Create ObjC_Unppining_Helper.js
This commit is contained in:
parent
130aacd5f6
commit
3097a877e4
112
ObjC_Unppining_Helper.js
Normal file
112
ObjC_Unppining_Helper.js
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
/*
|
||||||
|
=========================
|
||||||
|
ObjC Unppining Helper
|
||||||
|
By Lotem
|
||||||
|
=========================
|
||||||
|
|
||||||
|
This is a frida script for unpinning and reversing of ObjC applications.
|
||||||
|
It is used to list and intercept methods in moudles by regexs.
|
||||||
|
|
||||||
|
You may change the following regex arrays to match your needs:
|
||||||
|
*/
|
||||||
|
|
||||||
|
// The list of regexs for the moudle name
|
||||||
|
var moduleKeyWords = [/.*/]; // (It is not recommended to search all the moudles)
|
||||||
|
|
||||||
|
// The list of regexs for the method name
|
||||||
|
var methodKeyWords = [/cert/i, /trust/i, /ssl/i, /verify/i, /509/];
|
||||||
|
|
||||||
|
// The list of regexs for the method to override their return value with "1"
|
||||||
|
var overrideKeyWords = [];
|
||||||
|
|
||||||
|
/*
|
||||||
|
To run this script with frida on iPhone, follow these steps:
|
||||||
|
1. Make sure the iPhone is jailbreaked
|
||||||
|
2. Download the frida server from Cydia (package: re.frida.server)
|
||||||
|
3. Connect the iPhone to your computer with USB and open the application
|
||||||
|
4. Type in console "frida-ps -U" to get the list of running proccess on the iPhone, and find the proccess name of your app
|
||||||
|
5. Type in console "frida -U <APP PROCCESS NAME> -l <PATH TO THIS SCRIPT>" to run this script
|
||||||
|
6. Now you should use the app to trigger some of the intercepted methods
|
||||||
|
*/
|
||||||
|
|
||||||
|
// The "main" method. Going over all the moudles and all the methods, and trying to intercept each one which matches the regexs.
|
||||||
|
setImmediate(function () {
|
||||||
|
if (!ObjC.available) {
|
||||||
|
console.log("[-] Objective-C Runtime is not available!");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log("=======================================================\n");
|
||||||
|
console.log("[*] Searching methods...");
|
||||||
|
|
||||||
|
var moduleUsed = false;
|
||||||
|
|
||||||
|
Process.enumerateModules({
|
||||||
|
onMatch: function(module) {
|
||||||
|
|
||||||
|
if (!matchesRegex(moduleKeyWords, module.name)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
moduleUsed = false;
|
||||||
|
Module.enumerateSymbols(module.name, {
|
||||||
|
onMatch: function(exp) {
|
||||||
|
if (matchesRegex(methodKeyWords, exp.name)) {
|
||||||
|
if (!moduleUsed) {
|
||||||
|
console.log("[*] In module \"" + module.name + "\"");
|
||||||
|
moduleUsed = true;
|
||||||
|
}
|
||||||
|
console.log("\t[*] Matching method: \"" + exp.name + "\", Address: " + Module.findExportByName(module.name, exp.name));
|
||||||
|
|
||||||
|
if (intercept(module.name, exp.name)) {
|
||||||
|
console.log("\t\t[+] Now intercepting " + exp.name);
|
||||||
|
} else {
|
||||||
|
console.log("\t\t[-] Could not intercept " + exp.name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
onComplete: function (retval) {}
|
||||||
|
});
|
||||||
|
},
|
||||||
|
onComplete: function (retval) {}
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
|
console.log("[*] Completed!");
|
||||||
|
console.log("=======================================================\n\n");
|
||||||
|
});
|
||||||
|
|
||||||
|
// Return if 'str' match any of the regexs in the array 'regexList'
|
||||||
|
function matchesRegex(regexList, str) {
|
||||||
|
for (var i = 0; i < regexList.length; i++) {
|
||||||
|
if (str.search(regexList[i]) != -1) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try to intercept a method by moudle name and function name.
|
||||||
|
// Return 'true' on success and 'false' on failor.
|
||||||
|
function intercept(module, func) {
|
||||||
|
try {
|
||||||
|
Interceptor.attach(Module.findExportByName(module, func), {
|
||||||
|
onEnter: function(args) {
|
||||||
|
console.log("[*] Method CALL:\t\"" + func + "\" called!");
|
||||||
|
},
|
||||||
|
onLeave: function (retval) {
|
||||||
|
console.log("[*] Method RETURN:\t\"" + func + "\" (return value: " + retval + ")");
|
||||||
|
|
||||||
|
if (matchesRegex(overrideKeyWords, func)) {
|
||||||
|
console.log("[!] CHANGED RETURN VALUE of method:\t\"" + func + "\" (new value: " + 1 + ")");
|
||||||
|
retval.replace(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch(err) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user