20.1 关于ldid的一个知识

2018-06-15  本文已影响34人  _顺_1896

对于ldid的重点是:
是可执行文件进行签名,以便在iPhone上面执行。
另外需要比较与codesign的区别;

On the newer versions of iOS (v5) running this tool ends up with killed 9 error.
The problem here is iOS kernel signature checks the binary file at several places. Jailbreak tools cannot patch all these signature checks because it is difficult for them to patch each and every signature check. When we copy keychaindumper to iPhone, it does not have a signature. So running the binary exits with killed 9 message because iOS kernel does not have the signature of keychain_dumper.
To get rid of this problem add the signature of keychain_dumper to kernel cache (list of hashes) by running the below command. After adding the signature, you can run the rest of commands to dump the keychain entries.

ldid -S keychain_dumper

大概意思:为执行文件添加签名,以便在手机上进行运行。如同app需要签名一样,直接拷贝到手机系统需要直接运行的可执行文件则也需要被签名;

iPhone: keychain dumper – killed 9 problem

Github Keychain-Dumper

原文如下:

In iPhone, keychain is a sqllite database which stores sensitive data on the device. Apple’s keychain service is a library/API provided by Apple that developers can use to store sensitive information on an iOS device securely. Instead of storing sensitive information in plaintext configuration files, developers can leverage the keychain services to have the operating system store sensitive information securely on their behalf.

Keychain is encrypted with a hardware key. Hardware key is unique per device and not even accessible to OS running on the device. So even if some one get access to the keychain db file in a remote attack (Remember android malware, which steal sqlite.db files and sent it to the remote server), they cannot decrypt and view the content. Keychain also restricts the application access to the stored data. Each application on your device has a unique application-identifier (also called as entitlements). The keychain service restricts which data an application can access based on this identifier. By default, applications can only access data associated with their own application-identifier. Later apple introduced keychain groups. Now applications which belong to same group can share the keychain items.

On a jailbroken device, all keychain entries can be accessed by writing an application and making it as a member of all application group.

One such tool designed to grab all the keychain entries is keychain dumper – https://github.com/ptoomey3/Keychain-Dumper

Copy keychain_dumper to iPhone over ssh. Run the below command on SSH Terminal. This extracts all the keychain groups from keychain-2.db and stores in an xml file.

./keychain_dumper -e /var/tmp/entitlements.xml

Using ldid and entitlement xml file, we can make keychain_dumper program as a member of all keychain groups.

ldid -S/var/tmp/entitlements.xml keychain_dumper

Now running keychain dumper reads all the entries from keychain and displays it on the terminal.

./keychain_dumper

On the newer versions of iOS (v5) running this tool ends up with killed 9 error.

The problem here is iOS kernel signature checks the binary file at several places. Jailbreak tools cannot patch all these signature checks because it is difficult for them to patch each and every signature check. When we copy keychaindumper to iPhone, it does not have a signature. So running the binary exits with killed 9 message because iOS kernel does not have the signature of keychain_dumper.

To get rid of this problem add the signature of keychain_dumper to kernel cache (list of hashes) by running the below command. After adding the signature, you can run the rest of commands to dump the keychain entries.

ldid -S keychain_dumper

But in the newer versions (5.0.1), this workaround is not working. Because we have to run ldid command twice with -S option. This tries to overwrite the binary hash on kernel cache and fails. So follow the below listed steps to use the keychain_dumper on newer versions of iOS.

1. Copy keychain_dumper to iPhone over SSH.
2. Manually dump keychain groups with the help of sqlite3 command.

Sqlite3 /var/Keychains/keychain-2.db “select agrp from genp”
Running this command on my phone listed three access groups.
– apple, com.apple.apsd, com.apple.cfnetwork
3. Create a XML file similar to the sample shown below with all the keychain groups listed by above command
(paste the keychain group name in the string tags).
Sample.xml

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd“><plist version=”1.0”>
<dict>
<key>keychain-access-groups</key>
<array>
<string>apple</string>
<string>com.apple.apsd</string>
<string>com.apple.cfnetwork</string>
</array>
</dict>
</plist>

4. Copy sample.xml to /var/tmp folder on iPhone.
5. Run below commands to dump the keychain entries.

ldid –S/var/tmp/ent.xml keychian_dumper
./keychain_dumper

To run the keychain_dumper again, follow all the steps.

上一篇下一篇

猜你喜欢

热点阅读