# Frida instrumentation

## Frida trace and memory patch

Trace a specific **MODULE!OFFSET** (a function identified by its module name and its offset inside that module, the form frida-trace accepts with `-a`):

```
frida_venv-14.2.18\Scripts\frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'Myxxx!0x100000'
```

If you run into trouble, use the Passionfruit console to obtain the trace together with the offsets, then analyze those offsets in IDA or Ghidra ;)

![](/files/-Mf4Vvf_l3lM3uX3BrR7)

![](/files/-Mf4WWOy_Jn90K1-MgQP)

{% hint style="success" %}
**Tip:** press **G** (jump to address) in IDA and paste the offset from the trace entry, e.g. **My xxxxx!0x16e794**. IDA loads the binary at `0x100000000`, so the trace offset `0x16e794` is `0x10016e794` in the IDA listing.
{% endhint %}

![](/files/-Mf4VeQP_akRzsE2Esrz)

Or use the frida-trace utility to instrument the execution and edit the generated `.js` handler in the `__handlers__` folder (frida-trace creates it on the first run; its `onEnter`/`onLeave` callbacks decide what gets logged).

```
frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'My xxxxx!0x16e794'
```

After that, you can patch your IPA in memory from **0x10016E790** to **0x10016E7AC**: eight 4-byte instructions (32 bytes). The IDA addresses include the `0x100000000` image base, so the runtime offset inside the module is `0x16e790`.

```
/*
__text:000000010016E78C                 BL              sub_1001DC3DC
__text:000000010016E790                 BL              sub_100361F34
__text:000000010016E794                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E798                 BL              sub_100362240
__text:000000010016E79C                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E7A0                 BL              sub_100362370
__text:000000010016E7A4                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E7A8                 BL              sub_100362548
__text:000000010016E7AC                 TBZ             W0, #0, loc_10016E934
*/

// Name of the app's main Mach-O module (elided on this page; use the real one).
var moduleName = "My xxxx";
var base = Module.findBaseAddress(moduleName);
console.log("[*] " + moduleName + " base address: " + base);

// IDA shows 0x10016E790; at runtime that is base + (0x10016E790 - 0x100000000).
var addr = base.add(0x16e790);
var count = 8;          // instructions from 0x10016E790 to 0x10016E7AC inclusive
var size = count * 4;   // every AArch64 instruction is 4 bytes

// Memory.patchCode makes the range writable for the duration of the callback and
// flushes the instruction cache afterwards. It is the supported way to patch code
// on iOS, where Memory.protect(addr, size, "rwx") is usually refused.
Memory.patchCode(addr, size, function (code) {
    var writer = new Arm64Writer(code, { pc: addr });
    for (var i = 0; i < count; i++) {
        writer.putNop();
    }
    writer.flush();
});
console.log("[+] NOPed " + size + " bytes at " + addr);
```

Run it.

```
frida -U -f 'com.xxxx.xxxx.xxxxx' -l frida.js --no-pause
```
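Before NOPing a range blindly it pays to check that the bytes at the target are the ones you reversed, otherwise a different build of the app gets a 32-byte hole in the wrong place. The following is an added example (not code from the original page): it turns the IDA listing above into a patch plan, re-encodes the eight original instructions so they can be compared against memory, and only then writes through `Memory.patchCode`. It assumes an arm64 iOS Mach-O that IDA loads at `0x100000000` (which the page's own addresses confirm: `0x10016E794` in IDA is offset `0x16e794` in the trace); `"My xxxx"` is the page's placeholder module name. Outside Frida (plain Node) the Frida-specific part is skipped and only the planning and encoding run.

```javascript
// Added example: plan and verify the in-memory patch from the IDA listing above.
// Assumption: arm64 iOS Mach-O loaded by IDA at 0x100000000 (__PAGEZERO).
const IMAGE_BASE = 0x100000000;

// Runtime offset (the OFFSET part of frida-trace's MODULE!OFFSET) of an IDA address.
function vaToOffset(va) {
  if (va < IMAGE_BASE) throw new Error('address 0x' + va.toString(16) + ' is below the image base');
  return va - IMAGE_BASE;
}

// AArch64 encoders; every instruction is a 4-byte little-endian word.
const NOP = 0xd503201f;

// B (link=false) or BL (link=true) to target; PC-relative, imm26 counted in words.
function encodeB(pc, target, link) {
  const imm26 = (target - pc) / 4;
  if (!Number.isInteger(imm26) || imm26 < -(1 << 25) || imm26 >= (1 << 25)) {
    throw new Error('branch out of range');
  }
  return ((link ? 0x94000000 : 0x14000000) | (imm26 & 0x03ffffff)) >>> 0;
}

// TBZ (nonzero=false) / TBNZ (nonzero=true) Wt, #bit, target; imm14 counted in words.
function encodeTbz(pc, target, rt, bit, nonzero) {
  const imm14 = (target - pc) / 4;
  if (bit < 0 || bit > 31 || !Number.isInteger(imm14) || imm14 < -(1 << 13) || imm14 >= (1 << 13)) {
    throw new Error('test-bit branch out of range');
  }
  return ((nonzero ? 0x37000000 : 0x36000000) | (bit << 19) | ((imm14 & 0x3fff) << 5) | (rt & 0x1f)) >>> 0;
}

function wordsToBytes(words) {
  const out = new Uint8Array(words.length * 4);
  words.forEach((w, i) => {
    out[i * 4] = w & 0xff;
    out[i * 4 + 1] = (w >>> 8) & 0xff;
    out[i * 4 + 2] = (w >>> 16) & 0xff;
    out[i * 4 + 3] = (w >>> 24) & 0xff;
  });
  return out;
}

// Patch plan: NOP every instruction from startVa to endVa inclusive.
function nopRange(startVa, endVa) {
  if (startVa % 4 !== 0 || endVa % 4 !== 0 || endVa < startVa) throw new Error('bad range');
  const count = (endVa - startVa) / 4 + 1;
  return { offset: vaToOffset(startVa), count, bytes: wordsToBytes(new Array(count).fill(NOP)) };
}

// The eight instructions from the IDA listing, re-encoded so the patch can refuse to
// run when the bytes at that offset differ (different build, wrong module).
function expectedOriginalWords() {
  return [
    encodeB(0x10016e790, 0x100361f34, true),          // BL   sub_100361F34
    encodeTbz(0x10016e794, 0x10016e7b0, 0, 0, true),  // TBNZ W0, #0, loc_10016E7B0
    encodeB(0x10016e798, 0x100362240, true),          // BL   sub_100362240
    encodeTbz(0x10016e79c, 0x10016e7b0, 0, 0, true),  // TBNZ W0, #0, loc_10016E7B0
    encodeB(0x10016e7a0, 0x100362370, true),          // BL   sub_100362370
    encodeTbz(0x10016e7a4, 0x10016e7b0, 0, 0, true),  // TBNZ W0, #0, loc_10016E7B0
    encodeB(0x10016e7a8, 0x100362548, true),          // BL   sub_100362548
    encodeTbz(0x10016e7ac, 0x10016e934, 0, 0, false), // TBZ  W0, #0, loc_10016E934
  ];
}

// Under Frida: compare memory with the expected words, then write via Memory.patchCode
// (which handles W^X on iOS). Outside Frida (no Module/Memory globals) returns false.
function applyInFrida(moduleName, plan, expectedWords) {
  if (typeof Module === 'undefined' || typeof Memory === 'undefined') return false;
  const base = Module.findBaseAddress(moduleName);
  if (base === null) throw new Error('module not loaded: ' + moduleName);
  const addr = base.add(plan.offset);
  expectedWords.forEach((w, i) => {
    const have = addr.add(i * 4).readU32();
    if (have !== w) throw new Error('unexpected word at ' + addr.add(i * 4) + ': 0x' + have.toString(16));
  });
  Memory.patchCode(addr, plan.bytes.length, function (code) {
    code.writeByteArray(plan.bytes.buffer);
  });
  return true;
}

// Usage: the page's patch, 0x10016E790..0x10016E7AC. "My xxxx" is the page's placeholder.
const pagePlan = nopRange(0x10016e790, 0x10016e7ac);
console.log('NOP ' + pagePlan.count + ' instructions at offset 0x' + pagePlan.offset.toString(16));
if (applyInFrida('My xxxx', pagePlan, expectedOriginalWords())) console.log('[+] patched');
```

Load it with `frida -U -f <bundle id> -l patch.js --no-pause` after replacing the module name; if the comparison throws, the binary in memory is not the build you reversed, and the offsets need to be redone before anything is written.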

## Jailbreak detector + bypass

To find out which functions perform the jailbreak detection, you can use this script from the Frida CodeShare repository:

{% embed url="https://codeshare.frida.re/@lichao890427/jailbreak-detect-trace/" %}

```
frida -U --codeshare lichao890427/jailbreak-detect-trace -f 'com.xxx.xxx.xxx' --no-pause
```

![](/files/-Mf53mKac3OaUAGSEj2Q)

After that, you can apply the same steps as above: reverse the detection function and patch it in memory. :sunglasses:

Alternatively, you can try this script to bypass the jailbreak detection. It hooks every Objective-C method whose selector contains `jail`, `fileExistsAtPath:` for a list of known jailbreak artifacts, and `canOpenURL:` for `cydia` URLs, and forces each of them to return NO:

```
/*
 * usage: frida -l bypass-jailbreak.js -Uf com.foo.bar
 */

// Filesystem artifacts that jailbreak checks commonly look for. A hooked
// fileExistsAtPath: call for any of these is forced to return NO.
var paths = [
    "/etc/apt",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/Applications/Cydia.app",
    "/Applications/blackra1n.app",
    "/Applications/FakeCarrier.app",
    "/Applications/Icy.app",
    "/Applications/IntelliScreen.app",
    "/Applications/MxTube.app",
    "/Applications/RockApp.app",
    "/private/var/lib/apt/",
    "/Applications/WinterBoard.app",
    "/usr/sbin/sshd",
    "/private/var/tmp/cydia.log",
    "/usr/libexec/sftp-server",
    "/var/log/syslog",
    "/bin/bash",
    "/var/checkra1n.dmg",
    "/bin/sh",
    "/Applications/Snoop-itConfig.app",
    "/etc/ssh/sshd_config",
    "/private/etc/ssh/sshd_config",
    "/usr/libexec/ssh-keysign",
    "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
    "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
    "/private/var/stash",
    "/usr/bin/cycript",
    "/usr/bin/ssh",
    "/usr/bin/sshd",
    "/var/cache/apt",
    "/var/lib/cydia",
    "/var/tmp/cydia.log",
    "/Applications/SBSettings.app",
    "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
    "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "/private/var/lib/apt",
    "/private/var/lib/cydia",
    "/private/var/mobile/Library/SBSettings/Themes",
    "/var/lib/apt",
    "/private/jailbreak.txt",
    "/bin/su",
    "/pguntether",
    "/usr/sbin/frida-server",
    "/private/Jailbreaktest.txt",
    "/var/mobile/Media/.evasi0n7_installed"
];

try {
    var resolver = new ApiResolver('objc');

    // 1. Any Objective-C method whose selector contains "jail" (e.g. isJailbroken)
    //    is forced to return NO. The glob is case-sensitive; append "/i" to the
    //    query to match "Jail" as well.
    resolver.enumerateMatches('*[* *jail**]', {
        onMatch: function (match) {
            Interceptor.attach(match.address, {
                onLeave: function (retval) {
                    retval.replace(0x0);
                }
            });
        },
        onComplete: function () {}
    });

    // 2. fileExistsAtPath: and friends. For an Objective-C method args[0] is self,
    //    args[1] is the selector and args[2] is the first real argument (the path).
    resolver.enumerateMatches('*[* fileExistsAtPath*]', {
        onMatch: function (match) {
            Interceptor.attach(match.address, {
                onEnter: function (args) {
                    var path = new ObjC.Object(args[2]).toString();
                    this.jailbreakCall = paths.indexOf(path) !== -1;
                },
                onLeave: function (retval) {
                    if (this.jailbreakCall) {
                        retval.replace(0x0); // NO
                    }
                }
            });
        },
        onComplete: function () {}
    });

    // 3. canOpenURL: probes for the cydia:// URL scheme.
    resolver.enumerateMatches('*[* canOpenURL*]', {
        onMatch: function (match) {
            Interceptor.attach(match.address, {
                onEnter: function (args) {
                    var url = new ObjC.Object(args[2]).toString();
                    this.jailbreakCall = url.indexOf("cydia") >= 0;
                },
                onLeave: function (retval) {
                    if (this.jailbreakCall) {
                        retval.replace(0x0); // NO
                    }
                }
            });
        },
        onComplete: function () {}
    });

    send({
        type: 'success',
        data: {
            message: "[!] Jailbreak Bypass success"
        }
    });
} catch (e) {
    send({
        type: 'exception',
        data: {
            message: '[!] Jailbreak bypass script error: ' + e.message
        }
    });
}
```
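Two things the script above leaves open in practice: it compares paths as raw strings (so `/private/var/lib/apt` and `/var/lib/apt/` have to be listed separately, and `/Applications/Cydia.app/Info.plist` is not caught at all), and it only hooks the Objective-C layer, while Swift and C checks call `stat`, `access`, `open` or `fopen` from libSystem directly and never go through `fileExistsAtPath:`. The following added example (not code from the page or from the script's author) closes both gaps: a canonicalizing artifact matcher, a scheme-based URL check, and Frida hooks on the libc file calls that force a failure return for artifact paths. The artifact list is a constructed subset of the page's list; the URL schemes beyond `cydia` are an assumption about common package and file managers, not something the page states. The Frida-only part is skipped when the file runs under plain Node.

```javascript
// Added example: canonical artifact matching plus libc-level hooks for jailbreak checks.

// Constructed subset of the page's list (with deliberate spelling variants).
const JAILBREAK_PATHS = [
  '/Applications/Cydia.app',
  '/Library/MobileSubstrate/MobileSubstrate.dylib',
  '/private/var/lib/apt/',
  '/var/lib/apt',
  '/usr/sbin/sshd',
  '/etc/apt',
  '/bin/bash',
  '/usr/sbin/frida-server',
  '/var/checkra1n.dmg',
];

// On iOS /var, /etc and /tmp are symlinks into /private, and checks may or may not
// carry a trailing slash, so compare canonical forms rather than raw strings.
function canonicalPath(p) {
  let c = p.replace(/\/+$/, '');
  if (c.startsWith('/private/')) c = c.slice('/private'.length);
  return c;
}

const CANONICAL_ARTIFACTS = Array.from(new Set(JAILBREAK_PATHS.map(canonicalPath)));

// True for an artifact itself or anything underneath it (e.g. Cydia.app/Info.plist).
function isJailbreakArtifact(path) {
  const c = canonicalPath(path);
  return CANONICAL_ARTIFACTS.some((a) => c === a || c.startsWith(a + '/'));
}

// URL-scheme probes: match the scheme only, so a substring like "cydia" inside a
// legitimate URL (https://example.com/cydia-news) is not blocked by mistake.
// Schemes other than "cydia" are an assumption (common package/file managers).
const JAILBREAK_URL_SCHEMES = ['cydia', 'sileo', 'zbra', 'filza'];
function isJailbreakUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m !== null && JAILBREAK_URL_SCHEMES.includes(m[1].toLowerCase());
}

// Frida-only part: hook the libc file calls and make them fail for artifact paths.
// Returns the number of hooks installed; 0 when not running inside Frida.
function installLibcHooks() {
  if (typeof Interceptor === 'undefined' || typeof Module === 'undefined') return 0;
  const targets = [
    { name: 'stat',   fail: () => ptr(0xffffffff) }, // int -1 in w0, which callers compare
    { name: 'lstat',  fail: () => ptr(0xffffffff) },
    { name: 'access', fail: () => ptr(0xffffffff) },
    { name: 'open',   fail: () => ptr(0xffffffff) },
    { name: 'fopen',  fail: () => ptr(0) },          // NULL FILE*
  ];
  let installed = 0;
  for (const t of targets) {
    const addr = Module.findExportByName(null, t.name);
    if (addr === null) continue;
    Interceptor.attach(addr, {
      onEnter(args) {
        const path = args[0].readUtf8String(); // const char *path is the first argument
        this.block = path !== null && isJailbreakArtifact(path);
        if (this.block) console.log('[*] ' + t.name + '(' + path + ') -> forced failure');
      },
      onLeave(retval) {
        if (this.block) retval.replace(t.fail());
      },
    });
    installed += 1;
  }
  return installed;
}

installLibcHooks();
```

Use it alongside the Objective-C script, not instead of it: the libc hooks catch the Swift/C checks, while `fileExistsAtPath:` and `canOpenURL:` still need the method-level hooks because the NSFileManager path can be answered from the kernel via calls other than these five. The `console.log` line in `onEnter` also tells you which artifact the app probed, which is the list you want when you go back to reverse the detection routine.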
