Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Jailbreak
Install Frida iPhone 5S
Frida instrumentation
Resources / Extra features
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Tools
Resources
Powered By GitBook
Frida instrumentation

Trace a specific MODULE!OFFSET
frida_venv-14.2.18\Scripts\frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'Myxxx!0x100000'
If you are getting some troubles, why not using the passionfruit console to get the trace with the offsets. After that, analyze them in IDA or GHIDRA ;)
Tip: press G and paste the full offset => My xxxxx!0x16e794
Or using the frida-trace utility to instrument the execution ... (change the .js file on __handlers__ folder).
frida-trace-script.py -U -f 'com.xxx.xxx.xxxx' -a 'My xxxxx!0x16e794'
After that, you can patch in memory your ipa from, 0x10016E790 to 0x10016E7AC.
/*
__text:000000010016E78C BL sub_1001DC3DC
__text:000000010016E790 BL sub_100361F34
__text:000000010016E794 TBNZ W0, #0, loc_10016E7B0
__text:000000010016E798 BL sub_100362240
__text:000000010016E79C TBNZ W0, #0, loc_10016E7B0
__text:000000010016E7A0 BL sub_100362370
__text:000000010016E7A4 TBNZ W0, #0, loc_10016E7B0
__text:000000010016E7A8 BL sub_100362548
__text:000000010016E7AC TBZ W0, #0, loc_10016E934
*/
​
var addr = Module.getBaseAddress("My xxxx").add("0x16e790");
console.log(Module.findBaseAddress('My xxxx')); //write app base-addr
Memory.protect(addr, 0x1000, "rwx");
var writer = new Arm64Writer(addr);
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.putNop();
writer.flush();
Run it.
frida -U -f 'com.xxxx.xxxx.xxxxx' -l frida.js --no-pause

In order to detect the function are doing jailbreak detection you can use this script available on frida code share repository.
Frida CodeShare
frida -U --codeshare lichao890427/jailbreak-detect-trace -f 'com.xxx.xxx.xxx' --no-pause
After that, you can do the steps executed above: reversing it and patch it in memory.
😎
In addition, You can try to use this script to bypass jailbreak detection.
/*
* usage: frida -l bypass-jailbreak.js -Uf com.foo.bar
*/
​
​
var paths = [
"/etc/apt",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/Applications/Cydia.app",
"/Applications/blackra1n.app",
"/Applications/FakeCarrier.app",
"/Applications/Icy.app",
"/Applications/IntelliScreen.app",
"/Applications/MxTube.app",
"/Applications/RockApp.app",
"/Applications/SBSetttings.app",
"/private/var/lib/apt/",
"/Applications/WinterBoard.app",
"/usr/sbin/sshd",
"/private/var/tmp/cydia.log",
"/usr/binsshd",
"/usr/libexec/sftp-server",
"/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist",
"/System/Library/LaunchDaemons/[email protected]",
"/var/log/syslog",
"/bin/bash",
"/var/checkra1n.dmg",
"/bin/sh",
"/Applications/Snoop-itConfig.app",
"/etc/ssh/sshd_config",
"/private/etc/ssh/sshd_config",
"/usr/libexec/ssh-keysign",
"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
"/System/Library/LaunchDaemons/com.ikey.bbot.plist",
"/private/var/stash",
"/usr/bin/cycript",
"/usr/bin/ssh",
"/usr/bin/sshd",
"/var/cache/apt",
"/var/lib/cydia",
"/var/tmp/cydia.log",
"/Applications/SBSettings.app",
"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
"/private/var/lib/apt",
"/private/var/lib/cydia",
"/private/var/mobile/Library/SBSettings/Themes",
"/var/lib/apt",
"/private/jailbreak.txt",
"/bin/su",
"/pguntether",
"/usr/sbin/frida-server",
"/private/Jailbreaktest.txt",
"/var/mobile/Media/.evasi0n7_installed"
];
​
try {
var resolver = new ApiResolver('objc');
​
resolver.enumerateMatches('*[* *jail**]', {
onMatch: function(match) {
var ptr = match["address"];
Interceptor.attach(ptr, {
onEnter: function() {},
onLeave: function(retval) {
retval.replace(0x0);
}
});
},
onComplete: function() {}
});
​
resolver.enumerateMatches('*[* fileExistsAtPath*]', {
onMatch: function(match) {
var ptr = match["address"];
Interceptor.attach(ptr, {
onEnter: function(args) {
var path = ObjC.Object(args[2]).toString();
this.jailbreakCall = false;
for (var i = 0; i < paths.length; i++) {
if (paths[i] == path) {
this.jailbreakCall = true;
}
}
},
onLeave: function(retval) {
if (this.jailbreakCall) {
retval.replace(0x0);
}
}
});
},
onComplete: function() {}
});
​
resolver.enumerateMatches('*[* canOpenURL*]', {
onMatch: function(match) {
var ptr = match["address"];
Interceptor.attach(ptr, {
onEnter: function(args) {
var url = ObjC.Object(args[2]).toString();
this.jailbreakCall = false;
if (url.indexOf("cydia") >= 0) {
this.jailbreakCall = true;
}
},
onLeave: function(retval) {
if (this.jailbreakCall) {
retval.replace(0x0);
}
}
});
},
onComplete: function() {}
});
​
var response = {
type: 'sucess',
data: {
message: "[!] Jailbreak Bypass success"
}
};
send(response);
} catch (e) {
var message = {
type: 'exception',
data: {
message: '[!] Jailbreak bypass script error: '
}
};
send(message);
}
​
​
Previous
Install Frida iPhone 5S
Next
Resources / Extra features
Last modified 1yr ago
Copy link
On this page
Frida trace and memory patch
Jailbreak detector + bypass