iOS Reverse Engineering: Basic Tools, dumpdecrypted

We can dump the header files of system apps directly, but apps downloaded from the App Store are encrypted (FairPlay), so class-dump cannot dump their headers as-is. This is where the subject of this article, dumpdecrypted, comes in: it strips the encryption from the app binary ("smashing the shell", 砸壳, in the usual jargon) so the result can be dumped. Thanks to the people who built these tools~

Environment: iPhone 5c, iOS 10.3.3

Download: GitHub (https://github.com/stefanesser/dumpdecrypted)

Clone the repository and run make:

$git clone https://github.com/stefanesser/dumpdecrypted.git
Cloning into 'dumpdecrypted'...
remote: Counting objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Unpacking objects: 100% (31/31), done.

$cd dumpdecrypted 
$make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/PrivateFrameworks'

After make finishes, a dumpdecrypted.dylib file appears in the current directory. This is the hammer that smashes the shell.

$ls
Makefile            README              dumpdecrypted.c     dumpdecrypted.dylib dumpdecrypted.o

Now go to the phone and find the path of the app you want to decrypt. The executables of App Store apps are all stored under /var/containers/Bundle/Application/:

$ls /var/containers/Bundle/Application/
017E448E-7AB7-4619-9F2E-32F9FD02D476  13F95CDA-3F8A-4A8A-8E33-A9D3D896B1CD  3D3F3796-B24C-405C-A257-88F7E0D8BC0C  68A0B1EE-F924-404B-AE6B-DDEB3E996F47

We cannot tell which folder belongs to which app, so we use the ps command to filter.

To avoid interference, kill all app processes and keep only the one you want to decrypt.

$ps -e | grep /var/containers/Bundle/Application/
 1387 ??         0:02.25 /var/containers/Bundle/Application/68A0B1EE-F924-404B-AE6B-DDEB3E996F47/SeekingArrangement.app/SeekingArrangement
 1408 ttys000    0:00.00 grep /var/containers/Bundle/Application/

We found it: 68A0B1EE-F924-404B-AE6B-DDEB3E996F47/SeekingArrangement.app/SeekingArrangement

Next, use cycript to find the app's Documents directory:

$cycript -p 1387
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/9EE3F784-AAC6-458E-9502-DDD264AFA7A1/Documents/"

Then copy the dumpdecrypted.dylib built earlier into that directory:

$scp dumpdecrypted.dylib [email protected]:/var/mobile/Containers/Data/Application/9EE3F784-AAC6-458E-9502-DDD264AFA7A1/Documents/
[email protected]'s password: 
dumpdecrypted.dylib                                                                                                                             100%  193KB   2.1MB/s   00:00 

Then take the executable found with ps -e and start the decryption. Run this from the Documents directory, since dumpdecrypted.dylib is referenced by a relative path:

$DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/68A0B1EE-F924-404B-AE6B-DDEB3E996F47/SeekingArrangement.app/SeekingArrangement

You may run into this problem along the way:

dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found.  Did find:
    dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'

    /private/var/mobile/Containers/Data/Application/9EE3F784-AAC6-458E-9502-DDD264AFA7A1/Documents/dumpdecrypted.dylib: required code signature missing for '/private/var/mobile/Containers/Data/Application/9EE3F784-AAC6-458E-9502-DDD264AFA7A1/Documents/dumpdecrypted.dylib'


Abort trap: 6

This is a code-signing problem: dyld refuses to insert an unsigned library. Sign dumpdecrypted.dylib with a developer certificate and upload it again.

# list the available signing identities
$security find-identity -v -p codesigning
# sign the dylib
$codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib
# after uploading with scp, run the decryption again
$DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/68A0B1EE-F924-404B-AE6B-DDEB3E996F47/SeekingArrangement.app/SeekingArrangement
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x4cbe4(from 0x4c000) = be4
[+] Found encrypted data at address 00004000 of length 9633792 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/68A0B1EE-F924-404B-AE6B-DDEB3E996F47/SeekingArrangement.app/SeekingArrangement for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening SeekingArrangement.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset be4
[+] Closing original file
[+] Closing dump file

A SeekingArrangement.decrypted file is generated in the current directory; this is the decrypted binary.

$ls
SeekingArrangement.decrypted  dumpdecrypted.dylib
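The dump log above shows what dumpdecrypted does to the file: it writes out the decrypted segment and sets LC_ENCRYPTION_INFO->cryptid to 0. The check worth running on the result is whether that cryptid really reads 0 now. Below is an added Python helper, not part of dumpdecrypted or this post, that walks the Mach-O load commands and reports cryptoff/cryptsize/cryptid for thin and FAT images; the sample image it builds is a constructed header-only stub using the cryptoff and length from the log, not a real binary.

```python
"""Read LC_ENCRYPTION_INFO(_64) from a Mach-O image: cryptid == 1 means the slice is
still FairPlay-encrypted, cryptid == 0 means plain or decrypted. Added helper, not
part of dumpdecrypted; the sample image built by make_sample() is constructed."""
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def encryption_info(data, base=0):
    """Walk the load commands of the thin image at file offset `base` and return
    its encryption fields, or None if the image has no encryption command."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC:
        hdr_size = 28                        # struct mach_header
    elif magic == MH_MAGIC_64:
        hdr_size = 32                        # struct mach_header_64 (extra reserved)
    else:
        raise ValueError("no little-endian thin Mach-O header at 0x%x" % base)
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    off = base + hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            # off + 16 is the file offset of cryptid, the field dumpdecrypted sets to 0
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cryptid_file_offset": off + 16}
        off += cmdsize
    return None


def is_encrypted(data):
    """True if any slice of a thin or FAT image still carries cryptid == 1."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:   # FAT headers are big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        bases = [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        bases = [0]
    return any((encryption_info(data, b) or {}).get("cryptid") == 1 for b in bases)


def make_sample(cryptid, fat=False):
    """Constructed header-only 32-bit ARM image (cputype 12, MH_EXECUTE) with one
    LC_ENCRYPTION_INFO using the cryptoff/size from the dump log; not a real binary."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 9633792, cryptid)
    img = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(lc), 0) + lc
    if fat:  # wrap in a one-slice FAT container; the slice starts at offset 28
        img = struct.pack(">7I", FAT_MAGIC, 1, 12, 9, 28, len(img), 0) + img
    return img
```

On a real dump, `is_encrypted(open("SeekingArrangement.decrypted", "rb").read())` should return False; if it returns True for any slice, the dump was not complete.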

Now you can copy it wherever you want to work with it; class-dump and IDA are waiting~

As for why the whole operation has to happen inside the app's Documents directory: an App Store app can only read and write within its own sandbox, so the dylib must live somewhere the app is allowed to load it from. I am sure everyone can understand that.
