[frida] 일단 여기까지

lispro062018.03.16 19:39조회 수 1750댓글 0

IOS 10.3.3 iPhone 5 에서 http://build.frida.re 소스 추가하고, 32bit 용 frida 설치 후, USB 로 연결.

C:UsersUSERAppDataLocalProgramsPythonPython36Scripts>frida -U AntiPiracyDemo

____

/ _ | Frida 10.6.54 - A world-class dynamic instrumentation toolkit

| (_| |

> _ | Commands:

/_/ |_| help -> Displays the help system

. . . . object? -> Display information about 'object'

. . . . exit/quit -> Exit

. . . .

. . . . More info at http://www.frida.re/docs/home/

[iOS Device::AntiPiracyDemo]-> w = ObjC.classes.UIWindow.keyWindow()

{

"handle": "0x1462f0b0"

}

[iOS Device::AntiPiracyDemo]-> desc = w.recursiveDescription().toString()

"<UIWindow: 0x1462f0b0; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x14534000>; layer = <UIWindowLayer: 0x1462f460>>

| <UIView: 0x146478d0; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x146479b0>>

| | <UILabel: 0x14574f50; frame = (20 88; 280 65); text = ''; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x145748f0>>

| | <UIRoundedRectButton: 0x14534450; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x14531920>>

| | | <UIButtonLabel: 0x14529b10; frame = (12 9; 97 19); text = 'Am I Pirated?'; clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1452ed10>>

| | <UILabel: 0x146482d0; frame = (20 20; 290 21); text = 'SecurityTube Jailbreak / ...'; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x14648540>>"

[iOS Device::AntiPiracyDemo]->ObjC.classes.AntiPiracyViewController["- isJailbroken"]

[interceptSendMessage.js]

var sendMessage = ObjC.classes.AntiPiracyViewController["- isJailbroken"];

Interceptor.attach(sendMessage.implementation, {

onEnter: function(args) {

// args[0] is self

// args[1] is selector (SEL "isJailbroken")

// args[2] holds the first function argument, an NSString

var message = ObjC.Object(args[2]);

console.log("n[AntiPiracyViewController isJailbroken@""

+ message.toString() + ""]");

}

});

[sw.js]

const method = ObjC.classes.AntiPiracyViewController['- isJailbroken'];

const originalImpl = method.implementation;

method.implementation = ObjC.implement(method, function (self, sel, category, error) {

return false;

});

1) interceptSendMessage

C:UsersUSERAppDataLocalProgramsPythonPython36Scripts>frida -U -l interceptSendMessage.js AntiPiracyDemo

[AntiPiracyViewController isJailbroken@"<UITouchesEvent: 0x16d76fa0> timestamp: 38102.4 touches: {(

<UITouch: 0x16da0190> phase: Ended tap count: 1 force: 0.000 window: <UIWindow: 0x16d88940; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x16d898e0>; layer = <UIWindowLayer: 0x16d88c90>> view: <UIRoundedRectButton: 0x16e7ed30; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x16e81610>> location in window: {146, 207} previous location in window: {146, 207} location in view: {46, 13} previous location in view: {46, 13}

2) sw.js

swizzling을 한 것인데, cycript 처럼 return을 false 정의했기 때문에, not Jailbroken을 볼 수 있다.

http://securitytube4.rssing.com/chan-10995869/all_p1.html

위 사이트에는 gdb 와 cycript 로 실습 가능하고, frida는 없어서

https://webcache.googleusercontent.com/search?q=cache:-3suOJM3DZkJ:https://www.frida.re/docs/presentations/ncn-2015-cross-platform-reversing-with-frida.pdf+&cd=1&hl=ko&ct=clnk&gl=kr

를 참고하여 했더니, 생각보다 빨리 해결했다.

lispro06 (비회원)