Objection

Objection is a framework built on top of Frida by SensePost and can be found on GitHub.

Installing Objection

Installing Objection is easy; here is an excerpt from the official SensePost/Objection GitHub page:

Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.

Method Hooking with Objection

Hooking a method is an easy way to determine whether a class or method is actually called at runtime. A hook can also change the method's return value or its behaviour.

List all classes

ios hooking list classes

Listing all methods of a class

ios hooking list class_methods <class_name>

Search for classes

ios hooking search classes example_class

Search for methods in class

ios hooking list class_methods example_class

Watching all methods of a class

ios hooking watch class example_class

Overwriting return values

ios hooking set return_value "*[LoginValidate isLoginValidated]" true

---- 

....highaltitudehacks.DVIAswiftv2 on (iPad: 13.3.1) [usb] # ios hooking set return_value "*[LoginValidate isLoginValidated]" true
(agent) Found selector at 0x104e4238c as +[LoginValidate isLoginValidated]
(agent) Registering job z04v8rh682n. Type: set-method-return for: *[LoginValidate isLoginValidated]
....highaltitudehacks.DVIAswiftv2 on (iPad: 13.3.1) [usb] # (agent) [8crjffqm67y] Called: [LoginValidate isLoginValidated] (Kind: class) (Super: NSObject)
(agent) [z04v8rh682n] *[LoginValidate isLoginValidated] Return value was: 0x0, overriding to 0x1
....highaltitudehacks.DVIAswiftv2 on (iPad: 13.3.1) [usb] #

Monitor Crypto Functions

ios monitor crypto

...

algorithm : kCCPBKDF2
  password : @daloq3as$qweasdlasasjdnj
  saltBytes : a27a47abad534580
  prf : kCCPRFHmacAlgSHA1
  rounds : 10000
  derivedKey : e3ae68203b0018b1d85565fe15a6e6ece38f1f436c60c19eb02b0ecb649a8bee
)
(agent) [874535] [CCKeyDerivationPBKDF] (
  algorithm : kCCPBKDF2
  password : @daloq3as$qweasdlasasjdnj
  saltBytes : bda84205d53b8cc3
  prf : kCCPRFHmacAlgSHA1
  rounds : 10000
  derivedKey : 69a1d4f08f3a667511c963e0dd77174afa5e9a22b12939fe489e6db0efa4333d
)
(agent) [874535] [CCCryptorCreate] (
  op : kCCDecrypt
  alg : kCCAlgorithmAES128
  options : kCCOptionPKCS7Padding
  keyLength : 32
  key : e3ae68203b0018b1d85565fe15a6e6ece38f1f436c60c19eb02b0ecb649a8bee
  iv : 360695187db3eab33612d9ac73bcc01f
)
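
The captured output can be triaged offline. The following is an added example, not code from the original page or from Objection: it parses a log in the layout shown above and flags a passphrase used for several derivations, a PBKDF2 round count below an assumed policy minimum, and a cipher key that equals a logged derived key. The sample log (trimmed to the fields the checks read), `parse_calls`, `review` and `min_rounds` are names and values constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the layout shown above; every value is made up.
SAMPLE = """\
(agent) [100001] [CCKeyDerivationPBKDF] (
  password : constructed-passphrase
  saltBytes : 0011223344556677
  rounds : 10000
  derivedKey : aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11
)
(agent) [100001] [CCKeyDerivationPBKDF] (
  password : constructed-passphrase
  saltBytes : 8899aabbccddeeff
  rounds : 10000
  derivedKey : bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22bb22
)
(agent) [100001] [CCCryptorCreate] (
  alg : kCCAlgorithmAES128
  keyLength : 32
  key : aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11aa11
)
"""
HEADER = re.compile(r"\(agent\) \[\w+\] \[(\w+)\] \($")
FIELD = re.compile(r"(\w+) : (.*)$")

def parse_calls(log):
    """Return one dict per complete logged call: {'api': name, field: value}."""
    calls, cur = [], None
    for line in map(str.strip, log.splitlines()):
        if m := HEADER.search(line):        # a shell prompt may precede "(agent)"
            cur = {"api": m.group(1)}
        elif cur is not None and line == ")":
            calls.append(cur)
            cur = None
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)    # fields of a truncated block are skipped
    return calls

def review(calls, min_rounds=100_000):      # min_rounds is an assumed policy value
    kdf = [c for c in calls if c["api"] == "CCKeyDerivationPBKDF"]
    derived = {c["derivedKey"] for c in kdf if "derivedKey" in c}
    out = [f"passphrase reused across {n} derivations"
           for n in Counter(c["password"] for c in kdf if "password" in c).values() if n > 1]
    out += [f"PBKDF2 rounds {r} below {min_rounds}"
            for r in sorted({int(c["rounds"]) for c in kdf if "rounds" in c}) if r < min_rounds]
    out += [f"{c['api']} key comes from a logged PBKDF2 derivation"
            for c in calls if c not in kdf and c.get("key") in derived]
    return out
```

The findings deliberately omit the passphrase and key material, so the report can be shared without copying secrets out of the log.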

Bypass Biometric Scanner

Objection can bypass the biometric lock screen with the following command:

ios ui biometrics_bypass
