iOS逆向 砸壳

前言

其中用到的砸壳工具就是dumpdecrypted，其原理是让app预先加载一个解密的dumpdecrypted.dylib，然后在程序运行后，将代码动态解密，最后在内存中dump出来整个程序。

iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/dumpdecrypted.dylib  /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat

先用dumpdecrypted工具先对加过密的ipa包进行砸壳，然后再用class-dump工具去导出它的头文件。

砸壳的步骤：

1、找到app二进制文件对应的目录；
2、找到app document对应的目录；
3、将砸壳工具dumpdecrypt.dylib拷贝到ducument目录下； //目的是为了获取写的权限
4、砸壳；

利用环境变量 DYLD_INSERT_LIBRARY 来添加动态库dumpdecrypted.dylib 

接下来要正式的dump可执行文件。

正文

用ssh进入连上的iPhone(确保iPhone和Mac在同一个局域网)。OpenSSH的root密码默认为alpine

1、查找二进制文件对应的目录

iPhone:~ root# ps -e |grep WeChat  405 ??         0:01.72 /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat36068 ttys000    0:00.00 grep WeChat

或者

iPhone:~ root#  ps -e | grep /var/mobile 7691 ??        13:22.82 /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat 7836 ttys000    0:00.01 grep /var/mobile

因为从AppStore中下载安装的应用都会位于/var/mobile/..Applications中，

2、查找app document对应的目录
使用Cycript注入目标进程中

iPhone:~ root# cycript -p WeChatcy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]@"/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents"

或者使用：

iPhone:~ root# cycript -p WeChatcy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]#"file:///var/mobile/Containers/Data/Application/3A5D7F67-04E8-49CF-93CF-5019B11146D6/Documents/"

3、dumpdecrypted

dumpdecrypted.dylib 的获取

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ lsMakefile    README      dumpdecrypted.cdevzkndeMacBook-Pro:dumpdecrypted-master devzkn$ make`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.odevzkndeMacBook-Pro:dumpdecrypted-master devzkn$ ls -a.           README          dumpdecrypted.o..          dumpdecrypted.cMakefile        dumpdecrypted.dylib

使用SCP 拷贝文件到iOS设备对应的目录

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp ./dumpdecrypted.dylib root@192.168.2.212://var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documentsroot@192.168.2.212's password: dumpdecrypted.dylib                                                                                                                                    100%  193KB  64.0KB/s   00:03    devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ 

砸壳

利用环境变量 DYLD_INSERT_LIBRARY 来添加动态库dumpdecrypted.dylib

DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo

第一个path为dylib，目标path 为app二进制文件对应的目录

iPhone:~/Documents root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChatmach-o decryption dumperDISCLAIMER: This tool is only meant for security research purposes, not for application crackers.[+] detected 64bit ARM binary in memory.[+] offset to cryptid found: @0x100030ca8(from 0x100030000) = ca8[+] Found encrypted data at address 00004000 of length 56770560 bytes - type 1.[+] Opening /private/var/mobile/Containers/Bundle/Application/E2B26C47-B989-492B-995C-47EFFA94DAB3/WeChat.app/WeChat for reading.[+] Reading header[+] Detecting header type[+] Executable is a FAT image - searching for right architecture[+] Correct arch is at offset 62078976 in the file[+] Opening WeChat.decrypted for writing.[+] Copying the not encrypted start of the file[+] Dumping the decrypted data into the file[+] Copying the not encrypted remainder of the file[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3b34ca8[+] Closing original file[+] Closing dump fileiPhone:~/Documents root# ls -a.  ..  WeChat.decrypted  baiduplist  cfg  vmp

当前目录下会生成砸壳后的文件，即WeChat.decrypted

附

用scp命令把WeChat.decrypted文件拷贝到电脑上,接下来我们要正式的dump、Hopper微信的可执行文件

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp root@192.168.2.212:/var/root/Documents/WeChat.decrypted  /Users/devzkn/Downloads/dumpdecrypted-masterroot@192.168.2.212's password: WeChat.decrypted                                                                                                                                                                  10%   13MB   1.5MB/s   01:17 ETA^WeChat.decrypted                                                                                                                                             WeChat.decrypted  WeChat.dWeChat.decrypted                                                                                                                                                    52%   67MB   1.2MB/s   00:52 ETA

如果没找到文件，就继续执行一次

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/WeChat.app/WeChat