App Store中下载的程序是加密后的,为了能够获取目标程序的类信息以便之后修改源码,我们需要对应用程序做一个解密,也就是砸壳。
硬件设备需要有一台越狱手机和一台装了开发环境的mac电脑。
以下以 微信 为例,进行操作。
1. 远程连接iphone
iphone 本质也是一台linux设备,所以可以用登录服务器的方式连接iphone。具体操作如下:
连到同一个wifi,在 设置-无线局域网 中查看iphone的ip,我这里是 192.168.1.116
-
使用 ssh 命令登录服务器
ssh root@192.168.1.116
登录过程中需要输入服务器密码,ios 默认密码为
alpine
2. 找到app路径和Document路径
-
用ssh连接上iOS设备后,我们打开想要砸壳的app,输入
ps -e
,就可以在进程中找到这个app的二进制文件的地址:9281 0:02.65 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ``` **9281** 为微信的进程名,可执行文件目录为 ***/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat***
-
用 Cycript 找出 TargetApp 的 Documents 目录路径
admin:~ root# cycript -p 9281 cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] #"file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/"
cycript -p process
process 为第一步中拿到的进程名!
cycript -p process
process 为第一步中拿到的进程名!
cycript -p process
process 为第一步中拿到的进程名!现在得到 微信 的 Document 目录
file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/也可以用PP助手类的工具直接获得Document目录
3. 编译dumpdecrypted
dumpdecrypted
工具就是要用的砸壳工具。他的原理是让app预先加载一个解密的dumpdecrypted.dylib
,然后在程序运行后,将代码动态解密,最后在内存中dump出来整个程序。
首先下载dumpdecrypted源代码,项目地址 https://github.com/stefanesser/dumpdecrypted
切到dumpdecrypted目录,直接使用
make
命令编译
Baiya:Ios baiya$ cd dumpdecrypted/
Baiya:dumpdecrypted baiya$ ls
Makefile README dumpdecrypted.c
Baiya:dumpdecrypted baiya$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
即可得到dumpdecrypted.dylib
文件。
一般SDK是向下兼容的,保证SDK版本与越狱设备的版本一致或者高于越狱设备版本即可。
使用xcrun --sdk iphoneos --show-sdk-path
查看SDK版本。
如下:SDK版本是9.3。因为设备是iOS 8.4,所以没问题
Baiya:dumpdecrypted baiya$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk
-
常见错误
参见iOS逆向之dumpdecrypted的使用
4. 砸壳
-
将生成的
dumpdecrypted.dylib
拷贝到设备目录,可以用scp命令
或PP助手
等Baiya:dumpdecrypted baiya$ scp dumpdecrypted.dylib root@192.168.1.116:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/ root@192.168.1.116's password: dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
-
进入
Document
目录下面,执行DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib
相关的命令admin:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] detected 32bit ARM binary in memory. [-] This mach-o file is not encrypted. Nothing was decrypted.
因为博主装的是没有加密的23333
正常是:
iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading. [+] Reading header [+] Detecting header type [+] Executable is a FAT image - searching for right architecture [+] Correct arch is at offset 2408224 in the file [+] Opening Scan.decrypted for writing. [-] Failed opening. Most probably a sandbox issue. Trying something different. [+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing. [+] Copying the not encrypted start of the file [+] Dumping the decrypted data into the file [+] Copying the not encrypted remainder of the file [+] Closing original file [+] Closing dump file
会生成app砸壳后的文件
xx.decrypted
. 这里就是WeChat.decrypted
。如果是没有加密的,直接使用WeChat
即可
取出解密后程序
还是scp
命令或者PP助手
Baiya:dumpdecrypted baiya$ scp root@192.168.1.116:/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ~/Desktop/
root@192.168.1.116's password:
WeChat 100% 97MB 2.2MB/s 00:45
查看APP信息
-
查询架构
file app
Baiya:Desktop baiya$ file WeChat WeChat: Mach-O universal binary with 2 architectures WeChat (for architecture armv7): Mach-O executable arm WeChat (for architecture arm64): Mach-O 64-bit executable
微信支持两种架构 armv7 和 arm64
-
查询下它的加密情况
otool -l 主文件名 | grep crypt
Baiya:Desktop baiya$ otool -l WeChat | grep crypt cryptoff 16384 cryptsize 40910848 cryptid 0 cryptoff 16384 cryptsize 43974656 cryptid 0
cryptid 1代表加密,cryptid 0代表未加密。两个分别对应着armv7和arm64,也就是它们都没有加密。
参考链接:
iOS逆向之dumpdecrypted的使用
iOS逆向 - Cycript基本用法
iOS逆向 - dumpdecrypted工具砸壳
用dumpdecrypted给App砸壳
iOS逆向之IPA脱壳
iOS 冰与火之歌番外篇 - App Hook 答疑以及 iOS 9 砸壳