{"id":18,"date":"2024-06-23T19:05:04","date_gmt":"2024-06-23T22:05:04","guid":{"rendered":"https:\/\/windowsofender.zip\/?p=18"},"modified":"2024-07-08T16:08:40","modified_gmt":"2024-07-08T19:08:40","slug":"iossecuritysuite-bypass","status":"publish","type":"post","link":"https:\/\/windowsofender.zip\/?p=18","title":{"rendered":"IOSSecuritySuite – Bypass"},"content":{"rendered":"\n


In this blog post, I will show you how to use a script I created to bypass some of IOSSecuritySuite’s features.
IOSSecuritySuite is a common library used perform anti-tampering and increase the security of an IOS application.<\/p>\n\n\n\n

I’ve created a simple APP to test the IOSSecuritySuite functionalities. You can download the IPA file here<\/a>.
To install it just unzip the IPA file and move the .app folder to \/Applications<\/strong> on devices with a Rootfull jailbreak or \/var\/jb\/Applcations<\/strong> on devices with Rootless jailbreak. After it, just run uicache -ar<\/strong> command and the app will show on homescreen. This is a print of the app running on my device. Basically it shows some features that are triggered.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

The script<\/strong><\/p>\n\n\n\n

This is the script that I created. It will be progressively enhanced as time goes by. Download the most recent version from github<\/a>.<\/p>\n\n\n\n

function hook_by_export(module_name, func_name){\n\n    var target_ptr = Module.findExportByName(module_name, func_name); \n\n    if(target_ptr != null){\n          Interceptor.attach(target_ptr, {\n            onEnter:  function(args){\n\t\t\t\tconsole.log(\"[+] Bypassing: \" + func_name)\n            },\n              onLeave: function(retval) {\n\n                  retval.replace(0x0); \/\/ Force return value to be 0x0\n              }\n          });\n      }else{\n        console.log(\"[-] Not found: \" + func_name);\n      }\n}\n\n\n\nsetTimeout(function(){\n\ttry{\n\n\t\tvar moduleName = \"Test_IOSSECURITY\"; \/\/Change it\n\t\tvar amIJailBroken = \"$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ\";\n\t\tvar amIReverseengineered = \"$s16IOSSecuritySuiteAAC20amIReverseEngineeredSbyFZ\";\n\t\tvar amIProxied = \"$s16IOSSecuritySuiteAAC10amIProxiedSbyFZ\"\n\t\tvar amIDebugged = \"$s16IOSSecuritySuiteAAC11amIDebuggedSbyFZ\"\n\t\tvar isRunningEmulator = \"$s16IOSSecuritySuiteAAC16amIRunInEmulatorSbyFZ\"\n\t\tvar amITampered = \"$s16IOSSecuritySuiteAAC11amITamperedySb6result_SayAA18FileIntegrityCheckOG9hitCheckstAGFZ\";\n\t\tvar denyDebbuger = \"$s16IOSSecuritySuiteAAC12denyDebuggeryyFZ\";\n\t\thook_by_export(moduleName, amIJailBroken);\n\t\thook_by_export(moduleName, amIReverseengineered);\n\t\thook_by_export(moduleName, amIProxied);\n\t\thook_by_export(moduleName, amIDebugged);\n\t\thook_by_export(moduleName, isRunningEmulator);\n\t\thook_by_export(moduleName, amITampered);\n\t\thook_by_export(moduleName, denyDebbuger);\n\n\t}catch(e){\n\t\tconsole.log(e.emssage)\n\t}\n    \n}, 1);<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
To use this script, you need to first enumerate the module from which IOSSecuritySuite functions are called. To do it, you can follow these steps:

 1 – Start your app using frida, like frida -U -f <your_app<\/strong>>
 2 – Run the following code: Process.enumerateModulesSync();<\/strong>
<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This command shows all modules currently loaded inside the application. Now you need to infer which one is the correct module. In most of cases will be something like “IOSSecuritySuite” or “SecuritySuite”. In this case is “Test_IOSSecurity”.
You need to change the variable *moduleName*<\/em> inside the script by the correct module name.<\/strong><\/p>\n\n\n\n
Now you can just run the script as following<\/p>\n\n\n\n
frida -U -f <your application> -l iossecurity.js<\/code><\/pre>\n\n\n\n
All the functions are not triggered<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
In this blog post, I will show you how to use a script I created to bypass some of IOSSecuritySuite’s features.IOSSecuritySuite is a common library used perform anti-tampering and increase the security of an IOS application. I’ve created a simple APP to test the IOSSecuritySuite functionalities. You can download the IPA file here.To install it […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"blocksy_meta":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/posts\/18"}],"collection":[{"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=18"}],"version-history":[{"count":20,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/posts\/18\/revisions"}],"predecessor-version":[{"id":62,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=\/wp\/v2\/posts\/18\/revisions\/62"}],"wp:attachment":[{"href":"https:\/\/windowsofender.zip\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=18"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=18"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/windowsofender.zip\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=18"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}