iOS 逆向学习系列之一:砸壳

2018-05-29  本文已影响101人  bai_ya

App Store中下载的程序是加密后的,为了能够获取目标程序的类信息以便之后修改源码,我们需要对应用程序做一个解密,也就是砸壳。

硬件设备需要有一台越狱手机和一台装了开发环境的mac电脑。

以下以 微信 为例,进行操作。

1. 远程连接iphone

iphone 本质也是一台linux设备,所以可以用登录服务器的方式连接iphone。具体操作如下:

  1. 连到同一个wifi,在 设置-无线局域网 中查看iphone的ip,我这里是 192.168.1.116

  2. 使用 ssh 命令登录服务器

     ssh root@192.168.1.116

    登录过程中需要输入服务器密码,ios 默认密码为 alpine

2. 找到app路径和Document路径

  1. 用ssh连接上iOS设备后,我们打开想要砸壳的app,输入 ps -e,就可以在进程中找到这个app的二进制文件的地址:

    9281 ??         0:02.65 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat    ```

**9281** 为微信的进程名,可执行文件目录为 
***/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat***

  2. Cycript 找出 TargetApp 的 Documents 目录路径

    admin:~ root# cycript -p 9281
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/"

    cycript -p process process 为第一步中拿到的进程名!
    cycript -p process process 为第一步中拿到的进程名!
    cycript -p process process 为第一步中拿到的进程名!

    现在得到 微信Document 目录
    file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/

    也可以用PP助手类的工具直接获得Document目录

3. 编译dumpdecrypted

dumpdecrypted 工具就是要用的砸壳工具。他的原理是让app预先加载一个解密的dumpdecrypted.dylib,然后在程序运行后,将代码动态解密,最后在内存中dump出来整个程序。

Baiya:Ios baiya$ cd dumpdecrypted/
Baiya:dumpdecrypted baiya$ ls
Makefile    README      dumpdecrypted.c
Baiya:dumpdecrypted baiya$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'

即可得到dumpdecrypted.dylib文件。
一般SDK是向下兼容的,保证SDK版本与越狱设备的版本一致或者高于越狱设备版本即可。
使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。
如下:SDK版本是9.3。因为设备是iOS 8.4,所以没问题

Baiya:dumpdecrypted baiya$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk

4. 砸壳

  1. 将生成的dumpdecrypted.dylib拷贝到设备目录,可以用scp命令PP助手

    Baiya:dumpdecrypted baiya$ scp dumpdecrypted.dylib root@192.168.1.116:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/
root@192.168.1.116's password: 
dumpdecrypted.dylib                                                     100%  193KB 192.9KB/s   00:00

  2. 进入Document目录下面,执行DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib相关的命令

    admin:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[-] This mach-o file is not encrypted. Nothing was decrypted.

    因为博主装的是没有加密的23333

    正常是:

    iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1.
[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 2408224 in the file
[+] Opening Scan.decrypted for writing.
[-] Failed opening. Most probably a sandbox issue. Trying something different.
[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Closing original file
[+] Closing dump file

    会生成app砸壳后的文件xx.decrypted. 这里就是WeChat.decrypted。如果是没有加密的,直接使用WeChat即可

取出解密后程序

还是scp命令或者PP助手

Baiya:dumpdecrypted baiya$ scp root@192.168.1.116:/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ~/Desktop/
root@192.168.1.116's password: 
WeChat                                                                                                                                             100%   97MB   2.2MB/s   00:45

查看APP信息

参考链接:

iOS逆向之dumpdecrypted的使用
iOS逆向 - Cycript基本用法
iOS逆向 - dumpdecrypted工具砸壳
用dumpdecrypted给App砸壳
iOS逆向之IPA脱壳
iOS 冰与火之歌番外篇 - App Hook 答疑以及 iOS 9 砸壳

上一篇下一篇

猜你喜欢

热点阅读