Cydia
OpenSSH
Terminal
Connecting over Wi-Fi
ssh root@192.168.50.125
Default password: alpine (both root and mobile ship with it; change them with passwd right after the first login, otherwise anyone on the same network can log into the jailbroken device over SSH)
Note: if the Wi-Fi link is poor, tunnel SSH over USB instead
libimobiledevice
brew install libimobiledevice
iproxy 2222 22
ssh root@localhost -p 2222
File browsing
-
Mac side
*iTools
*iFunBox
-
iOS side
*iFile
To browse the whole filesystem from the Mac tools (not just media and app containers), install Apple File Conduit "2" (afc2) from Cydia
Symbolic mode
chmod u-x,g=rx,o+wx testfile
Absolute (octal) mode
chmod 755 testfile
Cydia Substrate
Framework for writing patches and extensions (tweaks)
MobileHooker
Replaces methods in the system and in apps: hooks C functions (MSHookFunction) and Objective-C methods (MSHookMessageEx)
MobileLoader
Loads the tweak dylibs into the target process as it launches
Safe mode
When a tweak crashes SpringBoard, Substrate catches the crash and boots into safe mode with tweaks disabled, so the offending plugin can be removed
Cydia-adv-cmds
Provides ps; use it to list the running processes with their PIDs and executable paths
Cydia-appsync
Modifying an app invalidates its code signature, so installing the modified app fails. AppSync stops the system from verifying app signatures.
Cydia-iFile
File manager on the phone
Cydia-Cycript
Runtime injection tool: attach to a running process (cycript -p <pid or process name>) and evaluate JavaScript/Objective-C hybrid expressions inside it
Cycript syntax
http://iphonedevwiki.net/index.php/Cycript_Tricks
Reading instance variables
// *a dereferences an Objective-C object to its ivars; copy the readable ones and skip the rest
function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x; }
choose() function: choose(SomeClass) returns the live instances of that class found on the heap
Listing methods
// Lists the instance methods of className; pass a truthy isa to list class methods (via the metaclass) instead
function printMethods(className, isa) {
    var count = new new Type("I");  // allocate an unsigned int for class_copyMethodList's out-parameter
    var classObj = (isa != undefined) ? objc_getClass(className).constructor : objc_getClass(className);
    var methods = class_copyMethodList(classObj, count);
    var methodsArray = [];
    for(var i = 0; i < *count; i++) {
        var method = methods[i];
        methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
    }
    free(methods);  // class_copyMethodList returns a malloc'd array
    return methodsArray;
}
Cydia-rsync
rsync is a fast and very flexible file-copying tool. It copies to or from a remote host over a remote shell (rsh, ssh) or a remote rsync daemon, offers many options to control every aspect of its behaviour and which file attributes to preserve, and uses a delta-transfer algorithm so that only the differences between source and destination are sent, cutting network traffic. It is widely used as an enhanced copy command for mirroring and backups.
On iOS 10 and later jailbreaks, use rsync in place of scp (install the rsync package on the device from Cydia; -e passes the ssh command with the iproxy port from above):
rsync -avze 'ssh -p 2222' root@localhost:/tmp/tmpfile ./
rsync -avze 'ssh -p 2222' ./utils.cy root@localhost:/var/root
App decryption
dumpdecrypted
Build it with make; this produces dumpdecrypted.dylib
Example:
The target app is Douyin (抖音, "hot" build). Find its process with ps -e:
788 ?? 0:07.36 /var/containers/Bundle/Application/85CEE1D7-F792-4558-929E-C5E28091381C/Aweme.app/Aweme
Getting the bundle ID
iOSde-iPhone:~ root# cat /var/containers/Bundle/Application/85CEE1D7-F792-4558-929E-C5E28091381C/Aweme.app/Info.plist | grep CFBundleIdentifier -A 1
<key>CFBundleIdentifier</key>
<string>com.ss.iphone.ugc.Aweme</string>
Create a new iOS project in Xcode and run it on the target phone; it prints its Documents path, which gives you a writable sandbox directory to work from. Note that this Data container UUID is different from the Bundle container UUID in the ps output above.
Sandbox directory:
file:///private/var/mobile/Containers/Data/Application/74041EE0-C137-48E1-908A-9EC48FB8998A/Documents
Location of the dylib on the Mac:
/Users/ios/Downloads/ios_util/dumpdecrypted-master/dumpdecrypted.dylib
Copy it over:
rsync -avze 'ssh -p 2222' /Users/ios/Downloads/ios_util/dumpdecrypted-master/dumpdecrypted.dylib root@localhost:/var/mobile/Containers/Data/Application/74041EE0-C137-48E1-908A-9EC48FB8998A/Documents
Decrypt:
find / -name Aweme.app
cd /var/mobile/Containers/Data/Application/74041EE0-C137-48E1-908A-9EC48FB8998A/Documents/
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/containers/Bundle/Application/85CEE1D7-F792-4558-929E-C5E28091381C/Aweme.app/Aweme
dumpdecrypted writes Aweme.decrypted into the current working directory, which is why you cd into a writable Documents directory before launching the binary.
Signing issue
On recent iOS versions dyld refuses to load an unsigned dylib injected this way and the target process is killed, so sign the dylib first.
List the available code-signing identities
security find-identity -v -p codesigning
Sign dumpdecrypted.dylib
Replace "iPhone Developer: xxx xxxx (xxxxxxxxxx)" with an identity from the list printed above
codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib
Checking the encryption flag
On the Mac, in the directory holding the dumped binary:
otool -l Aweme.decrypted | grep crypt
cryptid 0 means the slice is decrypted, cryptid 1 means it is still encrypted. A fat binary prints one cryptid per architecture, and dumpdecrypted only decrypts the slice that was actually executed.
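Added example (not from the original notes or from the dumpdecrypted project): a small POSIX shell script that performs the two parsing steps above offline, pulling CFBundleIdentifier out of an Info.plist and deciding from `otool -l | grep crypt` output whether the dump actually succeeded, including the fat-binary case where only one slice came out decrypted. The plist fragment and the otool output it parses are constructed samples embedded in the script, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. Offline versions of the two
# checks in the dumpdecrypted workflow:
#   cat <App>.app/Info.plist | grep CFBundleIdentifier -A 1   (on the device)
#   otool -l <App>.decrypted | grep crypt                     (on the Mac)
# All inputs below are constructed samples.

# Constructed Info.plist fragment (XML plist; binary plists need
# `plutil -convert xml1` first).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>Aweme</string>
    <key>CFBundleIdentifier</key>
    <string>com.ss.iphone.ugc.Aweme</string>
</dict>
</plist>'

# Constructed `otool -l | grep crypt` output, single-arch, still encrypted.
SAMPLE_OTOOL_ENCRYPTED='     cryptoff 16384
    cryptsize 2162688
      cryptid 1'

# Constructed output for a fat binary: one slice dumped (cryptid 0), the other
# still encrypted (cryptid 1). dumpdecrypted only decrypts the slice that ran,
# so this mixed result is a real failure mode worth catching.
SAMPLE_OTOOL_MIXED='     cryptoff 16384
    cryptsize 1048576
      cryptid 0
     cryptoff 16384
    cryptsize 2162688
      cryptid 1'

# Constructed output for a fully decrypted binary.
SAMPLE_OTOOL_DECRYPTED='     cryptoff 16384
    cryptsize 2162688
      cryptid 0'

# bundle_id_from_plist: read an XML plist on stdin and print the <string>
# that follows <key>CFBundleIdentifier</key>.
bundle_id_from_plist() {
    awk '
        /<key>CFBundleIdentifier<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# decrypt_status: read `otool -l | grep crypt` output on stdin and print
#   decrypted           every cryptid is 0
#   encrypted           at least one cryptid is non-zero
#   no-encryption-info  no cryptid line at all (e.g. a development build)
decrypt_status() {
    awk '
        /cryptid/ { seen++; if ($2 != 0) bad++ }
        END {
            if (seen == 0) print "no-encryption-info"
            else if (bad > 0) print "encrypted"
            else print "decrypted"
        }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PLIST" | bundle_id_from_plist
printf '%s\n' "$SAMPLE_OTOOL_ENCRYPTED" | decrypt_status
printf '%s\n' "$SAMPLE_OTOOL_MIXED" | decrypt_status
printf '%s\n' "$SAMPLE_OTOOL_DECRYPTED" | decrypt_status
```

On a real dump, pipe the actual command output into the functions instead of the samples, for example `otool -l Aweme.decrypted | grep crypt | decrypt_status`; treat anything other than "decrypted" as a failed dump before handing the file to class-dump or IDA.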
class-dump
Build class-dump, then run it (with no arguments it prints its usage):
Apple:~ ios$ /Users/ios/Library/Developer/Xcode/DerivedData/class-dump-byyfmosahffhpaakekidtjxpmazx/Build/Products/Debug/class-dump ; exit;
class-dump 3.5 (64 bit) (Debug version compiled Jun 28 2018 14:09:00)
Usage: class-dump [options] <mach-o-file>
where options are:
-a show instance variable offsets
-A show implementation addresses
--arch <arch> choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
-C <regex> only display classes matching regular expression
-f <str> find string in method name
-H generate header files in current directory, or directory specified with -o
-I sort classes, categories, and protocols by inheritance (overrides -s)
-o <dir> output directory used for -H
-r recursively expand frameworks and fixed VM shared libraries
-s sort classes and categories by name
-S sort methods by name
-t suppress header in output, for testing
--list-arches list the arches in the file, then exit
--sdk-ios specify iOS SDK version (will look for /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
or /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk)
--sdk-mac specify Mac OS X version (will look for /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX<version>.sdk
or /Developer/SDKs/MacOSX<version>.sdk)
--sdk-root specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)
Copy class-dump to /usr/local/bin
sudo cp class-dump /usr/local/bin/
Dump the Objective-C headers (class-dump cannot recover Swift classes)
class-dump --arch arm64 /Users/ios/Desktop/test/Aweme.decrypted -H -o /Users/ios/Desktop/test/Headers
Clutch
Build Clutch, then:
Copy the resulting binary to /usr/bin/ on the device and make it executable.
rsync -avze 'ssh -p 2222' /Users/ios/Downloads/ios_util/Clutch-2.0.4/Clutch/clutch root@localhost:/usr/bin
Make it executable
chmod +x /usr/bin/clutch
List the installed apps with their bundle IDs
clutch -i
Installed apps:
1: 微信 <com.tencent.xin>
Decrypt an app: -b dumps only the decrypted binary for the given bundle ID; use -d instead if you want the whole app repackaged as an .ipa
clutch -b com.tencent.xin
IDA
Ctrl+F  filter/search in the current list view
Space  toggle between graph view and text view
Trace arguments back from _objc_msgSend calls: on arm64, x0 is the receiver and x1 the selector
F5  pseudocode (Hex-Rays decompiler)
Option+T  text search
G  jump to address
; and :  add a comment (; repeatable, : regular)
N  rename
X  cross-references
H  toggle hex/decimal display
Y  set type
C  convert to code where bytes were wrongly interpreted as data
D  convert to data where bytes have not been interpreted yet, turning machine code or other content into data items
Show opcode bytes: Options -> General -> Disassembly (Number of opcode bytes)
Static analysis
cd Redstar.framework/
lipo -info Redstar
Keep only the arm64 slice
lipo Redstar -thin arm64 -output Redstar_arm64
Search for a keyword
grep "Star" -rn ./
Before linking the object files into one file, check whether they carry bitcode; if they do not, this prints nothing
otool -l RAPI.o | grep bitcode
Run ld to merge the object files into one
ld -r -arch arm64 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -bitcode_bundle ./*.o -o ../output
Dynamic analysis
1 Copy /Developer/usr/bin/debugserver from the device to the Mac (it is present once the developer disk image is mounted, e.g. after running an Xcode project on the device)
2 Give it the required entitlements: create entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>run-unsigned-code</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
</dict>
</plist>
Sign it with codesign
codesign -s - --entitlements entitlements.plist -f debugserver
3 Copy the re-signed debugserver back to the phone
If it will not run, make it executable
chmod +x /usr/bin/debugserver
Start the debug server (attach by process name or by PID)
debugserver *:1234 -a Aweme
debugserver *:1234 -a <pid>
It prints:
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-360.0.26.3
for arm64.
Attaching to process 2095...
Listening to port 1234 for a connection from *...
Back on the Mac, start lldb. Because the Wi-Fi link is slow, forward the port over USB first:
iproxy 1234 1234
Then connect from inside lldb:
process connect connect://localhost:1234
The process is stopped after attaching; continue it so the app runs normally:
c
image list -o -f 'live4iphone'
var/containers/Bundle/Application/870467F6-0FA6-4BC4-99F1-5635FE795812/live4iphone.app/live4iphone(0x00000001000b8000)
The -o column is the ASLR slide: add it to an address taken from IDA to get the runtime address to break on, and subtract it to map a runtime address from lldb back into IDA.
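Added example (not from the original notes): a shell helper for the IDA/lldb address mapping that the step above relies on. It reads the load address from the `image list -o -f` line, derives the ASLR slide assuming the standard 0x100000000 preferred __TEXT base of an arm64 iOS executable (the base IDA shows by default), and converts addresses in both directions, emitting the lldb breakpoint command. The image list line is a constructed sample modelled on the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. Rebases addresses between
# IDA (static, preferred base 0x100000000 for arm64 iOS Mach-O) and a live
# lldb session using the load address from `image list -o -f '<name>'`.

# Constructed `image list -o -f 'live4iphone'` line: "[ N] <slide> <path>(<load address>)".
SAMPLE_IMAGE_LINE='[  0] 0x00000000000b8000 /var/containers/Bundle/Application/870467F6-0FA6-4BC4-99F1-5635FE795812/live4iphone.app/live4iphone(0x00000001000b8000)'

# Assumption: the binary's preferred __TEXT base, as shown by IDA.
PREFERRED_BASE=0x100000000

# load_address: print the address inside the trailing "(0x...)" of an image list line read on stdin.
load_address() {
    sed -n 's/.*(\(0x[0-9a-fA-F]*\))$/\1/p'
}

# aslr_slide LOAD: load address minus preferred base. This equals the slide
# column lldb prints right after "[ N]" when -o is given.
aslr_slide() {
    printf '0x%x\n' $(( $1 - PREFERRED_BASE ))
}

# runtime_address IDA_ADDR LOAD: static IDA address plus slide.
runtime_address() {
    printf '0x%x\n' $(( $1 + $(aslr_slide "$2") ))
}

# ida_address RUNTIME_ADDR LOAD: the inverse, for mapping a backtrace or crash
# address from lldb back into IDA.
ida_address() {
    printf '0x%x\n' $(( $1 - $(aslr_slide "$2") ))
}

# breakpoint_command IDA_ADDR LOAD: the lldb command to break at an IDA address.
breakpoint_command() {
    printf 'breakpoint set -a %s\n' "$(runtime_address "$1" "$2")"
}

# Demonstration on the constructed line.
LOAD=$(printf '%s\n' "$SAMPLE_IMAGE_LINE" | load_address)
echo "load address: $LOAD"
echo "ASLR slide:   $(aslr_slide "$LOAD")"
breakpoint_command 0x100004e20 "$LOAD"   # 0x100004e20 stands in for an address copied from IDA
ida_address 0x1000bce20 "$LOAD"          # and back again
```

Recompute the slide after every relaunch of the target: ASLR picks a new load address each time, so a breakpoint command generated for one run is wrong for the next.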
Theos
brew install ldid fakeroot dpkg
- make
- make package
- make install
Edit the Makefile as follows (the device IP and port point at the iproxy tunnel set up above, so make install deploys over USB; the after-install step restarts the target app so MobileLoader picks up the new tweak)
export THEOS_DEVICE_IP=localhost
export THEOS_DEVICE_PORT=2222
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = TweakDemo
TweakDemo_FILES = Tweak.xm
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
	install.exec "killall -9 live4iphone"