[Original] adcpp-ios-dump: an open-source one-click iOS dump (decryption) plugin
2021-9-16 18:04

# adcpp-ios-dump

Source repository: https://gitee.com/geekneo/adcpp-ios-dump



#### Introduction

Dumps encrypted iOS Mach-O binaries, in one click, into the corresponding A64Dbg cache directory.



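#### Software architecture

adcpp-ios-dump.py: the A64Dbg plugin's main program, which handles user interaction;

adcpp-ios-dump.adc: the A64Dbg plugin's companion program, which dumps the encrypted Mach-O; it is the payload that the main program sends into the target iOS process;

adcpp-ios-dump.mm: source code of the plugin's companion program, used in developer mode on macOS to modify the implementation logic in adcpp-ios-dump.mm;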



#### Installation

Copy adcpp-ios-dump.py and adcpp-ios-dump.adc into the A64Dbg plugin directory, then restart A64Dbg.

On macOS/Linux the directory is:

```
~/A64Dbg/plugin
```

On Windows the directory is:

```
SysDrive:\Users\~\A64Dbg\plugin
```



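#### Usage

1. Set the A64Dbg debug mode to Remote UraniumVM iOS;

2. Attach to the target process to be dumped;

3. Run Plugins/adcpp-ios-dump from the main menu; the corresponding decrypted Mach-O files then appear in the A64Dbg cache directory;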


```

adcpp_ios_dump : Start dumping process 4093.

adcpp_ios_dump : Dumping /var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/iOSApp.

adcpp_ios_dump : Readed file iOSApp, size 62505088.

adcpp_ios_dump : Min version a0000, encrypt info 0x4000,50118656.

adcpp_ios_dump : Sending iOSApp, 10.0.0, 62505088.

Received iOSApp, 10.0.0, 62505088.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/iOSApp.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios10.0.0/iOSApp.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/webview_flutter.framework/webview_flutter.

adcpp_ios_dump : Readed file webview_flutter, size 123376.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,32768.

adcpp_ios_dump : Sending webview_flutter, 9.0.0, 123376.

Received webview_flutter, 9.0.0, 123376.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/webview_flutter.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/webview_flutter.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/yoga.framework/yoga.

adcpp_ios_dump : Readed file yoga, size 197248.

adcpp_ios_dump : Min version 80000, encrypt info 0x4000,65536.

adcpp_ios_dump : Sending yoga, 8.0.0, 197248.

Received yoga, 8.0.0, 197248.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/yoga.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios8.0.0/yoga.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/QMUIKit.framework/QMUIKit.

adcpp_ios_dump : Readed file QMUIKit, size 1812032.

adcpp_ios_dump : Min version 80000, encrypt info 0x4000,983040.

adcpp_ios_dump : Sending QMUIKit, 8.0.0, 1812032.

Received QMUIKit, 8.0.0, 1812032.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/QMUIKit.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios8.0.0/QMUIKit.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/Flutter.framework/Flutter.

adcpp_ios_dump : Readed file Flutter, size 8136384.

adcpp_ios_dump : Min version 80000, encrypt info 0x4000,7356416.

adcpp_ios_dump : Sending Flutter, 8.0.0, 8136384.

Received Flutter, 8.0.0, 8136384.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/Flutter.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios8.0.0/Flutter.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/device_info.framework/device_info.

adcpp_ios_dump : Readed file device_info, size 73680.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,16384.

adcpp_ios_dump : Sending device_info, 9.0.0, 73680.

Received device_info, 9.0.0, 73680.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/device_info.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/device_info.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/FMDB.framework/FMDB.

adcpp_ios_dump : Readed file FMDB, size 159072.

adcpp_ios_dump : Min version 80000, encrypt info 0x4000,65536.

adcpp_ios_dump : Sending FMDB, 8.0.0, 159072.

Received FMDB, 8.0.0, 159072.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/FMDB.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios8.0.0/FMDB.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/path_provider.framework/path_provider.

adcpp_ios_dump : Readed file path_provider, size 74176.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,16384.

adcpp_ios_dump : Sending path_provider, 9.0.0, 74176.

Received path_provider, 9.0.0, 74176.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/path_provider.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/path_provider.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/native_pdf_renderer.framework/native_pdf_renderer.

adcpp_ios_dump : Readed file native_pdf_renderer, size 174688.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,65536.

adcpp_ios_dump : Sending native_pdf_renderer, 9.0.0, 174688.

Received native_pdf_renderer, 9.0.0, 174688.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/native_pdf_renderer.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/native_pdf_renderer.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/App.framework/App.

adcpp_ios_dump : Readed file App, size 8212336.

adcpp_ios_dump : Min version 80000, encrypt info 0x4000,6799360.

adcpp_ios_dump : Sending App, 8.0.0, 8212336.

Received App, 8.0.0, 8212336.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/App.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios8.0.0/App.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/shared_preferences.framework/shared_preferences.

adcpp_ios_dump : Readed file shared_preferences, size 74144.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,16384.

adcpp_ios_dump : Sending shared_preferences, 9.0.0, 74144.

Received shared_preferences, 9.0.0, 74144.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/shared_preferences.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/shared_preferences.

adcpp_ios_dump : Dumping /private/var/containers/Bundle/Application/6155B008-47B9-4660-857D-D0CC77A52838/iOSApp.app/Frameworks/sqflite.framework/sqflite.

adcpp_ios_dump : Readed file sqflite, size 104640.

adcpp_ios_dump : Min version 90000, encrypt info 0x4000,32768.

adcpp_ios_dump : Sending sqflite, 9.0.0, 104640.

Received sqflite, 9.0.0, 104640.

Saved to ~/A64Dbg/decache/iOS/arm64-apple-ios/sqflite.

Linked to ~/A64Dbg/decache/iOS/arm64-apple-ios9.0.0/sqflite.

adcpp_ios_dump : Finished dumping.

```



#### Version history

2021/9/16:

* Released V0.1.0;

* Implemented one-click dumping of iOS programs into the corresponding A64Dbg cache directory;
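
The `Min version` and `encrypt info` values in the log under Usage can be read statically from a Mach-O header. The following is an added example, not part of adcpp-ios-dump: it assumes `Min version` is the packed value from `LC_VERSION_MIN_IPHONEOS` (or `LC_BUILD_VERSION`) and `encrypt info` is `cryptoff,cryptsize` from `LC_ENCRYPTION_INFO_64`; the function names and the sample header are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # thin 64-bit little-endian Mach-O
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
LC_VERSION_MIN_IPHONEOS = 0x25
LC_BUILD_VERSION = 0x32

def decode_version(v):
    """Mach-O packs X.Y.Z as (X << 16) | (Y << 8) | Z, so 0xa0000 is 10.0.0."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"

def macho_encryption_info(data):
    """Return min OS version and encryption fields from a thin 64-bit Mach-O."""
    if len(data) < 32:
        raise ValueError("truncated mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    if 32 + sizeofcmds > len(data):
        raise ValueError("load commands run past end of data")
    info = {"min_version": None, "cryptoff": None, "cryptsize": None, "cryptid": None}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header out of bounds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cmdsize >= 20:
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<3I", data, off + 8)
        elif cmd == LC_VERSION_MIN_IPHONEOS and cmdsize >= 16:
            info["min_version"] = decode_version(struct.unpack_from("<I", data, off + 8)[0])
        elif cmd == LC_BUILD_VERSION and cmdsize >= 24:
            info["min_version"] = decode_version(struct.unpack_from("<I", data, off + 12)[0])
        off += cmdsize
    return info

def build_sample():
    """Constructed header mirroring the iOSApp log lines (a0000; 0x4000,50118656)."""
    vmin = struct.pack("<4I", LC_VERSION_MIN_IPHONEOS, 16, 0xA0000, 0xE0000)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 50118656, 1, 0)
    cmds = vmin + enc
    # cputype 0x0100000C = arm64, filetype 2 = MH_EXECUTE (constructed values)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    print(macho_encryption_info(build_sample()))
```

A `cryptid` of 0 in the parsed result means the header marks the file as not encrypted; fat (universal) binaries need their arm64 slice extracted before this parser applies.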



