iOS reverse engineering notes

《iOS应用逆向与安全之道》

Available on WeChat Read

These are my notes from reading the book.

Useful tools

# 010 Editor is paid software
brew install --cask 010-editor
brew install tree
  1. 010 Editor -> Templates -> View Installed Templates -> Add
  2. Add MachOTemplate.bt to parse ARM64 Mach-O binaries
wget -N -c http://www.sweetscape.com/010editor/repository/files/MachO.bt

App decryption (dumping)

# cryptid=1 means the binary is still encrypted, cryptid=0 means it is decrypted
otool -l bili-universal | grep crypt

Clutch

One-command dumping, but it fails on many apps

# mac terminal
wget -N -c https://github.com/KJCracks/Clutch/releases/download/2.0.4/Clutch-2.0.4 -O Clutch
scp -r Clutch root@<iphone-ip>:/usr/bin/
# iPhone terminal
chmod +x /usr/bin/Clutch
# list all apps installed from the App Store
Clutch -i
# one-command dumping; fails on many apps
Clutch -d tv.danmaku.bilianime

dumpdecrypted

# mac terminal
git clone https://github.com/stefanesser/dumpdecrypted.git
cd dumpdecrypted

# remove -F$(SDK)/System/Library/PrivateFrameworks from the Makefile, then run make
make

codesign -f -s - dumpdecrypted.dylib
scp -r dumpdecrypted.dylib root@<iphone-ip>:/usr/bin/
# iPhone terminal
cd /tmp
ps -ef | grep bili
# the dump failed here; dumpdecrypted apparently only works on iOS < 11
DYLD_INSERT_LIBRARIES=/usr/bin/dumpdecrypted.dylib /var/containers/Bundle/Application/F893C850-40BB-4C1F-8691-FB51BFAF4FC5/bili-universal.app/bili-universal

bfinject

Fixing crashes on launch

If the dumped IPA crashes on launch after installation, it needs a small fix: re-sign it with its original entitlements.

unzip xxx.ipa
# export the app's existing entitlements
codesign -d --entitlements - ./Payload/*.app > ent.xml
# ad-hoc re-sign the main executable (xxx = the CFBundleExecutable name) with those entitlements
codesign -s - --entitlements ent.xml -f ./Payload/*.app/xxx
zip -r xxx_ok.ipa Payload
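Two things the commands above leave implicit are worth checking before re-signing: which file under Payload/*.app is the main executable (the `xxx` in the codesign line, named by CFBundleExecutable in Info.plist), and that every architecture slice of that executable really has cryptid 0, the same field the `otool -l | grep crypt` check in the decryption section reads. The script below is an added example, not code from the book: it opens the IPA zip, parses the Mach-O header and the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command, and also walks fat (universal) binaries. The Mach-O constants are the public ones from <mach-o/loader.h> and <mach-o/fat.h>; the `build_*` helpers produce constructed test data with placeholder names (Demo.app), not a real app.

```python
# Added example (not from the book): open an IPA, resolve the main executable that
# the codesign step above calls "xxx" from CFBundleExecutable, and read the FairPlay
# cryptid of each Mach-O slice, the field `otool -l | grep crypt` shows.
import io
import struct
import sys
import zipfile
import plistlib

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE         # universal ("fat") wrapper, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def slice_info(data, base=0):
    """cryptid of the thin Mach-O image at `base`; cryptid is None if it has no LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        off = base + 32                    # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        off = base + 28                    # sizeof(mach_header)
    else:
        raise ValueError("no Mach-O header at offset %#x" % base)
    cputype = struct.unpack_from("<i", data, base + 4)[0]
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    info = {"cputype": cputype, "cryptoff": None, "cryptsize": None, "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants lay out cryptoff, cryptsize, cryptid right after cmd/cmdsize
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<III", data, off + 8)
            break
        off += cmdsize
    return info


def macho_slices(data):
    """One info dict per architecture: a thin file has one, a fat file one per fat_arch entry."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [slice_info(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    # fat_arch is 20 bytes: cputype, cpusubtype, offset, size, align; entries start at byte 8
    return [slice_info(data, struct.unpack_from(">I", data, 8 + 20 * i + 8)[0]) for i in range(nfat)]


def inspect_ipa(ipa_bytes):
    """Locate Payload/<App>.app/<CFBundleExecutable> and report whether any slice is still encrypted."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.split("/")[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError("expected exactly one .app under Payload/, got %r" % apps)
        app_dir = "Payload/" + apps[0]
        exe = app_dir + "/" + plistlib.loads(zf.read(app_dir + "/Info.plist"))["CFBundleExecutable"]
        slices = macho_slices(zf.read(exe))
    return {"app_dir": app_dir, "executable": exe, "slices": slices,
            "encrypted": any(s["cryptid"] not in (None, 0) for s in slices)}


def build_macho(cryptid):
    """Constructed arm64 image (header + LC_UUID + LC_ENCRYPTION_INFO_64, no code) for offline testing."""
    uuid_cmd = struct.pack("<II", 0x1B, 24) + bytes(16)
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<IiIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


def build_fat(*images):
    """Constructed universal binary around thin images (real files page-align each slice)."""
    offset = 8 + 20 * len(images)
    archs, body = b"", b""
    for img in images:
        archs += struct.pack(">iIIII", struct.unpack_from("<i", img, 4)[0], 0, offset, len(img), 0)
        body += img
        offset += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


def build_ipa(binary, app="Demo.app", exe="Demo"):
    """Constructed minimal IPA: Payload/Demo.app/{Info.plist,Demo}; names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/%s/Info.plist" % app, plistlib.dumps({"CFBundleExecutable": exe}))
        zf.writestr("Payload/%s/%s" % (app, exe), binary)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python inspect_ipa.py xxx.ipa
    report = inspect_ipa(open(sys.argv[1], "rb").read())
    print("re-sign target:", report["executable"])
    for s in report["slices"]:
        print("cputype=%#x cryptid=%s" % (s["cputype"], s["cryptid"]))
    print("still encrypted: dump failed" if report["encrypted"] else "decrypted: safe to re-sign")
```

If a slice still reports cryptid 1, the dump did not work for that architecture and re-signing alone will not fix the crash; go back to the dumping step instead. The `executable` path in the report is the value to substitute for `xxx` in the second codesign command.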

CrackerXI (iOS 11 to iOS 13)

The easy option in 2021; after dumping, copy the result to the computer

# mac terminal
scp -r root@<iphone-ip>:/var/mobile/Documents/CrackerXI/ .

frida-ios-dump

# mac terminal
git clone https://github.com/AloneMonkey/frida-ios-dump

Runtime analysis

Cycript

Install it by searching for "Cycript" in Cydia

# attach to the running process
cycript -p bili-universal
NSHomeDirectory()

# dump the view hierarchy and the Auto Layout trace of the key window
[[UIApp keyWindow] recursiveDescription].toString()
[[UIApp keyWindow] _autolayoutTrace].toString()

Reveal

UI debugging tool

Search for "Reveal2Loader" in Cydia and install it; afterwards a "Reveal" entry appears in Settings

# mac terminal
brew install --cask reveal # paid software

root@<iphone-ip>

frida

On the target device, add the software source https://build.frida.re/ and install "Frida" from it

# controlling side: mac terminal
sudo pip install frida
sudo pip install frida-tools
frida --version
frida-ls-devices

# list processes (add -U to list those on the USB-attached device)
frida-ps

# trace compress and recv* calls in WeChat (process name 微信) over USB; -i includes, -x excludes
frida-trace -U -i compress -i "recv*" -x "recvmsg*" -x recvfrom 微信