#iOS #frida #WiFi #proxy #系统相关
最近研究一个App时顺便研究了下如何给iOS系统WiFi挂代理,并将相关功能整理成函数,方便调试时使用。
需要注意的是,可以使用 frida 注入到 SpringBoard 进程内,并且要确保 WiFiKit.framework
已经装入,以下是测试代码:
frida 命令
全文完
function toggleAirplaneMode(mode) {
var p
=
ObjC.classes.RadiosPreferences.alloc().init();
p.setAirplaneMode_(mode)
p.synchronize()
p.release();
}
function toggleAirplaneMode(mode) {
var p
=
ObjC.classes.RadiosPreferences.alloc().init();
p.setAirplaneMode_(mode)
p.synchronize()
p.release();
}
function toggleWifiMode(mode) {
var wfc
=
ObjC.classes.WFClient.sharedInstance();
wfc.setPowered_(mode);
}
function toggleWifiMode(mode) {
var wfc
=
ObjC.classes.WFClient.sharedInstance();
wfc.setPowered_(mode);
}
function readWifiPasswords() {
var knownNet
=
ObjC.classes.WFKnownNetworkStore.sharedInstance();
var nets
=
knownNet.knownNetworks();
var objs
=
nets.allObjects();
var count
=
objs.count();
var result
=
[]
for
(var n
=
0
; n < count; n
+
+
) {
var networkProfile
=
objs.objectAtIndex_(n);
result.push(
{
HS20AccountName: networkProfile.HS20AccountName(),
HS20Badge: networkProfile.HS20Badge(),
isHS20Network: networkProfile.isHS20Network(),
isHS20NetworkProvisioned: networkProfile.isHS20NetworkProvisioned(),
TLSIdentity: networkProfile.TLSIdentity()
+
'',
addedDate: networkProfile.addedDate()
+
'',
adhoc: networkProfile.isAdhoc(),
autoJoinEnabled: networkProfile.isAutoJoinEnabled(),
autoLoginEnabled: networkProfile.isAutoLoginEnabled(),
bssid: networkProfile.bssid()
+
'',
canExposeIMSI: networkProfile.canExposeIMSI(),
captive: networkProfile.isCaptive(),
carPlay: networkProfile.isCarPlay(),
carPlayType: networkProfile.carPlayType(),
carPlayUUID: networkProfile.carPlayUUID(),
carrierBased: networkProfile.isCarrierBased(),
certificateChain: networkProfile.certificateChain(),
enterpriseProfile: networkProfile.enterpriseProfile(),
fetchedPassword: networkProfile.fetchedPassword(),
hidden: networkProfile.isHidden(),
lastAutoJoinDate: networkProfile.lastAutoJoinDate()
+
'',
managed: networkProfile.isManaged(),
originatorBundleIdentifier: networkProfile.originatorBundleIdentifier(),
password: networkProfile.password()
+
'',
policyUUID: networkProfile.policyUUID(),
previousPassword: networkProfile.previousPassword(),
requiresPassword: networkProfile.requiresPassword(),
scanAttributes: valueOf(networkProfile.scanAttributes()),
securityMode: networkProfile.securityMode()
+
'',
ssid: networkProfile.ssid()
+
'',
username: networkProfile.username()
+
''
}
);
}
return
result;
}
function readWifiPasswords() {
var knownNet
=
ObjC.classes.WFKnownNetworkStore.sharedInstance();
var nets
=
knownNet.knownNetworks();
var objs
=
nets.allObjects();
var count
=
objs.count();
var result
=
[]
for
(var n
=
0
; n < count; n
+
+
) {
var networkProfile
=
objs.objectAtIndex_(n);
result.push(
{
HS20AccountName: networkProfile.HS20AccountName(),
HS20Badge: networkProfile.HS20Badge(),
isHS20Network: networkProfile.isHS20Network(),
isHS20NetworkProvisioned: networkProfile.isHS20NetworkProvisioned(),
TLSIdentity: networkProfile.TLSIdentity()
+
'',
addedDate: networkProfile.addedDate()
+
'',
adhoc: networkProfile.isAdhoc(),
autoJoinEnabled: networkProfile.isAutoJoinEnabled(),
autoLoginEnabled: networkProfile.isAutoLoginEnabled(),
bssid: networkProfile.bssid()
+
'',
canExposeIMSI: networkProfile.canExposeIMSI(),
captive: networkProfile.isCaptive(),
carPlay: networkProfile.isCarPlay(),
carPlayType: networkProfile.carPlayType(),
carPlayUUID: networkProfile.carPlayUUID(),
carrierBased: networkProfile.isCarrierBased(),
certificateChain: networkProfile.certificateChain(),
enterpriseProfile: networkProfile.enterpriseProfile(),
fetchedPassword: networkProfile.fetchedPassword(),
hidden: networkProfile.isHidden(),
lastAutoJoinDate: networkProfile.lastAutoJoinDate()
+
'',
managed: networkProfile.isManaged(),
originatorBundleIdentifier: networkProfile.originatorBundleIdentifier(),
password: networkProfile.password()
+
'',
policyUUID: networkProfile.policyUUID(),
previousPassword: networkProfile.previousPassword(),
requiresPassword: networkProfile.requiresPassword(),
scanAttributes: valueOf(networkProfile.scanAttributes()),
securityMode: networkProfile.securityMode()
+
'',
ssid: networkProfile.ssid()
+
'',
username: networkProfile.username()
+
''
}
);
}
return
result;
}
function currentWifiSSID() {
return
currentNetwork().ssid();
}
function currentWifiSSID() {
return
currentNetwork().ssid();
}
function currentNetwork() {
return
ObjC.classes.WFClient.sharedInstance().interface().currentNetwork();
}
function currentNetwork() {
return
ObjC.classes.WFClient.sharedInstance().interface().currentNetwork();
}
function readWifiSettings(_ssid) {
/
/
读取配置
var WFGetSettingsOperation
=
ObjC.classes.WFGetSettingsOperation.alloc();
/
/
10684
ms
-
[WFGetSettingsOperation initWithSSID:xxxWiFiSSID]
var wfGetSet
=
WFGetSettingsOperation.initWithSSID_(_ssid);
/
*
TID
0x23c2f
*
/
/
/
10732
ms
-
[WFGetSettingsOperation start]
wfGetSet.start();
/
/
10737
ms |
-
[WFGetSettingsOperation ssid]
/
/
10740
ms |
-
[WFGetSettingsOperation keychainQueue]
/
*
TID
0x303
*
/
/
/
10759
ms
-
[WFGetSettingsOperation settings]
/
/
10759
ms
-
[WFGetSettingsOperation dealloc]
/
/
10759
ms |
-
[WFGetSettingsOperation .cxx_destruct]
console.log(
'WIFI-SSID'
, wfGetSet.ssid());
console.log(
'keychainQueue'
, wfGetSet.keychainQueue());
var settings
=
wfGetSet.settings();
return
settings;
/
/
__NSArrayM
}
function readWifiSettings(_ssid) {
/
/
读取配置
var WFGetSettingsOperation
=
ObjC.classes.WFGetSettingsOperation.alloc();
/
/
10684
ms
-
[WFGetSettingsOperation initWithSSID:xxxWiFiSSID]
var wfGetSet
=
WFGetSettingsOperation.initWithSSID_(_ssid);
/
*
TID
0x23c2f
*
/
/
/
10732
ms
-
[WFGetSettingsOperation start]
wfGetSet.start();
/
/
10737
ms |
-
[WFGetSettingsOperation ssid]
/
/
10740
ms |
-
[WFGetSettingsOperation keychainQueue]
/
*
TID
0x303
*
/
/
/
10759
ms
-
[WFGetSettingsOperation settings]
/
/
10759
ms
-
[WFGetSettingsOperation dealloc]
/
/
10759
ms |
-
[WFGetSettingsOperation .cxx_destruct]
console.log(
'WIFI-SSID'
, wfGetSet.ssid());
console.log(
'keychainQueue'
, wfGetSet.keychainQueue());
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2022-11-11 23:47
被chinasf编辑
,原因: