Teach you how to decompile the app and get the encryption method

Most apps ship for both Android and iOS. Android apps are APKs, and nowadays an APK is usually packed (hardened), so it has to be unpacked dynamically and the technique is not fixed. iOS apps are IPAs, and that is what this post covers.

Preparing the devices

1. A jailbroken iPhone. My device is an iPhone 6 on iOS 8.3, already jailbroken.
2. A Mac system. It can be a Hackintosh running in VMware or a real Mac; I used a Hackintosh for convenience (see my earlier post on how to build one). A screenshot of my environment followed here in the original.

Preparing the decompilation environment

1. On the jailbroken phone:
1.1 Install OpenSSH from Cydia. Once it is installed you can SSH into the phone; the default password is alpine.
1.2 Download Clutch from GitHub and put it in the phone's bin directory (iTools can do the copy). What this tool does: an app downloaded directly from the App Store is encrypted by default, so the disassembler IDA (used below) cannot read it; Clutch decrypts it and produces a usable IPA.

2. On the Mac, set up the LLDB remote-debugging environment (look up LLDB itself if it is new to you).
2.1 Configure debugserver. Take debugserver out of /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0.3 (11B508)/DeveloperDiskImage.dmg and copy it to the desktop (the DeviceSupport version in the middle of the path can be replaced with whichever one you have).
2.2 Re-sign it with entitlements; no certificate is needed. Create a file named Entitlements.plist, edit it in Xcode, then run:
codesign -s - --entitlements Entitlements.plist -f debugserver
Copy the re-signed debugserver back to the phone as /usr/bin/debugserver (iTools works here too).

3. Install the disassembler IDA on a Windows machine (the author suggests searching Baidu for a copy).

The decompilation experiment

SSH from the Mac to the phone. If your app came from the App Store, decrypt it with Clutch (I take one program as the example): Clutch -i lists the installed apps with their numbers, and Clutch -d 2 decrypts app number 2 from the command line. The news ("headline") app I use here was downloaded through iTools from a jailbreak source, so it was already decrypted; I skipped that step and exported the IPA directly with iTools.

Open Fiddler for packet capture (look up how to set the phone's proxy yourself). Open the app's registration page: among the requests is a URL that fetches the captcha image, and it carries a sign parameter, an MD5 value. The next goal is to find out how that MD5 is generated.

Open the IPA in IDA (the first load takes a while). Press Shift+F12 to open the strings window and search for the keyword "sign". Double-click the hit, follow it into the function, and press F5 to decompile. From the pseudocode we learn that the encryption class is called Bfcryptor and that it has an MD5 method; searching the function list confirms it. So we now have the class name and method name of the MD5 routine.

The most important step comes next: find the memory address where that method sits when the program runs, and set a breakpoint on it.

1. Copy the IPA to the Mac and dump the headers with class-dump, including each method's IMP address:
class-dump XApp -H -A -S -o Headers/
In the Headers folder search for the class we found, Bfcryptor, open its header in Xcode, and write down the MD5 method's address: 0x0000000100241e30.

2. Attach with LLDB. On the phone, use ps -a to find the running app's PID, then start debugserver attached to that process (listening on port 8888); the app will appear frozen, which is expected. Open another shell on the Mac and run locally:
> lldb
> platform select remote-ios
> process connect connect://iosip:8888
(iosip is your phone's IP address.) After a moment you will see the connection output, which means the attach succeeded.

3. Get the ASLR slide. The runtime address of the routine to break on is base + offset, so the MD5 method is at 0x00000000000fc000 + 0x0000000100241e30. Set a breakpoint on that address, then enter c to let the app continue. Trigger a network request and the breakpoint hits. Print the arguments with po: arg3 is the data before it is MD5-hashed.

Next, write a mock request with the same sign and test it. The request succeeded!

Summary: this post showed how to configure the decompilation environment and the general steps for decompiling an app to recover its encryption method. MD5 is the simple case; apps that sign with RSA (such as Guo Shou App, the 12306 app, and others) are harder, but the approach is the same. Good luck to you all!
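As an added illustration (not code from the original post), the following Python helper does the base + offset arithmetic of the ASLR step above and emits the matching lldb breakpoint command. The image-list text is a constructed sample in the format of lldb's `image list -o -f` output, and the 16 KB page-alignment check is an assumption about this arm64 device.

```python
import re

# Constructed sample of lldb `image list -o -f` output (not captured from the post's device):
# index, ASLR slide, then the image path with its load address in parentheses.
SAMPLE_IMAGE_LIST = """\
[  0] 0x00000000000fc000 /var/mobile/Containers/Bundle/Application/EXAMPLE/XApp.app/XApp(0x00000001000fc000)
[  1] 0x0000000000010000 /usr/lib/dyld(0x0000000120010000)
"""

IMAGE_LINE = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(\S+)")


def parse_slide(image_list_output: str, image_name: str) -> int:
    """Return the ASLR slide of the image whose path ends in image_name."""
    for line in image_list_output.splitlines():
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        path = m.group(3).split("(")[0]  # drop the "(load address)" suffix
        if path.endswith("/" + image_name):
            return int(m.group(2), 16)
    raise ValueError(f"image {image_name!r} not found in image list")


def runtime_address(static_address: int, slide: int, page_size: int = 0x4000) -> int:
    """Runtime address = slide + static address (the post's base + offset).

    A slide that is not page aligned almost always means the wrong column was
    read from the image list, so refuse it instead of planting a bad breakpoint.
    page_size 0x4000 (16 KB) is an assumption for arm64 iOS."""
    if slide % page_size:
        raise ValueError(f"slide {slide:#x} is not {page_size:#x}-aligned")
    return slide + static_address


def breakpoint_command(static_address: int, slide: int) -> str:
    """The lldb command to break on the relocated method."""
    return f"breakpoint set -a {runtime_address(static_address, slide):#018x}"


if __name__ == "__main__":
    md5_static = 0x0000000100241E30  # from the class-dump header in the post
    slide = parse_slide(SAMPLE_IMAGE_LIST, "XApp")
    print(breakpoint_command(md5_static, slide))
```

With the post's values this prints `breakpoint set -a 0x000000010033de30`, the address to hand to lldb before continuing with c.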