Updated for iOS 12.

Author: ivRodriguezCA

Module-1/README.md

@@ -7,10 +7,8 @@ _Note: If you need help jailbreaking your device, there are many resources onlin
 #### On your computer
 
 - Download the latest version of [iTunnel](https://code.google.com/archive/p/iphonetunnel-usbmuxconnectbyport/downloads): iTunnel will allow you to [SSH over USB](https://iphonedevwiki.net/index.php/SSH_Over_USB).
-- Download the latest version of [Clutch](https://github.com/KJCracks/Clutch/releases): Clutch will allow you to decrypt iOS applications on iOS < 10.0.
 - Download the latest version of [Cydia Impactor](http://www.cydiaimpactor.com/): Impactor will allow you install iOS applications on your device, signed with a developer account's certificate.
 - Download and install [Hopper](https://www.hopperapp.com/): Hopper is a reverse engineering tool that lets you disassemble, decompile and debug ARM applications, it supports other architectures but in this course I'll focus just on ARM-based binaries. The trial version is enough.
-- Download the latest version of [bfinject's](https://github.com/BishopFox/bfinject) `bfinject.tar`: bfinject will allow you to use `Cycript` and `Clutch` on iOS >= 11.0.
 - Download the latest version of [Cycript](http://www.cycript.org/): Cycript will allow you to modify the applications' behaviour at runtime via an interactive console.
 - Download the latest version of [Frida](https://www.frida.re/docs/ios/): Frida will allow you to write scripts to change the applications' behaviour at runtime.
     - To install `Frida`:
@@ -20,6 +18,15 @@ _Note: If you need help jailbreaking your device, there are many resources onlin
 - Download the latest version of [Bettercap](https://www.bettercap.org/installation/): Bettercap will allow you to perform MitM attacks remotely to a device.
 - Download the latest version of [class-dump-z](https://code.google.com/archive/p/networkpx/downloads): class-dump-z will allow you to dump Objc classes. There's a Swift version but you won't needed since my vulnerable app is written in Objc.
 - Download the latest version of [Ghidra](https://ghidra-sre.org/): Ghidra is another reverse engineering tool, which will let you do some of the same tasks as Hopper.
+  ##### If your device is on iOS 10.x
+  - Download the latest version of [Clutch](https://github.com/KJCracks/Clutch/releases): Clutch will allow you to decrypt iOS applications.
+
+  ##### If your device is on >= iOS 11
+  - Download the latest version of [bfinject's](https://github.com/BishopFox/bfinject) `bfinject.tar`: bfinject will allow you to use `Cycript` and `Clutch` to decrypt iOS applications.
+
+  ##### If your device is on iOS 12.x
+  - Download the latest version of [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump): `frida-ios-dump` will allow you to decrypt iOS applications and transfer them automatically to your computer.
+  - Install its dependencies `sudo pip install -r requirements.txt --upgrade`.
 
 #### On your device with iOS version < 11.0
 
@@ -47,7 +54,7 @@ In some cases a jailbreak tool for iOS < 11.0 might not come with a SSH client,
 
 If your device asks for a `root` password then it _already_ has SSH working, thus you can skip this step.
 
-#### On your device with iOS version >= 11.0
+#### On your device with iOS > 11
 
 - Connect your device to your computer.
 - On your computer, open a terminal window and run `iTunnel` with the following parameters:
@@ -82,6 +89,14 @@ If your device asks for a `root` password then it _already_ has SSH working, thu
     tar xvf bfinject.tar
     ```
 
+#### On your device with iOS 12.x
+- Open Cydia and search `frida` and install it:
+    - Tap the `Sources` tab.
+    - Add a source: `https://build.frida.re`
+    - Now you can go to the `Search` tab and search for `frida`.
+
+(*Note: Since I've only used the Unc0ver jailbreaks I don't know if you're jailbroken with [Chimera](https://chimera.sh/) and/or use `Sileo` as your package manager if you can install Frida.*)
+
 ### Conclusions
 
 - Now you should have a device ready to start reversing. Gladly you'll need to perform all these steps only once per device, even when you lose your jailbreak state if your device runs out of batter or restarts for whatever reason[^1]. Don't worry if you don't know some of these tools, in the following modules I'll explain what's their purpose and how to use them.

Module-2/README.md

@@ -31,7 +31,7 @@ _Note: In case you missed it, you'll only need a jailbroken device for this modu
     ```
 - Now you have a decrypted version of the app.
 
-#### If your device's iOS version >= 11.0
+#### If your device is on iOS 11.x
 - Download any application from the App Store.
 - Run `iTunnel` to forward your SSH traffic via USB:
     ```bash
@@ -61,6 +61,29 @@ _Note: In case you missed it, you'll only need a jailbroken device for this modu
     ```
 - Now you have a decrypted version of the app.
 
+#### If your device is on iOS 12.x
+- Download any application from the App Store.
+- Run `iTunnel` to forward your SSH traffic via USB:
+    ```bash
+    itnl --lport 2222 --iport 22
+    ```
+- On your computer, navigate to where you stored `frida-ios-dump`.
+  ```bash
+  cd ~/Downloads/frida-ios-dump/
+  ```
+- Edit `dump.py` to match your device's settings like root password (default is `alpine`) and SSH forwarding port (in this case it'd be `2222`).
+- List the installed applications by running:
+    ```bash
+    ./dump.py -l
+    ```
+- Copy the application's `Identifier`.
+- Decrypt the application by running:
+    ```bash
+    ./dump.py <identifier>
+    ```
+- You'll see the application will be launched on your device and then, if all goes well, you should have a `.ipa` bundle on the same directory where you ran the script.
+- Now you have a decrypted version of the app.
+
 #### Extra information
 
 To keep the step-by-step instructions as clean and straightforward as possible, I omitted some details in some steps. Here's some information that hopefully will clarify any doubts you may have:

Module-4/README.md

@@ -260,7 +260,7 @@ Since you need a jailbroken device for this exercise, I'm assuming you've been u
         ```
 - You have now an interactive console that you can use to send commands to the `CoinZa` application.
 
-**If your device's iOS version >= 11.0**
+**If your device is on iOS 11.x**
 - Run `iTunnel` to forward your SSH traffic via USB:
     ```bash
     itnl --lport 2222 --iport 22
@@ -298,6 +298,8 @@ Abort trap: 6
   cp /usr/local/Cellar/ruby\@2.0/2.0.0-p648_7/lib/libruby.2.0.0.dylib /usr/local/bin/Cycript.lib/
   ```
 
+  *Note: Haven't been able to get cycript/BFInject to work on iOS 12.x but runtime manipulation on Cycript can be done on Frida (see below).*
+
 **Any version of iOS**
 - Now that you have an interactive console via `Cycript` we can start by removing that annoying popup. First we are going to use the `choose` function to get all the instances of the `UIAlertController` class. The `choose` function reads the provided class signature and searches the memory for objects that have a similar signature and returns an array of all the objects it can find:
     ```bash