Appstore下载的App是苹果加密过的, 可执行文件套上了一层保护壳. class-dump 无法作用于加密过的App。所以,要想获取头文件,首先得破解加密的可执行文件,俗称”砸壳”.
dumpdecrypted 就是砸壳工具,需要自行编译。
1、下载工具
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ git clone https://github.com/s
tefanesser/dumpdecrypted
Cloning into 'dumpdecrypted'...
remote: Counting objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Unpacking objects: 100% (31/31), done.
Checking connectivity... done.
2、编译
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd dumpdecrypted/
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
2015-12-23 15:44:16.429 xcodebuild[9345:206961] [MT] DVTPlugInManager: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for KSImageNamed.ideplugin (com.ksuther.KSImageNamed) not present
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/CodePilot3.xcplugin' not present in DVTPlugInCompatibilityUUIDs
2015-12-23 15:44:16.490 xcodebuild[9345:206961] [MT] PluginLoading: Required plug-in compatibility UUID F41BD31E-2683-44B8-AE7F-5F09E919790E for plug-in at path '~/Library/Application Support/Developer/Shared/Xcode/Plug-ins/ClangFormat.xcplugin' not present in DVTPlugInCompatibilityUUID
..........省略大部分log
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ls
Makefile dumpdecrypted.c dumpdecrypted.o
README dumpdecrypted.dylib
最后生成了 dumpdecrypted.dylib 文件. 这个就是等会需要用到的砸壳文件。 以后都能重复使用了,无须重新编译。
3、定位需要砸壳的可执行文件。
appstore里面的App一般位于 /var/mobile/Containers/Bundle/Application/xxx 下面
这里有一个小技巧:就是用 ps -e 命令找到所有进程,手机只开一个App,所以含有 /var/mobile 路径的就是可执行文件的路径. 这里拿肯德基的官方app做例子,可以看到 KFC 关键字,所以这个路径是正确的。
didi:~ root# ps -e | grep var
2351 ?? 0:20.04 /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND
2360 ttys000 0:00.01 grep var
4、找到Doucument目录位置
进入目录下面,使用上一节介绍的cycript工具
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app root# cycript -p KFC_BRAND
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/"
5、将dumpdecrypted.dylib拷贝到Document目录下面
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ scp dumpdecrypted.dylib root@192.168.31.209:/var/mobile/Applications/F2842AA9-F
082-4EA1-8FAD-97BBAAA84D8F/Documents/dumpdecrypted.dylib
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
6、开始砸壳
进入Document目录下面,执行 DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib 相关的命令.
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ ssh root@192.168.31.209
didi:~ root# cd /var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents/
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage Backups IDatabaseHelper TCSdkConfig.plist dumpdecrypted.dylib imageFileCache.dat tencent_analysis_qc.db
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /va
r/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x68a08(from 0x68000) = a08
[+] Found encrypted data at address 00004000 of length 4620288 bytes - type 1.
[+] Opening /private/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/KFC_BRAND.app/KFC_BRAND for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening KFC_BRAND.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08
[+] Closing original file
[+] Closing dump file
会生成app砸壳后的文件xx.decrypted. 这里就是 KFC_BRAND.decrypted
didi:/var/mobile/Applications/F2842AA9-F082-4EA1-8FAD-97BBAAA84D8F/Documents root# ls
BIStorage IDatabaseHelper TCSdkConfig.plist imageFileCache.dat
Backups KFC_BRAND.decrypted dumpdecrypted.dylib tencent_analysis_qc.db
然后就能用 class-dump 、 IDA 工具了.
流程还是比较简单的、跟着步骤一步步来。
为什么要放在Document目录下面?
沙盒意外的大多数文件没有写权限, dumpdecrypted.dylib 要写一个decrypted文件, 它是运行在跟商店app中的,需要与商店里面的app权限相同,所以写操作必须发生在有写权限的路径下才能成功。
获取头文件
检查一下砸壳后的文件是否能获取到头文件。
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ /Users/liuchendi/Desktop/class-dump -H /Users/liuchendi/Desktop/逆向/KFC_BRAND.
decrypted -o head
liuchendi@lovelyddtekiMacBook-Pro dumpdecrypted$ cd head/
liuchendi@lovelyddtekiMacBook-Pro head$ ls
ABNewPersonViewControllerDelegate-Protocol.h MTAWXOPasteboard.h
ABPeoplePickerNavigationControllerDelegate-Protocol.h MTAWXOReachability.h
ABPersonViewControllerDelegate-Protocol.h MTAWXOSessionEnv.h
AMapViewController.h MTAWXOStore.h
APAutoRotateImageView.h MTAWXOStoreEvent.h
APHTTPRequestOperation.h MTAWXOTestSpeedEvent.h
APIBase.h MTAWXOUser.h
...........省略大部分
搞个gitee的项目
![[HBLOG]公众号](https://www.liuhaihua.cn/img/qrcode_gzh.jpg)
