Red Teaming
Malware Analysis
IoT / Reverse / Firmware
Resources
Recommended Toolkits and Scripts
The Raptor scripts by 0xdea (Marco Ivaldi) are an excellent starting point for a base script. The 'trace' line of scripts provide prebuilt method hooking functions which greatly simplify the hooking process. There are both Android and iOS variants available. If you browse to the bottom of any of these scripts, you will see some commented out examples of how to use these scripts, included here for quick reference:
android_trace.js
android_enum.js
ios_trace.js
ios_enum.js
1
// usage examples
2
setTimeout(function() { // avoid java.lang.ClassNotFoundException
3
​
4
Java.perform(function() {
5
​
6
// trace("com.target.utils.CryptoUtils.decrypt");
7
// trace("com.target.utils.CryptoUtils");
8
// trace("CryptoUtils");
9
// trace(/crypto/i);
10
// trace("exports:*!open*");
11
​
12
});
13
}, 0
Copied!
1
// usage examples
2
setTimeout(function() { // avoid java.lang.ClassNotFoundException
3
​
4
Java.perform(function() {
5
​
6
// enumerate all classes
7
/*
8
var a = enumAllClasses();
9
a.forEach(function(s) {
10
console.log(s);
11
});
12
*/
13
​
14
// find classes that match a pattern
15
/*
16
var a = findClasses(/password/i);
17
a.forEach(function(s) {
18
console.log(s);
19
});
20
*/
21
​
22
// enumerate all methods in a class
23
/*
24
var a = enumMethods("com.target.app.PasswordManager")
25
a.forEach(function(s) {
26
console.log(s);
27
});
28
*/
29
​
30
});
31
}, 0);
Copied!
1
// usage examples
2
if (ObjC.available) {
3
​
4
// trace("-[CredManager setPassword:]");
5
// trace("*[CredManager *]");
6
// trace("*[* *Password:*]");
7
// trace("exports:libSystem.B.dylib!CCCrypt");
8
// trace("exports:libSystem.B.dylib!open");
9
// trace("exports:*!open*");
10
11
} else {
12
send("error: Objective-C Runtime is not available!");
13
}
Copied!
1
// usage examples
2
if (ObjC.available) {
3
​
4
// enumerate all classes
5
/*
6
var a = enumAllClasses();
7
a.forEach(function(s) {
8
console.log(s);
9
});
10
*/
11
​
12
// find classes that match a pattern
13
/*
14
var a = findClasses(/password/i);
15
a.forEach(function(s) {
16
console.log(s);
17
});
18
*/
19
​
20
// enumerate all methods in a class
21
/*
22
var a = enumMethods("PasswordManager")
23
a.forEach(function(s) {
24
console.log(s);
25
});
26
*/
27
​
28
// enumerate all methods
29
/*
30
var d = enumAllMethods();
31
for (k in d) {
32
console.log(k);
33
d[k].forEach(function(s) {
34
console.log("\t" + s);
35
});
36
}
37
*/
38
​
39
// find methods that match a pattern
40
/*
41
var d = findMethods(/password/i);
42
for (k in d) {
43
console.log(k);
44
d[k].forEach(function(s) {
45
console.log("\t" + s);
46
});
47
}
48
*/
49
​
50
} else {
51
send("error: Objective-C Runtime is not available!");
52
}
Copied!
Once one of these scripts is loaded into a REPL session, you can access the
trace methods directly from the REPL. Alternatively, you may add them directly to the raptor script. Remember, making changes to a script while it is loaded will cause Frida to reload that script.frida-awesome
Another great resource for scripts is "frida-awesome", a repo maintained by David Weinstein at NowSecure containing a large number of links that include: talks, papers, videos, blog posts,
GitHub - dweinstein/awesome-frida: Awesome Frida - A curated list of Frida resources http://www.frida.re/ (https://github.com/frida/frida)
GitHub
Root Android device
- Rename .apk to .zip
- adb.exe push magisk.zip to /sdcard
- Activate Developer settings, (i): enable: Advanced reboot; (ii) disable update recovery with system updates. After that, select reboot mode, and the TWRP app starts.
- Restart Android device "recovery mood"
- Install magisk via TWRP
- Open Magisk and update it if necessary
- Use Root Checker or Super#SU app to check if the device is rooted!
​
Bonus: Install lineage OS ;)
LineageOS Downloads
iOS
Can I Jailbreak? - Home
checkra1n
checkra1n
​
​
Others
0x01-Foreword
Mobile Security Testing Guide
frida
Android Reversing with Frida for Examiners
​
Last modified 9mo ago
Copy link