iOS逆向之dumpdecrypted的使用

dumpdecrypted使用:

dumpdecrypted 是個出色的app脫殼開源工具,它的原理是:將應用程序運行起來(iOS系統會先解密程序再啟動),然后將內存中的解密結果dump寫入文件中,得到一個新的可執行程序。

1.下載與安裝:

  • 下載地址:
https://github.com/stefanesser/dumpdecrypted/archive/master.zip
  • 編譯安裝:
    在終端中進入到剛剛下載解壓的目錄。可以發現如下文件:
Shuangquan:RevertProject Wade$ cd dumpdecrypted-master
Shuangquan:dumpdecrypted-master Wade$ ls
Makefile        README          dumpdecrypted.c 
Shuangquan:dumpdecrypted-master Wade$

直接make, 就可以生成dumpdecrypted.dylib文件了

- 常見問題
①錯誤

xcrun --sdk iphoneos --find gcc -Os -Wimplicit -isysroot xcrun --sdk iphoneos --show-sdk-path -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/Frameworks -Fxcrun --sdk iphoneos --show-sdk-path/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c/bin/sh: /Applications/Xcode: No such file or directorymake: *** [dumpdecrypted.o] Error 127

說明是Xcode 路徑有問題
需要執行 xcode-select 設置Xcode的路徑

Shuangquan:Desktop Wade$ sudo xcode-select -p
/Applications/Xcode.app/Contents/Developer
Shuangquan:Desktop Wade$ sudo xcode-select -p
Password:***
/Applications/Xcode.app/Contents/Developer
Shuangquan:Desktop Wade$ sudo xcode-select -r
Password:***
Shuangquan:Desktop Wade$ sudo xcode-select -p
/Applications/Xcode.app/Contents/Developer

② 一般SDK是向下兼容的,如果保證SDK版本與越獄設備的版本一致或者高于越獄設備版本,使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。如下:SDK版本是8.3,設備是iOS 8.1

Shuangquan:Desktop Wade$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.3.sdk


2.砸殼:
- 為設備安裝ssh服務,可以ssh登陸設備
在越獄設備中用Cydia搜索OpenSSH,安裝改軟件,安裝完成后, 在OpenSSH軟件中有 OpenSSH Access How-To,可以查看登陸選項。一般使用ssh命令登陸設備:

/Users/Wade/Documents/workspace/sample/ios_sample
Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root#


- 將生成的dumpdecrypted.dylib拷貝到設備目錄,可以用scp命令或其他工具

Shuangquan:dumpdecrypted-master Wade$ ls
Makefile README dumpdecrypted.c dumpdecrypted.dylib dumpdecrypted.o
Shuangquan:dumpdecrypted-master Wade$ scp ./dumpdecrypted.dylib root@192.168.199.203:/User
root@192.168.199.203's password:
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
Shuangquan:dumpdecrypted-master Wade$


- 查找目標文件
登陸越獄設備后,利用cycript查找目標App路徑, 在設備中運行目標App(要運行),然后利用(ps -e | grep 目標App)命令查找路徑和進程ID。
使用(cycript -p 進程ID)進入目標App 執行環境, 利用 [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]獲取目標App的Document路徑。
為什么需要目標App的Document路徑,因為只有在Document路徑,目標App才有讀寫權限。這樣目標App的App路徑和Document路徑都獲取到了。例如獲取Twitter的路徑。

Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root# ps -e | grep Twitter
666 ?? 0:06.75 /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter
671 ttys001 0:00.01 grep Twitter
iPhone:~ root# cycript -p 666
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

"file:///var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/"

cy#

- 砸殼
將dumpdecrypted.dylib拷貝到目標文件的Document目錄,例如砸殼Twitter,確定Document路徑有dumpdecrypted.dylib文件

Shuangquan:ios_sample Wade$ ssh root@192.168.199.203
root@192.168.199.203's password:
iPhone:~ root# ls
Library Media
iPhone:~ root# cd /var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents/
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# ls
com.atebits.tweetie.application-important-state
com.atebits.tweetie.application-state
com.atebits.tweetie.authorizationmanager
com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerData.data
com.atebits.tweetie.authorizationmanagerTFNAuthorizationManagerRequestCounts.data
com.atebits.tweetie.configuration
com.atebits.tweetie.sentinel
com.twitter.TFSFeatureSwitches.config
dumpdecrypted.dylib
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#

然后執行 (DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib 目標App)

iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x24a90(from 0x24000) = a90
[+] Found encrypted data at address 00004000 of length 17432576 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/905D5843-B934-4130-9954-77CEEF255A0A/Twitter.app/Twitter for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening Twitter.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file
iPhone:/var/mobile/Containers/Data/Application/313C96FB-151A-45F2-A642-E139963751C5/Documents root#

最后編輯于
?著作權歸作者所有,轉載或內容合作請聯系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發布,文章內容僅代表作者本人觀點,簡書系信息發布平臺,僅提供信息存儲服務。

推薦閱讀更多精彩內容