Injecting Reveal With MobileSubstrate

Reveal is a cool prototyping tool allowing you to perform runtime inspection of an iOS application. At the moment, its functionality revolves primarily around user interface design, allowing you to manage user interface objects and their behavior. It is my hope that in the future, Reveal will expand to be a full-featured debugging tool, allowing pen-testers to inspect and modify instance variables in memory, instantiate new objects, invoke methods, and generally hack on the runtime of an iOS application. At the moment, it’s still a pretty cool user interface design aid. Reveal is designed to be linked with your project, meaning you have to have the source code of the application you want to inspect. This is a quick little instructional on how to link the Reveal framework with any existing application on your iOS device, so that you can inspect it without source.

The approach is very straightforward, and uses MobileSubstrate. If you don’t already have MS installed on your iOS device, install it through Cydia, or if you’re using the command-line, simply run:

# apt-get install mobilesubstrate

Once installed, you’ll need to copy the iOS framework over from Reveal. Right click on the app, and select Show Package Contents from the Finder menu. Navigate to Contents/SharedSupport/iOS-Libraries. Now copy the Reveal framework and the supporting library over to the phone using scp:

$ scp -r Reveal.framework root@x.x.x.x:/System/Library/Frameworks

$ scp libReveal.dylib root@x.x.x.x:/Library/MobileSubstrate/DynamicLibraries

As shown above, you’ll want to copy the libReveal.dylib library into the DynamicLibraries directory within /Library/MobileSubstrate, and stick the framework in its usual place inside /System/Library/Frameworks.

Now all you’ll need is a simple MS property list to specify which application(s) you want libReveal to inject into. I would advise against injecting Reveal into every application on the device, as it’s still in beta, and could potentially cause some issues. Create the file /Library/MobileSubstrate/DynamicLibraries/libReveal.plist and edit it with the following contents:

{ Filter = { Bundles = ( "com.yourdomain.yourapp" ); }; }

For example, if you wish to inject Reveal into Pandora, use:

{ Filter = { Bundles = ( "com.pandora" ); }; }

You can get the bundle identifier from the Info.plist file inside the application you are targeting. Once you’ve made this change, give SpringBoard a swift kick and run your application as normal. It should now show up on Reveal’s list. Make sure, of course, that your device is connected to your desktop machine.
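
Before restarting SpringBoard, it helps to confirm that the filter file parses and names only the bundle you intend. The following Python sketch is an added example, not code from the original post or from Reveal or MobileSubstrate; it parses the old-style property list syntax shown above, and the function name filter_bundles is hypothetical.

```python
import re

# Old-style plist tokens: quoted string, bare word, or one punctuation mark.
_TOKEN = re.compile(r'\s*("(?:[^"\\]|\\.)*"|[\w.$/:-]+|[{}()=;,])')

def _tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("unexpected character at offset %d" % pos)
        out.append(m.group(1))
        pos = m.end()
    return out

def _parse(tokens, i):
    tok = tokens[i]
    if tok == "{":                       # dictionary: key = value; ...
        d, i = {}, i + 1
        while tokens[i] != "}":
            key, i = _parse(tokens, i)
            if tokens[i] != "=":
                raise ValueError("expected '=' after key %r" % (key,))
            d[key], i = _parse(tokens, i + 1)
            if tokens[i] != ";":
                raise ValueError("expected ';' after value of %r" % (key,))
            i += 1
        return d, i + 1
    if tok == "(":                       # array: value, value, ...
        a, i = [], i + 1
        while tokens[i] != ")":
            item, i = _parse(tokens, i)
            a.append(item)
            if tokens[i] == ",":
                i += 1
        return a, i + 1
    if tok in ")}=;,":
        raise ValueError("unexpected %r" % tok)
    return tok.strip('"'), i + 1         # quoted or bare string

def filter_bundles(text):
    """Return the bundle IDs named by a MobileSubstrate filter plist."""
    tokens = _tokenize(text)
    try:
        root, end = _parse(tokens, 0)
    except (IndexError, TypeError):      # ran off the end, or a non-string key
        raise ValueError("plist is truncated or malformed")
    if end != len(tokens) or not isinstance(root, dict):
        raise ValueError("expected exactly one dictionary")
    return root.get("Filter", {}).get("Bundles", [])
```

Pass it the contents of libReveal.plist and compare the returned list with the bundle identifier from the target's Info.plist; a ValueError points at a missing semicolon, a truncated file, or typographic quotes picked up when pasting.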