I originally intended to use AppCrackr to smash the shell (that is, decrypt the app's binary), but it failed. At first I thought the app's encryption was simply too strong; only later did I learn that AppCrackr had been too brutal, caused a public outcry, and after the complaints its core function was forced to shut down.
Fortunately I found a post on the RE site about smashing shells with dumpdecrypted. Here is my own shell-smashing experience.
Part 1: Building the hammer
1. Download the dumpdecrypted source code
Download https://github.com/stefanesser/dumpdecrypted/archive/master.zip and unzip it on the Mac.
2. Confirm the iOS device's version
Mine is iOS 7.1.x. snakeninny's original post is a bit more verbose on this point...
3. The Makefile
cd into the dumpdecrypted directory and look at the contents of the Makefile:

GCC_BIN=`xcrun --sdk iphoneos --find gcc`
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64

SDK=`xcrun --sdk iphoneos --show-sdk-path`
CFLAGS =
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $<

clean:
	rm -f *.o dumpdecrypted.dylib

Most of it I can't read... What we need to check is that the values of the GCC_UNIVERSAL and SDK variables match the iOS device's environment.
4. Make sure the Makefile configuration matches the real device
Open Terminal on the Mac and run xcrun --sdk iphoneos --show-sdk-path to see the SDK version:

$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

Xcode's SDK version is 7.1.x, which matches the device, and the GCC_UNIVERSAL variable can be left as it is.
5. Build the dynamic library
(1) First mistake
After making sure the dynamic library settings in the Makefile match the iOS device's environment, run make in the current directory.
It failed, with the following error message:

`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
/bin/sh: /Applications/Xcode: No such file or directory
make: *** [dumpdecrypted.o] Error 127
The reason is that /Applications/Xcode cannot be found, so the command in those backticks cannot run: the path xcrun returns contains a space (/Applications/Xcode 5.1.1.app/...), and unquoted in the shell it is split at that space, leaving /Applications/Xcode. My Mac has three Xcodes, /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1 and /Applications/Xcode 6 Beta4, and no /Applications/Xcode at all.
Fine, renaming Xcode 5.1.1 to Xcode should do it:

$ sudo mv Xcode\ 5.1.1.app/ Xcode.app/
(2) Wrong again
Run make again: same error message as before.
No worry, we have our little friend xcode-select; whenever Xcode cannot be found, it is usually the one to ask:

$ xcode-select -p
/Applications/Xcode 5.1.1.app/Contents/Developer

So xcrun was still looking for the command line tools under Xcode 5.1.1/, which no longer exists, so of course it found nothing. Time to reset it (the default is /Applications/Xcode.app/):

$ sudo xcode-select -r
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer
(3) Success
make once more, and it succeeds with the following output:

$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
$ ls
Makefile            dumpdecrypted.c     dumpdecrypted.o
README              dumpdecrypted.dylib

Two more files have appeared in the directory; the one with the .dylib suffix is the dynamic library we just built, the hammer we will use to smash the shell.
Part 2: Smashing the shell
1. Put the "hammer" on the device
Find the IP address of the iOS device, then use scp on the Mac to copy dumpdecrypted.dylib onto the device (root@<device-ip> below stands for the device's IP address):

$ scp dumpdecrypted.dylib root@<device-ip>:/var/tmp
root@<device-ip>'s password:
dumpdecrypted.dylib                           100%   81KB  81.0KB/s   00:00
2. Smash
Pick an app that annoys you or interests you; I picked HBGC. Open iFile on the iOS device and find the path of its executable: /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
Then ssh into the iOS device and cd to the directory we just copied the dynamic library into, /var/tmp:

$ ssh root@<device-ip>
root@<device-ip>'s password:
root# cd /var/tmp/
root# ls
flipswitchcache/    com.apple.audio.hogmode.plist    l65ancd.sock=
com.apple.tccd/     l65d.sock=                       com.apple.timed.plist
mediacache/         cydia.log                        restorefrombackuplock*
dumpdecrypted.dylib*    springboard_reboot_flag      launchd/
com.apple.assistant.bundleservicecache.plist         mobile_assertion_agent.log
Smash the shell (and wait):

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xd5a90 (from 0xd5000) = a90
[+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
[+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening HBGC.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file
Results:

root# ls
flipswitchcache/    com.apple.audio.hogmode.plist    HBGC.decrypted
com.apple.tccd/     l65ancd.sock=                    com.apple.timed.plist
l65d.sock=          cydia.log                        mediacache/
dumpdecrypted.dylib*    restorefrombackuplock*       launchd/
springboard_reboot_flag    mobile_assertion_agent.log
com.apple.assistant.bundleservicecache.plist

HBGC.decrypted is the target product. After that, bring out IDA and whatever assortment of axes and fruit knives you like.
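The dump log above is dumpdecrypted walking the Mach-O load commands of the running process, finding LC_ENCRYPTION_INFO (cryptoff 0x4000, cryptsize 3047424, cryptid 1), writing out the decrypted pages and then clearing cryptid. The script below is an added example, not part of the original post and not dumpdecrypted's own code; it does the read-only half of that on a file, so you can verify that HBGC.decrypted (or any other dumped binary) really has cryptid 0 before loading it into IDA. It parses a thin or FAT Mach-O, reports cryptoff, cryptsize and cryptid for each architecture slice together with the file offset of the cryptid field, and goes slightly beyond the log by handling every slice of a FAT file and 64-bit headers. The sample input is constructed inline (a minimal armv7/armv7s FAT header with the same cryptoff and cryptsize values as the log, not a real app), and all function names are my own.

```python
"""Inspect LC_ENCRYPTION_INFO in a (possibly FAT) Mach-O file.

Added example (not dumpdecrypted's code): locate the encryption load command in
each architecture slice and report cryptoff/cryptsize/cryptid plus the file
offset of the cryptid field, so a dumped file can be checked for cryptid == 0.
"""
import struct
from typing import Dict, List, Optional

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header
FAT_MAGIC = 0xCAFEBABE       # universal (FAT) container; its header is big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
FAT_ARCH_SIZE = 20           # sizeof(struct fat_arch)


def parse_slice(data: bytes, base: int) -> Dict[str, Optional[int]]:
    """Walk the load commands of one thin Mach-O that starts at file offset `base`."""
    if len(data) < base + 28:
        raise ValueError("file too short for a Mach-O header at 0x%x" % base)
    magic, cputype, cpusubtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<IiiIII", data, base)
    if magic == MH_MAGIC:
        hdr_size = 28
    elif magic == MH_MAGIC_64:
        hdr_size = 32                    # mach_header_64 carries an extra reserved field
    else:
        raise ValueError("not a little-endian Mach-O at offset 0x%x" % base)
    info: Dict[str, Optional[int]] = {
        "slice_offset": base, "cputype": cputype, "cpusubtype": cpusubtype,
        "cryptoff": None, "cryptsize": None, "cryptid": None, "cryptid_file_offset": None,
    }
    off = base + hdr_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past the end of the file")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # struct encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_file_offset=off + 16)   # cryptid is the 5th uint32 of the command
        off += cmdsize
    return info


def encryption_info(data: bytes) -> List[Dict[str, Optional[int]]]:
    """Return one record per architecture slice (a thin file yields a single record)."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_slice(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    records = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + FAT_ARCH_SIZE * i)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        records.append(parse_slice(data, offset))
    return records


def is_fully_decrypted(data: bytes) -> bool:
    """True when no slice still carries a non-zero cryptid (slices without the command count as clear)."""
    return all(not r["cryptid"] for r in encryption_info(data))


# --- constructed sample input (a minimal header, not a real app binary) ---------

def build_thin(cryptid: int, cpusubtype: int = 9) -> bytes:
    """32-bit ARM executable header with one LC_ENCRYPTION_INFO (cpusubtype 9 = armv7, 11 = armv7s)."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 3047424, cryptid)
    # mach_header: magic, CPU_TYPE_ARM (12), cpusubtype, MH_EXECUTE (2), ncmds, sizeofcmds, flags
    hdr = struct.pack("<IiiIIII", MH_MAGIC, 12, cpusubtype, 2, 1, len(lc), 0)
    return hdr + lc


def build_fat(slices: List[bytes], align: int = 0x4000) -> bytes:
    """Wrap thin slices in a FAT container, each slice on a 16 KiB boundary like the log's offset 16384."""
    offsets, cur = [], align
    for s in slices:
        offsets.append(cur)
        cur = (cur + len(s) + align - 1) // align * align
    archs = b"".join(struct.pack(">iiIII", *struct.unpack_from("<ii", s, 4), off, len(s), 14)
                     for s, off in zip(slices, offsets))
    out = bytearray(cur)
    out[:8 + len(archs)] = struct.pack(">II", FAT_MAGIC, len(slices)) + archs
    for s, off in zip(slices, offsets):
        out[off:off + len(s)] = s
    return bytes(out)


if __name__ == "__main__":
    sample = build_fat([build_thin(1, cpusubtype=9), build_thin(1, cpusubtype=11)])
    for r in encryption_info(sample):
        print("slice @0x%x cpusubtype=%d cryptid=%s (cryptid field at file offset 0x%x)"
              % (r["slice_offset"], r["cpusubtype"], r["cryptid"], r["cryptid_file_offset"]))
    print("fully decrypted:", is_fully_decrypted(sample))
```

To check a real dump, call encryption_info(open("HBGC.decrypted", "rb").read()). A slice that still reports cryptid 1 is one the dump did not touch: the log above shows dumpdecrypted decrypting only the slice the device actually executed and copying the rest of the file unchanged, so in a FAT file the other architectures stay encrypted.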
Part 3: Appendix
1. xcrun
First, a quick look at xcrun's help:

$ xcrun -h
Usage: xcrun [options] <tool name> ... arguments ...

Find and execute the named command line tool from the active developer
directory.

The active developer directory can be set using `xcode-select`, or via the
DEVELOPER_DIR environment variable. See the xcrun and xcode-select manual
pages for more information.

Options:
  -h, --help                  show this help message and exit
  --version                   show the xcrun version
  -v, --verbose               show verbose logging output
  --sdk <sdk name>            find the tool for the given SDK name
  --toolchain <name>          find the tool for the given toolchain
  -l, --log                   show commands to be executed (with --run)
  -f, --find                  only find and print the tool path
  -r, --run                   find and execute the tool (the default behavior)
  -n, --no-cache              do not use the lookup cache
  -k, --kill-cache            invalidate all existing cache entries
  --show-sdk-path             show selected SDK install path
  --show-sdk-version          show selected SDK version
  --show-sdk-platform-path    show selected SDK platform path
  --show-sdk-platform-version show selected SDK platform version
xcrun's job is to find a command line tool in the active developer directory and execute it.
For example, from the Makefile above: GCC_BIN=`xcrun --sdk iphoneos --find gcc`
Broken down:
(1) xcrun --find gcc

$ xcrun --find gcc
/Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin/gcc

This step finds the path of the gcc tool; call it CMD_TOOL_PATH.
(2) xcrun --sdk iphoneos CMD_TOOL_PATH
This step takes that tool path, selects the iPhoneOS SDK for it, and executes the tool.
(3) So GCC_BIN is a shell command that corresponds to this find-and-execute process.
Another example: xcrun --sdk iphoneos --show-sdk-path
Its job is to find the SDK that corresponds to iphoneos and show its path.

$ xcrun --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk
$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk
2. xcode-select
First, its short help:

$ xcode-select -h
Usage: xcode-select [options]

Print or change the path to the active developer directory. This directory
controls which tools are used for the Xcode command line tools (for example,
xcodebuild) as well as the BSD development commands (such as cc and make).

Options:
  -h, --help                  print this help message and exit
  -p, --print-path            print the path of the active developer directory
  -s <path>, --switch <path>  set the path for the active developer directory
  -v, --version               print the xcode-select version
  -r, --reset                 reset to the default command line tools path
Its job is to print or change the active developer directory, which is the directory xcrun searches for the corresponding tools. Usually its value is:
/Applications/Xcode 5.1.1.app/Contents/Developer
For example, in /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin you can see the gcc we needed above, among others:

$ ls
BuildStrings        gcc                 ndisasm
CpMac               gcov-4.2            opendiff
DeRez               git                 projectInfo
GetFileInfo         git-cvsserver       ResolveLinks
ImageUnitAnalyzer   git-receive-pack    scntool
MergePef            git-shell           sdef
MvMac               git-upload-archive  sdp
ResMerger           git-upload-pack     svn
Rez                 gnumake             svnadmin
RezDet              hdxml2manxml        svndumpfilter
RezWack             headerdoc2html      svnlook
SetFile             ibtool              svnrdump
SplitForks          ibtool3             svnserve
TextureAtlas        ibtoold             svnsync
UnRezWack           ictool              svnversion
actool              instruments         symbols
agvtool             iprofiler           xcodebuild
amlint              ld                  xcrun

This is only part of the output.
Note: the above is my own shell-smashing experience on my own machine; adapt it to your actual situation. For details please refer to the post "Smashing shells with dumpdecrypted".