iOS逆向dumpdecrypted的使用

iOS逆向之dumpdecrypted的使用

dumpdecrypted使用:

dumpdecrypted 是个出色的app脱壳开源工具，它的原理是：将应用程序运行起来（iOS系统会先解密程序再启动），然后将内存中的解密结果dump写入文件中，得到一个新的可执行程序。

1.下载与安装：

下载地址：

https://github.com/stefanesser/dumpdecrypted/archive/master.zip

编译安装:

在终端中进入到刚刚下载解压的目录。可以发现如下文件:

Shuangquan:RevertProject Wade$ cd dumpdecrypted-master

Shuangquan:dumpdecrypted-master Wade$ ls

Makefile        README          dumpdecrypted.c

Shuangquan:dumpdecrypted-master Wade$

直接make, 就可以生成dumpdecrypted.dylib文件了

- 常见问题

①错误

xcrun --sdk iphoneos --find gcc -Os -Wimplicit -isysroot xcrun --sdk iphoneos --show-sdk-path -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/Frameworks -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c/bin/sh: /Applications/Xcode: No such file or directorymake: *** [dumpdecrypted.o] Error 127

说明是Xcode 路径有问题

需要执行 xcode-select 设置Xcode的路径

Shuangquan:Desktop Wade$ sudo xcode-select -p

/Applications/Xcode.app/Contents/Developer

Shuangquan:Desktop Wade$ sudo xcode-select -p

Password:***

/Applications/Xcode.app/Contents/Developer

Shuangquan:Desktop Wade$ sudo xcode-select -r

Password:***

Shuangquan:Desktop Wade$ sudo xcode-select -p

/Applications/Xcode.app/Contents/Developer

② 一般SDK是向下兼容的，如果保证SDK版本与越狱设备的版本一致或者高于越狱设备版本,使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。如下：SDK版本是8.3，设备是iOS 8.1

Shuangquan:Desktop Wade$ xcrun --sdk iphoneos --show-sdk-path

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.3.sdk

2.砸壳:

- 为设备安装ssh服务，可以ssh登陆设备

在越狱设备中用Cydia搜索OpenSSH,安装改软件，安装完成后， 在OpenSSH软件中有 OpenSSH Access How-To，可以查看登陆选项。一般使用ssh命令登陆设备：

/Users/Wade/Documents/workspace/sample/ios_sample

Shuangquan:ios_sample Wade$ ssh root@192.168.199.203

root@192.168.199.203's password:

iPhone:~ root# ls

Library Media

iPhone:~ root#

- 将生成的dumpdecrypted.dylib拷贝到设备目录，可以用scp命令或其他工具

Shuangquan:dumpdecrypted-master Wade$ ls

Makefile README dumpdecrypted.c dumpdecrypted.dylib dumpdecrypted.o

Shuangquan:dumpdecrypted-master Wade$ scp ./dumpdecrypted.dylib root@192.168.199.203:/User

root@192.168.199.203's password:

dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00

Shuangquan:dumpdecrypted-master Wade$

- 查找目标文件

登陆越狱设备后，利用cycript查找目标App路径， 在设备中运行目标App(要运行),然后利用(ps -e | grep 目标App)命令查找路径和进程ID。

使用（cycript -p 进程ID）进入目标App 执行环境， 利用 [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]获取目标App的Document路径。

为什么需要目标App的Document路径，因为只有在Document路径，目标App才有读写权限。这样目标App的App路径和Document路径都获取到了。例如获取Twitter的路径。

Shuangquan:ios_sample Wade$ ssh root@192.168.199.203

root@192.168.199.203's password:

iPhone:~ root# ls

Library Media

iPhone:~ root# ps -e | grep Twitter

666 ?? 0:06.75 /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter

671 ttys001 0:00.01 grep Twitter

iPhone:~ root# cycript -p 666

cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

"file:///var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/"

cy#

- 砸壳

将dumpdecrypted.dylib拷贝到目标文件的Document目录，例如砸壳Twitter，确定Document路径有dumpdecrypted.dylib文件

Shuangquan:ios_sample Wade$ ssh root@192.168.199.203

root@192.168.199.203's password:

iPhone:~ root# ls

Library Media

iPhone:~ root# cd /var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/

iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# ls

com.atebits.tweetie.application-important-state

com.atebits.tweetie.application-state

com.atebits.tweetie.authorizationmanager

com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerData.data

com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerRequestCounts.data

com.atebits.tweetie.configuration

com.atebits.tweetie.sentinel

com.twitter.TFSFeatureSwitches.config

dumpdecrypted.dylib

iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#

然后执行 (DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib 目标App)

iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.

[+] offset to cryptid found: @0x24a90(from 0x24000) = a90

[+] Found encrypted data at address 00004000 of length 17432576 bytes - type 1.

[+] Opening /private/var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter for reading.

[+] Reading header

[+] Detecting header type

[+] Executable is a FAT image - searching for right architecture

[+] Correct arch is at offset 16384 in the file

[+] Opening Twitter.decrypted for writing.

[+] Copying the not encrypted start of the file

[+] Dumping the decrypted data into the file

[+] Copying the not encrypted remainder of the file

[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90

[+] Closing original file

[+] Closing dump file

iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#