
On-Demand Training

iOS Reversing & Exploitation ARM64

98 lessons • 365-day access

$1950

Course Syllabus

89 Videos

18 Labs

40+ Hours of Content

Introduction to the Course

Introduction to the Course

Course Labs and Downloads

iOS Exploitation Labs Files

ARM64 Fundamentals

Video Links

Introduction to ARM64

ARM64 Registers

ARM64 Instructions

ARM64 Calling Conventions

iOS Syscalls

iOS Syscalls Demo

Memory Management (Load/Store)

iOS Internals, Anti-Debug Bypasses & Patching Apps

Video Links

Jailbreaking iOS

iOS Jailbreak Using Unc0ver

Setting up LLDB, SSH & Debugserver

iOS Architecture Filesystem and Sandboxing

iOS Security Model

Static Analysis of IPAs

LAB: Static Analysis of IPAs

SOLUTION: Static Analysis of IPA

Loading IPAs Onto Jailbroken iOS [Demo]

Jailbreak Protections Methods

LAB: Bypassing Jailbreak Protections

SOLUTION: Bypassing Jailbreak Protections

Anti-Debugging Protections on iOS

LAB: Anti-Debugging Ptrace Bypass

SOLUTION: Anti-Debugging Ptrace Bypass

LAB: Anti-Debugging In-line ASM Ptrace Bypass

SOLUTION: Anti-Debugging In-line ASM Ptrace Bypass

LAB: Patching iOS Applications

SOLUTION: Patching iOS Applications

Exploitation

Video Links

iOS Vulnerabilities Overview

Exploit Mitigations on iOS

Compiling Code for iOS Using Theos

Stack Overflows

Stack Overflow Calculating Runtime Address [Demo]

LAB: Stack Overflow

SOLUTION: Stack Overflow

Integer Overflow and Underflows

LAB: Integer Overflow

SOLUTION: Integer Overflow

LAB: Integer Underflow

SOLUTION: Integer Underflow

iOS Heap Exploitation

Video Links

Heap Overflow

LAB: Simple Heap Overflow

SOLUTION: Simple Heap Overflow

Use-After-Free and Heap Spraying

LAB: UAF Heap Spray

SOLUTION: UAF Heap Spray

iOS Kernel Heap

Heap Feng Shui / Grooming

LAB: Heap Feng Shui / Grooming

SOLUTION: Heap Feng Shui / Grooming

Constructing Real World JOP/ROP on iOS

Video Links

ROP Chains

LAB: Simple ROP Chain

SOLUTION: Simple ROP Chain

Finding ROP Gadgets in iOS Dylibs

JOP Chains

LAB: JOP Challenge

SOLUTION: JOP Challenge [Part 1]

SOLUTION: JOP Challenge [Part 2] - PREVIEW

SOLUTION: JOP Challenge [Part 3]

Stack Pivoting using ROP/JOP

LAB: Real World iOS JOP/ROP Stack Pivot

SOLUTION: Real World iOS JOP/ROP Stack Pivot

CVE-2021-30807 - OUT OF BOUNDS READ/WRITE

Video Links

CVE-2021-30807 Vulnerability Overview

iOS Symbolicated Kernelcache

iOS External Methods

Accessing iOS External Methods - PREVIEW

Out of Bounds Read/Write

Vulnerability Analysis

Kernelcache Source Code Analysis [Bug Demo]

LAB: PoC Trigger Construction

SOLUTION: PoC Trigger Construction

CVE-2020-27950 - KERNEL MEMORY LEAK

Video Links

CVE-2020-27950 Vulnerability Overview

Extracting IPSW

IDA Bindiff Export

Ghidra Bindiff Export

Diffing the iOS Kernelcaches

XNU Source Code Analysis

Mach Messages [Part 1]

Mach Messages [Part 2]

LAB: Mach Send & Receive

SOLUTION: Mach Send & Receive

Bug Analysis

LAB: Exploiting Kernel Leak

SOLUTION: Exploiting Kernel Leak

CVE-2021-30860 - FORCEDENTRY (NSO Zero-Click)

Video Links

CVE-2021-30860 Vulnerability Analysis

Setting Up A Debug Environment

Interacting with JBIG2

LAB: Building a PoC

LAB: Triggering the Overflow

Exploitation

Course Trainers


Trainer

Lina Lau (@InverseCos)

Founder of XINTRA, Lina is a security researcher, Black Hat trainer, SANS advisory board member and has presented at several international conferences and authored a book on cybersecurity. She currently holds the following certifications: GXPN, GASF, GREM, GCFA and OSCP.


Guest Trainer

Billy Ellis

Billy Ellis is an iOS security researcher focusing on kernel and userland vulnerability discovery. His professional career has involved various reverse engineering, vulnerability discovery and exploit development tasks on mobile platforms. He also has a history of providing training content in the form of YouTube videos and in-person trainings.

We’ve got you covered

Frequently Asked Questions

What tools are required for this course?

To follow along completely with this course, you will need:

  • An iOS device (iPhone 5S or later, NOT earlier) running iOS 14.0 or 14.1 (compatible with the unc0ver jailbreak, ARM64)

  • A computer (Mac or Windows) with Ghidra, IDA or Hopper installed

There are two options for the iOS device, a physical or a virtual phone:

Virtual iPhone: Sign up for the Corellium “Explorer” option. Make sure the device is running version 14.0 or 14.1. I am not affiliated with Corellium; I do not work for them and I am not sponsored, so please pass questions about Corellium to the Corellium team. https://www.corellium.com/pricing

Physical iPhone: You can use a physical iPhone (iPhone 5S or later) running version 14.0 or 14.1. Please DO NOT come with a different version, as the real-world exploits and the JOP/ROP section solutions and exploits may not affect those versions.

I use an iPhone 7 Plus running 14.1 for the course. On eBay, second-hand iPhones are going for around $80 USD. Please make sure your phone has the right iOS version.

What are the course prerequisites?

No prior knowledge of iOS or ARM64 is required. Students are required to have some prior knowledge of C.

How much content is in the course?

There are 84 videos and 18 labs. Lab content is over 40 hours; video content is over 11 hours.

Do you offer this course live?

Only to select customers. Please reach out to [email protected].

Do you offer discounts for corporate bulk purchases?

Yes, for large corporate groups we offer discounts on the sale price. Please email [email protected].

Do you issue certificates of completion?

Yes. Once you complete all the modules and mark all videos as complete, a certificate of completion will be generated.

How do I access the course invoice?

You can download your tax invoice by going to "Manage Account".

If the tax invoice requires more details, please email us at [email protected].
