IOS 逆向工程之砸壳
xcrun –sdk iphoneos –show-sdk-path,查看输出,看看目前的默认SDK是什么版本,例如楼猪的是“/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk”。这里分2种情况:
或
SDK=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.X.sdk
,即iOS版本需要与SDK版本相同。 注意,5.1版SDK编译出的dylib是向下兼容的,可以用于iOS5.0,6.1版SDK同理。(注意:这个有待验证,楼猪还没这么干过)
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
改为
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s
再将dumpdecrypted.c第76行的
if (lc->cmd ==LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64)
改成
if(lc->cmd == LC_ENCRYPTION_INFO)
,保存。这里继续:接着直接cd到“/Users/wwc/Desktop/Code/dumpdecrypted-master/”下,然后输入“make”并回车,生成“/Users/wwc/Desktop/Code/dumpdecrypted-master/dumpdecrypted.dylib”。
1.将“锤子”放入设备中
查看iOS设备的IP地址,然后在Mac上使用scp命令将dumpdecrypted.dylib文件放到iOS设备中:
$ scp dumpdecrypted.dylib root@192.168.xxx.xxx:/var/tmp
root@192.168.xxx.xxx's password:
dumpdecrypted.dylib 100% 81KB 81.0KB/s 00:00
2.砸
选定一个让你觉得非常不爽或非常感兴趣的app,我就随便选了一个QQ。在iOS设备上打开iFunBox,查到它的可执行文件的路径为:/var/mobile/Applications/xxxxxxxx/QQ.app/QQ
然后用SSH连到iOS设备上,cd到刚刚动态库的路径:/var/tmp。
$ ssh root@192.168.xxx.xxx
root@192.168.xxx.xxx's password:
root# cd /var/tmp/
root# ls
FlipswitchCache/ com.apple.audio.hogmode.plist
L65ancd.sock= com.apple.tccd/
L65d.sock= com.apple.timed.plist
MediaCache/ cydia.log
RestoreFromBackupLock* dumpdecrypted.dylib*
SpringBoard_reboot_flag launchd/
com.apple.assistant.bundleservicecache.plist mobile_assertion_agent.log
砸壳(久等了):
- root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx/QQ.app/QQ
- mach-o decryption dumper
- DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
- [+] detected 32bit ARM binary in memory.
- [+] offset to cryptid found: @0xd5a90(from 0xd5000) = a90
- [+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
- [+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/QQ.app/QQ for reading.
- [+] Reading header
- [+] Detecting header type
- [+] Executable is a FAT image - searching for right architecture
- [+] Correct arch is at offset 16384 in the file
- [+] Opening QQ.decrypted for writing.
- [+] Copying the not encrypted start of the file
- [+] Dumping the decrypted data into the file
- [+] Copying the not encrypted remainder of the file
- [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
- [+] Closing original file
- [+] Closing dump file
成果:
root# ls
FlipswitchCache/ com.apple.audio.hogmode.plist
QQ.decrypted com.apple.tccd/
L65ancd.sock= com.apple.timed.plist
L65d.sock= cydia.log
MediaCache/ dumpdecrypted.dylib*
RestoreFromBackupLock* launchd/
SpringBoard_reboot_flag mobile_assertion_agent.log
com.apple.assistant.bundleservicecache.plist
或
class-dump –arch armv7 Victim.decrypted
///////////////////////注意://///////////////////////////
楼猪直接执行了class-dump命令提取了头文件,命令如下:
class-dump -H QQ.decrypted -o /Users/wwc/Desktop/Code/headers
等待命令执行完毕,查看这个目录,你想要的东西就在里面了。
这是楼猪借鉴了各方经验,加上自己亲自动手操作得到的结论,可能某些地方存在纰漏,希望各位小伙伴积极指正。小弟在此拜谢了。