You may already know a fair amount about r2frida by now (its definition, usage, options, setup, and examples), which we covered in the earlier blog of this series.
In case you missed it, you can find it here.
In this blog, we'll explore how r2frida can be instrumental in manipulating an iOS app's runtime.
Loading an iOS application for analysis
Today, we'll look into the analysis of DVIA-v2 (Damn Vulnerable iOS Application) and use the power of r2frida to complete the login challenge through runtime manipulation. First off, I need to install the DVIA-v2 application on my device. I'll use a tool called ios-deploy to install the ipa file onto the device. It's good practice to have AppSync Unified installed on the device if you want to deal with app signing issues, as it bypasses installd's signature checks.
Let's use frida-ps to get the list of apps installed on the iOS device.
frida-ps -Uai
When executing the command frida-ps -Uai, you'll obtain essential information such as the Process ID (PID), name, and identifier of the running and installed applications.
Once we obtain the application identifier, we can proceed to spawn the application using r2frida for further analysis.
r2 frida://spawn/usb//com.appknox.DVIAswiftv2
Executing this command spawns the application and pauses its execution. To resume the application's execution, enter the :dc command in the r2frida session.
Additionally, the :i command helps obtain information about the target (pid, name, home, arch, bits, etc.).
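The frida-ps to r2frida spawn step above, automated as an added example (not code from the original post): it parses frida-ps -Uai output, where the PID is "-" for installed-but-not-running apps and the app name may contain spaces, and builds the spawn URI. The sample frida-ps output is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example: pick an app's bundle identifier out of `frida-ps -Uai` output and
# build the r2frida spawn URI. frida-ps prints three columns (PID, Name, Identifier);
# only the first and last fields are reliable boundaries because Name may contain spaces.

# Constructed sample of `frida-ps -Uai` output (not captured from a real device).
SAMPLE_PS_OUTPUT='  PID  Name          Identifier
-----  ------------  -----------------------------
 1234  DVIA-v2       com.appknox.DVIAswiftv2
    -  App Store     com.apple.AppStore
  567  Settings      com.apple.Preferences'

# app_identifier NAME [PS_OUTPUT]: print the bundle identifier for an exact app name.
# Reads from `frida-ps -Uai` unless the output is supplied as the second argument.
app_identifier() {
    name="$1"
    out="${2:-$(frida-ps -Uai)}"
    printf '%s\n' "$out" | awk -v want="$name" '
        NR <= 2 { next }                      # skip header and separator rows
        NF >= 3 {
            id = $NF                          # identifier is always the last field
            n = $2                            # name spans fields 2 .. NF-1
            for (i = 3; i < NF; i++) n = n " " $i
            if (n == want) { print id; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# spawn_uri NAME [PS_OUTPUT]: print the r2frida URI that spawns the app over USB.
spawn_uri() {
    id=$(app_identifier "$1" "$2") || return 1
    printf 'frida://spawn/usb//%s\n' "$id"
}

# Usage with the constructed sample; against a real device, drop the second argument.
spawn_uri "DVIA-v2" "$SAMPLE_PS_OUTPUT"
```

The printed URI is what you pass to r2 (r2 frida://spawn/usb//com.appknox.DVIAswiftv2 for the sample).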
Analyzing the login challenge
If you go to the “Runtime Manipulation” section of the DVIA application, you will see the login challenge. This challenge has a simple interface with two kinds of login buttons and fields for entering a username and password.
To analyze the classes for this challenge, you can list the classes in the application with the :ic command. To narrow down the results, use the filter :ic~+String. Let's check the classes related to the runtime manipulation challenge by filtering the class list with :ic~+runtimemanip
As you can see, there's a class called DVIA_v2.RuntimeManipulationDetailsViewController. Let's check the methods in the class: running :ic DVIA_v2.RuntimeManipulationDetailsViewController gives the list of methods present in the class.
This class doesn't contain any methods related to validating the login, so we can ignore it and check other class names related to the login challenge. Let's check if there are any classes with names containing login.
As you can see, there's a LoginValidate class. This could be responsible for the logic of the login challenge. Let's check if there are any methods that check the login validation.
The LoginValidate class has a method named isLoginValidated. Let's check whether this method really validates the login challenge by tracing the method with the :dtf command. As observed in the previous section, the address of isLoginValidated is 0x00000001007d6080. The following command can be executed to trace the execution of this method.
:dtf 0x00000001007d6080
This command returns a true response, which means it executed correctly. Now, let's enter wrong credentials and try to log in using Login method 1.
As you can see, the trace command returned 0x0, which means the login failed due to incorrect credentials.
Hooking with r2frida
Now we know that the isLoginValidated method returns 0x0 for incorrect credentials. With all the information we need, we can easily play around with the isLoginValidated method. By changing the return value to 0x1, we can make the app think the wrong credentials are correct. There are two ways we can modify the return value of a method. The first one uses the Frida Interceptor API, and the other one uses the r2frida command :dif
The Interceptor API allows us to easily hook functions or code sections provided they have a valid memory address. It takes NativePointers matching the target function address and lets us attach to them with two interesting callbacks, onEnter and onLeave.
:eval Interceptor.attach(ptr(0x00000001007d6080), {onLeave: function (retval) {retval.replace(0x1)}})
Are you wondering what this command does? We're using the :eval command in r2frida to run JavaScript code. This JavaScript code hooks into the function at a specific memory address (0x00000001007d6080). When this function finishes running, the onLeave callback changes the function's return value to 1 before it actually returns.
Again, log in with the wrong credentials and observe r2frida. The return value is changed to 0x1, making the login successful.
So, using :eval to run JavaScript code with the Interceptor API, we were able to bypass the login challenge. Let's look into another way of changing the return value of a function using the r2frida built-in command :dif
Using :dif1, we can replace the function's return value with 1 and bypass the login challenge.
And there you have it: we successfully bypassed the login challenge using two methods.
Conclusion
As we draw the curtains on our exploration of r2frida, it's evident that this tool is a force to be reckoned with in iOS security. By seamlessly blending static analysis and dynamic instrumentation techniques, r2frida empowers researchers to uncover vulnerabilities and strengthen defenses. So, here's to harnessing the power of r2frida and making our digital world a safer place, one app at a time.