
Intercept all cryptography-related functions on iOS with the Frida API.


xpko/frida-ios-cipher


Frida-iOS-Cipher


Introduction

Intercept all cryptography-related functions on iOS with the Frida API.

Supported Algorithms

  • AES
  • DES, 3DES
  • CAST (what is it?)
  • RC2, RC4
  • Blowfish
  • SHA1, SHA224, SHA256, SHA384, SHA512
  • MD2, MD4, MD5
  • HMAC
  • PBKDF


Instructions for use

  • You can choose which functions are intercepted and printed by toggling them in the configuration (all are turned on by default).
  • Printed data is length-limited (by default at most 240 bytes for a single piece of data; there is no limit for keys, hashes and digest results).
  • Stack information can be printed as well (off by default).
  • The script does not differentiate between Objective-C and Swift; the API calls for encryption are the same for both languages.

Simple to use

  • Spawn mode
frida -U --codeshare Humenger/frida-ios-cipher -f "xxx.xxx.xxx" --no-pause
  • Attach mode
frida -U --codeshare Humenger/frida-ios-cipher -n "app name"

Config

The configuration sits at the beginning of the script.

//config
const CIPHER_CONFIG={
    "enable":true,//global enable
    "highlighting": true,//syntax highlighting
    "crypto":{
        "enable":true,//crypto enable
        "maxDataLength":240,//Maximum length of single data printout
        "printStack":false,
        "aes":true,
        "des":true,
        "3des":true,
        "cast":true,
        "rc4":true,
        "rc2":true,
        "blowfish":true,
        "filter": []
    },
    "hash":{
        "enable":true,//hash enable
        "maxInputDataLength":240,
        "printStack":false,
        "md2":true,
        "md4":true,
        "md5":true,
        "sha1":true,
        "sha224":true,
        "sha256":true,
        "sha384":true,
        "sha512": true,
        "filter": []
    },
    "hmac":{
        "enable":true,//hmac enable
        "maxInputDataLength":240,
        "printStack":false,
        "sha1":true,
        "md5":true,
        "sha224":true,
        "sha256":true,
        "sha384":true,
        "sha512":true,
        "filter": []
    },
    "pbkdf":{
        "enable":true,
        "printStack":false,
        "filter": []
    }
}

Because printing the stack may cause exceptions in the target program, printStack is off by default; turn it on yourself if you need it.

Build

npm install 
npm run build

Supplementary notes

A couple of functions are not intercepted, as shown below:

CCCryptorStatus
     CCCryptorCreateFromData(CCOperation op, CCAlgorithm alg,
         CCOptions options, const void *key, size_t keyLength, const void *iv,
         const void *data, size_t dataLength, CCCryptorRef *cryptorRef,
         size_t *dataUsed);
  • This function calls CCCryptorCreate internally, so it is not intercepted separately
  • The same applies to CCCryptorCreateFromDataWithMode
  • There are also a couple of CCDigest functions that are rarely used; they will be added later if encountered
  • There are also a couple of random functions as well as UUIDs, which seem to be strictly within the scope of cryptography, and which I'll add later on
  • As for asymmetric encryption, I can't seem to find an official implementation at the moment
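
The prototype above shows what a hook sees at function entry: raw op, alg and options integers, a key length and an IV pointer. As an added example (not part of this project's script), the plain JavaScript below decodes those values for CCCrypt/CCCryptorCreate-style calls and flags weak choices when reviewing an app's output; the record shape, the describeCall name and the sample calls are assumptions constructed for illustration.

```javascript
// Added example: decode raw CommonCrypto arguments and flag weak choices.
// Enum values are those defined in CommonCrypto/CommonCryptor.h.
const CC_OPERATION = { 0: "kCCEncrypt", 1: "kCCDecrypt" };
const CC_ALGORITHM = {
  0: { name: "AES", cfg: "aes" },
  1: { name: "DES", cfg: "des", weak: "DES has a 56-bit effective key" },
  2: { name: "3DES", cfg: "3des", weak: "3DES is a deprecated 64-bit block cipher" },
  3: { name: "CAST", cfg: "cast", weak: "CAST is a legacy 64-bit block cipher" },
  4: { name: "RC4", cfg: "rc4", weak: "RC4 keystream is biased" },
  5: { name: "RC2", cfg: "rc2", weak: "RC2 is obsolete" },
  6: { name: "Blowfish", cfg: "blowfish", weak: "Blowfish is a legacy 64-bit block cipher" },
};
const kCCOptionPKCS7Padding = 0x0001;
const kCCOptionECBMode = 0x0002;

// call: { op, alg, options, keyLength, ivIsNull } (hypothetical record shape).
// enabled: per-algorithm switches, same keys as CIPHER_CONFIG.crypto above.
function describeCall(call, enabled) {
  const alg = CC_ALGORITHM[call.alg];
  if (!alg) return { skipped: true, reason: "unknown CCAlgorithm " + call.alg };
  if (!enabled[alg.cfg]) return { skipped: true, reason: alg.name + " disabled in config" };
  const stream = alg.name === "RC4";
  // Without the ECB bit, CCCrypt/CCCryptorCreate use CBC for block ciphers.
  const ecb = !stream && (call.options & kCCOptionECBMode) !== 0;
  const findings = [];
  if (alg.weak) findings.push(alg.weak);
  if (ecb) findings.push("ECB mode leaks repeated plaintext blocks");
  if (!stream && !ecb && call.ivIsNull) findings.push("CBC with NULL IV (an all-zero IV is used)");
  return {
    skipped: false,
    operation: CC_OPERATION[call.op] || "unknown(" + call.op + ")",
    algorithm: alg.name,
    mode: stream ? "stream" : ecb ? "ECB" : "CBC",
    padding: (call.options & kCCOptionPKCS7Padding) ? "PKCS7" : "none",
    keyBits: call.keyLength * 8,
    findings,
  };
}

// Constructed sample records, not captured from a real app.
const SAMPLE_CALLS = [
  { op: 0, alg: 0, options: 0x0003, keyLength: 16, ivIsNull: true },
  { op: 1, alg: 1, options: 0x0001, keyLength: 8, ivIsNull: true },
  { op: 0, alg: 0, options: 0x0001, keyLength: 32, ivIsNull: false },
];
const ENABLED = { aes: true, des: true, "3des": true, cast: true, rc4: true, rc2: true, blowfish: true };
for (const c of SAMPLE_CALLS) console.log(JSON.stringify(describeCall(c, ENABLED)));
```

Calls made through CCCryptorCreateWithMode carry an explicit mode argument and are outside what this decoder covers.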
