
[frida] This far for now

2018.03.16 10:39

lispro06 Views: 653

On an iPhone 5 running iOS 10.3.3, added the http://build.frida.re source (Cydia), installed the 32-bit frida package, and connected the device over USB.

C:\Users\USER\AppData\Local\Programs\Python\Python36\Scripts>frida -U AntiPiracyDemo
     ____
    / _  |   Frida 10.6.54 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/

[iOS Device::AntiPiracyDemo]-> w = ObjC.classes.UIWindow.keyWindow()
{
    "handle": "0x1462f0b0"
}
[iOS Device::AntiPiracyDemo]-> desc = w.recursiveDescription().toString()
"<UIWindow: 0x1462f0b0; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x14534000>; layer = <UIWindowLayer: 0x1462f460>>
   | <UIView: 0x146478d0; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x146479b0>>
   |    | <UILabel: 0x14574f50; frame = (20 88; 280 65); text = ''; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x145748f0>>
   |    | <UIRoundedRectButton: 0x14534450; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x14531920>>
   |    |    | <UIButtonLabel: 0x14529b10; frame = (12 9; 97 19); text = 'Am I Pirated?'; clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1452ed10>>
   |    | <UILabel: 0x146482d0; frame = (20 20; 290 21); text = 'SecurityTube Jailbreak / ...'; clipsToBounds = YES; opaque = NO; autoresize = RM+BM; userInteractionEnabled = NO; layer = <CALayer: 0x14648540>>"
[iOS Device::AntiPiracyDemo]-> ObjC.classes.AntiPiracyViewController["- isJailbroken"]

[interceptSendMessage.js]

var sendMessage = ObjC.classes.AntiPiracyViewController["- isJailbroken"];

Interceptor.attach(sendMessage.implementation, {
  onEnter: function(args) {
    // args[0] is self
    // args[1] is the selector (SEL "isJailbroken")
    // isJailbroken takes no arguments of its own, so args[2] is just whatever
    // the caller left in the third argument register. In the run below that
    // happens to be the UITouchesEvent forwarded by the button action; it is
    // not an NSString and is only logged here to show where the call came from.
    var message = ObjC.Object(args[2]);
    console.log("\n[AntiPiracyViewController isJailbroken@\""
        + message.toString() + "\"]");
  }
});

[sw.js]

const method = ObjC.classes.AntiPiracyViewController['- isJailbroken'];
// kept so the original can be restored later: method.implementation = originalImpl
const originalImpl = method.implementation;
// isJailbroken takes no arguments beyond self and the selector
method.implementation = ObjC.implement(method, function (self, sel) {
  return false; // always report "not jailbroken", whatever the real check says
});

1) interceptSendMessage

C:\Users\USER\AppData\Local\Programs\Python\Python36\Scripts>frida -U -l interceptSendMessage.js AntiPiracyDemo

[AntiPiracyViewController isJailbroken@"<UITouchesEvent: 0x16d76fa0> timestamp: 38102.4 touches: {(
    <UITouch: 0x16da0190> phase: Ended tap count: 1 force: 0.000 window: <UIWindow: 0x16d88940; frame = (0 0; 320 480); gestureRecognizers = <NSArray: 0x16d898e0>; layer = <UIWindowLayer: 0x16d88c90>> view: <UIRoundedRectButton: 0x16e7ed30; frame = (100 174; 121 37); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x16e81610>> location in window: {146, 207} previous location in window: {146, 207} location in view: {46, 13} previous location in view: {46, 13}

2) sw.js

This is swizzling: because the replacement implementation is defined to return false, just as one would do with cycript, the app now shows "not Jailbroken".
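As an added example (not code from the original post), the script below combines the two approaches above into one Frida script: an Interceptor hook that reads and overrides the BOOL return value in onLeave instead of logging a meaningless argument, and a swizzle that keeps the original implementation callable so the real check still runs and gets logged. The class and selector (`AntiPiracyViewController`, `- isJailbroken`) are the ones from the post; the helper names and the forced value are this example's own assumptions. The hook logic is written without Frida globals at the top level so it can be exercised outside Frida; the wiring at the bottom only runs inside Frida.

```javascript
// Added example, not the post's own code. Target class/selector are from the
// post; helper names (makeBoolHooks, swizzleBool) and the forced value are
// assumptions made here.

// Interceptor callbacks for an ObjC method that returns BOOL. Kept free of
// Frida globals so the logic can be exercised outside Frida as well.
function makeBoolHooks(label, forced) {
  return {
    onEnter(args) {
      // args[0] = self, args[1] = _cmd. isJailbroken takes no further
      // arguments, so args[2] is whatever the caller left in that register
      // (the post's log shows a UITouchesEvent there): do not dereference it.
      this.self = args[0];
    },
    onLeave(retval) {
      // BOOL comes back in the integer return register: 0 == NO, non-zero == YES.
      const original = retval.toInt32() !== 0;
      console.log(`[${label}] self=${this.self} original=${original} forced=${forced}`);
      retval.replace(forced ? 1 : 0);
    },
  };
}

// Swizzle variant: replace the implementation but keep the original callable,
// so the real check still executes (and can be logged) while the caller only
// ever sees the forced value. Returns the original so the hook can be undone.
function swizzleBool(method, label, forced) {
  const originalImpl = method.implementation;
  method.implementation = ObjC.implement(method, function (self, sel) {
    const real = originalImpl(self, sel);
    console.log(`[${label}] real=${real} -> returning ${forced}`);
    return forced;
  });
  return originalImpl;
}

// Wiring: only inside Frida, and only on an Apple target.
// Use one approach at a time; attaching to the original pointer and then
// swizzling would leave the Interceptor hook firing only via originalImpl.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const label = '-[AntiPiracyViewController isJailbroken]';
  const method = ObjC.classes.AntiPiracyViewController['- isJailbroken'];
  Interceptor.attach(method.implementation, makeBoolHooks(label, false));
  // Alternative: const restore = swizzleBool(method, label, false);
}
```

Run it with `frida -U -l <file>.js AntiPiracyDemo`, tap the button, and the log shows what the real check returned next to the value the app was handed. Note that this only patches one BOOL getter: an app that repeats the check elsewhere, inlines it, or validates the result server-side is not covered by hooking this selector alone.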

http://securitytube4.rssing.com/chan-10995869/all_p1.html

The site above has exercises for gdb and cycript but nothing for frida, so

https://webcache.googleusercontent.com/search?q=cache:-3suOJM3DZkJ:https://www.frida.re/docs/presentations/ncn-2015-cross-platform-reversing-with-frida.pdf+&cd=1&hl=ko&ct=clnk&gl=kr


I followed the slides above instead, and it worked out faster than I expected.