iosre

dumpdecrypted

Dumps decrypted mach-o files from encrypted applications、framework or app extensions.

Posted by kunnan on July 1, 2018

前言

本文重点推荐使用frida-ios-dump-master,而非dumpdecrypted.dylib

I 、frida-ios-dump-master

使用frida-ios-dump-master 只需先用frida-ps查看applications Name ,之后执行dump.py 即可在dump.py 目录下生成砸壳之后的ipa包。

Frida环境的搭建可以看下这篇文章

II、dumpdecrypted.dylib

签名动态库文件

  • 列出可签名证书 security find-identity -v -p codesigning
  • 为dumpecrypted.dylib签名 codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib

原理

*dumpdecrypted的原理:通过向宏 DYLD_INSERT_LIBRARIES 里写入动态库的完整路径,就可以在可执行文件加载的时候,将动态链接库插入。

把自己通过DYLD_INSERT_LIBRARIES这个环境变量注入到已经通过系统加载器解密的 mach-o文件(因此要求程序是运行状态),再把解密后的内存数据 dump出来--并没有破解 appstore的加密算法
  • dumpdecrypted/dumpdecrypted.c 
    <!-- __attribute__((constructor)) 在main() 之前执行,__attribute__((destructor)) 在main()执行结束之后执行. -->
__attribute__((constructor))
void dumptofile(int argc, const char **argv, const char **envp, const char **apple, struct ProgramVars *pvars)
<!--  -->

砸壳的步骤:

*1、找到app二进制文件对应的目录;

ps -e|grep /var/mobile/Container*

*2、找到app document对应的目录;

cycript -p 

cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

*3、将砸壳工具dumpdecrypt.dylib拷贝到ducument目录下; //目的是为了获取写的权限

devzkndeMacBook-Pro:dumpdecrypted-master devzkn$ scp ./dumpdecrypted.dylib root@192.168.2.212://var/mobile/Containers/Data/Application/91E7D6CF-A3D3-435B-849D-31BB53ED185B/Documents

*4、砸壳;利用环境变量 DYLD_INSERT_LIBRARY 来添加动态库dumpdecrypted.dylib

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/01ECB9D1-858D-4BC6-90CE-922942460859/KNWeChat.app/KNWeChat

第一个path为dylib,目标path 为app二进制文件对应的目录

  • iPhone:~ root# find / -name “.” | xargs grep “DYLD_INSERT_LIBRARIES” > ~/text.text 
    iPhone:~ root# cat  text.text
Binary file /Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib matches
Binary file /Developer/usr/lib/libBacktraceRecording.dylib matches
Binary file /Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLauncher.dylib matches
Binary file /Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLoader.dylib matches
Binary file /System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib matches
/System/Library/LaunchDaemons/com.apple.searchd.plist:		<key>no_DYLD_INSERT_LIBRARIES</key>

III、 dumpdecrypted的改进版

  • 以tweak的形式注入,避免以上繁琐的步骤

It is recommended to use frida-ios-dump instead!

IV、可以dump混编的class-dump

  • 可以dump混编的 
    devzkndeMBP:bin devzkn$ swiftOCclass-dump  --arch arm64 /Users/devzkn/decrypted/AppStoreV10.2/Payload/AppStore.app/AppStore -H -o  /Users/devzkn/decrypted/AppStoreV10.2/head

V 、Clutch

通过posix_spawnp生成一个新的进程,然后暂停进程并dump内存。

VI 架构不匹配的时候报:mach-o, but wrong architecture

image

解决方案

  • 使用KNdumpdecryptedTweak获取不同架构的二进制文件进行合并

  • 使用进行合并lipo -create

    lipo -create ./WeChat /Users/devzkn/decrypted/wx6.7.0/WeChat.decrypted -output ./WeChat

    ➜  WeChat.app  lipo -create Frameworks/TXLiteAVSDK_Smart_No_VOD.framework/TXLiteAVSDK_Smart_No_VOD /Users/devzkn/decrypted/wx6.7.0/arm64/TXLiteAVSDK_Smart_No_VOD.decrypted -output Frameworks/TXLiteAVSDK_Smart_No_VOD.framework/TXLiteAVSDK_Smart_No_VOD

    lipo -create /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/WCDB.framework/WCDB /Users/devzkn/decrypted/wx6.7.0/arm64/WCDB.decrypted -output  /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/WCDB.framework/WCDB

    lipo -create /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/QMapKit.framework/QMapKit /Users/devzkn/decrypted/wx6.7.0/arm64/QMapKit.decrypted -output /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/QMapKit.framework/QMapKit

    lipo -create /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/MMCommon.framework/MMCommon /Users/devzkn/decrypted/wx6.7.0/arm64/MMCommon.decrypted -output /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/MMCommon.framework/MMCommon

    lipo -create /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/MultiMedia.framework/MultiMedia /Users/devzkn/decrypted/wx6.7.0/arm64/MultiMedia.decrypted -output /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/MultiMedia.framework/MultiMedia

    lipo -create /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/mars.framework/mars /Users/devzkn/decrypted/wx6.7.0/arm64/mars.decrypted -output /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Frameworks/mars.framework/mars

    系统库就不用合并了:

    /Users/devzkn/decrypted/wx6.7.0/Payload/WeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex/Frameworks/libswiftCore.dylib

other

签名

  • 查询可签名证书 
    exit 0devzkndeMacBook-Pro:.git devzkn$ security find-identity -v -p codesigning
2) CB45FC98D2F6BC553EF706D835077 "iPhone Developer: kn zhang (48M9)"
17 valid identities found
  • 为dumpecrypted.dylib签名的例子 
    codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib

    See Also

/Users/devzkn/bin//knpost dumpdecrypted Dumps decrypted mach-o files from encrypted applications、framework or app extensions. -t iosre
#原来""的参数,需要自己加上""

转载请注明: > dumpdecrypted

Search
    CATALOG
      FEATURED TAGS
      iOS Debug Open_Source_Framework RunLoop Swift Xcode ReactiveCocoa Runtime Mac Efficiency Terminal Git objc CocoaPods ruby shell iosre Cycript OutlineOfChineseHistory Workplace GoogleMethodology Search CocoaTouchStaticLibrary ReadaBookEveryDay miniprogram es6 internet py Xiang_Shuai_Beida_Finance_Course frida WebScoket note MobileSubstrate security dyld MGCopy Logical_thinking Knowledge_is_power jb How_to_be_a_master_of_network_management hook DeviceInfo Video
      FRIENDS