iOS 逆向学习系列之一：砸壳

Posted on 2018-05-29 Edited on 2021-12-09

App Store中下载的程序是加密后的，为了能够获取目标程序的类信息以便之后修改源码，我们需要对应用程序做一个解密，也就是砸壳。

硬件设备需要有一台越狱手机和一台装了开发环境的mac电脑。

以下以微信为例，进行操作。

1. 远程连接iphone

iphone 本质也是一台linux设备，所以可以用登录服务器的方式连接iphone。具体操作如下:

连到同一个wifi，在 设置－无线局域网 中查看iphone的ip，我这里是 192.168.1.116
使用 ssh 命令登录服务器，登录过程中需要输入服务器密码，ios 默认密码为 alpine

ssh root@192.168.1.116

2. 找到app路径和Document路径

用ssh连接上iOS设备后，我们打开想要砸壳的app，输入 ps -e，就可以在进程中找到这个app的二进制文件的地址：

9281 ??         0:02.65 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat

9281 为微信的进程名，可执行文件目录为 /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat。

用 Cycript 找出 TargetApp 的 Documents 目录路径，cycript -p process process 为第一步中拿到的进程名。

admin:~ root# cycript -p 9281
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/"

现在得到微信的 Document 目录，也可以用PP助手类的工具直接获得Document目录。

file:///var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/

3. 编译dumpdecrypted

dumpdecrypted 工具就是要用的砸壳工具。他的原理是让app预先加载一个解密的dumpdecrypted.dylib，然后在程序运行后，将代码动态解密，最后在内存中dump出来整个程序。

首先下载dumpdecrypted源代码，项目地址 https://github.com/stefanesser/dumpdecrypted，然后切到dumpdecrypted目录，直接使用make命令编译，即可得到dumpdecrypted.dylib文件。一般SDK是向下兼容的，保证SDK版本与越狱设备的版本一致或者高于越狱设备版本即可。

Baiya:Ios baiya$ cd dumpdecrypted/
Baiya:dumpdecrypted baiya$ ls
Makefile	README		dumpdecrypted.c
Baiya:dumpdecrypted baiya$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'
ld: warning: directory not found for option '-F/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks'

使用xcrun --sdk iphoneos --show-sdk-path查看SDK版本。
如下：SDK版本是9.3。因为设备是iOS 8.4，所以没问题。

Baiya:dumpdecrypted baiya$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk

常见错误参见iOS逆向之dumpdecrypted的使用

4. 砸壳

将生成的dumpdecrypted.dylib拷贝到设备目录，可以用scp命令或PP助手等。

Baiya:dumpdecrypted baiya$ scp dumpdecrypted.dylib root@192.168.1.116:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents/
root@192.168.1.116's password: 
dumpdecrypted.dylib                                                     100%  193KB 192.9KB/s   00:00

进入Document目录下面，执行DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib相关的命令。

admin:/var/mobile/Containers/Data/Application/6A3EDE95-573D-4B8A-A107-6AA596C49DE3/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[-] This mach-o file is not encrypted. Nothing was decrypted.

因为博主装的是没有加密的，正常是：

iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] Found encrypted data at address 00002000 of length 1826816 bytes - type 1.
[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 2408224 in the file
[+] Opening Scan.decrypted for writing.
[-] Failed opening. Most probably a sandbox issue. Trying something different.
[+] Opening /private/var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/tmp/Scan.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Closing original file
[+] Closing dump file

会生成app砸壳后的文件xx.decrypted. 这里就是WeChat.decrypted。如果是没有加密的，直接使用WeChat即可。

取出解密后程序

还是scp命令或者PP助手。

Baiya:dumpdecrypted baiya$ scp root@192.168.1.116:/var/mobile/Containers/Bundle/Application/23A70D56-542F-4843-B1F7-DAF3FB0CED25/WeChat.app/WeChat ~/Desktop/
root@192.168.1.116's password: 
WeChat                                                                                                                                             100%   97MB   2.2MB/s   00:45

查看APP信息

查询架构 file app。微信支持两种架构 armv7 和 arm64。

Baiya:Desktop baiya$ file WeChat 
WeChat: Mach-O universal binary with 2 architectures
WeChat (for architecture armv7):	Mach-O executable arm
WeChat (for architecture arm64):	Mach-O 64-bit executable

查询下它的加密情况 otool -l 主文件名 | grep crypt。cryptid 1代表加密，cryptid 0代表未加密。两个分别对应着armv7和arm64，也就是它们都没有加密。

Baiya:Desktop baiya$ otool -l WeChat | grep crypt
cryptoff 16384
cryptsize 40910848
cryptid 0
cryptoff 16384
cryptsize 43974656
cryptid 0

参考链接：

iOS逆向之dumpdecrypted的使用
 iOS逆向 - Cycript基本用法
 iOS逆向 - dumpdecrypted工具砸壳
 用dumpdecrypted给App砸壳
 iOS逆向之IPA脱壳
 iOS 冰与火之歌番外篇 - App Hook 答疑以及 iOS 9 砸壳