Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Frida trace and memory patch
  • Jailbreak detector + bypass

Was this helpful?

  1. Mobile
  2. Reverse iOS ipa

Frida instrumentation

PreviousInstall Frida iPhone 5SNextResources / Extra features

Last updated 3 years ago

Was this helpful?

Frida trace and memory patch

Trace a specific MODULE!OFFSET

frida_venv-14.2.18\Scripts\frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'Myxxx!0x100000'

If you are getting some troubles, why not using the passionfruit console to get the trace with the offsets. After that, analyze them in IDA or GHIDRA ;)

Tip: press G and paste the full offset => My xxxxx!0x16e794

Or using the frida-trace utility to instrument the execution ... (change the .js file on __handlers__ folder).

frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'My xxxxx!0x16e794'

After that, you can patch in memory your ipa from, 0x10016E790 to 0x10016E7AC.

/*
__text:000000010016E78C                 BL              sub_1001DC3DC
__text:000000010016E790                 BL              sub_100361F34
__text:000000010016E794                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E798                 BL              sub_100362240
__text:000000010016E79C                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E7A0                 BL              sub_100362370
__text:000000010016E7A4                 TBNZ            W0, #0, loc_10016E7B0
__text:000000010016E7A8                 BL              sub_100362548
__text:000000010016E7AC                 TBZ             W0, #0, loc_10016E934
*/

var addr = Module.getBaseAddress("My xxxx").add("0x16e790");
console.log(Module.findBaseAddress('My xxxx')); //write app base-addr
Memory.protect(addr, 0x1000, "rwx");
var writer = new Arm64Writer(addr);
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.flush();

Run it.

 frida -U -f 'com.xxxx.xxxx.xxxxx' -l frida.js --no-pause

Jailbreak detector + bypass

In order to detect the function are doing jailbreak detection you can use this script available on frida code share repository.

frida -U --codeshare lichao890427/jailbreak-detect-trace -f 'com.xxx.xxx.xxx' --no-pause

In addition, You can try to use this script to bypass jailbreak detection.

/*
 * usage: frida -l bypass-jailbreak.js -Uf com.foo.bar
 */


var paths = [
    "/etc/apt",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/Applications/Cydia.app",
    "/Applications/blackra1n.app",
    "/Applications/FakeCarrier.app",
    "/Applications/Icy.app",
    "/Applications/IntelliScreen.app",
    "/Applications/MxTube.app",
    "/Applications/RockApp.app",
    "/Applications/SBSetttings.app",
    "/private/var/lib/apt/",
    "/Applications/WinterBoard.app",
    "/usr/sbin/sshd",
    "/private/var/tmp/cydia.log",
    "/usr/binsshd",
    "/usr/libexec/sftp-server",
    "/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist",
    "/System/Library/LaunchDaemons/com.saurik.Cy@dia.Startup.plist",
    "/var/log/syslog",
    "/bin/bash",
	"/var/checkra1n.dmg",
    "/bin/sh",
	"/Applications/Snoop-itConfig.app",
    "/etc/ssh/sshd_config",
	"/private/etc/ssh/sshd_config",
    "/usr/libexec/ssh-keysign",
    "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
    "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
    "/private/var/stash",
    "/usr/bin/cycript",
    "/usr/bin/ssh",
    "/usr/bin/sshd",
    "/var/cache/apt",
    "/var/lib/cydia",
    "/var/tmp/cydia.log",
    "/Applications/SBSettings.app",
    "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
    "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "/private/var/lib/apt",
    "/private/var/lib/cydia",
    "/private/var/mobile/Library/SBSettings/Themes",
    "/var/lib/apt",
    "/private/jailbreak.txt",
    "/bin/su",
    "/pguntether",
    "/usr/sbin/frida-server",
    "/private/Jailbreaktest.txt",
    "/var/mobile/Media/.evasi0n7_installed"
];

try {
    var resolver = new ApiResolver('objc');

    resolver.enumerateMatches('*[* *jail**]', {
        onMatch: function(match) {
            var ptr = match["address"];
            Interceptor.attach(ptr, {
                onEnter: function() {},
                onLeave: function(retval) {
                    retval.replace(0x0);
                }
            });
        },
        onComplete: function() {}
    });

    resolver.enumerateMatches('*[* fileExistsAtPath*]', {
        onMatch: function(match) {
            var ptr = match["address"];
            Interceptor.attach(ptr, {
                onEnter: function(args) {
                    var path = ObjC.Object(args[2]).toString();
                    this.jailbreakCall = false;
                    for (var i = 0; i < paths.length; i++) {
                        if (paths[i] == path) {
                            this.jailbreakCall = true;
                        }
                    }
                },
                onLeave: function(retval) {
                    if (this.jailbreakCall) {
                        retval.replace(0x0);
                    }
                }
            });
        },
        onComplete: function() {}
    });

    resolver.enumerateMatches('*[* canOpenURL*]', {
        onMatch: function(match) {
            var ptr = match["address"];
            Interceptor.attach(ptr, {
                onEnter: function(args) {
                    var url = ObjC.Object(args[2]).toString();
                    this.jailbreakCall = false;
                    if (url.indexOf("cydia") >= 0) {
                        this.jailbreakCall = true;
                    }
                },
                onLeave: function(retval) {
                    if (this.jailbreakCall) {
                        retval.replace(0x0);
                    }
                }
            });
        },
        onComplete: function() {}
    });

    var response = {
        type: 'sucess',
        data: {
            message: "[!] Jailbreak Bypass success"
        }
    };
    send(response);
} catch (e) {
    var message = {
        type: 'exception',
        data: {
            message: '[!] Jailbreak bypass script error: '
        }
    };
    send(message);
}

After that, you can do the steps executed above: reversing it and patch it in memory.

😎
LogoFrida CodeShare