App Store应用脱壳

首先还是感谢snakeninny

用Clutch也行 , Clutch -i ,然后Clutch -d 数字

退而求其次, 选择了dumpdecrypted , 利用的就是dump拷贝技术. 加壳的app在手机运行的时候是脱壳状态, 并且在内存中连续存储 , 只要能把这份内存拷贝出来, 就能重新生成脱壳的APP .

1.下载dumpdecrypted源码

源码地址:https://github.com/stefanesser/dumpdecrypted/archive/master.zip , 下载后放到常用位置我的位置是/Users/DH/code/Code/dumpdecrypted-master

2.编译Makefile

我们看dumpdecrypted-master 目录 , 有一个Makefile , 直接编译

localhost:~ DH$ cd /Users/DH/code/dumpdecrypted-master 
localhost:dumpdecrypted-master DH$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o

会生成一个dumpdecrypted.dylib

3.用SSH连接到手机

可以选用wifi链接, 也可以用USB链接 ,我更喜欢用USB链接

wifi:

ssh root@iphoneIP 

USB

/User/DH/code/USBSSH/tcprelay.py - t 22:5555
ssh root@localhost -p 5555

4.用ps -e 定位APP

1.首先先运行你要定位的APP
2.dinghaoyueyuceshiji:~ root# ps -e
  PID TTY           TIME CMD
    1 ??         0:34.89 /sbin/launchd
  ....
 1571 ??         0:02.36 /var/mobile/Containers/Bundle/Application/0FC82FA4-C182-4FED-927A-ACF8A539858C/WeChat.app/WeChat
 1576 ??         0:00.36 sshd: root@ttys000 
 1580 ??         0:01.90 /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite
 1578 ttys000    0:00.06 -sh
 1585 ttys000    0:00.01 ps -e

找到你的应用

/var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite
这个Oplayer Lite就是 或者使用它的PID 1580
App Store下载的应用在目录/var/mobile/Containers/Bundle/Application 下就能找到

5.用Cycript找出OPlayer Lite的Documents目录路径。

Cycript在Cydia自带源Cydia/Telesphoreo中就有

dinghaoyueyuceshiji:~ root# cycript -p 1580
cy# 

输入cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
会出来结果:
#"file:///var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/"

6.将dumpdecrypted.dylib拷贝到Documents目录下(拷贝到/var/mobile 下面更方便)

重新打开命令行
localhost:~ DH$ scp /Users/DH/code/dumpdecrypted-master/dumpdecrypted.dylib [email protected]:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/
The authenticity of host '192.168.1.55 (192.168.1.55)' can't be established.
RSA key fingerprint is f9:dd:8b:b9:0e:62:e2:75:55:e3:0b:15:8f:2e:cd:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.55' (RSA) to the list of known hosts.
[email protected]'s password: 
dumpdecrypted.dylib                           100%  193KB 192.9KB/s   00:00   

这个拷贝我不会 ,我都是用pp助手之类的直接拖拽进去

7.开始砸壳

0.打开应用, 然后ps -e , 找到目录
1.cd /var/mobile
2.su mobile
3.DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib  /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/XXX.app/XXX\ XXX
4.然后再/var/mobile 目录下的就是了

下面的内容比较复杂, 有兴趣的看看

1.找到刚才连接手机的并运行了cycript -p PID 的那个命令行 
2.然后control + D 退出cycript
3.cd /var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/
4.dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer\ Lite.app/OPlayer\ Lite
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

如果出现 Killed: 9

su mobile 

继续执行第4

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100010c58(from 0x100010000) = c58
[+] Found encrypted data at address 00004000 of length 18710528 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 24346624 in the file

上面第四条命令有点长 , 大家仔细点, 后面跟着的是用ps -e出来的app的地址 . 如果APP名字有空格, 注意加\

当前目录会生成
dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# ls
OPlayer Lite.decrypted  OPlayerLite.zip  dumpdecrypted.dylib
其中的OPlayerLite.zip是自己压缩的 , 应该会有一个OPlayer Lite.decrypted 和dumpdecrypted.dylib两个文件

8.拷贝到MAC

1.查看mac当前的地址 , 我的是192.168.1.28
2.知道自己的root账户密码, 如果不知道
如果不知道root用户密码，需要重设。
　　命令［sudo passwd root ］
　　然后提示你输入当前登录用户密码，通过以后，
　　提示你输入两遍root的密码。
　　这样你就设置好root帐号密码了
localhost:~ DH$ sudo passwd root
Password:
Changing password for root.
New password:
Retype new password:
3.如果知道root密码 直接在终端输入
dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# scp OPlayer\ Lite.decrypted [email protected]:/Users/DH/code/
Password:
OPlayer Lite.decrypted                                                                                                                  100%   49MB   1.5MB/s   00:33   

9.转换OPlayer Lite.decrypted

此时我们把OPlayer Lite.decrypted的扩展名去掉
运行下面的代码:
lipo OPlayer\ Lite -thin arm64 -output Oplayer_arm64
Oplayer_arm64就是一个无壳文件了 , 将ipa包里面的替换掉，这就是一个无壳的APP了。

ifunbox 可能提示未越狱 去cydia 下载Apple File Conduit 2
如果不会替换就回复我