App shelling for iOS reverse engineering

This blog for example, to shelling . "Smashing the shell" in the iOS reverse engineering is often done, because the app from the AppStore directly download installed is Shell , in fact, is encrypted, this "shell" process is a decryption process. Apps that are not smashed are not used in tools such as class-dump, Hopper, and so on. So we're going to smash the app to the shell. In Android development There is also the application shell processing, such as what 360 reinforcement, in fact, to add a shell to the app.

This blog we take the WeChat () as an example, download and install from the AppStore, and then use the dumpdecrypted tool (of course you can also use other shell tool) to shell processing. After smashing the shell will generate a decrypted app file, then we can use Class-dump and hopper to process the decrypted file. Talk less and start today's theme.

First, generate Dumpdecrypted.dylib dynamic library

First of all we want to create a "smash shell" with the dynamic library dumpdecrypted.dylib, we "hit the shell" when the main use of this dynamic library. The source of the dynamic library is open source on GitHub (GitHub address ), to get the dumpdecrypted.dylib dynamic Library, just download the code from GitHub, then compile, You can generate Dumpdecrypted.dylib. Below is the use make command to compile the dumpdecrypted source code.

Go to the Dumpdecrypted folder and run the Make command.

　　

Once the compilation is complete, there will be one more dumpdecrypted.dylib dynamic library in the Dumpdecrypted folder, which is the tool we use to break the shell later.

　　

Second, "smashing the shell" before the preparation work

The next step is to find the app path to "shell" on the jailbreak phone, first use SSH to connect to your jailbreak device, then open the app you want to shell out in the jailbreak device, here we consider. The app downloaded from Aippstore will be located in /var/mobile/applications , below the installation path of the app downloaded from AppStore on my phone. Of course, below is the use of the IExplore tool for viewing, in the content below, we will use a copy of the file iexplorer, of course, you can also use the IFunBoxmentioned previously.

　　

From the top of the directory is very difficult to find out, the application of less you can open a look. To this kind of application is more than the case, one by one folder open is not very realistic, so we have to go through another way to locate the "" "app is located in the directory.

This shortcut location "" is the way to "view the application process", first you need to open, and then run the command below to see the file directory /var/mobile/ directory of all the running apps, the specific command is as follows:

Ps-e | Grep/var/mobile

　　

Above is the output of the above command after the operation, from the above content, we can easily find the "WeChat" in the directory. We can open the directory through IExplore, and more intuitively look at the directory where the app is located, as shown below. The absolute path to the above process is to be written down, because the path is used when the shell is smashed behind it.

　　

Next we will use the Cycript tool to find the WeChat document Path , if your jailbreak device is not installed Cycript tools, then please go to cydia download install Cycript tool. The steps below are the steps to use the Cycript tool to view the document directory of the attached process.

1. Using Cycript to inject into the target process

Cycript-p WeChat

When the above command finishes, it goes into cycript mode, as shown below. Of course, the jailbreak device on the iOS9.2.1 execution of the above command will be an error, perhaps the current Cycript this powerful tool does not support iOS9.2 bar. So I was doing the experiment on the iOS7.2.

　　

2. Get the document directory for the process

[[Nsfilemanager defaultmanager] urlsfordirectory: NSDocumentDirectory indomans:nsuserdomainmask[0]

Enter the above content, and then click Enter, the WeChat process will output the document directory, the output results are as follows. The red part below is the absolute path of the WeChat document directory.

　　

Once the above directory is found, use IExplore to enter the directory and copy the dumpdecripted.dylib Dynamic Library We generated above to that directory, as shown below:

　　

Three, start smashing shell

After the "shell" preparation is ready, we're about to start smashing the shells. Enter into the WeChat document directory, execute the command below to smash the shell.

dyld_insert_libraries=dumpdecrypted.dylib /var/mobile/applications/3dc16044-e5bb-4038-9e31-cfe3c7134a7b/wechat.app/wechat

In the above command,dyld_insert_libraries behind this dynamic library is the dynamic library we generated above, the path behind this is the absolute path of WeChat execution file, after running the above command, began to smash Shell, below is the process of our shell.

When the shell process is complete, a wechat.decrypted file is generated in our document directory, as shown below. This file is the shelled file, we can copy the file to our Mac for use.

　　

Iv. Export the header file of the Shelled app

Copy the wechat.decrypted shelling file that was generated above on our Mac, and the next step is the time we class-dump the factory. Next we'll use Class-dump to export all the header pieces of the shelled file . The specific steps are shown below.

1. Prelude

wechat.decrypted file, I executed the command below to export its header file, the command below in the app without shell is so, directly can export the corresponding app header file, as follows:

Class-dump-s-s-h wechat.decrypted -O./headers

After the execution of the above command is the result below, and did not export the desired header file, Google a bit, is the structure of arm is not correct, so there is no export success.

　　

2. Start Exporting header files

From the above we can see that the Headers folder does not generate the corresponding header file. Is there a problem with the file we decrypted? So, I used the hopper opened the decrypted file, it can be opened normally, and then Google a bit, originally we exported the header file when the specified arm architecture is incorrect, The Class-dump--arch configuration item is used to specify the schema of the armv7, so the header file is exported successfully.

Class-dump --arch armv7 -s-s-H wechat.decrypted-o./headers

Operation steps and results as shown, export success, you can slowly analyze.

Wu, Hopper

The above uses the Class-dump to operate our shelling the document, the wood has the problem. So let's take a look at the effect on the Hopper , below is the effect of using Hopper to open the "shelled" file. Of course, you can also use IDA Pro to see, of course, here we are using hopper. From the bottom of the view, the result is perfect.

　　

At this point, the process of shelling is so enjoyable that you can analyze what you want to analyze.

App shelling for iOS reverse engineering