/fridare

Fridare 是一个用于修改和定制 Frida-server 的魔改工具,专为 iOS 越狱设备设计。Fridare is a custom modification tool designed for modifying and customizing Frida-server, specifically for jailbroken iOS devices.

Primary LanguageShellMIT LicenseMIT

Fridare

English | 中文

GitHub Streak

Github stars Github forks Github watchers Github license Github issues Github pull requests Github contributors Github last commit Github repo size Github code size Github language count Github top language Github tag GitHub followers Twitter Follow

Fridare 是一个用于修改和定制 Frida-server 的魔改工具,专为 iOS 越狱设备设计。它允许用户更改名称和端口,以增强安全性和灵活性。免除了很多越狱检测frida的情况。 CHANGELOG

特性

  • 自动下载并修改指定版本的 frida-server
  • 随机生成新的 frida-server 名称
  • 自定义 frida-server 端口
  • 支持 arm 和 arm64 架构
  • 二进制替换修改
    • frida-server
    • frida-agent.dylib
    • frida-tools
  • 生成可直接安装的修改版 .deb 包

新增特性 v2.2.0 (仅测试 macOS arm 架构,其它架构未测试)

  • 新增加 frida-tools 补丁,适配 frida:rpc 特征魔改
    • 解决 Android 内存扫描该字符串问题
    • 自动扫描本地 pip 安装 frida-tools 的位置,对 core.py 文件进行魔改,对 _frida.abi3.so 文件进行魔改
  • 新增加 frida-agent.dylib 魔改,从文件名称,加载位置进行隐藏
    • 解决 agent 加载未隐藏问题

新增特性 v2.1.1

  • 引入 autoinstall.sh 脚本,实现 Frida 插件的自动部署。
  • 引入 Makefile,简化项目的构建和部署流程。
  • 运行之前请确保本机已经安装了 issh 命令。并配置好了 ssh 的免密登录。

    配置 issh 的 ssh 免密登陆

    # 生成 keygen 密钥,如果已生成可以跳过
    ssh-keygen -t rsa -b 4096 -C "<EMAIL>"
    # 配置手机IP,如果USB连接可以不配置
    issh ip set <iPhone-IP>     
    # 拷贝公钥到手机 /var/root ,需要 root 密码 alpine
    issh scp ~/.ssh/id_rsa.pub  
    # 远程服务器添加公钥到 authorized_keys 文件
    issh run "mkdir -p ~/.ssh && cat /var/root/id_rsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh"

前提条件

  • macOS 操作系统(用于运行构建脚本)
  • Homebrew
  • dpkg(将通过 Homebrew 自动安装,如果尚未安装)
  • 越狱的 iOS 设备
  • 在 iOS 设备上安装 OpenSSH

使用方法

  1. 克隆此仓库:
git clone https://github.com/suifei/fridare.git
cd fridare
  1. 使用 Makefile 构建和部署:
make build       # 构建项目
make deploy      # 部署项目
  1. 运行构建脚本:
./build.sh [FRIDA_VERSION] [FRIDA_SERVER_PORT] [CURL_PROXY]

例如:

./build.sh 16.3.3 8899 http://127.0.0.1:1081

如果不指定参数,脚本将使用默认值(Frida 版本 16.3.3,端口 8899)。 CURL_PROXY 为可以访问github的代理地址,如果不需要代理,可以不传递。

  1. 脚本将下载指定版本的 Frida,修改它,并在 dist 目录中生成新的 .deb 包。
$ ./build.sh 16.3.1 8888 http://127.0.0.1:1081

build setup

  1. 将生成的 .deb 包传输到您的 iOS 设备:
scp ./dist/frida_16.3.3_iphoneos-arm_tcp.deb root@<iPhone-IP>:/var/root/
  1. SSH 进入您的 iOS 设备并安装修改后的包:
ssh root@<iPhone-IP>
dpkg -i /var/root/frida_16.3.3_iphoneos-arm_tcp.deb

安装兼容版本的 Frida 工具

为确保兼容性,请安装与修改后的服务器版本相匹配的 Frida 工具:

pip install frida-tools==12.4.3

对于 Node.js 用户:

npm install frida@16.3.3

使用

如果不使用usb数据线时,可以使用以下命令连接到远程 frida-server :

frida -H <iPhone-IP>:8899 -U
frida-trace -H <iPhone-IP>:8899 ...
frida-ps -H <iPhone-IP>:8899
frida-inject -H <iPhone-IP>:8899 ...

原理

Fridare 项目的核心原理:

1. frida-server 修改原理

Fridare 的核心**是修改 frida-server ,使其更难被检测。这主要通过以下几个方面实现:

  • 重命名服务器文件: 将 frida-server 重命名为随机生成的名称(如 abcde),这样可以避免简单的名称检测。

  • 修改启动配置: 更新 LaunchDaemons plist 文件,使其使用新的服务器名称和自定义端口。这样可以改变服务器的启动方式和监听端口。

  • 二进制文件修改: 使用二进制替换技术,将服务器二进制文件中的 "frida" 相关字符串替换为自定义字符串。这可以避免通过扫描二进制文件来检测 Frida。

2. deb 包修改和重打包

项目使用 dpkg-deb 工具解包和重新打包 deb 文件。这允许我们修改包的内容,包括:

  • 更新 DEBIAN/control 文件中的包名
  • 修改 DEBIAN/extrainst_ 和 DEBIAN/prerm 脚本以使用新的服务器名称
  • 替换和重命名实际的服务器二进制文件

3. 自动化流程

build.sh 脚本自动化了整个过程:

  • 下载指定版本的 frida-server
  • 生成随机名称
  • 修改所有必要的文件
  • 重新打包 deb 文件

4. 兼容性考虑

脚本同时处理 arm 和 arm64 架构的包,确保在不同的 iOS 设备上的兼容性。

5. 安全性增强

通过更改服务器名称、端口和内部字符串,这个项目使得通过常规方法检测 Frida 的存在变得更加困难。这对于在某些可能会主动检测和阻止 Frida 的应用中使用 Frida 非常有用。

6. 灵活性

通过允许用户指定 Frida 版本和端口,该工具提供了很大的灵活性,可以适应不同的需求和环境。

7. 二进制修改技术

使用 hexreplace 来执行二进制替换,在不重新编译 Frida 的情况下修改二进制文件。这种方法虽然有效,但也有局限性,因为它只能替换固定长度的字符串。

注意事项

  • 默认的 root 用户密码为 "alpine"。出于安全考虑,强烈建议更改此密码。
  • 请确保您的 iOS 设备已越狱并安装了 OpenSSH。
  • 此工具仅用于教育和研究目的。请遵守所有适用的法律和条款。

贡献

欢迎提交问题和拉取请求。对于重大更改,请先开issue讨论您想要更改的内容。

许可证

MIT LICENSE


Features

  • Automatically download and modify specified versions of frida-server
  • Randomly generate new frida-server names
  • Customize frida-server ports
  • Support for arm and arm64 architectures
  • Binary replacement modification
    • frida-server
    • frida-agent.dylib
    • frida-tools
  • Generate modified .deb packages ready for direct installation

New Features v2.2.0 (Only tested on macOS arm architecture, other architectures not tested)

  • Added frida-tools patch, adapting to the frida:rpc characteristic modification
    • Resolves the issue of Android memory scanning for this string
    • Automatically scans the local pip installation location of frida-tools, modifies the core.py file, and modifies the _frida.abi3.so file
  • Added frida-agent.dylib modification, hiding from filename and load location
    • Resolves the issue of unhidden agent loading

New Features v2.1.1

  • Introduced autoinstall.sh script for automatic deployment of Frida plugins.
  • Introduced Makefile to simplify the project build and deployment process.
  • Before running, please ensure that the issh command is installed on your machine. And configure password-free SSH login.

    Configure password-free SSH login for issh

    # Generate keygen, skip if already generated
    ssh-keygen -t rsa -b 4096 -C "<EMAIL>"
    # Configure iPhone IP, can be skipped if using USB connection
    issh ip set <iPhone-IP>     
    # Copy public key to /var/root on the phone, requires root password alpine
    issh scp ~/.ssh/id_rsa.pub  
    # Add public key to authorized_keys file on remote server
    issh run "mkdir -p ~/.ssh && cat /var/root/id_rsa.pub >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh"

Prerequisites

  • macOS operating system (for running build scripts)
  • Homebrew
  • dpkg (will be automatically installed via Homebrew if not already installed)
  • Jailbroken iOS device
  • OpenSSH installed on iOS device

Usage

  1. Clone this repository:
git clone https://github.com/suifei/fridare.git
cd fridare
  1. Use Makefile to build and deploy:
make build       # Build the project
make deploy      # Deploy the project
  1. Run the build script:
./build.sh [FRIDA_VERSION] [FRIDA_SERVER_PORT] [CURL_PROXY]

For example:

./build.sh 16.3.3 8899 http://127.0.0.1:1081

If no parameters are specified, the script will use default values (Frida version 16.3.3, port 8899). CURL_PROXY is the proxy address that can access GitHub. If no proxy is needed, it can be omitted.

  1. The script will download the specified version of Frida, modify it, and generate a new .deb package in the dist directory.
$ ./build.sh 16.3.1 8888 http://127.0.0.1:1081

build setup

  1. Transfer the generated .deb package to your iOS device:
scp ./dist/frida_16.3.3_iphoneos-arm_tcp.deb root@<iPhone-IP>:/var/root/
  1. SSH into your iOS device and install the modified package:
ssh root@<iPhone-IP>
dpkg -i /var/root/frida_16.3.3_iphoneos-arm_tcp.deb

Install Compatible Version of Frida Tools

To ensure compatibility, install Frida tools that match the modified server version:

pip install frida-tools==12.4.3

For Node.js users:

npm install frida@16.3.3

Usage

If not using a USB data cable, you can use the following commands to connect to the remote frida-server:

frida -H <iPhone-IP>:8899 -U
frida-trace -H <iPhone-IP>:8899 ...
frida-ps -H <iPhone-IP>:8899
frida-inject -H <iPhone-IP>:8899 ...

Principle

Core principles of the Fridare project:

1. frida-server Modification Principle

The core idea of Fridare is to modify frida-server to make it harder to detect. This is mainly achieved through the following aspects:

  • Renaming the server file: Rename frida-server to a randomly generated name (e.g., abcde), which avoids simple name detection.

  • Modifying startup configuration: Update the LaunchDaemons plist file to use the new server name and custom port. This changes the way the server starts and the port it listens on.

  • Binary file modification: Use binary replacement techniques to replace "frida" related strings in the server binary file with custom strings. This can avoid detection of Frida by scanning the binary file.

2. deb Package Modification and Repackaging

The project uses the dpkg-deb tool to unpack and repack deb files. This allows us to modify the contents of the package, including:

  • Updating the package name in the DEBIAN/control file
  • Modifying DEBIAN/extrainst_ and DEBIAN/prerm scripts to use the new server name
  • Replacing and renaming the actual server binary file

3. Automated Process

The build.sh script automates the entire process:

  • Downloading the specified version of frida-server
  • Generating random names
  • Modifying all necessary files
  • Repacking the deb file

4. Compatibility Considerations

The script handles packages for both arm and arm64 architectures, ensuring compatibility on different iOS devices.

5. Enhanced Security

By changing the server name, port, and internal strings, this project makes it more difficult to detect the presence of Frida through conventional methods. This is particularly useful for using Frida in applications that might actively detect and block Frida.

6. Flexibility

By allowing users to specify the Frida version and port, the tool provides great flexibility to adapt to different needs and environments.

7. Binary Modification Technique

Using hexreplace to perform binary replacements, modifying binary files without recompiling Frida. While effective, this method has limitations as it can only replace fixed-length strings.

Notes

  • The default root user password is "alpine". For security reasons, it is strongly recommended to change this password.
  • Please ensure your iOS device is jailbroken and has OpenSSH installed.
  • This tool is for educational and research purposes only. Please comply with all applicable laws and terms.

Contributing

Issues and pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

MIT LICENSE