Commit
Sven Schleier committed Oct 6, 2024
1 parent: c3fb86c
commit 8cc3725
Showing 5 changed files with 84 additions and 73 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,32 +1,25 @@ | ||
--- | ||
title: Library Injection | ||
title: Patching automated | ||
platform: ios | ||
--- | ||
|
||
If you want to use Frida on non-jailbroken devices you'll need to include `FridaGadget.dylib`. Download it first: | ||
If you want to use Frida on non-jailbroken devices you'll need to include the `FridaGadget.dylib` into the IPA. | ||
|
||
```bash | ||
curl -O https://build.frida.re/frida/ios/lib/FridaGadget.dylib | ||
``` | ||
The tool @MASTG-TOOL-0038 will automate this task for you. Follow the instructions in the wiki for [patching iOS Applications](https://github.com/sensepost/objection/wiki/Patching-iOS-Applications). | ||
|
||
Afterwards, you can [run the patched iOS app](https://github.com/sensepost/objection/wiki/Running-Patched-iOS-Applications). | ||
|
||
Copy `FridaGadget.dylib` into the app directory and use @MASTG-TOOL-0059 to add a load command to the "UnCrackable Level 1" binary. | ||
If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the `frida-ps` command: | ||
|
||
```bash | ||
$ unzip UnCrackable-Level1.ipa | ||
$ cp FridaGadget.dylib Payload/UnCrackable\ Level\ 1.app/ | ||
$ optool install -c load -p "@executable_path/FridaGadget.dylib" -t Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 | ||
Found FAT Header | ||
Found thin header... | ||
Found thin header... | ||
Inserting a LC_LOAD_DYLIB command for architecture: arm | ||
Successfully inserted a LC_LOAD_DYLIB command for arm | ||
Inserting a LC_LOAD_DYLIB command for architecture: arm64 | ||
Successfully inserted a LC_LOAD_DYLIB command for arm64 | ||
Writing executable to Payload/UnCrackable Level 1.app/UnCrackable Level 1... | ||
$ frida-ps -U | ||
PID Name | ||
--- ------ | ||
499 Gadget | ||
``` | ||
|
||
## Patching Example: Making an App Debuggable | ||
## Starting with iOS 17 and Xcode 15 | ||
|
||
By default, an app available on the Apple App Store is not debuggable. In order to debug an iOS application, it must have the `get-task-allow` entitlement enabled. This entitlement allows other processes (like a debugger) to attach to the app. Xcode is not adding the `get-task-allow` entitlement in a distribution provisioning profile; it is only whitelisted and added in a development provisioning profile. | ||
Since Xcode 15 and iOS 17 the tool @MASTG-TOOL-0054 will [not work anymore to start an app in debug mode](https://github.com/ios-control/ios-deploy/issues/588). | ||
|
||
Thus, to debug an iOS application obtained from the App Store, it needs to be re-signed with a development provisioning profile with the `get-task-allow` entitlement. How to re-sign an application is discussed in the next section. | ||
A workaround to start the re-packaged app with the `FridaGadget.dylib` in debug mode (without using @MASTG-TOOL-0054) can be found [here](https://github.com/ios-control/ios-deploy/issues/588#issuecomment-1907913430). |
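Review bot: "If everything went well, the app should start in debugging mode with LLDB attached" is carried over from the deleted `ios-deploy --debug` flow and no longer follows from the steps above it, which now point to objection's patching and running wiki pages and never attach LLDB; the new "Starting with iOS 17 and Xcode 15" section even states that @MASTG-TOOL-0054 can no longer start the app in debug mode. Suggest "If everything went well, Frida should be able to attach to the patched app. You can verify this via the `frida-ps` command:". The hunk also deletes the `get-task-allow` paragraph without moving its point anywhere, so a reader no longer learns why the re-signed app needs a development provisioning profile before a debugger can attach; keep one sentence on that here or on the re-signing page. Minor: "include the `FridaGadget.dylib` into the IPA" should read "in the IPA".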
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,56 +1,18 @@ | ||
--- | ||
title: Repackaging and Re-Signing | ||
title: Re-Signing | ||
platform: ios | ||
--- | ||
|
||
Tampering an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've made include (e.g. `FridaGadget.dylib`) with the certificate listed in the profile. | ||
Tampering an app invalidates the code signature of the main executable, so it won't run on a non-jailbroken device. | ||
|
||
## Repackaging | ||
You'll need to re-sign the IPA with your provisioning profile. This can be done in various ways with different tools: | ||
|
||
First, let's add our own provisioning profile to the package: | ||
- @MASTG-TOOL-0114 | ||
- @MASTG-TOOL-0113 | ||
- @MASTG-TOOL-0102 | ||
|
||
```bash | ||
cp AwesomeRepackaging.mobileprovision Payload/UnCrackable\ Level\ 1.app/embedded.mobileprovision | ||
``` | ||
|
||
Next, we need to make sure that the Bundle ID in `Info.plist` matches the one specified in the profile because the codesign tool will read the Bundle ID from `Info.plist` during signing; the wrong value will lead to an invalid signature. | ||
|
||
```bash | ||
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier sg.vantagepoint.repackage" Payload/UnCrackable\ Level\ 1.app/Info.plist | ||
``` | ||
|
||
## Re-Signing | ||
|
||
Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. | ||
|
||
```bash | ||
$ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature | ||
$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 Payload/UnCrackable\ Level\ 1.app/FridaGadget.dylib | ||
Payload/UnCrackable Level 1.app/FridaGadget.dylib: replacing existing signature | ||
``` | ||
|
||
`entitlements.plist` is the file you created for your empty iOS project. | ||
|
||
```bash | ||
$ /usr/bin/codesign --force --sign 8004380F331DCA22CC1B47FB1A805890AE41C938 --entitlements entitlements.plist Payload/UnCrackable\ Level\ 1.app/UnCrackable\ Level\ 1 | ||
Payload/UnCrackable Level 1.app/UnCrackable Level 1: replacing existing signature | ||
``` | ||
|
||
Now you should be ready to run the modified app. Deploy and run the app on the device using @MASTG-TOOL-0054: | ||
After re-signing you should be ready to run the modified app. Install the app on the device using @MASTG-TOOL-0054 and start the app by clicking on the app icon: | ||
|
||
```bash | ||
ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/ | ||
ios-deploy -b <name>.ipa | ||
``` | ||
|
||
If everything went well, the app should start in debugging mode with LLDB attached. Frida should then be able to attach to the app as well. You can verify this via the frida-ps command: | ||
|
||
```bash | ||
$ frida-ps -U | ||
PID Name | ||
--- ------ | ||
499 Gadget | ||
``` | ||
|
||
<img src="Images/Chapters/0x06b/fridaStockiOS.png" width="100%" /> | ||
|
||
When something goes wrong (and it usually does), mismatches between the provisioning profile and code-signing header are the most likely causes. Reading the [official documentation](https://developer.apple.com/support/code-signing/ "Code Signing") helps you understand the code-signing process. Apple's [entitlement troubleshooting page](https://developer.apple.com/library/content/technotes/tn2415/_index.html "Entitlements Troubleshooting") is also a useful resource. |
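Review bot: the unchanged line "If everything went well, the app should start in debugging mode with LLDB attached" is now wrong, because the command above it changed from `ios-deploy --debug --bundle Payload/UnCrackable\ Level\ 1.app/` to `ios-deploy -b <name>.ipa`, which only installs the app, and the new sentence tells the reader to start it from the app icon; either keep `--debug` or drop the LLDB claim and say only that Frida should be able to attach. The rewritten intro also loses two prerequisites the deleted text had: the injected `FridaGadget.dylib` has to be signed along with the main executable, and the Bundle ID in `Info.plist` must match the provisioning profile copied in as `embedded.mobileprovision`; these are exactly the profile/signature mismatches the closing paragraph warns about, so either state them here or say that the linked tool pages cover them. Minor: "Tampering an app" should be "Tampering with an app", and on a device the icon is tapped rather than clicked.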
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
title: fastlane | ||
platform: ios | ||
source: https://github.com/fastlane/fastlane | ||
alternatives: | ||
- MASTG-TOOL-0114 | ||
- MASTG-TOOL-0102 | ||
--- | ||
|
||
[fastlane](https://github.com/fastlane/fastlane) is a tool for iOS and Android developers to automate tasks like dealing with provisioning profiles, and releasing mobile apps. Once setup it can be used to resign IPA files with your Xcode provisioning profile. | ||
|
||
Before executing fastlane: | ||
|
||
- install fastlane via brew (`brew install fastlane`) | ||
- [get a developer provisioning profile and certificate](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/#getting-a-developer-provisioning-profile-and-certificate) | ||
- create a directory `fastlane` and create a `Fastfile` file as described in the documentation for [resigning](https://docs.fastlane.tools/actions/resign/). | ||
|
||
Example: | ||
Check failure on line 18 in tools/ios/MASTG-TOOL-0113.md (GitHub Actions / markdown-lint-check): Trailing spaces
|
||
|
||
```yaml | ||
lane :resignipa do | ||
resign( | ||
ipa: "<PATH-to-IPA/filename.ipa", | ||
signing_identity: "Apple Development: Foobar (STGXYCETF3)", | ||
provisioning_profile: "~/Library/MobileDevice/Provisioning Profiles/<FILE-NAME>.mobileprovision", | ||
) | ||
end | ||
``` | ||
|
||
Afterwards execute the `fastlane resignipa` command. | ||
Check failure on line 30 in tools/ios/MASTG-TOOL-0113.md (GitHub Actions / markdown-lint-check): Trailing spaces
|
||
|
||
```bash | ||
$ fastlane resignipa | ||
[✔] 🚀 | ||
[15:21:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile | ||
[15:21:52]: Driving the lane 'resignipa' 🚀 | ||
[15:21:52]: -------------------- | ||
[15:21:52]: --- Step: resign --- | ||
[15:21:52]: -------------------- | ||
... | ||
[15:22:03]: Successfully signed /test.ipa! | ||
[15:22:03]: Successfully re-signed .ipa 🔏. | ||
|
||
+-----------------------------+ | ||
| fastlane summary | | ||
+------+--------+-------------+ | ||
| Step | Action | Time (in s) | | ||
+------+--------+-------------+ | ||
| 1 | resign | 11 | | ||
+------+--------+-------------+ | ||
|
||
[15:22:03]: fastlane.tools finished successfully 🎉 | ||
``` | ||
|
||
After having this setup once, you only need to change the path in the `Fastfile` for the IPA you want to resign and execute the command again. | ||
|
||
Learn more: | ||
|
||
- ["Codesign an existing ipa file with fastlane resign"](https://docs.fastlane.tools/actions/resign/) |
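Review bot: the markdown-lint check fails on this file for trailing spaces on line 18 ("Example:") and line 30 ("Afterwards execute the `fastlane resignipa` command."); strip the whitespace so CI passes. In the Fastfile example the placeholder `"<PATH-to-IPA/filename.ipa"` is missing its closing bracket; write `"<PATH-to-IPA>/filename.ipa"` so it matches the `<FILE-NAME>.mobileprovision` placeholder two lines below. The link to https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0079/ is an absolute URL to the published site, while the rest of the page references documents by identifier (@MASTG-TOOL-0114, @MASTG-TOOL-0102); use the same style, @MASTG-TECH-0079, so the reference does not break when the section anchor changes. Also "Once setup it can be used" should read "Once set up, it can be used", and the third bullet should say that the `Fastfile` goes inside the `fastlane` directory.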