
<img width="538" alt="image" src="https://user-images.githubusercontent.com/31820707/103606590-5f006380-4f49-11eb-9f57-c1c78c76a506.png">

Frida iOS hook

📍 A tool that makes it easy to use Frida. It supports scripts for tracing classes and functions and for modifying the return values of methods on the iOS platform.

👉 For the Android platform: frida-android-hook

👉 For intercepting encrypted APIs in iOS applications: frida-ios-intercept-api

Env OS Support

| OS      | Supported          | Note |
|---------|--------------------|------|
| MacOS   | :white_check_mark: | main |
| Linux   | :white_check_mark: | sub  |
| Windows | :white_check_mark: | sub  |

Compatible with

| iOS    | Frida  | Frida-tools | Supported          |
|--------|--------|-------------|--------------------|
| 15.7.4 | 16.1.3 | 12.2.1      | :white_check_mark: |

Feature

Runs on Python 3.x

Supports both spawning a process and attaching a script to a running process.

    [+] Options:

        -p(--package)           Identifier of application ex: com.apple.AppStore
        -n(--name)              Name of application ex: AppStore
        -s(--script)            Using script format script.js
        -c(--check-version)     Check for the newest version
        -u(--update)            Update to the newest version

        [*] Dump decrypt IPA:

        -d, --dump              Dump decrypt application.ipa
        -o OUTPUT_IPA, --output=OUTPUT_IPA
                                Specify name of the decrypted IPA

        [*] Dump memory of Application:

        --dump-memory           Dump memory of application

        [*] HexByte Scan IPA:

        --hexbyte-scan          Scan or Patch IPA with byte patterns
        --pattern=PATTERN       Pattern for hexbytescan
        --address=ADDRESS       Address for hexbytescan
        -t TASK, --task=TASK    Task for hexbytescan

        [*] Information:

        --list-devices          List All Devices
        --list-apps             List The Installed apps
        --list-scripts          List All Scripts
        --logcat                Show system log of device
        --shell, --ssh          Get the shell of connect device

        [*] Quick method:

        -m(--method)            Support commonly used methods
                                    app-static(-n)
                                    bypass-jb(-p)
                                    bypass-ssl(-p)
                                    i-url-req(-n)
                                    i-crypto(-p)

        [*] reFlutter:

        --reflutter=FLUTTERFILE
                                File Flutter.ipa

📜 ChangeLog

Version: 3.9

    [+] Add:
        - Add backtrace to hooking.js
    [+] Change:
        - Update frida version
        - Update readme, changelog, requirement
    [+] Fix:
        - Fix issue #85

See Full ChangeLog

Install

    [+] Latest version

        https://github.com/noobpk/frida-ios-hook/releases

    [+] Develop version

        git clone -b dev https://github.com/noobpk/frida-ios-hook

Environment

[+] Python >= v3.0 (recommended: use pyenv or virtualenv)

1. cd frida-ios-hook/
2. python3 -m venv py-env
3. source py-env/bin/activate

Build

1. pip3 install -r requirements.txt
2. python3 setup.py
3. cd frida-ios-hook
4. ./ioshook -h (--help)

Usage

See the full usage in the Wiki.

If you run a script through the tool and it does not work, try running it with Frida directly: frida -U -f package -l script.js

📺 Demo Feature

| Title | Link |
|-------|------|
| Frida iOS Hook \| Basic Usage \| Install - List devices - List apps - List scripts - Logcat - Shell | https://youtu.be/xSndHgTdv4w |
| Frida iOS Hook \| Basic Usage \| Dump Decrypt IPA - Dump Memory App - Hexbyte-Scan IPA | https://youtu.be/AUsJ9_gnWAI |
| Frida iOS Hook \| Basic Usage \| App Static - Bypass Jailbreak - Bypass SSL - Intercept URL + Crypto | https://youtu.be/nWhKDSzArf8 |
| Frida iOS Hook \| Advance Usage \| Memory Dump - Radare2 - Iaito | https://youtu.be/nUqE4EYWiEc |

Frida-Script

Some Frida scripts are included to help with pentesting iOS apps. Each script is marked by the mode it is meant for: spawn (S) or attach (A).

| N  | Spawn/Attach | Script Name | Script Description | Script Version |
|----|--------------|-------------|--------------------|----------------|
| 1  | S   | backtrace.js | Backtrace | 1.0 |
| 2  | S   | bypass-flutter-ssl.js | Flutter bypass ssl pinning | 1.0 |
| 3  | S   | bypass-jailbreak-1.js | Basic bypass jailbreak detection | 1.0 |
| 4  | S   | bypass-ssl-ios13.js | iOS 13 bypass ssl pinning | 1.0 |
| 5  | S   | dump-ios-url-scheme.js | Dump iOS url scheme when "openURL" is called | 1.0 |
| 6  | S   | dump-ui.js | Dump the current on-screen User Interface structure | 1.0 |
| 7  | S+A | find-all-classes-methods.js | Dump all methods inside all classes | 1.0 |
| 8  | S+A | find-all-classes.js | Dump all classes used by the app | 1.0 |
| 9  | S+A | find-app-classes-methods.js | Dump all methods inside classes owned by the app only | 1.0 |
| 10 | S+A | find-app-classes.js | Dump classes owned by the app only | 1.0 |
| 11 | S+A | find-specific-method.js | Find a specific method in all classes | 1.0 |
| 12 | S+A | flutter_trace_function.js | iOS flutter trace function | 1.0 |
| 13 | S+A | hook-all-methods-of-all-classes-app-only.js | Hook all the methods of all the classes owned by the app | 1.0 |
| 14 | S+A | hook-all-methods-of-specific-class.js | Hook all the methods of a particular class | 1.0 |
| 15 | S+A | hook-specific-method-of-class.js | Hook a particular method of a specific class | 1.0 |
| 16 | S+A | intercept-nslog.js | Intercept calls to Apple's NSLog logging function | 1.0 |
| 17 | S+A | ios-app-static-analysis.js | iOS app static analysis | 1.0 |
| 18 | S   | ios-biometric-bypass.js | iOS Biometric Bypass | 1.0 |
| 19 | S+A | ios-intercept-crypto-2.js | iOS Intercepts Crypto Operations 2 | 1.0 |
| 20 | S+A | ios-intercept-crypto.js | iOS Intercepts Crypto Operations | 1.0 |
| 21 | S+A | ios-list-apps.js | iOS List Application | 1.0 |
| 22 | S+A | ios-url-scheme-fuzzing.js | iOS URL Scheme Fuzzing | 1.0 |
| 23 | S+A | pasteboard-monitoring.js | Monitor usage of pasteboard. Useful to show lack of secure attribute on sensitive fields allowing data copying. | 1.0 |
| 24 | S+A | raptor_frida_ios_autoIntercept.js | Raptor frida ios auto intercept | 1.0 |
| 25 | S+A | raptor_frida_ios_bypass1.js | Raptor frida ios bypass 1 | 1.0 |
| 26 | S+A | raptor_frida_ios_bypass2.js | Raptor frida ios bypass 2 | 1.0 |
| 27 | S+A | raptor_frida_ios_call.js | Raptor frida ios call | 1.0 |
| 28 | S+A | raptor_frida_ios_debug.js | Raptor frida ios debug | 1.0 |
| 29 | S+A | raptor_frida_ios_enum.js | Raptor frida ios enum | 1.0 |
| 30 | S+A | raptor_frida_ios_lowlevel1.js | Raptor frida ios low level 1 | 1.0 |
| 31 | S+A | raptor_frida_ios_lowlevel2.js | Raptor frida ios low level 2 | 1.0 |
| 32 | S+A | raptor_frida_ios_stalker.js | Raptor frida ios stalker | 1.0 |
| 33 | S+A | raptor_frida_ios_touchid.js | Raptor frida ios touchid | 1.0 |
| 34 | S+A | raptor_frida_ios_trace.js | Raptor frida ios trace | 1.0 |
| 35 | S+A | read-nsuserdefaults.js | Show contents of NSUserDefaults | 1.0 |
| 36 | S+A | read-plist-file.js | Show contents of a Plist file | 1.0 |
| 37 | S   | replace-exported-method.js | Replace a module's exported function | 1.0 |
| 38 | S+A | show-all-methods-of-specific-class.js | Dump all methods of a particular class | 1.0 |
| 39 | S+A | show-argument-type-count-and-return-value-type.js | Show argument type & count and type of return value for a function in a class | 1.0 |
| 40 | S+A | show-instance-variables-for-specific-class.js | Show all instance variables of a particular class | 1.0 |
| 41 | S+A | show-modify-function-arguments.js | Show and modify arguments of a function inside a class | 1.0 |
| 42 | S+A | show-modify-method-return-value.js | Show and modify return value of a particular method inside a class | 1.0 |
| 43 | S+A | show_binarycookies.js | Show contents of Cookies.binarycookies file | 1.0 |
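The kind of trace that scripts 39 and 42 above perform, as an added example written for this page (it is not one of the project's scripts): a Frida script that hooks one Objective-C method, reports its argument types and return type, and logs each call. The class and selector are hypothetical placeholders; the hook body only runs inside the Frida agent, while the helper functions are plain JavaScript.

```javascript
// Added example: trace one Objective-C method with Frida (e.g. ioshook -n <App> -s trace-method.js).
// TARGET_CLASS / TARGET_SELECTOR are hypothetical placeholders; replace them for the app under test.
const TARGET_CLASS = 'LoginManager';
const TARGET_SELECTOR = '- validateToken:forUser:';

// Objective-C selectors carry one explicit argument per colon.
function selectorArgumentCount(selector) {
  return (selector.match(/:/g) || []).length;
}

// Frida method objects expose argumentTypes/returnType. The first two entries of
// argumentTypes are the implicit self and _cmd, which the caller never passes explicitly.
function summarizeMethod(selector, method) {
  return {
    selector,
    argumentCount: selectorArgumentCount(selector),
    argumentTypes: method.argumentTypes.slice(2),
    returnType: method.returnType,
  };
}

// One log line per call: signature first, then the raw argument and return values.
function formatCall(summary, argValues, retval) {
  return `${summary.selector} (${summary.argumentTypes.join(', ')}) -> ${summary.returnType}: ` +
    `args=[${argValues.join(', ')}] ret=${retval}`;
}

// The hook needs the ObjC bridge, so it is skipped outside the Frida runtime (e.g. under Node).
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const cls = ObjC.classes[TARGET_CLASS];
  if (cls === undefined) {
    console.log(`[!] class ${TARGET_CLASS} not found`);
  } else {
    const method = cls[TARGET_SELECTOR];
    const summary = summarizeMethod(TARGET_SELECTOR, method);
    Interceptor.attach(method.implementation, {
      onEnter(args) {
        // args[0] = self, args[1] = _cmd; explicit arguments start at args[2].
        // Values are logged as raw pointers/integers; wrap an argument in
        // new ObjC.Object(...) only when you know it is an Objective-C object.
        this.argValues = summary.argumentTypes.map((_type, i) => args[i + 2].toString());
      },
      onLeave(retval) {
        console.log(formatCall(summary, this.argValues, retval));
      },
    });
    console.log(`[*] hooked ${TARGET_CLASS} ${TARGET_SELECTOR}`);
  }
}
```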

Hexbytescan-Task

| N | Task Name | Task Description |
|---|-----------|------------------|
| 1 | openssl_hook.json | OpenSSL 1.0.2 certificate pinning hook on arm64 |
| 2 | openssl_1_1_0_hook.json | OpenSSL 1.1.0 certificate pinning hook for arm64; it modifies the cmp instruction in the tls_process_server_certificate method |
| 3 | openssl_hook_v2.json | OpenSSL 1.0.2 certificate pinning hook on arm64 with an improved pattern, possibly for a different compiler version or a slightly updated OpenSSL; use it if the first version does not find the patch location. These hooks patch the call to ssl_verify_cert_chain in ssl3_get_server_certificate. |

Disclaimer

Because I am not a developer, my coding skills might not be the best. Therefore, if this tool has any issue or does not work for you, create an issue and I will try to fix it. Any suggestions for new features and discussions are welcome!