http://highaltitudehacks.com/
0. 基础环境 iPhone 5s 64bit iOS 8.1 已越狱
1. mobileTerminal 使用 源 http://cydia.angelxwind.net 的版本;vim 版本7.1-3p,不要升级到7.3-1;
2. dyld: Library not loaded: /usr/lib/libpcre.0.dylib
==》 apt-get install pcre
3. 在ssh 登录后执行命令时可能卡住,需要点击手机激活屏幕。
4. Cydia 仓库搜索时大小写不敏感
5. 使用git 提示 'fatal: Unable to find remote helper for ‘https’,将 https 协议换成git
6. 解决IOS "Illegal instruction:4" 以及 gdb 'Unrecognized osabi 0 in arm_set_osabi_from_host_info' 错误
通过cydia 一些仓库下载的工具版本有限,可以直接下载deb 包安装(比如cydia 搜到的gcc 和gdb 版本都少了'p')
libgcc: http://apt.saurik.com/debs/libgcc_4.2-20080410-1-6_iphoneos-arm.deb
gcc: http://apt.saurik.com/debs/iphone-gcc_4.2-20080604-1-8p_iphoneos-arm.deb
gdb: http://apt.saurik.com/debs/gdb_1518-12p_iphoneos-arm.deb
make: http://apt.saurik.com/debs/make_3.81-2p_iphoneos-arm.deb
由于BIN文件编译的版本较老,可以通过给文件打补丁解决,只需两条命令。
sed -i 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' ios_bin //替换
ldid -s ios_bin //重新签名
注:iOS 8 以上已经不支持gdb,使用 lldb+debugserver 来替换。使用Xcode 连接真机,然后Debug->Attach to process 选择一个app,这样Xcode 会安装debugserver 到真机 /Developer/usr/bin/ 目录下。 debugserver 作为运行在 iOS 上的 lldb 服务端,执行 Mac 上的 lldb 传过来的命令,再把执行结果返回给 Mac 上的 lldb 并显示给用户。
7. 可以从bigboss源安装 lrzsz ,使用时注意命令是 lrz 和 lsz
8. iOS 8.1 app 安装目录在 /private/var/mobile/Containers/Bundle/Application/
app 数据存储在 /private/var/mobile/Containers/Data/Application/
9. you can now find otool in the "Darwin CC Tools" package from the Cydia/Telesphoreo repository.
(dpkg -i --force-overwrite、dpkg -r com.isecpartners.introspy)
10. iPhone安装Snoop-it后系统图标消失解决办法(64bit 设备不要尝试安装)
1)、SSH连接手机,进入“/Applications”目录,发现只有一个Snoop-it Config.app的文件夹,删除之;
2)、打开"/private/var/mobile/Library/Caches/com.saurik.Cydia/lists/cydia.radare.org_._Packages 、repo.nesolabs.de_._Packages ",删除其中带有snoop的段落;
3)、分别打开“/private/var/lib/dpkg/status”和“/private/var/lib/dpkg/status-old”文件,删除snoopit相关的段落;
4)、查找系统应用安装包路径,“/private/var/stash/xxxxx/Applications”(其中xxxxx不同手机不一样,找到包含Applications的即可),将该文件夹下所有拷贝到根目录“/Applications”下(此时该目录应该是空的);
5)、重启手机,SSH连接输入“uicache”命令,所有图标就出来了。
6)、后续请勿执行手机恢复操作,有白苹果的风险,至少我第一台设备就是在该操作之后挂掉的。图标恢复出来后能用就可以了。
11. 下载 https://github.com/nu11p0inter/iNalyzer 版本,主要是修改了iOS 8 之后app 安装的路径问题。可以使用源 https://appsec-labs.com/cydia 的版本
Xcode 10 编译提示问题:
0) 、一开始 libz.dylib 显示找不到
可以直接在 build phases 中直接把已有的Link library 中 libz.dylib 删除,系统会自动找到合适的路径
如果不行则自己手动添加,如下
Go to Build Phases >Link Binary with Librairies > + > Add other
Once in the file selection window do "CMD"+Shift+G (Go to folder) and type /usr/lib/
From /usr/lib you can add : libz.dylib/libz.tbd and more...
Compile and have fun
1)、 Union lc_str no member ptr
+union lc_str {
+ uint32_t offset; /* offset to the string */
+#ifndef __LP64__
+ char *ptr; /* pointer to the string */
+#endif
可以看到如果定义为64位系统,即 __LP__64 存在定义,则不存在ptr,可以直接将此行注释掉
//overdrive_dyld->dylib.name.ptr = (char *) sizeof(struct dylib_command);
2)、 “__vm_region” x86_64 reference not found, from dump.o
The vm_xxx API was using 32 bit type to store addresses. But, as mach API is design to interact with other processes, it has to be capable of dealing with 64 bits addresses even in a 32 bit process.
That why the mach_vm_xxx API was introduce in 10.4, the first Mac OS X version able to run 64 bit processes.
mach_task_self doesn't have any reason to change.
查找 dump.m 中 vm_region() 函数更换为 mach_vm_region() 函数,且dump.h 中 #import
此时会提示"error mach_vm.h unsupported.” 即 mach_vm.h 为空,查找到mach_vm.h 的路径后,先备份再从其他地方复制过来
sudo mv /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h.bak
sudo cp /usr/include/mach/mach_vm.h /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h
同上将真机SDK 的mach_vm.h 也复制一遍
3)、 编译提示找不到 ldid 路径,直接修改此 sh 中 ldid 不能生效,因为会被覆盖。故暂时新建脚本中使用的路径,将ldid 拷贝过来
4) 、真机编译时提示 XXX isn't code signed but requires entitlements. It is not possible to add entitlements to a binary with
尝试 target->general->signing->automatically manage,选择dev team后不能enable development signing,即使在 build settings中把code signing entitlements 中的依赖文件去掉也不行。
cd /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk
cp SDKSettings.plist SDKSettings.plist.bak
/usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES” SDKSettings.plist
/usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO” SDKSettings.plist
plutil -p SDKSettings.plist xml 格式查看
修改SDK中的这两个key之后,再取消掉automatically manage signing,这样就能越过签名进行编译
11. 启动 INTROSPY 分析之后,发现 /private/var/mobile/Library/BatteryLife/Archives 目录一直不断产生 *.PLSQL 文件,导致存储空间急剧增长。for f in *.PLSQL; do rm "$f"; done
12. Xcode 10 iOS 模拟器目录如下:
/Users/xxx/Library/Developer/CoreSimulator/Devices/8CA8E182-5DF2-4B73-A4FB-6637510EA1D2/data/Containers/Bundle/Application/6B3E9DF2-4F09-444D-9826-34D72B18C577
8CA8E182-5DF2-4B73-A4FB-6637510EA1D2 表示具体一个device如iPhone 5s iOS 8.1
6B3E9DF2-4F09-444D-9826-34D72B18C577 表示一个app具体路径
/Users/xxx/Library/Developer/CoreSimulator/Devices/8CA8E182-5DF2-4B73-A4FB-6637510EA1D2/data/Containers/Data/Application/35036EB8-AB36-4BCE-86E4-AEC840CCB93E/Documents/secret-data
13. How to compile DVIA-2 for Swift 4.2 and Xcode 10 for mobile app security
一、Xcode10 Multiple commands produced error
1. In Xcode, go to File->Project/Workspace settings.
2. Change the build system to Legacy Build system.
二、Umbrella header 'Realm.h' not found
Hold down option while clicking Product in the Xcode menu shows the Clean Build Folder…option
三、Invalid redeclaration of 'removeSubrange' in List.swift in Xcode 10 —— "pod update RealmSwift"
四、Overlapping accesses to 'derivedKeyData', but modification requires exclusive access; consider copying to a local variable
In the recent Swift 4.2 branch, the existing Swift 4.1 warning about ‘overlapping accesses’ is now an error in Swift 4 mode. This means that projects with this warning will fail to build with the Swift 4.2 compiler.
The warning typically arises when a mutating method that modifies a variable is passed a non-escaping closure that reads from the same variable. For example:
var buffer = Data(count: Int(INET6_ADDRSTRLEN))
// Warning: overlapping accesses to 'buffer', but modification
// requires exclusive access; consider copying to a local variable
let ptr = buffer.withUnsafeMutableBytes {
// Note: conflicting access is here
inet_ntop(AF_INET, &sin.sin_addr, $0, socklen_t(buffer.count))
}
Here withUnsafeMutableBytes() is a mutating method on buffer and so conceptually modifies the entire variable for the duration of the method. The compiler warns on the call to count, which is a computed property that reads from buffer while the modification is in progress — a violation of Swift’s rules for exclusive access.
The best way to address this warning is by reading the buffer count outside of the closure and copying it to a captured local variable:
var buffer = Data(count: Int(INET6_ADDRSTRLEN))
let count = buffer.count
let ptr = buffer.withUnsafeMutableBytes {
inet_ntop(AF_INET, &sin.sin_addr, $0, socklen_t(count))
}
五、unavailable function 'system': not available on iOS(iOS 11 SDK 移除了system 函数)
#include
extern char **environ;
unsigned char run_cmd(char *cmd)
{
pid_t pid;
char *argv[] = {"sh", "-c", cmd, NULL};
int status;
status = posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, environ);
if (status == 0) { //posix_spawn success return 0
if (waitpid(pid, &status, 0) == -1) {
perror("waitpid");
}
return 1; // run_cmd success return
}
return 0; // run_cmd fail return
}
六、conflict types of ‘SecRandomCopyBytes'
extern int SecRandomCopyBytes(SecRandomRef rnd, size_t count, void *bytes) __attribute__((weak_import));
14. 免费个人开发者
一、使用appid 登陆苹果开发者中心即成为免费开发者(没有后台设置capability的权限,即如果app 需要entitlements 设置,则不能实现签名)
二、在Xcode —>preference —>accounts 添加appid 账号
三、修改Xcode project 和 taerget app 的设置
如genernal 中 bundle ID 需要唯一(如果是需要分发的需要到开发者中心注册)
Team 设置为个人开发者账号,选择 auto manage signing,如果build setttings 中有手动设置signing 设置,重新选择为 iOS Developer 即可。
调试机器选择usb 连接到真机,就能进行调试了。(免费开发者签名用于非越狱机器,只要7天有效期限,用于越狱机器,无限期,如果机器iOS 版本比较高,需要在设置—》设备与描述文件中信任本开发者)
ld 出现 目录不存在的错误,build settings 中搜索 frame 和 library path 设置,把错误的路径删除
ld 出现Flurry 不支持bitcode 的错误,build settings 中把 enable bitcode 选项关闭
deployment target 影响能允许的设备操作系统版本,如果代码调用了高级系统的SDK 接口函数,则只能运行在>= 的系统上
15. Installing DVIA use Xcode build package
Xcode 编译完成的 app 包在 类似 /Users/xxx/Library/Developer/Xcode/DerivedData/DamnVulnerableIOSApp-hjigvwacknpesuduahcrzmqikljc/Build/Products/Debug-iphonesimulator(Debug-iphoneos) 目录下
将 DVIA.app 放入一层名为Payload的目录,接着压缩为 DVIA.zip,再更名为 DVIA.ipa,再使用 installipa 等工具安装。
Xcode->Product->Scheme->Edit Scheme,Info页在Build Configuraion选择相对应你需要生成的版本(debug/release)