[3] Deploy method hooks using frida REPL

Previous[2] Perform static analysis to locate some functions of interest Next[4a] Moar Static Analysis

Last updated 4 years ago

Was this helpful?

[3] Deploy method hooks using frida REPL

Alright, so - time to move on to DBI and inject Frida into our app!

Inject Frida

In the command prompt, navigate to the course scripts directory and type the following:

frida -U --runtime=v8 -l privatePhotoVault.js -F

To quickly pick apart the extra arguments we're passing:

-U tells frida to look for a device connected via USB (virtually or otherwise)
--runtime=v8 tells frida to use a newer version of JavaScript which has a number of quality of life improvements. I generally always use it.
-l privatePhotoVault.js tells frida to inject our course script with some pre-made functions useful for reversing.
For more reading on frida command line arguments, see frida.

This should get you to the following terminal view (hereinafter called the REPL):

If you made it here – excellent! Now, we’re ready to have some fun. If you’ve never written code before, that’s about to change! Don’t worry, we’ll take it slow!

Autocomplete / Intellisense

One thing Frida does that can make life a bit easier is provide a bit of good old intellisense. This means when you start typing, an autocomplete box appears which you can navigate with the up and down arrow keys.

In Lab 2, we identified the pinsMatch function as a candidate for method hooking, so let's start with that.

Get your hooks in!

To apply a method hook, we will use the traceMethod command. traceMethod is from the Raptor iOS tracing script and takes the class name as a string.

traceMethod('com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch')

If successful, you should see a message from Frida saying:

Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch [1 overload(s)]

If a class has multiple implementations of the same function name (each with different parameters), these are called overloads. This is common when an application has been obfuscated.

Time to see if we are on the right track! Enter the PIN on the device or emulator.

Excellent, so it appears our pinsMatch function is indeed getting called twice. The parameters are the same, except for argument[1] which is "pin" and "pin_decoy".

Now we will head back to our static analysis tool. From here, we have some options. Since our goal is to learn, we'll do a little bit of everything!

Continue to push through via static analysis, building our understanding up as we go. This option may appeal to those with more programming experience. [Lab 4a]
Cast a wider net with method hooks, hooking additional functions of interest, or even an entire class worth of functions. [Lab 4b]
Go full ham and write a PIN bruteforce, because it's fun (and relatively easy!) [Lab 4c]

Previous[2] Perform static analysis to locate some functions of interest Next[4a] Moar Static Analysis

Last updated 4 years ago

Was this helpful?

Alright, so - time to move on to DBI and inject Frida into our app!

Inject Frida

In the command prompt, navigate to the course scripts directory and type the following:

frida -U --runtime=v8 -l privatePhotoVault.js -F

To quickly pick apart the extra arguments we're passing:

-U tells frida to look for a device connected via USB (virtually or otherwise)
--runtime=v8 tells frida to use a newer version of JavaScript which has a number of quality of life improvements. I generally always use it.
-l privatePhotoVault.js tells frida to inject our course script with some pre-made functions useful for reversing.
For more reading on frida command line arguments, see frida.

This should get you to the following terminal view (hereinafter called the REPL):

If you made it here – excellent! Now, we’re ready to have some fun. If you’ve never written code before, that’s about to change! Don’t worry, we’ll take it slow!

Autocomplete / Intellisense

In Lab 2, we identified the pinsMatch function as a candidate for method hooking, so let's start with that.

Get your hooks in!

To apply a method hook, we will use the traceMethod command. traceMethod is from the Raptor iOS tracing script and takes the class name as a string.

traceMethod('com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch')

If successful, you should see a message from Frida saying:

Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch [1 overload(s)]

If a class has multiple implementations of the same function name (each with different parameters), these are called overloads. This is common when an application has been obfuscated.

Time to see if we are on the right track! Enter the PIN on the device or emulator.

Excellent, so it appears our pinsMatch function is indeed getting called twice. The parameters are the same, except for argument[1] which is "pin" and "pin_decoy".

Now we will head back to our static analysis tool. From here, we have some options. Since our goal is to learn, we'll do a little bit of everything!

Continue to push through via static analysis, building our understanding up as we go. This option may appeal to those with more programming experience. [Lab 4a]
Cast a wider net with method hooks, hooking additional functions of interest, or even an entire class worth of functions. [Lab 4b]
Go full ham and write a PIN bruteforce, because it's fun (and relatively easy!) [Lab 4c]