iOS10.3.1 砸壳之路
2018-06-27 本文已影响49人
Evans_Xiao
砸壳的原理:
开发者提交给Appstore发布的App,都经过FairPlay作为版权保护而加密,这样可以保证机器上跑的应用是苹果审核过的,也可以管理软件授权,起到DRM的作用。经过加密的Store App也无法通过Hopper等反编译静态分析,无法Class-Dump,在逆向分析过程中需要对加密的二进制文件进行解密才可以进行静态分析,这一过程就是大家熟知的砸壳(脱壳)。
主要分为两种模式: 静态解密 和 动态解密
测试设备:越狱iPod (iOS10.3.1)
一、静态解密
1、命令行工具: Clutch. 作者使用最新版 v2.0.4
2、拷贝Clutch文件拷贝的iPhone的/usr/bin/目录下
scp Clutch root@192.168.0.116:/usr/bin
这里需要注意:
下载的Clutch可能命名为Clutch-2.0.4. 需要改名为Clutch
3、Clutch需要可执行权限
chmod +x Clutch
4、查看Clutch使用说明
iPod:/usr/bin root# Clutch
Usage: Clutch [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID
-d --dump <value> Dump specified bundleID into .ipa file
-i --print-installed Print installed applications
--clean Clean /var/tmp/clutch directory
--version Display version and exit
-? --help Display this help and exit
-n --no-color Print with colors disabled
5、查看可砸壳的应用
iPod:/usr/bin root# Clutch -i
Installed apps:
1: 微博 <com.sina.weibo>
2: 央视影音 <cn.vuclip.mobiletv>
3: Shazam 音乐神搜 <com.shazam.Shazam>
4: こつこつ家計簿-無料のカレンダー家計簿 <com.doubibi74.money76>
5: 微信 <com.tencent.xin>
6: 可可英语-英语听力口语训练神器 <com.kekenet.kkyy>
7: 支付宝 - 让生活更简单 <com.alipay.iphoneclient>
8: 中国大学MOOC(慕课) <com.netease.edumooc>
9: 爱思加强版 <com.pd.A4Player>
10: 快拍 - Snapchat <com.toyopagroup.picaboo>
11: 天天快报 - 腾讯兴趣阅读平台 <com.tencent.reading>
6、砸壳应用
Clutch -d com.netease.edumooc
还可以根据每个应用前面的标号进行
Clutch -d 8
砸壳结束后结果如下:
Zipping edumooc.app
Dumping <FXBlurView> arm64
Successfully dumped framework FXBlurView!
Child exited with status 0
Dumping <AFNetworking> arm64
ASLR slide: 0x1000e4000
Dumping <edumooc> (arm64)
Patched cryptid (64bit segment)
Successfully dumped framework AFNetworking!
Child exited with status 0
Dumping <vfrReader> arm64
Dumping <libextobjc> arm64
.....
Zipping iRate.framework
Zipping libextobjc.framework
Zipping pop.framework
Zipping vfrReader.framework
DONE: /private/var/mobile/Documents/Dumped/com.netease.edumooc-iOS9.0-(Clutch-2.0.4).ipa
Finished dumping com.netease.edumooc in 27.1 seconds
7、通过scp将砸壳的放到Mac上
scp root@192.168.0.116:/private/var/mobile/Documents/Dumped/com.netease.edumooc-iOS9.0-(Clutch-2.0.4).ipa ./
可是通过这个命令报错如下:
-bash: syntax error near unexpected token `('
解决方案,将ipa重命令
cd /private/var/mobile/Documents/Dumped/
mv com.netease.edumooc-iOS9.0-\(Clutch-2.0.4\).ipa edumooc.ipa
scp root@192.168.0.116:/private/var/mobile/Documents/Dumped/edumooc.ipa ./
到此为止,输出的ipa 确实已经是砸壳解密的了!!!(至于怎么验证,可以用MonkeyApp)
二、动态砸壳
1、工具dumpdecrypted点击下载,进入目录,执行
make
获得如下文件:
Makefile README dumpdecrypted.c dumpdecrypted.dylib dumpdecrypted.o
2、 注入dumpdecrypted 到需要砸壳的应用,将dumpdecrypted.dylib拷贝进入手机
scp dumpdecrypted.dylib root@192.168.0.116:~/
3、连接手机后查看进程,找到需要砸壳应用进行PID,建议杀掉所有app进程,仅保留需要的应用
iPod:~ root# ps -e | grep /var/containers/Bundle
输出结果如下:
.....
14442 ?? 0:02.64 /var/containers/Bundle/Application/F00AA075-0534-4188-BCB3-18483E905856/WeChat.app/WeChat
14444 ?? 0:07.63 /var/containers/Bundle/Application/84200ED8-CBBE-4063-BFA2-A9E227345505/AlipayWallet.app/AlipayWallet
16347 ?? 0:00.38 /private/var/containers/Bundle/Application/E26600F2-0A5F-4094-815E-3255B1C50DF7/KuaiBao.app/PlugIns/KBNotificationService.appex/KBNotificationService
18046 ?? 0:04.83 /var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/edumooc
18547 ttys000 0:00.00 grep /var/containers/Bundle
4、使用以下命令砸壳
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/edumooc
可能出现以下错误信息:
dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found. Did find:
dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'
Abort trap: 6
原因:
应该是dumpdecrypted.dylib未签名
解决方案使用 ldid 工具的 ldid -S dumpdecrypted.dylib 命令给 dumpdecrypted.dylib 签名
解决方法:
ldid -S dumpdecrypted.dylib
然后再次运行以下命令:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/edumooc
恭喜你,成功砸壳,输出如下信息:
objc[18553]: Class EduSimpleTabItem is implemented in both /private/var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/Frameworks/JYVAddressPicker.framework/JYVAddressPicker (0x101f7ca48) and /var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/edumooc (0x100f64b50). One of the two will be used. Which one is undefined.
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000d8ed8(from 0x1000d8000) = ed8
[+] Found encrypted data at address 00004000 of length 12533760 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/215BC91C-6166-4EA2-A5C9-912973E6705E/edumooc.app/edumooc for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening edumooc.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ed8
[+] Closing original file
[+] Closing dump file
5、查看输出
iPod:~ root# ls
Library/ Media/ dumpdecrypted.dylib* edumooc.decrypted
edumooc.decrypted即为目标输出文件,也就是砸壳应用的Mach-O文件
6、拷贝Mach-O文件到Mac
scp root@192.168.0.116:~/edumooc.decrypted ./
7、查看Mach-O文件的加密状态
otool -l edumooc.decrypted | grep crypt
输出如下:
edumooc.decrypted:
cryptoff 16384
cryptsize 12533760
cryptid 0
查看支持的架构:
lipo -info edumooc.decrypted
Non-fat file: edumooc.decrypted is architecture: arm64
需要说明的是:
1、目前得到Mach-O文件只有arm64架构的砸壳成功, 因为这里使用的设备是iPod(64位), 若想兼容armv7或其它设备, 需要在armv7架构的设备或其它设备上砸壳. 然后使用otool拆分合并arm64架构和armv7架构得到一个Mach-O文件
2、使用dumpdecrypted 砸壳得到的是 Mach-O文件, 资源包直接使用未砸壳的就可以.
如何快速将砸壳的.ipa或. decrypted文件快速传输到Mac上?
上文主要通过Wi-Fi传输,通过USB连接会更块更稳定.如何使用USB连接终端越狱设备,请移步至此.
当设备通过USB连接后,使用如下命令行:
scp -P 2222 root@127.0.0.1:/private/var/mobile/Documents/Dumped/edumooc.ipa ./
