Frida iOS hook

A script that helps you trace classes, functions, and modify the return values of methods on iOS platform.

For Android platform: https://github.com/noobpk/frida-android-hook

The intercept-API functionality is currently being moved to a separate repository: https://github.com/noobpk/frida-ios-intercept-api

Env OS Support

OS        Supported   Note
MacOS     yes         main
Linux     yes         sub
Windows   yes         sub

Compatible with

iOS       Frida      Supported
13.2.3    14.2.13    yes
14.4.2    14.2.13    yes
14.4.2    15.0.18    yes

Feature

Runs on Python 3.x

Supports both spawning the target application and attaching a script to an already running process.

[+] Options:

    -p (--package)          Identifier of application, e.g. com.apple.AppStore
    -n (--name)             Name of application, e.g. AppStore
    -s (--script)           Script to load, in the form script.js
    -c (--check-version)    Check for the newest version
    -u (--update)           Update to the newest version

    [*] Dump decrypted IPA:

        -d, --dump          Dump decrypted application.ipa
        -o OUTPUT_IPA, --output=OUTPUT_IPA
                            Specify name of the decrypted IPA

    [*] Dump memory of application:

        --dump-memory       Dump memory of application

    [*] HexByte scan IPA:

        --hexbyte-scan      Scan or patch IPA with byte patterns
        -t TASK, --task=TASK
                            Task for hexbytescan

    [*] Information:

        --list-devices      List all devices
        --list-apps         List the installed apps
        --list-appinfo      List info of apps on iTunes
        --list-scripts      List all scripts

    [*] Quick method:

        -m (--method)       Commonly used methods; the flag in parentheses selects the target
                            - app-static (-n)
                            - bypass-jb  (-p)
                            - bypass-ssl (-p)
                            - i-url-req  (-p)
                            - i-crypto   (-n)
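What the quick methods above (and the hook/modify-return-value scripts listed under Frida-Script) do under the hood is: render a Frida JavaScript hook for one Objective-C method, spawn or attach to the app over USB, and report or override the method's return value. The following is an added example of that flow in Python using the frida bindings; it is not ioshook's own code. The class name JailbreakDetector and selector "- isJailbroken" are hypothetical placeholders, and it assumes a jailbroken device running frida-server reachable over USB.

```python
"""Added example (not ioshook's own code): spawn/attach + hook one ObjC method with Frida."""
import json
import sys
from typing import Optional

# Frida JavaScript template. Placeholders are substituted with JSON string literals,
# so class/selector names cannot break out of the JS string.
HOOK_TEMPLATE = r"""
var CLS = __CLASS__;        // class name, e.g. "JailbreakDetector" (hypothetical)
var SEL = __SELECTOR__;     // selector, "- name" for instance or "+ name" for class methods
var NEW_RET = __NEW_RET__;  // hex string for the replacement return value, or null to trace only

if (!ObjC.available) {
    send({event: "error", reason: "Objective-C runtime not available"});
} else {
    var target = ObjC.classes[CLS];
    if (!target || !target[SEL]) {
        send({event: "error", reason: "method not found: " + CLS + " " + SEL});
    } else {
        Interceptor.attach(target[SEL].implementation, {
            onEnter: function (args) {
                // args[0] = self, args[1] = _cmd, args[2..] = the method's own arguments
                send({event: "enter", cls: CLS, sel: SEL, self: args[0].toString()});
            },
            onLeave: function (retval) {
                var original = retval.toString();
                if (NEW_RET !== null) {
                    retval.replace(ptr(NEW_RET));   // e.g. "0x0" turns a BOOL YES into NO
                }
                send({event: "leave", cls: CLS, sel: SEL, original: original,
                      replaced: NEW_RET === null ? original : NEW_RET});
            }
        });
        send({event: "hooked", cls: CLS, sel: SEL});
    }
}
"""


def build_hook_script(class_name: str, selector: str, new_return: Optional[str] = None) -> str:
    """Render the template. new_return is a hex string such as "0x0", or None to only trace."""
    if not (selector.startswith("- ") or selector.startswith("+ ")):
        raise ValueError("selector must start with '- ' (instance) or '+ ' (class)")
    if new_return is not None:
        int(new_return, 16)  # fail here on a malformed value, not inside the target process
    return (HOOK_TEMPLATE
            .replace("__CLASS__", json.dumps(class_name))
            .replace("__SELECTOR__", json.dumps(selector))
            .replace("__NEW_RET__", json.dumps(new_return)))


def handle_message(message: dict, data=None) -> dict:
    """Normalise a Frida script message (same signature as the script.on('message') callback).
    send() payloads arrive as type "send"; uncaught JS exceptions arrive as type "error"."""
    if message.get("type") == "send":
        payload = message.get("payload")
        return payload if isinstance(payload, dict) else {"event": "raw", "payload": payload}
    if message.get("type") == "error":
        return {"event": "error", "error": message.get("description"), "stack": message.get("stack")}
    return {"event": "unknown", "raw": message}


def run(target: str, source: str, spawn: bool = True) -> None:
    """Spawn (by bundle identifier) or attach (by process name or pid) over USB and load the script.
    frida is imported lazily so the helpers above work without it installed."""
    import frida  # assumption: `pip install frida` and frida-server on the device

    device = frida.get_usb_device()
    if spawn:
        pid = device.spawn([target])     # app starts suspended; hooks go in before main() runs
        session = device.attach(pid)
    else:
        session = device.attach(target)  # already running: every class is loaded, state is live
    script = session.create_script(source)
    script.on("message", lambda message, data: print(handle_message(message, data)))
    script.load()
    if spawn:
        device.resume(pid)               # only now does the target start executing
    print("hook loaded; press Ctrl-D to detach", file=sys.stderr)
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    # Usage: python hook.py <bundle-id-or-process-name> [spawn|attach]
    mode = sys.argv[2] if len(sys.argv) > 2 else "spawn"
    js = build_hook_script("JailbreakDetector", "- isJailbroken", "0x0")
    run(sys.argv[1], js, spawn=(mode == "spawn"))
```

Spawning is the right mode for checks that run at launch (jailbreak or pinning setup), since the hook is in place before main(); attaching is the right mode when the class is only loaded later or you want to keep the app's current state. The hex value passed to retval.replace() is written into the return register, so it only makes sense for scalar returns (BOOL, int, pointer); for an object return you would construct an ObjC object and pass its handle instead.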

Update

Version: 3.5-beta

    [+] Change:

        [-] Update example usage

        [-] Optimize core hook.py

        [-] Update README.md

    [+] New:

        [-] Add new option hexbytescan

Install & Usage

    [+] Latest version

        https://github.com/noobpk/frida-ios-hook/releases

    [+] Develop version

        1. git clone https://github.com/noobpk/frida-ios-hook
        2. cd frida-ios-hook/frida-ios-hook
        3. chmod +x ioshook
        4. ./ioshook --help (-h)
        5. rebellion :))

If ioshook fails to run a script, try loading it directly with the Frida CLI to rule out the wrapper: frida -U -f <package> -l script.js to spawn the app by identifier, or frida -U -n <AppName> -l script.js to attach to a running process.

Demo Feature

  1. Part 1 [List application, Dump decrypt application, Dump Memory application] : https://youtu.be/7D5OuKAUQ_s
  2. Part 2 [Static Analysis Application, Intercept URL Request] : https://youtu.be/xd685sCMqSw
  3. Part 3 [Bypass Jailbreak Detection] : https://youtu.be/DAJywMZ9nHg

Frida-Script

Frida scripts bundled with the tool to help with iOS app pentesting. The Spawn/Attach column shows whether a script is meant to be loaded when spawning the app (S), when attaching to a running process (A), or either (S+A).

N    Spawn/Attach   Script Name                                         Script Description
1    S              bypass-jailbreak-1.js                               Basic bypass of jailbreak detection
2    S              dump-ios-url-scheme.js                              Dump the iOS URL scheme when "openURL" is called
3    S              dump-ui.js                                          Dump the current on-screen user interface structure
4    S+A            find-all-classes.js                                 Dump all classes used by the app
5    S+A            find-all-methods-all-classes.js                     Dump all methods inside all classes
6    S+A            find-specific-method.js                             Find a specific method in all classes
7    S+A            hook-all-methods-of-specific-class.js               Hook all the methods of a particular class
8    S+A            hook-specific-method-of-class.js                    Hook a particular method of a specific class
9    S+A            ios-app-static-analysis.js                          iOS app static analysis
10   S+A            ios-list-apps.js                                    List installed iOS applications and their information
11   S+A            ios-url-scheme-fuzzing.js                           iOS URL scheme fuzzing
12   S              pasteboard-monitoring.js                            Monitor usage of the pasteboard; useful to show a missing secure attribute on sensitive fields that allows data to be copied
13   A              read-nsuserdefaults.js                              Show contents of NSUserDefaults
14   S+A            show-all-methods-of-specific-class.js               Dump all methods of a particular class
15   S+A            show-argument-type-count-and-return-value-type.js   Show argument types and count, and the return value type, of a method of a class
16   S+A            show-instance-variables-for-specific-class.js       Show all instance variables of a particular class
17   S+A            show-modify-function-arguments.js                   Show and modify the arguments of a method of a class
18   S+A            show-modify-method-return-value.js                  Show and modify the return value of a particular method of a class
19   A              show_binarycookies.js                               Show contents of the Cookies.binarycookies file
20   S              bypass-ssl-ios13.js                                 iOS 13 SSL pinning bypass
21   S              flutter_trace_function.js                           iOS Flutter function tracing
22   S+A            ios-intercept-crypto.js                             Intercept crypto operations
23   S+A            ios-intercept-crypto-2.js                           Intercept crypto operations (variant 2)
24   S              bypass-flutter-ssl.js                               Flutter SSL pinning bypass

Hexbytescan-Task

N   Task Name                 Task Description
1   openssl_hook.json         OpenSSL 1.0.2 certificate pinning hook on arm64
2   openssl_1_1_0_hook.json   OpenSSL 1.1.0 certificate pinning hook for arm64; it modifies the cmp instruction in the tls_process_server_certificate method
3   openssl_hook_v2.json      OpenSSL 1.0.2 certificate pinning hook on arm64 with an improved pattern, possibly for a different compiler version or a slightly updated OpenSSL; use it if the first version does not find the patch location. These hooks patch the call to ssl_verify_cert_chain in ssl3_get_server_certificate.
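A hexbytescan task is, at bottom, a byte-pattern search with wildcards over the app's main binary followed by an in-place patch at the match. The tool's own JSON task format is not described on this page, so the following added example (not the tool's code) uses its own small task dict, a constructed arm64 code fragment whose bytes are made up for the example (the mnemonics in the comments are the intended encodings), and a patch that keeps the compare and turns the conditional result into a constant "success".

```python
"""Added example (not the tool's hexbytescan): wildcard byte-pattern scan and patch."""
import re
from typing import List, Optional

# Constructed stand-in for an arm64 code region (little-endian 32-bit instructions).
# Made up for this example; not bytes from OpenSSL or any real app.
SAMPLE = bytes.fromhex(
    "fd7bbfa9"   # stp x29, x30, [sp, #-16]!
    "fd030091"   # mov x29, sp
    "1f0400f1"   # cmp x0, #1          <- verify result compared against "ok"
    "e0179f1a"   # cset w0, eq         <- w0 = (result == 1)
    "c0035fd6"   # ret
)

# Task layout is this example's own assumption, not the tool's JSON schema.
# '??' in "pattern" matches any byte; '??' in "patch" leaves that byte untouched.
TASK = {
    "name": "force-verify-ok (constructed)",
    "pattern": "1F 04 00 F1 ?? 17 9F 1A",   # cmp x0,#1 ; cset w?,eq (any destination register)
    "patch":   "?? ?? ?? ?? 20 00 80 52",   # keep cmp ; replace cset with mov w0,#1
    "expect_matches": 1,                    # refuse to patch if the pattern is ambiguous
    "align": 4,                             # arm64 instructions are 4-byte aligned
}


def parse_hex_pattern(pattern: str) -> List[Optional[int]]:
    """'E8 03 ?? AA' -> [0xE8, 0x03, None, 0xAA]; None is a wildcard byte."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok in ("??", "?"):
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return out


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn the byte pattern into a bytes regex; DOTALL makes '.' match 0x0A as well."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in parse_hex_pattern(pattern)]
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(data: bytes, pattern: str, align: int = 1) -> List[int]:
    """Offsets of all (non-overlapping) matches, keeping only those on the given alignment."""
    rx = compile_pattern(pattern)
    return [m.start() for m in rx.finditer(data) if m.start() % align == 0]


def apply_patch(data: bytes, task: dict) -> bytes:
    """Scan for task['pattern'] and write task['patch'] at every match; returns new bytes."""
    pattern = parse_hex_pattern(task["pattern"])
    patch = parse_hex_pattern(task["patch"])
    if len(patch) != len(pattern):
        raise ValueError("patch must be the same length as the pattern")
    offsets = find_pattern(data, task["pattern"], task.get("align", 1))
    expected = task.get("expect_matches", 1)
    if len(offsets) != expected:
        raise ValueError(f"{task['name']}: expected {expected} match(es), found {len(offsets)} at {offsets}")
    buf = bytearray(data)
    for off in offsets:
        for i, b in enumerate(patch):
            if b is not None:
                buf[off + i] = b
    return bytes(buf)


def patch_file(path_in: str, path_out: str, task: dict) -> List[int]:
    """Patch a binary on disk (e.g. the app's Mach-O unpacked from a decrypted IPA)."""
    with open(path_in, "rb") as f:
        data = f.read()
    offsets = find_pattern(data, task["pattern"], task.get("align", 1))
    with open(path_out, "wb") as f:
        f.write(apply_patch(data, task))
    return offsets


if __name__ == "__main__":
    print("matches at", find_pattern(SAMPLE, TASK["pattern"], TASK["align"]))
    print("patched:", apply_patch(SAMPLE, TASK).hex())
```

The expect_matches check is the important safety: a short wildcard pattern that hits twice in a 30 MB binary should stop the run, not patch both sites. After patching the Mach-O inside an IPA, the code signature no longer matches, so the binary has to be re-signed before it will install and run on the device.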

Disclaimer

Because I am not a developer, my coding skills might not be the best. Therefore, if this tool has any issue or doesn't work for you, create an issue and I will try to fix it. Any suggestions for new features and discussion are welcome!
