# Frida instrumentation ## Frida trace and memory patch Trace a specific **MODULE!OFFSET** ``` frida_venv-14.2.18\Scripts\frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'Myxxx!0x100000' ``` If you are getting some troubles, why not using the passionfruit console to get the trace with the offsets. After that, analyze them in IDA or GHIDRA ;) ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mf4VHu7OW6kUmKT1xSe%2F-Mf4Vvf_l3lM3uX3BrR7%2Fimage.png?alt=media\&token=b4b3c470-3076-4032-a7f9-9a294ca00f39) ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mf4VHu7OW6kUmKT1xSe%2F-Mf4WWOy_Jn90K1-MgQP%2Fimage.png?alt=media\&token=78a533d9-c7e5-4d0f-acc1-c4dee5515da7) {% hint style="success" %} T**ip:** press **G** and paste the full offset => **My xxxxx!0x16e794** {% endhint %} ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mf4VHu7OW6kUmKT1xSe%2F-Mf4VeQP_akRzsE2Esrz%2Fimage.png?alt=media\&token=4a3109ba-355a-4997-9a80-69a49685fb51) Or using the frida-trace utility to instrument the execution ... (change the .js file on \_\_*handlers*\_\_ folder). ``` frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'My xxxxx!0x16e794' ``` After that, you can patch in memory your ipa from, **0x10016E790** to **0x10016E7AC**. ``` /* __text:000000010016E78C BL sub_1001DC3DC __text:000000010016E790 BL sub_100361F34 __text:000000010016E794 TBNZ W0, #0, loc_10016E7B0 __text:000000010016E798 BL sub_100362240 __text:000000010016E79C TBNZ W0, #0, loc_10016E7B0 __text:000000010016E7A0 BL sub_100362370 __text:000000010016E7A4 TBNZ W0, #0, loc_10016E7B0 __text:000000010016E7A8 BL sub_100362548 __text:000000010016E7AC TBZ W0, #0, loc_10016E934 */ var addr = Module.getBaseAddress("My xxxx").add("0x16e790"); console.log(Module.findBaseAddress('My xxxx')); //write app base-addr Memory.protect(addr, 0x1000, "rwx"); var writer = new Arm64Writer(addr); writer.putNop(); writer.putNop(); writer.putNop(); writer.putNop(); writer.putNop(); writer.putNop(); writer.putNop(); writer.putNop(); writer.flush(); ``` Run it. ``` frida -U -f 'com.xxxx.xxxx.xxxxx' -l frida.js --no-pause ``` ## Jailbreak detector + bypass In order to detect the function are doing jailbreak detection you can use this script available on frida code share repository. {% embed url="" %} ``` frida -U --codeshare lichao890427/jailbreak-detect-trace -f 'com.xxx.xxx.xxx' --no-pause ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mf4fkTq_eNSvH_UTfB3%2F-Mf53mKac3OaUAGSEj2Q%2Fimage.png?alt=media\&token=a5361f4e-6d34-4a5c-8261-6c478273a88d) After that, you can do the steps executed above: reversing it and patch it in memory. :sunglasses: In addition, You can try to use this script to bypass jailbreak detection. ``` /* * usage: frida -l bypass-jailbreak.js -Uf com.foo.bar */ var paths = [ "/etc/apt", "/Library/MobileSubstrate/MobileSubstrate.dylib", "/Applications/Cydia.app", "/Applications/blackra1n.app", "/Applications/FakeCarrier.app", "/Applications/Icy.app", "/Applications/IntelliScreen.app", "/Applications/MxTube.app", "/Applications/RockApp.app", "/Applications/SBSetttings.app", "/private/var/lib/apt/", "/Applications/WinterBoard.app", "/usr/sbin/sshd", "/private/var/tmp/cydia.log", "/usr/binsshd", "/usr/libexec/sftp-server", "/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist", "/System/Library/LaunchDaemons/com.saurik.Cy@dia.Startup.plist", "/var/log/syslog", "/bin/bash", "/var/checkra1n.dmg", "/bin/sh", "/Applications/Snoop-itConfig.app", "/etc/ssh/sshd_config", "/private/etc/ssh/sshd_config", "/usr/libexec/ssh-keysign", "/Library/MobileSubstrate/DynamicLibraries/Veency.plist", "/System/Library/LaunchDaemons/com.ikey.bbot.plist", "/private/var/stash", "/usr/bin/cycript", "/usr/bin/ssh", "/usr/bin/sshd", "/var/cache/apt", "/var/lib/cydia", "/var/tmp/cydia.log", "/Applications/SBSettings.app", "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", "/private/var/lib/apt", "/private/var/lib/cydia", "/private/var/mobile/Library/SBSettings/Themes", "/var/lib/apt", "/private/jailbreak.txt", "/bin/su", "/pguntether", "/usr/sbin/frida-server", "/private/Jailbreaktest.txt", "/var/mobile/Media/.evasi0n7_installed" ]; try { var resolver = new ApiResolver('objc'); resolver.enumerateMatches('*[* *jail**]', { onMatch: function(match) { var ptr = match["address"]; Interceptor.attach(ptr, { onEnter: function() {}, onLeave: function(retval) { retval.replace(0x0); } }); }, onComplete: function() {} }); resolver.enumerateMatches('*[* fileExistsAtPath*]', { onMatch: function(match) { var ptr = match["address"]; Interceptor.attach(ptr, { onEnter: function(args) { var path = ObjC.Object(args[2]).toString(); this.jailbreakCall = false; for (var i = 0; i < paths.length; i++) { if (paths[i] == path) { this.jailbreakCall = true; } } }, onLeave: function(retval) { if (this.jailbreakCall) { retval.replace(0x0); } } }); }, onComplete: function() {} }); resolver.enumerateMatches('*[* canOpenURL*]', { onMatch: function(match) { var ptr = match["address"]; Interceptor.attach(ptr, { onEnter: function(args) { var url = ObjC.Object(args[2]).toString(); this.jailbreakCall = false; if (url.indexOf("cydia") >= 0) { this.jailbreakCall = true; } }, onLeave: function(retval) { if (this.jailbreakCall) { retval.replace(0x0); } } }); }, onComplete: function() {} }); var response = { type: 'sucess', data: { message: "[!] Jailbreak Bypass success" } }; send(response); } catch (e) { var message = { type: 'exception', data: { message: '[!] Jailbreak bypass script error: ' } }; send(message); } ```