
Memory Dumps

There are many applications and scripts available to dump the process memory. The easiest way is to use the Fridump tool.

fridump

Connect your iOS device to the Mac via the USB cable.

  1. Run frida-ps to get the exact name of the app you are testing.

    % frida-ps -Uai
  2. Run fridump against the mobile app.

    % python3 fridump.py -U 'AppName'
  3. This will dump all of the memory regions associated with the app. The files will be named something like 0x1a7400000_dump.data and will be binary files. You can run the strings command against these files, or instruct fridump to perform this step for you.

    Command options:

    -o <directory>   output directory for the dump files

    -s               automatically run the strings command against the output files

    -U               connect to the device over the USB cable

  4. The strings.txt file will also be stored in the output directory that was specified. Review that file for sensitive information.

Attack Vector

Be careful what you report from the memory dump. If an attacker gains physical access to a device that is not already jailbroken, they will not be able to read its memory contents: jailbreaking the device requires a complete restart, which clears any active memory pages.

Memory Search using Objection

If you want to search memory for a specific string, then you can use Objection. It will allow you to search memory, show you the offset address where the string was found, and then allow you to dump that information out.

% objection -g 'Example App' explore

exampleapp on (iPhone: 12.4) [usb] ## memory search steve --string
Searching for: 75 33 38 37 39 33 32
11179fb03 75 33 38 37 39 33 32 00 00 00 00 00 00 10 f4 99 steve.........
11179fb13 b2 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
11179fb23 00 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Pattern matched at 1 address
exampleapp on (iPhone: 12.4) [usb] #

If you want to dump the memory address where the data was found:

exampleapp on (iPhone: 12.4) [usb] ## memory dump from_base 0x11179fb03 1024 username.bin
Dumping 1.0 KiB from 0x11179fb03 to username.bin
Memory dumped to file: username.bin

exampleapp on (iPhone: 12.4) [usb] ## !strings username.bin
Running OS command: strings username.bin

steve
https://host.exampleapp.com/ExampleApp/ds/users/STEVE
content-type: application/json;charset=UTF-8

exampleapp on (iPhone: 12.4) [usb] #

Memory Dump -- Objection Style

Objection can also be used to dump all memory segments allocated to the running process. Keep in mind that this process sometimes kills the app when it accesses the memory segments.

exampleapp on (iPhone: 12.4) [usb] ## memory dump all appMemoryDump
Will dump 569 rw- images, totalling 859.6 MiB
Dumping 512.0 MiB from base: 0x280000000 [####################################] 100%
Memory dumped to file: appMemoryDump

exampleapp on (iPhone: 12.4) [usb] ## !ls appMemoryDump
Running OS command: ls appMemoryDump

appMemoryDump

exampleapp on (iPhone: 12.4) [usb] #

At this point, you can run strings against the output file (which will be in binary format) and review the information that it contains.

% strings appMemoryDump > appMemoryDump.txt

memscan

In some cases, the app under test may implement anti-Frida code that prevents the Frida client from attaching to the running process on the device. In that case, both fridump and Objection fail to dump memory, since both rely on Frida.

So, I have included memscan in the Jailbreak Utilities package, and it should be available at /jbutils/usr/bin/memscan on the device. Memscan is a memory scanner which uses mach_vm* to either dump memory from a process or search for a specific sequence of bytes.

iPhone:~ root# memscan
__ __ _______ __ __ _______ _______ _______ __ _
| |_| || || |_| || || || _ || | | |
| || ___|| || _____|| || |_| || |_| |
| || |___ | || |_____ | || || |
| || ___|| ||_____ || _|| || _ |
| ||_|| || |___ | ||_|| | _____| || |_ | _ || | | |
|_| |_||_______||_| |_||_______||_______||__| |__||_| |__|

Author: Grant Douglas (@Hexploitable)
Blog: https://hexplo.it
Version: 1.4-dirty

Usage:
-------
Verbose mode: -v
Dump memory to a file: memscan [-p <PID>] -d [-o <outputFile>]
Search memory for a sequence of bytes: memscan [-p <PID>] -s <INPUT_FILE>

Dump Process Memory with Memscan

The simplest thing to do is to dump the entire memory region of the process. This will be a fairly large, binary file that you will need to process using the 'strings' command. File sizes of 1.5 gigabytes are common with memscan.

In the example below, we will dump the memory regions of the application with PID 7388. You can use the 'ps' command on the device to get the correct PID for your specific application.

iPhone:~ root# memscan -p 7388 -d
__ __ _______ __ __ _______ _______ _______ __ _
| |_| || || |_| || || || _ || | | |
| || ___|| || _____|| || |_| || |_| |
| || |___ | || |_____ | || || |
| || ___|| ||_____ || _|| || _ |
| ||_|| || |___ | ||_|| | _____| || |_ | _ || | | |
|_| |_||_______||_| |_||_______||_______||__| |__||_| |__|

Author: Grant Douglas (@Hexploitable)
Blog: https://hexplo.it
Version: 1.4-dirty

Progress: 100%
Finished.
Dump written to: memscan_output_7388.bin

In this case, we did not specify the "-o" flag, so it used the default output file naming convention.

As mentioned before, and evident from the file extension, this is a binary file. So, use the strings command to process it to a readable version that you can then search.

iPhone:~ root# strings -n 6 memscan_output_7388.bin >> memscan7388.txt

iPhone:~ root# grep -Ei 'steve|P@ssw0rd' memscan7388.txt
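The "review the strings output for sensitive information" step (fridump's strings.txt, the Objection and memscan dumps processed with strings, and the grep above) can be scripted. The Python below is an added example, not part of this page and not code from fridump, Objection or memscan: it reimplements the `strings -n 6` rule over a raw dump region, runs a set of hypothetical triage patterns (bearer tokens, JWTs, password key/value pairs, e-mail addresses, Set-Cookie headers) against each string, and reports the file offset of each hit so it can be located again with xxd. The sample region is constructed for the example, and the pattern set is an assumption to be tuned for the app under test.

```python
import re
from pathlib import Path

# Hypothetical triage patterns (an assumption for this example; tune them per app).
PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "password_kv": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "cookie_header": re.compile(r"(?i)set-cookie:\s*\S+"),
}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return (offset, text) for each run of printable ASCII of at least min_len bytes,
    the same rule `strings -n 6` applies."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(data)]


def triage(strings: list) -> list:
    """Return (offset, label, matched_text) for every string that hits a pattern."""
    hits = []
    for offset, text in strings:
        for label, rx in PATTERNS.items():
            m = rx.search(text)
            if m:
                hits.append((offset, label, m.group()))
    return hits


def triage_dump_dir(dump_dir: Path, min_len: int = 6) -> dict:
    """Walk fridump-style <base>_dump.data files and return hits keyed by file name."""
    results = {}
    for path in sorted(Path(dump_dir).glob("*_dump.data")):
        results[path.name] = triage(extract_strings(path.read_bytes(), min_len))
    return results


# Constructed sample region (not real app memory): binary noise around a few strings.
SAMPLE_REGION = (
    b"\x00\x01\x02\xff" * 4                                    # 16 bytes of noise
    + b"GET /ExampleApp/ds/users/STEVE HTTP/1.1\x00"            # offset 16, benign
    + b"\x10\xf4\x99\xb2\x01\x00"
    + b"Authorization: Bearer "
    + b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdGV2ZSJ9.c2lnbmF0dXJl\x00"  # offset 62, constructed JWT
    + b"\x00" * 8
    + b"password=P@ssw0rd\x00"                                 # offset 147
    + b"ab\x00"                                                # too short to be a string
    + b"steve@example.com\x00"                                 # offset 168
)

if __name__ == "__main__":
    for off, label, text in triage(extract_strings(SAMPLE_REGION)):
        print(f"0x{off:08x}  {label:14s}  {text}")
```

Point `triage_dump_dir` at the fridump output directory to run the same triage over every region file; the offsets it reports are file offsets within each `<base>_dump.data` file, so adding the base address from the file name gives the address in the process.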

You can also search the binary file directly if you really want to, but the search string must be given in hexadecimal form. Use the xxd command to dump the hex output of the file.

iPhone:~ root# xxd memscan_output_7388.bin | grep '\x45\x78\x61\x6d\x70\x6c\x65\x41\x70\x70\x0a'

00dc0b00: 0057 656c 6c73 2046 6172 676f 2041 6476 .ExampleApp Adv
00dc0b20: 0057 656c 6c73 2046 6172 676f 2054 6865 .ExampleApp The
00dd01a0: 0057 656c 6c73 2046 6172 676f 2041 6476 .ExampleApp Adv
00ddf3e0: 0057 656c 6c73 2046 6172 676f 204d 6f62 .ExampleApp Mob

In the above example, I used the search string of \x45\x78\x61\x6d\x70\x6c\x65\x41\x70\x70\x0a which is hex for "ExampleApp". The output shows the offset in memory, and the strings.
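Grepping xxd output only matches a string that falls entirely inside one 16-byte row; a string that straddles a row boundary is split over two lines and missed, and a UTF-16 NSString (s.t.e.v.e.) never matches an ASCII needle at all. The Python below is an added example, not from this page and not code from memscan, Objection or fridump: it searches a raw dump file (memscan_output_<PID>.bin, an Objection dump or a fridump region file) for a string in both UTF-8 and UTF-16LE, reports addresses relative to a supplied base so they line up with the addresses Objection prints, and renders xxd-style context rows around each hit. The 64-byte region and the base address 0x11179fb00 are constructed for the example; `xxd_ascii_grep` is there only to show which hits the `xxd | grep` approach loses.

```python
from pathlib import Path


def base_from_fridump_name(name: str) -> int:
    """fridump names each region file after its base address, e.g. 0x1a7400000_dump.data."""
    return int(name.split("_", 1)[0], 16)


def needle_encodings(needle: str) -> dict:
    """Byte patterns to look for: UTF-8, plus UTF-16LE as NSString commonly holds text."""
    return {"utf-8": needle.encode("utf-8"), "utf-16le": needle.encode("utf-16-le")}


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in data (overlapping matches included)."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def search_dump(data: bytes, needle: str, base: int = 0) -> list:
    """Sorted (address, encoding) pairs, where address = base + file offset."""
    hits = []
    for enc, pat in needle_encodings(needle).items():
        hits.extend((base + off, enc) for off in find_all(data, pat))
    return sorted(hits)


def search_file(path: str, needle: str, base=None) -> list:
    """Search a dump file; for fridump region files the base is taken from the file name."""
    p = Path(path)
    if base is None:
        base = base_from_fridump_name(p.name) if p.name.endswith("_dump.data") else 0
    return search_dump(p.read_bytes(), needle, base)


def rows(data: bytes, start: int, length: int, base: int = 0, width: int = 16) -> list:
    """Split data[start:start+length] into (address, chunk) rows of `width` bytes."""
    end = min(start + length, len(data))
    return [(base + off, data[off:off + width]) for off in range(start, end, width)]


def format_row(addr: int, chunk: bytes, width: int = 16) -> str:
    """Render one row the way xxd does: address, hex bytes, printable-ASCII column."""
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"{addr:012x}  {hexpart:<{width * 3 - 1}}  {text}"


def context_rows(data: bytes, addr: int, base: int = 0, before: int = 16, after: int = 32) -> list:
    """xxd-style rows around a hit, aligned to 16-byte row boundaries."""
    off = addr - base
    start = (max(0, off - before) // 16) * 16
    return [format_row(a, c) for a, c in rows(data, start, (off + after) - start, base)]


def xxd_ascii_grep(data: bytes, needle: str, base: int = 0) -> list:
    """What `xxd file | grep needle` sees: only a needle wholly inside one row's ASCII column."""
    return [addr for addr, chunk in rows(data, 0, len(data), base) if needle.encode() in chunk]


# Constructed 64-byte region (not real app memory) at a constructed base address.
BASE = 0x11179fb00
_region = bytearray(64)
_region[13:18] = b"steve"                       # straddles the row boundary at offset 16
_region[32:42] = "steve".encode("utf-16-le")    # s.t.e.v.e. as a UTF-16 NSString stores it
SAMPLE = bytes(_region)

if __name__ == "__main__":
    for addr, enc in search_dump(SAMPLE, "steve", BASE):
        print(f"{enc}: pattern matched at {addr:#x}")
        print("\n".join(context_rows(SAMPLE, addr, BASE)))
    print("xxd | grep would report:", [hex(a) for a in xxd_ascii_grep(SAMPLE, "steve", BASE)])
```

Run against the sample, `search_dump` reports both the UTF-8 hit at 0x11179fb0d and the UTF-16LE hit at 0x11179fb20, while `xxd_ascii_grep` reports nothing: the first is split across two rows and the second has NUL bytes between its characters. For a memscan or Objection dump pass the base the tool printed (or 0 to get plain file offsets); for fridump files `search_file` reads the base out of the file name.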