iOS Reverse Engineering: Dumping (Decrypting) an App with dumpdecrypted
Dumping Google Sheets
iDevice: iPod (armv7)
System: iOS 8.1
- Find TargetApp's Documents directory (on the device)
- Copy `dumpdecrypted.dylib` into TargetApp's Documents directory (on the Mac)
- Dump with `dumpdecrypted.dylib` (on the device)
- Copy the dumped `TargetApp.decrypted` back to the local Mac (on the Mac)
Find TargetApp's Documents directory (on the device)
Find the app you want to dump
PS: MobileTerminal and Cycript must be installed from Cydia.
- Close every other app on the device and open only the TargetApp you want to dump (Sheets, in my case).
- Use `ps` to list the running processes and `grep` to find the TargetApp. Either `grep AppName` or `grep Containers` works; the latter does not require typing the TargetApp's name (some names are awkward to type), and it is the one I use.
- Inject into TargetApp with `cycript`. The target can be given as `cycript -p AppPID` or `cycript -p AppName`. A name may not be unique and the name form can fail, so I prefer the PID form.
- A `cy#` prompt means you are inside the cycript environment.
MyiPod:~ root# ps -e | grep Containers
2527 ?? 0:08.64 /var/mobile/Containers/Bundle/Application/5C6D0D63-82B0-442B-BCB3-97B800369FCD/Sheets.app/Sheets
2530 ttys000 0:00.01 grep Containers
MyiPod:~ root# cycript -p 2527
cy#
Find the app's Documents directory
Use the Objective-C call `[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]` to print TargetApp's Documents directory directly. (The selector is `URLsForDirectory:inDomains:`; the original text misspelled it as `inDomans`.)
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents/"
cy#
PS: Ctrl+D exits cycript.
Copy dumpdecrypted.dylib into TargetApp's Documents directory (on the Mac)
Copy `dumpdecrypted.dylib` from the Mac into the iPod's Documents directory. That directory is readable and writable by the app; we need the write access because the dumped data is first written into Documents.
likids-MBP:~ Likid$ scp /Develop/iOSRE/dumpdecrypted.dylib root@172.20.10.9:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents/
root@172.20.10.9's password:
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
Dump with dumpdecrypted.dylib (on the device)
Perform the dump on the iPod to obtain `Sheets.decrypted`.
- `cd` into TargetApp's Documents directory
- Check that `dumpdecrypted.dylib` has been copied into Documents
- Inject `dumpdecrypted.dylib` into TargetApp; the dump runs automatically and writes the decrypted app as `TargetApp.decrypted`, e.g. `Sheets.decrypted`
MyiPod:~ root# cd /var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents/
MyiPod:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents root# ls
112161084947550660392/ drivekit/ dumpdecrypted.dylib*
MyiPod:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/5C6D0D63-82B0-442B-BCB3-97B800369FCD/Sheets.app/Sheets
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x7fa08(from 0x7f000) = a08
[+] Found encrypted data at address 00004000 of length 49872896 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/5C6D0D63-82B0-442B-BCB3-97B800369FCD/Sheets.app/Sheets for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening Sheets.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08
[+] Closing original file
[+] Closing dump file
MyiPod:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents root# ls
112161084947550660392/ Sheets.decrypted drivekit/ dumpdecrypted.dylib*
MyiPod:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents root#
MyiPod:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents root# exit
Copy the dumped TargetApp.decrypted back to the local Mac (on the Mac)
Copy `Sheets.decrypted` back to the local Mac and check whether the dump succeeded: a `cryptid` of 0 means the dump succeeded and that architecture is no longer encrypted.
likids-MBP:~ Likid$ scp root@172.20.10.9:/var/mobile/Containers/Data/Application/397CCFE0-69E0-43B1-8894-8F0BB0152656/Documents/Sheets.decrypted /Develop/iOSRE/Sheets/
root@172.20.10.9's password:
Sheets.decrypted 100% 141MB 1.8MB/s 01:19
likids-MBP:~ Likid$ cd /Develop/iOSRE/Sheets/
likids-MBP:Sheets Likid$ ls
Sheets.decrypted
likids-MBP:Sheets Likid$ file Sheets.decrypted
Sheets.decrypted: Mach-O universal binary with 2 architectures: [arm_v7: Mach-O executable arm_v7] [arm64]
Sheets.decrypted (for architecture armv7): Mach-O executable arm_v7
Sheets.decrypted (for architecture arm64): Mach-O 64-bit executable arm64
likids-MBP:Sheets Likid$ otool -l Sheets.decrypted | grep crypt
Sheets.decrypted (architecture armv7):
cryptoff 16384
cryptsize 49872896
cryptid 0
Sheets.decrypted (architecture arm64):
cryptoff 16384
cryptsize 53395456
cryptid 1
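The `otool -l | grep crypt` check above works, but it is easy to misread when a universal binary has several slices: in the output above only the armv7 slice (the one that actually executed on the iPod) reports `cryptid 0`, while the arm64 slice still reports `cryptid 1`. The following parser, added here as an example and not part of the original post or of the dumpdecrypted project, walks the FAT header and the load commands of each slice and reports the `cryptid` per architecture, so the success check can be automated. The constants come from `<mach-o/loader.h>` and `<mach-o/fat.h>`; the function names and the in-memory sample binary (a header-only FAT file that mirrors the page's result: armv7 decrypted, arm64 untouched) are constructed for this example.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE             # fat (universal) header, stored big-endian
MH_MAGIC = 0xFEEDFACE              # 32-bit Mach-O header (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF           # 64-bit Mach-O header
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21          # cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C       # cryptoff, cryptsize, cryptid, pad
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | 0x01000000
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def parse_slice(data, offset):
    """Walk the load commands of one Mach-O slice that starts at `offset`.

    Returns (cputype, cryptid). cryptid is None when the slice carries no
    LC_ENCRYPTION_INFO command at all (a binary that was never encrypted).
    """
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 has an extra 'reserved' field
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % offset)
    cputype, _cpusubtype, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<iIIII", data, offset + 4)
    pos = offset + header_size
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both layouts begin with cryptoff, cryptsize, cryptid; the _64 form only adds padding.
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
        pos += cmdsize
    return cputype, cryptid


def encryption_status(data):
    """Return {arch_name: cryptid} for every slice of a FAT or thin Mach-O file."""
    slice_offsets = []
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _cpu, _sub, off, _size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
            slice_offsets.append(off)
    else:
        slice_offsets.append(0)       # thin file: the Mach-O header is at the start
    status = {}
    for off in slice_offsets:
        cputype, cryptid = parse_slice(data, off)
        status[ARCH_NAMES.get(cputype, hex(cputype))] = cryptid
    return status


def dump_complete(data, arch):
    """True only when the slice for `arch` exists and its cryptid is 0."""
    return encryption_status(data).get(arch) == 0


# --- constructed sample input (not a real app binary) -------------------------

def build_slice(is64, cputype, cryptid):
    """Build a header-only Mach-O slice with two load commands: LC_UUID, then the encryption info."""
    uuid_cmd = struct.pack("<II16s", LC_UUID, 24, b"\x00" * 16)
    if is64:
        enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 4096, cryptid, 0)
        header = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(uuid_cmd) + len(enc_cmd), 0, 0)
    else:
        enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 16384, 4096, cryptid)
        header = struct.pack("<IiIIIII", MH_MAGIC, cputype, 0, 2, 2, len(uuid_cmd) + len(enc_cmd), 0)
    return header + uuid_cmd + enc_cmd


def build_fat(slices):
    """Pack (cputype, slice_bytes) pairs into a FAT container (no page alignment; the parser does not need it)."""
    header_len = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">iIIII", cputype, 0, header_len + len(body), len(blob), 0)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


# Mirrors the page's result: the armv7 slice was decrypted on the device, the arm64 slice was not.
SAMPLE_DUMP = build_fat([
    (CPU_TYPE_ARM, build_slice(False, CPU_TYPE_ARM, 0)),
    (CPU_TYPE_ARM64, build_slice(True, CPU_TYPE_ARM64, 1)),
])

if __name__ == "__main__":
    for arch, cryptid in encryption_status(SAMPLE_DUMP).items():
        print("%-6s cryptid %s" % (arch, cryptid))
```

On a real dump, `encryption_status(open("Sheets.decrypted", "rb").read())` should agree with the `otool` output above; `dump_complete(data, "armv7")` is the check to run in a script, and asking it about `arm64` on a dump taken from an armv7 device returns False because dumpdecrypted only rewrites the slice that was loaded and executed on that device.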
Ref: 《iOS应用逆向工程(第2版)》 (iOS App Reverse Engineering, 2nd edition)