frida iOS hooking — Pentesting/iOS — 2019. 8. 11. 01:17
iOS 후킹 원리 정리도 나중에..
스터디 참고 URL은 아래와 같음
https://blog.attify.com/bypass-jailbreak-detection-frida-ios-applications/
실제 삽질할 때 코드..
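/**
 * Frida script for an Objective-C process: attaches an onLeave hook to the three
 * methods named below (mVaccine -mvc, cc_Util +checkJailBreakStatus,
 * cc_IntroViewController -prepareAppStateCheck), logs each original return
 * value, then replaces it with a NULL pointer via retval.replace().
 *
 * `ObjC`, `Interceptor` and `ptr` are Frida runtime globals, not imports.
 *
 * Defects fixed relative to the original listing:
 *  - hooks 2 and 3 resolved `ObjC.classes[className][funcName]` (the first
 *    target) instead of className2/funcName2 and className3/funcName3, so all
 *    three hooks attached to the same method; the lookup is now done once
 *    per target by a helper that takes the names as parameters.
 *  - the class/method lookup was built as a string and passed to eval(); a
 *    plain property lookup is equivalent and avoids eval entirely.
 *  - missing statement terminators (the script relied on ASI).
 *  - `ObjC` is checked with typeof first, so loading the script outside a
 *    Frida ObjC session reaches the "not available" branch instead of a
 *    ReferenceError.
 */

/**
 * Attach an onLeave hook that logs a method's return value and replaces it.
 *
 * @param {string} className - class name as exposed by ObjC.classes
 * @param {string} funcName - selector with its "+"/"-" prefix, e.g. "- mvc"
 * @param {NativePointer} newretval - value handed to retval.replace()
 * @throws {Error} if the class or the method cannot be found in the runtime;
 *   the caller's try/catch turns this into the "[!] Exception2" log line.
 */
function hookReturnValue(className, funcName, newretval) {
  var klass = ObjC.classes[className];
  if (!klass) {
    throw new Error("class not found: " + className);
  }
  var method = klass[funcName];
  if (!method) {
    throw new Error("method not found: " + className + " " + funcName);
  }
  Interceptor.attach(method.implementation, {
    onLeave: function (retval) {
      console.log("[*] Class Name: " + className);
      console.log("[*] Method Name: " + funcName);
      console.log("\t[-] Type of return value: " + typeof retval);
      console.log("\t[-] Original Return Value: " + retval);
      retval.replace(newretval);
      console.log("\t[-] New Return Value: " + newretval);
    }
  });
}

if (typeof ObjC !== "undefined" && ObjC.available) {
  try {
    // Same replacement value for every target, as in the original listing.
    var newretval = ptr("0x0");
    hookReturnValue("mVaccine", "- mvc", newretval);
    hookReturnValue("cc_Util", "+checkJailBreakStatus", newretval);
    hookReturnValue("cc_IntroViewController", "- prepareAppStateCheck", newretval);
  } catch (err) {
    console.log("[!] Exception2: " + err.message);
  }
} else {
  console.log("Objective-C Runtime is not available!");
}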
관건은...내가 후킹하고 싶은
클래스명, 메소드명을 찾아서..
해당 메소드의 반환 값을 출력해보고
반환 값을 replace하면 된다. 잘되는 것을 확인.