3. App decryption (shell cracking)

After an app is uploaded to the App Store, Apple encrypts its executable and the system decrypts it dynamically at run time. An app downloaded from the App Store therefore cannot be analyzed directly: before analyzing it we must decrypt it first, a step commonly known as "smashing the shell". The app bundle and its decrypted executables can then be exported to the computer.

1. dumpdecrypted

Did not succeed.

2. Clutch

2.1 Download and Compile

Clone the repository github.com/KJCracks/Cl… to your local machine.

Open the project in Xcode. Under the Debug configuration build all architectures (Build Active Architecture Only = No), select a real device as the run target, then build.

The build produces a command-line tool that runs on the device; a build-phase script copies the executable, signs it separately and places it in the build folder.

Then use scp to copy the Clutch binary to the /usr/bin directory on the device (the user and device address below are placeholders):

scp /Users/ZSQ/Downloads/Clutch-master/build/Clutch <user>@<device-ip>:/usr/bin/

Next connect to the device over SSH and make Clutch executable:

chmod +x /usr/bin/Clutch

2.2 Usage

Command reference

Clutch [OPTIONS]
-b --binary-dump     Only dump binary files from specified bundleID
-d --dump            Dump specified bundleID into .ipa file
-i --print-installed Print installed application
--clean              Clean /var/tmp/clutch directory
--version            Display version and exit
-? --help            Display this help and exit

List the installed apps and their bundle IDs:

Clutch -i

Decrypt the target application:

Clutch -b target.bundle.id

2022-03-11 11:45:00.325 Clutch[3690:399947] command: Only dump binary files from specified bundleID
Zipping xxx.app
Dumping <xxx> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
2022-03-11 11:45:00.660 Clutch[3692:399967] command:
Clutch[3693:399969] command:
Clutch[3695:399973] command:
2022-03-11 11:45:00.662 Clutch[3696:399975] command:
2022-03-11 11:45:00.664 Clutch[3698:399979] command:
2022-03-11 11:45:00.665 Clutch[3694:399971] command:
2022-03-11 11:45:00.668 Clutch[3697:399977] command: Only dump binary files from specified bundleID
Dumping <SwiftSocket> arm64
Successfully dumped framework SwiftSocket!
2022-03-11 11:45:00.699 Clutch[3699:399981] Only dump binary files from specified bundleID
Dumping <PDFReader> arm64
Dumping <SecurityDetector> arm64
Successfully dumped framework PDFReader!
Successfully dumped framework SecurityDetector!
Dumping <Charts> arm64
Dumping <DTIActivityIndicator> arm64
Successfully dumped framework DTIActivityIndicator!
Successfully dumped framework Antlr4!
Dumping <FilesProvider> arm64
Dumping <UXMPDFKit> arm64
Successfully dumped framework Charts!
Successfully dumped framework UXMPDFKit!
Successfully dumped framework FilesProvider!
Zipping FilesProvider.framework
Zipping SwiftSocket.framework
Zipping UXMPDFKit.framework
Zipping Charts.framework
Zipping SecurityDetector.framework
Zipping PDFReader.framework
Zipping DTIActivityIndicator.framework
Zipping Antlr4.framework
DONE: /private/var/mobile/Documents/Dumped/xxx.ipa
Finished dumping com.neo.elf in 1.8 seconds

When decryption succeeds, the path of the decrypted IPA file is printed. You can copy it to the Mac for further analysis.
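The "Patched cryptid (64bit segment)" line in the Clutch log refers to the cryptid field of the LC_ENCRYPTION_INFO_64 load command in the Mach-O header: a FairPlay-encrypted App Store binary carries cryptid = 1, and a dumped binary has the field rewritten to 0. Before loading a dump into a disassembler it is worth confirming that every architecture slice really reports cryptid = 0. The script below is an added example written for this page, not code from Clutch or from the original post: it walks the load commands of a thin or fat (universal) Mach-O file and reports the encryption state of each slice. The Mach-O headers it builds for demonstration are constructed inside the script, so it runs without a device; the helper names (encryption_state, build_sample_slice, build_sample_fat) are this example's own.

```python
import struct
import sys

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE            # 32-bit Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit Mach-O, little-endian on disk
FAT_MAGIC = 0xCAFEBABE           # universal wrapper, big-endian on disk
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21        # 32-bit variant: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C     # 64-bit variant: same fields plus padding
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_X86_64 = 0x01000007
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}


def _slice_state(data, base=0):
    """Walk the load commands of one thin Mach-O slice starting at offset `base`."""
    magic, cputype, _, _, ncmds = struct.unpack_from("<IiiII", data, base)
    if magic == MH_MAGIC_64:
        header_len = 32              # mach_header_64 has an extra reserved field
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    # cryptid None means the slice never had an encryption command (e.g. a dev build)
    state = {"arch": ARCH_NAMES.get(cputype, hex(cputype)), "cryptid": None,
             "cryptoff": None, "cryptsize": None, "encrypted": False}
    off = base + header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at offset 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            state.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                         encrypted=(cryptid != 0))
        off += cmdsize
    return state


def encryption_state(data):
    """Return one state dict per architecture slice of a thin or fat Mach-O file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _, _, offset, _, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            slices.append(_slice_state(data, offset))
        return slices
    return [_slice_state(data, 0)]


def build_sample_slice(cryptid, cputype=CPU_TYPE_ARM64):
    """Constructed 64-bit Mach-O header with an LC_UUID and an LC_ENCRYPTION_INFO_64.
    Sample data for this example only, not a real app binary."""
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


def build_sample_fat(slices):
    """Wrap (cputype, slice_bytes) pairs in a constructed fat header."""
    table_len = 8 + 20 * len(slices)
    entries, body = b"", b""
    for cputype, blob in slices:
        entries += struct.pack(">iiIII", cputype, 0, table_len + len(body), len(blob), 0)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


def main(argv):
    if len(argv) != 2:
        print("usage: %s <Mach-O binary>" % argv[0])
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    for s in encryption_state(data):
        if s["cryptid"] is None:
            verdict = "no encryption info"
        elif s["encrypted"]:
            verdict = "still encrypted"
        else:
            verdict = "decrypted"
        print("%-7s cryptid=%s  %s" % (s["arch"], s["cryptid"], verdict))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the executable inside the dumped .app (or against any framework the log lists) and expect "decrypted" for every slice; a slice that still reports cryptid = 1 was not dumped and would disassemble as noise.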

3. frida-ios-dump

frida-ios-dump is a shell-smashing tool written by a well-known Chinese developer. Address: github.com/AloneMonkey…

3.1 Installing frida

frida-ios-dump depends on frida, and frida requires Python 3. Python 2.7 is installed by default, so leave it alone; use Homebrew to install Python 3.

Install python3

Search for the available Python packages:

brew search python

Then install the version you chose (replace <version> with the version found above):

brew install python@<version>

python3 refers to the python3.x version we just installed, while plain python still invokes the default python2.7. Keep this in mind.

Install pip3

The most convenient way to install frida is with pip. pip is the Python package manager: it finds, downloads, installs and uninstalls Python packages. Check whether it is already installed with:

pip --version   # python2.x
pip3 --version  # python3.x

If it is not installed yet, install it with the following commands:

$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py   # download the installation script
$ sudo python3 get-pip.py                                   # run the installation script

Note: Python 3 was used for the installation, so pip3 is used from here on.

Install frida

Let’s officially install Frida

sudo pip3 install frida
sudo pip3 install frida-tools

Install Frida on your phone

In Cydia, add the source https://build.frida.re/, then search for frida and install it.

SSH connection to the phone

On a Mac terminal:

frida-ps -U

This lists the processes currently running on the device. At this point the frida installation is complete; next, install frida-ios-dump.

3.2 Installing frida-ios-dump

Download frida-ios-dump to your Mac and, inside the frida-ios-dump directory, run the following command to install the required dependency packages:

sudo pip install -r requirements.txt --upgrade

3.3 Smashing the shell with frida-ios-dump

Pick the application to decrypt from the list printed by frida-ps -U, then run, inside frida-ios-dump:

python3 ./dump.py <application name or bundle ID>

Once the shell is smashed, the decrypted application is copied directly into the frida-ios-dump folder. Very convenient.