iOS Reverse Engineering Study Notes (6): Using dumpdecrypted to Strip the Shell
I originally intended to use AppCrackr to strip the shell, but every attempt failed. At first I thought the app was simply encrypted too well; later I learned that AppCrackr had been abused so aggressively that the resulting public outcry and complaints forced its core function to be disabled.
Fortunately, I found a post on the iOS RE official website that uses dumpdecrypted instead. What follows is my experience stripping the shell, that is, dumping a decrypted copy of an App Store app's executable.
I. Building the hammer
1. Download the dumpdecrypted source code
Get https://github.com/stefanesser/dumpdecrypted/archive/master.zip and unzip it on the Mac.
2. Confirm the iOS version of the device
Mine is iOS 7.1.x. Seeing snakeninny's original post was a bit chilling...
3. The Makefile
cd into the dumpdecrypted directory and look at the contents of the Makefile:

GCC_BIN=`xcrun --sdk iphoneos --find gcc`
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
SDK=`xcrun --sdk iphoneos --show-sdk-path`
CFLAGS =
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $<

I don't understand most of it...
What we need to confirm next is that the values of the two variables GCC_UNIVERSAL (the target architectures) and SDK match the environment of the iOS device.
4. Make sure the Makefile configuration matches the real device
Open a terminal on the Mac and run xcrun --sdk iphoneos --show-sdk-path to see which SDK is selected:

$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

The Xcode SDK is 7.1, matching my iOS 7.1.x device. The GCC_UNIVERSAL value already covers armv7, armv7s and arm64, so it can be left alone.
5. Errors while building the dynamic library
(1) The first error
Once the Makefile settings match the real iOS device environment, run make in the current directory.
It failed. The error message is as follows:

`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
/bin/sh: /Applications/Xcode: No such file or directory
make: *** [dumpdecrypted.o] Error 127

The cause is that the shell cannot find /Applications/Xcode when it executes the command substitutions in the recipe: the path xcrun returns contains a space, so the unquoted result is split into words and /bin/sh tries to run /Applications/Xcode on its own. My Mac has three Xcodes, /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1 and /Applications/Xcode 6 Beta4, and no /Applications/Xcode at all.
Fine. Just rename Xcode 5.1.1 to Xcode (in /Applications):

$ sudo mv Xcode\ 5.1.1.app/ Xcode.app/
(2) More errors
Run make again, and it still fails with the same error message as above.
No need to worry; we still have xcode-select. Errors of the "Xcode cannot be found" kind are usually its department:

$ xcode-select -p
/Applications/Xcode 5.1.1.app/Contents/Developer

The developer directory xcrun uses to locate command-line tools is still Xcode 5.1.1/, which no longer exists after the rename, so of course nothing can be found. Reset it (the default is /Applications/Xcode.app/):

$ sudo xcode-select -r
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer
(3) Success
Run make again. The output is as follows:

$ make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
$ ls
Makefile            dumpdecrypted.c     dumpdecrypted.o
README              dumpdecrypted.dylib

Two new files have appeared in the directory. The one with the .dylib suffix is the dynamic library we wanted to build: the hammer we will use to strip the shell.
II. Stripping the shell
1. Put the hammer on the device
Look up the IP address of the iOS device, then use scp on the Mac to copy dumpdecrypted.dylib to the device:

$ scp dumpdecrypted.dylib root@192.168.xxx.xxx:/var/tmp
root@192.168.xxx.xxx's password:
dumpdecrypted.dylib                           100%   81KB  81.0KB/s   00:00
2. Smash
Pick an app that annoys or interests you; I chose HBGC. Open iFile on the iOS device and find the path of its executable: /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
Then connect to the iOS device over SSH and cd to the directory holding the dynamic library, /var/tmp:

$ ssh root@192.168.xxx.xxx
root@192.168.xxx.xxx's password:
root# cd /var/tmp/
root# ls
FlipswitchCache/                               com.apple.audio.hogmode.plist
L65ancd.sock=                                  com.apple.tccd/
L65d.sock=                                     com.apple.timed.plist
MediaCache/                                    cydia.log
RestoreFromBackupLock*                         dumpdecrypted.dylib*
SpringBoard_reboot_flag                        launchd/
com.apple.assistant.bundleservicecache.plist   mobile_assertion_agent.log

Strip the shell (this takes a while). The dylib is injected into the app process with DYLD_INSERT_LIBRARIES; once the kernel has decrypted the executable for loading, the dylib writes the decrypted image back out to a file:

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xd5a90(from 0xd5000) = a90
[+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
[+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening HBGC.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file

Result:

root# ls
FlipswitchCache/                               com.apple.audio.hogmode.plist
HBGC.decrypted                                 com.apple.tccd/
L65ancd.sock=                                  com.apple.timed.plist
L65d.sock=                                     cydia.log
MediaCache/                                    dumpdecrypted.dylib*
RestoreFromBackupLock*                         launchd/
SpringBoard_reboot_flag                        mobile_assertion_agent.log
com.apple.assistant.bundleservicecache.plist

HBGC.decrypted is the product we were after; next it goes into IDA, where all kinds of axes and fruit knives come out.
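Before running the dump it is worth confirming that the target really is still encrypted, and afterwards that HBGC.decrypted has its cryptid cleared (the "Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90" line above). The following Python script is an added example, not code from the original post or from dumpdecrypted: it parses the FAT and Mach-O headers, walks the load commands of each architecture slice and reports cryptoff, cryptsize and cryptid together with the file offset of the cryptid field, for 32-bit and 64-bit slices alike. build_sample() fabricates a tiny FAT file whose numbers mirror the log above (an armv7 slice at offset 16384, an encrypted range at 0x4000 of 3047424 bytes, the cryptid field at file offset 0x4a90); the filler load command inside it is a constructed stand-in for the segment commands a real binary carries, and the script name is hypothetical.

```python
"""Report the LC_ENCRYPTION_INFO state of a Mach-O executable (thin or FAT).

Added example, not code from the original post or from dumpdecrypted.
cryptid == 1 means the range [cryptoff, cryptoff + cryptsize) is still
encrypted on disk; cryptid == 0 is what a successful dump leaves behind.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian Mach-O magics
FAT_MAGIC = 0xCAFEBABE                            # the FAT header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM = 12
CPU_SUBTYPE_ARM_V7 = 9
MH_EXECUTE = 2


def parse_slice(data, base):
    """Walk the load commands of the Mach-O slice starting at file offset base."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC:
        hdr_size = 28          # mach_header
    elif magic == MH_MAGIC_64:
        hdr_size = 32          # mach_header_64 carries an extra 'reserved' field
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    cputype, _subtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<5I", data, base + 4)
    info = {"slice_offset": base, "cputype": cputype, "cryptid": None}
    off = base + hdr_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in the _64 form)
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_offset=off + 16)   # file offset of the cryptid field
        off += cmdsize
    return info


def encryption_info(data):
    """Return one dict per architecture slice (a thin binary yields exactly one)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append(parse_slice(data, offset))
        return slices
    return [parse_slice(data, 0)]


def is_encrypted(data):
    """True if any slice still has cryptid set."""
    return any(s["cryptid"] == 1 for s in encryption_info(data))


def build_sample(cryptid=1):
    """Constructed FAT file mirroring the figures in the dumpdecrypted log:
    one armv7 slice at offset 16384, encrypted range at 0x4000 of 3047424 bytes,
    cryptid field at slice offset 0xa90 (file offset 0x4a90)."""
    filler_size = 0xA90 - 16 - 28   # leaves the cryptid field at slice offset 0xa90
    # the filler stands in for the LC_SEGMENT commands of a real binary;
    # only its cmdsize matters to the walker
    filler = struct.pack("<2I", 0x1, filler_size) + b"\0" * (filler_size - 8)
    enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 3047424, cryptid)
    cmds = filler + enc
    header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7,
                         MH_EXECUTE, 2, len(cmds), 0)
    slice_bytes = header + cmds
    fat = struct.pack(">2I", FAT_MAGIC, 1) + struct.pack(
        ">5I", CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, 16384, len(slice_bytes), 14)
    return fat + b"\0" * (16384 - len(fat)) + slice_bytes


if __name__ == "__main__":
    # usage: python macho_cryptid.py HBGC.decrypted   (no argument: inspect the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for s in encryption_info(blob):
        if s["cryptid"] is None:
            print("slice @%#x: no LC_ENCRYPTION_INFO" % s["slice_offset"])
        else:
            print("slice @%#x: cryptoff=%#x cryptsize=%d cryptid=%d (field at file offset %#x)"
                  % (s["slice_offset"], s["cryptoff"], s["cryptsize"],
                     s["cryptid"], s["cryptid_offset"]))
    print("still encrypted" if is_encrypted(blob) else "not encrypted")
```

Run it against the original HBGC binary and against HBGC.decrypted: the first should report cryptid=1 at file offset 0x4a90, the second cryptid=0 at the same offset. A dump that still shows cryptid=1, or a cryptsize that does not match the "Found encrypted data ... of length" line, means the dylib never got a chance to run in the app process.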
III. Appendix
1. xcrun
First, a look at the help text of xcrun:

$ xcrun -h
Usage: xcrun [options] <tool name> ... arguments ...

Find and execute the named command line tool from the active developer
directory.

The active developer directory can be set using `xcode-select`, or via the
DEVELOPER_DIR environment variable. See the xcrun and xcode-select manual
pages for more information.

Options:
  -h, --help                  show this help message and exit
  --version                   show the xcrun version
  -v, --verbose               show verbose logging output
  --sdk <sdk name>            find the tool for the given SDK name
  --toolchain <name>          find the tool for the given toolchain
  -l, --log                   show commands to be executed (with --run)
  -f, --find                  only find and print the tool path
  -r, --run                   find and execute the tool (the default behavior)
  -n, --no-cache              do not use the lookup cache
  -k, --kill-cache            invalidate all existing cache entries
  --show-sdk-path             show selected SDK install path
  --show-sdk-version          show selected SDK version
  --show-sdk-platform-path    show selected SDK platform path
  --show-sdk-platform-version show selected SDK platform version
xcrun locates a command-line tool in the active developer directory and executes it.
Take the line from the Makefile above as an example: GCC_BIN=`xcrun --sdk iphoneos --find gcc`
Broken down:
(1) xcrun --find gcc

$ xcrun --find gcc
/Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin/gcc

This step looks up the path of the tool gcc; call the result tool_path.
(2) xcrun --sdk iphoneos tool_path
This step takes the tool found at that path, points it at the iPhone OS SDK, and runs it.
(3) GCC_BIN is therefore a shell command that stands for this find-and-execute process.
Another example: xcrun --sdk iphoneos --show-sdk-path
This prints the install path of the SDK selected by --sdk iphoneos; without --sdk, the default is the Mac OS X SDK:

$ xcrun --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk
$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk
2. xcode-select
First, a look at its short help text:

$ xcode-select -h
Usage: xcode-select [options]

Print or change the path to the active developer directory. This directory
controls which tools are used for the Xcode command line tools (for example,
xcodebuild) as well as the BSD development commands (such as cc and make).

Options:
  -h, --help                  print this help message and exit
  -p, --print-path            print the path of the active developer directory
  -s <path>, --switch <path>  set the path for the active developer directory
  -v, --version               print the xcode-select version
  -r, --reset                 reset to the default command line tools path

xcode-select prints or changes the active developer directory, and xcrun looks up its tools under that directory. On my machine its value is:

/Applications/Xcode 5.1.1.app/Contents/Developer

For example, in /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin you can see, among other things, the gcc found above:

$ ls
BuildStrings        gcc                 ndisasm
CpMac               gcov-4.2            opendiff
DeRez               git                 projectInfo
GetFileInfo         git-cvsserver       resolveLinks
ImageUnitAnalyzer   git-receive-pack    scntool
MergePef            git-shell           sdef
MvMac               git-upload-archive  sdp
ResMerger           git-upload-pack     svn
Rez                 gnumake             svnadmin
RezDet              hdxml2manxml        svndumpfilter
RezWack             headerdoc2html      svnlook
SetFile             ibtool              svnrdump
SplitForks          ibtool3             svnserve
TextureAtlas        ibtoold             svnsync
UnRezWack           ictool              svnversion
actool              instruments         symbols
agvtool             iprofiler           xcodebuild
amlint              ld                  xcrun

The above is only part of the output.
Note: everything above is my personal experience stripping a shell on my own machine; adapt it to your actual situation. For details, refer to the original post: Using dumpdecrypted to strip the shell.