The right way to decrypt apps with dumpdecrypted on newer iOS versions (e.g. iOS 12)
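A few years ago I used dumpdecrypted to decrypt apps on iOS 10. Recently I needed to do it again, this time on iOS 12. I followed exactly the steps that had worked on iOS 10 and ran into all sorts of errors. Searching Baidu and Google for "dumpdecrypted iOS12" led to a single conclusion: dumpdecrypted no longer works on iOS 12 and later, followed by recommendations for other tools such as CrackerXI.
I tried CrackerXI and it is indeed simple to use, but I could not find an answer to why dumpdecrypted supposedly no longer works. dumpdecrypted works by injecting a dynamic library (dylib) into the target process to dump the decrypted data, so would this also mean that on newer iOS versions a dylib can no longer be injected to do anything else? In the spirit of exploration, after many experiments I finally succeeded in using dumpdecrypted to decrypt an app on iOS 12.1. Since I have not seen any article online about using dumpdecrypted against apps on newer iOS versions, I took the time to write this up for anyone who needs it.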
(1) Download the source from https://github.com/stefanesser/dumpdecrypted
(2) Edit the Makefile. Change
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
to
GCC_UNIVERSAL=$(GCC_BASE) -arch arm64
and change
CFLAGS =
to
CFLAGS = -target arm64-apple-ios12.1
(3) Run make to build dumpdecrypted.dylib.
The output is as follows:
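(4) Sign dumpdecrypted.dylib with codesign and a personal development certificate:
security find-identity -v -p codesigning
lists the available certificates; then sign with one of them:
codesign --force --verify --verbose --sign "name of the available certificate" dumpdecrypted.dylib
The output on my machine is as follows: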
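(5) Upload the signed dumpdecrypted.dylib to the /usr/lib/ directory on the iPhone: scp -r dumpdecrypted.dylib root@10.0.52.63:/usr/lib/
(6) Launch the app to be decrypted on the iPhone, connect to the phone with ssh root@10.0.52.63, and use ps -e | [grep -i xxx]
to find the process ID and process name.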
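(7) Inject into the process with cycript to find the app's Documents directory:
cycript -p <pid> injects into the process with that process ID (when the device is in standby or a similar state the injection sometimes hangs; interacting with the app on the iPhone gets it going).
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
The output on my machine is as follows:
PS: If you are not sure you have the right process, run this in cycript: [[[NSBundle mainBundle] infoDictionary] objectForKey:@"CFBundleDisplayName"];
It shows the app's display name as a hex-escaped string; paste that string into Python, e.g. print("\xaa\xbb"), to print the Chinese text.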
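(8) cd into the app's Documents directory, run su mobile
to switch to the mobile account, then start decrypting with the following command:
DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib <process name>
The output on my machine is as follows:
Run ls; the presence of the file YYReader.decrypted means the decryption succeeded.
(9) Pull the decrypted file off the device for analysis: scp root@10.0.52.63:/remotefile localfile
The output on my machine is as follows: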
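This error comes with no other message. Several situations produce the Killed: 9 error, including:
(1) running the dylib injection directly as root, without first switching to the mobile user with su mobile;
(2) the dylib is unsigned, or was signed the old way with ldid -S xx.dy
(3) not running from the Documents directory. On iOS 10 you could inject from the app's .app directory; on iOS 12 this no longer works.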
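This error is accompanied by additional messages in the console. According to those messages, it falls into the following categories:
Symbol not found. The cause is that the default SDK used to build the dylib (my Xcode 12.2 defaults to iOS 14.2) does not match the iPhone's OS version (my iOS 12.1). The Xcode version that corresponds to iOS 12.1 is Xcode 10.1 (for the SDK version shipped with each Xcode release see https://en.wikipedia.org/wiki/Xcode; you can also run xcodebuild -showsdks
to list the SDK versions in the current environment). The advice online is uniformly to install several Xcode versions and select the right one with xcode-select. Downloading Xcode took me long enough the first time, and downloading another 10+ GB Xcode just to build one dylib was a daunting thought. It occurred to me that Xcode lets you specify the target OS version when building an app, as shown in the figure below:
By changing that iOS version setting and looking at the generated command-line arguments (PS: Xcode stopped supporting building a dylib directly long ago), I found the -target arm64-apple-ios12.1
option, and testing confirmed that adding the compile option -target arm64-apple-ios12.1
solves the problem.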
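The full error message is as follows:
Incorrect signing, such as the old ldid -S xx.dylib method.
The full error message is as follows:
[Note: in iOS 12 the kernel added CMS (Cryptographic Message Syntax) validation, while the CMS is empty in the self-signing tools commonly used in the industry, ldid and jtool, so the above solution stopped working][1].
The dylib was not placed in the /usr/lib/ directory.
Newer iOS versions do not support injecting a dylib placed in the .app or Documents directory.
The full error message is as follows:
The dylib's version does not match the iPhone's OS. I downloaded a dylib built for an older version from the internet, signed it, and got this error when running it on the device.
The full error message is as follows: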
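This article walked through decrypting an app with dumpdecrypted on a newer iOS version and collected the errors you may hit along the way. In particular, adding the compile option -target arm64-apple-ios12.1
solves the incompatibility between a dylib built with a newer Xcode and the target iOS version. Injecting a dylib can be used for far more than decrypting apps, so this article is equally useful as a reference for anyone who wants to inject a dylib into a target process for other purposes.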
[1] "iOS 12 fully jailbroken! A discussion of iOS 12 mitigation mechanisms", https://www.freebuf.com/articles/terminal/184877.html
Terminal output for step (3):
jay@MacBook-Pro dumpdecrypted % make
`xcrun --sdk iphoneos --find gcc` -Os -target arm64-apple-ios12.1 -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -target arm64-apple-ios12.1 -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.2.sdk/System/Library/PrivateFrameworks'
Terminal output for step (4):
jay@MacBook-Pro dumpdecrypted % security find-identity -v -p codesigning
  1) 3A1B91863D16D2B252A346CDB242AF451A73DEA1 "Apple Development: xx@qq.com (UN84ST6FLY)"
     1 valid identities found
jay@MacBook-Pro dumpdecrypted % codesign --force --verify --verbose --sign "Apple Development: xx@qq.com (UN84ST6FLY)" dumpdecrypted.dylib
dumpdecrypted.dylib: signed Mach-O thin (arm64) [dumpdecrypted]
jay@MacBook-Pro dumpdecrypted %
Terminal output for steps (6) and (7):
shangshuhede-iPhone:~ root
12255 ?? 0:04.09 /var/containers/Bundle/Application/35992D04-EB51-4A84-8F95-D9495004933E/YYReader.app/YYReader
12484 ttys002 0:00.01 grep -i reader
shangshuhede-iPhone:~ root
cy
shangshuhede-iPhone:~ root
Terminal output for step (8):
shangshuhede-iPhone:/var/mobile/Containers/Data/Application/78D09E74-BB1F-4871-BBC1-6E715C18718A/Documents root
FP_IP.txt FP_SEQ.txt NAError YYReader.decrypted come2 first2 last2 tracker.db userDefaults.plist
shangshuhede-iPhone:/var/mobile/Containers/Data/Application/78D09E74-BB1F-4871-BBC1-6E715C18718A/Documents root
shangshuhede-iPhone:~/Containers/Data/Application/78D09E74-BB1F-4871-BBC1-6E715C18718A/Documents mobile$ DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/35992D04-EB51-4A84-8F95-D9495004933E/YYReader.app/YYReader
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x102950fc8(from 0x102950000) = fc8
[+] Found encrypted data at address 00004000 of length 26984448 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/35992D04-EB51-4A84-8F95-D9495004933E/YYReader.app/YYReader for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening YYReader.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset fc8
[+] Closing original file
[+] Closing dump file
shangshuhede-iPhone:~/Containers/Data/Application/78D09E74-BB1F-4871-BBC1-6E715C18718A/Documents mobile$
shangshuhede-iPhone:~ root
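The dumpdecrypted log in step (8) reports the offset of the cryptid field, the encrypted range, and finally that LC_ENCRYPTION_INFO->cryptid was set to 0. The following added example (not part of the original post or of dumpdecrypted) reads those same fields from a thin Mach-O file, so the file pulled in step (9) can be checked before analysis; the function names and the sample image are constructed for illustration.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(data):
    """Return (cryptid_file_offset, cryptoff, cryptsize, cryptid) for a thin
    little-endian Mach-O image, or None if no LC_ENCRYPTION_INFO[_64] exists."""
    if len(data) < 32:
        raise ValueError("too short for a Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = 32 if magic == MH_MAGIC_64 else 28   # load commands follow the header
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past the end of the data")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption command too small")
            # Field layout: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return off + 16, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None

def sample_image(cryptid):
    """Constructed input: arm64 header, an LC_UUID filler, LC_ENCRYPTION_INFO_64."""
    filler = struct.pack("<II", 0x1B, 24) + bytes(16)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 26984448, cryptid, 0)
    cmds = filler + enc
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    # With a path argument, check that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image(0)
    info = encryption_info(blob)
    if info is None:
        print("no LC_ENCRYPTION_INFO load command")
    else:
        print("cryptid=%d at file offset 0x%x, cryptoff=0x%x, cryptsize=%d"
              % (info[3], info[0], info[1], info[2]))
```

A cryptid of 0 together with an unchanged cryptoff and cryptsize matches what the log describes: the range is still declared, but the file no longer claims to be encrypted.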
Last edited by cjycjw on 2020-12-1 18:08