-
-
Save AkshayJainG/ae59cabeac59b2e992664483bca5cd90 to your computer and use it in GitHub Desktop.
Simple Bypass iOS anti-tamper ptrace,systctl,strstr,getppid
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Rodolfo 'rodnt' Tavares | |
| * twitter @rodntt | |
| * github rodnt | |
| */ | |
| if(ObjC.available) { | |
| const tamperLibs = [ | |
| "Substrate", | |
| "cycript", | |
| "frida", | |
| "SSLKillSwitch2", | |
| "SSLKillSwitch", | |
| ] | |
| console.log('* ObjC is avaliable'); | |
| const isPtrace = Module.findExportByName(null, 'ptrace'); | |
| Interceptor.attach(isPtrace, { | |
| onEnter: function(args) { | |
| let arg0 = args[0]; | |
| let arg1 = args[1]; | |
| let arg2 = args[2]; | |
| console.log('> ptrace was called\n'); | |
| console.log('> Arg0 value is: ' + arg0[0] + "\n") | |
| console.log('> Arg1 value is: ' + arg1[1] + "\n") | |
| console.log('> Arg2 value is: ' + args[2] + "\n") | |
| args[0] = ptr(-1) | |
| console.log('> Modified args 0 ' + args[0] + ' Args 1 ' + args[1] + ' Args 2 ' + arg2[2]) | |
| } | |
| }); | |
| const isGetppid = Module.findExportByName(null, "getppid") | |
| Interceptor.attach(isGetppid, { | |
| onLeave: function(retval) { | |
| console.log('> getppid was called\n') | |
| console.log('> getppid value before: ' + retval) | |
| retval.replace(0x01) | |
| console.log('> getppid value after: ' + retval) | |
| } | |
| }) | |
| const isSysCtl = Module.findExportByName(null, "__sysctl") | |
| Interceptor.attach(isSysCtl, { | |
| onEnter: function(args) { | |
| this.info = this.context.x2; | |
| }, | |
| onLeave: function(retval) { | |
| const pointer01 = this.info.add(32) | |
| const pointerFlag = pointer01.readInt() & 0x800; | |
| if (pointerFlag === 0x800 ) { | |
| console.log('> __sysctl was called and was disabled') | |
| pointer01.writeInt(0) | |
| } | |
| } | |
| }) | |
| const ptrStrStr = Module.findExportByName(null, 'strstr'); | |
| Interceptor.attach(ptrStrStr, { | |
| onEnter: function (args) { | |
| let index = tamperLibs.length; | |
| this.libIsTampared = false; | |
| while (index--) { | |
| var lib = args[1].readUtf8String(); | |
| if (lib == tamperLibs[index]) { | |
| console.log("> strstr called: " + lib + " overwrite return"); | |
| this.libIsTampared = true; | |
| } | |
| } | |
| }, | |
| onLeave: function (retval) { | |
| if (this.libIsTampared) { | |
| retval.replace(0x00); | |
| } | |
| } | |
| }); | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment