iOS Reverse Engineering

Author: East_Coast | Published 2019-11-19 12:31 | 0 reads
$ ssh root@192.168.4.166   # SSH into the phone over Wi-Fi; the factory default root password is alpine
SSH: how the client stores the server's host key
  1. The client keeps server SSH public keys in ~/.ssh/known_hosts
  2. On the server side
    2.1 Public key: /etc/ssh/ssh_host_rsa_key.pub
    2.2 Private key: /etc/ssh/ssh_host_rsa_key
  3. If the connection warns about a possible man-in-the-middle attack, the key recorded for that IP no longer matches what the server presents. Once you have confirmed the host key was legitimately regenerated (compare the fingerprint with the server's ssh_host_rsa_key.pub), remove the stale entry so you can connect again:
    3.1 Option 1: vim ~/.ssh/known_hosts and delete the line for that IP (vim: dd deletes the current line)
    3.2 Option 2: ssh-keygen -R 192.168.4.166 (192.168.4.166 is the server IP)
SSH key-based client authentication
  1. Generate the client key pair with ssh-keygen
    1.1 Public key: ~/.ssh/id_rsa.pub
    1.2 Private key: ~/.ssh/id_rsa
  2. Append the public key to the server's authorized-keys file
    2.1 Authorized-keys file on the server: ~/.ssh/authorized_keys
    2.2 Append the client public key to it: ssh-copy-id root@192.168.4.166
  3. Appending the client public key manually
    3.1 scp ~/.ssh/id_rsa.pub root@192.168.4.166:~/.ssh   copies the public key into the server's .ssh directory
    3.2 cat id_rsa.pub >> authorized_keys   appends the key to the authorized_keys file
    3.3 rm id_rsa.pub   removes the copied public key file
SSH over USB
  1. Download the usbmuxd toolkit: https://cgit.sukimashita.com/usbmuxd.Git/snapshot/usbmuxd-1.0.8.tar.gz
  2. Forward the iPhone's port 22 to local port 10010 on the Mac: python Desktop/USB/tcprelay.py -t 22:10010
  3. Log in to the iPhone: ssh root@localhost -p 10010
  4. Note: run step 3 only after step 2; the relay must be running
Cycript basics
  1. Starting
    1.1 cycript
    1.2 cycript -p <process ID>
    1.3 cycript -p <process name> (recommended)
  2. Quit with Control+D
  3. Variables: var app = UIApp.keyWindow
  4. Access an object by memory address: #0x13f181290
  5. All Objective-C classes loaded by the app: ObjectiveC.classes
  6. Inspect an object's instance variables: *UIApp or *#0x13f181290
  7. Recursively print all subviews of a view: recursiveDescription()
  8. Filter live instances by class: choose(UIViewController)
ps
  1. ps -A   list all current processes
  2. ps -A | grep music   find processes related to music
Installing a .deb

scp -P 10010 RevealLoader.deb root@localhost:/var/root/Media/Cydia/AutoInstall
Respring so the package gets installed: killall SpringBoard

Decrypting (dumping) an app binary
  1. Check whether the binary is encrypted: MachOView -> Load Commands -> LC_ENCRYPTION_INFO -> Crypt ID; 0 means not encrypted
  2. The same check from the command line: otool -l To-Do | grep crypt; cryptid 0 means not encrypted
  3. Clutch
    3.1 Download: https://github.com/KJCracks/Clutch/releases
    3.2 Copy the binary to /usr/bin/ on the phone
    3.3 If it cannot be executed: chmod +x /usr/bin/Clutch
  4. dumpdecrypted
    4.1 Download: https://github.com/stefanesser/dumpdecrypted
    4.2 Run make to build the dynamic library
    4.3 Copy the resulting dylib to /var/root on the iPhone
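Added example, not from the original post: a small Python reader for the check in steps 1 and 2, walking the Mach-O load commands (thin 32-bit, thin 64-bit and FAT files) to report the cryptid that MachOView and otool display. The sample images it builds are constructed placeholders, not real app binaries.

```python
# Added example, not from the original post: read the cryptid of
# LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, the value `otool -l | grep crypt`
# shows. The sample images built below are constructed, not real app binaries.
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"            # FAT (universal) header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def thin_crypt_id(data: bytes):
    """cryptid of one thin image: 1 = still encrypted, 0 = decrypted, None = no such command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    off = 32 if magic == MH_MAGIC_64 else 28     # mach_header_64 / mach_header size
    ncmds = struct.unpack_from("<I", data, 16)[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cmd, cmdsize, cryptoff, cryptsize, cryptid: cryptid sits at +16
            return struct.unpack_from("<I", data, off + 16)[0]
        off += cmdsize
    return None

def crypt_ids(data: bytes) -> list:
    """cryptid per slice; a FAT file yields one value per architecture."""
    if data[:4] != FAT_MAGIC_BE:
        return [thin_crypt_id(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    out = []
    for i in range(nfat):
        _, _, off, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        out.append(thin_crypt_id(data[off:off + size]))
    return out

def build_thin(cryptid: int, bits: int = 64) -> bytes:
    """Construct a minimal image with one encryption-info load command (sample data only)."""
    if bits == 64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0) + cmd
    cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
    return struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 1, len(cmd), 0) + cmd

def build_fat(slices) -> bytes:
    """Construct a FAT file from (cputype, image) pairs (sample data only)."""
    archs, body, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        archs += struct.pack(">IIIII", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return FAT_MAGIC_BE + struct.pack(">I", len(slices)) + archs + body
```

To check a real binary, pass `open(path, "rb").read()` to `crypt_ids`; a dump from Clutch or dumpdecrypted should report 0 for every slice.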
Using Clutch
ahs-zjshebei:~ root# Clutch -i   # list the installed apps available for dumping
Installed apps:
1:   京东-挑好物,上京东 <com.360buy.jdmobile>
2:   拼多多 <com.xunmeng.pinduoduo>
3:   爱思加强版 <com.pd.A4Player>
ahs-zjshebei:~ root# Clutch -d 3   # dump app 3 and write out the decrypted executable
Using dumpdecrypted (⚠️ currently failing; problem not yet resolved)
ahs-zjshebei:~ root# ps -A | grep pin
 1702 ??         0:05.42 /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
 1712 ttys000    0:00.01 grep pin
ahs-zjshebei:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
dyld: Symbol not found: ___chkstk_darwin
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib
 in dumpdecrypted.dylib
Trace/BPT trap: 5
ahs-zjshebei:~ root# 
Theos
Installation
  1. brew install ldid
  2. Edit .bash_profile
    2.1 vim ~/.bash_profile
    2.2 Add the environment variables to .bash_profile:
    export THEOS=~/theos
    export PATH=$THEOS/bin:$PATH
    2.3 source ~/.bash_profile to apply them
  3. Download Theos
    git clone --recursive https://github.com/theos/theos.git $THEOS
Creating a tweak with nic.pl
localhost:AQY zhangheng$ mkdir IQYTweak
localhost:AQY zhangheng$ cd IQYTweak/
localhost:IQYTweak zhangheng$ nic.pl 
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/application_swift
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/library
  [7.] iphone/preference_bundle_modern
  [8.] iphone/tool
  [9.] iphone/tool_swift
  [10.] iphone/tweak
  [11.] iphone/xpc_service
Choose a Template (required): 10
Project Name (required): iqytweak
Package Name [com.yourcompany.iqytweak]: com.hy.iqy
Author/Maintainer Name [张恒]: 
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.qiyi.iphone
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: 
Instantiating iphone/tweak in iqytweak/...
Done.
Writing the tweak

Makefile

export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010

INSTALL_TARGET_PROCESSES = SpringBoard

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = iqytweak

iqytweak_FILES = Tweak.x
iqytweak_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk

Tweak.x

%hook QYResourcePopView

// Make the popup view fail to initialize so it never appears
- (id)initWithFrame:(struct CGRect)arg1 {
    return nil;
}

%end

Build and install the tweak

  1. make
  2. make package
  3. make install
localhost:iqytweak zhangheng$ make
> Making all for tweak iqytweak…
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (armv7)…
==> Linking tweak iqytweak (armv7)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/armv7/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64)…
==> Linking tweak iqytweak (arm64)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64e)…
==> Linking tweak iqytweak (arm64e)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64e/Tweak.x.m
==> Merging tweak iqytweak…
==> Signing iqytweak…
localhost:iqytweak zhangheng$ make package
> Making all for tweak iqytweak…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak iqytweak…
dm.pl: building package `com.hy.iqy:iphoneos-arm' in `./packages/com.hy.iqy_0.0.1-6+debug_iphoneos-arm.deb'
localhost:iqytweak zhangheng$ make install
==> Installing…
The authenticity of host '[127.0.0.1]:10010 ([127.0.0.1]:10010)' can't be established.
RSA key fingerprint is SHA256:4p2uNUxuMsg7xdx45xlpzKzoCZy5NYR/gzyT9+qSxbo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10010' (RSA) to the list of known hosts.
Selecting previously deselected package com.hy.iqy.
(Reading database ... 5503 files and directories currently installed.)
Unpacking com.hy.iqy (from /tmp/_theos_install.deb) ...
Setting up com.hy.iqy (0.0.1-6+debug) ...
==> Unloading SpringBoard…
localhost:iqytweak zhangheng$ 
Dynamic debugging
Setting up debugserver
  1. Copy debugserver from /Developer/usr/bin on the phone to the computer
  2. Entitlements
    2.1 Export the current entitlements: ldid -e debugserver > debugserver.entitlements
    2.2 Add the get-task-allow and task_for_pid-allow entitlements to debugserver.entitlements
    2.3 Re-sign with the new entitlements: ldid -Sdebugserver.entitlements debugserver
    2.4 Copy the re-signed debugserver to /usr/bin/ on the phone
    2.5 ⚠️ If you get "-sh: /usr/bin/debugserver: Permission denied", run chmod +x /usr/bin/debugserver
Using debugserver

debugserver *:10011 -a WeChat

localhost:usb zhangheng$ sh login.sh 
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.51.1
 for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
^C
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.51.1
 for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
Waiting for debugger instructions for process 0.

Using LLDB
  1. Forward the debugserver port over USB: python tcprelay.py -t 10011:10011
  2. Start LLDB: lldb
  3. process connect connect://localhost:10011
localhost:usb zhangheng$ lldb
(lldb) process connect connect://localhost:10011
Process 1180 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x000000019b8e4c30 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x19b8e4c30 <+8>: ret    

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x19b8e4c34 <+0>: mov    x16, #-0x20
    0x19b8e4c38 <+4>: svc    #0x80
    0x19b8e4c3c <+8>: ret    
Target 0: (WeChat) stopped.
(lldb) c
Process 1180 resuming
(lldb) 

Source: https://www.haomeiwen.com/subject/vnbfbctx.html