A tool that helps you easy trace classes, functions, and modify the return values of methods on iOS platform

Frida iOS hook
๐ A tool that helps you can easy using frida. It support script for trace classes, functions, and modify the return values of methods on iOS platform.
๐ For Android platform: frida-android-hook
๐ For Intercept Api was encrypted on iOS application: frida-ios-intercept-api
Env OS Support
| OS | Supported | Noted | | ------- | ------------------ | ------- | | MacOS | :whitecheckmark: | Stable | | Linux | :whitecheckmark: | Stable | | Windows | :whitecheckmark: | Unstable|Compatible with
| iOS | Frida | Frida-tools | Supported | Stable Version | | -------- | ------- | ----------- |----------------- | -------------- | | 16.7.11 | 16.7.14 | 13.7.1 | :whitecheckmark:| | | 16.7.11 | 16.1.4 | 12.2.1 | :whitecheckmark:| :whitecheckmark:|Note: Using stable versions to fix the ObjC not defined issue present in frida 17.0.1.
Feature
Running with python3.x. Support both spawn & attach script to process. All options from ./ioshook -h:
| Category | Option | Description | |----------|--------|-------------| | General | -h, --help | Show help message and exit | | | --cli | Launch iOSHook interactive CLI | | | -p, --package PACKAGE | Bundle identifier of target app (spawn) | | | -n, --name NAME | Display name of target app (attach) | | | --pid PID | Process ID of target app (attach) | | | -s, --script SCRIPT.JS | Path to Frida JavaScript hooking script | | | -c, --check-version | Check for iOSHook updates | | | -u, --update | Update iOSHook to latest version | | Quick Method | -m, --method METHOD | app-static, bypass-jb, bypass-ssl, i-url-req, i-crypto (use -n or -p as required) | | Information | --list-devices | List all connected Frida devices | | | --list-apps | List all installed applications on device | | | --list-scripts | List all available Frida scripts | | | --logcat | Show system log of device (idevicesyslog) | | | --conf | Open and edit hook.conf file | | | --shell, --ssh | Open SSH shell to device (default: USB via iproxy) | | | --ssh-port-forward LOCAL:DEVICE | Forward port from local to device (ssh -R) | | | --network HOST:PORT | Connect via network SSH (default port 22) | | | --local | Connect via USB using iproxy | | Dump decrypt IPA | -d, --dump-app | Dump and decrypt application IPA file | | | -o, --output OUTPUT_IPA | Output filename for decrypted IPA (without .ipa) | | | --dump-output-dir DIR | Output directory for dumped IPA (default: workspaces/dumps) | | Dump memory | --dump-memory OPTS | Dump memory of running application (e.g. --string, --read-only) | | HexByte Scan IPA | --hexbyte-scan MODE | Mode: help, scan, patch, json | | | --file FILE.IPA | IPA file to scan/patch | | | --pattern PATTERN | Hex pattern to search (e.g. E103??AA????E0) | | | --address ADDRESS | Address for patch (format: address,bytes,distance) | | | --task TASK.json | JSON task file for hexbyte scan | | reFlutter | --reflutter FLUTTER.IPA | Path to Flutter IPA for reFlutter analysis |
๐ ChangeLog
Install
[+] Latest version
https://github.com/noobpk/frida-ios-hook/releases
[+] Develop version
git clone -b dev https://github.com/noobpk/frida-ios-hook
Environment
[+] Python >= v3.0 (Recommend to use pyenv or virtualenv)
- cd frida-ios-hook/
- python3 -m venv py-env
- source py-env/bin/active
Build
1. pip3 install -r requirements.txt
- python3 setup.py
- cd frida-ios-hook
- ./ioshook -h (--help)
Usage
If you run the script but it doesn't work, you can try the following:
-U -f package -l script.js
๐บ Demo Feature
|Title|Link| |:---|:---| |Frida iOS Hook | Basic Usage | Install - List devices - List apps - List scripts - Logcat - Shell|https://youtu.be/xSndHgTdv4w| |Frida iOS Hook | Basic Usage | Dump Decrypt IPA - Dump Memory App - Hexbyte-Scan IPA|https://youtu.be/AUsJ9_gnWAI| |Frida iOS Hook | Basic Usage | App Static - Bypass Jailbreak - Bypass SSL - Intercept URL + Crypto|https://youtu.be/nWhKDSzArf8| |Frida iOS Hook | Advance Usage | Memory Dump - Radare2 - Iaito|https://youtu.be/nUqE4EYWiEc|