Introspy-iOS

Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.

See http://isecpartners.github.io/Introspy-iOS/ for a quick introduction.

Description

This is the repository for the Introspy-iOS tracer.

The tracer can be installed on a jailbroken device to hook and log security-sensitive iOS APIs called by applications running on the device. The tool records details of relevant API calls, including arguments and return values, and persists them in a database. The calls are also written to the Console for real-time analysis.

The database can then be fed to Introspy-Analyzer, a Python script to generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application. Introspy-Analyzer is hosted on a separate repository: https://github.com/iSECPartners/Introspy-Analyzer

Installation

Users should first download the latest pre-compiled Debian package available in the release section of the project page at: https://github.com/integrity-sa/Introspy-iOS/releases or for older releases at https://github.com/iSECPartners/Introspy-iOS/releases

Dependencies

The tracer will only run on a jailbroken device. Using Cydia, make sure the following packages are installed:

  • dpkg
  • Cydia Substrate
  • PreferenceLoader
  • Applist

How to install

Download and copy the Debian package to the device; install it:

scp <package.deb> root@<device_ip>:~
ssh root@<device_ip>
dpkg -i <package.deb>

Respring the device:

killall -HUP SpringBoard

There should be two new menus in the device's Settings. The Apps menu allows you to select which applications will be profiled while the Settings menu defines which API groups are being hooked.

Finally, kill and restart the App you want to monitor.
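The steps above, wrapped in a small helper that first checks over SSH that the Cydia dependencies are actually installed and refuses to run dpkg -i otherwise (the "dependency problems prevent configuration" failure reported in the issues is exactly what this preflight avoids). This is an added example, not part of the Introspy-iOS project. The package identifiers other than applist (which appears verbatim in the dpkg error) are assumed from the names these packages use in Cydia; confirm them with dpkg -l on the device.

```python
"""Preflight and install helper for the Introspy-iOS Debian package."""
import os
import shlex
import subprocess
import sys

# Cydia package identifiers for the dependencies listed in the README.
# "applist" is taken from the dpkg error in the issue tracker; the other
# identifiers are assumed here (check with `dpkg -l` on the device).
REQUIRED = ("dpkg", "mobilesubstrate", "preferenceloader", "applist")


def parse_dpkg_status(output):
    """Map package name -> True if fully installed, from the output of
    `dpkg-query -W -f='${Package} ${Status}\\n'`."""
    state = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # ${Status} is "<want> <eflag> <status>", e.g. "install ok installed";
        # only the last word says whether the package is actually configured.
        state[parts[0]] = parts[-1] == "installed"
    return state


def missing_dependencies(output, required=REQUIRED):
    """Names in `required` that are absent or not fully installed."""
    state = parse_dpkg_status(output)
    return [pkg for pkg in required if not state.get(pkg, False)]


def status_query(required=REQUIRED):
    """Shell command run on the device to list the dependency states."""
    # dpkg-query exits non-zero for unknown packages but still prints the
    # known ones; the trailing `true` keeps ssh from reporting that as failure.
    return ("dpkg-query -W -f='${Package} ${Status}\\n' "
            + " ".join(shlex.quote(p) for p in required) + " 2>/dev/null; true")


def ssh(device_ip, command):
    """Run one command as root on the device and capture its output."""
    return subprocess.run(["ssh", "root@" + device_ip, command],
                          capture_output=True, text=True, check=True)


def install(device_ip, deb_path):
    """Fail closed before copying: never run dpkg -i with missing dependencies."""
    missing = missing_dependencies(ssh(device_ip, status_query()).stdout)
    if missing:
        raise SystemExit("install from Cydia first: " + ", ".join(missing))
    name = os.path.basename(deb_path)
    subprocess.run(["scp", deb_path, "root@%s:~/%s" % (device_ip, name)], check=True)
    ssh(device_ip, "dpkg -i ~/" + shlex.quote(name))
    ssh(device_ip, "killall -HUP SpringBoard")  # respring so the tweak is loaded


if __name__ == "__main__":
    install(sys.argv[1], sys.argv[2])
```

Usage: python install_introspy.py <device_ip> <package.deb>. The parser keys on the third word of ${Status} on purpose: a package left in "half-configured" or "unpacked" state is reported as missing rather than silently accepted.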

How to uninstall

dpkg -r com.isecpartners.introspy

Generating HTML Reports

The tracer stores data about the API calls made by each profiled application in a database on the device (one in each application's folder). This database can be fed to a Python script called Introspy-Analyzer to generate HTML reports that make the collected data much easier to review. The script also analyzes and flags dangerous API calls to speed up the identification of vulnerabilities within iOS applications.

Introspy-Analyzer is hosted on a separate repository: https://github.com/iSECPartners/Introspy-Analyzer

Building Introspy-iOS

Most users should just download and install the pre-compiled Debian package. However, if you want to modify the library's functionality you will have to build the Debian package yourself.

The build requires the Theos suite, available at https://github.com/theos/theos. For general instructions on how to install Theos, see https://github.com/theos/theos/wiki/Installation.

You must also set the $THEOS variable in your environment and export it, so that make sees its value when you run it:

export THEOS=/absolute/path/to/theos
export PATH=$THEOS/bin:$PATH

Then, the package can be built using:

make package

Once you've successfully created the debian package, you can use Theos to automatically install the package and re-spring the device by specifying the device's IP address in the THEOS_DEVICE_IP environment variable:

export THEOS_DEVICE_IP=192.168.1.127
make install

License

See ./LICENSE.

Authors

  • Tom Daniels
  • Alban Diquet

Maintainers

  • Herman Duarte

Contributors

  • lxcode
  • nabla-c0d3

Issues

dpkg < 1.15.6 doesn't support xz file type

Results in:

dpkg-deb: file `/tmp/_theos_install.deb' contains ununderstood data member data.tar.xz , giving up
dpkg: error processing /tmp/_theos_install.deb (--install):
subprocess dpkg-deb --fsys-tarfile returned error exit status 2
Errors were encountered while processing:
/tmp/_theos_install.deb

Explicitly setting the compression type (-Zgzip) in the makefile fixes it.

iSECPartners-introspy-83c3efc/tracer/theos/makefiles/package/deb.mk, line 34:

$(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -Zgzip -b "$(THEOS_STAGING_DIR)" "$(THEOS_PACKAGE_DIR)/$(THEOS_PACKAGE_FILENAME).deb" $(STDERR_NULL_REDIRECT)$(ECHO_END)

Issue filtering

Add signature filtering functionality back into the python client.

Move away from theos and logos

A few Theos features we use (such as xmi files) have been broken for months and we now have to use an unofficial fork just to build our tweak. We should stop relying on logos (and perhaps theos eventually).

Hooking variadic functions causes an EXC_BAD_ACCESS

I created a demo iOS app. Pretty much the only thing it does is call [NSString stringWithFormat:@"asd"];. When I set up a custom tracer to hook into this method, the app crashes when called.

I've run it through Xcode, put down Exception Breakpoints and grabbed the backtrace using LLDB. Here's the trace of the crashing thread. As you can see, it results in an EXC_BAD_ACCESS.

Upon further testing it appears that this is only occurring for methods with variadic parameters. If I hook +stringWithString: and create a sample app which uses that method, the tracer works fine and all the data I ask is logged.

Has anyone else run into this?

Other useful things?

Instead of just call matching, why don't we have command line options that parse out useful information, e.g.,

  • deduped list of all URLs accessed by the app
  • deduped list of all files accessed by the app
    ...

Does the latest version work on 8.3?

I have one iPhone 6 Plus with iOS 8.3. I don't want to upgrade it to iOS 10 as a jailbreak is not available currently. Will it work?

Fail closed for missing attributes

The arguments filter fails open. For example, if I commit a keychain item and don't pass in a kSecAttrAccessible value then the pdmn value won't exist in the arguments plist and it won't get caught by the analyzer.

Repetitive Code

Wherever a new CallTracer is instantiated, wouldn't it be cleaner to simply use ...forClass:NSStringFromClass([self class]) andMethod:NSStringFromSelector(_cmd)]; ?

It could easily be macro'd out this way.

CLI --list option

Add a list option to the CLI so that regardless of analysis (i.e., Signatures) all calls will be printed (optionally filtered by group / subgroup).

Missing vulns/signatures

So that I don't forget:

  • Cookie leaking to 3rd party domains through HTTP redirections
  • HTTPS to HTTP redirection
  • DP APIs with UnlessOpen attribute
  • Null IV

Remove ArgumentsWithMaskFilter

The filter is purely a bitwise AND with 1 ... so it does nothing. I think we should either just support it in the ArgumentsFilter (like I did previously) or just remove the mask comparison and worry about it if we come across a mask that actually makes a difference... also the reintroduction broke all of my code :(

Call graph

Examine the Objective-C segment of application binaries to identify structure and then dynamically hook methods so we can produce a call graph. This may be an uber pita... but something to think about.

Can't hook NSURLSession's *taskWithURL* methods

I created a new file with this content:

%hook NSURLSession
- (NSURLSessionDataTask *)dataTaskWithRequest:(NSURLRequest *)request completionHandler:(void (^)(NSData *data, NSURLResponse *response, NSError *error))completionHandler {    
    NSLog(@"Hooked");
    return %orig(request, completionHandler);
}
%end

And added this file in one of the %group #include's in Tweak.xmi. I don't understand why this doesn't get hooked. What's wrong here? I understand this may not be specific to Introspy but I just thought I'd try asking here.

Add a button to erase all DBs

Right now the only way to erase the introspy DBs stored on the device is to manually SSH into the device and erase them. We should add something to the analyzer to quickly erase all DBs.

Wrap scp'ing the db off of the device

If the user provides the app name we can probably just run a find on the device and grab the right db. This will be much cleaner than requiring the user to scp the db off of the device in some other fashion. Make it just work.

Encountering clang error during theos make

Setup:
Xcode 5.1.1
Build version 5B1008
Mac OS X 10.9.4
DHowett theos 330c79022bccab58c09f85d907c92e1c0e989200

I'm encountering this error when I run make in src:

Making all for tweak introspy...
 Preprocessing Tweak.xmi...
clang: error: cannot use 'objective-c++-cpp-output' output with multiple -arch options
make[2]: *** [obj/Tweak.xmi.04299979.o] Error 1
make[1]: *** [internal-library-all_] Error 2
make: *** [introspy.all.tweak.variables] Error 2

I am not sure how to move forward with this. Any tip?

PEP-8 compliance

Convert tabs to spaces. When you did this initially it conflicted with a bunch of additions I made, so I just overwrote them back (sorry, that was pretty lazy). Need to convert them back and do whatever else to be PEP-8 compliant (make sure we have 4-space indentation ubiquitously).

Analyze daemons

Hey guys, I would like to know if I can hook Introspy to system daemons like itunesstored?
Thanks

dependency problems prevent configuration

make package goes fine,
but install gets the error below. What's the problem?

Selecting previously deselected package com.isecpartners.introspy.
(Reading database ... 2222 files and directories currently installed.)
Unpacking com.isecpartners.introspy (from /tmp/_theos_install.deb) ...
dpkg: dependency problems prevent configuration of com.isecpartners.introspy:
com.isecpartners.introspy depends on applist; however:
Package applist is not installed.
dpkg: error processing com.isecpartners.introspy (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
com.isecpartners.introspy
make: *** [internal-install] Error 1

Suggestion: Decode values

Hey guys,

Currently using a slightly out-of-date copy, so maybe this is already done in a newer release.

When grabbing return values, many have known meanings. For example, if SecItemCopyMatching returns -25300, it means that the value wasn't found.

Another example: SecItemAdd with attribute pdmn=aku corresponds to a specific protection type (I think this is only when unlocked, this device only)

It would be cool to have these baked into introspy somehow so the user doesn't have to know/look up these values.
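The two analyzer requests above, "Fail closed for missing attributes" and this "Decode values" suggestion, are two sides of the same check, so here is one worked example covering both: a keychain accessibility signature that reports a missing or unrecognised pdmn instead of silently passing it, and decodes the pdmn short codes and OSStatus return values into their Security.framework names. This is an added illustration, not Introspy-Analyzer code; the record layout it consumes (a dict with "method", "arguments" and "returnValue") and the sample records are constructed for the example and are not the tracer's database schema.

```python
"""Fail-closed check for keychain item accessibility, with decoded values."""

# Short codes Security.framework stores in the "pdmn" attribute for
# kSecAttrAccessible, mapped to their constant names.
PDMN_NAMES = {
    "ak":   "kSecAttrAccessibleWhenUnlocked",
    "ck":   "kSecAttrAccessibleAfterFirstUnlock",
    "dk":   "kSecAttrAccessibleAlways",
    "aku":  "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku":  "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku":  "kSecAttrAccessibleAlwaysThisDeviceOnly",
    "akpu": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
}

# Protection classes that leave the item decryptable while the device is locked.
WEAK_PDMN = {"ck", "cku", "dk", "dku"}

# A few Security.framework OSStatus codes worth decoding in a report.
OSSTATUS_NAMES = {
    0: "errSecSuccess",
    -50: "errSecParam",
    -25293: "errSecAuthFailed",
    -25299: "errSecDuplicateItem",
    -25300: "errSecItemNotFound",
    -34018: "errSecMissingEntitlement",
}


def decode_status(code):
    """Name an OSStatus return value, keeping the raw number for unknown codes."""
    name = OSSTATUS_NAMES.get(code)
    return "%s (%d)" % (name, code) if name else "OSStatus %d" % code


def check_accessibility(attrs):
    """Return (severity, message) for a SecItemAdd attribute dict, or None if fine.

    Fails closed on both gaps: a missing pdmn is reported because the keychain
    then applies kSecAttrAccessibleWhenUnlocked, and an unrecognised value is
    reported because it cannot be shown to be safe.
    """
    if "pdmn" not in attrs:
        return ("medium", "kSecAttrAccessible not set; item defaults to "
                          "kSecAttrAccessibleWhenUnlocked")
    code = attrs["pdmn"]
    name = PDMN_NAMES.get(code)
    if name is None:
        return ("medium", "unrecognised kSecAttrAccessible value %r; review manually" % (code,))
    if code in WEAK_PDMN:
        return ("high", "item stored with %s, readable while the device is locked" % name)
    return None


def analyze(records):
    """Run the check over trace records and decode each flagged call's return value.

    Record layout (method / arguments / returnValue) is an assumption made for
    this example, not the tracer's schema.
    """
    findings = []
    for rec in records:
        if rec["method"] != "SecItemAdd":
            continue
        hit = check_accessibility(rec["arguments"])
        if hit:
            findings.append({"method": rec["method"], "severity": hit[0],
                             "message": hit[1], "status": decode_status(rec["returnValue"])})
    return findings


# Constructed sample records (not real tracer output).
SAMPLE_RECORDS = [
    {"method": "SecItemAdd", "arguments": {"acct": "token", "pdmn": "aku"}, "returnValue": 0},
    {"method": "SecItemAdd", "arguments": {"acct": "password"}, "returnValue": 0},
    {"method": "SecItemAdd", "arguments": {"acct": "session", "pdmn": "dk"}, "returnValue": -25299},
    {"method": "SecItemCopyMatching", "arguments": {"acct": "missing"}, "returnValue": -25300},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print("[%s] %s: %s (call returned %s)" % (f["severity"], f["method"],
                                                  f["message"], f["status"]))
    print("SecItemCopyMatching returned", decode_status(-25300))
```

The second sample record is the fail-open case from the earlier issue: no pdmn was passed, so a filter that only matches on present values never sees it, while this check reports the implicit kSecAttrAccessibleWhenUnlocked default. The third record shows why decoding the return value matters in the same report: a SecItemAdd that came back errSecDuplicateItem did not actually store anything, which changes how the finding should be read.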

NSLog -> OSLog

Seems this repository isn't maintained anymore, but it's worth to mention in case it will be at some point.
In iOS 10 and later there are no NSLogs displayed in the system log. So it would be nice to have a switch in settings to allow either NSLog or OSLog for logging.

Logging to db is unaffected.

Hook UIApplicationDelegate methods

In order to track calls to custom URL schemes registered by an application we need to hook

  • application:openURL:sourceApplication:annotation:
  • application:handleOpenURL: (if the previous is not implemented this will be called)

rand() hook crashes in 64-bit apps

I'm testing on:
iPad Air
iOS 7.1.2

Some apps crashed while using Introspy, some didn't. So I narrowed it down to the rand() hook and narrowed it down to 64-bit only. As an example, I am using Apple's SimpleURLConnections project and added this simple call NSLog(@"Calling C Rand() - %d", rand()); in -[GetController startReceive] method and it crashes when building the app for 64-bit. If built for 32-bit, it works just fine.

Went into replaced_rand() in hooks/LibCHooks.m and found that it crashes at the call to original_rand(). I logged the value of the original_rand() pointer and it isn't null.

I am not sure how to proceed here.

Here's the backtrace if it helps any.

* thread #1: tid = 0x0b0d, 0x0000000106497d38, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x106497d38)
    frame #0: 0x0000000106497d38
    frame #1: 0x0000000101a8001c
  * frame #2: 0x000000010006a180 URLConnect`-[GetController startReceive](self=0x0000000147d16120, _cmd=0x000000010009b8f6) + 20 at GetController.m:140
    frame #3: 0x000000010006bd64 URLConnect`-[GetController viewDidLoad](self=0x0000000147d16120, _cmd=0x000000018b8e3285) + 1264 at GetController.m:371
    frame #4: 0x000000018b5a6f50 UIKit`-[UINib instantiateWithOwner:options:] + 1616
    frame #5: 0x000000018b5a8b50 UIKit`-[NSBundle(UINSBundleAdditions) loadNibNamed:owner:options:] + 160
    frame #6: 0x000000018b49341c UIKit`-[UIApplication _loadMainNibFileNamed:bundle:] + 52
    frame #7: 0x000000018b2598d4 UIKit`-[UIApplication _runWithURL:payload:launchOrientation:statusBarStyle:statusBarHidden:] + 516
    frame #8: 0x000000018b1ed8b4 UIKit`-[UIApplication handleEvent:withNewEvent:] + 3316
    frame #9: 0x000000018b1ecab8 UIKit`-[UIApplication sendEvent:] + 104
    frame #10: 0x000000018b25902c UIKit`_UIApplicationHandleEvent + 672
    frame #11: 0x000000018ddc3504 GraphicsServices`_PurpleEventCallback + 676
    frame #12: 0x000000018ddc3030 GraphicsServices`PurpleEventCallback + 48
    frame #13: 0x00000001881e3040 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 56
    frame #14: 0x00000001881e2fa0 CoreFoundation`__CFRunLoopDoSource1 + 444
    frame #15: 0x00000001881e11c4 CoreFoundation`__CFRunLoopRun + 1620
    frame #16: 0x0000000188121dd0 CoreFoundation`CFRunLoopRunSpecific + 452
    frame #17: 0x000000018b2581b0 UIKit`-[UIApplication _run] + 784
    frame #18: 0x000000018b252fc4 UIKit`UIApplicationMain + 1156
    frame #19: 0x00000001000675d4 URLConnect`main(argc=1, argv=0x000000016fd9fc30) + 64 at main.m:61
    frame #20: 0x00000001951f3aa0 libdyld.dylib`start + 4

Custom hooks causing traced app to crash

I've created a custom hook to trace NSString's +stringWithFormat method. Seeing as there is no README or wiki post on how to do this, I followed the UIPasteboard hook. Here are the steps I have taken:

  1. Create an NSStringHooks.xm in the /hooks directory. That file looks like this.
  2. Added a method to PlistObjectConverter to convert NSString data. Those files look like this. Line 527 is the beginning of the implementation of +convertNSString:.
  3. Added the NSStringHooks to Tweak.xmi. That file looks like this. Line 159 is where I am initialising the NSStringHooks group.

When I run make package in the /src directory, a deb file is successfully created. I can SFTP that to my device and successfully run dpkg -i introspy.deb to install the custom build onto my device. But when I open an app for which I have enabled tracing, it crashes on launch.

Troubleshooting

  • I have removed the NSStringHooks tweak altogether, built it using make package and then installed it. That works fine. No crashes when launching a traced app.
  • I have added NSStringHooks back in (using the above steps), except I removed all tracing logic from NSStringHooks.xm. So all it was doing was intercepting the call and then passing it straight to the original method. This still causes a crash on the device.

I feel like I am missing a step, because I can't get my custom trace's toggle to show up under the Introspy Settings. The Introspy2.plist files seem to be generated by the make routine, so any changes I make there to add a toggle are overwritten.

Can any contributors see what I am missing in my setup of a custom hook?

Once I've got all this figured out, I'll create a concise list of steps and add it to the README/Wiki.
