Introduction
The previous article covered static dumping: copying the installed files straight off the phone. Everyone knows that an ipa downloaded from the App Store is encrypted; when it is installed on the phone, iOS decrypts the ipa, and only after that decryption can it be installed on the device.
Background
How are dynamic libraries loaded?
dyld loads them, and a dynamic library can only be loaded by attaching to a process,
so the dynamic library has to be copied onto the phone before it can be loaded at all.
PS: on iOS, dyld honours an environment variable, DYLD_INSERT_LIBRARIES,
which tells a given application process to load the named dynamic library.
Using DYLD_INSERT_LIBRARIES
Create your own dynamic library, DumpdecryptedTest.framework, and add the following code to it:
/** code to add **/
#import <Foundation/Foundation.h>
@implementation DumpdecryptedTest
// +load runs as soon as dyld maps the library into the target process,
// so a log line here proves the injection worked
+ (void)load {
    NSLog(@"DumpdecryptedTest +load called"); // the original post logged a string of emoji here
}
@end
Then copy it to the phone over USB (the port number depends on your usbmuxd forwarding):
$ scp -r -P xxxx DumpdecryptedTest.framework root@localhost:~/
SSH into the phone, set the DYLD_INSERT_LIBRARIES variable for dyld, and pick an application process to attach to; ps -A lists the running ones.
xxxx-iPhone:~ root# DYLD_INSERT_LIBRARIES=DumpdecryptedTest.framework/DumpdecryptedTest /var/containers/Bundle/Application/84BADE72-308A-4267-B071-BFAFA5DF7AF8/xxx.app/xxx
2018-06-14 00:01:27.138 Keep[14090:743264] ??????????????????????????
Abort trap: 6
This is how a dynamic library can be loaded into an app on iOS; loading a library this way does not modify the application's own code.
How dynamic-library dumping works:
A program that is already executing has been mapped into memory, and a running program must already be decrypted. So write a dynamic library, attach it to that program, and copy the program's Mach-O image out.
Download and build dumpdecrypted, then copy it to the phone's ~/ directory
First download dumpdecrypted.
Once downloaded, enter its directory and build it directly:
dumpdecrypted directory$ make
This produces a dumpdecrypted.dylib file.
Dumping with dumpdecrypted
xxx-iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/84BADE72-308A-4267-B071-BFAFA5DF7AF8/xxx.app/xxx
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100018f78(from 0x100018000) = f78
[+] Found encrypted data at address 00004000 of length 44007424 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/84BADE72-308A-4267-B071-BFAFA5DF7AF8/xxx.app/xxx for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening Keep.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset f78
[+] Closing original file
[+] Closing dump file
xxx-iPhone:~ root# ls
Application\ Support/ Containers/ DumpdecryptedTest.framework/ xxx.decrypted Library/ Media/ dumpdecrypted.dylib*
A new file, xxx.decrypted, has appeared: this is the decrypted Mach-O you were after.
Move this Mach-O into the Media folder under the mobile user so that iFunbox can copy it to the desktop:
xxxx-iPhone:~ root# mv xxx.decrypted /User/Media/
Drag it to the desktop.
You can of course also copy it with a command:
xxx $ scp -P 3456 root@localhost:/User/Media/xxx.decrypted ~/Desktop
xxx.decrypted 100% 52MB 11.3MB/s 00:04
Checking the encryption info
xxx $ otool -l xxx.decrypted | grep crypt
xxx.decrypted:
cryptoff 16384
cryptsize 44007424
cryptid 0
cryptid 0 confirms that the binary is decrypted.
Pitfalls
The generated dumpdecrypted.dylib cannot be loaded
Error message:
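The otool check above greps the three fields out by hand. As an added example that is not part of the original post, the following Python script walks the load commands of a thin Mach-O image and reads LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 directly, so the cryptid state of a dump (or of any binary you are handed) can be verified without otool. The build_sample() header it constructs is test data with made-up names and the cryptoff/cryptsize values from the otool output above; it is not a real application binary.

```python
import struct
import sys

# Mach-O constants (values from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE          # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, little-endian
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same fields plus 4 bytes of padding
LC_UUID = 0x1B
CPU_TYPE_ARM64 = 0x0100000C    # CPU_TYPE_ARM | CPU_ARCH_ABI64
MH_EXECUTE = 2


def encryption_info(data):
    """Walk the load commands of a thin (non-fat) Mach-O image and return the
    fields of LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, or None if absent.
    cryptid_offset is the file offset of the cryptid field itself, the
    "offset to cryptid" that dumpdecrypted reports and later sets to 0."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32   # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O image (fat binaries are not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset = header_size
    end = header_size + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        # Reject sizes that would walk past the declared command area or the buffer
        if cmdsize < 8 or offset + cmdsize > end or offset + cmdsize > len(data):
            raise ValueError("malformed load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cryptid_offset": offset + 16}
        offset += cmdsize
    return None


def is_encrypted(data):
    """True when the image still carries encrypted pages (cryptid != 0)."""
    info = encryption_info(data)
    return info is not None and info["cryptid"] != 0


def build_sample(cryptid):
    """Constructed test data: a minimal arm64 MH_EXECUTE header with an LC_UUID and an
    LC_ENCRYPTION_INFO_64 whose cryptoff/cryptsize match the otool output in the post."""
    lc_uuid = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    lc_enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                         16384, 44007424, cryptid, 0)
    cmds = lc_uuid + lc_enc
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # Usage: python3 check_cryptid.py <mach-o file>; with no argument the sample is checked
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample(1)
    info = encryption_info(blob)
    if info is None:
        print("no LC_ENCRYPTION_INFO load command")
    else:
        print("cryptoff %d cryptsize %d cryptid %d (field at file offset 0x%x)"
              % (info["cryptoff"], info["cryptsize"], info["cryptid"], info["cryptid_offset"]))
```

The script deliberately handles only thin images, the form the dumper writes; a fat (multi-architecture) binary starts with a different magic and would need each slice parsed separately. The bounds checks on cmdsize matter in practice, because a tampered header can otherwise make a naive walker read far outside the load-command area.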
xxx-iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/84BADE72-308A-4267-B071-BFAFA5DF7AF8/xxx.app/xxx
/** error output **/
dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found. Did find:
dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'
/private/var/root/dumpdecrypted.dylib: required code signature missing for '/private/var/root/dumpdecrypted.dylib'
Abort trap: 6
Solution
Code-sign the dynamic library with a developer identity from your keychain:
xxx $ security find-identity -v -p codesigning
.....
xxx $ codesign -fs "iPhone Developer: edwards wen (LLG76ELTRW)" DumpdecryptedTest.framework
DumpdecryptedTest.framework: replacing existing signature
Some readers may wonder: once I have the Mach-O file, how do I get something I can install on the iPhone? Locate the running app's bundle path first:
$ ps -A
/private/var/containers/Bundle/Application/84BADE72-308A-4267-B071-BFAFA5DF7AF8/xxx.app
Copy that whole *.app bundle out; its path is the one printed above.