IOS Reverse Engineering Study Notes (6) using dumpdecrypted to Shell


The original plan was to use AppCrackr to remove the app's encryption shell, but every attempt failed. At first I assumed the app was protected unusually well. Later I learned the real reason: AppCrackr had been used so aggressively that it drew public complaints, and its core function was disabled as a result.

Fortunately, I found a post on the RE site that uses dumpdecrypted instead. What follows is my experience of dumping a decrypted binary with it.


I. Building the hammer

1. Download the dumpdecrypted source code

Download https://github.com/stefanesser/dumpdecrypted/archive/master.zip and unzip it on the Mac.


2. Confirm the version of the iOS device.

My device runs iOS 7.1.x. The original post is by snakeninny, which was a nice surprise to see.


3. Makefile

cd into the dumpdecrypted directory and look at the contents of the Makefile:

    GCC_BIN=`xcrun --sdk iphoneos --find gcc`
    GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
    SDK=`xcrun --sdk iphoneos --show-sdk-path`
    CFLAGS =
    GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

    all: dumpdecrypted.dylib

    dumpdecrypted.dylib: dumpdecrypted.o
    	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

    %.o: %.c
    	$(GCC_UNIVERSAL) -c -o $@ $<
Most of this is opaque at first glance...

What we need to confirm next is that the values of the two variables GCC_UNIVERSAL and SDK match the environment of the iOS device.


4. Make sure the Makefile configuration matches the real device environment.

Open a terminal on the Mac and run xcrun --sdk iphoneos --show-sdk-path to see the SDK version:

/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

The Xcode SDK is 7.1, matching the device's iOS 7.1.x. The value of GCC_UNIVERSAL (the three ARM architectures) does not need to be changed.


5. Build the dynamic library

(1) The first error

Once the Makefile's dynamic-library settings match the iOS device environment, run make in the current directory.

It failed, though. The error message:

`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
/bin/sh: /Applications/Xcode: No such file or directory
make: *** [dumpdecrypted.o] Error 127

The reason is that /bin/sh cannot find /Applications/Xcode when running one of the backtick commands. My Mac has three Xcode installs: /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1 and /Applications/Xcode 6 Beta4, so there is no /Applications/Xcode. (The space in those directory names is what actually bites: the unquoted backtick substitution in the Makefile is word-split by the shell, so the path is cut off after "Xcode".)

Fine. Just rename Xcode 5.1.1 to Xcode:

$ sudo mv Xcode\ 5.1.1.app/ Xcode.app/

(2) Another error

Running make again still fails, with the same error message as above.

No problem: we also have xcode-select. Errors of the "Xcode cannot be found" kind are usually its department:

$ xcode-select -p
/Applications/Xcode 5.1.1.app/Contents/Developer

xcrun looks for command-line tools under Xcode 5.1.1/, which no longer exists after the rename, so of course nothing can be found. Reset it (the default is /Applications/Xcode.app/):

$ sudo xcode-select -r
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer

(3) Success

Make again. The output is as follows:

$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
$ ls
Makefile          dumpdecrypted.c          dumpdecrypted.o
README            dumpdecrypted.dylib

There are now two more files in the directory. The one with the .dylib suffix is the dynamic library we set out to build: the hammer used to smash the shell.


II. Smashing the shell

1. Put the hammer on the device

Look up the IP address of the iOS device, then use scp on the Mac to copy dumpdecrypted.dylib to the device:

$ scp dumpdecrypted.dylib root@192.168.xxx.xxx:/var/tmp
root@192.168.xxx.xxx's password:
dumpdecrypted.dylib                           100%   81KB  81.0KB/s   00:00

2. Smash the shell

Pick an app you find interesting; I chose HBGC. Open iFile on the iOS device and find the path of its executable: /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC


Then connect to the iOS device over SSH and cd to the directory holding the dynamic library, /var/tmp:

$ ssh root@192.168.xxx.xxx
root@192.168.xxx.xxx's password:
root# cd /var/tmp/
root# ls
FlipswitchCache/                              com.apple.audio.hogmode.plist
L65ancd.sock=                                 com.apple.tccd/
L65d.sock=                                    com.apple.timed.plist
MediaCache/                                   cydia.log
RestoreFromBackupLock*                        dumpdecrypted.dylib*
SpringBoard_reboot_flag                       launchd/
com.apple.assistant.bundleservicecache.plist  mobile_assertion_agent.log

Smash the shell (this takes a while):

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xd5a90(from 0xd5000) = a90
[+] Found encrypted data at address 00004000 of length 3047424 bytes - type 1.
[+] Opening /private/var/mobile/Applications/EBBD26E9-DDBA-481E-9403-84D159436889/HBGC.app/HBGC for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening HBGC.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file

Result:

root# ls
FlipswitchCache/                              com.apple.audio.hogmode.plist
HBGC.decrypted                                com.apple.tccd/
L65ancd.sock=                                 com.apple.timed.plist
L65d.sock=                                    cydia.log
MediaCache/                                   dumpdecrypted.dylib*
RestoreFromBackupLock*                        launchd/
SpringBoard_reboot_flag                       mobile_assertion_agent.log
com.apple.assistant.bundleservicecache.plist

HBGC.decrypted is the product we were after. It can now be loaded into IDA and taken apart with whatever knives and axes one likes.
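The last thing the dump log does is set LC_ENCRYPTION_INFO->cryptid to 0, and that flag is also what a defender reads to tell whether an app binary still carries its App Store (FairPlay) encryption or has been dumped. The following Python example is added here and is not part of the original post or of dumpdecrypted: it walks a FAT or thin Mach-O image and reports cryptid per slice. The sample image is constructed inline, reusing the slice offset (16384), encrypted-region offset (0x4000) and length (3047424) shown in the dump log above.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE                           # FAT header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # ARM slices are little-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def slice_cryptid(s):
    """cryptid of one thin Mach-O slice: 1 = still encrypted, 0 = cleared, None = no such command."""
    magic = struct.unpack("<I", s[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    pos = 28 if magic == MH_MAGIC else 32        # sizeof(mach_header) / sizeof(mach_header_64)
    ncmds = struct.unpack("<I", s[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", s[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            return struct.unpack("<I", s[pos + 16:pos + 20])[0]
        pos += cmdsize
    return None


def encryption_state(data):
    """[(slice_offset, cryptid), ...] for a FAT or thin Mach-O image."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [(0, slice_cryptid(data))]
    nfat = struct.unpack(">I", data[4:8])[0]
    out = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _, _, off, size, _ = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
        out.append((off, slice_cryptid(data[off:off + size])))
    return out


def build_sample(cryptid):
    """Constructed FAT image: one armv7 slice at offset 16384, values taken from the dump log."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 3047424, cryptid)
    # mach_header: magic, cputype (ARM=12), cpusubtype (armv7=9), filetype (MH_EXECUTE=2),
    # ncmds, sizeofcmds, flags
    thin = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 1, len(lc), 0) + lc
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">IIIII", 12, 9, 16384, len(thin), 14)
    return fat.ljust(16384, b"\0") + thin


if __name__ == "__main__":
    print(encryption_state(build_sample(1)))   # [(16384, 1)]: still encrypted
    print(encryption_state(build_sample(0)))   # [(16384, 0)]: cryptid cleared, as after dumpdecrypted
```

Run it against a real HBGC and HBGC.decrypted to confirm the dump actually cleared the flag on the slice that was dumped; a store-distributed binary whose cryptid reads 0 is a sign it has been through exactly this process.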

III. Appendix

1. xcrun

First, let's take a look at the help information of xcrun:

$ xcrun -h
Usage: xcrun [options] <tool name> ... arguments ...

Find and execute the named command line tool from the active developer
directory.

The active developer directory can be set using `xcode-select`, or via the
DEVELOPER_DIR environment variable. See the xcrun and xcode-select manual
pages for more information.

Options:
  -h, --help                  show this help message and exit
  --version                   show the xcrun version
  -v, --verbose               show verbose logging output
  --sdk <sdk name>            find the tool for the given SDK name
  --toolchain <name>          find the tool for the given toolchain
  -l, --log                   show commands to be executed (with --run)
  -f, --find                  only find and print the tool path
  -r, --run                   find and execute the tool (the default behavior)
  -n, --no-cache              do not use the lookup cache
  -k, --kill-cache            invalidate all existing cache entries
  --show-sdk-path             show selected SDK install path
  --show-sdk-version          show selected SDK version
  --show-sdk-platform-path    show selected SDK platform path
  --show-sdk-platform-version show selected SDK platform version

xcrun finds a command-line tool in the active developer directory and executes it.

For example, in the Makefile above: GCC_BIN=`xcrun --sdk iphoneos --find gcc`

Decomposition:

(1) xcrun --find gcc

$ xcrun --find gcc
/Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin/gcc

This step obtains the path of the gcc tool; call it pai_tool_path.

(2) xcrun --sdk iphoneos pai_tool_path

This step takes the tool at that path, resolves it against the iPhone OS SDK, and runs it.

(3) GCC_BIN is therefore a shell command that performs this find-and-execute sequence.


Another example: xcrun --sdk iphoneos --show-sdk-path

It finds and prints the path of the SDK corresponding to iPhone OS:

$ xcrun --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk
$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode 5.1.1.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk

2. xcode-select

First, let's look at the simple help information:

$ xcode-select -h
Usage: xcode-select [options]

Print or change the path to the active developer directory. This directory
controls which tools are used for the Xcode command line tools (for example,
xcodebuild) as well as the BSD development commands (such as cc and make).

Options:
  -h, --help                  print this help message and exit
  -p, --print-path            print the path of the active developer directory
  -s <path>, --switch <path>  set the path for the active developer directory
  -v, --version               print the xcode-select version
  -r, --reset                 reset to the default command line tools path

It prints or changes the active developer directory, while xcrun looks up the requested tool inside that directory. Typically its value is:

/Applications/Xcode 5.1.1.app/Contents/Developer

For example, in /Applications/Xcode 5.1.1.app/Contents/Developer/usr/bin you can see the gcc mentioned above:

$ ls
BuildStrings          gcc                  ndisasm
CpMac                 gcov-4.2             opendiff
DeRez                 git                  projectInfo
GetFileInfo           git-cvsserver        resolveLinks
ImageUnitAnalyzer     git-receive-pack     scntool
MergePef              git-shell            sdef
MvMac                 git-upload-archive   sdp
ResMerger             git-upload-pack      svn
Rez                   gnumake              svnadmin
RezDet                hdxml2manxml         svndumpfilter
RezWack               headerdoc2html       svnlook
SetFile               ibtool               svnrdump
SplitForks            ibtool3              svnserve
TextureAtlas          ibtoold              svnsync
UnRezWack             ictool               svnversion
actool                instruments          symbols
agvtool               iprofiler            xcodebuild
amlint                ld                   xcrun

The above is only part of the output.


Note: the above is my own experience of dumping an app on my own machine; adapt it to your actual situation. For details, see the original post: Using dumpdecrypted to shell.


