iOS逆向之hook框架frida的安装和使用

一、Frida

  • 利用 Hopper、class-dump、ios-ssl-kill-switch、Keychain-Dumper、MachOParser 可以进行静态分析。
  • 使用 CycriptTricks(Powerful private methods)、UIButton 的sendActionsForControlEvents、DerekSelander LLDB(Python scripts to aid in your debugging sessions)、frida 可以进行动态调试分析。
  • 采用 Theos、MonkeyDev 进行开发调 试iphone/tool、iphone/tweak。
  • Frida 是一款基于 Python + javascript 的 hook 框架,通杀 android\iOS\linux\win\osx 各平台。Frida 原理是手机端安装一个 server 程序把手机端的端口转到 PC 端写的 python 脚本进行通信,而 Python 脚本中采用 javascript 语言编写 hook 代码。

① install frida on device

  • Start Cydia and add Frida’s repository by navigating to Manage -> Sources -> Edit -> Add and entering https://build.frida.re
  • apt-get update:
-rwxr-xr-x 1 root wheel 11292672 Oct 14 00:54 /usr/sbin/frida-server*
-rw-r--r-- 1 root wheel 779 Oct 14 00:54 /Library/LaunchDaemons/re.frida.server.plist

② install frida on mac

  • 安装 pip, pip 是 Python 的包管理工具:
$ sudo easy_install pip
  • 安装:
$ sudo -H pip install frida
  • 升级 frida:
$ sudo pip install --upgrade frida --ignore-installed six
  • 通过 USB 连接设备,确保 Frida 正常工作:
-U, --usb  connect to USB device -a, --applications  list only applications -i, --installed  include all installed applications
$  frida-ps -Uai
PID  Name          Identifier                 
---  ------------  ---------------------------
904  Cydia         com.saurik.Cydia           
856  微信            com.tencent.xin            
858  邮件            com.apple.mobilemail       
App Store     com.apple.AppStore         

③ debug

  • pdb.py can be invoked as a script to debug other scripts:
$ python -m pdb  ./dump.py 微信
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(7)<module>()
-> import sys
  • pdb 常用命令:
(Pdb) h
Documented commands (type help <topic>):
========================================
EOF    bt         cont      enable  jump  pp       run      unt   
a      c          continue  exit    l     q        s        until 
alias  cl         d         h       list  quit     step     up    
args   clear      debug     help    n     r        tbreak   w     
b      commands   disable   ignore  next  restart  u        whatis
break  condition  down      j       p     return   unalias  where 
  • 说明:
break 或 b: 设置断点 设置断点
continue 或 c: 继续执行程序
list 或 l: 查看当前行的代码段
step 或 s: 进入函数
return 或 r: 执行代码直到从当前函数返回
exit 或 q: 中止并退出
next 或 n: 执行下一行
pp : 打印变量的值
(Pdb) pp os.getcwd()
'/Users/devzkn/Downloads/kevin\xef\xbc\x8dsoftware/ios-Reverse_Engineering/frida-ios-dump-master'
  • 打印汉字:
(Pdb) print sys.argv
['./dump.py', '\xe5\xbe\xae\xe4\xbf\xa1']
(Pdb) print sys.argv[1]
微信

④ 利用 frida 进行 dump

  • frida-ios-dump :https://github.com/zhangkn/frida-ios-dump
    • 安装上面步骤 install frida on device and mac;
    • 使用 usbmuxd 进行端口转发,本地端口 2222,转发到 iOS 的 22 端口;
    • 执行 dump.py。
devzkndeMacBook-Pro:bin devzkn$ frida-ps -Uai
 PID  Name          Identifier                 
----  ------------  ---------------------------
1314  App Store     com.apple.AppStore         
2151  微信            com.tencent.xin            
2183  淘宝联盟          com.alimama.moon           
1309  设置            com.apple.Preferences      
  • 必须在 dump.py 所在的目录下执行,即使使用 ln -l 也会失败:
devzkndeMacBook-Pro:frida-ios-dump-master devzkn$ ./dump.py 驱蚊大咖
open target  app......
start dump target app......

二、常见问题

① Operation not permitted

  • Operation not permitted: /var/folders/6t/h404bjcd5tb_4q86tpv_251rv_0h0j/T/pip-sYsqDS-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info;
  • This is because OS X El Capitan ships with six 1.4.1 installed already and when it attempts to uninstall it (because awscli depends on botocore, botocore depends on python-dateutil, and python-dateutil depends on six >= 1.5) it doesn’t have permission to do so because System Integrity Protection doesn’t allow even root to modify those directories.
$ sudo -H pip install --ignore-installed six
  • 检测 frida-server 没有启动:
iPhone:/usr/sbin root# killall SpringBoard
iPhone:/usr/sbin root# ps -e |grep frida-server
 2290 ttys000    0:00.01 grep frida-server

② frida Failed to spawn 的替代方案

  • 先使用 frida-ps -Uai 查看 PID;
  • 使用 frida -p attach:
$ frida -U -p 1262
     ____
    / _  |   Frida 10.6.27 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
                                                                                
[iPhone::PID::1262]-> 

③ 使用中文路径导致 frida-ios-dump 失败

  • 具体的问题分析过程:
(Pdb) l
108    script = loadJsFile(session, APP_JS);
109    name = target.decode('utf8');
110    script.post(name);
111    opened.wait();
112    session.detach();
113  ->  createDir(os.getcwd()+"/"+OUTPUT)
114    print "start dump target app......"
115    session = device.attach(name);
116    script = loadJsFile(session, DUMP_JS);
117    script.post("dump");
118    finished.wait();
(Pdb) s
--Return--
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(113)main()->None
-> createDir(os.getcwd()+"/"+OUTPUT)
(Pdb) l
108    script = loadJsFile(session, APP_JS);
109    name = target.decode('utf8');
110    script.post(name);
111    opened.wait();
112    session.detach();
113  ->  createDir(os.getcwd()+"/"+OUTPUT)
114    print "start dump target app......"
115    session = device.attach(name);
116    script = loadJsFile(session, DUMP_JS);
117    script.post("dump");
118    finished.wait();
(Pdb) s
UnicodeDecodeError: UnicodeD...ge(128)')
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(127)<module>()
-> main(sys.argv[1])
(Pdb) l
122    if len(sys.argv) < 2:
123     print "usage: ./dump.py 微信"
124     sys.exit(0)
125    else:
126     try:
127  ->    main(sys.argv[1])
128     except KeyboardInterrupt:
129      if session:
130       session.detach()
131      sys.exit()
132     except:
(Pdb) s
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(128)<module>()
-> except KeyboardInterrupt:
(Pdb) pp UnicodeDecodeError
<type 'exceptions.UnicodeDecodeError'>
  • 创建目录命名最好使用英文,否则脚本不支持中文路径的话,就容易出问题;比如 frida-ios-dump 就不支持存储路径是中文的。

你可能感兴趣的:(iOS逆向安全攻防,Frida的安装,Frida,调试,利用frida进行dump,Frida使用问题的解决)