iOS Frida Configuration

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

WhiteIntel

WhiteIntel ni injini ya kutafuta inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia ikiwa kampuni au wateja wake wamekuwa compromised na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.

Unaweza kuangalia tovuti yao na kujaribu injini yao kwa bure kwenye:

WhiteIntel

Installing Frida

Hatua za kufunga Frida kwenye kifaa kilichovunjwa:

Fungua programu ya Cydia/Sileo.
Nenda kwa Manage -> Sources -> Edit -> Add.
Ingiza "https://build.frida.re" kama URL.
Nenda kwenye chanzo kipya cha Frida kilichoongezwa.
Sakinisha pakiti ya Frida.

Ikiwa unatumia Corellium utahitaji kupakua toleo la Frida kutoka https://github.com/frida/frida/releases (frida-gadget-[yourversion]-ios-universal.dylib.gz) na kufungua na nakala kwenye eneo la dylib ambalo Frida inahitaji, mfano: /Users/[youruser]/.cache/frida/gadget-ios.dylib

Baada ya kufunga, unaweza kutumia kwenye PC yako amri frida-ls-devices na kuangalia kwamba kifaa kinaonekana (PC yako inahitaji kuwa na uwezo wa kukifikia). Tekeleza pia frida-ps -Uia kuangalia michakato inayoendesha ya simu.

Frida bila kifaa kilichovunjwa & bila kubadilisha programu

Angalia chapisho hili la blog kuhusu jinsi ya kutumia Frida kwenye vifaa visivyovunjwa bila kubadilisha programu: https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07

Frida Client Installation

Sakinisha frida tools:

pip install frida-tools
pip install frida

Na seva ya Frida imewekwa na kifaa kinaendesha na kuunganishwa, angalia ikiwa mteja unafanya kazi:

frida-ls-devices  # List devices
frida-ps -Uia     # Get running processes

Frida Trace

# Functions
## Trace all functions with the word "log" in their name
frida-trace -U <program> -i "*log*"
frida-trace -U <program> -i "*log*" | swift demangle # Demangle names

# Objective-C
## Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"

## Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"

# Plug-In
## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binary
frida-trace -U -W <if-plugin-bin> -m '*[* *]'

Pata madarasa na mbinu zote

Kukamilisha kiotomatiki: Tekeleza tu frida -U <program>

Pata madarasa yote yanayopatikana (chujio kwa nyuzi)

/tmp/script.js

// frida -U <program> -l /tmp/script.js

var filterClass = "filterstring";

if (ObjC.available) {
for (var className in ObjC.classes) {
if (ObjC.classes.hasOwnProperty(className)) {
if (!filterClass || className.includes(filterClass)) {
console.log(className);
}
}
}
} else {
console.log("Objective-C runtime is not available.");
}

Pata yote mbinu za darasa (chuja kwa nyuzi)

/tmp/script.js

// frida -U <program> -l /tmp/script.js

var specificClass = "YourClassName";
var filterMethod = "filtermethod";

if (ObjC.available) {
if (ObjC.classes.hasOwnProperty(specificClass)) {
var methods = ObjC.classes[specificClass].$ownMethods;
for (var i = 0; i < methods.length; i++) {
if (!filterMethod || methods[i].includes(filterClass)) {
console.log(specificClass + ': ' + methods[i]);
}
}
} else {
console.log("Class not found.");
}
} else {
console.log("Objective-C runtime is not available.");
}

Piga simu kwa kazi

// Find the address of the function to call
const func_addr = Module.findExportByName("<Prog Name>", "<Func Name>");
// Declare the function to call
const func = new NativeFunction(
func_addr,
"void", ["pointer", "pointer", "pointer"], {
});

var arg0 = null;

// In this case to call this function we need to intercept a call to it to copy arg0
Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
arg0 = new NativePointer(args[0]);
}
});

// Wait untill a call to the func occurs
while (! arg0) {
Thread.sleep(1);
console.log("waiting for ptr");
}


var arg1 = Memory.allocUtf8String('arg1');
var txt = Memory.allocUtf8String('Some text for arg2');
wg_log(arg0, arg1, txt);

console.log("loaded");

Frida Fuzzing

Frida Stalker

From the docs: Stalker ni injini ya kufuatilia ya Frida. Inaruhusu nyuzi kufuatwa, ikikamata kila kazi, kila block, hata kila amri inayotekelezwa.

Una mfano wa kutekeleza Frida Stalker katika https://github.com/poxyran/misc/blob/master/frida-stalker-example.py

Huu ni mfano mwingine wa kuunganisha Frida Stalker kila wakati kazi inaitwa:

console.log("loading");
const wg_log_addr = Module.findExportByName("<Program>", "<function_name>");
const wg_log = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});

Interceptor.attach(wg_log_addr, {
onEnter: function(args) {
console.log(`logging the following message: ${args[2].readCString()}`);

Stalker.follow({
events: {
// only collect coverage for newly encountered blocks
compile: true,
},
onReceive: function (events) {
const bbs = Stalker.parse(events, {
stringify: false,
annotate: false
});
console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n'));
}
});
},
onLeave: function(retval) {
Stalker.unfollow();
Stalker.flush();  // this is important to get all events
}
});

Hii ni ya kuvutia kutoka kwa madhumuni ya debugging lakini kwa fuzzing, kuwa na .follow() na .unfollow() kila wakati ni isiyofaa sana.

Fpicker

fpicker ni Frida-based fuzzing suite inayotoa aina mbalimbali za fuzzing modes kwa fuzzing ya ndani, kama vile hali ya AFL++ au hali ya kufuatilia isiyo ya moja kwa moja. Inapaswa kufanya kazi kwenye majukwaa yote yanayoungwa mkono na Frida.

Sakinisha fpicker & radamsa

# Get fpicker
git clone https://github.com/ttdennis/fpicker
cd fpicker

# Get Frida core devkit and prepare fpicker
wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz
# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz
tar -xf ./*tar.xz
cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a

# Install fpicker
make fpicker-[yourOS] # fpicker-macos
# This generates ./fpicker

# Install radamsa (fuzzer generator)
brew install radamsa

Andaa FS:

# From inside fpicker clone
mkdir -p examples/wg-log # Where the fuzzing script will be
mkdir -p examples/wg-log/out # For code coverage and crashes
mkdir -p examples/wg-log/in # For starting inputs

# Create at least 1 input for the fuzzer
echo Hello World > examples/wg-log/in/0

Fuzzer script (examples/wg-log/myfuzzer.js):

examples/wg-log/myfuzzer.js

// Import the fuzzer base class
import { Fuzzer } from "../../harness/fuzzer.js";

class WGLogFuzzer extends Fuzzer {

constructor() {
console.log("WGLogFuzzer constructor called")

// Get and declare the function we are going to fuzz
var wg_log_addr = Module.findExportByName("<Program name>", "<func name to fuzz>");
var wg_log_func = new NativeFunction(
wg_log_addr,
"void", ["pointer", "pointer", "pointer"], {
});

// Initialize the object
super("<Program nane>", wg_log_addr, wg_log_func);
this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super"

console.log("WGLogFuzzer in the middle");

// Prepare the second argument to pass to the fuzz function
this.tag = Memory.allocUtf8String("arg2");

// Get the first argument we need to pass from a call to the functino we want to fuzz
var wg_log_global_ptr = null;
console.log(this.wg_log_addr);
Interceptor.attach(this.wg_log_addr, {
onEnter: function(args) {
console.log("Entering in the function to get the first argument");
wg_log_global_ptr = new NativePointer(args[0]);
}
});

while (! wg_log_global_ptr) {
Thread.sleep(1)
}
this.wg_log_global_ptr = wg_log_global_ptr;
console.log("WGLogFuzzer prepare ended")
}


// This function is called by the fuzzer with the first argument being a pointer into memory
// where the payload is stored and the second the length of the input.
fuzz(payload, len) {
// Get a pointer to payload being a valid C string (with a null byte at the end)
var payload_cstring = payload.readCString(len);
this.payload = Memory.allocUtf8String(payload_cstring);

// Debug and fuzz
this.debug_log(this.payload, len);
// Pass the 2 first arguments we know the function needs and finally the payload to fuzz
this.target_function(this.wg_log_global_ptr, this.tag, this.payload);
}
}

const f = new WGLogFuzzer();
rpc.exports.fuzzer = f;

Kusanya fuzzer:

# From inside fpicker clone
## Compile from "myfuzzer.js" to "harness.js"
frida-compile examples/wg-log/myfuzzer.js -o harness.js

Piga fuzzer fpicker ukitumia radamsa:

# Indicate fpicker to fuzz a program with the harness.js script and which folders to use
fpicker -v --fuzzer-mode active -e attach -p <Program to fuzz> -D usb -o examples/wg-log/out/ -i examples/wg-log/in/ -f harness.js --standalone-mutator cmd --mutator-command "radamsa"
# You can find code coverage and crashes in examples/wg-log/out/

Katika kesi hii haturejeshi programu au kurejesha hali baada ya kila payload. Hivyo, ikiwa Frida itapata crash ingizo linalofuata baada ya payload hiyo linaweza pia kufanya programu ishindwe (kwa sababu programu iko katika hali isiyo thabiti) hata kama ingizo halipaswi kufanya programu ishindwe.

Zaidi ya hayo, Frida itashughulikia ishara za makosa za iOS, hivyo wakati Frida itakapopata crash, labda ripoti za makosa za iOS hazitazalishwa.

Ili kuzuia hili, kwa mfano, tunaweza kurejesha programu baada ya kila crash ya Frida.

Logs & Crashes

Unaweza kuangalia macOS console au log cli kuangalia log za macOS. Unaweza pia kuangalia log kutoka iOS kwa kutumia idevicesyslog. Baadhi ya log zitakosa taarifa kwa kuongeza <private>. Ili kuonyesha taarifa zote unahitaji kufunga profaili kutoka https://developer.apple.com/bug-reporting/profiles-and-logs/ ili kuwezesha hiyo taarifa ya kibinafsi.

Ikiwa hujui cha kufanya:

vim /Library/Preferences/Logging/com.apple.system.logging.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Enable-Private-Data</key>
<true/>
</dict>
</plist>

killall -9 logd

You can check the crashes in:

iOS
Mipangilio → Faragha → Takwimu na Maboresho → Takwimu za Uchambuzi
/private/var/mobile/Library/Logs/CrashReporter/
macOS:
/Library/Logs/DiagnosticReports/
~/Library/Logs/DiagnosticReports

iOS inahifadhi tu ajali 25 za programu moja, hivyo unahitaji kusafisha hiyo au iOS itasitisha kuunda ajali.

Frida Android Tutorials

Frida Tutorial

References

https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida

WhiteIntel

WhiteIntel ni injini ya utafutaji inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia kama kampuni au wateja wake wamekuwa kuyumbishwa na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na kuchukuliwa kwa akaunti na mashambulizi ya ransomware yanayotokana na malware ya kuiba taarifa.

You can check their website and try their engine for free at:

WhiteIntel

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousiOS Extracting Entitlements From Compiled Application NextiOS Hooking With Objection

Last updated 7 days ago