1、前言
我们从App Store上下载的app是被苹果加密过的,从其他渠道下载一般没有加密,可执行文件被套上了一层保护壳,而class-dump是无法作用在加密过的App上的。在这种情况下,要想获取头文件,需要先解密App的可执行文件,俗称“砸壳”,这里我们需要使用到的砸壳工具是dumpdecrypted。
2、获取dumpdecrypted
1)打开github官网,搜索dumpdecrypted,第一个就是。
2)使用命令:
git clone git://github.com/stefanesser/dumpdecrypted/
3、编译dumpdecrypted.dylib
wifi:~ clf$ cd /Users/ppd/Documents/dumpdecrypted-master
wifi:dumpdecrypted-master clf$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.2.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.2.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.2.sdk/System/Library/PrivateFrameworks'
make命令执行后会生成一个dumpdecrypted.dylib文件,这就是砸壳需要用到的榔头。这个文件生成一次就可以了,以后可以重复使用,下次破壳就不需要再重新编译了。
4、定位待砸壳TargetApp的可执行文件
首先准备一个越狱的iphone手机,我们关掉iphone上的所有App,打开我们需要砸壳的TargetApp(这里我用微信来测试),接着ssh连接到iphone上,用ps指令打印所有的进程。
连接iphone
wifi:~ clf$ ssh [email protected]
[email protected]'s password:
打印进程
iPhone:~ root# ps -e
PID TTY TIME CMD
1 ?? 0:04.73 /sbin/launchd
17 ?? 0:04.72 /usr/sbin/notifyd
20 ?? 0:42.42 /usr/libexec/UserEventAgent (System)
21 ?? 0:06.38 /usr/libexec/pphelper/PPHelperLaunchd
22 ?? 0:00.28 /usr/libexec/aosnotifyd
23 ?? 0:00.36 /usr/sbin/BTServer
24 ?? 0:49.21 /System/Library/Frameworks/CoreTelephony.framework/Sup
29 ?? 2:10.53 /System/Library/CoreServices/SpringBoard.app/SpringBoa
30 ?? 0:32.47 /System/Library/PrivateFrameworks/AggregateDictionary.
31 ?? 0:00.15 /System/Library/PrivateFrameworks/AssistantServices.fr
35 ?? 9:22.20 /usr/libexec/backboardd
37 ?? 0:07.09 /usr/libexec/configd
38 ?? 0:00.03 /System/Library/CoreServices/AppleIDAuthAgent
40 ?? 0:00.81 /usr/sbin/fairplayd.H2
...
318 ?? 0:00.25 sshd: root@ttys000
457 ?? 0:02.12 /System/Library/CoreServices/AssistiveTouch.app/assistivetouchd
458 ?? 0:09.97 /System/Library/CoreServices/SpringBoard.app/SpringBoard
459 ?? 0:31.09 /usr/libexec/backboardd
476 ?? 0:02.61 /Applications/MobileMail.app/MobileMail
492 ?? 0:00.05 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
495 ?? 0:00.99 /var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/WeChat.app/WeChat
319 ttys000 0:00.08 -sh
496 ttys000 0:00.01 ps -e
StoreApp全部位于/var/mobile/Containers/下,其中可执行文件位于/var/mobile/Containers/Bundle/Applications/X下,因为我们只打开了我们需要砸壳的TargetApp,那么进程中唯一的一个“/var/mobile/Applications/”路径就是我们需要路径,也就是TargetApp可执行文件的全路径。
5、用Cycript找出TargetApp的Document目录路径
StoreApp的Document目录位于/var/mobile/Containers/Data/Applications/Y下,因为X与Y不同,利用ps是没办法区别这两个目录的路径,那么我们借助强大的Cycript工具,让App告诉我们Document的路径。如下:
使用命令:cycript -p TargetApp
iPhone:~ root# cycript -p WeChat
cy# [[NSFileManager defaultManager]URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/Documents/"
上面就是Document的路径了。
6、将dumpdecrypted.dylib拷贝到Document目录下
wifi:~ clf$ scp /Users/ppd/Documents/dumpdecrypted-master/dumpdecrypted.dylib [email protected]:/var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/Documents/
[email protected]'s password:
dumpdecrypted.dylib 100% 193KB 2.0MB/s 00:00
这里采用的是scp方式。
7、开始砸壳
dumpdecrypted.dylib的用法:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /path/to/executable
进入到document文件下:
iPhone:/var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/WeChat.app/WeChat
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100088ca8(from 0x100088000) = ca8
[+] Found encrypted data at address 00004000 of length 56770560 bytes - type 1.
[+] Opening /private/var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 62078976 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3b34ca8
[+] Closing original file
[+] Closing dump file
当前目录下会生成WeChat.decrypted,即砸壳后的文件,使用ls命令查看,如下:
iPhone:/var/mobile/Applications/F9BB912B-E6C3-4266-AE06-4AF1B3B969D5/Documents root# ls
00000000000000000000000000000000 MMResourceMgr MemoryStat WeChat.decrypted dumpdecrypted.dylib
LocalInfo.lst MMappedKV SafeMode.dat db.globalconfig heavy_user_id_mapping.dat
利用itools将WeChat.decrypted文件导出到OSX设备上备用。
以上就是砸壳的全部过程了,看起来很简单,但是也是经过了一翻折腾的。
备注问题:为什么要把dumpdecrypted.dylib文件拷贝到Document目录下?
StoreApp对沙盒以外的绝大多数目录是没有写权限的。dumpdecrypted.dylib要写一个decrypted文件,但它是运行在StoreApp中的,与StoreApp的权限相同,那么它的写操作就必须发生在StoreApp拥有写权限的路径下才能成功。StoreApp一定是能写入其Document目录的,因此在Document目录下使用dumpdecrypted.dylib时,保证它能在当前目录下写一个decrypted文件。
备注
查看是否加壳(cryptid 1为加壳)
wifi:Documents clf$ otool -l WeChat.decrypted | grep crypt
cryptid 1
cryptid 0
wifi:Documents clf$ otool -l WeChat.decrypted | grep crypt
WeChat.decrypted (architecture armv7):
cryptoff 16384
cryptsize 52756480
cryptid 1
WeChat.decrypted (architecture arm64):
cryptoff 16384
cryptsize 56770560
cryptid 0
ios10.1.1遇到的问题:
iPhone:/var/mobile/Containers/Data/Application/914E1ECE-D68A-47D1-83CE-3C848DDA0FC9/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/FB01F34B-E7EB-40E9-8F33-23A008F3DD60/XXX.app/XXX
dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found. Did find:
dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'
Abort trap: 6
解决办法:
## 列出可签名证书
security find-identity -v -p codesigning
## 为dumpecrypted.dylib签名
codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib
之后重新上传砸壳。