20.7 C
New York
Monday, September 2, 2024

r2frida for iOS App Runtime Manipulation


You may already know a good bit about r2frida by now – its definition, utilization, options, set up, and examples – one thing we mentioned within the earlier weblog of this sequence. 

In case you missed out on it, you will discover it right here.

On this weblog, we’ll discover how r2frida will be instrumental in manipulating an iOS app’s runtime.

Loading an iOS Utility for evaluation

Right now, we’ll Look into the evaluation of the DVIA-v2 (Rattling Weak iOS Utility) and use the facility of r2frida to finish the login problem via runtime manipulation. First off, I might want to set up the DVIA-v2 utility on my gadget. I’ll use a instrument known as ios-deploy to put in the ipa file onto the gadget. It’s good follow to have AppSync Unified put in on the gadget if you wish to cope with app signing points, because it bypasses Installd’s signature checks.

Let’s use frida-ps to get the listing of apps put in on the iOS gadget.

frida-ps -Uai

An image of all the apps installed on a given iOS device by using the command frida-ps

When executing the command frida-ps -Uai, you’ll obtain important data such because the energetic and put in utility’s Course of ID (PID), title, and identifier.

As soon as we get hold of the applying identifier, we will proceed to spawn the applying utilizing r2frida for additional evaluation.

r2 frida://spawn/usb//com.appknox.DVIAswiftv2

A screenshot showing how you can spawn an iOS application and pause its execution flow.

Executing this command spawns the applying and pauses its execution stream. To renew the applying’s execution, enter the :dc command within the r2frida session.

Entering the :dc command to resume the execution of an iOS application

Moreover, the :i command helps get hold of details about the goal (pid, title, dwelling, arch, bits, and so on.).

the :i command helps get information about the iOS application's target

 

Analyzing the login problem

In case you go to the “Runtime Manipulation” portion of the DVIA utility, you will notice the login problem. This problem has an easy-to-use interface with two sorts of login buttons and fields for coming into a username and password.

An image showing the login challenge of runtime manipulation on the DVIA application

To research the lessons for this problem, you possibly can listing the lessons within the utility with the :ic command. To slim down the outcomes, use the filter :ic~+String. Let’s verify the lessons associated to the runtime manipulation problem by filtering the lessons listing with :ic~+runtimemanip

Checking the runtime manipulation-related classes by filtering them with the :ic~+runtimemanip command

As you possibly can see, there’s a class known as DVIA_v2.RuntimeManipulationDetailsViewController. Let’s verify the strategies within the class, so working :ic DVIA_v2.RuntimeManipulationDetailsViewController provides the listing of strategies current within the class.

List of methods present in a class (DVIA_v2.RuntimeManipulationDetailsViewController) in the iOS application

This class does not include any strategies associated to validating the login, so we will ignore this class and verify different class names associated to the login problem. Let’s verify if there are any lessons with names having a login.

Checking whether there are any classes with the name "login" in the iOS application

As you possibly can see, there’s a LoginValidate class. This may very well be liable for the logic of the login problem. Let’s verify if there are any strategies to verify the login validation.

The presence of the "loginvalidate class" proves the logic of the iOS app login challenge

The LoginValidate class has a way named isLoginValidated. Let’s verify if this technique actually checks the validation of the login problem by tracing the strategy utilizing :dtf command. As noticed within the earlier part, the handle of isLoginValidated is represented by 0x00000001007d6080. The next command will be executed to hint the execution of this technique.

:dtf 0x00000001007d6080

Using a command to check the validation of the login challenge in the iOS application

This command returns a real response, which implies it’s executed accurately. Now, let’s enter the flawed credentials and attempt to log in utilizing Login technique 1.

An image showing the login failure due to wrong credentials

As you possibly can see, the hint command returned 0x0, which implies the login failed because of incorrect credentials.

Hooking with r2Frida

Now we all know that the isLoginValidated technique returns 0x0 for incorrect credentials. With all the information we’d like, we will simply mess around with the isLoginValidated technique. By altering the return worth to 0x1, we will make the app suppose the flawed credentials are right. There are two methods we will modify the return worth of a way. The primary one makes use of Frida Interceptor API, and the opposite one makes use of the r2frida command :dif

The Interceptor API permits us to simply hook capabilities or code sections supplied they’ve a sound reminiscence handle. It takes NativePointers matching the goal perform handle and lets us connect them to some attention-grabbing callbacks onEnter and onLeave.

:eval Interceptor.connect(ptr(0x00000001007d6080), {onLeave: perform (retval) {retval.exchange(0x1)}})

Are you questioning what this command does? We’re utilizing the :eval command in r2frida to run JavaScript code. This JavaScript code hooks into the perform at a particular reminiscence handle (0x00000001007d6080). When this perform finishes working, it modifications the perform’s return worth to 1 earlier than it really returns.

Using the :eval command in r2frida to run the JavaScript code

Once more, log in with the flawed credentials and observe the r2frida. The return worth is modified to 0x1, making the login successful.

Observing r2frida by logging in with the wrong credentials

So, utilizing :eval to run javascript code with interceptor API, we had been in a position to bypass the login problem. Let’s look into one other technique to change the return worth of a perform utilizing the r2frida inbuilt command :dif

Changing the function's return value using the r2frida inbuilt command :dif to check if the login challenge can be bypassed

Utilizing :dif1, we will exchange the perform return worth with 1 and bypass the login problem.

Bypassing an iOS app's login challenge by using the :dif1 command to replace the function return value with 1

And there you might have it: we efficiently bypassed the login problem utilizing two strategies.

Conclusion

As we draw the curtains on our exploration of r2frida, it is evident that this instrument is a drive to be reckoned with in iOS safety. By seamlessly mixing static evaluation and dynamic instrumentation strategies, r2frida empowers researchers to uncover vulnerabilities and strengthen defenses. So, this is to harnessing the facility of r2frida and making our digital world a safer place, one app at a time.

 

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles