Decrypting (unpacking) a 32-bit app binary on a 64-bit iOS system

Source: Internet
Author: User

My test devices are an iPhone 5s and an iPhone 6. What Clutch does when it "unpacks" an app is really a memory dump, so every binary dumped this way loads into IDA as arm64, and the Hex-Rays decompiler of the time had no arm64 support: you cannot simply press F5 to look at the cross-references and the rough logic.


I finally decided to deal with this, and found that it is not as simple as it looks, probably because my knowledge of iOS is limited.


First, lipo. lipo is part of the Xcode Command Line Tools. It used to ship with Xcode itself, but since roughly Xcode 6.x the command line tools are a separate package that has to be installed explicitly:

xcode-select --install

There is a pit here too. For convenient file exchange I use an old Mac virtual machine (version 9.8), whose Xcode is very old, so when lipo -info looks at the FAT file it does not recognise the arm64 slice: a lipo that predates arm64 only reports it by its raw cputype number (16777228), not as arm64.


lipo can both combine and split FAT (universal) binaries; what we need here is the split.

lipo xxx -thin armv7 -output xxx.armv7

With -thin you get a file containing only the armv7 slice. Replace the original executable in the app bundle with it, the app runs in 32-bit mode, and the memory dump gives you a 32-bit program. It looks very simple.


But the replaced program would not run. The crash log shows a memory error; the process cannot execute.


A side episode: I wrote a demo in Xcode myself to test whether a program containing only the armv7 architecture runs on an iPhone 5s, and found that it would not even compile. The problem was in the build settings:

No architectures to compile for (ONLY_ACTIVE_ARCH=YES, active arch=x86_64, VALID_ARCHS=i386)

Since the 5s, App Store review no longer accepts apps that do not include the 64-bit architecture, but that should not prevent you from compiling your own test program, should it? Yet on the 5, without changing any project setting, the same project compiles and runs directly. So does Xcode not allow 32-bit programs to run on a 64-bit device?

Set "Build Active Architecture Only" to "NO"

This option controls whether Xcode builds only the architecture of the currently selected device. In theory, since I only wanted the armv7 build, setting it to YES seemed right.

Things turned out differently from what I expected: after setting it to NO, the demo ran fine on the 5s, and lipo -info on the exported binary showed that it does contain only armv7, exactly the result we wanted. So what does this option actually do? Reading the error message again, with ONLY_ACTIVE_ARCH=YES Xcode builds only the architecture of the selected destination (arm64 for a 5s), and if that architecture is not among the valid ones there is nothing left to compile; with NO it builds every architecture listed, which here is just armv7. At least this proves that a 32-bit app can run on a 64-bit system. So far, though, the real problem was still unsolved, and a whole day of my time was gone.


Since the lipo output would not run, I tried patching it myself in 010 Editor. What needs to be done is to tell the system "I am a 32-bit program, I did not pack any arm64 code." In theory that should be doable, but I tried countless times without success, probably because I am not proficient enough with the Mach-O file format; I only know its rough structure.


Even comparing against my own test demo, the program still crashed, with the header modified the same way and nothing unusual about the offsets. I won't paste it here; it was another big time sink.


A bitter lesson. Going back to lipo, I found that it also has a -remove option:

lipo xxx -remove arm64 -output xxx.remove

Import it, replace the executable, and the program runs!

Comparing the two results, one from -thin and one from -remove: -thin keeps only the named architecture and -remove only drops the named one, so for a program that contains just armv7 and arm64 you would expect the two to produce the same thing, keeping armv7 versus removing arm64. The outcome is somewhat unexpected, though: the -thin output is missing a header. A -thin slice is a bare Mach-O file, whereas -remove leaves a FAT file whose fat header now lists a single armv7 slice.
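To make that difference concrete, here is an added example (not part of the original post, and not lipo's own code) that parses the FAT header the way lipo -info does and reproduces both -thin and -remove on a constructed two-slice file. The sample slices are synthetic Mach-O headers with a placeholder payload, and the 2^12 alignment is an assumption to keep the sample small; real lipo lays ARM slices out at 2^14.

```python
import struct

FAT_MAGIC = 0xCAFEBABE         # fat header and fat_arch entries are big-endian
MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O
CPU_TYPE_ARM = 12
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
SUBTYPE_MASK = 0x00FFFFFF      # strip capability bits from cpusubtype
ARCH_NAMES = {(CPU_TYPE_ARM, 9): "armv7", (CPU_TYPE_ARM64, 0): "arm64"}


def _arch_name(cputype, cpusub):
    return ARCH_NAMES.get((cputype, cpusub & SUBTYPE_MASK), "cputype(%d)" % cputype)


def identify(data):
    """What `lipo -info` prints: ('fat', [archs]) or ('thin', [arch])."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        return "fat", [_arch_name(c, s) for c, s, _, _ in _fat_entries(data)]
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        cputype, cpusub = struct.unpack("<II", data[4:12])
        return "thin", [_arch_name(cputype, cpusub)]
    raise ValueError("not a Mach-O or FAT file")


def _fat_entries(data):
    """Each fat_arch: cputype, cpusubtype, offset, size, align (all uint32 BE)."""
    nfat = struct.unpack(">I", data[4:8])[0]
    entries = []
    for i in range(nfat):
        cputype, cpusub, off, size, align = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
        entries.append((cputype, cpusub, align, data[off:off + size]))
    return entries


def build_fat(entries):
    """Write a fat file: header, fat_arch table, then each slice padded to 2^align."""
    table_len = 8 + 20 * len(entries)
    body = bytearray()
    table = []
    for cputype, cpusub, align, blob in entries:
        off = table_len + len(body)
        pad = (-off) % (1 << align)
        body += b"\0" * pad
        table.append(struct.pack(">IIIII", cputype, cpusub, off + pad, len(blob), align))
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(entries)) + b"".join(table) + bytes(body)


def lipo_thin(data, arch):
    """`lipo -thin ARCH`: just the slice, i.e. a bare Mach-O with no fat header."""
    for cputype, cpusub, _, blob in _fat_entries(data):
        if _arch_name(cputype, cpusub) == arch:
            return blob
    raise ValueError("%s not in fat file" % arch)


def lipo_remove(data, arch):
    """`lipo -remove ARCH`: drop one slice but keep the fat wrapper,
    even when only a single slice remains."""
    entries = _fat_entries(data)
    keep = [e for e in entries if _arch_name(e[0], e[1]) != arch]
    if len(keep) == len(entries):
        raise ValueError("%s not in fat file" % arch)
    return build_fat(keep)


def make_slice(cputype, cpusub, payload):
    """Constructed stand-in for a real slice: a Mach-O header with no load
    commands followed by a placeholder payload. Not loadable, just parseable."""
    if cputype & CPU_ARCH_ABI64:
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, cpusub, 2, 0, 0, 0, 0)
    else:
        hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, cpusub, 2, 0, 0, 0)
    return hdr + payload


# Assumed 2^12 alignment to keep the sample small; lipo uses 2^14 for ARM slices.
SAMPLE_FAT = build_fat([
    (CPU_TYPE_ARM, 9, 12, make_slice(CPU_TYPE_ARM, 9, b"armv7 code")),
    (CPU_TYPE_ARM64, 0, 12, make_slice(CPU_TYPE_ARM64, 0, b"arm64 code")),
])

if __name__ == "__main__":
    print("original:", identify(SAMPLE_FAT))
    print("-thin armv7:", identify(lipo_thin(SAMPLE_FAT, "armv7")))
    print("-remove arm64:", identify(lipo_remove(SAMPLE_FAT, "arm64")))
```

Run it and the two outputs differ exactly as described above: lipo_thin returns bytes starting with the little-endian Mach-O magic (CE FA ED FE), while lipo_remove returns bytes starting with CA FE BA BE and a one-entry fat_arch table. To inspect a real binary, replace SAMPLE_FAT with the bytes read from the app's executable.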

Although it now runs, things are not over: Clutch cannot unpack it!

Looking at the Clutch log, it seems to be dumping in 64-bit mode regardless. Do I want to modify Clutch's code to force a 32-bit dump? Time does not allow it; who knows how long reading the code to find the key change would take. Time to find another unpacking tool.

https://github.com/stefanesser/dumpdecrypted

Download it and run make directly; this produces dumpdecrypted.dylib, which has to be placed in the Documents directory of the app being unpacked. There is a tip here too, because locating that directory by hand is physical labour. Attach cycript to the running app and ask it:

cycript -p PID
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

Once the dylib is in place, cd into the Documents directory and run the executable with the library injected:

DYLD_INSERT_LIBRARIES=/path/to/dumpdecrypted.dylib /path/to/executable

Unpacked successfully, and F5 works happily again.
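A check worth running on any dump before loading it into IDA, as an added example that is part of neither the original post nor dumpdecrypted. An App Store binary carries an encryption load command, LC_ENCRYPTION_INFO in a 32-bit Mach-O and LC_ENCRYPTION_INFO_64 in a 64-bit one, whose cryptid field is 1 while the segment is still encrypted; a dumper copies the decrypted pages out of the running process and then patches cryptid to 0. The code below walks the load commands of a thin Mach-O, reports that field, and applies the same patch; the two sample binaries are constructed headers, not real app binaries.

```python
import struct

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O header, 28 bytes
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O header, 32 bytes (extra reserved field)
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same fields, plus a 4-byte pad


def find_encryption_cmd(data):
    """Walk the load commands of a thin Mach-O and return
    (cmd_offset, cryptoff, cryptsize, cryptid), or None if the binary
    carries no encryption command at all (e.g. a developer build)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC:
        off = 28
    elif magic == MH_MAGIC_64:
        off = 32
    else:
        raise ValueError("not a thin little-endian Mach-O; split FAT files first")
    ncmds = struct.unpack("<I", data[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[off + 8:off + 20])
            return off, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None


def is_decrypted(data):
    """True when there is no encryption command or its cryptid is 0."""
    info = find_encryption_cmd(data)
    return info is None or info[3] == 0


def patch_cryptid(data, cryptid=0):
    """Return a copy with cryptid rewritten; this is the header fix-up a dumper
    applies after writing the decrypted segment back into the file."""
    info = find_encryption_cmd(data)
    if info is None:
        return data
    buf = bytearray(data)
    struct.pack_into("<I", buf, info[0] + 16, cryptid)
    return bytes(buf)


def make_sample(bits64, cryptid):
    """Constructed Mach-O: header, an LC_UUID to skip over, then the
    encryption command. No real code, just enough for the parser above."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    if bits64:
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2,
                          len(uuid_cmd) + len(enc), 0, 0)
    else:
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 2,
                          len(uuid_cmd) + len(enc), 0)
    return hdr + uuid_cmd + enc


ENCRYPTED_32 = make_sample(False, 1)   # shape of a still-encrypted armv7 binary
ENCRYPTED_64 = make_sample(True, 1)

if __name__ == "__main__":
    for name, blob in (("armv7", ENCRYPTED_32), ("arm64", ENCRYPTED_64)):
        print(name, find_encryption_cmd(blob), "decrypted:", is_decrypted(blob))
        print(name, "after patch:", find_encryption_cmd(patch_cryptid(blob)))
```

On a real dump, pass in the bytes of the thin executable: a cryptid of 1 with a non-zero cryptsize means the file on disk is still encrypted and the dump did not work, which is how to tell a good Clutch or dumpdecrypted result from a bad one without opening IDA. Note that patching cryptid alone does not decrypt anything; it only stops the loader and disassembler from treating the segment as encrypted.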



PS: remember to fix the permissions every time you replace a file:

chmod 755 xxx

The small pits along the way were truly heinous. I asked questions in many groups and got only sarcasm, wasting a lot of time; it made me angry enough to wonder what the point is of people who do not understand these things and cannot solve the actual problem spamming a QQ group.

