Frida Scripts
# Function Hook with Imagebase Offset
# Hook a func, BL manipulation with changed register x0
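// Hook a function located by image-base offset and zero x0 on entry.
// findBaseAddress() returns the ASLR-slid base of the DVIA-v2 image (or
// null when the module is not loaded); 0x1cbdd0 is an offset taken from the
// disassembler and is specific to this build of the binary.
var realBase = Module.findBaseAddress('DVIA-v2');
if (realBase === null) {
  // Fail with a clear message instead of a TypeError on .add() below.
  throw new Error('module DVIA-v2 not loaded');
}
console.log(realBase);
var jb_address = realBase.add('0x1cbdd0');
console.log(jb_address);
Interceptor.attach(jb_address, {
  onEnter: function (args) {
    // Overwrite x0 before the hooked instruction executes; args is unused
    // because the hook is placed mid-function, not on a call boundary.
    this.context.x0 = 0x0;
    console.log(JSON.stringify(this.context));
  }
});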
# ObjC examples
# enum classes
// Print the name of every Objective-C class the runtime exposes.
if (ObjC.available) {
  var registry = ObjC.classes;
  for (var name in registry) {
    console.log(name);
  }
}
# enum methods
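// Print the methods JailbreakDetection declares itself (not inherited ones).
if (ObjC.available) {
  var classname = "JailbreakDetection";
  var klass = ObjC.classes[classname];
  // NOTE(review): ObjC.classes appears to yield undefined for an unknown
  // class name — confirm on your Frida version; guarding here turns an
  // opaque TypeError into a readable message.
  if (klass === undefined) {
    console.log("class not found: " + classname);
  } else {
    console.log(klass.$ownMethods);
  }
}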
# hook ObjC func
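// Hook JailbreakDetection's isJailbroken and force its return value to 0.
// From a defender's view this is the lesson: a check that reduces to one
// boolean in one method is patched with one line. Checks that survive this
// are spread across several call sites, verify their own integrity, and
// move the decision to the server where possible.
if (ObjC.available) {
  var classname = "JailbreakDetection";
  var methodname = "isJailbroken";
  var target = ObjC.classes[classname];
  // NOTE(review): lookups through the ObjC proxies appear to yield undefined
  // when the class or method is absent — confirm on your Frida version.
  if (target === undefined || target[methodname] === undefined) {
    console.log("method not found: " + classname + " " + methodname);
  } else {
    Interceptor.attach(target[methodname].implementation, {
      onLeave: function (retval) {
        // retval wraps the raw return register; replace() rewrites it in place.
        retval.replace(ptr('0x0'));
        console.log('Return value : ' + retval);
      }
    });
  }
}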
# brute-force digit code
# against
# cmp x9,x8
# b.ne
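// Recover the digit code DVIA-v2 compares against. The hook sits on the
// `cmp x9,x8` / `b.ne` pair, where x8 holds the comparand, so each candidate
// i is compared with that register. Offset 0x15e3e4 is build-specific.
var realBase = Module.findBaseAddress('DVIA-v2');
if (realBase === null) {
  // Fail with a clear message instead of a TypeError on .add() below.
  throw new Error('module DVIA-v2 not loaded');
}
console.log("Base : " + realBase);
var hook = realBase.add('0x15e3e4');
console.log("Func : " + hook);
Interceptor.attach(hook, {
  onEnter: function (args) {
    // x8 is a NativePointer; the original `i == this.context.x8` only worked
    // because loose equality coerced its hex string form to a number.
    // Compare integers explicitly. The register does not change during
    // onEnter, so read it once.
    var expected = this.context.x8.toInt32();
    for (var i = 0; i < 10000; i++) {
      console.log("i: " + i + ", x8: " + this.context.x8);
      if (i === expected) {
        console.log("FOUND i: " + i);
        break;
      }
    }
  }
});
// frida -U DVIA-v2 -l bruteforce.js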
Frida Console : One-Two-Liners
# iOS Objective-C
// Enum Objective-C classes
-> for (var cls in ObjC.classes) console.log(cls)
// Enum Class Methods
-> ObjC.classes['func_name'].$ownMethods
// Return value check
-> var hook = ObjC.classes['LoginValidate']['IsLoginValidated'];
-> Interceptor.attach(hook.implementation, {\
-> onLeave: function(retval) { console.log(retval) } } )
// Return value change
-> var hook = ObjC.classes['LoginValidate']['IsLoginValidated'];
-> Interceptor.attach(hook.implementation, {\
-> onLeave: function(retval) { retval.replace(ptr('0x1')); } } )
// Get func with ghidra Imagebase Offset
-> var hook = Module.findBaseAddress('DVIA-v2').add('0x1bded4')
// Change register onEnter
-> Interceptor.attach(hook, {\
... onEnter: function (args) { this.context.x8 = 0x1; } })
# Side-Channel Data leakage
# PasteBoard
[iOS Device::DVIA-v2]-> ObjC.classes.UIPasteboard.generalPasteboard().string().toString()
참고할 iOS PATH
Containers
OS app or JB app PATH: /Applications
Bundle Container PATH: /var/containers/Bundle/Application/
Data Container PATH: /var/mobile/Containers/Data/Application/
iCloud Container PATH: /private/var/mobile/Library/Mobile Documents/
iOS Keychain PATH:/var/Keychains/keychain-2.db # use DB Browser on win
root user PATH:/var/root
BundleID:[Bundle Container]/name.App/Info.plist - CFBundleIdentifier
- $ frida -Ua
App Screenshot (Background): [Bundle Container]/Library/Caches/Snapshots (Deprecated)
Keystroke Log:/var/mobile/Library/Keyboard/en-dynamic.lm/ .dat
Cookies:[Data Container]/Library/Cookies/Cookies.binarycookies
- use BinaryCookieReader