frisky
Instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS. Most, if not all, recently tested on iOS 11.1.2 and macOS 10.12.6.
frida-url-interceptor.js - Intercepts all URLs of an iOS/macOS application, allowing you to trace and alter/intercept all network traffic, including https, per app before encryption and after decryption:
- iOS: open app of interest first, e.g. Safari
- macOS:
frida -U -n Safari -l frida-url-interceptor.js
- It will also display a popup window upon the first request in the iOS app to confirm code interception
ldid / ldid2 - When building recent iOS jailbreaks dependent on SHA256 signatures, ldid2
is required. This repo will allow you to easily compile ldid
and ldid2
for signing and modifying an iOS binary's entitlements, and thus jailbreaking a device.
- macOS:
ldid{2} -e MobileSafari
# to dump MobileSafari's entitlements - macOS:
ldid{2} -S cat
# to sign cat
Extract shared libraries used by apps not directly available on iOS filesystem for static analysis:
- Grab the patched dyld-210.2.3-patched (included in this repo) and run the custom dsc_extractor (you may need to compile from the xcodeproject) to dump iOS'
/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm*
into individual dylibs: - macOS:
mkdir -p dylibs && dyld-210.2.3-patched/launch-cache/dsc_extractor /path/to/copied/dyld_shared_cache_arm* dylibs
Frida:
Discover and modify library/framework function call arguments and return codes via- iOS: open app of interest first, e.g. Twitter
- macOS:
frida-trace -U -i "*tls*" Twitter
# hook all calls matching /tls/i for the Twitter app - macOS:
frida-trace -U -f com.atebits.Tweetie2 "-[* *SSL*]" -m "-[* *TLS*]"
# hook obj c calls - macOS: Now
__handlers__/libcoretls.dylib/tls_private_key_create.js
will be generated:onEnter
'sargs[2]
is first argument to the function- Extract string from first argument:
Memory.readUtf8String(args[2])
orObjC.Object(args[2]))
- Adjust args (bool: set true):
args[2] = ptr(1)
- Extract string from first argument:
onLeave
'sretval
is the return value- Print out retval:
log(retval.toInt32())
- Adjust retval:
retval.replace(0)
- Print out retval:
iOS - bypassing TLS certificate pinning / allow untrusted certs in Facebook SocketRocket
- macOS: frida-trace -U -f com.domain.app -m "-[* SSLCert]"
- macOS: update handlers/__SRWebSocket_initWithURLRequest_8e21c6e0.js:
onEnter: function (log, args, state) {
log('-[SRWebSocket initWithURLRequest:' + args[2] + ' protocols:' + args[3] + ' allowsUntrustedSSLCertificates:' + args[4] + ']')
args[4] = ptr(1) // set allowsUntrustedSSLCertificates = true
},
Sniff network traffic from (non-jailbroken/jailbroken) iOS device from your mac:
- macOS:
system_profiler SPUSBDataType|perl -n0e'`rvictl -s $1`if/iP(?:hone|ad):.*?Serial Number: (\S+)/s';sudo tcpdump -i rvi0
- standard tcpdump options/filters apply
dumpdecrypted.dylib:
Decrypt IPA (iOS apps)/Frameworks for static analysis via- iOS:
su mobile && mkdir -p ~/tmp && cd ~/tmp && DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/*/AppName.app/AppName
deviceconsole:
View system logs on iOS live using- macOS:
deviceconsole
- macOS:
unbuffer deviceconsole | grep something
# keeps pretty colors - requiresexpect
, can be installed viasudo port install expect
orbrew install expect
Electra: allow jailbroken Tweaks to appear in Settings:
- iOS:
mv /Library/TweakInject /Library/TweakInject.bak && ln -s /Library/MobileSubstrate/DynamicLibraries /Library/TweakInject && killall -HUP SpringBoard
Contact
Shaped by @SamyKamkar / https://samy.pl