mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
GITBOOK-4115: change request with no subject merged in GitBook
This commit is contained in:
parent
06502cc441
commit
4e747159b1
8 changed files with 134 additions and 10 deletions
|
@ -313,13 +313,13 @@
|
|||
* [Webview Attacks](mobile-pentesting/android-app-pentesting/webview-attacks.md)
|
||||
* [iOS Pentesting Checklist](mobile-pentesting/ios-pentesting-checklist.md)
|
||||
* [iOS Pentesting](mobile-pentesting/ios-pentesting/README.md)
|
||||
* [Basic iOS Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)
|
||||
* [Burp Suite Configuration for iOS](mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md)
|
||||
* [Extracting Entitlements From Compiled Application](mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md)
|
||||
* [Frida Configuration in iOS](mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md)
|
||||
* [iOS App Extensions](mobile-pentesting/ios-pentesting/ios-app-extensions.md)
|
||||
* [iOS Basics](mobile-pentesting/ios-pentesting/ios-basics.md)
|
||||
* [iOS Basic Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)
|
||||
* [iOS Burp Suite Configuration](mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md)
|
||||
* [iOS Custom URI Handlers / Deeplinks / Custom Schemes](mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md)
|
||||
* [iOS Extracting Entitlements From Compiled Application](mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md)
|
||||
* [iOS Frida Configuration](mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md)
|
||||
* [iOS Hooking With Objection](mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md)
|
||||
* [iOS Protocol Handlers](mobile-pentesting/ios-pentesting/ios-protocol-handlers.md)
|
||||
* [iOS Serialisation and Encoding](mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md)
|
||||
|
|
|
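Review bot: the SUMMARY change is title-only, so no links break, but two of the renamed sidebar entries have no matching page-title change in this commit. Every new title keeps its old path (for example `mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md` appears under both `Basic iOS Testing Operations` and `iOS Basic Testing Operations`), and the other hunks of this commit update the `#` heading only in `basic-ios-testing-operations.md` and `frida-configuration-in-ios.md`. `burp-configuration-for-ios.md` and `extracting-entitlements-from-compiled-application.md` are not among the 8 changed files, so their page bodies will keep the old title while the sidebar shows `iOS Burp Suite Configuration` and `iOS Extracting Entitlements From Compiled Application`; update those two headings as well.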
@ -165,6 +165,16 @@ LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100028000 __TEXT
|
|||
|
||||
You can find further information about the [**information stored in these section in this blog post**](https://knight.sc/reverse%20engineering/2019/07/17/swift-metadata.html).
|
||||
|
||||
Moreover, **Swift binaries might have symbols** (for example libraries need to store symbols so its functions can be called). The **symbols usually have the info about the function name** and attr in a ugly way, so they are very useful and there are "**demanglers"** that can get the original name:
|
||||
|
||||
```bash
|
||||
# Ghidra plugin
|
||||
https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py
|
||||
|
||||
# Swift cli
|
||||
swift demangle
|
||||
```
|
||||
|
||||
### Packed binaries
|
||||
|
||||
* Check for high entropy
|
||||
|
|
|
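Review bot: the `bash` block mixes a bare URL with a command and shows `swift demangle` with no input, so it cannot be run as written. `https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py` belongs in the prose (or a comment) as a link, and `swift demangle` should be shown with a mangled symbol as its argument or with symbol-table output piped into it. In the prose, `information stored in these section` should be `these sections`, and `attr in a ugly way` reads better as `attributes in an ugly way`. Under `### Packed binaries`, the single bullet `Check for high entropy` says what to look for but not how; naming the tool or the metric to compute would make it actionable.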
@ -39,6 +39,10 @@ The ARM64 calling convention specifies that the **first eight parameters** to a
|
|||
|
||||
When reading a function in assembly, look for the **function prologue and epilogue**. The **prologue** usually involves **saving the frame pointer (`x29`)**, **setting** up a **new frame pointer**, and a**llocating stack space**. The **epilogue** usually involves **restoring the saved frame pointer** and **returning** from the function.
|
||||
|
||||
### Calling Convention in Swift
|
||||
|
||||
Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64)
|
||||
|
||||
### **Common Instructions**
|
||||
|
||||
ARM64 instructions generally have the **format `opcode dst, src1, src2`**, where **`opcode`** is the **operation** to be performed (such as `add`, `sub`, `mov`, etc.), **`dst`** is the **destination** register where the result will be stored, and **`src1`** and **`src2`** are the **source** registers. Immediate values can also be used in place of source registers.
|
||||
|
|
|
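Review bot: `Swift have its own` should be `Swift has its own`, and the new subsection is only a link. One sentence on how the Swift convention departs from the standard ARM64 one described just above (the additional registers the linked CallConvSummary lists as reserved for Swift-specific values such as `self` and the error result) would tell the reader why the link matters when those registers show up in a prologue.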
@ -38,6 +38,10 @@ The x64 calling convention varies between operating systems. For instance:
|
|||
|
||||
If the function has more than six inputs, the **rest will be passed on the stack**. **RSP**, the stack pointer, has to be **16 bytes aligned**, which means that the address it points to must be divisible by 16 before any call happens. This means that normally we would need to ensure that RSP is properly aligned in our shellcode before we make a function call. However, in practice, system calls work many times even if this requirement is not met.
|
||||
|
||||
### Calling Convention in Swift
|
||||
|
||||
Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64)
|
||||
|
||||
### **Common Instructions**
|
||||
|
||||
x64 instructions have a rich set, maintaining compatibility with earlier x86 instructions and introducing new ones.
|
||||
|
|
|
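Review bot: same wording problem as on the ARM64 page: `Swift have its own` should be `Swift has its own`. Since this subsection sits right after the sentence on the six-register C convention and RSP 16-byte alignment, a sentence on how the Swift x86-64 convention differs from that (the extra reserved registers listed in the linked CallConvSummary section) would make the link useful rather than a bare pointer.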
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
|
||||
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
|
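Review bot: the new `<figure>` keeps `alt=""` and adds an empty `<figcaption></figcaption>`. The image introduces the Intigriti bug-bounty banner below it, so give it a descriptive `alt` (for example `Intigriti`) and either fill the caption or drop the empty `<figcaption>` element, which renders nothing.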
@ -208,7 +208,7 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , {
|
|||
});
|
||||
```
|
||||
|
||||
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
|
||||
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
|
|
|
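Review bot: this is the same `<img>`-to-`<figure>` swap of `i3.png` and the same Intigriti paragraph as in the previous file, with the same empty `alt` and `<figcaption>`; apply the same fix here, and since the banner is copied verbatim across pages, a single shared snippet would keep future edits in one place.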
@ -230,6 +230,19 @@ DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8E
|
|||
LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library
|
||||
```
|
||||
|
||||
You could also search for the app name inside **`/private/var/containers`**:
|
||||
|
||||
```bash
|
||||
find /private/var/containers -name "Progname*"
|
||||
```
|
||||
|
||||
Or using **`ps`** and **`lsof`**:
|
||||
|
||||
```bash
|
||||
ps -ef | grep -i <app-name>
|
||||
lsof -p <pid> | grep -i "/containers" | head -n 1
|
||||
```
|
||||
|
||||
As you can see, apps have two main locations:
|
||||
|
||||
* The **Bundle** **directory** (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/`).
|
||||
|
|
|
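Review bot: `lsof -p <pid> | grep -i "/containers" | head -n 1` returns whichever `/containers` path lsof lists first, which may be the Bundle path rather than the Data container, while the surrounding text is about locating both. Since the bullets that follow distinguish `/var/containers/Bundle/Application/...` from `/var/mobile/Containers/Data/Application/...`, either drop `head -n 1` or grep for `Bundle/Application` and `Data/Application` separately. Also, `ps -ef | grep -i <app-name>` matches the `grep` process itself; mention that, or use a bracketed pattern such as `grep -i "[a]pp-name"` so the grep line does not match.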
@ -1,4 +1,4 @@
|
|||
# Basic iOS Testing Operations
|
||||
# iOS Basic Testing Operations
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -347,6 +347,14 @@ flexdump list #List apps
|
|||
flexdump dump Twitter.app #Create .ipa file from app
|
||||
```
|
||||
|
||||
#### bagbak
|
||||
|
||||
Yet another frida based App decryptor. Requires jailbroken iOS device and [frida.re](https://www.frida.re/)
|
||||
|
||||
```bash
|
||||
bagbak --raw Chrome
|
||||
```
|
||||
|
||||
#### r2flutch
|
||||
|
||||
[**r2flutch**](https://github.com/as0ler/r2flutch) is a tool that uses **radare** and **frida** to **decrypt** and **dump ios apps>**
|
||||
|
|
|
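Review bot: `bagbak` has no link, unlike r2flutch just below; add its repository (https://github.com/ChiChou/bagbak) next to the name, and write `Yet another Frida-based app decryptor. Requires a jailbroken iOS device and ...`. In the r2flutch line, `dump ios apps>` has a stray `>` inside the closing `**` and the sentence has no final period; `iOS` should also be capitalised consistently with the rest of the page.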
@ -1,4 +1,4 @@
|
|||
# Frida Configuration in iOS
|
||||
# iOS Frida Configuration
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -14,16 +14,101 @@
|
|||
|
||||
## Installing Frida
|
||||
|
||||
Go to **Cydia** app and add Frida’s repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the **frida** **source**, now you should **install** the **Frida** package.
|
||||
Go to **Cydia/Sileo** app in your Jailbroken device and add Frida’s repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the F**rida** **source**, now you should **install** the **Frida** package.
|
||||
|
||||
![](https://miro.medium.com/max/614/0\*qSD26kBtgt\_UIZk1.png)
|
||||
|
||||
After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it). Execute also `frida-ps -Uia` to check the running processes of the phone.
|
||||
If you are using **Corellium** you will need to download the Frida release from [https://github.com/frida/frida/releases](https://github.com/frida/frida/releases) (`frida-gadget-[yourversion]-ios-universal.dylib.gz`) and unpack and copy to the dylib location Frida asks for, e.g.: `/Users/[youruser]/.cache/frida/gadget-ios.dylib`
|
||||
|
||||
After installed, you can use in your PC the command **`frida-ls-devices`** and check that the device appears (your PC needs to be able to access it).\
|
||||
Execute also **`frida-ps -Uia`** to check the running processes of the phone.
|
||||
|
||||
## Frida without Jailbroken device & without patching the app
|
||||
|
||||
Check this blog post about how to use Frida in non-jailbroken devices without patching the app: [https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07](https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07)
|
||||
|
||||
## Frida Client Installation
|
||||
|
||||
Install **frida tools**:
|
||||
|
||||
```bash
|
||||
pip install frida-tools
|
||||
pip install frida
|
||||
```
|
||||
|
||||
With the Frida server installed and the device running and connected, **check** if the client is **working**:
|
||||
|
||||
```bash
|
||||
frida-ls-devices # List devices
|
||||
frida-ps -Uia # Get running processes
|
||||
```
|
||||
|
||||
## Frida Trace
|
||||
|
||||
```bash
|
||||
# Trace all methods of all classes
|
||||
frida-trace -U <program> -m "*[* *]"
|
||||
|
||||
# Trace all methods with the word "authentication" from classes that start with "NE"
|
||||
frida-trace -U <program> -m "*[NE* *authentication*]"
|
||||
```
|
||||
|
||||
### Get all classes and methods
|
||||
|
||||
* Get **all** available **classes** (filter by string)
|
||||
|
||||
{% code title="/tmp/script.js" %}
|
||||
```javascript
|
||||
// frida -U <program> -l /tmp/script.js
|
||||
|
||||
var filterClass = "filterstring";
|
||||
|
||||
if (ObjC.available) {
|
||||
for (var className in ObjC.classes) {
|
||||
if (ObjC.classes.hasOwnProperty(className)) {
|
||||
if (!filterClass || className.includes(filterClass)) {
|
||||
console.log(className);
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
console.log("Objective-C runtime is not available.");
|
||||
}
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
* Get **all** **methods** of a **class** (filter by string)
|
||||
|
||||
{% code title="/tmp/script.js" %}
|
||||
```javascript
|
||||
// frida -U <program> -l /tmp/script.js
|
||||
|
||||
var specificClass = "YourClassName";
|
||||
var filterMethod = "filtermethod";
|
||||
|
||||
if (ObjC.available) {
|
||||
if (ObjC.classes.hasOwnProperty(specificClass)) {
|
||||
var methods = ObjC.classes[specificClass].$ownMethods;
|
||||
for (var i = 0; i < methods.length; i++) {
|
||||
if (!filterMethod || methods[i].includes(filterClass)) {
|
||||
console.log(specificClass + ': ' + methods[i]);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
console.log("Class not found.");
|
||||
}
|
||||
} else {
|
||||
console.log("Objective-C runtime is not available.");
|
||||
}
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## Frida Android Tutorials
|
||||
|
||||
{% content-ref url="../android-app-pentesting/frida-tutorial/" %}
|
||||
[frida-tutorial](../android-app-pentesting/frida-tutorial/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
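Review bot: the second script filters on an undefined variable: `if (!filterMethod || methods[i].includes(filterClass))` should be `methods[i].includes(filterMethod)`. `filterClass` exists only in the first script, so as soon as `filterMethod` is non-empty this line throws a ReferenceError instead of filtering. Elsewhere in the hunk: the rewritten install sentence breaks the bold in the middle of a word (`Go to the F**rida** **source**`) and should read `Go to the **Frida source**`; `pip install frida` after `pip install frida-tools` is redundant because `frida-tools` depends on `frida`; and `frida-trace -U <program> -m "*[* *]"` hooks every Objective-C method in the process, which floods the output, so it is worth saying that the filtered form on the next line is the one to start from.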