App Store中下載的程序是加密后的,為了能夠獲取目標(biāo)程序的類信息以便之后修改源碼狡刘,我們需要對(duì)應(yīng)用程序做一個(gè)解密,也就是砸殼。
硬件設(shè)備需要有一臺(tái)越獄手機(jī)和一臺(tái)裝了開發(fā)環(huán)境的mac電腦易核。
以下以 微信 為例,進(jìn)行操作浪默。
1. 遠(yuǎn)程連接iphone
iphone 本質(zhì)也是一臺(tái)linux設(shè)備牡直,所以可以用登錄服務(wù)器的方式連接iphone缀匕。具體操作如下:
連到同一個(gè)wifi,在 設(shè)置-無線局域網(wǎng) 中查看iphone的ip碰逸,我這里是 192.168.1.116
-
使用 ssh 命令登錄服務(wù)器
ssh root@192.168.1.116登錄過程中需要輸入服務(wù)器密碼乡小,ios 默認(rèn)密碼為
alpine
2. 找到app路徑和Document路徑
-
用ssh連接上iOS設(shè)備后,我們打開想要砸殼的app饵史,輸入
ps -e满钟,就可以在進(jìn)程中找到這個(gè)app的二進(jìn)制文件的地址:9281 ?? 0:02.65 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ``` **9281** 為微信的進(jìn)程名,可執(zhí)行文件目錄為 ***/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat*** -
用 Cycript 找出 TargetApp 的 Documents 目錄路徑
admin:~ root# cycript -p 9281 cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] #"file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/"cycript -p processprocess 為第一步中拿到的進(jìn)程名胳喷!
cycript -p processprocess 為第一步中拿到的進(jìn)程名湃番!
cycript -p processprocess 為第一步中拿到的進(jìn)程名!現(xiàn)在得到 微信 的 Document 目錄
file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/也可以用PP助手類的工具直接獲得Document目錄
3. 編譯dumpdecrypted
dumpdecrypted 工具就是要用的砸殼工具吭露。他的原理是讓app預(yù)先加載一個(gè)解密的dumpdecrypted.dylib牵辣,然后在程序運(yùn)行后,將代碼動(dòng)態(tài)解密奴饮,最后在內(nèi)存中dump出來整個(gè)程序纬向。
首先下載dumpdecrypted源代碼,項(xiàng)目地址 https://github.com/stefanesser/dumpdecrypted
切到dumpdecrypted目錄戴卜,直接使用
make命令編譯
Baiya:Ios baiya$ cd dumpdecrypted/
Baiya:dumpdecrypted baiya$ ls
Makefile README dumpdecrypted.c
Baiya:dumpdecrypted baiya$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
即可得到dumpdecrypted.dylib文件逾条。
一般SDK是向下兼容的,保證SDK版本與越獄設(shè)備的版本一致或者高于越獄設(shè)備版本即可投剥。
使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本师脂。
如下:SDK版本是9.3。因?yàn)樵O(shè)備是iOS 8.4江锨,所以沒問題
Baiya:dumpdecrypted baiya$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk
-
常見錯(cuò)誤
4. 砸殼
-
將生成的
dumpdecrypted.dylib拷貝到設(shè)備目錄吃警,可以用scp命令或PP助手等Baiya:dumpdecrypted baiya$ scp dumpdecrypted.dylib root@192.168.1.116:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/ root@192.168.1.116's password: dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00 -
進(jìn)入
Document目錄下面,執(zhí)行DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib相關(guān)的命令admin:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] detected 32bit ARM binary in memory. [-] This mach-o file is not encrypted. Nothing was decrypted.因?yàn)椴┲餮b的是沒有加密的23333
正常是:
iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading. [+] Reading header [+] Detecting header type [+] Executable is a FAT image - searching for right architecture [+] Correct arch is at offset 2408224 in the file [+] Opening Scan.decrypted for writing. [-] Failed opening. Most probably a sandbox issue. Trying something different. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing. [+] Copying the not encrypted start of the file [+] Dumping the decrypted data into the file [+] Copying the not encrypted remainder of the file [+] Closing original file [+] Closing dump file會(huì)生成app砸殼后的文件
xx.decrypted. 這里就是WeChat.decrypted啄育。如果是沒有加密的酌心,直接使用WeChat即可
取出解密后程序
還是scp命令或者PP助手
Baiya:dumpdecrypted baiya$ scp root@192.168.1.116:/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ~/Desktop/
root@192.168.1.116's password:
WeChat 100% 97MB 2.2MB/s 00:45
查看APP信息
-
查詢架構(gòu)
file appBaiya:Desktop baiya$ file WeChat WeChat: Mach-O universal binary with 2 architectures WeChat (for architecture armv7): Mach-O executable arm WeChat (for architecture arm64): Mach-O 64-bit executable微信支持兩種架構(gòu) armv7 和 arm64
-
查詢下它的加密情況
otool -l 主文件名 | grep cryptBaiya:Desktop baiya$ otool -l WeChat | grep crypt cryptoff 16384 cryptsize 40910848 cryptid 0 cryptoff 16384 cryptsize 43974656 cryptid 0cryptid 1代表加密,cryptid 0代表未加密挑豌。兩個(gè)分別對(duì)應(yīng)著armv7和arm64安券,也就是它們都沒有加密。
參考鏈接:
iOS逆向之dumpdecrypted的使用
iOS逆向 - Cycript基本用法
iOS逆向 - dumpdecrypted工具砸殼
用dumpdecrypted給App砸殼
iOS逆向之IPA脫殼
iOS 冰與火之歌番外篇 - App Hook 答疑以及 iOS 9 砸殼
