iOS逆向-脱壳

  • 什么是加壳?

         利用特殊的算法,对可执行文件的编码进行改变(比如压缩、加密),以达到保护程序代码的目的

  • 什么是脱壳?

         摘掉壳程序,将未加密的可执行文件还原出来(有些人也称为“砸壳”)

 

  • iOS中有很多好用的脱壳工具

           Clutch:https://github.com/KJCracks/Clutch

             dumpdecrypted:https://github.com/stefanesser/dumpdecrypted/

            pAppCrackr、Crackulous

  • 通过otool命令行可以查看可执行文件是否脱壳

                otool  -l   可执行文件路径   |  grep   crypt

    0为已经脱壳

 

Clutch配置

  • 下载最新的Release版:https://github.com/KJCracks/Clutch/releases
  • 建议去掉版本号,改名为Clutch   
  • 将Clutch文件拷贝到iPhone的/usr/bin目录中
  • 如果在iPhone上执行Clutch指令,权限不够的话,赋予  可执行的权限

            chmod +x /usr/bin/Clutch

 

  • 列出已经安装的APP:      Clutch -i

iPhone:~ root# Clutch -i
Installed apps:
1:   腾讯视频-怒晴湘西独播 
2:   车来了 
3:   Stream 
4:   QQ 
5:   UC浏览器-新闻资讯抢先看 
6:   酷狗音乐-就是歌多 
7:   喜马拉雅 
8:   ボイスレコーダー-無料ボイスメモ 
9:   爱思加强版 
10:  抖音短视频 
  • 输入APP序号或者Bundle id进行脱壳操作:Clutch -d APP序号或BundleId

iPhone:~ root# Clutch -d 3
Zipping NetworkSniffer.app
ASLR slide: 0x10002c000
Dumping  (arm64)
Patched cryptid (64bit segment)
...
  • 脱壳成功后会生成一个ipa文件

DONE: /private/var/mobile/Documents/Dumped/com.fish.stream-iOS9-(Clutch-2.0.4).ipa
Finished dumping com.fish.stream in 3.1 seconds
iPhone:~ root#

dumpdecrypted配置

  • 下载源代码,然后在源代码目录执行make指令进行编译,获得dylib动态库文件

            https://github.com/stefanesser/dumpdecrypted/

           

  • 将dylib文件拷贝到iPhone上(如果是root用户,建议放/var/root目录)

  • 终端进入dylib所在的目录

  • 使用环境变量DYLD_INSERT_LIBRARIES将dylib注入到需要脱壳的可执行文件(可执行文件路径可以通过ps-A查看获取)

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib  可执行文件路径

iPhone:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/06237BF4-4E31-46DD-B667-5FC17F5FD461/ting.app/ting
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10004cca8(from 0x10004c000) = ca8
[+] Found encrypted data at address 00004000 of length 61276160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/06237BF4-4E31-46DD-B667-5FC17F5FD461/ting.app/ting for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 67125248 in the file
[+] Opening ting.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4004ca8
[+] Closing original file
[+] Closing dump file
iPhone:~ root#
  • .decrypted文件就是脱壳后的可执行文件

              在手机路径的/device/var/root文件里      

 

常用格式

class-dump -H Mach-O文件路径  -o 头文件存放目录

你可能感兴趣的:(移动开发)