Hi Everyone!
In my previous post, you saw how we can bypass a third-party (RootBeer) root detection mechanism. Now we will analyze a different third-party library on a different platform. The library, named JailMonkey, is a React Native library for detecting whether a phone has been jailbroken (iOS) or rooted (Android). In this article I will analyze the iOS version of the library, not the Android one.
I will work through an application available in the App Store, so I will not share the package name. I’m not sure, but I remember that the same library is available in DVIAv2. You can also test it yourself through that application.
I divided the article into two subheadings. In the first one, we will use Frida to find the target class in the application by searching for keywords. Then we will find the value the relevant function returns on a jailbroken device and hook it. In the second subheading, we will analyze how the JailMonkey library works and what its functions return.
Let’s start!
First of all, it is useful to get a superficial overview of the executable file format.
When you analyze any ipa archive, or the directory where an application you downloaded from the App Store is installed, you will find the executable file under the AppName.app/ directory. It is a Mach-O file, the executable format used on iOS and OS X. Apple iOS stores multiple executable files in Mach-O format by embedding them in a single file. Third-party libraries, executable files, object code and various other file types are compiled into that file. Here we will examine the library named JailMonkey among these third-party libraries.
FIND CLASS AND FUNCTION
The reason I traced using Frida is the
In the screenshot above, I would like to list the classes with the ObjC.classes property via
ObjC.classes is a property that maps the classes with the
I also want to list only the classes whose name contains the word “jail”, using a regexp. Without that filter, Frida lists every class in the Mach-O file, which is far too much output.
Two different classes containing the word “jail” were identified. The target function could be in either of them, so it is useful to proceed with both classes. The second task is to find the function inside these classes.
I have listed the functions whose name contains the word “jail” in the classes that pass the if condition, again using a regexp. The reason I defined the funcName variable in the
```javascript
var funcName = eval('ObjC.classes.' + className + '.$methods'); // all method names of the matched class
for (var i = 0; i < funcName.length; i++) {
  if (/jail/i.test(funcName[i])) // keep only the methods whose name contains "jail"
    console.log("[*]Function Detected In " + className + "\n" + funcName[i]);
}
```
const classj = eva
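The two searches above (classes whose name contains “jail”, then the methods inside them that contain it) can be expressed as one keyword filter. The script below is an added example, not the article’s own Frida script: the filtering core, `findByKeyword`, is a pure function over a `{className: [methodNames]}` map, so it can be run and checked outside Frida; `collectFromRuntime` fills that map from `ObjC.classes` (a real Frida property) when the script is loaded into a process. The class and method names in `SAMPLE_CLASSES` are constructed for the example and are not taken from the application analyzed in the article.

```javascript
// Added example (not the article's script): keyword search over Objective-C
// classes and their methods, with the filter separated from the Frida runtime
// so it can be exercised on a constructed sample map.

// Pure core: keep only classes whose name matches `pattern`, and for each of
// them only the method names that also match. Works on a plain object.
function findByKeyword(classMap, pattern) {
  var re = new RegExp(pattern, 'i'); // case-insensitive: "Jail", "JAIL" and "jail" all match
  var hits = {};
  Object.keys(classMap).forEach(function (className) {
    if (!re.test(className)) return; // class name does not contain the keyword
    var methods = classMap[className].filter(function (m) { return re.test(m); });
    hits[className] = methods; // class is kept even if none of its methods match
  });
  return hits;
}

// Frida-only helper: ObjC.classes is keyed by class name and each entry
// exposes `$methods`, the list of method names ("- isFoo", "+ bar").
function collectFromRuntime(pattern) {
  var re = new RegExp(pattern, 'i');
  var classMap = {};
  for (var name in ObjC.classes) {
    if (re.test(name)) classMap[name] = ObjC.classes[name].$methods;
  }
  return classMap;
}

// Constructed sample standing in for a React Native app's class list.
var SAMPLE_CLASSES = {
  'JailMonkey':       ['- isJailBroken', '- canMockLocation', '+ moduleName'],
  'JailMonkeyHelper': ['- checkJailbreakPaths', '- init'],
  'RCTBridge':        ['- init', '- invalidate']
};

// Use the live runtime when running under Frida, the sample map otherwise.
var source = (typeof ObjC !== 'undefined' && ObjC.available)
  ? collectFromRuntime('jail')
  : SAMPLE_CLASSES;

var found = findByKeyword(source, 'jail');
Object.keys(found).forEach(function (className) {
  console.log('[*] Class Detected: ' + className);
  found[className].forEach(function (m) { console.log('    ' + m); });
});
```

Run it under Frida with `frida -U -f <bundle id> -l script.js` to search the real process, or under plain Node to see the filter applied to the sample map. Matching is done on the method name string that `$methods` returns, so the `- ` / `+ ` prefix (instance vs. class method) is preserved in the output.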