Basic usage of the iOS app decryption tool dumpdecrypted

1. What is "shelling" (脱壳, also called 砸壳, i.e. decrypting the app)? Let me start from the beginning.
1.1. An app installed on an iPhone is distributed as an .ipa archive; the most important file inside it is the executable, a Mach-O file;
1.2. This Mach-O file is the equivalent of an .exe on Windows, and its file name is usually the same as the app bundle's;
1.3. "Shelling" is a term from reverse engineering; reverse engineering here means working back from the Mach-O file towards the program's logic or source code (good enough as a working definition);
1.4. The point of the above is that whoever gets hold of your .ipa can analyse your app, and even modify its functionality;
1.5. To counter this, Apple encrypts the executable when the app goes through the App Store (FairPlay DRM): the Mach-O gets an LC_ENCRYPTION_INFO load command with cryptid set to 1, and the code pages it describes are stored encrypted. This is the "shell" (加壳);
1.6. As a result, an app downloaded through the official channel cannot be disassembled or decompiled directly: the encrypted pages are only decrypted by the kernel when the app is loaded to run. That is roughly the whole story;

2. Next: how to "decrypt" an app downloaded from the App Store. First, the preparation;
2.1. Get a few tools ready: class-dump, iFunBox, Cycript, MachOView, Hopper Disassembler;
2.2. If you are not familiar with these it will be hard going; the ones used below are iFunBox and Cycript;
2.3. dumpdecrypted is on GitHub at https://github.com/stefanesser/dumpdecrypted; downloading the zip is enough;
2.4. Unzipped you should have three files. Run make in that directory (the Makefile cross-compiles for the device with the iOS SDK from Xcode) and it produces dumpdecrypted.dylib;
2.5. This dumpdecrypted.dylib is the key piece; everything that follows depends on it;

3. Decrypting on the iPhone
3.1. SSH into the iPhone (if that is a problem for you, how did you make it this far?);
3.2. Start the app you want to decrypt, run ps -A to list the running processes, find the app and note the path of its executable, for example:

/var/mobile/Applications/C84FAD25-C206-40AF-A920-EABAE384FA67/Wallpaper.app/Wallpaper

3.3. Copy dumpdecrypted.dylib to /var/root on the iPhone (the root user's home directory) with iFunBox or scp;
3.4. From /var/root, launch the app's executable with the DYLD_INSERT_LIBRARIES environment variable pointing at the dylib. This is dyld's library-injection mechanism, not a command: the dylib is loaded into the app's process at startup, and its constructor reads the code, which the kernel has already decrypted, out of memory and writes a copy of the executable with that code in the clear. The variable name must be uppercase!! With the lowercase spelling dyld ignores it and nothing is injected, as the first attempt below shows:

iPhone4s:~ root# dyld_insert_libraries=dumpdecrypted.dylib /var/mobile/Applications/C84FAD25-C206-40AF-A920-EABAE384FA67/Wallpaper.app/Wallpaper
Abort trap: 6
iPhone4s:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/C84FAD25-C206-40AF-A920-EABAE384FA67/Wallpaper.app/Wallpaper
mach-o decryption dumper
 
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
 
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x6ca4c(from 0x6c000) = a4c
[+] Found encrypted data at address 00004000 of length 4358144 bytes - type 1.
[+] Opening /private/var/mobile/Applications/C84FAD25-C206-40AF-A920-EABAE384FA67/Wallpaper.app/Wallpaper for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening Wallpaper.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c
[+] Closing original file
[+] Closing dump file

3.5. If there are no errors it worked: a Wallpaper.decrypted file appears in the current directory. That is the decrypted executable, and the on-device part is done;
3.6. Copy the file off the device and run class-dump --arch armv7 -H Wallpaper.decrypted -o Headers;
3.7. Note the --arch armv7: it is armv7 because this phone (an iPhone 4s) is an armv7 device; use whatever architecture the device you dumped on actually runs;
3.8. When you open the file in MachOView, Hopper or with otool, keep in mind that only the slice for the architecture the app was running as (armv7 here) has been decrypted: dumpdecrypted copies the whole fat file and only replaces the slice that was loaded in memory, so any other slice still has cryptid 1 and encrypted code;
3.9. From here on nothing depends on the "shell" any more.
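Because dumpdecrypted only rewrites the slice that was actually loaded (3.8), it is worth checking a dump before handing it to class-dump. The quickest check on a Mac is otool -l Wallpaper.decrypted | grep -A4 LC_ENCRYPTION_INFO, which prints one cryptid per slice. The script below, an added example that is not part of the original post or of dumpdecrypted itself, does the same thing offline: it walks the fat header and the load commands of every slice and reports each slice's cryptid together with the file offset of that field (the number the tool prints in its "Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ..." line). It assumes little-endian images, which covers every iOS ARM binary; the fat and thin sample images at the bottom are constructed inside the script so it runs without a real app.

```python
"""Report the FairPlay encryption state of every architecture slice in a Mach-O file.

Added example (not from the original post or from dumpdecrypted): parses the
LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command of each slice.
Assumes little-endian images, which covers every iOS ARM binary.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE            # fat header, always stored big-endian
MH_MAGIC = 0xFEEDFACE             # 32-bit little-endian Mach-O
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit little-endian Mach-O
LC_ENCRYPTION_INFO = 0x21         # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C      # same fields plus a 4-byte pad
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_MASK = 0x00FFFFFF     # strips the capability bits from cpusubtype
ARCH_NAMES = {(CPU_TYPE_ARM, 9): "armv7", (CPU_TYPE_ARM, 11): "armv7s",
              (CPU_TYPE_ARM64, 0): "arm64"}


def arch_name(cputype, cpusubtype):
    sub = cpusubtype & CPU_SUBTYPE_MASK
    return ARCH_NAMES.get((cputype, sub), "cpu%d/%d" % (cputype, sub))


def parse_slice(data, base):
    """Parse one thin Mach-O image that starts at file offset `base`."""
    magic, cputype, cpusubtype, _ft, ncmds, _szcmds, _flags = struct.unpack_from("<7I", data, base)
    if magic == MH_MAGIC:
        pos = base + 28                      # sizeof(mach_header)
    elif magic == MH_MAGIC_64:
        pos = base + 32                      # mach_header_64 has one extra reserved word
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    info = {"arch": arch_name(cputype, cpusubtype), "offset": base,
            "cryptid": None, "cryptoff": None, "cryptsize": None, "cryptid_offset": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, pos + 8)
            # cryptid is the 5th uint32 of the command, i.e. 16 bytes past its start
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_offset=pos + 16)
        pos += cmdsize
    return info


def inspect(data):
    """Return one dict per architecture slice (a thin file yields one entry)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_slice(data, 0)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):                    # fat_arch entries follow the 8-byte header
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices.append(parse_slice(data, offset))
    return slices


def describe(info):
    if info["cryptid"] is None:
        return "%s: no LC_ENCRYPTION_INFO (never encrypted)" % info["arch"]
    state = "STILL ENCRYPTED" if info["cryptid"] else "decrypted"
    return "%s: cryptid=%d (%s), %#x bytes at cryptoff %#x, cryptid field at file offset %#x" % (
        info["arch"], info["cryptid"], state, info["cryptsize"], info["cryptoff"],
        info["cryptid_offset"])


# --- constructed sample images so the script runs without a real app binary ---
def build_thin(cputype, cpusubtype, cryptid, is64=False):
    """Minimal Mach-O header whose only load command is LC_ENCRYPTION_INFO(_64)."""
    if is64:
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        hdr = struct.pack("<7I", MH_MAGIC, cputype, cpusubtype, 2, 1, len(lc), 0)
    return hdr + lc


def build_fat(thin_images, align=0x4000):
    """Wrap thin images in a big-endian fat header, each slice page-aligned."""
    body = bytearray(align)                  # the first page holds the fat header
    archs = []
    for img in thin_images:
        _magic, cputype, cpusubtype = struct.unpack_from("<3I", img, 0)
        archs.append(struct.pack(">5I", cputype, cpusubtype, len(body), len(img), 14))
        body += img + bytes(align - len(img) % align)
    header = struct.pack(">2I", FAT_MAGIC, len(thin_images)) + b"".join(archs)
    body[:len(header)] = header
    return bytes(body)


# Mimics a dump taken on an armv7 device: the armv7 slice was rewritten with
# cryptid 0, the arm64 slice was never loaded and is therefore still encrypted.
SAMPLE_FAT = build_fat([build_thin(CPU_TYPE_ARM, 9, 0),
                        build_thin(CPU_TYPE_ARM64, 0, 1, is64=True)])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_FAT                    # fall back to the constructed sample
    slices = inspect(data)
    for info in slices:
        print(describe(info))
    return 1 if any(s["cryptid"] for s in slices) else 0   # non-zero: something is still encrypted


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 check_cryptid.py Wallpaper.decrypted (the file name is hypothetical). For the Wallpaper dump above the armv7 line should show cryptid=0 with the cryptid field at file offset 0x4a4c, matching the tool's log (0x4000 slice offset plus 0xa4c inside the image), while any other slice in the fat file still reports cryptid=1. The exit status is non-zero whenever a slice is still encrypted, so the check can gate a script that runs class-dump.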

One thought on "Basic usage of the iOS app decryption tool dumpdecrypted"

  1. Sian Post author

    On iOS 9.3.5 it fails with the error killed: 9

    Sian-iPhone4s:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/2DFA7C08-F7AB-4CF6-8004-7931DFDC0111/ting.app/ting
    Killed: 9

    Solution:
    Copy dumpdecrypted.dylib to the /var/mobile directory, switch to the mobile user (su mobile) and run the command above

    Sian-iPhone4s:~ mobile$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/2DFA7C08-F7AB-4CF6-8004-7931DFDC0111/ting.app/ting
    mach-o decryption dumper
     
    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
     
    [+] detected 32bit ARM binary in memory.
    [+] offset to cryptid found: @0x39a4c(from 0x39000) = a4c
    [+] Found encrypted data at address 00004000 of length 51314688 bytes - type 1.
    [+] Opening /private/var/containers/Bundle/Application/2DFA7C08-F7AB-4CF6-8004-7931DFDC0111/ting.app/ting for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a plain MACH-O image
    [+] Opening ting.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset a4c
    [+] Closing original file
    [+] Closing dump file
