1.介绍
dumpdecrypted 是一个开源的工具,它会注入可执行文件中,动态的从内存中dump解密后的内容。
2.原始版dumpdecrypted使用
2.1下载以及编译dumpdecrypted
从github下载源代码并且编译:
MacBookPro:dumpdecrypted lemon$ git clone https://github.com/stefanesser/dumpdecrypted.git
Cloning into 'dumpdecrypted'...
remote: Counting objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Unpacking objects: 100% (31/31), done.
MacBookPro:dumpdecrypted lemon$ cd dumpdecrypted/
MacBookPro:dumpdecrypted lemon$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
2.2 用PS命令定位待解密的可执行文件
MacBookPro:~ lemon$ ssh 5s
lemons-iPhone5S:~ root# ps -e | grep /var
481 ?? 0:05.44 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
6707 ?? 0:06.07 /var/containers/Bundle/Application/4503A878-7B82-46C3-B938-8D8719A6D78E/Friday.app/Friday
6715 ttys000 0:00.01 grep /var
2.3 获取目标APP的document目录
lemons-iPhone5S:~ root# cat /var/containers/Bundle/Application/4503A878-7B82-46C3-B938-8D8719A6D78E/Friday.app/Info.plist | grep CFBundleIdentifier -A 1
<key>CFBundleIdentifier</key>
<string>com.xtuone.Friday</string>
2.4 将dylib复制到document目录
2.4.1 通过私有api获取目标app的document目录
新建一个xcode项目,将以下代码复制到APPDelegate的application:didfinishLaunchingWithOptions:下,然后运行项目,就可以在控制器输出document的目录
NSString *bundleId = @"com.xtuone.Friday";
NSURL *url = [[NSClassFromString(@"LSApplicationProxy") performSelector:@selector(applicationProxyForIdentifier:) withObject:bundleId]performSelector:@selector(dataContainerURL)];
NSLog(@"%@",[url.absoluteString stringByAppendingString:@"/Documents"]);
通过以上代码获得的document目录是:/var/mobile/Containers/Data/Application/06B16FDB-4EA1-4093-A729-613111061798/Documents
2.4.2 通过cycript获取目标app的document目录
lemons-iPhone5S:~ root# cycript -p 6707
cy# [[NSBundle mainBundle]bundleIdentifier]
@"com.xtuone.Friday"
cy# NSHomeDirectory()
@"/var/mobile/Containers/Data/Application/06B16FDB-4EA1-4093-A729-613111061798"
cy#
2.4.3 复制dumpdecrypted.dylib到上述的document路径中
scp -P 2222 dumpdecrypted.dylib root@localhost:/var/mobile/Containers/Data/Application/06B16FDB-4EA1-4093-A729-613111061798/Documents
2.5 解密
通过DYLD_INSERT_LIBRARIES注入解密
3 通过frida-ios-dump 来给应用脱壳
4 Clutch
clutch同样是一个开源解密工具,与dumpdecrypted不同的是,Clutch会生成一个新的进程,然后暂停进程并且dump内存来生成新的ipa。
4.1 下载并编译Clutch
git clone https://github.com/KJCracks/Clutch
下载完成之后用xcode打开工程,设置Debug生成所有的架构,设置Build Active Architecture 为 NO ,选择真机设备 command+B 编译。编译完成之后在本地的Build文件夹里面会有一个Clutch的命令行文件
4.2 将文件复制到设备中
使用如下命令,把生成的Build/Clutch复制到设备/usr/bin目录下,并且设置可执行权限。
scp -P 2222 root@localhost:/usr/bin
ssh 5s
chmod +x /usr/bin/Cluch
4.3 Clutch解密
SSH到越狱设备,使用Clutch -i 运行获取目标target的BundleID
使用Clutch -b target.BundleID来解密
lemons-iPhone5S:~ root# Clutch -b com.xtuone.Friday
2018-06-21 16:46:11.732 Clutch[6958:1126993] command: Only dump binary files from specified bundleID
Zipping Friday.app
Dumping <FridayExtensionOC> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
2018-06-21 16:46:12.872 clutch[6960:1127016] command: Only dump binary files from specified bundleID
Failed to dump framework (null) :(
Dumping <Friday> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping lame.framework
Zipping FridayExtensionOC.appex
DONE: /private/var/mobile/Documents/Dumped/com.xtuone.Friday-iOS8.0-(Clutch-(null)).ipa
Finished dumping com.xtuone.Friday in 20.8 seconds
5 总结
给应用砸壳实际上有两种方法,一种是基于DYLD_INSERT_LIBRARIES环境变量将动态库注入到目标进程,然后dump内存。另外一种是通过posix_spawnp创建一个进程,然后dump内存。
网友评论