Created
July 1, 2024 17:48
-
-
Save omarzl/89bf82dd6113b08f6425770feb26da05 to your computer and use it in GitHub Desktop.
slack_debugging.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 1.- Download an unsigned IPA. I got it from https://decrypt.day | |
| # 2.- Create and download a provisioning profile in App Store Connect | |
| # 3.- Replace the bundle identifier in the Info.plist | |
| plutil -replace CFBundleIdentifier -string TEAMID.com.debugging.slack Slack.app/Info.plist | |
| # 4.- Get the entitlements from the original binary and save them to /path/to/entitlement.xml | |
| codesign -d --entitlements :/some/path/entitlement.xml Slack.app/Slack | |
| # 5.- Get the xml representation from the provisioning profile | |
| security cms -D -i "/path/to/provisioning_profile.mobileprovision" > /path/to/provisioning_profile.xml | |
| # Note: It is important that it has the entitlement "get-task-allow" so the debugger can attach to the app | |
| # 6.- Copies the entitlements from the provisioning profile xml | |
| xpath -e '//*[text() = "Entitlements"]/following-sibling::dict' /path/to/provisioning_profile.xml | pbcopy | |
| # 7.- Manually replace the entitlements into the file /path/to/entitlement.xml | |
| # 8.- Validate that the xml is correct | |
| plutil -convert xml1 /tmp/ent.xml | |
| # Now we are ready to re-sign the app with our certificate and custom entitlements. | |
| # 9.- Re-sign the frameworks with your certificate | |
| codesign -f -s "Apple Development: My Name (TEAMID)" Slack.app/Frameworks/* | |
| # 10.- Remove the Plugins directory so we don't need to generate provisioning profiles for them | |
| rm -rf Slack.app/Plugins | |
| # 11.- Re-sign the app with the new entitlements and your certificate | |
| codesign --entitlements /path/to/entitlement.xml -f -s "Apple Development: My Name (TEAMID)" Slack.app | |
| # 12.- Copy the app to your device using Xcode | |
| # 13.- Use Xcode to attach the debugger to the app | |
| # 14.- Run the following LLDB commands. First, I looked at the UI hierarchy: | |
| po [[[[UIWindow keyWindow] rootViewController] view] recursiveDescription] | |
| # Example output: | |
| # ... | |
| # <SlackKit.SKLabel: 0x147ebef20; frame = (0 24; 37.3333 22); userInteractionEnabled = NO; layer = <CALayer: 0x30094c480>> | |
| # | <UIView: 0x147ebf940; frame = (0 0; 37.3333 22); layer = <CALayer: 0x30089bee0>> | |
| # | | <UILabel: 0x147ebf4c0; frame = (0 0; 37.3333 22); text = 'General'; userInteractionEnabled = NO; backgroundColor = UIExtendedGrayColorSpace 0 0; layer = <_UILabelLayer: 0x302ce3d80>> | |
| # ... | |
| # 15.- I found out the labels use a custom view named SKLabel, so I used an existing object, in this case 0x147ebef20 | |
| # 16.- Using _methodDescription I looked for a method that I could use to inject my custom text | |
| po [0x147ebef20 _methodDescription] | |
| # Example output: | |
| # <SlackKit.SKLabel: 0x147ebef20>: | |
| # in SlackKit.SKLabel: | |
| # Properties: | |
| # @property (nonatomic, readonly) UIView* viewForFirstBaselineLayout; | |
| # @property (nonatomic, readonly) UIView* viewForLastBaselineLayout; | |
| # @property (nonatomic) BOOL userInteractionEnabled; | |
| # Instance Methods: | |
| # - (id) viewForFirstBaselineLayout; (0x103e44224) | |
| # - (BOOL) isUserInteractionEnabled; (0x103e44538) | |
| # - (void) layoutSubviews; (0x103e477e4) | |
| # ... | |
| # 17.- I used the method layoutSubviews as an intercepting point to change the text. Finally, I set the breakpoint to that address, and I run a command to get to the underlying UILabel and modify it. | |
| br set -a 0x103e477e4 -C "po [((NSArray *)[((NSArray *)[$x0 subviews])[0] subviews])[0] setText: @\"Omar\"]" -G1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment