iOS Application Reverse Engineering Study Notes (6): Decrypting an App Binary ("Smashing the Shell") with dumpdecrypted

Source: Internet
Author: User
Tags: scp command

I originally intended to decrypt the app ("smash the shell", as the jailbreak community calls it) with AppCrackr, but the decryption failed. At first I assumed the app's protection was simply too strong; only later did I learn that AppCrackr had been so aggressive that it caused public outrage, and after the complaints its core function was forcibly disabled.

Fortunately, on the iOS RE forum I found a post about dumping decrypted binaries with dumpdecrypted. What follows is my own walkthrough.


I. Build the hammer

1. Download the dumpdecrypted source code

Download https://github.com/stefanesser/dumpdecrypted/archive/master.zip and unzip it on the Mac.


2. Confirm the iOS version of the device

Mine is iOS 7.1.x. (snakeninny's original post covers this step at more length.)


3. Makefile

cd into the dumpdecrypted directory and look at the Makefile:

GCC_BIN=`xcrun --sdk iphoneos --find gcc`
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64

SDK=`xcrun --sdk iphoneos --show-sdk-path`

CFLAGS =
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $<

clean:
	rm -f *.o dumpdecrypted.dylib

Most of it is hard to read at first glance. What we actually need to check is that the GCC_UNIVERSAL and SDK variables match the iOS device: GCC_UNIVERSAL lists the architectures the dylib is built for (armv7, armv7s and arm64, so it can be loaded into both 32-bit and 64-bit app processes), and SDK selects the iOS SDK whose headers the build uses.


4. Make sure the Makefile configuration matches the real device

Open a terminal on the Mac and run xcrun --sdk iphoneos --show-sdk-path to see which SDK will be used:

$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

The Xcode SDK is 7.1, matching the device's iOS 7.1.x, and GCC_UNIVERSAL already covers the device's architecture, so neither variable needs to be changed.


5. Build the dynamic library

(1) First mistake

After confirming that the Makefile's settings match the real iOS environment, run make in the current directory.

It failed, with the following error:

`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
/bin/sh: /Applications/Xcode: No such file or directory
make: *** [dumpdecrypted.o] Error 127

The shell is trying to execute /Applications/Xcode, which does not exist. The cause is the space in the Xcode bundle name: xcrun --find gcc returns a path under "/Applications/Xcode 5.1.1.app/...", the Makefile substitutes it unquoted, and the shell splits it at the space and takes "/Applications/Xcode" as the command (exit status 127 means "command not found"). My Mac has three Xcodes, /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1 and /Applications/Xcode 6 Beta4, and none of them is simply /Applications/Xcode.app.

The simplest fix is to rename Xcode 5.1.1 to Xcode so that the path contains no space:

$ sudo mv Xcode\ 5.1.1.app/ Xcode.app/

(2) Second mistake

Run make again: the same error as before.

No need to panic; we have xcode-select, the usual helper whenever Xcode "cannot be found":

$ xcode-select -p
/Applications/Xcode 5.1.1.app/Contents/Developer

So xcrun was still looking for the command-line tools under the old Xcode 5.1.1 path, where of course nothing is found any more. Time to reset it to the default (/Applications/Xcode.app/):

$ sudo xcode-select -r
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer

(3) Success

Run make once more; this time it succeeds:

$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
$ ls
Makefile             dumpdecrypted.c      dumpdecrypted.o
README               dumpdecrypted.dylib

Two new files have appeared in the directory. The one with the .dylib suffix is the dynamic library we just built: the "hammer" we will use to smash the shell.


II. Smash the shell

1. Put the "hammer" on the device

Look up the IP address of the iOS device, then use scp on the Mac to copy dumpdecrypted.dylib to the device:

$ scp dumpdecrypted.dylib root@<device IP>:/var/tmp
root@<device IP>'s password:
dumpdecrypted.dylib                           100%   81KB  81.0KB/s   00:00

/var/tmp is a good place for it because dumpdecrypted writes its output into the current working directory, so we will run it from a directory that is writable anyway.

2. Smash

Pick an app that annoys you or interests you; I picked HBGC. Open iFile on the iOS device and find the path of its executable:

/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC

Then ssh into the device and cd to the directory the dynamic library was just copied to, /var/tmp:

$ ssh root@<device IP>
root@<device IP>'s password:
root# cd /var/tmp/
root# ls
FlipswitchCache/                              com.apple.audio.hogmode.plist
L65ancd.sock=                                 com.apple.tccd/
L65d.sock=                                    com.apple.timed.plist
MediaCache/                                   cydia.log
RestoreFromBackupLock*                        dumpdecrypted.dylib*
SpringBoard_reboot_flag                       launchd/
com.apple.assistant.bundleservicecache.plist  mobile_assertion_agent.log

Smash the shell (this takes a moment):

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xd5a90(from 0xd5000) = a90
[+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
[+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening HBGC.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file

What happens here: DYLD_INSERT_LIBRARIES makes dyld load dumpdecrypted.dylib into the app's process before the app's own code runs. By then the kernel has already decrypted the FairPlay-protected pages for execution, so the library's constructor looks up the LC_ENCRYPTION_INFO load command in the in-memory Mach-O header, copies the decrypted region out of memory into a new file next to the unencrypted parts of the original, and sets cryptid to 0 in the copy. The log shows the arithmetic: the 32-bit slice starts at offset 16384 (0x4000) of the fat file, the cryptid field sits 0xa90 bytes into the Mach-O header, so it is zeroed at file offset 0x4a90. This only works on a jailbroken device (dyld ignores DYLD_INSERT_LIBRARIES for sandboxed App Store apps otherwise), and it dumps only the main executable that was launched.

Result:

root# ls
FlipswitchCache/                              com.apple.audio.hogmode.plist
HBGC.decrypted                                com.apple.tccd/
L65ancd.sock=                                 com.apple.timed.plist
L65d.sock=                                    cydia.log
MediaCache/                                   dumpdecrypted.dylib*
RestoreFromBackupLock*                        launchd/
SpringBoard_reboot_flag                       mobile_assertion_agent.log
com.apple.assistant.bundleservicecache.plist

HBGC.decrypted is what we were after. Now load it into IDA and go at it with whichever tools you prefer.
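Before spending time in IDA it is worth confirming the dump is really decrypted rather than trusting the log. The script below is an added example written for these notes; it is not part of the original post or of dumpdecrypted. It parses the fat header and the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command of every slice and reports cryptid, cryptoff, cryptsize and the file offset of the cryptid field, the same numbers dumpdecrypted printed above (slice at 16384, cryptid written at 0x4a90). Run it on the original HBGC (expect cryptid 1) and on HBGC.decrypted (expect cryptid 0; the load command itself stays in the file). The build_sample helper fabricates a minimal Mach-O for testing: the values it uses (cryptoff 0x4000, 3047424 bytes, slice at 0x4000) are copied from the log above, but the file it produces is constructed, not a real app.

```python
"""Report the FairPlay encryption state of a Mach-O (thin or fat) binary.

Added example for these notes, not code from the original post or from
dumpdecrypted.  Only little-endian Mach-O slices (as on iOS) are handled.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # fat header, always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_ARM_V7 = 9
MH_EXECUTE = 2


def parse_slice(data, base):
    """Walk the load commands of the Mach-O slice starting at file offset `base`."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        is64, header_size = False, 28
    elif magic == MH_MAGIC_64:
        is64, header_size = True, 32
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    # ncmds and sizeofcmds are at offsets 16 and 20 in both header layouts
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    info = {"arch_offset": base, "is64": is64, "cryptid": None,
            "cryptoff": None, "cryptsize": None, "cryptid_file_offset": None}
    off = base + header_size
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command at offset 0x%x" % off)
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize 0x%x at offset 0x%x" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both layouts: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in the _64 variant)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_file_offset=off + 16)
            break
        off += cmdsize
    return info


def parse_encryption_info(data):
    """One info dict per architecture slice (fat file) or a one-element list (thin file)."""
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_be != FAT_MAGIC:
        return [parse_slice(data, 0)]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat_arch):
        _cputype, _subtype, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append(parse_slice(data, offset))
    return slices


def is_encrypted(data):
    """True if any slice still carries cryptid != 0; a dump keeps the command with cryptid 0."""
    return any(s["cryptid"] not in (None, 0) for s in parse_encryption_info(data))


def build_sample(cryptid, is64=False, fat=True):
    """Constructed test input (not a real app): one ARM slice, optionally inside a fat header."""
    if is64:
        cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 3047424, cryptid, 0)
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(cmds), 0, 0)
    else:
        # an LC_SEGMENT (56 bytes) ahead of LC_ENCRYPTION_INFO so the walker must skip a command
        cmds = struct.pack("<II16sIIIIiiII", 1, 56, b"__TEXT", 0x4000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 3047424, cryptid)
        header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE, 2, len(cmds), 0)
    thin = header + cmds
    if not fat:
        return thin
    slice_offset = 0x4000  # fat slices are page-aligned; dumpdecrypted reported 16384 for HBGC
    cputype = CPU_TYPE_ARM64 if is64 else CPU_TYPE_ARM
    fat_hdr = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", cputype, 0, slice_offset, len(thin), 14)
    return fat_hdr + b"\0" * (slice_offset - len(fat_hdr)) + thin


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    for s in parse_encryption_info(data):
        print("slice @0x%x (%s): cryptid=%s cryptoff=%s cryptsize=%s cryptid at file offset 0x%x"
              % (s["arch_offset"], "64-bit" if s["is64"] else "32-bit", s["cryptid"],
                 s["cryptoff"], s["cryptsize"], s["cryptid_file_offset"] or 0))
    print("encrypted" if is_encrypted(data) else "not encrypted")
```

Usage: python3 checkcrypt.py HBGC.decrypted (after scp'ing the dump back to the Mac). The same information is available from the Xcode tools with otool -l HBGC.decrypted | grep -A4 LC_ENCRYPTION_INFO; the script is useful where otool is not at hand, and in a sanity check that refuses to run IDA on a dump whose cryptid is still 1.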

III. Appendix

1. xcrun

First a quick look at xcrun's help:

$ xcrun -h
Usage: xcrun [options] <tool name> ... arguments ...

Find and execute the named command line tool from the active developer
directory.

The active developer directory can be set using `xcode-select`, or via the
DEVELOPER_DIR environment variable. See the xcrun and xcode-select manual
pages for more information.

Options:
  -h, --help                  show this help message and exit
  --version                   show the xcrun version
  -v, --verbose               show verbose logging output
  --sdk <sdk name>            find the tool for the given SDK name
  --toolchain <name>          find the tool for the given toolchain
  -l, --log                   show commands to be executed (with --run)
  -f, --find                  only find and print the tool path
  -r, --run                   find and execute the tool (the default behavior)
  -n, --no-cache              do not use the lookup cache
  -k, --kill-cache            invalidate all existing cache entries
  --show-sdk-path             show selected SDK install path
  --show-sdk-version          show selected SDK version
  --show-sdk-platform-path    show selected SDK platform path
  --show-sdk-platform-version show selected SDK platform version

xcrun's job is to locate a command-line tool in the active developer directory and execute it.

Take the Makefile's GCC_BIN=`xcrun --sdk iphoneos --find gcc` as an example and break it down:

(1) xcrun --find gcc

$ xcrun --find gcc
/Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin/gcc

With --find, xcrun only locates the tool and prints its path instead of running it (the default is --run).

(2) xcrun --sdk iphoneos --find gcc

--sdk iphoneos tells xcrun to resolve the tool and the SDK for the iPhoneOS platform rather than the default macOS one, so the gcc it reports is the one to use for the device build.

(3) GCC_BIN is therefore a shell command substitution whose value is the path of that gcc; make pastes it, unquoted, at the front of every compile and link command. That is why a space in the Xcode bundle name ("Xcode 5.1.1.app") broke the build earlier.

Another example: xcrun --sdk iphoneos --show-sdk-path

Its role is to print the install path of the SDK selected by --sdk; without --sdk it reports the macOS SDK:

$ xcrun --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk
$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

2. xcode-select

First the short help:

$ xcode-select -h
Usage: xcode-select [options]

Print or change the path to the active developer directory. This directory
controls which tools are used for the Xcode command line tools (for example,
xcodebuild) as well as the BSD development commands (such as cc and make).

Options:
  -h, --help                  print this help message and exit
  -p, --print-path            print the path of the active developer directory
  -s <path>, --switch <path>  set the path for the active developer directory
  -v, --version               print the xcode-select version
  -r, --reset                 reset to the default command line tools path

Its role is to print or change the active developer directory, which is where xcrun looks for tools. On my machine its value was:

/Applications/Xcode 5.1.1.app/Contents/Developer

For example, in /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin you can see the gcc that the Makefile needs, among many other tools:

$ ls
BuildStrings        gcc                  ndisasm
CpMac               gcov-4.2             opendiff
DeRez               git                  projectInfo
GetFileInfo         git-cvsserver        ResolveLinks
ImageUnitAnalyzer   git-receive-pack     scntool
MergePef            git-shell            sdef
MvMac               git-upload-archive   sdp
ResMerger           git-upload-pack      svn
Rez                 gnumake              svnadmin
RezDet              hdxml2manxml         svndumpfilter
RezWack             headerdoc2html       svnlook
SetFile             ibtool               svnrdump
SplitForks          ibtool3              svnserve
TextureAtlas        ibtoold              svnsync
UnRezWack           ictool               svnversion
actool              instruments          symbols
agvtool             iprofiler            xcodebuild
amlint              ld                   xcrun

(partial output)


Note: the above is my own experience on my own machine; adapt it to your actual situation. For details, refer to the original post, "Smashing the shell with dumpdecrypted".


