iOS Reverse Engineering: A Brief Analysis

Author: 天下林子 | Published 2018-05-05 14:43, read 1038 times

    iOS reverse engineering

    I had just joined a new company when one of the senior engineers handed me a research topic straight away. I was completely lost, /(ㄒoㄒ)/~~ I wanted to cry, but that is just how the world is, so I gritted my teeth and followed orders -----> I did the research and am sharing it here for anyone who needs it. If anything is lacking, please point it out. Thanks, everyone, O(∩_∩)O haha~

    Preface

    1. iOS reverse engineering is the process of reverse analysis at the software level. To become strong at reverse-analysing iOS software you should ideally know the hardware makeup of iOS devices and how the iOS system works very well, and have plenty of iOS development experience: for example, given an App, being able to infer clearly which technologies it uses, including which frameworks it links, which classic third-party code it includes, and roughly how many files the whole project contains.
    2. Reverse engineering serves two main purposes: first, breaking into the target program to obtain key information, which counts as security-related reverse engineering; second, borrowing the functionality of other people's programs to develop your own software, which counts as development-related reverse engineering.
    3. Security-related iOS reverse engineering
      The most prominent application area of iOS reverse engineering is security, for example: reversing a financial App to assess its security level; security experts reversing iOS malware to find a way to remove it; security companies reversing the iOS phone and SMS functions to build a mobile firewall.

    a. Assessing the security level
    Apps with transaction features on iOS generally encrypt sensitive data first and then store the encrypted data locally or send it over the Internet; with insufficient security awareness, however, it is entirely possible that important information is stored or transmitted in plaintext, which is a major security risk. An App may defend against low-level attacks like an iron wall, yet it cannot stop a higher-level reverse-engineering attack. That alone does not mean the App is insecure, because all use of iOS reverse engineering rests on one precondition: a jailbroken iOS device. In that environment we use these reverse-engineering techniques to analyse and count the attackable points in the target App; the fewer there are, the safer it is.

    b. Reversing malware
    iOS is a smart mobile terminal operating system and is not fundamentally different from a desktop operating system. Malware uses reverse engineering to locate vulnerabilities in the system and in software, exploits them to penetrate the target host, and obtains sensitive data.

    4. Development-related iOS reverse engineering
      Developers can reverse system calls in order to use private features not mentioned in the documentation in their own programs, and can also reverse classic software.
      a. Reversing system calls
      Software written by developers can run in the operating system and offer all kinds of features because the operating system already has those features built in; the software merely recombines and uses them. The vast majority of Apps are implemented from the public development documentation and cannot use features the documentation does not cover, such as locking the screen or powering off. If your program targets Cydia, not using non-public features leaves it with almost no competitive edge, so you can reverse iOS system calls, recover the code with which the system implements the corresponding feature, and apply it in your own program.
      b. Borrowing from other software
      The most popular use of reverse engineering is "borrowing" features from other people's software.

    I. iOS jailbreaking

    Untethered and tethered jailbreaks

    Untethered jailbreak (完美越狱): after jailbreaking, the iPhone can be shut down and restarted normally.
    Tethered jailbreak (不完美越狱): once the iPhone is shut down and turned on again, the screen stays stuck on the boot screen, the so-called "white Apple" state; or it boots normally but the installed cracked software no longer works, and the device must be connected to a PC and booted with a tool before it can be used. Generally, after Apple releases new iOS firmware, a tethered jailbreak for that firmware is released first and an untethered one may follow later; for newer system versions the available jailbreak is usually tethered.

    Recommended jailbreak method
    PP Assistant (PP助手): http://jailbreak.25pp.com/
    PS: depending on the model and system version, some devices can be jailbroken and some cannot
    http://jailbreak.25pp.com/iphone5syueyu/

    How to tell whether the jailbreak succeeded?
    1. Check whether Cydia is on the home screen



    2. Check with a tool (e.g. PP Assistant)



    Installing software with Cydia


    II. Logging in to the iPhone remotely from a Mac

    We often complete tasks on the Mac by typing commands in the terminal. Both iOS and Mac OS X are based on Darwin (Apple's open-source, Unix-based system kernel), so iOS likewise supports command-line operation from a terminal; in reverse engineering, the command line can be used to operate the iPhone.


    Establishing the connection requires SSH and OpenSSH
    SSH: short for Secure Shell, a protocol that secures remote logins. With SSH all transmitted data is encrypted, so a man-in-the-middle attack cannot succeed, and DNS spoofing and IP spoofing are prevented

    OpenSSH: a free, open-source implementation of the SSH protocol. Using OpenSSH, the Mac can log in to the iPhone remotely; during this access the Mac is the client and the iPhone is the server


    The steps for logging in remotely with OpenSSH are as follows

    • The specific steps for using OpenSSH can be found in the package's Description

    The first login method uses WiFi

    Specific steps

    • Make sure the Mac and iPhone are on the same LAN (connected to the same WiFi)
    • In the Mac terminal enter ssh <username>@<server host address>, e.g. ssh root@10.1.1.168 (here the server is the phone); the initial password is alpine
    • After logging in successfully you can operate the iPhone from the terminal command line
    • Log out with exit

    PS: iOS has two commonly used accounts, root and mobile

    • root: the highest-privilege account; HOME is /var/root
    • mobile: an ordinary-privilege account that can only operate on ordinary files and not on others; HOME is /var/mobile
    • Log in as the mobile user: ssh mobile@<server host address>
      The initial login password for both the root and mobile users is alpine

    The second login method: SSH over USB
    • Port 22
    • A port is a window through which a device offers services to the outside world; each port has a port number in the range 0--65535, 2^16 ports in total
    • Some ports are reserved for fixed purposes, e.g. port 21 provides FTP, port 80 provides HTTP and port 22 provides SSH; for more reserved port numbers see the link
    • The iPhone uses port 22 for SSH communication by default, over TCP
    • By default, because SSH runs over TCP, the Mac logs in to the iPhone over the network, which requires the iPhone to be on WiFi. To speed up transfers you can also log in over a USB connection: the Mac has a service program usbmuxd (started automatically at boot) that can carry the Mac's data to the iPhone over USB; its path is /System/Library/PrivateFrameworks/MobileDevice.framework/Resources/usbmuxd
    • Using usbmuxd
    • Download the usbmuxd toolkit, version v1.0.8; what we mainly use is one Python script inside it, tcprelay.py (download link)
    • Map the iPhone's port 22 (the SSH port) to local port 10010 on the Mac
      cd ~/Documents/usbmux-1.08/python-client
      python tcprelay.py -t 22:10010
      The -t flag is there so that several SSH connections can be supported at once. Once the mapping is in place, whenever you want to talk to the iPhone's port 22 you simply talk to the Mac's local port 10010 instead: open a new terminal window and SSH to local port 10010, and usbmuxd forwards the TCP data arriving on the Mac's port 10010 over the USB connection to port 22 on the iPhone. Remote file copies can also go through local port 10010, e.g. scp -P 10010 ~/Desktop/1.txt root@localhost:~/test copies ~/Desktop/1.txt on the Mac to ~/test on the iPhone (/var/root/test, since the login user is root). Note that scp takes the port with a capital -P.
    • First open a terminal and set up the port mapping
      cd to the usbmuxd folder
    • python tcprelay.py -t 22:10010
    • Then open a second terminal
      Attach to the phone
    1. ssh root@localhost -p 10010
    2. Zhanghua123:~ root# cycript -p SpringBoard



    PS: remember not to close the first terminal, otherwise the port mapping is lost
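The exchange that tcprelay.py has with usbmuxd when it maps the iPhone's port 22 to local port 10010, as an added example that is not the page's tcprelay.py nor code from the usbmuxd project: it builds the ListDevices and Connect plist messages, checks the Result reply, and bridges one local connection to the device. The socket path /var/run/usbmuxd and the "example-relay" client name are assumptions, and relay_once() only works on a Mac with usbmuxd running and a device attached.

```python
"""usbmuxd plist protocol: ListDevices, Connect, then a byte relay, mirroring
what tcprelay.py does when it maps the iPhone's port 22 to local port 10010."""
import plistlib
import select
import socket
import struct

USBMUXD_SOCKET = "/var/run/usbmuxd"   # assumed: usbmuxd's UNIX socket on macOS
PLIST_VERSION = 1                      # header version 1 = plist-encoded messages
PLIST_MESSAGE = 8                      # header type 8 = plist payload
HEADER = struct.Struct("<IIII")        # total length, version, type, tag (little-endian)


def pack_message(payload: dict, tag: int) -> bytes:
    """Serialise one request: 16-byte header followed by an XML plist body."""
    body = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    return HEADER.pack(HEADER.size + len(body), PLIST_VERSION, PLIST_MESSAGE, tag) + body

def unpack_message(data: bytes):
    """Parse one message back into (tag, payload dict)."""
    length, version, mtype, tag = HEADER.unpack_from(data)
    if version != PLIST_VERSION or mtype != PLIST_MESSAGE:
        raise ValueError("not a usbmuxd plist message")
    return tag, plistlib.loads(data[HEADER.size:length])

def base_fields(message_type: str) -> dict:
    return {"MessageType": message_type,
            "ClientVersionString": "example-relay",   # free-form client identification
            "ProgName": "example-relay"}

def list_devices_request(tag: int = 1) -> bytes:
    return pack_message(base_fields("ListDevices"), tag)

def swap16(port: int) -> int:
    """usbmuxd reads PortNumber as a 16-bit value in network byte order, so the
    two bytes are swapped before sending: 22 -> 0x1600 == 5632 (tcprelay.py does the same)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)

def connect_request(device_id: int, port: int, tag: int = 2) -> bytes:
    payload = base_fields("Connect")
    payload["DeviceID"] = device_id
    payload["PortNumber"] = swap16(port)
    return pack_message(payload, tag)

def result_ok(reply: dict) -> bool:
    """usbmuxd answers Connect with {"MessageType": "Result", "Number": 0} on success;
    a non-zero Number means the request was refused (e.g. nothing listening on that port)."""
    return reply.get("MessageType") == "Result" and reply.get("Number") == 0

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("usbmuxd closed the connection")
        buf += chunk
    return buf

def recv_message(sock: socket.socket):
    header = recv_exact(sock, HEADER.size)
    length = HEADER.unpack_from(header)[0]
    return unpack_message(header + recv_exact(sock, length - HEADER.size))

def open_device_stream(device_port: int) -> socket.socket:
    """Return a socket that, after a successful Connect, carries the raw TCP bytes
    of device_port on the first device usbmuxd reports."""
    mux = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    mux.connect(USBMUXD_SOCKET)
    mux.sendall(list_devices_request())
    devices = recv_message(mux)[1].get("DeviceList", [])
    if not devices:
        raise RuntimeError("usbmuxd reports no attached device")
    # the same connection carries the Connect request; on success it becomes the data stream
    mux.sendall(connect_request(devices[0]["DeviceID"], device_port))
    reply = recv_message(mux)[1]
    if not result_ok(reply):
        raise RuntimeError("usbmuxd refused Connect: %r" % reply)
    return mux

def relay_once(local_port: int = 10010, device_port: int = 22) -> None:
    """Accept one client on 127.0.0.1:local_port and shuttle bytes both ways,
    the single-session equivalent of `python tcprelay.py 22:10010`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(1)
    client, _ = listener.accept()
    mux = open_device_stream(device_port)
    peers = {client: mux, mux: client}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for src in readable:
            data = src.recv(65536)
            if not data:                      # either side hung up: end the session
                for s in (client, mux, listener):
                    s.close()
                return
            peers[src].sendall(data)
```

Call relay_once() in one terminal and then run ssh root@localhost -p 10010 in another, exactly as with tcprelay.py above.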

    III. Using Cycript

    Cycript is a hybrid of Objective-C++, JavaScript, Java and other syntaxes; it can be used to explore, modify and debug running Mac/iOS Apps

    Official site: http://www.cycript.org/
    Documentation: http://www.cycript.org/manual
    Install Cycript through Cydia, and you can debug Apps running on the iPhone

    Enter the iPhone over the USB connection described above
    Zhanghua123:~ root# ps -e

    Many processes are listed
    Look at the ones whose paths start with /var to see the Apps that are running


    • Basic Cycript syntax
    • Define a variable
    • var <name> = <value>
    • Get an object from a memory address
    • #<memory address>

    • List all loaded Objective-C classes
    • ObjectiveC.classes
    • Show all instance variables of an object
    • *<object>
    • Recursively print all subviews of a view
    • view.recursiveDescription().toString()
    • Filter out objects of a given type
    • choose(UIViewController)
    • choose(UITableViewCell)

    Attach to the phone
    Zhanghua123:~ root# cycript -p SpringBoard

    Create an alert box

    cy# alertView = [[UIAlertView alloc] initWithTitle:@"di yi ge niinag" message:'cai kei djd' delegate:nil cancelButtonTitle:@"OK" otherButtonTitles:nil]
     #"<UIAlertView: 0x10b8d3e80; frame = (0 0; 0 0); layer = <CALayer: 0x170a21100>>"
    cy# [alertView show]
    cy# 
    
    cy# UIApp.keyWindow.rootViewController
    #"<DFNavigationController: 0x10603e000>"
    cy# #0x10603e000.visibleViewController
    #"<ALULoginContainerController: 0x105740200>"
    cy# visible = #0x105740200
    #"<ALULoginContainerController: 0x105740200>"
    cy# visible.childViewController
    cy# *visible
    
    {isa:ALULoginContainerController,_hasOverrideClient:false,_hasOverrideHost:false,_hasInputAssistantItem:false,_overrideTransitioningDelegate:null,_view:#"<UIView: 0x105789110; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x17022fa40>>",_tabBarItem:null,_navigationItem:#"<<UINavigationItem: 0x1741c2ee0>: title:'(null)'>",_toolbarItems:null,_title:null,_nibName:null,_nibBundle:#"NSBundle </var/containers/Bundle/Application/BBAD7933-C1F3-4839-AFF0-49B2A34C81B0/AlipayWallet.app> rideUseCustomPresentation:false,_modalPresentationCapturesStatusBarAppearance:false,_disablesAutomaticKeyboardDismissal:false,_ignoresParentMargins:false,_childViewControllers:@[#"<aluAlipayLoginViewController: 0x10f62a130>"],_customNavigationInteractiveTransitionDuration:0,_customNavigationInteractiveTransitionPercentComplete:0,_customTransitioningView:null,_lastNotifiedTraitCollection:#"<UITraitCollection: 0x1740d7ca0; _UITraitNameUserInterfaceIdiom = Phone, _UITraitNameDisplayScale = 2.000000, 
    
    
    cy# vv = #0x10f62a130
    #"<aluAlipayLoginViewController: 0x10f62a130>"
    cy# vv.subViews
    cy# *vv
    
    {isa:aluAlipayLoginViewController,_hasOverrideClient:false,_hasOverrideHost:false,_hasInputAssistantItem:false,_overrideTransitioningDelegate:null,_view:#"<UIView: 0x1103c4c50; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1059898c0>>",_tabBarItem:null,_navigationItem:#"<<UINavigationIt5510; frame = (0 275; 320 293); autoresize = W; layer = <CALayer: 0x1100aa760>>",_languageBtn:#"<aluLinkButton: 0x110305fa0; baseClass = UIButton; frame = (272 12; 33 19.5); opaque = NO; layer = <CALayer: 0x1059e0940>>",_moreBtn:#"<aluLinkButton: 0x110a34e50; baseClass = UIButton; frame = (16 243; 288 45); opaque = NO; layer = <CALayer: 0x110a55ca0>>",_extraInfo:null,_actionSheet:null,_apRDS:#"<APSecRDS: 0x1740d42e0>",_rdsGotData:null,_backDelegate:null,_monitorPageRef:@"fromloginpw",_intentHandlers:null,_expireTime:null,_isRegBtnOut:false,_smsLoginBtn:#"<aluLinkButton: 0x1103ea3e0; baseClass = UIButton; frame = (189 75; 115 19.5); opaque = NO; tag = 3; layer = <CALayer: 0x1103cd420>>",_findbackPwdBtn:#"<aluLinkButton: 0x1100949d0; baseClass = UIButton; frame = (16 75; 75 19.5); opaque = NO; tag = 3; layer = <CALayer: 0x1100f9270>>",_alipayLoginRPC:null,_alipayLoginResult:null}
    cy# 
    
    
    cy# choose(UITextField)
    [#"<aluTextField: 0x1103e1660; baseClass = UITextField; frame = (83 0; 207 45); text = ''; opaque = NO; autoresize = W; tintColor = UIExtendedSRGBColorSpace 0.0627451 0.556863 0.913725 1; gestureRecognizers = <NSArray: 0x11000e850>; layer = <CALayer: 0x10fdbf1d0>>",#"<aluTextField: 0x1103e2c40; baseClass = UITextField; frame = (83 0; 176 45); text = ''; opaque = NO; autoresize = W; tintColor = UIExtendedSRGBColorSpace 0.0627451 0.556863 0.913725 1; gestureRecognizers = <NSArray: 0x1100c2ff0>; layer = <CALayer: 0x1059cb4f0>>"]
    
    cy# #0x1103e1660.text = 'ge bi lao wang'
    "ge bi lao wang"
    cy# #0x1103e2c40.text = '1234'
    "1234"
    cy# 
    

    If you type Chinese, it has to be converted to Unicode escapes first

    http://tool.chinaz.com/tools/unicode.aspx

    Add a view

    cy# v2 = [[UIView alloc]init]
    #"<UIView: 0x111b90ab0; frame = (0 0; 0 0); layer = <CALayer: 0x11002fe40>>"
    cy# v2.frame
    (extern "C" struct CGRect ":frame"(id, SEL))
    cy# [v2 frame]
    {0:{0:0,1:0},1:{0:0,1:0}}
    cy# v2.frame = {0:{0:0,1:0},1:{0:320,1:200}}
    {0:{0:0,1:0},1:{0:320,1:200}}
    
    cy# [view addSubview: v2]
    cy# v2
    #"<UIView: 0x111b90ab0; frame = (0 0; 320 200); layer = <CALayer: 0x11002fe40>>"
    cy# v2.backgroundColor = [UIColor redColor]
    #"UIExtendedSRGBColorSpace 1 0 0 1"
    cy# 
    
    

    Some libraries packaged for Cycript
    Download the resources from the address below
    https://github.com/CoderMJLee/mjcript
    Then install them under /usr/lib on the device
    Usage is as follows:

    Zhanghua123:~ root# cycript -p SpringBoard
    cy# @import mjcript
    {}
    cy# MJAppId
    @"com.apple.springboard"
    cy# MJAppPath
    @"/System/Library/CoreServices/SpringBoard.app"
    cy# MJDocPath
    @"/var/mobile/Documents"
    cy# MJCachesPath
    @"/var/mobile/Library/Caches"
    cy# 
    

    Clearing the push-notification badge counts of the Apps on the SpringBoard

    1. Log in
    2. Check whether the binary is decrypted (if nothing is printed, it is already decrypted)
    cuilinhaodeMacBook-Pro:~ cuilinhao$ cd Desktop/SpringBoard/
    cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ ls
    Headers     SpringBoard
    cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ otool -l SpringBoard | grep crypt
    cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ class-dump -H SpringBoard -o Headers
    cuilinhaodeMacBook-Pro:SpringBoard cuilinhao$ 
    
    
    3. Enter SpringBoard and import the library
    Zhanghua123:~ root# cycript -p SpringBoard
    cy# @import mjcript
    {}
    
    

    4. Search

    cy# MJRootVc()
    #"<SBHomeScreenViewController: 0x100cb1390>"
    cy# MJChildVcs(#0x100cb1390)
    `<SBHomeScreenViewController 0x100cb1390>, state: appeared, view: <SBHomeScreenView 0x10ac0c700>
       | <SBIconController 0x101067200>, state: appeared, view: <SBIconContentView 0x100eb4cd0>
       |    | <SBRootFolderController 0x10189e800>, state: disappeared, view: <SBFolderContainerView 0x10af2fcd0>
       |    |    | <SBHomeScreenPullDownSearchViewController 0x10ac24c10>, state: disappeared, view: <_SBMultiplexingView 0x10ac25a70>
       |    |    | <SBHomeScreenSearchableTodayViewController 0x10ac25130>, state: disappeared, view: <_SBMultiplexingView 0x10af2ad40>`
    cy# MJSubviews (#0x100cb1390)
    throw new Error("Invalid parameter") /*
        MJSubviews */
    cy# MJSubviews (#0x100cb1390.view)
    `<SBHomeScreenView: 0x10ac0c700; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1702338e0>>
       | <SBIconContentView: 0x100eb4cd0; frame = (0 0; 320 568); clipsToBounds = YES; autoresize = W+H; layer = <CALayer: 0x170426920>>
       |    | <SBFolderContainerView: 0x10af2fcd0; frame = (0 0; 320 568); clipsToBounds = YES; layer = <CALayer: 0x174437de0>>
       |    |    | <SBRootFolderView: 0x10af2c200; frame = (0 0; 320 568); layer = <CALayer: 0x174436080>>
       |    |    |    | <SBSearchBlurEffectView: 0x10af2e920; variant: static; style: LightTintedBlur; frame = (0 0; 320 568); clipsToBounds = YES; alpha = 0; layer = <CALayer: 0x174437b40>>
       |    |    |    |    | <_SBFakeBlurView: 0x10af2ed50; style: LightTintedBlur; frame = (0 0; 320 568); animations = { AlignFakeWallpaperToLayer-0x174231ce0=<CAMatchMoveAnimation: 0x174a29920>; }; layer = <CALayer: 0x174437b60>>
       |    |    |    |    |    | <SBFWallpaperView: 0x10af2f160; frame = (0 0; 320 568); layer = <CALayer: 0x174437b80>>
       |    |    |    |    |    |    | <UIView: 0x10af2f5b0; frame = (0 0; 320 568); layer = <CALayer: 0x174437ba0>>
       |    |    |    |    |    |    |    | <UIImageView: 0x10af2f750; frame = (-26 -64; 372 696); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174437c80>>
       |    |    |    |    | <UIView: 0x10af2f930; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437d40>>
       |    |    |    | <UIView: 0x10af2c5f0; frame = (0 0; 320 568); layer = <CALayer: 0x1744360c0>>
       |    |    |    |    | <SBIconScrollView: 0x10187d800; baseClass = UIScrollView; frame = (0 20; 320 436); autoresize = W+H; gestureRecognizers = <NSArray: 0x174c5dd90>; layer = <CALayer: 0x174436160>; contentOffset: {640, 0}; contentSize: {1280, 436}>
       |    |    |    |    |    | <SBSearchScrollView: 0x10184d400; baseClass = UIScrollView; frame = (0 0; 0 0); clipsToBounds = YES; hidden = YES; gestureRecognizers = <NSArray: 0x174e41b00>; layer = <CALayer: 0x174437860>; contentOffset: {0, 94}; contentSize: {0, 94}>
       |    |    |    |    |    |    | <UIImageView: 0x10ac5a020; frame = (-39 88.5; 36 2.5); alpha = 0; opaque = NO; autoresize = TM; userInteractionEnabled = NO; layer = <CALayer: 0x170431b20>>
       |    |    |    |    |    | <_SBRootFolderLayoutWrapperView: 0x100c78430; frame = (0 -20; 320 568); layer = <CALayer: 0x174437a20>>
       |    |    |    |    |    |    | <_SBMultiplexingView: 0x10af2ad40; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437a40>>
       |    |    |    |    |    |    |    | <_SBMultiplexedHostView: 0x10af2e750; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174437a60>>
       |    |    |    |    |    | <SBRootIconListView 0x10db31310: frame = {{320, 0}, {320, 436}}; Model = <SBIconListModel: 0x174e61780; 19 icons; folder = <SBRootFolderWithDock: 0x174504b60, (null)>>>
       |    |    |    |    |    |    | <SBIconView: 0x10af3a110; frame = (16 7; 60 74); opaque = NO; layer = <CALayer: 0x174438e00>>
       |    |    |    |    |    |    |    | <SBIconLegibilityLabelView: 0x10ac2c950; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17042e240>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10af3a660; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174438580>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x100c997c0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174438f40>>
       |    |    |    |    |    |    |    | <SBIconImageView: 0x10b4098a0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x170820a40>>
       |    |    |    |    |    |    | <SBIconView: 0x10af36740; frame = (92 7; 60 74); opaque = NO; layer = <CALayer: 0x174438b00>>
       |    |    |    |    |    |    |    | <SBIconLegibilityLabelView: 0x10af36a00; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17443ac00>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10af34500; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174439100>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10af37d50; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1744396c0>>
       |    |    |    |    |    |    |    | <SBIconImageView: 0x10af36be0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x17443a180>>
       |    |    |    |    |    |    | <SBIconView: 0x10af45b80; frame = (168 7; 60 74); opaque = NO; layer = <CALayer: 0x174439800>>
       |    |    |    |    |    |    |    | <SBIconLegibilityLabelView: 0x10af47600; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17443a340>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10ac3ae80; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042edc0>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10ac3aca0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042eda0>>
       |    |    |    |    |    |    |    | <SBIconImageView: 0x10af477e0; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x174439fc0>>
       |    |    |    |    |    |    | <SBIconView: 0x10af32000; frame = (244 7; 60 74); opaque = NO; layer = <CALayer: 0x1744392e0>>
       |    |    |    |    |    |    |    | <SBIconLegibilityLabelView: 0x10ac25870; baseClass = _UILegibilityView; frame = (15.5 62.5; 29 19); userInteractionEnabled = NO; layer = <CALayer: 0x17042d6c0>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10ac2bad0; frame = (-12 -12; 53 43); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042dec0>>
       |    |    |    |    |    |    |    |    | <_UILegibilityImageView: 0x10ac2b8f0; frame = (0 0; 29 19); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042dee0>>
       |    |    |    |    |    |    |    | <SBIconImageView: 0x10b37d980; frame = (-1 -1; 62 62); userInteractionEnabled = NO; layer = <CALayer: 0x17463b220>>
       |    |    |    |    |    |    | <SBIconView: 0x10af74db0; frame = (16 95; 60 74); opaque = NO; layer = <CALayer: 0x17443d260>>
    
    5. Test the search: toggle views hidden and visible to find which class draws the red badge count
    cy# #0x10ac11980.hidden = 1
    1
    cy# #0x10ac11980.hidden = 1
    1
    cy# #0x10ac11980.hidden = 0
    

    IV. sh script files

    • Put a frequently executed series of terminal commands into an sh (shell) script file and then run the script; sh scripts can be run with the sh, bash and source commands
    • sh, bash
    • The current shell starts a child process to run the script and returns to the parent shell afterwards; a cd in the script changes directory inside the child process, but the parent's environment is unchanged, i.e. the directory does not change
    • source
    • Runs the script in the current shell environment, so after a cd the shell is left in that directory; source can be replaced by a single dot, e.g. ". test.sh"

    V. iOS decryption (脱壳)

    • 脱壳 means removing the shell program and restoring the unencrypted executable. There are two main methods: static (hard) unpacking and dynamic unpacking
      Static unpacking runs the decryption algorithm directly; dynamic unpacking runs the shell program so that it decrypts the real contents itself, meaning the executable in memory is already decrypted and can be dumped directly. Because mobile programs are fairly complex, static unpacking is the common approach on iOS.
    • iOS has many good decryption tools
    1. Clutch: https://github.com/KJCracks/Clutch
    2. dumpdecrypted: https://github.com/stefanesser/dumpdecrypted/
    • class-dump
      class-dump dumps the class information out of a Mach-O file (exports the class information) and generates the corresponding .h header files
      Official site: http://stevenygard.com/projects/class-dump/
      After downloading the package, copy the class-dump binary to /usr/local/bin on the Mac so the terminal recognises the class-dump command
      Common form: class-dump -H <Mach-O file path> -o <header output directory>
      PS: -H means generate header files; -o specifies the directory in which to store the headers
      Permission problem:
    cuilinhaodeMacBook-Pro:脱壳 cuilinhao$ class-dump -H To-Do -o Headers
    -bash: /usr/local/bin/class-dump: Permission denied
    

    Fix: cuilinhaodeMacBook-Pro:脱壳 cuilinhao$ chmod +x /usr/local/bin/class-dump

    VI. Clutch
    Configuring Clutch
    1. Download the latest Release: https://github.com/KJCracks/Clutch/releases
    2. Remove the version number and rename the file to Clutch
    3. Copy the Clutch file to the /usr/bin directory on the iPhone

    4. If running the Clutch command on the iPhone fails for lack of permission, give it execute permission


    Using Clutch
    1. List the installed Apps: Clutch -i
    Zhanghua123:~ root# Clutch -i
    
    Installed apps:
    1:   WiFi伴侣-安全上网管家 <com.eldxin7.wifibanlv>
    2:   华夏万家金服 <com.hxwj.WJJF>
    3:   智仟汇 <com.zhidou.smart>
    4:   悟空问答 - 超火爆全民问答讨论社区 <com.ss.iphone.article.wenda>
    5:   爱思加强版 <com.pd.A4Player>
    6:   喜马拉雅FM「听书社区」电台有声小说相声评书 <com.gemd.iting>
    7:   联璧金融-安全靠谱的理财平台 <com.lincomb.licai>
    8:   Microsoft To-Do <com.microsoft.to-do>
    Zhanghua123:~ root# 
    
    2. Enter the App's number or Bundle ID to decrypt it: Clutch -d <App number or Bundle ID>
    3. After a successful decryption an ipa file is generated and the path where it is stored is printed

    4. Verify that the decryption succeeded
    otool -l To-Do | grep crypt
    cryptoff 16384
    cryptsize 2490368
    cryptid 0

    When cryptid is 0, the decryption succeeded

    5. Export the header files
      class-dump -H To-Do -o Headers
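An added example (not code from the page, Clutch or otool) that performs the cryptid check shown in the otool output above, and the "nothing printed means already decrypted" check on SpringBoard in section III, by parsing the LC_ENCRYPTION_INFO load command directly. It goes one step beyond the page by inspecting every slice of a fat binary, since each architecture carries its own cryptid and all of them must be 0. The Mach-O headers it inspects are constructed samples using the cryptoff/cryptsize values from the otool output.

```python
"""Decide whether a dumped app binary is really decrypted by reading the
LC_ENCRYPTION_INFO of every Mach-O slice (the fields `otool -l | grep crypt` shows)."""
import struct

MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE           # fat (multi-architecture) header, big-endian
MH_EXECUTE = 2
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C

def parse_thin(data: bytes, base: int = 0) -> dict:
    """Walk the load commands of the Mach-O slice that starts at offset base."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32             # mach_header_64 has an extra reserved field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("unsupported magic 0x%08x at offset %d" % (magic, base))
    cputype, _, _, ncmds, sizeofcmds = struct.unpack_from("<IIIII", data, base + 4)
    info = {"cputype": cputype, "cryptoff": None, "cryptsize": None, "cryptid": None}
    offset = base + header_size
    end = offset + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        offset += cmdsize
    return info

def encryption_info(data: bytes) -> list:
    """One dict per architecture slice; a thin binary yields a single entry."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):           # fat_arch entries are 20 bytes, big-endian
            _, _, offset, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append(parse_thin(data, offset))
        return slices
    return [parse_thin(data, 0)]

def is_decrypted(data: bytes) -> bool:
    """True only when no slice is still encrypted. A slice without any
    LC_ENCRYPTION_INFO (cryptid None, as for system binaries such as SpringBoard)
    counts as clear, matching 'grep crypt prints nothing => already decrypted'."""
    return all(s["cryptid"] in (None, 0) for s in encryption_info(data))

def otool_style(data: bytes) -> str:
    """Render the three fields otool prints, one line per slice."""
    lines = []
    for s in encryption_info(data):
        if s["cryptid"] is None:
            lines.append("cputype 0x%x: no LC_ENCRYPTION_INFO" % s["cputype"])
        else:
            lines.append("cputype 0x%x: cryptoff %d cryptsize %d cryptid %d" % (
                s["cputype"], s["cryptoff"], s["cryptsize"], s["cryptid"]))
    return "\n".join(lines)

# --- constructed samples: headers and load commands only, no segments ---

def build_thin(cputype: int, cryptid, cryptoff: int = 16384, cryptsize: int = 2490368) -> bytes:
    """Constructed 64-bit Mach-O with an LC_UUID and, unless cryptid is None,
    one LC_ENCRYPTION_INFO_64 (default values are the ones from the otool output)."""
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    ncmds = 1
    if cryptid is not None:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
        ncmds = 2
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, ncmds, len(cmds), 0, 0)
    return header + cmds

def build_fat(slices: list, align: int = 0x1000) -> bytes:
    """Constructed fat wrapper: big-endian fat_header + fat_arch table, each slice
    placed at the next align-multiple offset."""
    table = struct.pack(">II", FAT_MAGIC, len(slices))
    body = b""
    offset = align
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        table += struct.pack(">IIIII", cputype, 0, offset, len(s), 12)
        padded = s + b"\0" * (-len(s) % align)
        body += padded
        offset += len(padded)
    return table + b"\0" * (align - len(table)) + body

# arm64 slice already dumped (cryptid 0) next to an armv7 slice still encrypted (cryptid 1)
SAMPLE_FAT = build_fat([build_thin(CPU_TYPE_ARM64, 0), build_thin(CPU_TYPE_ARM, 1)])
```

On a real dump, pass the bytes of the executable inside the ipa to is_decrypted(); a result of False with one slice reporting cryptid 1 means that architecture was not decrypted even though grep may show a cryptid 0 line.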
    Using dumpdecrypted
    1. Download the source code, then run make in the source directory to build the dylib dynamic library
      Download: https://github.com/stefanesser/dumpdecrypted/archive/master.zip
    cuilinhaodeMacBook-Pro:~ cuilinhao$ cd /Users/cuilinhao/Desktop/dumpdecrypted-master
    cuilinhaodeMacBook-Pro:dumpdecrypted-master cuilinhao$ ls
    Makefile    README      dumpdecrypted.c
    cuilinhaodeMacBook-Pro:dumpdecrypted-master cuilinhao$ make
    
    2. Copy the dylib to the iPhone, into the /var/root directory
    3. In the terminal, enter the directory containing the dylib
    4. Use the environment variable DYLD_INSERT_LIBRARIES to inject the dylib into the executable to be decrypted (the executable's path can be found with ps -A)
      DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <executable path>
    5. The .decrypted file is the decrypted executable
      PS: an error may occur during use

    The error is mainly caused by insufficient permissions on the folder containing the dylib
    Solution: put the dylib in the user's own folder: /var/root for the root user, /var/mobile for the mobile user

    VII. Installing Reveal

    • Reveal is a superb tool for debugging the UI of iOS programs

    • Official site: https://revealapp.com

    • Download: https://revealapp.com/download

    • Cracked version: https://pan.baidu.com/s/1lz9lwTKXD9bS8DnvT9gkBQ extraction code: b31u [recommended to install the cracked one directly, otherwise there are pitfalls]

    • At least Reveal 4 is recommended, which supports debugging over a USB connection

    • Configuring the debugging environment

    • Install Reveal Loader on the iPhone

    • Repo: http://apt.so/codermjlee; do not install versions from other repos, as they may not support the new Reveal

    • After installing Reveal Loader, open Settings and select the App to debug

    • Find the RevealServer file inside Reveal on the Mac and overwrite the /Library/RHRevealLoader/RevealServer file on the iPhone with it

    PS: if there is no RHRevealLoader folder on the iPhone, create it yourself

    • Restart SpringBoard: killall SpringBoard

    If you run into problems, see the links below
    https://www.jianshu.com/p/51c539f61ab0
    https://blog.csdn.net/qq_30513483/article/details/51820525

    https://blog.csdn.net/u013538542/article/details/70860013
    http://blog.sina.com.cn/s/blog_894d45e20102wtbo.html

    VIII. Installing Hopper

    Just search Baidu and download it



    IX. Installing theos

    (1) Install the signing tool ldid
    1. First make sure brew is installed: https://brew.sh

    $ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    
    2. Install ldid with brew
    brew install ldid
    

    (2) Modify the environment variables

    • Edit the user's profile
    vim ~/.bash_profile
    
    • Add the following two lines at the end of .bash_profile
    export THEOS=~/theos
    export PATH=$THEOS/bin:$PATH
    
    • Make the environment variables configured in .bash_profile take effect immediately
    source ~/.bash_profile
    

    (3) Download theos

    • It is recommended to clone the code into the $THEOS directory (the ~/theos directory configured above)
    git clone --recursive https://github.com/theos/theos.git $THEOS
                    
    

    (4) Create a new tweak project
    cd to a folder where the project code will be kept

    cd ~/Desktop
    nic.pl
    

    Choose iphone/tweak

    Fill in the project information
    Project Name
    the project name

    Package Name
    the project ID (anything will do)

    Author/Maintainer Name
    the author; press Enter to accept the default

    [iphone/tweak] MobileSubstrate Bundle filter
    the Bundle Identifier of the App to be modified (for Ximalaya FM it is com.gemd.iting)
    The App's Bundle Identifier can be looked up with Cycript
    [iphone/tweak] List of applications to terminate upon installation
    just press Enter

       Project Name (required): ting_tweak
      Package Name [com.yourcompany.ting_tweak]: com.mj.ting
      Author/Maintainer Name [MJ Lee]:
      [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
      com.gemd.iting
      [iphone/tweak] List of applications to terminate upon installation (space-
      separated, '-' for none) [SpringBoard]:
      Instantiating iphone/tweak in ting_tweak/...
      Done.
      
    

    (5) Edit the Makefile
    Add environment variables at the top that state which IP and port are used to reach the phone
    THEOS_DEVICE_IP
    THEOS_DEVICE_PORT

          export THEOS_DEVICE_IP=127.0.0.1
          export THEOS_DEVICE_PORT=10010
          include $(THEOS)/makefiles/common.mk
          TWEAK_NAME = ting_tweak
          ting_tweak_FILES = Tweak.xm
          include $(THEOS_MAKE_PATH)/tweak.mk
          after-install::
          	install.exec "killall -9 SpringBoard"
    

    If you don't want to write the environment variables into every project's Makefile, you can also add them to the user's profile; after editing, run source ~/.bash_profile to make the configuration take effect

          $ vim ~/.bash_profile
          export THEOS=~/theos
          export PATH=$THEOS/bin:$PATH
          export THEOS_DEVICE_IP=127.0.0.1
          export THEOS_DEVICE_PORT=10010
          $ source ~/.bash_profile
          
    

    After the installation completes

    cuilinhaodeMacBook-Pro:~ cuilinhao$ cd theos/
    cuilinhaodeMacBook-Pro:theos cuilinhao$ ls
    LICENSE.md  bin     lib     package.json    toolchain
    Prefix.pch  extras      makefiles   sdks        vendor
    README.md   include     mod     templates
    cuilinhaodeMacBook-Pro:theos cuilinhao$ ls -l
    total 96
    -rw-r--r--   1 cuilinhao  staff  35367  4 26 10:04 LICENSE.md
    -rw-r--r--   1 cuilinhao  staff    754  4 26 10:04 Prefix.pch
    -rw-r--r--   1 cuilinhao  staff    829  4 26 10:04 README.md
    drwxr-xr-x  19 cuilinhao  staff    608  4 26 10:04 bin
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 extras
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 include
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 lib
    drwxr-xr-x  25 cuilinhao  staff    800  4 26 10:04 makefiles
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 mod
    -rw-r--r--   1 cuilinhao  staff    655  4 26 10:04 package.json
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 sdks
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 templates
    drwxr-xr-x   3 cuilinhao  staff     96  4 26 10:04 toolchain
    drwxr-xr-x   7 cuilinhao  staff    224  4 26 10:04 vendor
    

    Enter bin and look around

    cuilinhaodeMacBook-Pro:theos cuilinhao$ cd bin
    cuilinhaodeMacBook-Pro:bin cuilinhao$ ls -l
    total 80
    -rwxr-xr-x  1 cuilinhao  staff   491  4 26 10:04 deb_build_num.sh
    lrwxr-xr-x  1 cuilinhao  staff    29  4 26 10:04 denicify.pl -> ../vendor/nic/bin/denicify.pl
    lrwxr-xr-x  1 cuilinhao  staff    21  4 26 10:04 dm.pl -> ../vendor/dm.pl/dm.pl
    -rwxr-xr-x  1 cuilinhao  staff   892  4 26 10:04 fakeroot.sh
    -rwxr-xr-x  1 cuilinhao  staff   148  4 26 10:04 install.copyFile
    -rwxr-xr-x  1 cuilinhao  staff   313  4 26 10:04 install.exec
    -rwxr-xr-x  1 cuilinhao  staff   213  4 26 10:04 install.mergeDir
    lrwxr-xr-x  1 cuilinhao  staff    29  4 26 10:04 logify.pl -> ../vendor/logos/bin/logify.pl
    lrwxr-xr-x  1 cuilinhao  staff    28  4 26 10:04 logos.pl -> ../vendor/logos/bin/logos.pl
    lrwxr-xr-x  1 cuilinhao  staff    24  4 26 10:04 nic.pl -> ../vendor/nic/bin/nic.pl
    lrwxr-xr-x  1 cuilinhao  staff    27  4 26 10:04 nicify.pl -> ../vendor/nic/bin/nicify.pl
    -rwxr-xr-x  1 cuilinhao  staff   980  4 26 10:04 package_version.sh
    -rwxr-xr-x  1 cuilinhao  staff   801  4 26 10:04 post-update
    -rwxr-xr-x  1 cuilinhao  staff   437  4 26 10:04 target.pl
    lrwxr-xr-x  1 cuilinhao  staff    12  4 26 10:04 update-git-repo -> update-theos
    -rwxr-xr-x  1 cuilinhao  staff  1030  4 26 10:04 update-theos
    -rwxr-xr-x  1 cuilinhao  staff   552  4 26 10:04 vercmp.pl
    cuilinhaodeMacBook-Pro:bin cuilinhao$ 
    
    

    Configure the path so that nic.pl can be reached from anywhere

    export THEOS=~/theos
    export PATH=$THEOS/bin:$PATH
    
    

    Check after configuring

    cuilinhaodeMacBook-Pro:~ cuilinhao$ echo $PATH
    /Users/cuilinhao/.rvm/gems/ruby-2.2.2/bin:/Users/cuilinhao/.rvm/gems/ruby-2.2.2@global/bin:/Users/cuilinhao/.rvm/rubies/ruby-2.2.2/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users/cuilinhao/.rvm/bin
    cuilinhaodeMacBook-Pro:~ cuilinhao$ 
    

    PS: if the path still does not appear after configuring, run source .bash_profile to make it take effect

    (6) Write the code
    Open the Tweak.xm file

    %hook SBIconParallaxBadgeView
    
    // Returning nil from init means the badge view is never created,
    // so no red notification count is drawn on the icons
    - (id)init
    {
        return nil;
    }
    
    %end
    

    (7) Compile, package, install

    • Compile
    make
    
    • Package into a deb
    make package
    
    • Install (SpringBoard restarts automatically by default)
    make install
    

    (8) Possible problems

    1. Error from make package
    Can't locate IO/Compress/Lzma.pm in @INC (you may need to install the
      IO::Compress::Lzma module) (@INC contains: /Library/Perl/5.18/darwin-
      thread-multi-2level /Library/Perl/5.18 /Network/Library/Perl/5.18/darwin-
      thread-multi-2level /Network/Library/Perl/5.18 /Library/Perl/Updates/5.18.2
      /System/Library/Perl/5.18/darwin-thread-multi-2level
      /System/Library/Perl/5.18 /System/Library/Perl/Extras/5.18/darwin-thread-
      multi-2level /System/Library/Perl/Extras/5.18 .) at
      /Users/mj/theos/bin/dm.pl line 12.
      BEGIN failed--compilation aborted at /Users/mj/theos/bin/dm.pl line 12.
      make: *** [internal-package] Error 2
    
    • The error is caused by the package compression method; switching to gzip fixes it
    • Edit dm.pl and comment out the following two lines with #
    vim $THEOS/vendor/dm.pl/dm.pl
     #use IO::Compress::Lzma;
     #use IO::Compress::Xz;
    
    • Change the compression method on line 6 of deb.mk to gzip
    vim $THEOS/makefiles/package/deb.mk
    _THEOS_PLATFORM_DPKG_DEB_COMPRESSION ?= gzip
    

    2. Error from make

     Error: You do not have an SDK in
      /Library/Developer/CommandLineTools/Platforms/iPhoneOS.platform/Developer/S
      DKs
    
    • Caused by the Xcode path (several Xcodes may be installed); point xcode-select at the right one
    sudo xcode-select --switch /Applications/Xcode.app/Contents/Developer/
    
    3. make reports Nothing to be done
    > Making all for tweak xxx...
      make[2]: Nothing to be done for `internal-library-compile'.
    
    • Because it was compiled before and the cached result is stale; just clean and rebuild
    make clean
    make
    

    Removing ads from Tencent Video playback

    1. Find the Tencent Video ipa and decrypt it
    2. Export the header files with class-dump
    3. Inspect the player view with Reveal

    4. Removing only the ad view may not clear the ad completely, so remove the whole view controller instead; but no init method was found in the QNBPlayerVideoAdsViewController class, so look in its parent class

    #import <UIKit/UIViewController.h>
    
    #import "QNBBasePlayerViewControllerEventDelegate-Protocol.h"
    #import "QNBEventDelegate-Protocol.h"
    
    @class NSMutableArray, NSObject, NSString, QNBPlayerInfo;
    @protocol QNBEventProxy;
    
    @interface QNBBasePlayerViewController : UIViewController <QNBEventDelegate, QNBBasePlayerViewControllerEventDelegate>
    {
        _Bool _alreadyAddToParent;
        QNBPlayerInfo *_playerInfo;
        QNBBasePlayerViewController *_parentEventController;
        UIViewController *_parentUIController;
        UIViewController *_pageViewController;
        NSMutableArray *_childEventControllers;
        SEL _interceptReceiveSEL;
        NSObject<QNBEventProxy> *_proxy;
    }
    
    @property(nonatomic) _Bool alreadyAddToParent; // @synthesize alreadyAddToParent=_alreadyAddToParent;
    @property(nonatomic) __weak NSObject<QNBEventProxy> *proxy; // @synthesize proxy=_proxy;
    @property(nonatomic) SEL interceptReceiveSEL; // @synthesize interceptReceiveSEL=_interceptReceiveSEL;
    @property(retain, nonatomic) NSMutableArray *childEventControllers; // @synthesize childEventControllers=_childEventControllers;
    @property(nonatomic) __weak UIViewController *pageViewController; // @synthesize pageViewController=_pageViewController;
    @property(nonatomic) __weak UIViewController *parentUIController; // @synthesize parentUIController=_parentUIController;
    @property(nonatomic) __weak QNBBasePlayerViewController *parentEventController; // @synthesize parentEventController=_parentEventController;
    @property(nonatomic) __weak QNBPlayerInfo *playerInfo; // @synthesize playerInfo=_playerInfo;
    - (void).cxx_destruct;
    - (void)excuteEvent:(id)arg1 forEventNode:(id)arg2;
    - (id)didReceivePlayerEventInUI:(id)arg1;
    - (void)shouldSetConstraintsForViews;
    - (void)shouldSetupViews;
    - (void)addChildEventController:(id)arg1;
    - (void)addToParentViewController;
    - (void)viewDidLayoutSubviews;
    - (id)eventProxy;
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withPageViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5;
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withParentEventViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5;
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withAddToParenViewControllerNow:(_Bool)arg4;
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3 withParentEventViewController:(id)arg4;
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 withParentViewController:(id)arg3;
    
    // Remaining properties
    @property(readonly, copy) NSString *debugDescription;
    @property(readonly, copy) NSString *description;
    @property(readonly) unsigned long long hash;
    @property(readonly) Class superclass;
    @end
    
    

    5. Override the parent class's init methods

    1. Get the bundle ID: MJAppId = [NSBundle mainBundle].bundleIdentifier
    Zhanghua123:~ root# cycript -p live4iphone
    cy# @import mjcript
    {}
    cy# [Nsbundle mainBundle]
    throw new ReferenceError("Can't find variable: Nsbundle")
    cy# [NSbundle mainBundle]
    throw new ReferenceError("Can't find variable: NSbundle")
    cy# MJAppId
    @"com.tencent.live4iphone"
    cy# 
    
    2. Create the tweak
    cuilinhaodeMacBook-Pro:TengXun cuilinhao$ nic.pl
    NIC 2.0 - New Instance Creator
    ------------------------------
      [1.] iphone/activator_event
      [2.] iphone/application_modern
      [3.] iphone/cydget
      [4.] iphone/flipswitch_switch
      [5.] iphone/framework
      [6.] iphone/ios7_notification_center_widget
      [7.] iphone/library
      [8.] iphone/notification_center_widget
      [9.] iphone/preference_bundle_modern
      [10.] iphone/tool
      [11.] iphone/tweak
      [12.] iphone/xpc_service
    Choose a Template (required): 11
    Project Name (required): tweak_test
    Package Name [com.yourcompany.tweak_test]: com.lh.test
    Author/Maintainer Name [崔林豪]: 
    [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.tencent.live4iphone
    [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: 
    Instantiating iphone/tweak in tweak_test/...
    Done.
    
    3. Write the Tweak.xm file
    // Every initializer of the ads view controller is hooked to return nil, so the controller is never created
    %hook QNBPlayerVideoAdsViewController
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 
    withParentViewController:(id)arg3 withPageViewController:(id)arg4 withAddToParenViewControllerNow:(_Bool)arg5
    {
        return nil;
    }
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 
    withParentViewController:(id)arg3 withParentEventViewController:(id)arg4 
    withAddToParenViewControllerNow:(_Bool)arg5
    {
        return nil;
    }
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 
    withParentViewController:(id)arg3 withAddToParenViewControllerNow:(_Bool)arg4
    {
        return nil;
    }
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 
    withParentViewController:(id)arg3 withParentEventViewController:(id)arg4
    {
        return nil;
    }
    - (id)initWithEventProxy:(id)arg1 withPlayerInfo:(id)arg2 
    withParentViewController:(id)arg3
    {
        return nil;
    }
    
    %end
    
    4. Compile, run, install
    cuilinhaodeMacBook-Pro:~ cuilinhao$ cd /Users/cuilinhao/Desktop/tencenttest 
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ ls
    Makefile        control         packages
    Tweak.xm        obj         tencentTest.plist
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make
    > Making all for tweak tencentTest…
    make[2]: Nothing to be done for `internal-library-compile'.
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make clean
    ==> Cleaning…
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make
    > Making all for tweak tencentTest…
    ==> Preprocessing Tweak.xm…
    ==> Compiling Tweak.xm (armv7)…
    ==> Linking tweak tencentTest (armv7)…
    clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
    ==> Generating debug symbols for tencentTest…
    rm /Users/cuilinhao/Desktop/tencenttest/.theos/obj/debug/armv7/Tweak.xm.mm
    ==> Preprocessing Tweak.xm…
    ==> Compiling Tweak.xm (arm64)…
    ==> Linking tweak tencentTest (arm64)…
    clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
    ==> Generating debug symbols for tencentTest…
    rm /Users/cuilinhao/Desktop/tencenttest/.theos/obj/debug/arm64/Tweak.xm.mm
    ==> Merging tweak tencentTest…
    ==> Signing tencentTest…
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make package
    > Making all for tweak tencentTest…
    make[2]: Nothing to be done for `internal-library-compile'.
    > Making stage for tweak tencentTest…
    dm.pl: building package `com.lh.test:iphoneos-arm' in `./packages/com.lh.test_0.0.1-5+debug_iphoneos-arm.deb'
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ make install
    ==> Installing…
    root@127.0.0.1's password: 
    (Reading database ... 3664 files and directories currently installed.)
    Preparing to unpack /tmp/_theos_install.deb ...
    Unpacking com.lh.test (0.0.1-5+debug) over (0.0.1-3+debug) ...
    Setting up com.lh.test (0.0.1-5+debug) ...
    install.exec "killall -9 SpringBoard"
    root@127.0.0.1's password: 
    cuilinhaodeMacBook-Pro:tencenttest cuilinhao$ 
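    The defender's view of the same hook, added here as an example (not code from the original post or from the app being analysed): an app-side runtime check that notices when a method's implementation has been moved out of the main executable, which is what a MobileSubstrate tweak such as the Tweak.xm above does. The function names are assumed.

```objectivec
// Added example, not code from the original post or from the Tencent Video app.
// A runtime integrity check an app can run on its own classes: a MobileSubstrate
// tweak like the Tweak.xm above replaces the method's IMP with a function that
// lives in the tweak's dylib, so dladdr() no longer maps the IMP to the main
// executable. Function and log names are hypothetical.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <dlfcn.h>
#include <mach-o/dyld.h>
#include <string.h>
#include <stdlib.h>

// Returns how many instance methods declared on `cls` resolve to an image other
// than the main executable (compared by path), logging each one with the image
// that owns it now.
static unsigned LHCountForeignMethodImplementations(Class cls) {
    const char *mainImage = _dyld_get_image_name(0); // image 0 is the app binary
    unsigned int methodCount = 0;
    Method *methods = class_copyMethodList(cls, &methodCount);
    unsigned foreign = 0;
    for (unsigned int i = 0; i < methodCount; i++) {
        IMP imp = method_getImplementation(methods[i]);
        Dl_info info;
        if (dladdr((const void *)imp, &info) == 0 || info.dli_fname == NULL) {
            continue; // not inside any loaded image: unknown, not counted as foreign
        }
        if (strcmp(info.dli_fname, mainImage) != 0) {
            foreign++;
            NSLog(@"[integrity] -[%s %s] is now implemented in %s",
                  class_getName(cls),
                  sel_getName(method_getName(methods[i])),
                  info.dli_fname);
        }
    }
    free(methods);
    return foreign;
}

// Example call for the class hooked above; a real app would audit the classes it
// considers sensitive (payment, licensing, ad playback) rather than this one.
static BOOL LHAdsControllerLooksHooked(void) {
    Class cls = objc_getClass("QNBPlayerVideoAdsViewController");
    if (cls == Nil) {
        return NO; // class absent in this build: nothing to check
    }
    return LHCountForeignMethodImplementations(cls) > 0;
}
```

    A non-zero count is a signal to log or degrade functionality, not proof: legitimate swizzling from system frameworks also shows up here, and on a jailbroken device a tweak can hook dladdr itself.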
    

    10. Simple applications of reverse engineering

    1. Reverse analysis of WiFi伴侣 (WiFi Companion) and WiFi万能钥匙 (WiFi Master Key)
      . Reference: https://www.jianshu.com/p/e2eef5f9a09d
      App ID: com.eldxin7.wifibanlv
    2. Implementing WeChat automatic red-envelope grabbing step by step (non-jailbroken)
      Find the two files CMessageMgr.h and WCRedEnvelopesLogicMgr.h; in them we notice these two methods: - (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; and - (void)OpenRedEnvelopesRequest:(id)arg1;. That's right: next we use these two methods to implement automatic red-envelope grabbing in WeChat. The principle is that by hooking WeChat's new-message function we check whether the message is a red-envelope message, and if it is, we call WeChat's open-red-envelope method. That achieves the goal of grabbing red envelopes automatically.
      Reference (the original author's post): https://www.jianshu.com/p/189afbe3b429

      Comments

      • 34bb2a6201da: How much is your salary, bro :grin:
        天下林子: Enough to eat :smile:
      • CoderLNHui: Great summary. I have a question: in the last step, I successfully injected the deb package into the jailbroken device with the tweak, so why can't I hook the method I want to hook? Please advise.
        天下林子: @无味sh Put an NSLog in that method, then inject the package into the jailbroken device and use the Mac's built-in Console to see the printed log; I wrote about this in the second article https://www.jianshu.com/p/44766acbdb4d
        If nothing is printed, it just means that hooked method was never executed
        CoderLNHui: @林子心 I did save everything
        天下林子: @无味sh Check whether that method is actually written in your tweak, and whether you forgot to save; I once forgot to save, hooked it, and it did nothing :joy:
      • Clark_new: I've been wanting to find a fairly detailed article; learned a lot
        天下林子: @Clark_new Learning from each other :smile:
      • PotterSun: Hi author, with Tencent Video version 6.2.1, following the method above does not remove the ads; only the ad page is removed, the ad audio remains, and the main video cannot be played. Is there a workaround?
        天下林子: In the exported header files, look at the class used for ad audio playback, then hook the relevant methods in that class and give it a try; different versions of the app may implement the corresponding methods differently.
      • yunFeng: Learned a lot~~~
      • WillyGeek: The layout is a bit messy; it takes some patience to sort all this out. Keep it up
        天下林子: @WillyGeek Understood, thanks~
        WillyGeek: @林子心 By the way, in writing note that it's iOS and iPhone, not ios and iphone.. I'll leave it at that...
        天下林子: Thanks~
      • 菜鸟晋升路: You still need a jailbroken phone, otherwise you can't go any further
        天下林子: @幻想无极 Buy a second-hand iPhone 5 and you can play with it~
        幻想无极: @菜鸟晋升路 Jailbroken phones aren't expensive these days
      • IT人故事会: Thanks, many thanks, learned a lot.
        天下林子: Learning together, haha

      Article title: iOS Reverse Engineering: A Brief Analysis

      Article link: https://www.haomeiwen.com/subject/fxzsrftx.html