If you are using Corellium, you will need to download the Frida release from https://github.com/frida/frida/releases (frida-gadget-[yourversion]-ios-universal.dylib.gz), unpack it, and copy it to the dylib location Frida asks for, e.g.: /Users/[youruser]/.cache/frida/gadget-ios.dylib
Once it is installed, run frida-ls-devices on your PC and check that the device appears (your PC needs to be able to access it).
Also run frida-ps -Uia to check the running processes of the phone.
Frida without Jailbroken device & without patching the app
With the Frida server installed and the device running and connected, check if the client is working:
```bash
frida-ls-devices # List devices
frida-ps -Uia # Get running processes
```
Frida Trace
```bash
# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle # Demangle names

# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"

## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"

# Plug-In
## To hook a plugin that is momentarily executed, prepare Frida indicating the ID of the plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'
```
```javascript
// frida -U <program> -l /tmp/script.js

var specificClass = "YourClassName";
var filterMethod = "filtermethod";

if (ObjC.available) {
    if (ObjC.classes.hasOwnProperty(specificClass)) {
        var methods = ObjC.classes[specificClass].$ownMethods;
        for (var i = 0; i < methods.length; i++) {
            // Print every method, or only those containing filterMethod when it is set
            if (!filterMethod || methods[i].includes(filterMethod)) {
                console.log(specificClass + ': ' + methods[i]);
            }
        }
    } else {
        console.log("Class not found.");
    }
} else {
    console.log("Objective-C runtime is not available.");
}
```
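Before pointing a broad `-m` pattern at a device, it helps to preview offline how many methods it would select from a class inventory dumped with `$ownMethods`. The following is an added example, not code from the original page or from Frida: it approximates the matching with case-sensitive `*` and `?` globs, and the class and method names in `SAMPLE` are constructed.

```javascript
// Added example: offline preview of what a frida-trace -m pattern selects.
// Approximation only (case-sensitive '*' and '?' globs), not Frida's resolver.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

// Split "<+|-|*>[ClassGlob methodGlob]" into its three parts.
function parsePattern(pattern) {
  const m = /^([+\-*])\[(\S+)\s+(\S+)\]$/.exec(pattern);
  if (!m) throw new Error("expected <+|-|*>[Class method], got: " + pattern);
  return { kind: m[1], cls: globToRegExp(m[2]), sel: globToRegExp(m[3]) };
}

// inventory maps class name -> array of "$ownMethods"-style strings
// such as "- selector:" (instance method) or "+ selector" (class method).
function selectMethods(pattern, inventory) {
  const p = parsePattern(pattern);
  const hits = [];
  for (const [cls, methods] of Object.entries(inventory)) {
    if (!p.cls.test(cls)) continue;
    for (const entry of methods) {
      const kind = entry[0];
      const sel = entry.slice(2);
      if ((p.kind === "*" || p.kind === kind) && p.sel.test(sel)) {
        hits.push(`${kind}[${cls} ${sel}]`);
      }
    }
  }
  return hits;
}

// Constructed inventory (hypothetical names), shaped like the script output above.
const SAMPLE = {
  NEDemoSession: ["- authenticationMethodForSession:", "- setAuthenticationToken:", "+ sharedSession"],
  NEDemoHelper: ["+ registerHelper:"],
  DemoLoginController: ["- authenticationDidFinish:"],
};

console.log(selectMethods("*[NE* *authentication*]", SAMPLE)); // narrow pattern
console.log(selectMethods("*[* *]", SAMPLE).length);           // hooks everything
```

Because the match is case-sensitive, `setAuthenticationToken:` is not selected by `*authentication*`; widen the pattern if such setters matter.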
Call a function
```javascript
// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>");
// Declare the function to call
const func = new NativeFunction(
    func_addr,
    "void", ["pointer", "pointer", "pointer"], {
});

var arg0 = null;

// In this case to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(func_addr, {
    onEnter: function(args) {
        arg0 = new NativePointer(args[0]);
    }
});

// Wait until a call to the func occurs
while (!arg0) {
    Thread.sleep(1);
    console.log("waiting for ptr");
}

var arg1 = Memory.allocUtf8String('arg1');
var txt = Memory.allocUtf8String('Some text for arg2');
func(arg0, arg1, txt);

console.log("loaded");
```
Frida Fuzzing
Frida Stalker
From the docs: Stalker is Frida’s code tracing engine. It allows threads to be followed, capturing every function, every block, even every instruction which is executed.
This is another example that attaches Frida Stalker every time a function is called:
```javascript
console.log("loading");
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>");
const wg_log = new NativeFunction(
    wg_log_addr,
    "void", ["pointer", "pointer", "pointer"], {
});

Interceptor.attach(wg_log_addr, {
    onEnter: function(args) {
        console.log(`logging the following message: ${args[2].readCString()}`);

        Stalker.follow({
            events: {
                // only collect coverage for newly encountered blocks
                compile: true,
            },
            onReceive: function (events) {
                const bbs = Stalker.parse(events, {
                    stringify: false,
                    annotate: false
                });
                console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n'));
            }
        });
    },
    onLeave: function(retval) {
        Stalker.unfollow();
        Stalker.flush(); // this is important to get all events
    }
});
```
This is interesting for debugging purposes, but for fuzzing, constantly calling .follow() and .unfollow() is very inefficient.
fpicker is a Frida-based fuzzing suite that offers a variety of fuzzing modes for in-process fuzzing, such as an AFL++ mode or a passive tracing mode. It should run on all platforms that are supported by Frida.
```bash
# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker

# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a

# Install fpicker
make fpicker-[yourOS] # fpicker-macos
# This generates ./fpicker

# Install radamsa (fuzzer generator)
brew install radamsa
```
Prepare the FS:
```bash
# From inside fpicker clone
mkdir -p examples/wg-log # Where the fuzzing script will be
mkdir -p examples/wg-log/out # For code coverage and crashes
mkdir -p examples/wg-log/in # For starting inputs

# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0
```
Fuzzer script (examples/wg-log/myfuzzer.js):
```javascript
// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js";

class WGLogFuzzer extends Fuzzer {

    constructor() {
        console.log("WGLogFuzzer constructor called")

        // Get and declare the function we are going to fuzz
        var wg_log_addr = Module.findExportByName("<Program name>", "<func name to fuzz>");
        var wg_log_func = new NativeFunction(
            wg_log_addr,
            "void", ["pointer", "pointer", "pointer"], {
        });

        // Initialize the object
        super("<Program name>", wg_log_addr, wg_log_func);
        this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"

        console.log("WGLogFuzzer in the middle");

        // Prepare the second argument to pass to the fuzz function
        this.tag = Memory.allocUtf8String("arg2");

        // Get the first argument we need to pass from a call to the function we want to fuzz
        var wg_log_global_ptr = null;
        console.log(this.wg_log_addr);
        Interceptor.attach(this.wg_log_addr, {
            onEnter: function(args) {
                console.log("Entering in the function to get the first argument");
                wg_log_global_ptr = new NativePointer(args[0]);
            }
        });

        while (!wg_log_global_ptr) {
            Thread.sleep(1)
        }
        this.wg_log_global_ptr = wg_log_global_ptr;
        console.log("WGLogFuzzer prepare ended")
    }

    // This function is called by the fuzzer with the first argument being a pointer into memory
    // where the payload is stored and the second the length of the input.
    fuzz(payload, len) {
        // Get a pointer to payload being a valid C string (with a null byte at the end)
        var payload_cstring = payload.readCString(len);
        this.payload = Memory.allocUtf8String(payload_cstring);

        // Debug and fuzz
        this.debug_log(this.payload, len);
        // Pass the 2 first arguments we know the function needs and finally the payload to fuzz
        this.target_function(this.wg_log_global_ptr, this.tag, this.payload);
    }
}

const f = new WGLogFuzzer();
rpc.exports.fuzzer = f;
```
Compile the fuzzer:
```bash
# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js
```
Run the fpicker fuzzer using radamsa:
```bash
# Tell fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/
```
In this case we aren't restarting the app or restoring the state after each payload. So, if Frida finds a crash, the next inputs after that payload might also crash the app (because the app is in an unstable state) even if the input shouldn't crash the app.
Moreover, Frida will hook into the exception signals of iOS, so when Frida finds a crash, iOS crash reports probably won't be generated.
To prevent this, for example, we could restart the app after each Frida crash.
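The effect of not restarting, and the replay-on-a-fresh-process check that filters it out, can be seen in a small simulation. This is an added example, not part of the original page or of fpicker: `SimulatedApp` is a constructed stand-in for the fuzzed process (it really crashes only on inputs longer than 16 bytes and stays unstable after any crash), and `INPUTS` is constructed.

```javascript
// Added example. SimulatedApp is a constructed stand-in for the fuzzed process:
// only long inputs really crash it, and after any crash it stays unstable
// (every later input "crashes") until it is restarted.
class SimulatedApp {
  constructor() { this.unstable = false; }
  restart() { this.unstable = false; }
  // Returns true when this input crashes the app in its current state.
  feed(input) {
    const crash = this.unstable || input.length > 16;
    if (crash) this.unstable = true;
    return crash;
  }
}

// Fuzz without restarting, as in the setup above: record every crashing input.
function fuzzWithoutRestart(app, inputs) {
  return inputs.filter((input) => app.feed(input));
}

// Replay each recorded crash alone on a freshly restarted app and keep only
// the inputs that still crash; the rest were side effects of earlier damage.
function confirmCrashes(app, crashes) {
  return crashes.filter((input) => {
    app.restart();
    return app.feed(input);
  });
}

// Constructed mutation sequence derived from the "Hello World" seed.
const INPUTS = ["Hello World", "Hello World".repeat(3), "Hello Wor", "HHello World"];

function demo() {
  const app = new SimulatedApp();
  const recorded = fuzzWithoutRestart(app, INPUTS);
  const confirmed = confirmCrashes(app, recorded);
  return { recorded, confirmed };
}

console.log(demo());
```

An input that only crashes after earlier inputs have changed the app's state will drop out of `confirmed`, so replay it together with its predecessors before discarding it.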
Logs & Crashes
You can use the macOS Console or the log CLI to check macOS logs.
You can also check the logs from iOS using idevicesyslog.
Some logs will omit information by replacing it with <private>. To show all the information, you need to install a profile from https://developer.apple.com/bug-reporting/profiles-and-logs/ to enable that private info.