How to dynamically debug an iOS app (decompiling an app)

Source: Internet
Author: User
Tags: ssl certificate, scp command, ssh access


This article covers the basics of iOS reverse engineering and gives you a working understanding of iOS app security. You can then turn the same techniques on your own app, find the dangerous holes before an attacker does, and protect your users' data.

In security, attack and defense exist side by side. Even the iPhone's strong security shield has not stopped curious hackers from building powerful and convenient tools, again and again. Everything below is done on top of the tools they provide.

Preparation Tools
    • A Mac and a jailbroken iPhone
    • File system browser for the phone: iFunbox or iTools
    • Network analysis: Charles
    • Disassembly and decompilation: Hopper, IDA Pro
    • Header file extraction: class-dump
    • Decryption ("shell removal") tools: dumpdecrypted, Clutch
    • Debugger: lldb or gdb
    • Runtime manipulation: Cycript

HTTP(S) Packet Capture

HTTP capture, step one: get the Mac's IP address

Hold the Option key and click the Wi-Fi icon in the Mac menu bar to see the computer's current IP address.
Alternatively, run ifconfig en0 in a terminal.

Step two: set up the proxy

Make sure the phone and the computer are on the same Wi-Fi network. On the phone, open Settings, Wi-Fi, tap the connected network, and set the HTTP proxy to Manual:

Server: the Mac's IP address (for example 192.168.1.122)

Port: 8888 (Charles's default listening port)

Step three: capture

Open Charles on the Mac. When the phone makes a network request, Charles pops up a dialog asking whether to allow the connection from that device.

Click "Allow", and Charles lists the phone's HTTP requests.

HTTPS capture, step one: get the certificate installation address

Install Charles's SSL certificate on the mobile device. In Charles choose Help, SSL Proxying, Install Charles Root Certificate on a Mobile Device.

The pop-up window shows the address to visit: chls.pro/ssl

Step two: install the certificate on the iPhone

In Mobile Safari, open chls.pro/ssl (the phone must already be proxied through Charles for this address to resolve). The certificate installation page appears; tap Install, and enter the phone's passcode if one is set. On iOS 10.3 and later you must additionally enable full trust for the certificate under Settings, General, About, Certificate Trust Settings.

Step three: configure the proxied hosts

In Charles choose Proxy, SSL Proxying Settings...

Tick Enable SSL Proxying and click Add.

Host is the HTTPS domain you want to capture; Port is 443.

Have the phone resend the HTTPS request and you will see the decrypted traffic. Apps that pin their server certificate reject Charles's certificate and fail to connect; their pinning has to be bypassed at runtime before this works.

Note: when you are done capturing, turn off the phone's HTTP proxy, otherwise the phone loses internet access as soon as the Mac or Charles is gone. Remove the Charles root certificate from the phone as well: a trusted root CA left on the device lets whoever holds its private key intercept all of the phone's TLS traffic.

Getting the .h header files

An IPA downloaded from the App Store is encrypted with FairPlay DRM, so class-dump cannot read its headers directly. An app built and packaged by its developer is not encrypted, and class-dump can dump all of its headers. This section shows how to get the .h files from such an IPA.

The installation of class-dump is not covered here; search for it.

Go to the directory containing appName.ipa, change the extension to .zip, and unzip it. The Payload directory inside contains appName.app.

Then run:

class-dump -H appName.app -o ./headers/

When the command completes, all of the app's header files are in the headers directory under the current directory.

Adding the -A and -S options annotates each method and property in the headers with its IMP address (the address before the ASLR slide is applied, i.e. relative to the module's preferred base) and sorts the methods by name:

class-dump -H -A -S appName.app -o ./headers/

SSH access to the phone's file system

Install OpenSSH from the Cydia app store on the jailbroken phone, make sure the Mac and iPhone are on the same Wi-Fi network, and in a Mac terminal run:

ssh root@<iPhone IP>, replacing <iPhone IP> with the iPhone's IP address

Enter the default password: alpine

You now have a root shell on the iPhone. Both the root and mobile accounts ship with the password alpine, so anyone on the same Wi-Fi network can log in to a freshly jailbroken phone; change both passwords with passwd as soon as OpenSSH is installed.

Using Clutch to decrypt the app, step one: re-sign debugserver

There are two ways to obtain debugserver.

The first is from the Mac.

Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.3/DeveloperDiskImage.dmg (the 8.3 in the path is the iOS version; pick the directory matching the version running on your jailbroken phone). Double-click DeveloperDiskImage.dmg to mount it and copy usr/bin/debugserver from the mounted image to a folder of your choice.

The second is from the jailbroken phone.

If the phone has been connected to the Mac and an app has been debugged from Xcode, Xcode has mounted the developer disk image on the phone and a debugserver binary is present in /Developer/usr/bin/. Export it to the Mac desktop with iFunbox, or copy it out with scp.

Re-signing debugserver

Add the task_for_pid entitlement to debugserver. Without it, debugserver cannot attach to arbitrary running processes.

Create an entitlements.plist containing the following four keys:

com.apple.springboard.debugapplications
get-task-allow
task_for_pid-allow
run-unsigned-code

Set the value of each key to true.
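Written out, the entitlements.plist described above looks like this (added here as an example; the four keys are the ones the article lists, the surrounding structure is standard Apple property-list XML):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
</dict>
</plist>
```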

Put entitlements.plist and debugserver in the same directory and run:

codesign -s - --entitlements entitlements.plist -f debugserver

This re-signs debugserver ad hoc with the new entitlements. Then copy the signed debugserver to /usr/bin/ on the phone, for example with scp.

Note: do not copy debugserver to /Developer/usr/bin/; that directory belongs to the mounted developer disk image.

Step two: get the decrypted executable with Clutch

Copy the downloaded Clutch binary to /usr/bin/ on the phone. Then log in to the phone via SSH, cd to /usr/bin, and make it executable with chmod a+x ./Clutch.

Clutch -i lists all applications that Clutch can decrypt.

Decrypt an application by its number in that list: if the target app is number 1, the command is Clutch -d 1. When it finishes, Clutch writes out the decrypted IPA.

Step three: get the .h headers with class-dump

Use the method from "Getting the .h header files" above on the decrypted app to obtain its headers, and note the IMP address of the method you want to break on.

Dynamic Debugging of the App

The debugger used for dynamic debugging in this article is lldb.

Step one: put the app on the iPhone into a suspended, debuggable state

Log in to the phone via SSH and run ps -e to find the app's PID or executable name.

Then cd to /usr/bin and run ./debugserver IP:port -a PID|appProjectName. The first part, IP, can be the Mac's IP address, or the wildcard * to allow debugging from any address; port is any free port of your choice. The argument after -a is the PID or executable name of the app to attach to. For example, to debug Sogou Input Method, PID 6019, executable name SogouInput, the command is one of:

./debugserver *:1234 -a 6019

./debugserver *:1234 -a 'SogouInput'

Once this command runs, debugserver attaches to the app and suspends it: the app freezes and no longer responds to taps. This is normal.

If the command fails, for example with segmentation fault: 11, the app has anti-debugging protection. In that case you need to determine what kind of protection it uses and then find a way to disable it.

Step two: connect to the process from lldb

Open another Mac terminal and run lldb to enter the lldb prompt. Then type:

process connect connect://iPhoneIP:port

replacing iPhoneIP with the iPhone's IP address and port with the 1234 specified above.

When the command completes, lldb is attached to the app, which remains suspended.

Step three: get the app's ASLR offset

iOS randomizes the load address of each module (ASLR), so the ASLR offset, or slide, is the difference between where the module actually sits in memory and the preferred base address recorded in the file. Two concepts to keep apart:

    • Module base address: the address at which the module is loaded in memory
    • ASLR offset: the distance between the in-memory load address and the module's preferred base address

At the lldb prompt, run image list -o -f. The first column printed for each image is its ASLR offset; the entry for the app's own executable is the one you need.

Runtime address (what lldb uses) = ASLR offset + unslid address (the method's IMP as printed by class-dump)

This formula is the crux: class-dump prints addresses before the slide is applied, while lldb operates on addresses after the slide. Every address taken from class-dump therefore has to be converted before it can be used in lldb.

At this point you have the app's ASLR offset and the method's IMP address.

Step four: set a breakpoint and debug

At the lldb prompt run br s -a 'ASLR offset + IMP' (lldb evaluates the -a argument as an expression, so the two hex numbers can be typed joined with +), then c to let the app run. Trigger the method in the app and lldb stops at the breakpoint. po $arg1 prints the first argument, which for an Objective-C method is self.

Combine this with Charles (for example to work out the encryption logic of a network request) and the class-dump headers (to know each class's methods and their signatures), and you can work through a third-party app almost as freely as your own project in Xcode.
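As an added example (not code from the original article), here is a small C helper that does the conversion from steps three and four mechanically: it parses the ASLR offset from the first line of lldb's image list -o -f output and the IMP from a class-dump -A header line, adds them, and prints the br s -a command. The two input lines in main are constructed samples in the formats those tools print; the addresses and the method name are made up.

```c
/* Added example: turn a class-dump -A IMP address into the runtime address
 * lldb needs, using the ASLR offset from `image list -o -f`.
 * Not the original article's code; sample inputs below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the ASLR offset from an `image list -o -f` line such as
 * "[  0] 0x0000000000018000 /var/.../App.app/App".
 * The first hex number after the index is the slide. Returns 0 if no
 * hex number is found (indistinguishable from a genuine zero slide). */
uint64_t parse_aslr_slide(const char *image_list_line)
{
    const char *close = strchr(image_list_line, ']');
    const char *hex = strstr(close ? close : image_list_line, "0x");
    if (!hex)
        return 0;
    return strtoull(hex, NULL, 16);
}

/* Parse the unslid IMP from a class-dump -A header line such as
 * "- (void)login:(id)arg1;\t// IMP=0x0000000100005a3c".
 * Returns 0 if the line carries no IMP comment. */
uint64_t parse_imp(const char *header_line)
{
    const char *tag = strstr(header_line, "IMP=0x");
    if (!tag)
        return 0;
    return strtoull(tag + strlen("IMP="), NULL, 16);
}

/* The formula from step three: runtime address = ASLR offset + unslid IMP. */
uint64_t runtime_address(uint64_t aslr_slide, uint64_t unslid_imp)
{
    return aslr_slide + unslid_imp;
}

/* Write the lldb command that sets a breakpoint on the method into `out`.
 * Returns the number of characters written, or -1 if the IMP did not parse. */
int breakpoint_command(char *out, size_t out_len,
                       const char *image_list_line, const char *header_line)
{
    uint64_t slide = parse_aslr_slide(image_list_line);
    uint64_t imp = parse_imp(header_line);
    if (imp == 0)
        return -1;
    return snprintf(out, out_len, "br s -a 0x%llx",
                    (unsigned long long)runtime_address(slide, imp));
}

int main(void)
{
    /* Constructed sample output; in a real session paste your own lines. */
    const char *image_line =
        "[  0] 0x0000000000018000 /var/mobile/Containers/Bundle/Application/"
        "BFED82A3-3238-4F41-B797-C1CB584CBE05/appProjectName.app/appProjectName";
    const char *header_line =
        "- (void)login:(id)arg1 password:(id)arg2;\t// IMP=0x0000000100005a3c";
    char cmd[64];

    if (breakpoint_command(cmd, sizeof cmd, image_line, header_line) < 0) {
        fprintf(stderr, "could not parse inputs\n");
        return 1;
    }
    puts(cmd); /* br s -a 0x10001da3c */
    return 0;
}
```

Paste the printed command at the lldb prompt. Take the offset of the app's own executable (normally index 0 in image list), not that of a framework further down the list, and remember that the slide changes every time the app is relaunched, so the conversion has to be redone per session.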

br command reference

br dis 1 -- disable breakpoint number 1

br en 1 -- enable breakpoint number 1

br dis -- disable all breakpoints

br en -- enable all breakpoints

br del 1 -- delete breakpoint number 1

br del -- delete all breakpoints

br list -- list all breakpoints

Decrypting an app with dumpdecrypted

dumpdecrypted works by being loaded into the target application as it starts: iOS decrypts the FairPlay-protected executable when it loads it, and the library then dumps the decrypted image from memory to a file, giving you a new, unencrypted executable.

Step one: build the .dylib

In a terminal, enter the downloaded source directory with cd dumpdecrypted-master and run make; this produces dumpdecrypted.dylib.

Step two: find the app's Documents folder

Log in to the iPhone via SSH and run ps -e to find the PID of the process to decrypt. Attach Cycript to it with cycript -p PID. At the Cycript prompt, evaluate [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] to get the path of the app's Documents folder.

Step three: decrypt

Copy the dumpdecrypted.dylib built in step one to the Documents folder found in step two:

scp ~/dumpdecrypted.dylib root@<iPhone IP>:/var/mobile/Containers/Data/Application/2B4C6281-C015-4FF3-A8EC-5E5C7554D447/Documents (replace the UUID in the path with the data-container UUID of your target app)

On the phone, cd into that Documents directory and run DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/BFED82A3-3238-4F41-B797-C1CB584CBE05/appProjectName.app/appProjectName (replace the UUID with the bundle-container UUID of your target app, and appProjectName with the app's executable name)

When the command finishes, a file named appProjectName.decrypted appears in the current directory. This is the decrypted executable: run class-dump on it for headers, or load it into Hopper or IDA Pro for disassembly.

Adding anti-debugging to your app

Ptrace

To make development and debugging easier, UNIX has since its early versions provided a means of tracing and controlling a running process: the ptrace() system call.
With ptrace one process can debug and trace another. ptrace also accepts a very useful request, PT_DENY_ATTACH, which tells the kernel to refuse any debugger that later tries to attach to the calling process (and to terminate the process if a debugger is already attached).

The most common anti-debugging scheme is therefore simply to call ptrace with PT_DENY_ATTACH early in the program.

Sysctl

When a process is being debugged, the kernel marks it with a flag (P_TRACED). You can therefore query the current process's information via sysctl and check that flag to find out whether a debugger is attached.

On detection the app can exit, crash deliberately, or hide its sensitive functionality, and it can of course repeat the check periodically rather than only at launch.

Syscall

To switch from user mode to kernel mode, the system provides the generic system call entry point syscall(); ptrace described above is itself implemented as a system call.

In the kernel's syscall table you can find ptrace's number. The kernel symbol listing shows the entry as:

ptrace 801e812c T

and ptrace's number in the syscall table is 26, so the following call is equivalent to ptrace(PT_DENY_ATTACH, 0, 0, 0):

syscall(26, 31, 0, 0, 0);

Calling through syscall() avoids an obvious ptrace entry in the binary's import table, which is the first thing a reverse engineer looks for.

ARM

System calls are implemented as a software interrupt: the transition from user mode to kernel mode is made with the SVC instruction. The same ptrace call can therefore be issued from inline assembly, loading the arguments and the syscall number into registers and executing svc, without going through libc at all.
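The three techniques above, written out as an added C example (not the original article's code). It issues PT_DENY_ATTACH through the ptrace symbol resolved at run time with dlsym, through syscall(26, 31, 0, 0, 0), and through an inline svc #0x80 on arm64, and it implements the sysctl P_TRACED check. The Darwin-specific code only builds on Apple platforms; on other systems is_being_debugged() falls back to reading the Linux TracerPid field from /proc/self/status, an assumption added so the file compiles and runs anywhere, and parse_tracer_pid() is a pure function over that text so it can be exercised with constructed input.

```c
/* Added example: iOS anti-debugging via ptrace(PT_DENY_ATTACH), raw syscall,
 * inline svc, and the sysctl P_TRACED check. Not the original article's code.
 * Non-Apple builds use a Linux /proc fallback (assumption, for portability). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PTRACE_SYSCALL_NUMBER 26   /* ptrace in the XNU syscall table */
#define PT_DENY_ATTACH_VALUE  31   /* the PT_DENY_ATTACH request */

/* Parse the TracerPid field of Linux /proc/<pid>/status text.
 * Returns 1 if a tracer is attached, 0 if not, -1 if the field is absent. */
int parse_tracer_pid(const char *status_text)
{
    const char *line = strstr(status_text, "TracerPid:");
    if (!line)
        return -1;
    return strtol(line + strlen("TracerPid:"), NULL, 10) != 0;
}

#if defined(__APPLE__)
#include <dlfcn.h>
#include <sys/sysctl.h>
#include <sys/types.h>

/* ptrace(2) is not declared in the iOS SDK headers, so resolve it at run
 * time; this also keeps the symbol out of the import table. */
typedef int (*ptrace_fn)(int request, pid_t pid, caddr_t addr, int data);

void deny_attach_ptrace(void)
{
    ptrace_fn p = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    if (p)
        p(PT_DENY_ATTACH_VALUE, 0, NULL, 0);
}

/* Same request, issued by number so "ptrace" never appears in the binary. */
void deny_attach_syscall(void)
{
    syscall(PTRACE_SYSCALL_NUMBER, PT_DENY_ATTACH_VALUE, 0, 0, 0);
}

#if defined(__arm64__)
/* Raw system call: arguments in x0-x3, syscall number in x16, then svc #0x80. */
void deny_attach_svc(void)
{
    __asm__ volatile(
        "mov x0, #31\n"   /* PT_DENY_ATTACH */
        "mov x1, #0\n"
        "mov x2, #0\n"
        "mov x3, #0\n"
        "mov x16, #26\n"  /* SYS_ptrace */
        "svc #0x80\n"
        : : : "x0", "x1", "x2", "x3", "x16", "memory");
}
#endif

/* Ask the kernel for our own kinfo_proc and test the P_TRACED flag.
 * Returns 1 if traced, 0 if not, -1 if sysctl fails. */
int is_being_debugged(void)
{
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof info;
    memset(&info, 0, sizeof info);
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}
#else
/* Linux fallback (assumption, not from the article): the kernel reports the
 * tracer's PID in /proc/self/status, which plays the role of P_TRACED here. */
int is_being_debugged(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}
#endif

int main(void)
{
#if defined(__APPLE__)
    deny_attach_ptrace();   /* any one of the three variants is enough */
#endif
    int traced = is_being_debugged();
    printf("debugger attached: %d\n", traced);
    return traced == 1 ? 1 : 0;
}
```

Call deny_attach_ptrace() (or one of the alternatives) as early as possible, for example from a constructor function or the first lines of main, and repeat is_being_debugged() from time to time rather than once. None of this is hard protection: on a jailbroken phone with lldb an attacker can break on the ptrace or syscall entry and change the request argument, or hook the call with a tweak, so treat it as raising the cost of analysis, not preventing it.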
