砸壳

前言

其中用到的砸壳工具就是dumpdecrypted，其原理是让app预先加载一个解密的dumpdecrypted.dylib，然后在程序运行后，将代码动态解密，最后在内存中dump出来整个程序。

iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/dumpdecrypted.dylib  /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat

先用dumpdecrypted工具先对加过密的ipa包进行砸壳，然后再用class-dump工具去导出它的头文件。

砸壳的步骤：

1、找到app二进制文件对应的目录；
2、找到app document对应的目录；
3、将砸壳工具dumpdecrypt.dylib拷贝到ducument目录下； //目的是为了获取写的权限
4、砸壳；

利用环境变量 DYLD_INSERT_LIBRARY 来添加动态库dumpdecrypted.dylib

接下来要正式的dump可执行文件。

正文

用ssh进入连上的iPhone(确保iPhone和Mac在同一个局域网)。OpenSSH的root密码默认为alpine

1、查找二进制文件对应的目录

iPhone:~ root# ps -e |grep WeChat
  405 ??         0:01.72 /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat
36068 ttys000    0:00.00 grep WeChat

或者

iPhone:~ root#  ps -e | grep /var/mobile
 7691 ??        13:22.82 /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat
 7836 ttys000    0:00.01 grep /var/mobile

因为从AppStore中下载安装的应用都会位于/var/mobile/..Applications中，

2、查找app document对应的目录
使用Cycript注入目标进程中

iPhone:~ root# cycript -p WeChat
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
@"/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents"

或者使用：

iPhone:~ root# cycript -p WeChat
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/"

NSHomeDirectory()  获取Documents目录，砸壳需要将dumpdecrypted.dylib拷贝到目标app的document目录

3、dumpdecrypted

dumpdecrypted.dylib 的获取

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ ls
Makefile    README      dumpdecrypted.c
devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ ls -a
.           README          dumpdecrypted.o
..          dumpdecrypted.c
Makefile        dumpdecrypted.dylib

使用SCP 拷贝文件到iOS设备对应的目录

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp ./dumpdecrypted.dylib [email protected]://var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents
[email protected]'s password: 
dumpdecrypted.dylib                                                                                                                                    100%  193KB  64.0KB/s   00:03    
devzkndeMacBook-Pro:dumpdecrypted-master devzkn$

砸壳

利用环境变量 DYLD_INSERT_LIBRARY 来添加动态库dumpdecrypted.dylib

DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo

第一个path为dylib，目标path 为app二进制文件对应的目录

iPhone:~/Documents root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100030ca8(from 0x100030000) = ca8
[+] Found encrypted data at address 00004000 of length 56770560 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 62078976 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3b34ca8
[+] Closing original file
[+] Closing dump file
iPhone:~/Documents root# ls -a
.  ..  WeChat.decrypted  baiduplist  cfg  vmp

当前目录下会生成砸壳后的文件，即WeChat.decrypted

附

用scp命令把WeChat.decrypted文件拷贝到电脑上,接下来我们要正式的dump、Hopper微信的可执行文件

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp [email protected]:/var/root/Documents/WeChat.decrypted  /Users/devzkn/Downloads/dumpdecrypted-master
[email protected]'s password: 
WeChat.decrypted                                                                                                                                                                  10%   13MB   1.5MB/s   01:17 ETA^WeChat.decrypted                                                                                                                                             WeChat.decrypted  WeChat.dWeChat.decrypted                                                                                                                                                    52%   67MB   1.2MB/s   00:52 ETA

如果没找到文件，就继续执行一次

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat

iOS 9.2 之后以上砸壳会失败，要加上命令 su mobile

1、报错信息

  Killed: 9

2、看看吧～～

image

3、解决方案：

   参考链接：[http://iosre.com/t/make-dumpdecrypted-work-on-ios-9-3-3/4876](http://iosre.com/t/make-dumpdecrypted-work-on-ios-9-3-3/4876)

   远程到自己的设备后，先执行一条命令：su mobile ， 接着再砸壳。

   A、准备dumpdecrypted，编译好～

  B、远程自己的设备：ssh root@设备IP 

  C、执行命令：su mobile 

  D、查看砸壳APP路径命令：ps -e | grep AppName。

  E、查看APP的Documents路径：先用  cycript -p AppName 钩住 APP, 接着执行命令：[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]         就可以看到路径了~~~

  F、将dumpdecrypted.dylib 拷贝到   用 步骤E  执行的Documents 路径下。

 G、执行砸壳，这里以微信为例：

DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/25025AC7-6BFD-4F00-B2A4-67D96AD0D35A/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/AD21CDC7-208E-48E6-B739-9448C64F7907/WeChat.app/WeChat

当前测试机，砸wechat

wechat

app:
/var/containers/Bundle/Application/421BB869-22EE-49E2-81D9-16B861A861C5/WeChat.app/WeChat

document:
/var/mobile/Containers/Data/Application/E2758B49-8B4F-4A9E-884C-B9C177519819/Documents/

砸壳：

DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/E2758B49-8B4F-4A9E-884C-B9C177519819/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/421BB869-22EE-49E2-81D9-16B861A861C5/WeChat.app/WeChat

开始砸壳，class-dump

1、先把WeChat.decrypted拷贝到Mac上，可以通过iFunBox来拷贝。
2、通过class-dump 把头文件dump出来：
YMMacMini:~ yongming$ classdump/class-dump -SsH classdump/WeChat.decrypted -o /Users/yongming/Downloads/WeChat

安装Theos

https://blog.csdn.net/app_ios/article/details/52596230

结合Hooper和lldb 调试

https://www.cnblogs.com/ludashi/p/5730338.html

通过usbmuxd 连接越狱手机，不需要wifi

https://blog.csdn.net/glt_code/article/details/65444592
此处主要是配置完端口后，要另启一个Terminal 窗口连接 ssh

python-client目录下，python tcprelay.py -t 22:2222
另启窗口 ssh root@localhost -p 2222

砸壳

前言

正文