当前位置: 首页>编程语言>正文

iOS 逆向学习系列之一:砸壳

App Store中下载的程序是加密后的,为了能够获取目标程序的类信息以便之后修改源码,我们需要对应用程序做一个解密,也就是砸壳。

硬件设备需要有一台越狱手机和一台装了开发环境的mac电脑。

以下以 微信 为例,进行操作。

1. 远程连接iphone

iphone 本质也是一台linux设备,所以可以用登录服务器的方式连接iphone。具体操作如下:

  1. 连到同一个wifi,在 设置-无线局域网 中查看iphone的ip,我这里是 192.168.1.116

  2. 使用 ssh 命令登录服务器

     ssh root@192.168.1.116
    

    登录过程中需要输入服务器密码,ios 默认密码为 alpine

2. 找到app路径和Document路径

  1. 用ssh连接上iOS设备后,我们打开想要砸壳的app,输入 ps -e,就可以在进程中找到这个app的二进制文件的地址:

    9281 0:02.65 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat    ```
    
    **9281** 为微信的进程名,可执行文件目录为 
    ***/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat***
    
    
  2. Cycript 找出 TargetApp 的 Documents 目录路径

    admin:~ root# cycript -p 9281
    cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
    #"file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/"
    

    cycript -p process process 为第一步中拿到的进程名!
    cycript -p process process 为第一步中拿到的进程名!
    cycript -p process process 为第一步中拿到的进程名!

    现在得到 微信Document 目录
    file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/

    也可以用PP助手类的工具直接获得Document目录

3. 编译dumpdecrypted

dumpdecrypted 工具就是要用的砸壳工具。他的原理是让app预先加载一个解密的dumpdecrypted.dylib,然后在程序运行后,将代码动态解密,最后在内存中dump出来整个程序。

  • 首先下载dumpdecrypted源代码,项目地址 https://github.com/stefanesser/dumpdecrypted

  • 切到dumpdecrypted目录,直接使用make命令编译

Baiya:Ios baiya$ cd dumpdecrypted/
Baiya:dumpdecrypted baiya$ ls
Makefile    README      dumpdecrypted.c
Baiya:dumpdecrypted baiya$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'

即可得到dumpdecrypted.dylib文件。
一般SDK是向下兼容的,保证SDK版本与越狱设备的版本一致或者高于越狱设备版本即可。
使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。
如下:SDK版本是9.3。因为设备是iOS 8.4,所以没问题

Baiya:dumpdecrypted baiya$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk
  • 常见错误

    参见iOS逆向之dumpdecrypted的使用

4. 砸壳

  1. 将生成的dumpdecrypted.dylib拷贝到设备目录,可以用scp命令PP助手

    Baiya:dumpdecrypted baiya$ scp dumpdecrypted.dylib root@192.168.1.116:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/
    root@192.168.1.116's password: 
    dumpdecrypted.dylib                                                     100%  193KB 192.9KB/s   00:00 
    
  2. 进入Document目录下面,执行DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib相关的命令

    admin:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat
    mach-o decryption dumper
    
    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
    
    [+] detected 32bit ARM binary in memory.
    [-] This mach-o file is not encrypted. Nothing was decrypted.
    

    因为博主装的是没有加密的23333

    正常是:

    iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
    mach-o decryption dumper
    
    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
    
    [+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1.
    [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a FAT image - searching for right architecture
    [+] Correct arch is at offset 2408224 in the file
    [+] Opening Scan.decrypted for writing.
    [-] Failed opening. Most probably a sandbox issue. Trying something different.
    [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Closing original file
    [+] Closing dump file
    

    会生成app砸壳后的文件xx.decrypted. 这里就是WeChat.decrypted。如果是没有加密的,直接使用WeChat即可

取出解密后程序

还是scp命令或者PP助手

Baiya:dumpdecrypted baiya$ scp root@192.168.1.116:/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ~/Desktop/
root@192.168.1.116's password: 
WeChat                                                                                                                                             100%   97MB   2.2MB/s   00:45 

查看APP信息

  • 查询架构 file app

    Baiya:Desktop baiya$ file WeChat 
    WeChat: Mach-O universal binary with 2 architectures
    WeChat (for architecture armv7):    Mach-O executable arm
    WeChat (for architecture arm64):    Mach-O 64-bit executable
    

    微信支持两种架构 armv7arm64

  • 查询下它的加密情况 otool -l 主文件名 | grep crypt

    Baiya:Desktop baiya$ otool -l WeChat | grep crypt
         cryptoff 16384
        cryptsize 40910848
          cryptid 0
         cryptoff 16384
        cryptsize 43974656
          cryptid 0
    

    cryptid 1代表加密,cryptid 0代表未加密。两个分别对应着armv7和arm64,也就是它们都没有加密。

参考链接:

iOS逆向之dumpdecrypted的使用
iOS逆向 - Cycript基本用法
iOS逆向 - dumpdecrypted工具砸壳
用dumpdecrypted给App砸壳
iOS逆向之IPA脱壳
iOS 冰与火之歌番外篇 - App Hook 答疑以及 iOS 9 砸壳


https://www.xamrdz.com/lan/5nt2016471.html

相关文章: