Decrypting software (脫殼, literally "shelling"), as the name suggests, is the inverse of packing: the shell (encryption) wrapped around the software is removed.
Principles of decryption (砸殼)
- App packing (encryption)
Every app submitted to and published through the App Store is encrypted by Apple's own protection (FairPlay DRM). This guarantees that what runs on a device is the binary Apple reviewed, and it is also how app licensing is enforced. An App Store-encrypted binary cannot be statically analyzed with Hopper or similar disassemblers, nor class-dumped, so during reverse engineering the encrypted executable has to be decrypted before any static analysis is possible. That step is what is commonly called 砸殼 (decrypting, or "unpacking").
- App decryption
Static decryption
Static decryption means first working out the packer's encryption algorithm and logic, then decrypting the packed program without ever running it. This is hard, and once the party doing the encryption notices the app has been cracked they can switch to a more advanced and complex scheme.
Dynamic decryption
Dynamic decryption starts from the executable image already mapped into the memory space of the running process and dumps that memory back out to disk. It is comparatively simple to implement and does not depend on which encryption scheme was used. For App Store apps this works because the system decrypts the protected segment when the image is loaded: the plaintext code is already in memory, and every tool below simply copies it back into the file and clears the cryptid flag in the LC_ENCRYPTION_INFO load command.
Clutch
Clutch is an open-source decryption tool developed by KJCracks. It supports iPhone, iPod Touch and iPad and needs a jailbroken device running iOS 8.0 or later.
Find the releases page and download the latest version.
Check the file type of Clutch: it is an executable built for iOS architectures, so it has to be copied to the phone.
$ file Clutch-2.0.4
Clutch-2.0.4: Mach-O universal binary with 3 architectures: [arm_v7:Mach-O executable arm_v7] [arm64:Mach-O 64-bit executable arm64]
Clutch-2.0.4 (for architecture armv7): Mach-O executable arm_v7
Clutch-2.0.4 (for architecture armv7s): Mach-O executable arm_v7s
Clutch-2.0.4 (for architecture arm64): Mach-O 64-bit executable arm64
Using Clutch
Before decrypting, read iOS逆向-越獄(Ⅹ) (the jailbreak chapter) first, otherwise the commands below will not make sense: usbConnect.sh and usbLogin.sh are that chapter's helper scripts, which forward a local TCP port to the phone's SSH port (22) over USB and log in through it.
1. Forward the port
$ sh usbConnect.sh
Forwarding local port 10010 to remote port 22
2. Command+T to open a new terminal tab, then copy the Clutch-2.0.4 binary to the phone
$ cd /Users/niujf/Desktop/xxxx   // the directory containing Clutch-2.0.4
$ ls
AliPayHeaders dumpdecrypted-master hank.cy 越獄SSH.pdf
Clutch-2.0.4 frida-ios-dump 越獄SSH.html
$ scp -P 10010 Clutch-2.0.4 root@127.0.0.1:/usr/bin
Clutch-2.0.4 100% 1204KB 6.9MB/s 00:00
On the phone, Clutch-2.0.4 has no execute permission:
$ sh usbLogin.sh
iPhone:~ root# cd /usr/bin
iPhone:/usr/bin root# ls -l Clutch-2.0.4
-rw-r--r-- 1 root wheel 1232832 Nov 14 16:31 Clutch-2.0.4
Add execute permission:
iPhone:/usr/bin root# chmod +x Clutch-2.0.4
iPhone:/usr/bin root# ls -l Clutch-2.0.4
-rwxr-xr-x 1 root wheel 1232832 Nov 14 16:31 Clutch-2.0.4
3. List the apps that can be decrypted
iPhone:/usr/bin root# cd ~
iPhone:~ root# pwd
/var/root
iPhone:~ root# Clutch-2.0.4
Usage: Clutch-2.0.4 [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID
-d --dump <value> Dump specified bundleID into .ipa file
-i --print-installed Print installed applications
--clean Clean /var/tmp/clutch directory
--version Display version and exit
-? --help Display this help and exit
-n --no-color Print with colors disabled
iPhone:~ root# Clutch-2.0.4 -I
Installed apps:
1: 支付寶 - 讓生活更簡單 <com.alipay.iphoneclient>
2: WeChat <com.tencent.xin>
3: TestFlight <com.apple.TestFlight>
4: 愛思加強版 <com.pd.A4Player>
5: 抖音短視頻 <com.ss.iphone.ugc.Aweme>
6: Messenger <com.facebook.Messenger>
7: PG Client - a better client for dribbble <com.az.azdribbble>
8: こつこつ家計簿-無料のカレンダー家計簿 <com.doubibi74.money76>
9: 火山小視頻 - 分享生活磷脯,讓世界為你點贊 <com.ss.iphone.ugc.Live>
10: 應(yīng)用兔 <hk.itools.apper>
11: 微信讀書 <com.tencent.weread>
12: QQ <com.tencent.mqq>
13: 騰訊新聞-事實派的熱點資訊閱讀軟件 <com.tencent.info>
14: 五條-每日五條看盡世界 <com.kingnet.wutiao>
4. Decrypt
iPhone:~ root# Clutch-2.0.4 -d 2   // 2 is the app's number in the list from step 3; the bundle ID shown in angle brackets works as well
The decryption log:
com.tencent.xin contains watchOS 2 compatible application. It's not possible to dump watchOS 2 apps with Clutch 2.0.4 at this moment.
Zipping WeChat.app
ASLR slide: 0x100040000
Dumping <WeChatShareExtensionNew> (arm64)
Patched cryptid (64bit segment)
ASLR slide: 0x1000e0000
Dumping <WeChatSiriExtension> (arm64)
Patched cryptid (64bit segment)
ASLR slide: 0x100050000
Dumping <WeChatSiriExtensionUI> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Writing new checksum
Writing new checksum
Dumping <ProtobufLite> arm64
Successfully dumped framework ProtobufLite!
Child exited with status 0
Dumping <matrixreport> arm64
Dumping <marsbridgenetwork> arm64
Successfully dumped framework matrixreport!
Child exited with status 0
Dumping <mars> arm64
Successfully dumped framework marsbridgenetwork!
Child exited with status 0
Successfully dumped framework mars!
Child exited with status 0
ASLR slide: 0x100048000
Dumping <WeChat> (arm64)
Patched cryptid (64bit segment)
Zipping ProtobufLite.framework
Zipping mars.framework
Zipping marsbridgenetwork.framework
Zipping matrixreport.framework
Zipping WeChatShareExtensionNew.appex
Zipping WeChatSiriExtension.appex
Zipping WeChatSiriExtensionUI.appex
Writing new checksum
DONE: /private/var/mobile/Documents/Dumped/com.tencent.xin-iOS9.0-(Clutch-2.0.4).ipa
Finished dumping com.tencent.xin in 78.7 seconds
The path of the decrypted ipa is printed at the end:
DONE: /private/var/mobile/Documents/Dumped/com.tencent.xin-iOS9.0-(Clutch-2.0.4).ipa
Browse to that path with iFunBox, export the ipa to the computer, unzip it, and check whether the WeChat executable is decrypted:
$ otool -l WeChat | grep crypt
cryptoff 16384
cryptsize 99434496
cryptid 0
cryptid 0 means the segment is no longer marked as encrypted (an untouched App Store binary shows cryptid 1), so the decryption succeeded.
Injecting a dynamic library
1. Create a new dynamic library (framework) target named insertLib, add a class InjectCode, and give it the following code:
#import "InjectCode.h"
@implementation InjectCode
// +load runs as soon as the Objective-C runtime registers this class, i.e. when the
// framework is mapped into the process, before the host program's main() runs.
+(void)load
{
    NSLog(@"??????????????");
}
@end
2. Command+B to build, producing insertLib.framework (build for a physical device, not the simulator, so that the binary is arm64)
3. Copy insertLib.framework to the phone
Forward the port
$ sh usbConnect.sh
Forwarding local port 10010 to remote port 22
Command+T to open a new terminal tab, then copy insertLib.framework to the phone's ~/ directory
$ cd /Users/niujf/Desktop/xxxxxx
$ ls
alipaypwddemo insertLib insertLib.framework
$ scp -r -P 10010 insertLib.framework/ root@127.0.0.1:~/
insertLib 100% 66KB 2.3MB/s 00:00
insertLib.h 100% 489 240.1KB/s 00:00
module.modulemap 100% 99 53.0KB/s 00:00
Info.plist 100% 750 265.9KB/s 00:00
Check the home directory on the phone
$ sh usbLogin.sh
iPhone:~ root# cd ~
iPhone:~ root# ls
Application Support Library Media insertLib.framework
How do we get insertLib.framework to execute on the phone? Through the DYLD_INSERT_LIBRARIES environment variable: dyld loads every library listed there into a process it is launching, before the main executable's own code runs, so the +load method fires at startup. It only affects processes started with that variable set, never ones that are already running, and dyld honours it here only because the device is jailbroken (on a stock device dyld discards it for restricted processes).
4. Look at the processes currently running on the phone
iPhone:~ root# ps -A
PID TTY TIME CMD
1 ?? 2:28.91 /sbin/launchd
239 ?? 2:16.00 /usr/sbin/syslogd
242 ?? 0:02.22 /usr/sbin/WirelessRadioManagerd
245 ?? 0:47.66 /usr/libexec/securityd
247 ?? 0:03.42 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataacc
251 ?? 0:06.67 /usr/sbin/wirelessproxd
253 ?? 0:07.34 /usr/libexec/atc
...
5. Pick any program and launch a new instance of it with the library inserted, for example syslogd (this starts a fresh process from the shell; it does not attach to the syslogd already running as PID 239)
iPhone:~ root# DYLD_INSERT_LIBRARIES=insertLib.framework/insertLib /usr/sbin/syslogd
2019-11-14 19:38:29.181 syslogd[2500:220293] ??????????????
The code in insertLib.framework ran: the log line comes from +load, printed by the new syslogd process before its own main() did anything.
dumpdecrypted
An open-source tool on GitHub (stefanesser/dumpdecrypted). It builds a dynamic library, dumpdecrypted.dylib, which is inserted into the target app with DYLD_INSERT_LIBRARIES; its constructor locates the LC_ENCRYPTION_INFO load command in the already-decrypted in-memory image, writes the plaintext pages over a copy of the file on disk and sets cryptid to 0.
1. git clone it, cd into the downloaded directory, and build it with make
cd /Users/niujf/Desktop/xxxxx/dumpdecrypted-master
$ ls
Makefile README dumpdecrypted.c
$ make
....
$ ls
Makefile dumpdecrypted.c dumpdecrypted.o
README dumpdecrypted.dylib
The build produces dumpdecrypted.dylib and dumpdecrypted.o.
The dylib built this way may not work as-is (commonly because it is unsigned; signing it with ldid -S on the device, or with codesign on the Mac, usually fixes that). A patched dumpdecrypted is available here.
2. Copy dumpdecrypted.dylib to the phone
Forward the port first
$ sh usbConnect.sh
Forwarding local port 10010 to remote port 22
Command+T to open a new terminal tab, then copy dumpdecrypted.dylib to the phone's ~/ directory
$ cd /Users/niujf/Desktop/xxx/dumpdecrypted-master
$ ls
Makefile dumpdecrypted.c dumpdecrypted.o
README dumpdecrypted.dylib
$ scp -P 10010 dumpdecrypted.dylib root@127.0.0.1:~/
dumpdecrypted.dylib 100% 209KB 4.4MB/s 00:00
Command+T to open another terminal tab and confirm on the phone that the copy succeeded
$ cd ~
$ sh usbLogin.sh
iPhone:~ root# ls
Application Support Library Media dumpdecrypted.dylib insertLib.framework
3. Find the path of the target app's executable on the phone (launch WeChat first so it shows up)
$ ps -A
...
2461 ?? 0:06.68 /var/mobile/Containers/Bundle/Application/9DB7C1F3-C795-48CB-AE6B-A739E82885CA/WeChat.app/WeChat
...
4. Decrypt: launch the app's executable from the shell with the dylib inserted. Run this from the directory where the dump should end up, because the output file is written to the current working directory.
iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/9DB7C1F3-C795-48CB-AE6B-A739E82885CA/WeChat.app/WeChat
The decryption log:
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000a0cf8(from 0x1000a0000) = cf8
[+] Found encrypted data at address 00004000 of length 99434496 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/9DB7C1F3-C795-48CB-AE6B-A739E82885CA/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
In ~ on the phone, a WeChat.decrypted executable has now been created:
iPhone:~ root# ls
Application Support Library Media WeChat.decrypted dumpdecrypted.dylib
5. Copy WeChat.decrypted to a folder on the desktop
$ scp -P 10010 root@127.0.0.1:~/WeChat.decrypted /Users/niujf/Desktop/xxx
WeChat.decrypted 100% 118MB 12.9MB/s 00:09
Inspect WeChat.decrypted: cryptid is 0, so the decryption is complete.
$ cd /Users/niujf/Desktop/xxx
$ ls
WeChat.decrypted
$ otool -l WeChat.decrypted | grep crypt
WeChat.decrypted:
cryptoff 16384
cryptsize 99434496
cryptid 0
frida-ios-dump (decryption in one command)
This tool builds on Frida: it injects JavaScript into the running app to dump the decrypted image from memory, then a Python script pulls the result to the computer and packages it as an ipa file.
1. Check the Python version (macOS ships one; this walkthrough uses the system Python 2.7)
$ python -V
Python 2.7.10
2. Install pip
$sudo easy_install pip
...
$ pip -V
pip 19.3.1 from /Library/Python/2.7/site-packages/pip-19.3.1-py2.7.egg/pip (python 2.7)
3. Install frida
$ sudo pip install frida-tools
If you hit the following error:
ERROR: Cannot uninstall 'six'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.
run this command:
$ sudo pip install six --upgrade --ignore-installed six
then install again:
$ sudo pip install frida-tools
...
Successfully installed frida-tools-5.2.0 prompt-toolkit-2.0.10 pygments-2.4.2
4. Install Frida on the phone (add Frida's Cydia source, https://build.frida.re, and install the Frida package from it)
5. Configure frida-ios-dump on the Mac
Download the script:
sudo mkdir /opt/dump && cd /opt/dump && sudo git clone https://github.com/AloneMonkey/frida-ios-dump
Install its dependencies:
sudo pip install -r /opt/dump/frida-ios-dump/requirements.txt --upgrade
6. Edit the settings in dump.py
$ sudo vim /opt/dump/frida-ios-dump/dump.py
Change the SSH settings to the following (the same values as the SSH alias set up in iOS逆向-越獄(Ⅹ)). 'alpine' is the factory root password of a jailbroken iPhone; if you changed it, as you should, put your own password here:
User = 'root'
Password = 'alpine'
Host = 'localhost'
Port = 10010
7. Forward the port
$ sh usbConnect.sh
Forwarding local port 10010 to remote port 22
8. List the running processes to confirm Frida can see the phone
$ frida-ps -U
PID Name
---- --------------------------------------------------------
2290 Cydia
2789 SafariViewService
2311 ScreenshotServicesService
2883 微信
2536 支付寶
2534 設(shè)置
2505 郵件
9. Decrypt
$ cd /xxx   // any folder, e.g. one created on the desktop, to hold the generated ipa
$ /opt/dump/frida-ios-dump/dump.py 微信   // the display name from frida-ps or the bundle ID both work
The decryption log:
Start the target app 微信
Dumping 微信 to /var/folders/2r/gswfk35n5938fbdhf6s4xw_c0000gp/T
[frida-ios-dump]: mars.framework has been loaded.
[frida-ios-dump]: OpenSSL.framework has been loaded.
[frida-ios-dump]: andromeda.framework has been loaded.
[frida-ios-dump]: matrixreport.framework has been loaded.
[frida-ios-dump]: ProtobufLite.framework has been loaded.
[frida-ios-dump]: marsbridgenetwork.framework has been loaded.
start dump /var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/WeChat
WeChat.fid: 100%|██████████| 122M/122M [00:05<00:00, 21.9MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/OpenSSL.framework/OpenSSL
OpenSSL.fid: 100%|██████████| 2.38M/2.38M [00:00<00:00, 14.8MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/ProtobufLite.framework/ProtobufLite
ProtobufLite.fid: 100%|██████████| 137k/137k [00:00<00:00, 2.09MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/marsbridgenetwork.framework/marsbridgenetwork
marsbridgenetwork.fid: 100%|██████████| 2.40M/2.40M [00:00<00:00, 14.2MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/matrixreport.framework/matrixreport
matrixreport.fid: 100%|██████████| 469k/469k [00:00<00:00, 7.17MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/andromeda.framework/Andromeda
andromeda.fid: 100%|██████████| 8.61M/8.61M [00:00<00:00, 20.5MB/s]
start dump /private/var/containers/Bundle/Application/765305E6-F74E-4371-8255-E378BBD747FA/WeChat.app/Frameworks/mars.framework/mars
mars.fid: 100%|██████████| 9.70M/9.70M [00:00<00:00, 15.6MB/s]
Expression_46@2x.png: 230MB [00:19, 12.2MB/s]
0.00B [00:00, ?B/s]Generating "微信.ipa"
0.00B [00:00, ?B/s]
10. Unzip the generated ipa and check whether the executable inside is decrypted
$ ls
微信.ipa
$ unzip -q 微信.ipa && cd Payload/WeChat.app
$ otool -l WeChat | grep crypt
cryptoff 16384
cryptsize 99434496
cryptid 0
Decryption succeeded!
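All three tools end with the same check, otool -l ... | grep crypt after Clutch, after dumpdecrypted and after frida-ios-dump, and two of the log lines above, Clutch's "Patched cryptid" and dumpdecrypted's "Setting the LC_ENCRYPTION_INFO->cryptid to 0", describe one and the same header edit. The following is an added example, not code from any of those projects, that reads the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command directly from a thin or fat Mach-O, reports cryptoff/cryptsize/cryptid per architecture slice, walks an .ipa for every Mach-O inside it, and clears cryptid the way the dumpers do. The sample binaries and the sample ipa it builds are constructed for the demo and are not real app files; patch_cryptid only rewrites the header, it does not decrypt anything (the plaintext pages come from memory, as the dynamic-decryption section explains).

```python
import struct
import zipfile
import io

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin Mach-O, little-endian on ARM
FAT_MAGIC = 0xCAFEBABE                              # fat header, always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def _slices(data):
    """Yield (offset, size) of each Mach-O slice: one for a thin file, N for a fat one."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(data)


def encryption_info(data):
    """For each slice return (arch, cryptoff, cryptsize, cryptid, file offset of cryptid).
    A slice that carries no LC_ENCRYPTION_INFO command is reported with None fields."""
    result = []
    for base, _size in _slices(data):
        magic, cputype, _subtype, _filetype, ncmds = struct.unpack("<5I", data[base:base + 20])
        if magic == MH_MAGIC_64:
            pos = base + 32                     # sizeof(struct mach_header_64)
        elif magic == MH_MAGIC:
            pos = base + 28                     # sizeof(struct mach_header)
        else:
            raise ValueError("no Mach-O header at offset %#x" % base)
        arch = CPU_NAMES.get(cputype, hex(cputype))
        found = (arch, None, None, None, None)
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                # struct encryption_info_command{,_64}: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
                cryptoff, cryptsize, cryptid = struct.unpack("<III", data[pos + 8:pos + 20])
                found = (arch, cryptoff, cryptsize, cryptid, pos + 16)
                break
            pos += cmdsize
        result.append(found)
    return result


def is_decrypted(data):
    """True when no slice is still flagged encrypted (cryptid == 1 means FairPlay-encrypted)."""
    return all(info[3] in (None, 0) for info in encryption_info(data))


def patch_cryptid(data):
    """Return a copy with cryptid cleared in every slice. This is the header edit the dumpers
    perform after writing the plaintext pages back; on its own it decrypts nothing."""
    buf = bytearray(data)
    for info in encryption_info(data):
        if info[3]:
            struct.pack_into("<I", buf, info[4], 0)
    return bytes(buf)


def check_ipa(ipa):
    """Map every Mach-O inside an .ipa (path or file object) to its encryption_info()."""
    report = {}
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue
            blob = z.read(name)
            # Sniff the magic (thin 32/64-bit little-endian, or fat big-endian)
            if blob[:4] in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
                report[name] = encryption_info(blob)
    return report


# --- constructed sample inputs (not real binaries) ---------------------------

def build_sample(cryptid, size=0x8000):
    """Minimal arm64 MH_EXECUTE with a single LC_ENCRYPTION_INFO_64 covering one 16 KiB page."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    return (hdr + lc).ljust(size, b"\0")


def build_fat(thin_slices):
    """Fat wrapper around thin slices, all tagged arm64 for the demo."""
    header = struct.pack(">II", FAT_MAGIC, len(thin_slices))
    body, offset = b"", 8 + 20 * len(thin_slices)
    for s in thin_slices:
        header += struct.pack(">5I", CPU_TYPE_ARM64, 0, offset + len(body), len(s), 0)
        body += s
    return header + body


def build_sample_ipa(cryptid):
    """In-memory .ipa holding one constructed app binary plus a dummy Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", b'<plist version="1.0"><dict/></plist>')
        z.writestr("Payload/Demo.app/Demo", build_sample(cryptid))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    encrypted = build_sample(1)
    print(encryption_info(encrypted), is_decrypted(encrypted))
    print(encryption_info(patch_cryptid(encrypted)))
    print(check_ipa(build_sample_ipa(0)))
```

On a real dump, check_ipa("微信.ipa") gives the same answer as the otool checks above for the main executable and every framework and extension at once, which matters because Clutch and frida-ios-dump dump the frameworks separately and any one of them can be left behind still flagged cryptid 1.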
Wrapping frida-ios-dump in a script
1. Copy the frida-ios-dump folder into the directory below (the one NJSHELL points to in step 3)
2. Create the script file dumpIPA.sh
3. Configure the environment variable (skip if it is already configured)
$ cd ~/
$ vim .bash_profile
Add the following:
export NJSHELL=/Users/niujf/NJShell
export PATH=$CY_PATH_ROOT:$PATH:$NJSHELL
If no environment variables were configured before, use (note $PATH must be kept, otherwise the system directories drop off the search path):
export PATH=$PATH:$NJSHELL
4. Forward the port
$ sh usbConnect.sh
Forwarding local port 10010 to remote port 22
5. Decrypt with the script
$ cd /Users/niujf/Desktop/xxxx   // the folder that will hold the generated ipa
$ sh dumpIPA.sh 微信