Categories: Kali Linux

Frisky – Tools To Assist Binary App Reversing & Augmentation

Frisky is an instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS. Most, if not all, recently tested on iOS 11.1.2 and macOS 10.12.6.

frida-url-interceptor.js(Frisky)

Intercepts all URLs of an iOS/macOS application, allowing you to trace and alter/intercept all network traffic, including https, per app before encryption and after decryption:

  1. iOS: open app of interest first, e.g. Safari
  2. macOS: frida -U -n Safari -l frida-url-interceptor.js
  3. It will also display a popup window upon the first request in the iOS app to confirm code interception

Also Read Dejavu – Open Source Deception Framework

ldid / ldid2

When building recent iOS jailbreaks dependent on SHA256 signatures, ldid2 is required. This repo will allow you to easily compile ldid and ldid2 for signing and modifying an iOS binary’s entitlements, and thus jailbreaking a device.

  1. macOS: ldid{2} -e MobileSafari # to dump MobileSafari’s entitlements
  2. macOS: ldid{2} -S cat # to sign cat
Extract shared libraries used by apps not directly available on iOS filesystem for static analysis:
  • Grab the patched dyld-210.2.3-patched (included in this repo) and run the custom dsc_extractor (you may need to compile from the xcodeproject) to dump iOS’ /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm* into individual dylibs:
  • macOS: mkdir -p dylibs && dyld-210.2.3-patched/launch-cache/dsc_extractor /path/to/copied/dyld_shared_cache_arm* dylibs
Discover and modify library/framekwork function call arguments and return codes via Frida:
  • iOS: open app of interest first, e.g. Twitter
  • macOS: frida-trace -U -i "*tls*" Twitter # hook all calls matching /tls/i for the Twitter app
  • macOS: Now __handlers__/libcoretls.dylib/tls_private_key_create.js will be generated:
    • onEnter‘s args[2] is first argument to the function
      • Extract string from first argument: Memory.readUtf8String(args[2]) or ObjC.Object(args[2]))
    • onLeave‘s retval is the return value
      • Print out retval: log(retval.toInt32())
      • Adjust retval: retval.replace(0)
Sniff network traffic from (non-jailbroken/jailbroken) iOS device from your mac:
  1. macOS: system_profiler SPUSBDataType|perl -n0e'`rvictl -s $1`if/iP(?:hone|ad):.*?Serial Number: (\S+)/s';sudo tcpdump -i rvi0
  2. standard tcpdump options/filters apply
Decrypt IPA (iOS apps)/Frameworks for static analysis via dumpdecrypted.dylib:
  1. iOS: su mobile && mkdir -p ~/tmp && cd ~/tmp && DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/*/AppName.app/AppName
View system logs on iOS live using deviceconsole:
  1. macOS: deviceconsole
  2. macOS: unbuffer deviceconsole | grep something # keeps pretty colors- requiresexpect, can be installed viasudo port install expectorbrew install expect`
Electra: allow jailbroken Tweaks to appear in Settings:
  1. iOS: mv /Library/TweakInject /Library/TweakInject.bak && ln -s /Library/MobileSubstrate/DynamicLibraries /Library/TweakInject && killall -HUP SpringBoard

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago