Welcome to follow the official WeChat account: FSA Full Stack Action 👋

Before an iOS app is released on the App Store, Apple encrypts its executable with FairPlay DRM, which is commonly described as "adding a shell" (加壳). To analyze the app you must first "remove the shell" (脱壳), that is, dump an unencrypted copy of the binary.

First, detecting whether the app is encrypted

This section describes two common methods

1. Detecting with otool

Run the following command against the app's main executable (here Twitter, the binary inside Twitter.app):

otool -l Twitter | grep crypt

In the output, each LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command shows cryptoff, cryptsize and cryptid. A cryptid of 1 means the binary is encrypted (shelled); 0 means it is not. A fat binary has one such command per architecture, so pass -arch all to otool and check every slice.

2. Detecting with MachOView

Open the target file in MachOView, expand Load Commands and locate LC_ENCRYPTION_INFO_64 (LC_ENCRYPTION_INFO for a 32-bit binary). The Crypt ID shown on the right is read as above: 1 means encrypted, 0 means not encrypted. In a fat binary each architecture has its own load commands, so check each of them.

Second, removing the shell (dumping the decrypted binary)

The commonly used dumping tools below are listed in order of recommendation, most recommended first.

1. CrackerXI

CrackerXI is simple to install and use, and is by far the most hands-off dumping tool.

Add the source http://cydia.iphonecake.com/ in Cydia, then search for CrackerXI and install it.

Before dumping, open the Settings page and configure it as shown in the figure below.

Go back to the AppList page and tap the app you want to dump. In the dialog that pops up, select "YES, Full IPA".

2. Clutch

Github.com/KJCracks/Cl…

Find the latest build on the Releases page, download it, rename it to Clutch, and copy the Clutch file to the /usr/bin directory on the iOS device:

scp -P 2222 -r ./Clutch root@localhost:/usr/bin/

Log in to the iOS device and make the Clutch file executable:

lxf-iPad:~ root# chmod +x /usr/bin/Clutch

For how to upload files from a Mac to an iOS device through port 2222, and how to log in to the device, see my other article: Remote Login to iOS devices from Mac.

Run Clutch with no arguments to see its help:

lxf-iPad:~ root# Clutch
Usage: Clutch [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID
-d --dump <value>        Dump specified bundleID into .ipa file
-i --print-installed     Print installed applications
   --clean               Clean /var/tmp/clutch directory
   --version             Display version and exit
-? --help                Display this help and exit
-n --no-color            Print with colors disabled

The -i option lists the apps installed from the App Store together with their bundle IDs:

lxf-iPad:~ root# Clutch -i
Installed apps:
1:   Twitter <com.atebits.Tweetie2>
...

The -d option dumps an app, identified by bundle ID, into an .ipa. Twitter as an example:

Clutch -d com.atebits.Tweetie2

After dumping, the .ipa is stored in the /private/var/mobile/Documents/Dumped/ directory. (With -b instead of -d, Clutch writes only the dumped binaries rather than a full .ipa.)

3. dumpdecrypted

Github.com/stefanesser…

Download the source code and run make in the dumpdecrypted directory to build dumpdecrypted.dylib (this needs Xcode with the iOS SDK installed):

# Go to the dumpdecrypted directory
cd xxx/dumpdecrypted

# Compile
make

Once compiled, the directory contains dumpdecrypted.dylib:

.
├── Makefile
├── README
├── dumpdecrypted.c
└── dumpdecrypted.dylib

Copy dumpdecrypted.dylib to the iOS device:

scp -P 2222 -r ./dumpdecrypted.dylib root@localhost:/usr/bin/

Launch the target app on the device, then use ps to find the full path of its executable (the app must be running for it to appear):

lxf-iPad:~ root# ps -ax | grep Twitter
15153 ??         0:00.00 /var/containers/Bundle/Application/3A7C3480-C30B-40D7-A0A4-6C313E42B793/Twitter.app/Twitter
15161 ttys000    0:00.02 grep Twitter

Dump the app by injecting dumpdecrypted.dylib into it through the DYLD_INSERT_LIBRARIES environment variable. dyld loads the library into the app's process before the app's own code runs, and the kernel transparently decrypts the FairPlay-encrypted pages as they are mapped, so the library's constructor can copy the decrypted region out of memory and write a patched copy of the file. Give the absolute path to the dylib (a relative path is resolved against the current directory, not /usr/bin), and run the command from the directory where you want the output, because dumpdecrypted writes into the current working directory:

DYLD_INSERT_LIBRARIES=/usr/bin/dumpdecrypted.dylib /var/containers/Bundle/Application/3A7C3480-C30B-40D7-A0A4-6C313E42B793/Twitter.app/Twitter

When the command returns, the dumped file, named Twitter.decrypted, is in the current working directory. dumpdecrypted only handles the main executable it was injected into; encrypted frameworks inside the bundle are not dumped by it.
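The two halves of this procedure, as an added example in Python that is not part of the original article or of any of the tools it describes: the cryptid check from the first section (what `otool -l | grep crypt` and MachOView display, and what the validation step at the end re-checks), and the splice that dumpdecrypted performs once dyld has loaded it, namely overwriting the encrypted byte range of the on-disk file with the decrypted bytes and clearing cryptid. The constant names follow <mach-o/loader.h> and <mach-o/fat.h>; everything else (the function names, the minimal Mach-O and fat builders, the 128-byte cryptoff instead of the real page-aligned 0x4000, and the 0xAA/0x55 bytes standing in for ciphertext and decrypted pages) is constructed here so the script runs offline.

```python
"""Mach-O cryptid check and dumpdecrypted-style splice on constructed samples (runs offline)."""
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, LC_UUID = 0x2, 0x1B
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0C, 0x0100000C


def _thin_info(data, base=0):
    """Walk the load commands of the little-endian thin Mach-O at data[base:] and return
    the LC_ENCRYPTION_INFO(_64) fields (cryptoff is slice-relative), or None if absent."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no Mach-O header at offset %#x" % base)
    hdr_size = 32 if magic == MH_MAGIC_64 else 28  # mach_header_64 has an extra reserved field
    cputype = struct.unpack_from("<i", data, base + 4)[0]
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end = base + hdr_size, base + hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")  # truncated or corrupt file
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cputype": cputype, "cmd_offset": off, "cryptoff": cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def encryption_info(data):
    """One record per architecture slice, the same view `otool -arch all -l` gives."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [_thin_info(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):  # fat_header and fat_arch are big-endian on disk
        _cpu, _sub, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat slice %d extends past end of file" % i)
        slices.append(_thin_info(data, offset))
    return slices


def is_encrypted(data):
    """True if any slice carries cryptid != 0: the otool/MachOView check from the first section."""
    return any(info is not None and info["cryptid"] != 0 for info in encryption_info(data))


def splice_decrypted(on_disk, in_memory_text):
    """What dumpdecrypted does after dyld has mapped and decrypted the image: copy the
    decrypted bytes over [cryptoff, cryptoff + cryptsize) of the on-disk file and set
    cryptid to 0 so the result loads, and passes the check above, as unencrypted."""
    info = _thin_info(on_disk)
    if info is None or info["cryptid"] == 0:
        raise ValueError("binary is not encrypted; nothing to dump")
    if len(in_memory_text) != info["cryptsize"]:
        raise ValueError("decrypted region must be exactly cryptsize bytes")
    out = bytearray(on_disk)
    out[info["cryptoff"]:info["cryptoff"] + info["cryptsize"]] = in_memory_text
    struct.pack_into("<I", out, info["cmd_offset"] + 16, 0)  # cryptid follows cmd, cmdsize, cryptoff, cryptsize
    return bytes(out)


def build_thin(cryptid, ciphertext, is64=True, cputype=CPU_TYPE_ARM64):
    """Constructed sample: a minimal MH_EXECUTE image with LC_UUID and LC_ENCRYPTION_INFO(_64).
    Real App Store binaries put cryptoff at 0x4000 (one 16 KB page); 128 keeps the sample small."""
    cryptoff = 128
    lc_uuid = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
    if is64:
        lc_enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, len(ciphertext), cryptid, 0)
        hdr = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 2, len(lc_uuid) + len(lc_enc), 0, 0)
    else:
        lc_enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, len(ciphertext), cryptid)
        hdr = struct.pack("<IiIIIII", MH_MAGIC, cputype, 0, MH_EXECUTE, 2, len(lc_uuid) + len(lc_enc), 0)
    return (hdr + lc_uuid + lc_enc).ljust(cryptoff, b"\x00") + ciphertext


def build_fat(thins):
    """Constructed sample: wrap thin images in a big-endian fat header (slices unaligned, unlike lipo)."""
    offset, table, blobs = 8 + 20 * len(thins), b"", b""
    for thin in thins:
        cputype = struct.unpack_from("<i", thin, 4)[0]
        table += struct.pack(">iIIII", cputype, 0, offset, len(thin), 0)
        blobs, offset = blobs + thin, offset + len(thin)
    return struct.pack(">II", FAT_MAGIC, len(thins)) + table + blobs


def demo():
    """Encrypted sample -> detect -> splice -> re-check, plus a two-slice fat binary."""
    ciphertext, plaintext = b"\xAA" * 32, b"\x55" * 32  # stand-ins for FairPlay ciphertext / decrypted pages
    encrypted = build_thin(1, ciphertext)
    dumped = splice_decrypted(encrypted, plaintext)
    fat = build_fat([build_thin(1, ciphertext, is64=False, cputype=CPU_TYPE_ARM), encrypted])
    return {"before": is_encrypted(encrypted), "after": is_encrypted(dumped),
            "dumped_text": dumped[128:], "fat_cryptids": [s["cryptid"] for s in encryption_info(fat)]}


if __name__ == "__main__":
    print(demo())
```

To run the check on a real dumped file, call encryption_info(open(path, "rb").read()) on the executable inside Payload/<App>.app; a slice whose cryptid is still 1 was not dumped. The splice models only the main executable's encrypted range, which is all dumpdecrypted touches, so encrypted frameworks in the bundle have to be checked and dumped on their own.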

4. frida-ios-dump

Github.com/AloneMonkey…

Once you have downloaded the source, install the Python dependencies its scripts need:

pip install -r requirements.txt

dump.py connects to the device over SSH on localhost:2222 (the same port-2222 tunnel used above; the root/alpine defaults are set at the top of dump.py) and drives frida-server, which must already be running on the jailbroken device.

-h shows the help for the parameters:

python dump.py -h

-l lists the apps installed on the device; running ./dump.py with an app's display name or bundle ID from that list (instead of -l) dumps it to an .ipa in the current directory:

./dump.py -l

Third, retrieving the dumped file

1. Ace Assistant

Taking CrackerXI as an example, browse to the following path to find the dumped file:

/private/var/mobile/Documents/CrackerXI/

Select the target file and click the Export button in the upper left corner, or right-click the file and choose Export from the pop-up menu.

2. scp

scp -P 2222 -r root@localhost:/private/var/mobile/Documents/CrackerXI/Twitter_8.61_lxf.ipa ./

Fourth, validation

As mentioned at the start of this article, use otool or MachOView to check the cryptid of the dumped binary: unzip the .ipa, locate the executable inside Payload/<App>.app, and confirm that every architecture reports cryptid 0 (otool -arch all -l <binary> | grep crypt). A value of 0 means the dump succeeded.