[iOS Security] iOS 砸壳: dumping decrypted app binaries

2025-07-28 06:56:56

1. Introduction to iOS 砸壳 (app decryption)

https://mp.weixin.qq.com/s/xFHA2tlc6HCLti_ihlrsZA

2. Preparation: install Filza

Installing with Cydia

Search for filza in Cydia and install "Filza File Manager".

Installing with Sileo

Same as above: search for it and install.

3. Decrypting with FlexDecrypt

FlexDecrypt is mainly for jailbroken devices on iOS 12-14; some newer system versions need one of the other tools described below.

3.1 Installing flexdecrypt with Filza

Reference:

https://github.com/JohnCoates/flexdecrypt

Download flexdecrypt.deb to the phone:

https://github.com/JohnCoates/flexdecrypt/releases/tag/1.1

Open flexdecrypt.deb in Filza, tap flexdecrypt.deb, then tap Install in the top-right corner.

Installation succeeds.

3.2 Decrypting with flexdecrypt

Reference: https://www.jianshu.com/p/c3305067fd94

Use Filza to find the path of the app's main executable.

It is normally under /var/containers/Bundle/Application/:

For example, the iTunes Store binary is at:

/var/containers/Bundle/Application/F25EE666-CBE1-4D6F-B0DA-5A8AB41BB364/MobileStore.app/MobileStore

The UUID directory differs from device to device and changes when the app is updated or reinstalled, so look it up each time instead of copying a path from here.

Run flexdecrypt on the executable:

flexdecrypt /var/containers/Bundle/Application/F25EE666-CBE1-4D6F-B0DA-5A8AB41BB364/MobileStore.app/MobileStore

Copy the decrypted MobileStore that flexdecrypt writes under /private/var/tmp/ to the PC.

4. Decrypting with Dumpdecrypted

Reference: https://juejin.cn/post/7198210198644129851

Some apps make FlexDecrypt error out; try Dumpdecrypted on those.

4.1 Building dumpdecrypted.dylib

Download Dumpdecrypted:

https://github.com/stefanesser/dumpdecrypted

On the MacBook, cd into dumpdecrypted-master and run:

make

ldid -S dumpdecrypted.dylib

The ldid -S step ad-hoc signs the dylib. Skip it and dyld refuses to insert the unsigned library into the app (see the error in 4.3).

4.2 Using dumpdecrypted.dylib

Find the path of the app's Mach-O (with Filza):

/var/containers/Bundle/Application/6BAB0A28-8DD4-4C30-ABBD-FD37791A75A9/Taobao4iPhone.app/Taobao4iPhone

Find the Documents directory in the app's data container (with Filza):

/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents

Copy dumpdecrypted.dylib into that Documents directory (the dylib has to live somewhere the sandboxed app is allowed to read, which is why its own Documents directory is used):

/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents

SSH into the phone and run as root:

DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/6BAB0A28-8DD4-4C30-ABBD-FD37791A75A9/Taobao4iPhone.app/Taobao4iPhone

The first path is dumpdecrypted.dylib, the second is the app's Mach-O. The dylib is loaded into the app process at launch, reads the code range that the kernel has already decrypted back out of memory, splices it into a copy of the file on disk and sets cryptid to 0, as the log below shows.

The decrypted file, Taobao4iPhone.decrypted, is written to the current working directory (here /var/mobile/Containers, as the prompt in the log shows):

zzz256:/var/mobile/Containers root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/6BAB0A28-8DD4-4C30-ABBD-FD37791A75A9/Taobao4iPhone.app/Taobao4iPhone

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.

[+] offset to cryptid found: @0x102c49f78(from 0x102c48000) = 1f78

[+] Found encrypted data at address 0044c000 of length 4096 bytes - type 1.

[+] Opening /private/var/containers/Bundle/Application/6BAB0A28-8DD4-4C30-ABBD-FD37791A75A9/Taobao4iPhone.app/Taobao4iPhone for reading.

[+] Reading header

[+] Detecting header type

[+] Executable is a plain MACH-O image

[+] Opening Taobao4iPhone.decrypted for writing.

[+] Copying the not encrypted start of the file

[+] Dumping the decrypted data into the file

[+] Copying the not encrypted remainder of the file

[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 1f78

[+] Closing original file

[+] Closing dump file
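The two "find the path with Filza" steps in 3.2 and 4.2 can be scripted. The following is an added example, not part of flexdecrypt or dumpdecrypted: it walks the two container trees on the device and resolves a bundle ID to the app's main Mach-O (via CFBundleExecutable in Info.plist) and to its Documents directory (via the MCMMetadataIdentifier key in each data container's .com.apple.mobile_container_manager.metadata.plist), then assembles the DYLD_INSERT_LIBRARIES line used above. The root paths, file names and function names are this example's assumptions; without an argument it runs on a constructed sample tree instead of a real device.

```python
"""Resolve a bundle ID to the app's main Mach-O and its Documents directory, without Filza.

Added example for the "find the path with Filza" steps in 3.2 and 4.2; it is not part of
flexdecrypt or dumpdecrypted. Run it as root on the jailbroken device, or point the two
roots at copies of the container trees pulled over SSH. It relies on the layout shown in
the post plus two facts about it: <UUID>/<Name>.app/Info.plist carries CFBundleIdentifier
and CFBundleExecutable, and every data container has a
.com.apple.mobile_container_manager.metadata.plist whose MCMMetadataIdentifier is the
bundle ID. Function names and the sample tree are this example's own.
"""
import os
import plistlib
import sys
import tempfile

BUNDLE_ROOT = "/var/containers/Bundle/Application"
DATA_ROOT = "/var/mobile/Containers/Data/Application"
MCM_PLIST = ".com.apple.mobile_container_manager.metadata.plist"


def _load_plist(path):
    """Read an XML or binary plist; None if it is missing or malformed."""
    try:
        with open(path, "rb") as f:
            return plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return None


def find_executable(bundle_id, bundle_root=BUNDLE_ROOT):
    """Path of the app's main Mach-O, or None if no installed app has this bundle ID."""
    for uuid in sorted(os.listdir(bundle_root)):
        container = os.path.join(bundle_root, uuid)
        if not os.path.isdir(container):
            continue
        for entry in os.listdir(container):
            if not entry.endswith(".app"):
                continue
            info = _load_plist(os.path.join(container, entry, "Info.plist"))
            if info and info.get("CFBundleIdentifier") == bundle_id:
                # CFBundleExecutable, not the .app folder name: the two can differ
                return os.path.join(container, entry, info["CFBundleExecutable"])
    return None


def find_documents_dir(bundle_id, data_root=DATA_ROOT):
    """The app's Documents directory (where 4.2 puts dumpdecrypted.dylib), or None."""
    for uuid in sorted(os.listdir(data_root)):
        meta = _load_plist(os.path.join(data_root, uuid, MCM_PLIST))
        if meta and meta.get("MCMMetadataIdentifier") == bundle_id:
            return os.path.join(data_root, uuid, "Documents")
    return None


def dumpdecrypted_command(bundle_id, bundle_root=BUNDLE_ROOT, data_root=DATA_ROOT):
    """The DYLD_INSERT_LIBRARIES line from 4.2, or None if either path cannot be found."""
    exe = find_executable(bundle_id, bundle_root)
    docs = find_documents_dir(bundle_id, data_root)
    if exe is None or docs is None:
        return None
    return "DYLD_INSERT_LIBRARIES=%s %s" % (os.path.join(docs, "dumpdecrypted.dylib"), exe)


def build_sample_tree():
    """Constructed two-app copy of the device layout in a temp dir (fake data for offline runs)."""
    base = tempfile.mkdtemp(prefix="ios-containers-")
    bundle_root = os.path.join(base, "Bundle", "Application")
    data_root = os.path.join(base, "Data", "Application")
    apps = [("11111111-1111-1111-1111-111111111111", "Demo.app", "com.example.demo", "DemoBinary"),
            ("22222222-2222-2222-2222-222222222222", "Other.app", "com.example.other", "Other")]
    for uuid, app, bid, exe in apps:
        app_dir = os.path.join(bundle_root, uuid, app)
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": bid, "CFBundleExecutable": exe}, f, fmt=plistlib.FMT_BINARY)
        # the data container has its own UUID, unrelated to the bundle container's
        data_dir = os.path.join(data_root, uuid.replace("1", "a").replace("2", "b"))
        os.makedirs(os.path.join(data_dir, "Documents"))
        with open(os.path.join(data_dir, MCM_PLIST), "wb") as f:
            plistlib.dump({"MCMMetadataIdentifier": bid}, f, fmt=plistlib.FMT_BINARY)
    return bundle_root, data_root


if __name__ == "__main__":
    if len(sys.argv) > 1:       # on the device: python3 find_app.py com.apple.MobileStore
        bid, roots = sys.argv[1], (BUNDLE_ROOT, DATA_ROOT)
    else:                       # no argument: demo on the constructed sample tree
        bid, roots = "com.example.demo", build_sample_tree()
    print("executable:", find_executable(bid, roots[0]))
    print("documents: ", find_documents_dir(bid, roots[1]))
    print("command:   ", dumpdecrypted_command(bid, *roots))
```

On the device, python3 find_app.py com.apple.MobileStore prints the three lines for the iTunes Store app from 3.2; the printed command is exactly what 4.2 runs after the dylib has been copied into the Documents directory.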

4.3 Error: could not load inserted library '/xxx/dumpdecrypted.dylib' into hardened process because no suitable image found

Running the DYLD_INSERT_LIBRARIES= command fails with:

zzz256:/var/mobile/Containers root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/6BAB0A28-8DD4-4C30-ABBD-FD37791A75A9/Taobao4iPhone.app/Taobao4iPhone

dyld: warning: could not load inserted library '/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib' into hardened process because no suitable image found. Did find:

/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib: code signature in (/var/mobile/Containers/Data/Application/08613B0F-F178-4672-B12A-958E93BA98DE/Documents/dumpdecrypted.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

[TBSideWayRecovery] Run before launch tasks with count: 0

Abort trap: 6

Fix:

The message says what is wrong: library validation refuses a dylib that has no cdhash, i.e. one that is not even ad-hoc signed. Don't forget to run ldid -S dumpdecrypted.dylib after building it (4.1), then copy the signed dylib back to the phone.

Reference: https://github.com/stefanesser/dumpdecrypted/issues/28

5. Decrypting with FoulDecrypt

https://github.com/Lessica/fouldecrypt

The easiest route is the tool Iridium.

Iridium is a GUI front end built on top of the static decryption command-line tool fouldecrypt.

Tutorial: https://www.jianshu.com/p/b60a494c24d3

Install it from Cydia.

6. Decrypting with frida-ios-dump

In my tests on a jailbroken iPhone X running iOS 16.6, neither FlexDecrypt nor Dumpdecrypted worked, and frida-ios-dump had to be used instead.

Original repository: https://github.com/AloneMonkey/frida-ios-dump

On macOS/Linux just follow the official instructions. On Windows you can use a virtual machine (reportedly works), or follow the steps below:

6.0 Prerequisites

Environment: iPhone X, iOS 16.6, jailbroken with Dopamine

SSH is enabled on the iPhone

Frida is correctly set up on both the iPhone and the PC

The iPhone and the PC are on the same LAN

The iPhone is connected to the PC with a USB data cable

6.1 Installing gow

https://github.com/bmatzelle/gow/releases

Double-click the exe to install. gow (GNU on Windows) provides Windows builds of the Unix command-line tools that dump.py shells out to; without it the IPA packaging step fails as described in 6.6.

6.2 Downloading and configuring frida-ios-dump

See: https://github.com/AloneMonkey/frida-ios-dump

Reference: https://www.cnblogs.com/paperpen/p/14845675.html

git clone https://github.com/AloneMonkey/frida-ios-dump.git

pip install -r requirements.txt --upgrade

On Windows there is no need to run iproxy 2222 22: instead of forwarding SSH over USB to localhost:2222, dump.py is pointed at the phone's LAN address with -H (see 6.3).

6.3 Running dump.py

Enable SSH on the iPhone, SSH in from Windows, and start frida-server:

/var/jb/usr/sbin/frida-server -l 0.0.0.0:6666

Launch the target app and keep it in the foreground for the rest of the procedure.

Connect the iPhone to Windows over USB.

Get the target app's bundle ID (the columns are PID, name and identifier):

frida-ps -H 192.168.31.222:6666 -a

3611 Days Matter com.chii.idays

Run dump.py:

python dump.py com.chii.idays -H 192.168.31.222 -p 22

Note that -H 192.168.31.222 must not be omitted. -H and -p are the SSH host and port that dump.py (through paramiko) uses to pull the dumped files off the phone; they default to localhost and 2222, which only works with the iproxy forward skipped in 6.2. The Frida session itself is opened over USB (frida.get_usb_device), which is why the cable is required.

When "Days Matter.ipa" appears, the dump has succeeded.

If you only want the main Mach-O, unzip the IPA: the main executable is in Payload\Days Matter.app\ and is named Days Matter.
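Before spending time in a disassembler, check that the dump is actually decrypted. The script below is an added example for 4.2, 4.3 and this section; it is not code from dumpdecrypted or frida-ios-dump. Both tools do what the 4.2 log shows: find LC_ENCRYPTION_INFO(_64), overwrite the [cryptoff, cryptoff+cryptsize) range with the plaintext read from the running process, and set cryptid to 0. The script walks the Mach-O load commands and reports (cryptoff, cryptsize, cryptid) for every slice of every Mach-O in an IPA, which goes beyond the main executable mentioned above to the embedded frameworks that frida-ios-dump also dumps, and the same walk answers the 4.3 question of whether a dylib carries any LC_CODE_SIGNATURE at all. Function names and the constructed sample images/IPA are this example's own assumptions.

```python
"""Verify a dump: is every Mach-O in the IPA really decrypted, and is a dylib signed at all?

Added example for 4.2, 4.3 and 6.3; not code from dumpdecrypted or frida-ios-dump. A good
dump has cryptid == 0 in every slice of every image, frameworks included. The 4.3 dyld error
means the dylib has no LC_CODE_SIGNATURE load command. Function names and the sample
images/IPA are this example's own.
"""
import io
import struct
import zipfile

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1D, 0x21, 0x2C


def slices(data):
    """Architecture slices of a fat binary (big-endian fat_arch, 20 bytes each); a thin image is one slice."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [data]
    nfat = struct.unpack(">I", data[4:8])[0]
    out = []
    for i in range(nfat):                       # offset and size sit at +8 and +12 of each fat_arch
        off, size = struct.unpack(">II", data[16 + 20 * i:24 + 20 * i])
        out.append(data[off:off + size])
    return out


def load_commands(image):
    """Yield (cmd, body) for every load command of one thin little-endian Mach-O image."""
    magic = struct.unpack("<I", image[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image, magic %#x" % magic)
    pos = 32 if magic == MH_MAGIC_64 else 28    # sizeof(mach_header_64) / sizeof(mach_header)
    ncmds = struct.unpack("<I", image[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", image[pos:pos + 8])
        yield cmd, image[pos + 8:pos + cmdsize]
        pos += cmdsize


def encryption_info(data):
    """[(cryptoff, cryptsize, cryptid)] per slice; (0, 0, 0) when a slice has no such command."""
    result = []
    for image in slices(data):
        enc = [struct.unpack("<III", body[:12]) for cmd, body in load_commands(image)
               if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64)]
        result.append(enc[0] if enc else (0, 0, 0))
    return result


def has_code_signature(data):
    """True when every slice carries LC_CODE_SIGNATURE (an ad-hoc signature from ldid -S counts)."""
    return all(any(cmd == LC_CODE_SIGNATURE for cmd, _ in load_commands(img)) for img in slices(data))


def check_ipa(ipa):
    """Map every Mach-O member of the IPA (main binary and frameworks) to its encryption_info()."""
    found = {}
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            with z.open(name) as f:
                head = f.read(4)
            if len(head) == 4 and (struct.unpack("<I", head)[0] in (MH_MAGIC, MH_MAGIC_64)
                                   or struct.unpack(">I", head)[0] == FAT_MAGIC):
                found[name] = encryption_info(z.read(name))
    return found


def still_encrypted(ipa):
    """Members with cryptid != 0 in some slice; an empty list means the dump is usable."""
    return sorted(n for n, s in check_ipa(ipa).items() if any(cid for _, _, cid in s))


def sample_image(cryptid, signed=True):
    """Constructed minimal arm64 image (fake test data): encryption command plus optional signature."""
    cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x5000, 0x200)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2 if signed else 1, len(cmds), 0, 0)
    return header + cmds + b"\0" * 64


def build_sample_ipa(main_cryptid, framework_cryptid):
    """Constructed in-memory IPA (fake test data): one main binary, one framework, a placeholder plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", b"<plist/>")
        z.writestr("Payload/Demo.app/Demo", sample_image(main_cryptid))
        z.writestr("Payload/Demo.app/Frameworks/Foo.framework/Foo", sample_image(framework_cryptid))
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_ipa(0, 1)
    for name, info in check_ipa(target).items():
        print(name, info)
    bad = still_encrypted(target)
    print("dump OK" if not bad else "STILL ENCRYPTED: " + ", ".join(bad))
```

Run python check_dump.py "Days Matter.ipa" to list every Mach-O in the IPA with its slice info and get either "dump OK" or the members that still have cryptid != 0; with no argument it runs on the constructed sample. For the dumpdecrypted output of 4.2 call encryption_info(open("Taobao4iPhone.decrypted", "rb").read()) and expect cryptid 0 in each tuple; for the 4.3 problem, has_code_signature(open("dumpdecrypted.dylib", "rb").read()) returning False means ldid -S was skipped.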

6.4 Error: ImportError: DLL load failed while importing _bcrypt: 找不到指定的程序。 (The specified procedure could not be found.)

Running python dump.py fails with:

E:\AcademicWorkplace\iOSSec\frida-ios-dump\frida-ios-dump>python dump.py com.tencent.mqq -H 192.168.31.222 -p 6666

Traceback (most recent call last):

File "E:\AcademicWorkplace\iOSSec\frida-ios-dump\frida-ios-dump\dump.py", line 20, in <module>

import paramiko

File "D:\Academic\Python\Python39\lib\site-packages\paramiko\__init__.py", line 22, in <module>

from paramiko.transport import (

File "D:\Academic\Python\Python39\lib\site-packages\paramiko\transport.py", line 98, in <module>

from paramiko.dsskey import DSSKey

File "D:\Academic\Python\Python39\lib\site-packages\paramiko\dsskey.py", line 37, in <module>

from paramiko.pkey import PKey

File "D:\Academic\Python\Python39\lib\site-packages\paramiko\pkey.py", line 32, in <module>

import bcrypt

File "D:\Academic\Python\Python39\lib\site-packages\bcrypt\__init__.py", line 13, in <module>

from ._bcrypt import (

ImportError: DLL load failed while importing _bcrypt: 找不到指定的程序。

Fix: pin bcrypt to 4.1.1.

Reference: https://blog.csdn.net/m0_46285401/article/details/140298739

pip install bcrypt==4.1.1

6.5 Error: Waiting for USB device...

Fix: connect the phone to the laptop with a USB cable. dump.py attaches to the app through Frida's USB device, not through the LAN address given with -H, so it waits here until it sees the phone over USB. On Windows that USB transport needs iTunes (its Apple Mobile Device Support service) installed.

6.6 Error: [WinError 5] 拒绝访问。 (Access is denied.)

Running python dump.py fails with:

E:\AcademicWorkplace\iOSSec\frida-ios-dump\frida-ios-dump-windows-win>python dump.py com.tencent.mqq -H 192.168.31.222 -p 22

Start the target app com.tencent.mqq

Dumping QQ to C:\Users\xxx\AppData\Local\Temp\tmpmeph23ho

[frida-ios-dump]: Load SoundTouch.framework success.

[frida-ios-dump]: Load ilink.framework success.

[frida-ios-dump]: Load owl.framework success.

[frida-ios-dump]: Load TXSoundTouch.framework success.

[frida-ios-dump]: Load UE4.framework success.

[frida-ios-dump]: Load andromeda.framework success.

[frida-ios-dump]: Load matrixreport.framework success.

[frida-ios-dump]: Load ProtobufLite.framework success.

[frida-ios-dump]: Load WeAppCoreSDK.framework success.

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/QQ

QQ.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████| 425M/425M [00:42<00:00, 10.5MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/andromeda.framework/andromeda

andromeda.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████| 2.80M/2.80M [00:00<00:00, 6.83MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/SoundTouch.framework/SoundTouch

SoundTouch.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████| 71.2k/71.2k [00:00<00:00, 479kB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/ilink.framework/ilink

ilink.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████| 7.88M/7.88M [00:00<00:00, 9.67MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/owl.framework/owl

owl.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.44M/1.44M [00:00<00:00, 4.89MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/TXSoundTouch.framework/TXSoundTouch

TXSoundTouch.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████| 87.6k/87.6k [00:00<00:00, 530kB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/UE4.framework/UE4

UE4.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████| 61.1M/61.1M [00:05<00:00, 10.7MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/matrixreport.framework/matrixreport

matrixreport.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████| 469k/469k [00:00<00:00, 2.19MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/ProtobufLite.framework/ProtobufLite

ProtobufLite.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████| 504k/504k [00:00<00:00, 2.81MB/s]

start dump /private/var/containers/Bundle/Application/08BC5538-4BEA-4494-9346-DA53E0748B35/QQ.app/Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK

WeAppCoreSDK.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████| 77.3M/77.3M [00:07<00:00, 10.4MB/s]

medalEntranceAnim.json: 620MB [06:46, 1.60MB/s]

0.00B [00:00, ?B/s]Generating "QQ.ipa"

[WinError 5] 拒绝访问。: 'C:\\Users\\xxx\\AppData\\Local\\Temp\\tmpmeph23ho\\Payload\\QQ.fid'

The root cause is that dump.py shells out to Unix command-line tools (such as zip, used to package the IPA) that a stock Windows install does not have.

Fix:

Reference: https://github.com/AloneMonkey/frida-ios-dump/issues/130

Download and install gow (see 6.1), which provides Windows builds of those tools:

https://github.com/bmatzelle/gow/releases

6.7 Stuck at 0.00B [00:00,?B/s]

Everything is configured correctly, but the dump prints 0.00B [00:00,?B/s] and then hangs without making further progress.

Fix:

Switch to frida 16.4.10 (the failing run used frida 17.0.7). Keep the frida Python package on the PC and frida-server on the phone at the same version.

6.8 Todo:

This dumping process takes a long time. When we only need the main Mach-O, dumping everything else is wasted work, so I will find time to modify dump.js and dump.py.

(I actually changed it twice, but being a bit slow I ended up with dumped Mach-Os that were still encrypted; I will look into it when I have time.) In theory USB should not be needed, but in practice it does not work without USB; another thing to fix when I have time.