On an iPhone 5 running iOS 10.3.3, add the http://build.frida.re source, install the 32-bit frida package, and connect over USB.
C:\Users\USER\AppData\Local\Programs\Python\Python36\Scripts>frida -U AntiPiracyDemo
     ____
    / _  |   Frida 10.6.54 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
[iOS Device::AntiPiracyDemo]-> w = ObjC.classes.UIWindow.keyWindow()
{
"handle": "0x1462f0b0"
}
[iOS Device::AntiPiracyDemo]-> desc = w.recursiveDescription().toString()
"<UIWindow: 0x1462f0b0; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x14534000>; layer = <UIWindowLayer: 0x1462f460>>
| <UIView: 0x146478d0; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x146479b0>>
| | <UILabel: 0x14574f50; frame = (20 88; 280 65); text = ''; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x145748f0>>
| | <UIRoundedRectButton: 0x14534450; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x14531920>>
| | | <UIButtonLabel: 0x14529b10; frame = (12 9; 97 19); text = 'Am I Pirated?'; clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1452ed10>>
| | <UILabel: 0x146482d0; frame = (20 20; 290 21); text = 'SecurityTube Jailbreak / ...'; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x14648540>>"
[iOS Device::AntiPiracyDemo]->ObjC.classes.AntiPiracyViewController["- isJailbroken"]
[interceptSendMessage.js]
var sendMessage = ObjC.classes.AntiPiracyViewController["- isJailbroken"];
Interceptor.attach(sendMessage.implementation, {
    onEnter: function(args) {
        // args[0] is self
        // args[1] is the selector (SEL "isJailbroken")
        // args[2] would hold the first method argument; -isJailbroken takes none,
        // so what gets logged here is a leftover register value, not a real argument
        var message = ObjC.Object(args[2]);
        console.log("\n[AntiPiracyViewController isJailbroken@\""
            + message.toString() + "\"]");
    }
});
[sw.js]
const method = ObjC.classes.AntiPiracyViewController['- isJailbroken'];
const originalImpl = method.implementation;   // kept so the original can be called or restored
// Swizzle: replace the method implementation. The callback receives only self and the
// selector, since -isJailbroken takes no arguments. Returning false makes the BOOL method report NO.
method.implementation = ObjC.implement(method, function (self, sel) {
    return false;
});
1) interceptSendMessage
C:\Users\USER\AppData\Local\Programs\Python\Python36\Scripts>frida -U -l interceptSendMessage.js AntiPiracyDemo
[AntiPiracyViewController isJailbroken@"<UITouchesEvent: 0x16d76fa0> timestamp: 38102.4 touches: {(
<UITouch: 0x16da0190> phase: Ended tap count: 1 force: 0.000 window: <UIWindow: 0x16d88940; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x16d898e0>; layer = <UIWindowLayer: 0x16d88c90>> view: <UIRoundedRectButton: 0x16e7ed30; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x16e81610>> location in window: {146, 207} previous location in window: {146, 207} location in view: {46, 13} previous location in view: {46, 13}
2) sw.js
This one swizzles the method: because its implementation is replaced with one that returns false, just as was done with cycript, the app shows "not Jailbroken".
http://securitytube4.rssing.com/chan-10995869/all_p1.html
The site above can be followed with gdb and cycript, but has nothing for frida, so I referred to
https://webcache.googleusercontent.com/search?q=cache:-3suOJM3DZkJ:https://www.frida.re/docs/presentations/ncn-2015-cross-platform-reversing-with-frida.pdf+&cd=1&hl=ko&ct=clnk&gl=kr
and got it working faster than I expected.