iOS reverse engineering: shelling (decrypting) apps
This post is a worked example. In iOS reverse engineering, "shelling" is a common task: apps downloaded and installed from the App Store are encrypted ("shelled"), and the shelling process is simply a decryption process. An app that has not been shelled cannot be used with tools such as class-dump and Hopper, so we need to shell it first. App shelling also exists in Android development: if an app is hardened with 360 reinforcement, for example, a shell is added to the app.
In this post we use WeChat as the example: download and install it from the App Store, then decrypt it with the dumpdecrypted tool (other shelling tools work too). Shelling produces the decrypted app binary, which we can then load into class-dump and Hopper. Let's get started.
1. Generate the dumpdecrypted.dylib dynamic library
First we need to build the dumpdecrypted.dylib dynamic library that does the shelling. Its source code is open source on GitHub (GitHub address). To get dumpdecrypted.dylib you only need to download the code from GitHub and compile it. The following shows how to compile the dumpdecrypted source with the make command.
Go to the dumpdecrypted folder and run the make command.
After compilation there is an additional dumpdecrypted.dylib in the dumpdecrypted folder. This dynamic library is the tool we will use later.
2. Preparations before shelling
Next we need to find the path of the app to be shelled on the jailbroken phone. First connect to the jailbroken device with ssh, then open the app to be shelled (WeChat here) on the device. All applications downloaded and installed from the App Store live under /var/mobile/Applications. Below is the installation path of the App Store apps on my phone, viewed with the iExplorer tool; iExplorer is also used for copying files below. You can of course use the iFunBox tool mentioned earlier instead.
It is hard to find the right directory from the top level. With only a few applications you can open them one by one, but with many applications opening the folders one by one is unrealistic, so we locate WeChat's app directory another way.
To quickly locate WeChat's directory, look at the running application processes. In the ssh session, run the following command to list all running apps under the /var/mobile/ directory:
ps -e | grep /var/mobile
The above is the output after running that command. From it we can easily find the directory where WeChat lives; you can open this directory in iExplorer to view the app's directory more intuitively, as shown below. Write down the absolute path of the process shown above, because this path is needed when the app is decrypted.
Next we use the Cycript tool to find WeChat's Document path. If Cycript is not installed on your jailbroken device, download and install it from Cydia. The following steps show how to use Cycript to view the Document directory of the WeChat process.
1. Inject Cycript into the target process
cycript -p WeChat
After the preceding command runs, you enter the Cycript console, as shown below. Note that if you run the above command on a jailbroken device with iOS 9.2.1, an error is reported; it may be that Cycript does not yet support iOS 9.2. So I did this experiment on iOS 7.2.
2. Get the Document directory of the process
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
Enter the preceding line and press Enter to print the Document directory of the WeChat process; the output is shown below. The part highlighted in red is the absolute path of WeChat's Document directory.
After finding this directory, use iExplorer to open it and copy the dumpdecrypted.dylib we built above into it, as shown below:
3. Shelling (decrypting)
With the preparations complete, we can begin shelling. Go to the WeChat Document directory and run the following command to decrypt the app.
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/3DC16044-E5BB-4038-9E31-CFE3C7134A7B/WeChat.app/WeChat
In this command, the dynamic library after DYLD_INSERT_LIBRARIES is the library we built above, and the path after it is the absolute path of the WeChat executable (the one noted from the ps output earlier). Running the command starts the shelling; the process is shown below.
When the shelling process finishes, a WeChat.decrypted file is generated in the Document directory, as shown below. This is the decrypted binary; copy it to the Mac for further use.
4. Export the header files of the shelled app
Copy the WeChat.decrypted file generated above to the Mac. Now it is class-dump's turn: we use class-dump to export all header files of the decrypted binary. The procedure is as follows.
1. First attempt
With the WeChat.decrypted file in hand, I ran the following command to export its header files. This command works for apps that are not encrypted; for those you can export the header files directly, as shown below:
class-dump -S -s -H WeChat.decrypted -o ./Headers
After the command runs, the result is shown below: the expected header files were not exported. After searching: the ARM architecture is wrong, so the export fails.
2. Exporting the header files
As seen above, the Headers folder does not contain the expected header files. Is there a problem with the decrypted file? I opened the decrypted file in Hopper and it loaded normally, so I searched again. It turns out that the ARM architecture used when exporting the header files is wrong, so we specify the armv7 architecture explicitly with class-dump's --arch option. With that, the header files are exported successfully.
class-dump --arch armv7 -S -s -H WeChat.decrypted -o ./Headers
As the steps and results show, the export succeeded and you can analyze the headers at your leisure.
5. Hopper
class-dump above worked without problems. Next let's look at Hopper. The figure below shows the result of opening the shelled file in Hopper. You can also use IDA Pro; Hopper is used here. As the result below shows, it is perfect.
The shelling process is now complete, and you can analyze whatever you want.
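Before handing the dump to class-dump it is worth checking which slices of the file actually have their cryptid cleared: a dump taken from the running process only decrypts the slice that process loaded, and the slice name is also the value to pass to --arch. The parser below is an added example, not code from the original post or from dumpdecrypted; the fat binary it builds for testing is constructed and is not a real WeChat binary.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE                                 # fat header, big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF         # thin headers, little-endian on ARM
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {0x0100000C: "arm64", 7: "i386", 0x01000007: "x86_64"}
ARM_SUBTYPES = {9: "armv7", 11: "armv7s"}              # names as class-dump --arch expects them

def _slice_encryption(data, off):
    """Return (arch, cryptid) for the thin Mach-O image starting at data[off]."""
    magic, cputype, cpusubtype, _, ncmds = struct.unpack_from("<5I", data, off)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin Mach-O at offset %#x" % off)
    # CPU_TYPE_ARM (12) needs the subtype to name the ISA (armv7, armv7s, ...)
    arch = ARM_SUBTYPES.get(cpusubtype & 0xFFFFFF, "arm") if cputype == 12 else CPU_NAMES.get(cputype, hex(cputype))
    pos, cryptid = off + (32 if magic == MH_MAGIC_64 else 28), None  # mach_header_64 has a reserved field
    for _ in range(ncmds):                             # walk the load commands
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid, = struct.unpack_from("<I", data, pos + 16)  # after cmd, cmdsize, cryptoff, cryptsize
        pos += cmdsize
    return arch, cryptid                               # cryptid None: no LC_ENCRYPTION_INFO at all

def encryption_status(data):
    """Map each slice's arch to its cryptid: 1 = still encrypted, 0 = decrypted, None = never encrypted."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return dict([_slice_encryption(data, 0)])      # thin binary: a single slice
    nfat, = struct.unpack_from(">I", data, 4)
    # fat_arch entries (cputype, cpusubtype, offset, size, align) follow the 8-byte fat header
    offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    return dict(_slice_encryption(data, o) for o in offsets)

def _fake_thin(magic, cputype, cpusubtype, cryptid):
    """Constructed test image: a header plus one LC_ENCRYPTION_INFO(_64) command, no real code."""
    lc, cmdsize = (LC_ENCRYPTION_INFO_64, 24) if magic == MH_MAGIC_64 else (LC_ENCRYPTION_INFO, 20)
    cmd = struct.pack("<5I", lc, cmdsize, 0x4000, 0x8000, cryptid).ljust(cmdsize, b"\0")
    hdr = struct.pack("<7I", magic, cputype, cpusubtype, 2, 1, len(cmd), 0)  # filetype 2 = MH_EXECUTE
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"") + cmd

def fake_fat_dump():
    """Constructed sample (not a real WeChat binary): armv7 slice decrypted, arm64 slice still encrypted."""
    slices = [(12, 9, MH_MAGIC, 0), (0x0100000C, 0, MH_MAGIC_64, 1)]
    entries, body, off = b"", b"", 0x100
    for cputype, subtype, magic, cryptid in slices:
        blob = _fake_thin(magic, cputype, subtype, cryptid)
        entries += struct.pack(">5I", cputype, subtype, off, len(blob), 8)
        body, off = body + blob.ljust(0x100, b"\0"), off + 0x100
    return (struct.pack(">II", FAT_MAGIC, len(slices)) + entries).ljust(0x100, b"\0") + body
```

Run encryption_status on the bytes of a real dump file; a slice still reporting cryptid 1 is the one class-dump will choke on, and a slice at 0 is the one to name with --arch.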