Decrypting App Store Binaries (砸壳)

Author: 风轻知道 | Published 2018-03-15 15:04, read 10 times

    Preface

    The decryption ("shell-cracking") tool used here is dumpdecrypted. Its principle: the app is made to preload dumpdecrypted.dylib; once the program is running, the loader has already decrypted the code in memory, and the library then dumps the whole decrypted program out of memory to a file.

    iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/dumpdecrypted.dylib  /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat
    
    

    First use dumpdecrypted to decrypt the encrypted ipa package, then use class-dump to export its header files.

    Steps for decrypting:

    1. Find the directory of the app's binary;
    2. Find the app's Documents directory;
    3. Copy the dumping tool dumpdecrypted.dylib into that Documents directory; // so the tool has write permission there
    4. Dump.

    The dynamic library dumpdecrypted.dylib is injected through the DYLD_INSERT_LIBRARIES environment variable.
    

    Next, the executable is actually dumped.

    Procedure

    SSH into the connected iPhone (make sure the iPhone and the Mac are on the same LAN). The default OpenSSH root password is alpine.

    1. Find the directory of the binary

    iPhone:~ root# ps -e |grep WeChat
      405 ??         0:01.72 /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat
    36068 ttys000    0:00.00 grep WeChat
    

    Or:

    iPhone:~ root#  ps -e | grep /var/mobile
     7691 ??        13:22.82 /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat
     7836 ttys000    0:00.01 grep /var/mobile
    

    Apps downloaded and installed from the App Store are all located under /var/mobile/..Applications.

    2. Find the app's Documents directory
    Inject into the target process with Cycript:

    iPhone:~ root# cycript -p WeChat
    cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
    @"/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents"
    

    Or use:

    iPhone:~ root# cycript -p WeChat
    cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
    #"file:///var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/"
    
    NSHomeDirectory() can also be used to locate the Documents directory (it returns the app's sandbox home, under which Documents lives). For the dump, dumpdecrypted.dylib must be copied into the target app's Documents directory.
    

    3. dumpdecrypted

    Obtaining dumpdecrypted.dylib

    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ ls
    Makefile    README      dumpdecrypted.c
    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ make
    `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
    `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ ls -a
    .           README          dumpdecrypted.o
    ..          dumpdecrypted.c
    Makefile        dumpdecrypted.dylib
    

    Use scp to copy the file into the corresponding directory on the iOS device:

    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp ./dumpdecrypted.dylib root@192.168.2.212://var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents
    root@192.168.2.212's password: 
    dumpdecrypted.dylib                                                                                                                                    100%  193KB  64.0KB/s   00:03    
    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ 
    

    Dumping

    Inject the dynamic library dumpdecrypted.dylib through the DYLD_INSERT_LIBRARIES environment variable:

    DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo
    
    

    The first path is the dylib; the target path is the app's binary.

    iPhone:~/Documents root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat
    mach-o decryption dumper
    
    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
    
    [+] detected 64bit ARM binary in memory.
    [+] offset to cryptid found: @0x100030ca8(from 0x100030000) = ca8
    [+] Found encrypted data at address 00004000 of length 56770560 bytes - type 1.
    [+] Opening /private/var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a FAT image - searching for right architecture
    [+] Correct arch is at offset 62078976 in the file
    [+] Opening WeChat.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3b34ca8
    [+] Closing original file
    [+] Closing dump file
    iPhone:~/Documents root# ls -a
    .  ..  WeChat.decrypted  baiduplist  cfg  vmp
    

    The decrypted file, WeChat.decrypted, is written to the current directory.

    Copy WeChat.decrypted to the computer with scp; next we will properly dump WeChat's executable and load it into Hopper.
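The log above reports where LC_ENCRYPTION_INFO->cryptid lives (0xca8 into the arm64 slice, which starts at file offset 62078976 = 0x3b34000, hence "offset 3b34ca8") and that the dumper clears it to 0. The following is an added example, not code from the original post or from the dumpdecrypted project: a small Mach-O parser that walks FAT images slice by slice, reads the LC_ENCRYPTION_INFO(_64) fields, and reports whether a binary is still FairPlay-encrypted (cryptid == 1) or has been dumped (cryptid == 0), the same check an app-integrity routine or an analyst would run on a file like WeChat.decrypted. The sample image is constructed inline and is not a real app.

```python
import struct

# Mach-O / FAT constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C

def thin_encryption_info(blob, base=0):
    """Walk one Mach-O slice's load commands; return the LC_ENCRYPTION_INFO(_64)
    fields, or None if the slice carries no such command."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    ncmds = struct.unpack("<I", blob[16:20])[0]
    off = 32 if magic == MH_MAGIC_64 else 28          # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", blob[off + 8:off + 20])
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_offset": off + 16,             # relative to the slice
                    "cryptid_file_offset": base + off + 16}  # the byte the dumper patches
        off += cmdsize
    return None

def encryption_info(blob):
    """Return [(slice_offset, info)] for a thin image, or one entry per FAT slice."""
    if struct.unpack(">I", blob[:4])[0] != FAT_MAGIC:
        return [(0, thin_encryption_info(blob))]
    nfat = struct.unpack(">I", blob[4:8])[0]
    slices = []
    for i in range(nfat):                                 # fat_arch entries are big-endian
        _cpu, _sub, off, size, _align = struct.unpack(">5I", blob[8 + 20 * i:28 + 20 * i])
        slices.append((off, thin_encryption_info(blob[off:off + size], base=off)))
    return slices

def is_decrypted(blob):
    """True when no slice is still FairPlay-encrypted: a pristine App Store binary has
    cryptid == 1, a dumped one such as WeChat.decrypted has cryptid == 0."""
    return all(info is None or info["cryptid"] == 0 for _, info in encryption_info(blob))

def build_sample(cryptid=1):
    """Constructed test image (not a real app): FAT wrapper with one arm64 slice at
    offset 0x1000 holding an empty LC_SEGMENT_64 followed by LC_ENCRYPTION_INFO_64."""
    seg = struct.pack("<II", 0x19, 72) + b"\0" * 64                    # LC_SEGMENT_64, 72 bytes
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    thin = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(seg) + len(enc), 0, 0) + seg + enc
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x1000, len(thin), 12)
    return fat.ljust(0x1000, b"\0") + thin
```

Run `encryption_info(open("WeChat.decrypted", "rb").read())` on a real dump to see the same cryptoff/cryptsize pair the tool printed, with cryptid now 0.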

    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp root@192.168.2.212:/var/root/Documents/WeChat.decrypted  /Users/devzkn/Downloads/dumpdecrypted-master
    root@192.168.2.212's password: 
    WeChat.decrypted                                   52%   67MB   1.2MB/s   00:52 ETA
    
    

    If the file cannot be found, run the dump once more:

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat
    
    

    On iOS 9.2 and later the dump above fails; you must first run su mobile.

    1. Error message

      Killed: 9
    

    2. Screenshot of the error (image not reproduced)

    3. Solution:

       Reference: http://iosre.com/t/make-dumpdecrypted-work-on-ios-9-3-3/4876
    
       After connecting to your device remotely, first run su mobile, then perform the dump.
    
       A. Prepare dumpdecrypted and compile it.
    
       B. SSH into your device: ssh root@<device IP>
    
       C. Run: su mobile
    
       D. Find the path of the app to dump: ps -e | grep AppName
    
       E. Find the app's Documents path: hook the app with cycript -p AppName, then run [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] to print the path.
    
       F. Copy dumpdecrypted.dylib into the Documents path found in step E.
    
       G. Run the dump, using WeChat as the example:
    

    DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/25025AC7-6BFD-4F00-B2A4-67D96AD0D35A/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/AD21CDC7-208E-48E6-B739-9448C64F7907/WeChat.app/WeChat

    Dumping WeChat on the current test device

    WeChat

    app:
    /var/containers/Bundle/Application/421BB869-22EE-49E2-81D9-16B861A861C5/WeChat.app/WeChat

    Documents:
    /var/mobile/Containers/Data/Application/E2758B49-8B4F-4A9E-884C-B9C177519819/Documents/

    Dump:

    DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/E2758B49-8B4F-4A9E-884C-B9C177519819/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/421BB869-22EE-49E2-81D9-16B861A861C5/WeChat.app/WeChat

    After dumping: class-dump

    1. First copy WeChat.decrypted to the Mac; iFunBox can be used for this.
    2. Dump the header files with class-dump:
    YMMacMini:~ yongming$ classdump/class-dump -SsH classdump/WeChat.decrypted -o /Users/yongming/Downloads/WeChat

    Installing Theos

    https://blog.csdn.net/app_ios/article/details/52596230

    Debugging with Hopper and lldb

    https://www.cnblogs.com/ludashi/p/5730338.html

    Connecting to a jailbroken phone over usbmuxd, no Wi-Fi required

    https://blog.csdn.net/glt_code/article/details/65444592
    The key point here: after the port forwarding is configured, open a second Terminal window for the ssh connection.

    • In the python-client directory: python tcprelay.py -t 22:2222
    • In the other window: ssh root@localhost -p 2222


    Article link: https://www.haomeiwen.com/subject/fdshqftx.html