(6) Using dumpdecrypted

Original post, 2014-08-03 21:44:46

Tags: iOS reverse engineering

I had originally planned to use AppCrackr to crack the shell (dump the decrypted binary), but every attempt failed. At first I thought the app's encryption was simply too strong; later I learned that AppCrackr had been so heavy-handed that it caused a public outcry, people complained, and its core functionality was forced offline.

Fortunately I found a post on the RE forum about cracking the shell with dumpdecrypted. What follows is my own experience doing it.

I. Forging the hammer

1. Download the dumpdecrypted source

Download URL: https://github.com/stefanesser/dumpdecrypted/archive/master.zip, then unzip it on the Mac.

2. Confirm the iOS device version

iOS 7.1.x; snakeninny's original post is a little long-winded on this point...

3. Makefile

cd into the dumpdecrypted directory and look at the contents of the Makefile:

    GCC_BIN=`xcrun --sdk iphoneos --find gcc`
    GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
    SDK=`xcrun --sdk iphoneos --show-sdk-path`

    CFLAGS =
    GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

    all: dumpdecrypted.dylib

    dumpdecrypted.dylib: dumpdecrypted.o
    	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

    %.o: %.c
    	$(GCC_UNIVERSAL) -c -o $@ $<

    clean:
    	rm -f *.o dumpdecrypted.dylib

Most of it I don't understand...

What we need to confirm next is that the values of the two variables GCC_UNIVERSAL and SDK match the environment of the iOS device.

4. Make sure the Makefile configuration matches the real device

Open Terminal on the Mac and run xcrun --sdk iphoneos --show-sdk-path to check the SDK version:

    /Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

Xcode's SDK version is 7.1.x, so the GCC_UNIVERSAL variable can be left as it is.

5. Build the dynamic library

(1) First error

Having made sure the dynamic-library settings in the Makefile match the real iOS device, run make in the current directory.

It failed, with the following error:

    `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
    /bin/sh: /Applications/Xcode: No such file or directory
    make: *** [dumpdecrypted.o] Error 127

The cause is that /Applications/Xcode cannot be found to run some of the scripts: the path xcrun returns contains a space, and because the backtick expansion in the Makefile is unquoted, /bin/sh splits it at that space and tries to execute /Applications/Xcode. Well, my Mac has three Xcodes, /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1 and /Applications/Xcode 6 Beta4, but nothing called /Applications/Xcode.

No matter; just rename Xcode 5.1.1 to Xcode:

    $ sudo mv Xcode\ 5.1.1.app/ Xcode.app/

(2) Second error

Run make again: still an error, and the same message as before.

No fear, we still have our little friend xcode-select; errors of the "Xcode not found" kind should normally be taken to it:

    $ xcode-select -p
    /Applications/Xcode 5.1.1.app/Contents/Developer

So the path xcrun uses to look up command-line tools is still Xcode 5.1.1/, which no longer exists, and of course nothing is found. Resetting it fixes this (the default is /Applications/Xcode.app/):

    $ sudo xcode-select -r
    $ xcode-select -p
    /Applications/Xcode.app/Contents/Developer

(3) Success

Run make again; this time it succeeds, with the following output:

    $ make
    `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
    `xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o

    $ ls
    Makefile          dumpdecrypted.c          dumpdecrypted.o
    README            dumpdecrypted.dylib

Two new files have appeared in the directory; the one with the dylib suffix is the dynamic library we set out to build, that is, the hammer we will crack the shell with.

II. Cracking the shell

1. Put the "hammer" on the device

Look up the iOS device's IP address, then use scp on the Mac to copy dumpdecrypted.dylib onto the device:

    $ scp dumpdecrypted.dylib root@192.168.xxx.xxx:/var/tmp
    root@192.168.xxx.xxx's password:
    dumpdecrypted.dylib                           100%   81KB  81.0KB/s   00:00

2. Smash

Pick an app that you find particularly annoying or particularly interesting; I just picked one at random, HBGC. Open iFile on the iOS device and look up the path of its executable: /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC

Then SSH into the iOS device and cd to the directory we just copied the dynamic library to, /var/tmp.

    $ ssh root@192.168.xxx.xxx
    root@192.168.xxx.xxx's password:
    root# cd /var/tmp/
    root# ls
    FlipswitchCache/                              com.apple.audio.hogmode.plist
    L65ancd.sock=                                 com.apple.tccd/
    L65d.sock=                                    com.apple.timed.plist
    MediaCache/                                   cydia.log
    RestoreFromBackupLock*                        dumpdecrypted.dylib*
    SpringBoard_reboot_flag                       launchd/
    com.apple.assistant.bundleservicecache.plist  mobile_assertion_agent.log

Crack the shell (at last):

    root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
    mach-o decryption dumper

    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

    [+] detected 32bit ARM binary in memory.
    [+] offset to cryptid found: @0xd5a90(from 0xd5000) = a90
    [+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
    [+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a FAT image - searching for right architecture
    [+] Correct arch is at offset 16384 in the file
    [+] Opening HBGC.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
    [+] Closing original file
    [+] Closing dump file

The result:

    root# ls
    FlipswitchCache/                              com.apple.audio.hogmode.plist
    HBGC.decrypted                                com.apple.tccd/
    L65ancd.sock=                                 com.apple.timed.plist
    L65d.sock=                                    cydia.log
    MediaCache/                                   dumpdecrypted.dylib*
    RestoreFromBackupLock*                        launchd/
    SpringBoard_reboot_flag                       mobile_assertion_agent.log
    com.apple.assistant.bundleservicecache.plist

HBGC.decrypted is the artifact we were after; now it's time for IDA and the rest of the axes and fruit knives to have at it.
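Before handing a dumped file to a disassembler, an analyst usually wants to confirm what the log above claims: that the LC_ENCRYPTION_INFO command now carries cryptid 0, and where that field sits inside a FAT container. The Python script below is an added example, not code from this page or from the dumpdecrypted project. It walks the big-endian fat_arch table, then the little-endian Mach-O load commands of each slice, and reports cryptid, cryptoff and cryptsize together with the file offset of the cryptid field. The image it inspects is constructed in memory (a one-slice FAT container holding an LC_UUID and an LC_ENCRYPTION_INFO command); the slice offset 0x4000, cryptoff 0x4000 and cryptsize 3047424 are borrowed from the dump log above, every other value is made up for illustration.

```python
"""Report the LC_ENCRYPTION_INFO state of a Mach-O image (thin or FAT).

Added example, not part of dumpdecrypted. The sample image is constructed;
only cryptoff, cryptsize and the slice offset mirror the page's dump log.
"""
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE          # universal ("FAT") container, always big-endian
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21       # fields: cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C    # same fields plus 4 bytes of padding
CPU_TYPE_ARM = 12


def parse_thin(data, base=0):
    """Parse the thin Mach-O at data[base:]; return a dict describing its
    LC_ENCRYPTION_INFO(_64) command, or None if the image carries none."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds, = struct.unpack_from("<I", data, base + 16)   # mach_header.ncmds
    off = base + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {
                "arch_offset": base,          # where this slice starts in the file
                "cryptoff": cryptoff,         # start of the protected region (relative to slice)
                "cryptsize": cryptsize,       # length of the protected region
                "cryptid": cryptid,           # 0 = not encrypted, non-zero = FairPlay-protected
                "cryptid_offset": off + 16,   # absolute file offset of the cryptid field
            }
        off += cmdsize
    return None


def inspect(data):
    """One entry per architecture slice; a thin image yields a single entry."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    results = []
    for i in range(nfat_arch):
        # fat_arch: cputype, cpusubtype, offset, size, align (uint32, big-endian)
        _cputype, _cpusubtype, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        results.append(parse_thin(data, offset))
    return results


def is_encrypted(data):
    """True if any slice still has a non-zero cryptid."""
    return any(info is not None and info["cryptid"] != 0 for info in inspect(data))


def build_sample(cryptid, slice_offset=0x4000):
    """Constructed FAT image: one 32-bit ARM (armv7) slice whose
    LC_ENCRYPTION_INFO carries the given cryptid."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 3047424, cryptid)
    cmds = uuid_cmd + enc_cmd
    # mach_header: magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags
    header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 2, len(cmds), 0)
    thin = header + cmds
    fat = struct.pack(">II", FAT_MAGIC, 1)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM, 9, slice_offset, len(thin), 14)
    return fat.ljust(slice_offset, b"\0") + thin


if __name__ == "__main__":
    for label, blob in (("before dump", build_sample(1)), ("after dump", build_sample(0))):
        for info in inspect(blob):
            print("%-11s cryptid=%d cryptoff=0x%x cryptsize=%d (cryptid field at 0x%x)"
                  % (label, info["cryptid"], info["cryptoff"], info["cryptsize"], info["cryptid_offset"]))
        print("%-11s encrypted: %s" % (label, is_encrypted(blob)))
```

For a real file, call inspect(open(path, "rb").read()); on the Mac, otool -l on the binary prints the same LC_ENCRYPTION_INFO fields, so the two readings can be cross-checked. The offsets differ from the page's 0x4a90 only because a real executable carries many more load commands before LC_ENCRYPTION_INFO than this two-command sample.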

III. Appendix

1. xcrun

First, a quick look at xcrun's help text:

    $ xcrun -h
    Usage: xcrun [options] <tool name> ... arguments ...

    Find and execute the named command line tool from the active developer
    directory.

    The active developer directory can be set using `xcode-select`, or via the
    DEVELOPER_DIR environment variable. See the xcrun and xcode-select manual
    pages for more information.

    Options:
      -h, --help                  show this help message and exit
      --version                   show the xcrun version
      -v, --verbose               show verbose logging output
      --sdk <sdk name>            find the tool for the given SDK name
      --toolchain <name>          find the tool for the given toolchain
      -l, --log                   show commands to be executed (with --run)
      -f, --find                  only find and print the tool path
      -r, --run                   find and execute the tool (the default behavior)
      -n, --no-cache              do not use the lookup cache
      -k, --kill-cache            invalidate all existing cache entries
      --show-sdk-path             show selected SDK install path
      --show-sdk-version          show selected SDK version
      --show-sdk-platform-path    show selected SDK platform path
      --show-sdk-platform-version show selected SDK platform version

xcrun's job is to find a command line tool in the active developer directory and execute it.

For example, in the Makefile above: GCC_BIN=`xcrun --sdk iphoneos --find gcc`

Broken down:

(1) xcrun --find gcc

    $ xcrun --find gcc
    /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin/gcc

This step obtains the path of the gcc tool; call it cmd_tool_path.

(2) xcrun --sdk iphoneos cmd_tool_path

This step uses that path name to get hold of the concrete tool program, the one that belongs to the iphoneos SDK, and executes it.

(3) GCC_BIN is a shell command that stands for exactly this find-and-execute process.

Another example: xcrun --sdk iphoneos --show-sdk-path

Its job is to find the SDK that corresponds to iphoneos and run the query against it (compare the default, which is the Mac OS X SDK):

    $ xcrun --show-sdk-path
    /Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk

    $ xcrun --sdk iphoneos --show-sdk-path
    /Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

2. xcode-select

First, a quick look at its help text:

    $ xcode-select -h
    Usage: xcode-select [options]

    Print or change the path to the active developer directory. This directory
    controls which tools are used for the Xcode command line tools (for example,
    xcodebuild) as well as the BSD development commands (such as cc and make).

    Options:
      -h, --help                  print this help message and exit
      -p, --print-path            print the path of the active developer directory
      -s <path>, --switch <path>  set the path for the active developer directory
      -v, --version               print the xcode-select version
      -r, --reset                 reset to the default command line tools path

Its job is to print or change the active developer directory, which is the directory xcrun searches for the tools it is asked for. Its value is usually:

    /Applications/Xcode 5.1.1.app/Contents/Developer

For example, in /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin you can see, among other tools, the gcc we needed above:

    $ ls
    BuildStrings        gcc                 ndisasm
    CpMac               gcov-4.2            opendiff
    DeRez               git                 projectInfo
    GetFileInfo         git-cvsserver       resolveLinks
    ImageUnitAnalyzer   git-receive-pack    scntool
    MergePef            git-shell           sdef
    MvMac               git-upload-archive  sdp
    ResMerger           git-upload-pack     svn
    Rez                 gnumake             svnadmin
    RezDet              hdxml2manxml        svndumpfilter
    RezWack             headerdoc2html      svnlook
    SetFile             ibtool              svnrdump
    SplitForks          ibtool3             svnserve
    TextureAtlas        ibtoold             svnsync
    UnRezWack           ictool              svnversion
    actool              instruments         symbols
    agvtool             iprofiler           xcodebuild
    amlint              ld                  xcrun

The above is only part of the output.

Note: this is my personal experience of cracking the shell on my own machine; adjust the steps to your own situation. For details, see the original post "用dumpdecrypted砸殼" (Cracking the shell with dumpdecrypted).
