iOS逆向之dumpdecrypted的使用
dumpdecrypted使用:
dumpdecrypted 是个出色的app脱壳开源工具,它的原理是:将应用程序运行起来(iOS系统会先解密程序再启动),然后将内存中的解密结果dump写入文件中,得到一个新的可执行程序。
1.下载与安装:
- 下载地址:
https://github.com/stefanesser/dumpdecrypted/archive/master.zip
- 编译安装:
在终端中进入到刚刚下载解压的目录。可以发现如下文件:
Shuangquan:RevertProject Wade$ cd dumpdecrypted-master
Shuangquan:dumpdecrypted-master Wade$ ls
Makefile README dumpdecrypted.c
Shuangquan:dumpdecrypted-master Wade$
直接make, 就可以生成dumpdecrypted.dylib文件了
- 常见问题
①错误
xcrun --sdk iphoneos --find gcc -Os -Wimplicit -isysroot xcrun --sdk iphoneos --show-sdk-path -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/Frameworks -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c/bin/sh: /Applications/Xcode: No such file or directorymake: *** [dumpdecrypted.o] Error 127
说明是Xcode 路径有问题
需要执行 xcode-select 设置Xcode的路径
Shuangquan:Desktop Wade$ sudo xcode-select -p
/Applications/Xcode.app/Contents/Developer
Shuangquan:Desktop Wade$ sudo xcode-select -p
Password:***
/Applications/Xcode.app/Contents/Developer
Shuangquan:Desktop Wade$ sudo xcode-select -r
Password:***
Shuangquan:Desktop Wade$ sudo xcode-select -p
/Applications/Xcode.app/Contents/Developer
② 一般SDK是向下兼容的,如果保证SDK版本与越狱设备的版本一致或者高于越狱设备版本,使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。如下:SDK版本是8.3,设备是iOS 8.1
Shuangquan:Desktop Wade$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.3.sdk
2.砸壳:
- 为设备安装ssh服务,可以ssh登陆设备
在越狱设备中用Cydia搜索OpenSSH,安装改软件,安装完成后, 在OpenSSH软件中有 OpenSSH Access How-To,可以查看登陆选项。一般使用ssh命令登陆设备:
/Users/Wade/Documents/workspace/sample/ios_sample
Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root#
- 将生成的dumpdecrypted.dylib拷贝到设备目录,可以用scp命令或其他工具
Shuangquan:dumpdecrypted-master Wade$ ls
Makefile README dumpdecrypted.c dumpdecrypted.dylib dumpdecrypted.o
Shuangquan:dumpdecrypted-master Wade$ scp ./dumpdecrypted.dylib root@192.168.199.203:/User
root@192.168.199.203's password:
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
Shuangquan:dumpdecrypted-master Wade$
- 查找目标文件
登陆越狱设备后,利用cycript查找目标App路径, 在设备中运行目标App(要运行),然后利用(ps -e | grep 目标App)命令查找路径和进程ID。
使用(cycript -p 进程ID)进入目标App 执行环境, 利用 [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]获取目标App的Document路径。
为什么需要目标App的Document路径,因为只有在Document路径,目标App才有读写权限。这样目标App的App路径和Document路径都获取到了。例如获取Twitter的路径。
Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root# ps -e | grep Twitter
666 ?? 0:06.75 /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter
671 ttys001 0:00.01 grep Twitter
iPhone:~ root# cycript -p 666
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
"file:///var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/"
cy#
- 砸壳
将dumpdecrypted.dylib拷贝到目标文件的Document目录,例如砸壳Twitter,确定Document路径有dumpdecrypted.dylib文件
Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root# cd /var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# ls
com.atebits.tweetie.application-important-state
com.atebits.tweetie.application-state
com.atebits.tweetie.authorizationmanager
com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerData.data
com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerRequestCounts.data
com.atebits.tweetie.configuration
com.atebits.tweetie.sentinel
com.twitter.TFSFeatureSwitches.config
dumpdecrypted.dylib
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#
然后执行 (DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib 目标App)
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x24a90(from 0x24000) = a90
[+] Found encrypted data at address 00004000 of length 17432576 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening Twitter.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#
