vtky edited this page Oct 16, 2016 · 8 revisions

Swizzler 2

With stable jailbreaks becoming something of a rare commodity, anyone who wants to tinker with and understand what's going on inside a mobile app may struggle to get a proper setup up and working, especially if they want to test the app on newer versions of iOS. Swizzler 2 and the guide in this wiki aim to help by detailing, step by step, how to go about setting up and analysing a mobile app on a non-jailbroken iOS device.

Tested to work with:

  • Frida 8.1 and above
  • iOS 9.0, 10.0, 10.1b3

Table of Contents

  1. Non-Jailbroken Device Setup
  2. Modifying The App
     1. git clone https://github.com/vtky/resign.git
     2. Install the App
     3. Running Frida!

Non-Jailbroken Device Setup

There are some things which you'll need for the setup to work properly:

  1. iOS Developer Account
  2. XCode
  3. Decrypted .ipa of the app you want to analyse
  4. FridaGadget dylib or CydiaSubstrate binary
     • CydiaSubstrate: extract the CydiaSubstrate binary from the deb at the path data.tar.lzma/Library/Frameworks/CydiaSubstrate.framework
  5. ios-deploy binary

Modifying The App

In order to get Frida or CydiaSubstrate working with the app you'll need to modify the app binary and insert new load commands. In this example I will use Frida, because it is much faster at instrumentation as compared to CydiaSubstrate.

It is possible to use existing tweaks that make use of CydiaSubstrate, however it will require converting them into a dylib for insertion into the app binary. More on how to do that later.

1. git clone https://github.com/vtky/resign.git

resign is an XCode project that will help you easily modify an ipa file, include the new Frida or CydiaSubstrate dylibs and resign everything for you.

  1. Copy the .ipa that you want to modify into the ipa_to_resign folder.
  2. Copy the dylibs you want inserted into the dylibs_to_insert folder.
  3. Change the following to suit your needs:
     • Bundle Identifier
     • Signing Team
     • Deployment Target
  4. Build it! Product -> Build or Command-B
  5. Your build will result in a .app file which can be found in the build folder of the resign project.
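Before installing the rebuilt .app it is worth confirming that the dylib really was added to the main executable as a new load command, since a missing or mangled LC_LOAD_DYLIB is the usual reason the Gadget never starts. The following is an added example, not part of the Swizzler 2 wiki or the resign project: a small Mach-O load-command walker that lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB entry and checks for FridaGadget.dylib. It parses thin little-endian Mach-O files (arm64/armv7 app binaries); the sample binaries are constructed in the script itself, and the `@executable_path/Frameworks/FridaGadget.dylib` path is an assumed example of where an inserted dylib might point, not a value taken from the page.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O, little-endian on disk
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
DYLIB_COMMANDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB",
                  LC_LOAD_WEAK_DYLIB: "LC_LOAD_WEAK_DYLIB"}


def list_dylib_load_commands(data: bytes):
    """Return [(command_name, dylib_path), ...] in load-command order.

    Only thin (non-fat) little-endian Mach-O images are handled; anything
    else raises ValueError rather than returning a misleading empty list.
    """
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has a trailing 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)

    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")

    results = []
    off = header_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in DYLIB_COMMANDS:
            # dylib_command: cmd, cmdsize, then struct dylib whose first
            # field is an lc_str offset (relative to the command start).
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            if name_off < 24 or name_off >= cmdsize:
                raise ValueError("bad lc_str offset %d at offset %d" % (name_off, off))
            raw = data[off + name_off: off + cmdsize]
            path = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            results.append((DYLIB_COMMANDS[cmd], path))
        off += cmdsize
    return results


def has_gadget(data: bytes, needle: str = "FridaGadget.dylib") -> bool:
    """True if any dylib load command references the Frida gadget."""
    return any(needle in path for _, path in list_dylib_load_commands(data))


# --- constructed sample binaries (headers only, no code) for demonstration ---

def _dylib_command(cmd: int, path: str, align: int = 8) -> bytes:
    name = path.encode() + b"\0"
    cmdsize = (24 + len(name) + align - 1) // align * align   # 8-byte aligned
    # fields: cmd, cmdsize, name offset (24), timestamp, current_version, compat_version
    fixed = struct.pack("<IIIIII", cmd, cmdsize, 24, 2, 0x10000, 0x10000)
    return fixed + name.ljust(cmdsize - 24, b"\0")


def build_sample_macho(dylibs) -> bytes:
    """Minimal arm64 MH_EXECUTE header followed only by dylib load commands."""
    cmds = b"".join(_dylib_command(c, p) for c, p in dylibs)
    # magic, cputype (CPU_TYPE_ARM64), cpusubtype, filetype (MH_EXECUTE),
    # ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds


COMMON = [
    (LC_LOAD_DYLIB, "/System/Library/Frameworks/Foundation.framework/Foundation"),
    (LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
]
SAMPLE_BEFORE = build_sample_macho(COMMON)                     # original app binary
SAMPLE_AFTER = build_sample_macho(COMMON + [                   # after resign inserted the gadget
    (LC_LOAD_DYLIB, "@executable_path/Frameworks/FridaGadget.dylib"),  # assumed path
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AFTER
    for cmd_name, path in list_dylib_load_commands(data):
        print("%-20s %s" % (cmd_name, path))
    print("FridaGadget present:", has_gadget(data))
```

Run it against the executable inside your rebuilt .app (the file named after the bundle, not the .app directory) to see the load-command list; a fat (multi-architecture) binary must be thinned first, as the parser deliberately refuses anything that is not a thin little-endian image.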

2. Install the App

There are 2 ways of installing the app, either through XCode or via ios-deploy.

XCode

  1. Window -> Devices
  2. Select your iOS device
  3. Drag and drop the .app file into the Installed Apps section of the devices window.

ios-deploy

I prefer this because we will still need to use ios-deploy later on to get Frida working.

  1. ios-deploy -b /path/to/your/new/resign.app -d

3. Running Frida!

In order for the FridaGadget dylib to run properly and perform C/C++ function hooking, the app needs to be run under lldb (unless you have the run-unsigned-code entitlement in your provisioning profile; if so, please ping me, I want to know how you got it).

By installing the app with ios-deploy and the -d option, you will already be installing and starting the app for debugging. Nothing else needs to be done.

There is another option in ios-deploy: ios-deploy -b /path/to/your/new/resign.app -m. The -m flag will skip the installation and just start the app for debugging.

If everything worked, you should see a log message

Frida: Listening on TCP port XXXX

Start Frida!

⚡ frida-ps -U
 PID  Name
----  ------
1518  Gadget

⚡ frida -U Gadget
     ____
    / _  |   Frida 8.1.0 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/

[USB::iPhone::Gadget]->
