20.1 A note about ldid

The key points about ldid are:
It signs executables so that they can run on an iPhone.
It is also worth comparing it with codesign to see how the two differ.

On the newer versions of iOS (v5) running this tool ends up with a killed 9 error.
The problem here is that the iOS kernel signature-checks the binary file at several places. Jailbreak tools cannot patch all these signature checks because it is difficult for them to patch each and every signature check. When we copy keychain_dumper to the iPhone, it does not have a signature. So running the binary exits with a killed 9 message because the iOS kernel does not have the signature of keychain_dumper.
To get rid of this problem, add the signature of keychain_dumper to the kernel cache (list of hashes) by running the command below. After adding the signature, you can run the rest of the commands to dump the keychain entries.

ldid -S keychain_dumper

The gist: add a signature to the executable so that it can run on the phone. Just as an app needs to be signed, an executable that is copied straight into the phone's filesystem and run directly also needs to be signed.

iPhone: keychain dumper – killed 9 problem

Github Keychain-Dumper

The original article follows:

In the iPhone, the keychain is an SQLite database which stores sensitive data on the device. Apple's keychain service is a library/API provided by Apple that developers can use to store sensitive information on an iOS device securely. Instead of storing sensitive information in plaintext configuration files, developers can leverage the keychain services to have the operating system store sensitive information securely on their behalf.

The keychain is encrypted with a hardware key. The hardware key is unique per device and not even accessible to the OS running on the device. So even if someone gets access to the keychain db file in a remote attack (remember the Android malware which stole sqlite.db files and sent them to a remote server), they cannot decrypt and view the content. The keychain also restricts application access to the stored data. Each application on your device has a unique application-identifier (also called entitlements). The keychain service restricts which data an application can access based on this identifier. By default, applications can only access data associated with their own application-identifier. Later Apple introduced keychain groups. Now applications which belong to the same group can share keychain items.

On a jailbroken device, all keychain entries can be accessed by writing an application and making it a member of all application groups.

One such tool designed to grab all the keychain entries is keychain dumper – https://github.com/ptoomey3/Keychain-Dumper

Copy keychain_dumper to the iPhone over SSH. Run the command below in the SSH terminal. This extracts all the keychain groups from keychain-2.db and stores them in an XML file.

./keychain_dumper -e /var/tmp/entitlements.xml

Using ldid and the entitlements XML file, we can make the keychain_dumper program a member of all keychain groups.

ldid -S/var/tmp/entitlements.xml keychain_dumper

Now running keychain dumper reads all the entries from the keychain and displays them on the terminal.

./keychain_dumper

On the newer versions of iOS (v5) running this tool ends up with a killed 9 error.

The problem here is that the iOS kernel signature-checks the binary file at several places. Jailbreak tools cannot patch all these signature checks because it is difficult for them to patch each and every signature check. When we copy keychain_dumper to the iPhone, it does not have a signature. So running the binary exits with a killed 9 message because the iOS kernel does not have the signature of keychain_dumper.

To get rid of this problem, add the signature of keychain_dumper to the kernel cache (list of hashes) by running the command below. After adding the signature, you can run the rest of the commands to dump the keychain entries.

ldid -S keychain_dumper

But in the newer versions (5.0.1), this workaround does not work, because we would have to run the ldid command twice with the -S option. The second run tries to overwrite the binary's hash in the kernel cache and fails. So follow the steps listed below to use keychain_dumper on newer versions of iOS.

1. Copy keychain_dumper to iPhone over SSH.
2. Manually dump keychain groups with the help of sqlite3 command.

sqlite3 /var/Keychains/keychain-2.db "select agrp from genp"
Running this command on my phone listed three access groups.
– apple, com.apple.apsd, com.apple.cfnetwork
3. Create an XML file similar to the sample shown below with all the keychain groups listed by the above command
(paste the keychain group names in the string tags).
Sample.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>keychain-access-groups</key>
<array>
<string>apple</string>
<string>com.apple.apsd</string>
<string>com.apple.cfnetwork</string>
</array>
</dict>
</plist>

4. Copy sample.xml to the /var/tmp folder on the iPhone.
5. Run the commands below to dump the keychain entries.

ldid -S/var/tmp/ent.xml keychain_dumper
./keychain_dumper

To run the keychain_dumper again, follow all the steps.
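Steps 2 and 3 above are done by hand in the article: read the access groups out of keychain-2.db, then type them into the string tags of the entitlements plist. The shell function below automates that step; it is an added example, not part of the original article or of the Keychain-Dumper project, and it only assumes a POSIX shell with sed, sort and grep, which the device's SSH terminal provides. The group list on stdin is constructed here from the three groups the article reports, with a duplicate row as the sqlite query would really print one.

```shell
#!/bin/sh
# Added example (not from the original article): build the
# keychain-access-groups entitlements plist that step 3 asks for, from the
# group names that the sqlite3 query in step 2 prints. Group names arrive on
# stdin, one per line; the plist is written to stdout. Blank lines and
# duplicates are dropped (the query prints one row per keychain item, so
# every group repeats) and XML special characters are escaped so that an odd
# group name cannot produce a plist that ldid cannot parse.
groups_to_plist() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
    printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    printf '%s\n' '<plist version="1.0">' '<dict>' '<key>keychain-access-groups</key>' '<array>'
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u \
        | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
              -e 's/.*/<string>&<\/string>/'
    printf '%s\n' '</array>' '</dict>' '</plist>'
}

# Count the <string> entries in a plist read from stdin: a quick check that
# every group made it into the file before it is handed to ldid -S.
count_groups() {
    grep -c '<string>'
}

# Constructed sample input: the three groups the article's author saw,
# with "apple" repeated the way the sqlite query really prints it.
SAMPLE_GROUPS='apple
com.apple.apsd
apple
com.apple.cfnetwork'

# On the device the real pipeline, following the article's steps, would be:
#   sqlite3 /var/Keychains/keychain-2.db "select agrp from genp" \
#       | groups_to_plist > /var/tmp/ent.xml
#   ldid -S/var/tmp/ent.xml keychain_dumper
printf '%s\n' "$SAMPLE_GROUPS" | groups_to_plist
```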
