iOS逆向

$ ssh root@192.168.4.166 #ssh wifi登录手机初始化密码alpine

SSH安全连接存储服务器公钥

客户端存储服务器ssh公钥文件路径~/.ssh/known_hosts

服务器端的ssh
2.1 公钥路径/etc/ssh/ssh_host_rsa_key.pub
2.2 私钥路径/etc/ssh/ssh_host_rsa_key

连接过程中提示中间人攻击，是因为IP 和公钥信息发生改变，想要连接删除公钥信息
3.1解决1: vim ~/.ssh/known_hosts 删除对应的IP公钥信息。vim删除指令 dd
3.2解决2: ssh-kengen -R 192.168.4.166 192.168.4.166服务器IP

SSH基于密钥的客户端认证

客户端的密钥生成,指令ssh-keygen
1.1 公钥路径~/.ssh/id_rsa.pub
1.2私钥路径~/.ssh/id_rsa

将公钥追加到服务器端的授权文件里
2.1 授权文件路径~/.ssh/authorized_keys
2.2将客户端的公钥追加到服务器授权文件 ssh-copy-id root@192.168.4.166

手动将客户端的公钥追加到服务器授权文件
3.1 scp ~/.ssh/id_rsa.pub root@192.168.4.166:~/.ssh拷贝公钥到服务器.ssh目录下
3.2 cat id_rsa.pub >> authorized_keys将公钥内容追加到authorized_keys授权文件
3.3 rm id_rsa.pub删除公钥文件

通过USB进行SSH登录

下载usbmuxd工具包https://cgit.sukimashita.com/usbmuxd.Git/snapshot/usbmuxd-1.0.8.tar.gz

将iPhone的22端口映射到Mac本地的10010端口python Desktop/USB/tcprelay.py -t 22:10010

登录iPhonessh root@localhost -p 10010

注意步骤2后执行步骤3

Cycript基本用法

开启
1.1 cycript
1.2 cycript -p 进程ID
1.3 cycript -p 进程名称建议使用

关闭退出control+d

变量var app = UIApp.keyWindown

通过内存地址访问对象#0x13f181290

APP加载的所有的OC类ObjectiveC.classes

查看对象的成员变量*UIApp或*#0x13f181290

递归打印View的所有子控件recursiveDescription()

筛选choose(UIViewController)

PS

ps -A 当前所有进程

ps -A | grep music监听music相关进程

安装deb

scp -P 10010 RevealLoader.deb root@Localhost:/var/root/Media/Cydia/AutoInstall
重启手机安装插件killall SpringBoard

脱壳

验证是否加壳 MachOView->load commands->LCENCRIPTION_INFO ->Cript ID(加密ID) : 0未加密

验证是否加壳 otool -l To-Do | grep scrypt crypt id: 0未加密

Clutch 脱壳工具
3.1 下载https://github.com/KJCracks/Clutch/releases
3.2 拖拽到手机/usr/bin/目录下
3.3 权限问题chmod +x /usr/bin/Clutch

Dumpdecrypted脱壳工具
4.1 下载https://github.com/stefanesser/dumpdecrypted
4.2 使用make指令，获取动态库
4.3将生成的动态库copy到iPhone/var/root目录

Clutch使用

ahs-zjshebei:~ root# Clutch -i #查看手机需脱壳APP列表
Installed apps:
1:   京东-挑好物，上京东 <com.360buy.jdmobile>
2:   拼多多 <com.xunmeng.pinduoduo>
3:   爱思加强版 <com.pd.A4Player>
ahs-zjshebei:~ root# Clutch -d 3 #导出脱壳后的可执行文件

Dumpdecrypted使用⚠️有问题待解决

ahs-zjshebei:~ root# ps -A | grep pin
 1702 ??         0:05.42 /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
 1712 ttys000    0:00.01 grep pin
ahs-zjshebei:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
dyld: Symbol not found: ___chkstk_darwin
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib
 in dumpdecrypted.dylib
Trace/BPT trap: 5
ahs-zjshebei:~ root#

Theos

安装

brew install dyid

编辑.base_profile
2.1 vim ~/.base_profile
2.2 在.base_profile添加环境变量
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
2.3 source ~/.base_profile环境变量生效

下载theos
git clone --recursive https://github.com/theos/theos.git $THEOS

nic.pl创建Tweak

localhost:AQY zhangheng$ mkdir IQYTweak
localhost:AQY zhangheng$ cd IQYTweak/
localhost:IQYTweak zhangheng$ nic.pl 
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/application_swift
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/library
  [7.] iphone/preference_bundle_modern
  [8.] iphone/tool
  [9.] iphone/tool_swift
  [10.] iphone/tweak
  [11.] iphone/xpc_service
Choose a Template (required): 10
Project Name (required): iqytweak
Package Name [com.yourcompany.iqytweak]: com.hy.iqy
Author/Maintainer Name [张恒]: 
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.qiyi.iphone
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: 
Instantiating iphone/tweak in iqytweak/...
Done.

Tweak配置编写

makefile文件


export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010

INSTALL_TARGET_PROCESSES = SpringBoard

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = iqytweak

iqytweak_FILES = Tweak.x
iqytweak_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk

Tweak.x文件


%hook QYResourcePopView

- (id)initWithFrame:(struct CGRect)arg1{
    return nil;
}


%end

执行命令安装插件

make

make package

make install

localhost:iqytweak zhangheng$ make
> Making all for tweak iqytweak…
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (armv7)…
==> Linking tweak iqytweak (armv7)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/armv7/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64)…
==> Linking tweak iqytweak (arm64)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64e)…
==> Linking tweak iqytweak (arm64e)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64e/Tweak.x.m
==> Merging tweak iqytweak…
==> Signing iqytweak…
localhost:iqytweak zhangheng$ make package
> Making all for tweak iqytweak…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak iqytweak…
dm.pl: building package `com.hy.iqy:iphoneos-arm' in `./packages/com.hy.iqy_0.0.1-6+debug_iphoneos-arm.deb'
localhost:iqytweak zhangheng$ make install
==> Installing…
The authenticity of host '[127.0.0.1]:10010 ([127.0.0.1]:10010)' can't be established.
RSA key fingerprint is SHA256:4p2uNUxuMsg7xdx45xlpzKzoCZy5NYR/gzyT9+qSxbo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10010' (RSA) to the list of known hosts.
Selecting previously deselected package com.hy.iqy.
(Reading database ... 5503 files and directories currently installed.)
Unpacking com.hy.iqy (from /tmp/_theos_install.deb) ...
Setting up com.hy.iqy (0.0.1-6+debug) ...
==> Unloading SpringBoard…
localhost:iqytweak zhangheng$

动态调试

debugserver环境搭建

debugserver在手机上的路径/Developer/usr/bin拷贝到电脑

权限签名
2.1 ldid -e debugserver > debugserver.entitlements导出权限签名
2.2 debugserver.entitlements添加get-task-allow、task_for_pid-allow权限
2.3 赋权ldid -Sdebugserver.entitlements debugserver
2.4 赋权后的debugserver放到手机的/usr/bin/目录下
2.5 ⚠️-sh: /usr/bin/debugserver: Permission denied解决方式chmod +x /usr/bin/debugserver

debugserver使用

debugserver *:10011 -a WeChat

localhost:usb zhangheng$ sh login.sh 
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.51.1
 for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
^C
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.51.1
 for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
Waiting for debugger instructions for process 0.

LLDB使用

使用USB端口映射python tcprelay.py -t 10011:10011

进入LLBDlldb

process connect connect://localhost:10011

localhost:usb zhangheng$ lldb
(lldb) process connect connect://localhost:10011
Process 1180 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x000000019b8e4c30 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x19b8e4c30 <+8>: ret    

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x19b8e4c34 <+0>: mov    x16, #-0x20
    0x19b8e4c38 <+4>: svc    #0x80
    0x19b8e4c3c <+8>: ret    
Target 0: (WeChat) stopped.
(lldb) c
Process 1180 resuming
(lldb)