Decrypting WeChat with dumpdecrypted

Reveal is fine for inspecting an app's UI, but to read the header files of its code you need class-dump. Until now, whenever I wanted an app's headers I took the lazy route and downloaded an already-decrypted binary from one of the app-store helper tools. Today I have some time, so I am trying the decryption by hand, following this article:
iOS Security: dumpdecrypted APP decryption

Environment

Device: iPhone 5c, iOS 9.0.2, jailbroken
Cycript: 0.9.594
WeChat: 6.5.12
dumpdecrypted repository

Steps

To decrypt an app you first locate it, then inject the dynamic library built from dumpdecrypted; the library dumps the decrypted image automatically, and you just copy the resulting file out afterwards.
First, find WeChat. This needs Cycript. What is that? The official site says:

Cycript allows developers to explore and modify running applications on
either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax
through an interactive console that features syntax highlighting and tab
completion. (It also runs standalone on Android and Linux and provides access
to Java, but without injection.)

A few of its commands make it easy to find WeChat's pid. The detailed syntax can wait; today the goal is just to decrypt WeChat.
Search for Cycript in Cydia and install it, then ssh to the device and type cycript. When the terminal prints cy#, the installation worked. As a test, pop up an AlertView inside SpringBoard: success. Next look up WeChat's pid, which is 7351.
Also look up the NSDocumentDirectory path (path A) for later use.

```
ssh root@192.168.1.17
root@192.168.1.17's password:
Silence:~ root# cycript
cy#
Silence:~ root# ps -e | grep SpringBoard
 7248 ??         0:27.37 /System/Library/CoreServices/SpringBoard.app/SpringBoard
 7335 ttys000    0:00.01 grep SpringBoard
Silence:~ root# cycript -p 7248
cy# a = [[UIAlertView alloc] initWithTitle:@"Hello World" message:@"Test" delegate:nil cancelButtonTitle:@"Cancle" otherButtonTitles:nil]
#"<UIAlertView: 0x170768d0; frame = (0 0; 0 0); layer = <CALayer: 0x19a885a0>>"
cy# [a show]
cy# 
Silence:~ root# ps aux | grep WeChat
mobile    7351   0.6  6.1   762096  63004   ??  Ss    2:57PM   0:18.49 /var/mobile/Containers/Bundle/Application/6881D1C5-06FE-492A-B05C-9C4A1BD06443/WeChat.app/WeChat
root      7440   0.0  0.0   538336    496 s000  S+    3:26PM   0:00.01 grep WeChat
Silence:~ root# cycript -p 7351
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomans:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents/"
cy# ^Z
[1]+  Stopped(SIGTSTP)        cycript -p 7351
```

Download dumpdecrypted and build it with make, which produces dumpdecrypted.dylib. Copy the library to the iPhone with scp <local path> root@<device ip>:<path A>. An ls in that directory shows the file, so the copy succeeded.

```
scp /Users/aaa/Downloads/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.1.17:/var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents/
root@192.168.1.17's password:
dumpdecrypted.dylib                           100%  193KB 192.9KB/s   00:00 
Silence:~ root#
Display all 305 possibilities? (y or n)
Silence:~ root# cd /var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents/
Silence:/var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents root# ls -l
total 220
drwxr-xr-x  6 mobile mobile    272 Sep  1 14:57 00000000000000000000000000000000
drwxr-xr-x 24 mobile mobile   1258 Aug  2 16:02 00f8dadbcfd42004516b055fefefd0f1
-rw-r--r--  1 mobile mobile    286 Jun 20 17:23 Ksid
-rw-r--r--  1 mobile mobile   1200 Sep  1 14:57 LocalInfo.lst
drwxr-xr-x 11 mobile mobile    476 Sep  1 14:57 MMResourceMgr
drwxr-xr-x  2 mobile mobile   1360 Aug 16 10:36 MMappedKV
drwxr-xr-x  4 mobile mobile    170 Sep  1 14:57 MemoryStat
-rw-r--r--  1 mobile mobile     15 Sep  1 15:00 SafeMode.dat
-rw-r--r--  1 mobile mobile      4 Sep  1 14:57 db.globalconfig
-rwxr-xr-x  1 root   mobile 197528 Sep  1 15:30 dumpdecrypted.dylib
-rw-r--r--  1 mobile mobile    285 Jul 27 19:30 heavy_user_id_mapping.dat
-rw-r--r--  1 mobile mobile    448 Jun 20 17:23 mmupdateinfo.archive
```

Now do the decryption: run the following command from the directory that contains the dylib.

```
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/6881D1C5-06FE-492A-B05C-9C4A1BD06443/WeChat.app/WeChat
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xe0a4c(from 0xe0000) = a4c
[+] Found encrypted data at address 00004000 of length 55377920 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/6881D1C5-06FE-492A-B05C-9C4A1BD06443/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset a4c
[+] Closing original file
[+] Closing dump file
Silence:/var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents
```
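The dump output above ends by setting LC_ENCRYPTION_INFO->cryptid to 0, which is what makes the file readable by class-dump. As an added example (not part of the original post or of dumpdecrypted), the Python below walks the load commands of a thin Mach-O image, locates that command and reports its cryptid, so you can verify the copied WeChat.decrypted really is decrypted before analysing it. The sample header is constructed inline using the cryptoff/cryptsize values printed above; fat binaries are out of scope (thin them with lipo first).

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE        # 32-bit little-endian image
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit little-endian image
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

def find_encryption_info(data):
    """Walk the load commands of a thin little-endian Mach-O image and return
    the LC_ENCRYPTION_INFO fields plus the file offset of its cryptid word,
    or None when the image carries no encryption command."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        header_size = 28          # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 adds a reserved word
    else:
        raise ValueError("not a thin little-endian Mach-O image (use lipo -thin on fat files)")
    ncmds, = struct.unpack_from("<I", data, 16)   # magic,cputype,cpusubtype,filetype,ncmds
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cryptid_offset": off + 16}
        off += cmdsize
    return None

def is_decrypted(data):
    """True when there is no encryption command or its cryptid is 0,
    i.e. class-dump and Hopper will see plaintext code."""
    info = find_encryption_info(data)
    return info is None or info["cryptid"] == 0

# Constructed sample (not a real binary): 32-bit ARM executable with an LC_UUID
# followed by an LC_ENCRYPTION_INFO carrying the values dumpdecrypted printed for
# WeChat (cryptoff 0x4000, cryptsize 55377920, cryptid 1 = still encrypted).
CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE = 12, 9, 2
SAMPLE = (struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE, 2, 24 + 20, 0)
          + struct.pack("<II", LC_UUID, 24) + bytes(16)
          + struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 55377920, 1))

if __name__ == "__main__":
    print(find_encryption_info(SAMPLE))   # cryptid_offset 68, cryptid 1
    print("decrypted:", is_decrypted(SAMPLE))
```

To check a real dump, read the file with open(path, "rb").read() and pass the bytes to is_decrypted.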

An ls now shows one extra file, WeChat.decrypted. Copy it to the Mac.

```
root# ls
00000000000000000000000000000000  MMappedKV    dumpdecrypted.dylib
00f8dadbcfd42004516b055fefefd0f1  MemoryStat    heavy_user_id_mapping.dat
Ksid  SafeMode.dat    mmupdateinfo.archive
LocalInfo.lst  WeChat.decrypted
MMResourceMgr  db.globalconfig
Silence:/var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1
scp root@192.168.1.17:/var/mobile/Containers/Data/Application/F855AB52-3333-4B75-8676-866C8B1F1D67/Documents/WeChat.decrypted /Users/aaa/Desktop/WeChat
```

Then use class-dump to extract the headers:

```
class-dump -H /Users/aaa/Desktop/WeChat/WeChat.decrypted -o /Users/aaa/Desktop/WeChat/H
```

You can also load the decrypted binary straight into Hopper and search for the APIs you are interested in.
Decryption done.