competition-ios-runtime
Competition iOS Runtime
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive path runs through live iOS trust boundaries rather than static strings or plist values alone.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Preserve the original IPA, extracted bundle, and any decrypted or re-signed copy as separate artifacts.
- Start with Info.plist, entitlements, URL schemes, frameworks, Keychain usage, and local app storage before broad runtime hooks.
- Choose the narrowest runtime boundary that proves behavior: signer, trust evaluator, Keychain accessor, Objective-C or Swift method, or network request builder.
- Correlate static bundle evidence and live hook output before claiming the trust path is understood.
- Reproduce the accepted request, token, or gated branch from the smallest hook set.
Workflow
1. Static iOS Triage
- Map bundle structure, Info.plist, entitlements, URL schemes, universal links, embedded frameworks, and app group paths.
- Record likely trust boundaries: request signers, device binding, certificate checks, jailbreak checks, Keychain access, or local cache loading.
- Note whether sensitive logic sits in Objective-C, Swift, embedded frameworks, or a bundled web surface.
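The triage above, as an added example that is not part of the original skill: it parses Info.plist and the entitlements with plistlib and turns the keys that matter into a list of candidate hook points. Both plists are constructed sample data for a fictional bundle (com.example.ctfapp, team ABCDE12345, the domains and groups); real input is the bundle's Info.plist and the entitlements dumped from the main Mach-O, for example with codesign on macOS.

```python
"""Static iOS triage of Info.plist and entitlements before any runtime hook.

Added example (not from the original skill). The two plists are constructed
sample data for a fictional bundle, built with plistlib so the block runs
offline; plistlib.loads also reads binary (bplist00) plists unchanged.
"""
import plistlib

# Constructed sample Info.plist for a fictional app (all values are assumptions).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.ctfapp",
    "CFBundleExecutable": "CTFApp",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "com.example.ctfapp.auth",
         "CFBundleURLSchemes": ["ctfapp", "ctfapp-auth"]},
    ],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": False,
        "NSExceptionDomains": {
            "api.example.test": {"NSExceptionAllowsInsecureHTTPLoads": True},
            "cdn.example.test": {"NSIncludesSubdomains": True},
        },
    },
})

# Constructed sample entitlements for the same fictional app.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.ctfapp",
    "com.apple.developer.team-identifier": "ABCDE12345",
    "keychain-access-groups": ["ABCDE12345.com.example.ctfapp",
                               "ABCDE12345.com.example.shared"],
    "com.apple.security.application-groups": ["group.com.example.ctfapp"],
    "com.apple.developer.associated-domains": ["applinks:ctf.example.test",
                                               "webcredentials:ctf.example.test"],
})


def triage(info_plist: bytes, entitlements: bytes) -> dict:
    """Extract the keys that point at trust boundaries from both plists."""
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements)

    schemes = [s for t in info.get("CFBundleURLTypes", [])
               for s in t.get("CFBundleURLSchemes", [])]

    ats = info.get("NSAppTransportSecurity", {})
    insecure_http = sorted(
        domain for domain, cfg in ats.get("NSExceptionDomains", {}).items()
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"))

    applinks = [d.split(":", 1)[1]
                for d in ents.get("com.apple.developer.associated-domains", [])
                if d.startswith("applinks:")]

    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info.get("CFBundleExecutable"),
        "team_id": ents.get("com.apple.developer.team-identifier"),
        "url_schemes": schemes,
        "universal_link_domains": applinks,
        "ats_allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "ats_insecure_http_domains": insecure_http,
        "keychain_access_groups": ents.get("keychain-access-groups", []),
        "app_groups": ents.get("com.apple.security.application-groups", []),
    }


def trust_boundaries(t: dict) -> list:
    """Turn triage output into the candidate boundaries worth hooking next."""
    out = []
    if t["url_schemes"]:
        out.append("URL-scheme entry: hook the app delegate's application:openURL:options: "
                   "for schemes " + ", ".join(t["url_schemes"]))
    if t["universal_link_domains"]:
        out.append("universal-link entry: hook application:continueUserActivity:"
                   "restorationHandler: for " + ", ".join(t["universal_link_domains"]))
    if t["keychain_access_groups"]:
        out.append("Keychain: hook SecItemCopyMatching/SecItemAdd and filter on access groups "
                   + ", ".join(t["keychain_access_groups"]))
    if t["app_groups"]:
        out.append("shared storage: inspect the group containers for " + ", ".join(t["app_groups"]))
    if t["ats_allows_arbitrary_loads"] or t["ats_insecure_http_domains"]:
        out.append("ATS relaxed: plaintext HTTP is allowed, so any pinning lives in app code "
                   "(trust evaluator or URLSession delegate), not in ATS")
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_INFO_PLIST, SAMPLE_ENTITLEMENTS)
    for line in trust_boundaries(result):
        print("-", line)
```

Keep the dict returned by triage() with the bundle as evidence; it lists exactly the plist keys and entitlements that the "What To Preserve" section asks for, so the later hook logs can be tied back to them.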
2. Hook The Runtime Boundary
- Prefer hooking request builders, crypto helpers, trust evaluators, Keychain reads, or Objective-C selectors instead of broad UI handlers.
- Record plaintext inputs, headers, nonces, signed strings, and outputs at the boundary that changes server acceptance.
- Patch or bypass pinning or environment checks only enough to expose the real request path.
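The hooking step above, as an added example that is not part of the original skill and not Frida's own code. It uses the frida Python bindings to inject a script that records three boundaries named in the step: the NSMutableURLRequest header setter, SecItemCopyMatching in the Security framework, and an app-specific signer selector, each as one JSON line per call. APIRequestSigner and its selector are hypothetical stand-ins for whatever static triage found; the module name "Security" and the "acct" query key (kSecAttrAccount) are assumptions about the target. Attaching needs a jailbroken device running frida-server and the frida package; the two helper functions run offline.

```python
"""Hook the narrow runtime boundary with Frida and record each call as a JSON line.

Added example, not from the original skill. APIRequestSigner and its selector
are hypothetical; the Security module name and the 'acct' query key are
assumptions. record() needs a device with frida-server; the rest runs offline.
"""
import json
import sys
from typing import Optional

SIGNER_SELECTOR = "-[APIRequestSigner signedStringForMethod:path:body:nonce:timestamp:]"  # hypothetical

# JavaScript injected into the target process; send() ships one record per call.
HOOK_JS = r"""
'use strict';
function str(p) { return p.isNull() ? null : new ObjC.Object(p).toString(); }

// Header setter: the last point where the app still holds the values it signed.
const setHdr = ObjC.classes.NSMutableURLRequest['- setValue:forHTTPHeaderField:'];
Interceptor.attach(setHdr.implementation, {
  onEnter(args) {  // args[0]=self, args[1]=_cmd, args[2]=value, args[3]=field
    send({hook: '-[NSMutableURLRequest setValue:forHTTPHeaderField:]',
          field: str(args[3]), value: str(args[2])});
  }
});

// Keychain read: the account queried and, when kSecReturnData was set, the bytes returned.
const copyMatching = Process.getModuleByName('Security').findExportByName('SecItemCopyMatching');
Interceptor.attach(copyMatching, {
  onEnter(args) { this.query = new ObjC.Object(args[0]); this.result = args[1]; },
  onLeave(retval) {
    if (retval.toInt32() !== 0 || this.result.isNull()) return;  // errSecSuccess == 0
    const account = this.query.objectForKey_('acct');             // kSecAttrAccount
    const item = new ObjC.Object(this.result.readPointer());
    const rec = {hook: 'SecItemCopyMatching', account: account ? account.toString() : null};
    if (item.isKindOfClass_(ObjC.classes.NSData)) {
      const bytes = new Uint8Array(item.bytes().readByteArray(item.length()));
      rec.value_hex = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
    }
    send(rec);
  }
});

// App signer (hypothetical selector): plaintext inputs on entry, signature on exit.
const sel = '__SIGNER__';
const m = sel.match(/^-\[(\w+) (.+)\]$/);
Interceptor.attach(ObjC.classes[m[1]]['- ' + m[2]].implementation, {
  onEnter(args) { this.inputs = [2, 3, 4, 5, 6].map(i => str(args[i])); },
  onLeave(retval) {
    const [method, path, body, nonce, ts] = this.inputs;
    send({hook: sel, method, path, body, nonce, ts, result: str(retval)});
  }
});
"""


def hook_script(signer_selector: str = SIGNER_SELECTOR) -> str:
    """Fill the signer selector into the JavaScript template."""
    return HOOK_JS.replace("__SIGNER__", signer_selector)


def to_log_line(message: dict) -> Optional[str]:
    """Frida delivers send() payloads as {'type': 'send', 'payload': ...} and script
    errors as {'type': 'error', ...}; only the former becomes a hook record."""
    if message.get("type") != "send":
        return None
    return json.dumps(message["payload"], sort_keys=True)


def record(target: str, log_path: str, signer_selector: str = SIGNER_SELECTOR) -> None:
    """Attach to the running app over USB and append hook records to log_path."""
    import frida  # imported here so the offline helpers work without the package
    session = frida.get_usb_device().attach(target)
    script = session.create_script(hook_script(signer_selector))
    with open(log_path, "a", encoding="utf-8") as log:
        def on_message(message, _data):
            line = to_log_line(message)
            if line is not None:
                log.write(line + "\n")
                log.flush()
            elif message.get("type") == "error":
                print(message.get("stack", message), file=sys.stderr)
        script.on("message", on_message)
        script.load()
        input("Hooks are live: drive the gated flow in the app, then press Enter to detach. ")
    session.detach()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: hook_boundary.py <process name or pid> [log.jsonl]")
    record(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "hooks.jsonl")
```

Each record carries the hook name so the log can be filtered per boundary; the setter hook deliberately logs every header rather than only the signed ones, because which headers the server actually checks is not known until the replay step.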
3. Replay The Accepted Path
- Rebuild the smallest stateful sequence: local token, device identifier, request body, signature, headers, and trust checks.
- Keep hook logs, bundle paths, plist keys, and local storage artifacts tied to the same session or account state.
- If the task becomes mostly about transform recovery instead of iOS runtime, switch back to the broader crypto or mobile skill.
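The replay step above, as an added example that is not part of the original skill. It takes hook-log lines from a Keychain read, a signer selector and the header setter, checks that one assumed transform reproduces both the signer's return value and the header that was actually sent, and rebuilds the request with a fresh nonce and timestamp. The log lines are constructed; the APIRequestSigner selector, the api_hmac_key account, the X-Nonce/X-Timestamp/X-Signature headers and the HMAC-SHA256 over a newline-joined canonical string are assumptions for illustration, not any real app's scheme. When verify_capture() returns False, the transform is not the assumed one, which is the hand-off point to the crypto skill the last bullet describes.

```python
"""Replay the accepted request from the smallest hook set, with a reproducibility check.

Added example, not from the original skill. The hook log is constructed; the
signer selector, header names, key account and HMAC scheme are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time

KEYCHAIN_READ = "SecItemCopyMatching"
HEADER_SETTER = "-[NSMutableURLRequest setValue:forHTTPHeaderField:]"
SIGNER_SELECTOR = "-[APIRequestSigner signedStringForMethod:path:body:nonce:timestamp:]"  # hypothetical
KEY_ACCOUNT = "api_hmac_key"  # assumed kSecAttrAccount of the signing key


def canonical_string(method: str, path: str, body: str, nonce: str, ts: str) -> str:
    """Assumed signer input layout, read off the signer hook's argument order."""
    return "\n".join([method, path, body, nonce, ts])


def sign(key: bytes, canonical: str) -> str:
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def parse_hook_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def recover_signing_material(records: list) -> tuple:
    """Correlate the three hooks of one session into (key, signer record, headers)."""
    key, signer, headers = None, None, {}
    for r in records:
        if r["hook"] == KEYCHAIN_READ and r.get("account") == KEY_ACCOUNT:
            key = bytes.fromhex(r["value_hex"])
        elif r["hook"] == SIGNER_SELECTOR:
            signer = r
        elif r["hook"] == HEADER_SETTER:
            headers[r["field"]] = r["value"]
    if key is None or signer is None or "X-Signature" not in headers:
        raise ValueError("hook set incomplete: need Keychain key, signer inputs and X-Signature")
    return key, signer, headers


def verify_capture(records: list) -> bool:
    """True only if our HMAC reproduces both what the signer returned and what was sent.
    False means the transform is not the assumed one: that is transform recovery,
    so hand off to the crypto skill instead of adding more iOS hooks."""
    key, s, headers = recover_signing_material(records)
    expected = sign(key, canonical_string(s["method"], s["path"], s["body"], s["nonce"], s["ts"]))
    return expected == s["result"] == headers["X-Signature"]


def build_replay(records: list, body=None, nonce=None, ts=None) -> dict:
    """Rebuild the minimal stateful request with a fresh nonce/timestamp and signature."""
    key, s, headers = recover_signing_material(records)
    body = s["body"] if body is None else body
    nonce = nonce or secrets.token_hex(8)
    ts = ts or str(int(time.time()))
    headers = dict(headers)  # unsigned headers (e.g. User-Agent) stay exactly as captured
    headers.update({"X-Nonce": nonce, "X-Timestamp": ts,
                    "X-Signature": sign(key, canonical_string(s["method"], s["path"], body, nonce, ts))})
    return {"method": s["method"], "path": s["path"], "body": body, "headers": headers}


def sample_hook_log() -> str:
    """Constructed log, shaped like the JSON lines a Frida hook script would write."""
    key = bytes(range(32))  # constructed key, as if returned by the Keychain read
    sig = sign(key, canonical_string("POST", "/v1/stage", '{"stage":3}', "a1b2c3d4", "1700000000"))
    lines = [
        {"hook": KEYCHAIN_READ, "account": KEY_ACCOUNT, "value_hex": key.hex()},
        {"hook": SIGNER_SELECTOR, "method": "POST", "path": "/v1/stage", "body": '{"stage":3}',
         "nonce": "a1b2c3d4", "ts": "1700000000", "result": sig},
        {"hook": HEADER_SETTER, "field": "User-Agent", "value": "CTFApp/1.0"},
        {"hook": HEADER_SETTER, "field": "X-Nonce", "value": "a1b2c3d4"},
        {"hook": HEADER_SETTER, "field": "X-Timestamp", "value": "1700000000"},
        {"hook": HEADER_SETTER, "field": "X-Signature", "value": sig},
    ]
    return "\n".join(json.dumps(line) for line in lines)


if __name__ == "__main__":
    recs = parse_hook_log(sample_hook_log())
    print("capture reproducible:", verify_capture(recs))
    print(json.dumps(build_replay(recs), indent=2))
```

The check compares three values, not two: the recomputed signature, the signer's own return value, and the header finally set on the request. A mismatch between the last two means something between the signer and the request builder still transforms the value, which is a reason to hook one more boundary rather than to change the crypto assumption.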
Read This Reference
- Load references/ios-runtime.md for hook targets, storage checklist, and evidence packaging.
What To Preserve
- Bundle paths, entitlements, plist keys, selectors, class names, hook points, and header names
- Keychain items, local DB or plist paths, URL schemes, and app-group storage locations
- The smallest replayable request or branch that proves the iOS trust boundary