iOS App Dumping (砸壳)

Notes:

Every command in this article prefixed with iPhone:~ root# is run on the phone after logging in over SSH.

SSH into the iPhone: https://www.jianshu.com/p/9e24088c9f2a

How dumping works:
We do not know how iOS decrypts an app's executable, but the device has to decrypt it in order to run it. Dumping (砸壳) makes use of the device's own decryption to obtain a decrypted copy of the app.

1. Static dumping

Static dumping uses Clutch, which invokes the device's decryption itself and writes out the decrypted app files.

1. Download Clutch
2. Copy the Clutch binary into the /usr/bin/ directory on the iPhone
scp -P 12345 Clutch [email protected]:/usr/bin/

Notes:

  1. The downloaded Clutch command-line tool may be named Clutch-x.x.x; rename it to Clutch
  2. Clutch needs execute permission
iPhone:~ root# chmod +x /usr/bin/Clutch
// show the usage text
iPhone:~ root# Clutch
Usage: Clutch [OPTIONS]
-b --binary-dump         Only dump binary files from specified bundleID
-d --dump                Dump specified bundleID into .ipa file
-i --print-installed     Print installed applications
   --clean               Clean /var/tmp/clutch directory
   --version             Display version and exit
-? --help                Display this help and exit
-n --no-color            Print with colors disabled
  3. At the moment Clutch does not work properly on iOS 11 semi-untethered jailbreaks
3. List the apps that can be dumped
iPhone:~ root# Clutch -i
Installed apps:
1:   追书神器-全网更新最快的小说阅读器 
2:   网易云音乐-音乐的力量 
3:   微信 
4. Dump the app
iPhone:~ root# Clutch -d com.ifmoc.ZhuiShuShenQi

// or use the index number from the list

iPhone:~ root# Clutch -d 1

When dumping finishes, the output looks like this:

...
ASLR slide: 0x100060000
Dumping  (arm64)
Patched cryptid (64bit segment)
Writing new checksum
DONE: /private/var/mobile/Documents/Dumped/com.ifmoc.ZhuiShuShenQi-iOS8.0-(Clutch-2.0.4).ipa
Finished dumping com.ifmoc.ZhuiShuShenQi in 26.7 seconds

Here /private/var/mobile/Documents/Dumped/com.ifmoc.ZhuiShuShenQi-iOS8.0-(Clutch-2.0.4).ipa is the dumped IPA.

Copy the IPA to the computer (run this command on the computer):

scp -P 12345 [email protected]:/private/var/mobile/Documents/Dumped/com.ifmoc.ZhuiShuShenQi-iOS8.0-(Clutch-2.0.4).ipa ~/Desktop

Unfortunately this command does not do what you would expect: scp hands the remote path to the shell on the phone, which chokes on the unescaped parentheses in the file name. I worked around it by renaming the IPA (after connecting to the phone, run this in /private/var/mobile/Documents/Dumped/):

iPhone:/private/var/mobile/Documents/Dumped root# mv ./com.ifmoc.ZhuiShuShenQi-iOS8.0-\(Clutch-2.0.4\).ipa ./shenqi.ipa

Note: I also tried the rename command, which failed with -sh: syntax error near unexpected token `('

Then copy again:

scp -P 12345 [email protected]:/private/var/mobile/Documents/Dumped/shenqi.ipa ~/Desktop

Copied successfully!

PS: you can also pull the IPA off the phone directly with iFunBox.

5. Verify that the dump worked

Unzip the IPA on the desktop, find the Mach-O executable inside it (YouShaQi), and run:

otool -l YouShaQi | grep crypt
     cryptoff 16384
    cryptsize 15990784
      cryptid 0

cryptid is 0 here, i.e. the executable is no longer encrypted. Dump succeeded!

2. Dynamic dumping

Dynamic dumping uses dumpdecrypted.
Principle: launch the app, then read the already-decrypted Mach-O out of the process's memory.

1. Inject dumpdecrypted into the app to be dumped
  • Download and compile dumpdecrypted to obtain dumpdecrypted.dylib
  • Copy dumpdecrypted.dylib into the phone's home directory
scp -P 12345 dumpdecrypted.dylib [email protected]:~/
  • Load dumpdecrypted.dylib into the target app's process

After connecting to the phone, find the app's executable path in the process list:

iPhone:~ root# ps -A
...
 2289 ??         0:01.49 /var/mobile/Containers/Bundle/Application/E1CB16DE-9254-4189-AE03-1799CAA8B0F9/YouShaQi.app/YouShaQi
 2291 ??         0:00.10 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
...

Launch that executable with the library inserted (this starts a fresh instance of the binary from its bundle path, with dumpdecrypted.dylib loaded through DYLD_INSERT_LIBRARIES; it does not attach to the PID shown above). Run it from the phone's home directory so the dump is written there:

iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/E1CB16DE-9254-4189-AE03-1799CAA8B0F9/YouShaQi.app/YouShaQi

The output looks like this:

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100060d48(from 0x100060000) = d48
[+] Found encrypted data at address 00004000 of length 17367040 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/E1CB16DE-9254-4189-AE03-1799CAA8B0F9/YouShaQi.app/YouShaQi for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 18972672 in the file
[+] Opening YouShaQi.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 1218d48
[+] Closing original file
[+] Closing dump file

List the current directory:

iPhone:~ root# ls
Documents  Library  Media  YouShaQi.decrypted  dumpdecrypted.dylib  reboot

YouShaQi.decrypted is the decrypted Mach-O of the app.

  • Copy the Mach-O to the computer's desktop
scp -P 12345 [email protected]:~/YouShaQi.decrypted ~/Desktop
  • Check the Mach-O's encryption state
otool -l YouShaQi.decrypted | grep crypt
YouShaQi.decrypted (architecture armv7):
     cryptoff 16384
    cryptsize 15990784
      cryptid 1
YouShaQi.decrypted (architecture arm64):
     cryptoff 16384
    cryptsize 17367040
      cryptid 0

The arm64 slice was dumped successfully!

Notes:

  1. Only the arm64 slice of this Mach-O is decrypted, because the device used here is an iPhone 5s (64-bit) and dumpdecrypted can only dump the slice the process actually runs. If you also need armv7, dump on an armv7 device (e.g. an iPhone 5c) and then combine the arm64 and armv7 slices into one Mach-O with lipo (otool only inspects binaries; lipo is the tool that thins and recombines fat files).
  2. dumpdecrypted produces only the Mach-O executable; the resources can be taken straight from the original, un-dumped bundle, since only the executable is encrypted.
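As an added example (my own code, not from the original post or from the Clutch/dumpdecrypted projects), the Python script below covers two things the static and dynamic sections both rely on. report() is the offline equivalent of `otool -l FILE | grep crypt`: it walks every slice of a fat or thin Mach-O and returns cryptoff, cryptsize and cryptid from LC_ENCRYPTION_INFO(_64), so the per-architecture check in step 5 and in the otool output above can be run on any OS. dump_slice() then reproduces the file-level steps that dumpdecrypted logged above (keep the unencrypted start, write the decrypted range, keep the remainder, set cryptid to 0 at the command's offset inside the slice); the address arithmetic is the same as in that log, where the patch offset 0x1218d48 is the arm64 slice's file offset 18972672 (0x1218000) plus the in-slice offset 0xd48. What the script cannot do is read plaintext out of a running process: the sample binary is constructed by build_sample() and the "memory contents" are a constant byte pattern, both labelled as such in the code. All function and constant names are mine.

```python
"""Inspect and patch LC_ENCRYPTION_INFO in fat or thin Mach-O files.

Added example for this article; not code from Clutch or dumpdecrypted.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # slices are little-endian on ARM
FAT_MAGIC = 0xCAFEBABE                            # the fat header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {0x0000000C: "armv7", 0x0100000C: "arm64"}


def slices(data):
    """Yield (file_offset, size) for every Mach-O slice in `data`."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align
            _, _, offset, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield offset, size
    else:
        yield 0, len(data)                        # thin binary: a single slice


def encryption_info(data, base):
    """Return the LC_ENCRYPTION_INFO(_64) fields of the slice whose header is at `base`."""
    magic, cputype, _, _, ncmds, _ = struct.unpack("<6I", data[base:base + 24])
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    pos = base + (32 if magic == MH_MAGIC_64 else 28)   # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<2I", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<3I", data[pos + 8:pos + 20])
            return {"arch": CPU_NAMES.get(cputype, hex(cputype)),
                    "cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    # absolute file offset of cryptid = slice base + in-slice offset,
                    # the same sum dumpdecrypted prints (0x1218000 + 0xd48 in the log)
                    "cryptid_offset": pos + 16}
        pos += cmdsize
    return None                                   # no encryption command in this slice


def report(data):
    """Offline equivalent of `otool -l FILE | grep crypt`, one entry per slice."""
    result = []
    for offset, _ in slices(data):
        info = encryption_info(data, offset)
        if info is not None:
            result.append(info)
    return result


def dump_slice(data, base, decrypted):
    """Apply dumpdecrypted's file surgery to the slice at `base`.

    `decrypted` is the plaintext of [cryptoff, cryptoff + cryptsize) as the running
    process sees it in memory. The unencrypted start and remainder of the file are
    kept, the encrypted range is overwritten, and cryptid is set to 0.
    """
    info = encryption_info(data, base)
    if info is None:
        raise ValueError("slice has no LC_ENCRYPTION_INFO; nothing to dump")
    if len(decrypted) != info["cryptsize"]:
        raise ValueError("decrypted data must be exactly cryptsize bytes")
    start = base + info["cryptoff"]
    out = bytearray(data)
    out[start:start + info["cryptsize"]] = decrypted
    struct.pack_into("<I", out, info["cryptid_offset"], 0)
    return bytes(out)


def _thin(magic, cputype, cryptsize, fill):
    """Constructed minimal slice: header, one encryption command, zero padding up to
    the first page boundary, then `cryptsize` bytes of `fill` standing in for ciphertext."""
    is64 = magic == MH_MAGIC_64
    cmd_id, cmd_len = (LC_ENCRYPTION_INFO_64, 24) if is64 else (LC_ENCRYPTION_INFO, 20)
    cryptoff = 0x1000                             # the header page is never encrypted
    header = struct.pack("<7I", magic, cputype, 0, 2, 1, cmd_len, 0)   # filetype 2 = MH_EXECUTE
    if is64:
        header += b"\0" * 4                       # mach_header_64.reserved
    cmd = struct.pack("<5I", cmd_id, cmd_len, cryptoff, cryptsize, 1).ljust(cmd_len, b"\0")
    return (header + cmd).ljust(cryptoff, b"\0") + bytes([fill]) * cryptsize


def build_sample():
    """Constructed fat binary (not a real app): armv7 and arm64 slices, both cryptid 1."""
    armv7 = _thin(MH_MAGIC, 0x0000000C, 0x1000, 0xEE)
    arm64 = _thin(MH_MAGIC_64, 0x0100000C, 0x2000, 0xEE)
    off1 = 0x4000                                 # slices are 16 KiB aligned (align = 14)
    off2 = off1 + ((len(armv7) + 0x3FFF) & ~0x3FFF)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 0x0000000C, 0, off1, len(armv7), 14)
    fat += struct.pack(">5I", 0x0100000C, 0, off2, len(arm64), 14)
    return fat.ljust(off1, b"\0") + armv7.ljust(off2 - off1, b"\0") + arm64


if __name__ == "__main__":
    fat = build_sample()
    print("before:", report(fat))
    arm64_base = list(slices(fat))[1][0]
    plaintext = b"\x90" * 0x2000                  # stand-in for the decrypted pages in memory
    dumped = dump_slice(fat, arm64_base, plaintext)
    print("after: ", report(dumped))              # armv7 still cryptid 1, arm64 now 0
```

Run it as a script to see the before/after report. On a real dump, feed report() the bytes of YouShaQi.decrypted: the armv7 slice should still show cryptid 1 and arm64 cryptid 0, exactly as the otool output above does, which is why the note about lipo applies.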

DONE
