╔██╗ ██║██║  ███╗
           ██║██╔══██╗██║     ██╔══╝  ╚════██║╚════██║██║██║╚██╗██║██║   ██║
           ██║██████╔╝███████╗███████╗███████║███████║██║██║ ╚████║╚██████╔╝
           ╚═╝╚═════╝ ╚══════╝╚══════╝╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝ ╚═════╝

[***] iblessing iOS Security Exploiting Toolkit Beta 0.1.1 (http://blog.asm.im)
[***] Author: Soulghost (高级页面仔) @ (https://github.com/Soulghost)

Usage: iblessing [options...]
Options:
    -m, --mode             mode selection:
                                * scan: use scanner
                                * generator: use generator
    -i, --identifier       choose module by identifier:
                                * <scanner-id>: use specific scanner
                                * <generator-id>: use specific generator
    -f, --file             input file path
    -o, --output           output file path
    -l, --list             list available scanners
    -d, --data             extra data
    -h, --help             Shows this page

Basic Concepts

Scanner

A scanner is a component used to output analysis report through static and dynamic analysis of binary files, for example, the objc-msg-xref scanner can dynamiclly analyze most objc_msgSend cross references.

[*] Scanner List:
    - app-info: extract app infos
    - objc-class-xref: scan for class xrefs
    - objc-msg-xref: generate objc_msgSend xrefs record
    - predicate: scan for NSPredicate xrefs and sql injection surfaces
    - symbol-wrapper: detect symbol wrappers

Generator

A generator is a component that performs secondary processing on the report generated by the scanner, for example, it can generate IDA scripts based on the the objc-msg-xref scanner's cross references report.

[*] Generator List:
    - ida-objc-msg-xref: generator ida scripts to add objc_msgSend xrefs from objc-msg-xref scanner's report
    - objc-msg-xref-server: server to query objc-msg xrefs
    - objc-msg-xref-statistic: statistics among objc-msg-send reports

Basic Usage

Scan for AppInfos

⚠️ Because some of the dependence on Cocoa has not been lifted (such as bplist parser), it is not currently available on Linux.

> iblessing -m scan -i app-info -f <path-to-app-bundle>

Let's take WeChat as an example:

> iblessing -m scan -i app-info -f WeChat.app
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat.app
[*] start App Info Scanner
[+] find default plist file Info.plist!
[*] find version info: Name: 微信(WeChat)
Version: 7.0.14(18E226)
ExecutableName: WeChat
[*] Bundle Identifier: com.tencent.xin
[*] the app allows HTTP requests **without** exception domains!
[+] find app deeplinks
 |-- wechat://
 |-- weixin://
 |-- fb290293790992170://
 |-- weixinapp://
 |-- prefs://
 |-- wexinVideoAPI://
 |-- QQ41C152CF://
 |-- wx703://
 |-- weixinULAPI://
[*] find app callout whitelist
 |-- qqnews://
 |-- weixinbeta://
 |-- qqnewshd://
 |-- qqmail://
 |-- whatsapp://
 |-- wxwork://
 |-- wxworklocal://
 |-- wxcphonebook://
 |-- mttbrowser://
 |-- mqqapi://
 |-- mqzonev2://
 |-- qqmusic://
 |-- tenvideo2://
 ...
[+] find 507403 string literals in binary
[*] process with string literals, this maybe take some time
[+] find self deeplinks URLs:
 |-- weixin://open