Enhancing iOS Debugging: Creating a Custom FLEX Loader to any 3rd party iOS application

0x0 What is FLEX debugger?

The FLEX Debugger is an impressive tool for debugging iOS applications, and it can be activated directly on your iOS device. You can find more details about it here: FLEX GitHub Repository.

This tool is especially useful for developing app tweaks. However, the official website doesn’t provide instructions for debugging third-party applications.

0x1 FLEXing or FLEXList?

Both of these tools are great and can load the FLEX Debugger into any iOS app. However, I found two major drawbacks:

  • They use an older version of the FLEX Debugger (version 4.7.0, as far as I know).
  • They become unusable if you can’t jailbreak your device.

That’s why I decided to create my own FLEX loader, which can be activated and injected into any iOS application.

0x2 Compiling FLEX

First, I cloned the FLEX repository and compiled it using Xcode without any issues. It generated a FLEX.framework folder, which can be linked in a tweak’s makefile like this:

autoflex_LDFLAGS += -framework FLEX -F../build

This works, but both the .deb file and the FLEX.framework folder need to be injected into the .ipa file, which isn’t ideal.

So, can we directly compile FLEX into our .deb file?

0x3 FLEX into deb

FLEX stores its source code in the Classes folder. To compile it, you’ll need to copy all the files and run the compilation. Here are a few issues you might encounter:

  • Use clang++ instead of clang, because FLEX contains C++ (Objective-C++ .mm) sources.
  • Compile every .m, .mm, and .c file, not just the Objective-C ones.
  • FLEX relies on several frameworks (UIKit, CoreGraphics, QuartzCore, ImageIO, WebKit, Security, SceneKit, AVFoundation, UserNotifications), and all of them must be linked.
  • Several warnings must be silenced (-Wno-deprecated-declarations, -Wno-strict-prototypes, -Wno-unsupported-availability-guard) for the build to succeed.

FLEXSwiftInternal.mm Issues

I was puzzled when FLEXSwiftInternal.mm gave me two errors, even though it compiled successfully in Xcode. The issue was caused by two lines involving atomic types. To fix this, I removed the atomic qualifiers in the file:

# macOS (BSD) sed: -i takes an empty backup suffix; GNU sed would use plain -i
FILE="src/FLEXSwiftInternal.mm"
# Replace "std::atomic<mask_t> _maybeMask;" with "mask_t _maybeMask;" on line 59
sed -i '' '59s/std::atomic<mask_t> _maybeMask;/mask_t _maybeMask;/' "$FILE"

# Replace "std::atomic<preopt_cache_t *> _originalPreoptCache;" with "preopt_cache_t * _originalPreoptCache;" on line 65
sed -i '' '65s/std::atomic<preopt_cache_t \*> _originalPreoptCache;/preopt_cache_t \* _originalPreoptCache;/' "$FILE"

After this fix, your .deb file will be ready!
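The four compilation points above and the FLEXSwiftInternal.mm fix can be scripted end to end. The script below is an added example, not code from the AutoFLEX repository: it stages the Classes tree, applies the two atomic-qualifier replacements by pattern instead of by line number (so a moved line in upstream FLEX fails loudly instead of silently patching the wrong line), and writes a Theos Makefile carrying the frameworks and warning flags listed above. The Makefile contents (TARGET, ARCHS, tweak name, -std=c++11) are my assumptions about the AutoFLEX layout, not the repository's actual Makefile.

```shell
#!/bin/sh
# Added example: stage FLEX sources, patch FLEXSwiftInternal.mm, emit a Theos Makefile.
set -eu

# Copy FLEX/Classes (all .m/.mm/.c files, subdirectories included) into the
# tweak's src/ directory. Theos picks up every file under src via find.
stage_flex_sources() {
    classes="$1"
    dst="$2"
    mkdir -p "$dst"
    cp -R "$classes"/. "$dst"/
}

# Drop the std::atomic qualifiers from the two offending declarations.
# Matching by text rather than by line number (59/65 in the original sed
# commands) keeps the fix valid when upstream edits shift lines, and the
# "exactly one match each" check fails the build instead of no-op'ing.
# Writing to a temp file sidesteps the BSD (-i '') vs GNU (-i) sed difference.
patch_atomic_qualifiers() {
    file="$1"
    n1=$(grep -c 'std::atomic<mask_t> _maybeMask;' "$file" || true)
    n2=$(grep -c 'std::atomic<preopt_cache_t \*> _originalPreoptCache;' "$file" || true)
    if [ "$n1" -ne 1 ] || [ "$n2" -ne 1 ]; then
        echo "patch_atomic_qualifiers: expected one match each in $file, got $n1/$n2" >&2
        return 1
    fi
    sed -e 's/std::atomic<mask_t> _maybeMask;/mask_t _maybeMask;/' \
        -e 's/std::atomic<preopt_cache_t \*> _originalPreoptCache;/preopt_cache_t * _originalPreoptCache;/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Emit a Theos Makefile with every source file, the nine frameworks FLEX
# needs, and the three silenced warnings. Theos compiles .mm files as
# Objective-C++; the clang++ point from the page matters when driving the
# compiler by hand.
write_makefile() {
    dir="$1"
    cat > "$dir/Makefile" <<'EOF'
# assumed target/arch/name for this example
TARGET := iphone:clang:latest:14.0
ARCHS = arm64
include $(THEOS)/makefiles/common.mk

TWEAK_NAME = AutoFLEX

# every .m, .mm and .c file staged from FLEX/Classes plus the loader itself
AutoFLEX_FILES = $(shell find src -name '*.m' -o -name '*.mm' -o -name '*.c')
AutoFLEX_CFLAGS = -fobjc-arc -Wno-deprecated-declarations -Wno-strict-prototypes -Wno-unsupported-availability-guard
AutoFLEX_CCFLAGS = -std=c++11
AutoFLEX_FRAMEWORKS = UIKit CoreGraphics QuartzCore ImageIO WebKit Security SceneKit AVFoundation UserNotifications

include $(THEOS_MAKE_PATH)/tweak.mk
EOF
}

# Stand-alone use: FLEX_CLASSES=/path/to/FLEX/Classes sh build_autoflex.sh
if [ -n "${FLEX_CLASSES:-}" ]; then
    stage_flex_sources "$FLEX_CLASSES" ./src
    patch_atomic_qualifiers "$(find ./src -name FLEXSwiftInternal.mm)"
    write_makefile .
fi
```

Running the patch function a second time on an already patched file returns non-zero, which is the behaviour you want in a CI job such as the GitHub Actions workflow described below: a changed upstream file surfaces as a failed step rather than as a .deb that crashes at load time.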

0x4 AutoFLEX

I created a GitHub repository to automate this process. With the GitHub Actions workflow in place, you get the latest version of FLEX compiled whenever you need it!

This .deb file cannot be installed directly: use Sideloadly or another .ipa editing tool to inject it into your .ipa, then install the modified .ipa on your device.