iOS Reverse engineering app shelling

First, generate Dumpdecrypted.dylib dynamic library

First of all we want to create a "smash shell" with the dynamic library dumpdecrypted.dylib, we "hit the shell" when the main use of this dynamic library. The source of the dynamic library is open source on GitHub (GitHub address), to get dumpdecrypted.dylib this dynamic library, only need to download the code from GitHub, and then compile, generate Dumpdecrypted.dylib can. Below is the use make command to compile the dumpdecrypted source code.

Go to the Dumpdecrypted folder and run the Make command.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801144805809-314304479. PNG "width=" 538 "height=" style= "margin:0px;padding:0px;border:none;"/>

Once the compilation is complete, there will be one more dumpdecrypted.dylib dynamic library in the Dumpdecrypted folder, which is the tool we use to break the shell later.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801145219106-1540698585. PNG "style=" margin:0px;padding:0px;border:none; "/>

Second, "smashing the shell" before the preparation work

The next step is to find the app path to "shell" on the jailbreak phone, first use SSH to connect to your jailbreak device, then open the app you want to shell out in the jailbreak device, here we consider. The app downloaded from Aippstore will be located in/var/mobile/applications, below the installation path of the app downloaded from AppStore on my phone. Of course, below is the use of the IExplore tool for viewing, in the content below, we will use a copy of the file Iexplorer, of course, you can also use the Ifunbox mentioned previously.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801145825653-2107973291. PNG "width=" 313 "height=" 490 "style=" margin:0px;padding:0px;border:none; "/>

From the top of the directory is very difficult to find out, the application of less you can open a look. To this kind of application is more than the case, one by one folder open is not very realistic, so we have to go through another way to locate the "" "app is located in the directory.

This shortcut location "" is the way to "view the application process", first you need to open, and then run the command below to see the file directory/var/mobile/directory of all the running apps, the specific command is as follows:

Ps-e | Grep/var/mobile

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801150518887-341396670. PNG "width=" 606 "height=" style= "margin:0px;padding:0px;border:none;"/>

Above is the output of the above command after the operation, from the above content, we can easily find the "WeChat" in the directory. We can open the directory through IExplore, and more intuitively look at the directory where the app is located, as shown below. The absolute path to the above process is to be written down, because the path is used when the shell is smashed behind it.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801150826372-963512621. PNG "style=" margin:0px;padding:0px;border:none; "/>

Next we will use the Cycript tool to find the WeChat document path, if your jailbreak device is not installed Cycript tools, then please go to cydia download install Cycript tool. The steps below are the steps to use the Cycript tool to view the document directory of the attached process.

1. Using Cycript to inject into the target process

Cycript-p WeChat

When the above command finishes, it goes into cycript mode, as shown below. Of course, the jailbreak device on the iOS9.2.1 execution of the above command will be an error, perhaps the current Cycript this powerful tool does not support iOS9.2 bar. So I was doing the experiment on the iOS7.2.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801152054403-186388091. PNG "width=" 343 "height=" style= "margin:0px;padding:0px;border:none;"/>

2. Get the document directory for the process

[[Nsfilemanager Defaultmanager] URLsForDirectory:NSDocumentDirectoryinDomains:NSUserDomainMask] [0]

Enter the above content, and then click Enter, the WeChat process will output the document directory, the output results are as follows. The red part below is the absolute path of the WeChat document directory.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201611/545446-20161117164642263-804319243. PNG "width=" 709 "height=" "style=" margin:0px;padding:0px;border:none; "/>

Once the above directory is found, use IExplore to enter the directory and copy the Dumpdecripted.dylib dynamic Library we generated above to that directory, as shown below:

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801152803981-122822242. PNG "width=" 359 "height=" style= "margin:0px;padding:0px;border:none;"/>

Three, start smashing shell

After the "shell" preparation is ready, we're about to start smashing the shells. Enter into the WeChat document directory, execute the command below to smash the shell.

dyld_insert_libraries=dumpdecrypted.dylib/var/mobile/applications/3dc16044-e5bb-4038-9e31-cfe3c7134a7b/ Wechat.app/wechat

In the above command, dyld_insert_libraries behind this dynamic library is the dynamic library we generated above, the path behind this is the absolute path of WeChat execution file, after running the above command, began to smash Shell, below is the process of our shell.
650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801153637418-408267863. PNG "width=" 469 "height=" "style=" margin:0px;padding:0px;border:none; "/>

When the shell process is complete, a wechat.decrypted file is generated in our document directory, as shown below. This file is the shelled file, we can copy the file to our Mac for use.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801154218887-338432803. PNG "width=" 363 "height=" 149 "style=" margin:0px;padding:0px;border:none; "/>

Iv. Export the header file of the Shelled app

Copy the wechat.decrypted shelling file that was generated above on our Mac, and the next step is the time we class-dump the factory. Next we'll use Class-dump to export all the header files for the shelled file. The specific steps are shown below.

1. Prelude

wechat.decrypted file, I executed the command below to export its header file, the command below in the app without shell is so, directly can export the corresponding app header file, as follows:

Class-dump-s-s-h Wechat.decrypted-o./headers

After the execution of the above command is the result below, and did not export the desired header file, Google a bit, is the structure of arm is not correct, so there is no export success.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801161438012-548330467. PNG "width=" 506 "height=" 153 "style=" margin:0px;padding:0px;border:none; "/>

2. Start Exporting header files

From the above we can see that the Headers folder does not generate the corresponding header file. Is there a problem with the file we decrypted? Thus, I used the hopper opened the decrypted file, it can be opened normally, and then Google a bit, it turns out that we are in the export header file specified ARM architecture is not correct, and then use the Class-dump--arch configuration item to specify the ARMV7 schema, In this case, the header file is exported successfully.

Class-dump--arch armv7-s-s-h wechat.decrypted-o./headers

Operation steps and results as shown, export success, you can slowly analyze.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801162148606-998741807. PNG "width=" 535 "height=" 388 "style=" margin:0px;padding:0px;border:none; "/>

Wu, Hopper

The above uses the class-dump to operate our shelling the document, the wood has the problem. So let's take a look at the effect on the hopper, below is the effect of using hopper to open the "shelled" file. Of course, you can also use Ida Pro to see, of course, here we are using hopper. From the bottom of the view, the result is perfect.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/545446/201608/545446-20160801162720778-1710792399. PNG "width=" 633 "height=" 356 "style=" margin:0px;padding:0px;border:none; "/>

iOS Reverse engineering app shelling