This article outlines how to use runtime manipulation to dump the classes of an iOS application even while the application binary is still encrypted.
One big step in auditing or hacking an iOS application is viewing the binary's class information. This gives us a map of the hidden classes and methods defined in the compiled source. What do we do with that map? Because Cycript and MobileSubstrate let us control the underlying iOS APIs at runtime, we can replace those hidden methods, or the system functions they rely on, with whatever behaviour we want. Our previous iOS application hacking blog showed this used to defeat jailbreak detection: the developer's "isJailbroken" method was replaced with one that always returns false.
Usually we can dump a binary's class information with a tool called class-dump-z. In the last blog, that is where we found the boolean "isJailbroken" method.
In order to use class-dump-z, the application binary must be decrypted. At a low level, decrypting an iOS application means attaching GDB to the running process and dumping the now-decrypted segment of the binary out of memory after the device has decrypted it for us.
A small but inconvenient roadblock to this testing and peeking into the binary is a security-conscious developer who has built in anti-debugging techniques. These techniques (sometimes) prevent us from even attaching GDB to the process. There are other protection techniques that foil application decryption as well.
So in this scenario, how does one peek inside the binary at that class information with the app still encrypted?
The answer is Cycript.
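As an added example (not the article's own code), here is a Cycript session that reads the class information straight out of the running process, so the encrypted binary on disk never has to be dumped. The attach command, the app class prefix "ACME" and the class name "ACMEJailbreakChecker" are assumptions for illustration; the Objective-C runtime functions used are the standard ones Cycript exposes.

```cycript
// Added example (not from the original article): inspect an encrypted app's
// class information from inside the running process with Cycript.
// Attach first on the jailbroken device, e.g.:  cycript -p <AppBinaryName>
// Assumptions, not from the article: the app's classes share the prefix
// "ACME", and the class of interest is "ACMEJailbreakChecker".

var APP_PREFIX = "ACME";   // assumed prefix of the target app's own classes

// 1. List the classes the app itself defines, skipping system frameworks,
//    by filtering the runtime's class table on the assumed prefix.
function appClasses(prefix) {
    var names = [];
    for (var name in ObjectiveC.classes) {
        if (name.indexOf(prefix) == 0) {
            names.push(name);
        }
    }
    return names.sort();
}

// 2. Dump the selectors, type encodings and IMP addresses of one class.
//    With isa = true the metaclass is walked instead, which yields the
//    class (+) methods rather than the instance (-) methods.
function dumpMethods(className, isa) {
    var cls = objc_getClass(className);
    if (isa) cls = object_getClass(cls);      // metaclass holds class methods
    var count = new new Type("I");            // unsigned int * for the out-param
    var list = class_copyMethodList(cls, count);
    var out = [];
    for (var i = 0; i < *count; i++) {
        var m = list[i];
        out.push({
            selector: sel_getName(method_getName(m)),
            types: method_getTypeEncoding(m),
            imp: method_getImplementation(m)
        });
    }
    free(list);                               // class_copyMethodList mallocs
    free(count);
    return out;
}

// 3. Walk the superclass chain so inherited behaviour is visible too.
function classHierarchy(className) {
    var chain = [];
    for (var cls = objc_getClass(className); cls; cls = class_getSuperclass(cls)) {
        chain.push(class_getName(cls));
    }
    return chain;
}

// 4. Find live instances of a class on the heap, so the real methods can be
//    called against the app's own state instead of guessing arguments.
function liveInstances(className) {
    return choose(objc_getClass(className));
}

// Example session (assumed class names):
appClasses(APP_PREFIX);                       // the app's own classes
dumpMethods("ACMEJailbreakChecker");          // instance (-) methods
dumpMethods("ACMEJailbreakChecker", true);    // class (+) methods
classHierarchy("ACMEJailbreakChecker");       // class and its superclasses
liveInstances("ACMEJailbreakChecker");        // objects already allocated
```

Because Cycript is injected into the live process rather than attached as a debugger, the Mach-O on disk is never touched: the Objective-C runtime has already parsed the decrypted class metadata, so this view does not depend on defeating the binary's encryption, and ptrace-based anti-debugging that stops GDB from attaching generally does not stop it. Once a selector such as "isJailbroken" is identified this way, the same runtime can be used to replace its implementation, as in the previous post.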
Read more: http://h30499.www3.hp.com/t5/Application-Security-Fortify-on/Inspecting-Class-Information-at-runtime-for-Encrypted-iOS/ba-p/5929531