Frida instrumentation

Frida trace and memory patch

Trace a specific MODULE!OFFSET
# Trace a single function given as MODULE!OFFSET (-a); -U targets the USB device, -f spawns the bundle id.
# Bundle id and module name are placeholders (xxx) to be replaced with the app under test.
frida_venv-14.2.18\Scripts\frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'Myxxx!0x100000'
If you run into trouble, you can use the Passionfruit console to get the trace together with the offsets. After that, analyze them in IDA or Ghidra ;)
Tip: press G and paste the full offset => My xxxxx!0x16e794
Or use the frida-trace utility to instrument the execution ... (edit the generated .js handler in the __handlers__ folder).
# Same trace as above, now pointed at the offset found in the disassembler (MODULE!OFFSET, module name with a space works when quoted).
frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'My xxxxx!0x16e794'
After that, you can patch the app in memory from 0x10016E790 to 0x10016E7AC.
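/*
__text:000000010016E78C BL sub_1001DC3DC
__text:000000010016E790 BL sub_100361F34
__text:000000010016E794 TBNZ W0, #0, loc_10016E7B0
__text:000000010016E798 BL sub_100362240
__text:000000010016E79C TBNZ W0, #0, loc_10016E7B0
__text:000000010016E7A0 BL sub_100362370
__text:000000010016E7A4 TBNZ W0, #0, loc_10016E7B0
__text:000000010016E7A8 BL sub_100362548
__text:000000010016E7AC TBZ W0, #0, loc_10016E934
*/

// Overwrites the eight 4-byte instructions from base+0x16e790 to base+0x16e7ac
// (the four BL calls and the four conditional branches listed above) with NOPs.
// Module name and offset are placeholders taken from the listing above.
const MODULE_NAME = "My xxxx";
const PATCH_OFFSET = "0x16e790";
// 0x16e790 .. 0x16e7ac inclusive, 4 bytes per AArch64 instruction => 8 NOPs.
const PATCHED_INSTRUCTION_COUNT = 8;

// findBaseAddress returns null when the module is not loaded, so it is safe to
// log first; getBaseAddress below throws in that case, which is the desired
// failure mode for the patch itself.
console.log(Module.findBaseAddress(MODULE_NAME)); // app base address
const addr = Module.getBaseAddress(MODULE_NAME).add(PATCH_OFFSET);

// Memory.protect reports failure through its return value, not by throwing;
// the original script ignored it and would only fail later, at the first write.
if (!Memory.protect(addr, 0x1000, "rwx")) {
  throw new Error(`Memory.protect failed for ${addr}`);
}

const writer = new Arm64Writer(addr);
try {
  for (let i = 0; i < PATCHED_INSTRUCTION_COUNT; i++) {
    writer.putNop();
  }
  writer.flush(); // nothing reaches memory until flush()
} finally {
  writer.dispose(); // release the writer's resources even if a put fails
}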
Run it.
# Spawn the app over USB with frida.js injected and let it start without pausing (long-form flags).
frida --usb --file 'com.xxxx.xxxx.xxxxx' --load frida.js --no-pause

Jailbreak detector + bypass

To find the functions that perform jailbreak detection, you can use this script from the Frida CodeShare repository.
# Spawn the app over USB with the CodeShare trace script injected, without pausing at startup (long-form flags).
frida --usb --codeshare lichao890427/jailbreak-detect-trace --file 'com.xxx.xxx.xxx' --no-pause
After that, you can follow the steps above: reverse it and patch it in memory.
😎
In addition, you can try this script to bypass jailbreak detection.
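/*
* usage: frida -l bypass-jailbreak.js -Uf com.foo.bar
*/

// Hooks three families of Objective-C methods via the 'objc' ApiResolver:
//   - any method whose selector contains "jail" (forced to return 0),
//   - fileExistsAtPath: (forced to return 0 only for the paths listed below),
//   - canOpenURL: (forced to return 0 only for URLs mentioning "cydia").
// A single `send()` reports success or the caught exception to the host.

// Paths whose presence the hooked fileExistsAtPath: check treats as a jailbreak
// indicator. Kept as an array for compatibility; a Set is derived below for
// lookups. Two entries ("/usr/binsshd", "/Systetem/...") look like misspellings
// of entries that also appear further down; they are left byte-identical.
const paths = [
  "/etc/apt",
  "/Library/MobileSubstrate/MobileSubstrate.dylib",
  "/Applications/Cydia.app",
  "/Applications/blackra1n.app",
  "/Applications/FakeCarrier.app",
  "/Applications/Icy.app",
  "/Applications/IntelliScreen.app",
  "/Applications/MxTube.app",
  "/Applications/RockApp.app",
  "/Applications/SBSetttings.app",
  "/private/var/lib/apt/",
  "/Applications/WinterBoard.app",
  "/usr/sbin/sshd",
  "/private/var/tmp/cydia.log",
  "/usr/binsshd",
  "/usr/libexec/sftp-server",
  "/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist",
  "/System/Library/LaunchDaemons/[email protected]",
  "/var/log/syslog",
  "/bin/bash",
  "/var/checkra1n.dmg",
  "/bin/sh",
  "/Applications/Snoop-itConfig.app",
  "/etc/ssh/sshd_config",
  "/private/etc/ssh/sshd_config",
  "/usr/libexec/ssh-keysign",
  "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
  "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
  "/private/var/stash",
  "/usr/bin/cycript",
  "/usr/bin/ssh",
  "/usr/bin/sshd",
  "/var/cache/apt",
  "/var/lib/cydia",
  "/var/tmp/cydia.log",
  "/Applications/SBSettings.app",
  "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
  "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
  "/private/var/lib/apt",
  "/private/var/lib/cydia",
  "/private/var/mobile/Library/SBSettings/Themes",
  "/var/lib/apt",
  "/private/jailbreak.txt",
  "/bin/su",
  "/pguntether",
  "/usr/sbin/frida-server",
  "/private/Jailbreaktest.txt",
  "/var/mobile/Media/.evasi0n7_installed",
];

// O(1) membership test instead of a linear scan on every fileExistsAtPath: call.
const jailbreakPaths = new Set(paths);

// Replace the hooked method's return value with 0 (NO / nil), whatever it was.
function forceZero(retval) {
  retval.replace(0x0);
}

// Attach `callbacks` to every Objective-C method the resolver matches for `pattern`.
function hookMatching(resolver, pattern, callbacks) {
  resolver.enumerateMatches(pattern, {
    onMatch(match) {
      Interceptor.attach(match.address, callbacks);
    },
    onComplete() {},
  });
}

try {
  const resolver = new ApiResolver('objc');

  // Any selector containing "jail" is treated as a detection routine whose
  // result should read as "not jailbroken".
  hookMatching(resolver, '*[* *jail**]', {
    onLeave: forceZero,
  });

  // args[2] is the first Objective-C argument (after self and _cmd): the path.
  // Only the listed paths are denied, so ordinary file checks keep working.
  hookMatching(resolver, '*[* fileExistsAtPath*]', {
    onEnter(args) {
      this.jailbreakCall = false;
      if (args[2].isNull()) {
        return; // nil path: nothing to compare, leave the call untouched
      }
      const path = ObjC.Object(args[2]).toString();
      this.jailbreakCall = jailbreakPaths.has(path);
    },
    onLeave(retval) {
      if (this.jailbreakCall) {
        forceZero(retval);
      }
    },
  });

  // args[2] is the NSURL; only URLs mentioning "cydia" are denied.
  hookMatching(resolver, '*[* canOpenURL*]', {
    onEnter(args) {
      this.jailbreakCall = false;
      if (args[2].isNull()) {
        return;
      }
      const url = ObjC.Object(args[2]).toString();
      this.jailbreakCall = url.includes("cydia");
    },
    onLeave(retval) {
      if (this.jailbreakCall) {
        forceZero(retval);
      }
    },
  });

  send({
    type: 'sucess', // spelling kept as-is: a host-side consumer may match on it
    data: {
      message: "[!] Jailbreak Bypass success",
    },
  });
} catch (e) {
  // The original dropped the exception entirely, leaving only a fixed prefix;
  // include the error text so a failed hook setup can actually be diagnosed.
  send({
    type: 'exception',
    data: {
      message: '[!] Jailbreak bypass script error: ' + String(e),
    },
  });
}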