Neuebits

A blog by Graham Smith

An Introduction to Cycript: Bypassing iPGMail's Lockscreen

I had promised myself earlier in the year I would find the time to learn more about reverse-engineering iOS applications. For convenience, I use iOS when capturing packets, and Android for static analysis, instrumentation, and swizzling. With a little post-Thanksgiving free time on my hands, I figured why not spend some of it playing around with Cycript.I thought I would write a simple introduction based off of my own first experience with Cycript.

I decided to target iPGMail, a PGP client for iOS that hides behind its own lockscreen.

I began by launching iPGMail, which prompted me for my previously established PIN in order to access the rest of the app. At this point, I tested to make sure that an invalid PIN would be rejected. Wanting to find the function call that performed this validation, I created a dump of the decrypted binary using Clutch iPGMail. Clutch is a tool to dump a decrypted binary for third-party apps. I then unzipped the resulting .IPA to a new folder with unzip iPGMail.ipa -d iPGMail.

From here, I used class-dump-z -H iPGMail/Payload/ipgmail.app/ipgmail -o iPGMailHeaders to dump the class headers to a new folder. Searching through the contents of the resulting headers, I discovered the function responsible for PIN validation (-(BOOL)checkPin:(id)pin) within iPGMailAppDelegate.h. I swizzled its message implementation by using cycript -p ipgmail to attach and iPGMailAppDelegate.messages['checkPin:'] = function() { return true; } to guarantee that any provided PIN would suffice.

Overall, Cycript is an extremely helpful tool to have around and is great for testing jailbreak tweaks among other things. Also, check out Frida. Both can be used without a jailbreak and I definitely see myself becoming a frequent user of these tools.