The opening

Through this article, you can understand the basic knowledge of iOS reverse and have a certain understanding of the security of iOS App. Then, it can find dangerous vulnerabilities in its own App to prevent them and ensure user data security.

In security, offense and defense always exist. Even with the iPhone’s strong security mechanisms, geeks have developed powerful and convenient tools that keep them curious. This article is based on the tools provided by these geeks!

The preparation of the instruments

  • Macs and jailbroken iphones
  • Check out the phone’s system directory tool iFunbox or iTools
  • Network analysis tool Charles
  • Decompiler tool Hopper, IDA Pro
  • Check out the header tool class-dump
  • Shell smashing tool Dumpdecrypted, Clutch
  • Debugger LLDB or GDB
  • Debugging tool: Cycript

HTTP (S) caught

HTTP caught

Step 1: Obtain the MAC IP address

Press the Option key and tap the wireless Icon on the Mac menu bar to see the IP address of the current computer. You can also enter ifconfig en0 on the terminal.

Step 2: Set up the proxy

Ensure that the mobile phone and computer are on the same WIFI. On the mobile phone, click “Settings -> WIRELESS LAN -> Connected WIFI” to set HTTP proxy:

Server: Mac IP address (for example, 192.168.1.122)

Port: 8888

Step 3: Grab the bag

On the computer, open Charles. Make a network request on your phone, and Charles will pop up an inquiry dialog box

Click “Allow” and Charles will display a list of HTTP requests for the phone.

HTTPS caught

Step 1: Obtain the certificate installation address

Install SSL certificates to mobile devices. Click Help -> SSL Proxying -> Install Charles Root Certificate on a Mobile Device

Pop-up window appears to get the address CHLS. Pro/SSL

Step 2: iPhone installation certificate

Enter the address chls.pro/ SSL in the Safari browser of the mobile phone, and the certificate installation page is displayed. Click Install, and enter the password configured on the mobile phone to install the certificate

Step 3: Configure the proxy host

Charles sets the Proxy. Select Proxy -> SSL Proxying Settings…

Check Enable SSL Proxying and click Add

Set Host to the HTTPS interface to capture and Port to 443.

Let the mobile phone resend the HTTPS request, and you can see the captured packet.

Note: if you do not capture packets, please close the MOBILE HTTP proxy, otherwise you will not be connected to the Internet after disconnecting from the computer!

Get the.h header file

Ipa downloaded directly from AppStore is encrypted by FairPlay DRM technology of Apple, so class-dump cannot be used to obtain header files directly. You can use class-dump to view all header files. This section explains how to get.h files.

This section does not describe the installation process of class-dump. For details, go to Baidu.

Go to the directory where appname. ipa resides, change the.zip extension, and unzip the file to get appname. app.

Then execute:

class-dump -H appName.app -o ./headers/

After the command is executed, all headers files of the app are displayed in the headers directory under the current directory.

Adding the -a -S argument marks the IMP addresses of class methods and properties in the header file.

class-dump -H -A -S appName.app -o ./headers/

SSH Access the mobile phone file directory

Install OpenSSH on your jailbroken phone using the Cydia App Market. Make sure your Mac and iPhone are on the same WIFI.

SSH root@IP, replace IP with the IP address of the iPhone

Enter the default password: alpine

You can enter the iPhone terminal.

Decompile the App with Clutch

Step 1: Re-sign the DebugServer

There are two ways to obtain the debugServer.

The first is on a Mac

Enter the path / Applications/Xcode. App/Contents/Developer/Platforms/iPhoneOS platform/DeviceSupport / 8.3 / DeveloperDiskImage. DMG (in the path 8.3, indicates the iOS version, which must be consistent with the jailbroken mobile phone version. Double-click developerDiskimage.dmg to copy the usr/bin/ debugServer from the directory to the specified folder.

The second is from a jailbroken phone

If the phone is connected to the phone and debugged the app with XCode, a debugServer file will be generated in the directory /Developer /usr/bin/in the phone. Export to Mac desktop using iFunbox. Or run the SCP command cpoy.

Heavy signature debugserver

Add task_for_PID permission to the debugServer

Create Entitlements. Plist, add the following four keys:

Copy the code

Values corresponding to key are set to true

Place Entitlements. Plist and DebugServer in the same directory, execute the following command:

codesign -s - --entitlements entitlements.plist -f debugserver

This command re-signs the debugServer and copies the signed debugServer to the /usr/bin/directory of the mobile phone system.

Note: Do not copy the debugServer to /Developer/usr/bin/

Step 2: Clutch the decomcompiled App executable

Place the downloaded Clutch in the /usr/bin/directory of your phone. Then, give Clutch permission, SSH into the phone, go to /usr/bin/ and execute chmod a+x./Clutch.

Use the command clutch-i to list all the applications that can be clutched.

Unshell the application with a specified serial number, such as enterprise wechat, serial number 1, command is clutch-d 1. When the execution is complete, a shelled IPA is obtained.

Step 3: Use class-dump to retrieve the.h header file

Use the method described above to get the unhulled App header and write down the IMP address of the method to break the point.

Dynamically debug App

The debugger used for dynamic debugging in this article is LLDB.

Step 1: Put the iPhone into the waiting state

Log in to the mobile phone using SSH and run ps -e to obtain the App PID or project name.

Enter/usr/bin/execution. / debugserver IP: port – a PID | appProjectName. The first parameter IP can be replaced by the Mac IP address, or the * wildcard character can be used to allow debugging of all IP addresses. The second parameter, port, is just a random parameter. The fourth parameter can specify the PID or project name of the App to be debugged. For example, if the SogouInput method whose PID is 6019 is SogouInput, run the following command:

./ debugServer *: 1234-a 6019 or./ debugServer *: 1234-a ‘SogouInput’

After this command is executed, the APP will enter the mount state, and the app will be stuck. Normal phenomenon!

If the command displays an error such as Segmentation fault: 11, it indicates that the App is protected for anti-dynamic debugging. In this case, it is necessary to determine which protection scheme is adopted by the App, and then find corresponding measures to eliminate its anti-dynamic debugging protection.

Step 2: Listen to the process and enter the mount state

Restart a Mac terminal and run the LLDB command to debug LLDB. Then enter

process connect connect://iPhoneIP:port

Replace iPhoneIP with iPhoneIP address. Change port to the specified port 1234.

After the command is executed, the App enters the mounting state.

Step 3: Get the ASLR offset of App

The ASLR offset is essentially the offset of the virtual memory address relative to the module base address. There are two concepts to familiarize yourself with:

  • Module start address in memory —- Module base address
  • ASLR offset —- The offset between the virtual memory start address and the module base address

In LLDB debugger mode, run the imge list -o -f command

Base address after module offset = ASLR offset + base address before module offset (method IMP address)

This formula is especially important because class-dump shows the “base address before module offset”, whereas LLDB operates on the “base address after module offset”. So from class-dump to LLDB there is an address offset conversion.

At this point, you have the ASLR offset of App and the IMP address of the method.

Step 4: Break point, debug

Execute in LLDB mode, br S -a ‘ASLR offset + IMP’, then execute C to make App run, trigger a method call and go into breakpoint mode. Type Po $arg1 to print the first argument.

Then, with tools like Charles(for example, analyzing network request encryption logic) and class-dump (for example, modifying the return value of a Class method), you can debug your App dynamically just like you would in XCode!

Br Command Description

Br dis 1 — Disable breakpoint 1

Br en 1 — Enable breakpoint 1

Br dis — Disable all breakpoints

Br en — Enable all breakpoints

Br del 1 — Delete (delete) the breakpoint number 1

Br del — Delete all breakpoints

Br list — Lists all breakpoints

Use the DumpDecrypted Decrypted App

The dumpDecrypted tool works by running an application (iOS decrypts the program before starting it), and then writing the decryption result in memory to a file in dump, resulting in a new executable.

Step 1: Generate the.dylib file

To generate dumpdecrypted. Dylib, go to the downloaded directory on the terminal, CD Dumpdecrypted -master, and execute make

Step 2: Find the App’s Documents folder path

Log in to the iPhone using SSH and run ps -e to view the process and get the process PID to break the shell. Then execute cycript -p PID to attach to the PID process. Finally performed [[NSFileManager defaultManager] URLsForDirectory: NSDocumentDirectory inDomains: NSUserDomainMask] [0] to get the Documents Folder path.

Step 3: Start breaking the shell

Copy the dumpdecrypted. Dylib generated in step 1 to the one generated in step 2… /Documents/ Under the path, the command is as follows: scp ~/dumpdecrypted.dylib Root @ IP: / var/mobile/Containers/Data/Application / 2 b4c6281 ff3 – A8EC C015-4-5 e5c7554d447 / Documents (the paths in the UDID replacement for your App to hatch The UDID)

Go to the Documents directory, Perform DYLD_INSERT_LIBRARIES = dumpdecrypted. Dylib/var/mobile/Containers/Bundle / Application/BFED82A3 f41-3238-4 – B797 – C1CB584CBE05 / appProjectName. The app/appProjectName (UDID replacement for you in the paths of breaking the app UDID; Replace appProjectName with the name of the project to break the App.)

After the command is executed, a file called AppProject.decrypted is generated in the current directory. This is the decrypted App executable, that’s what you want! Use class-dump to get the header file. Or decompilate using Hopper or IDA Pro.

Add anti-dynamic debugging to your App

ptrace

To facilitate application development and debugging, a means of tracking and controlling running processes has been provided since early versions of Unix: the system call ptrace(). You can use pTrace to debug trace another process, and pTrace also provides a useful parameter called PTDENYATTACH, which tells the system to prevent the debugger from attaching.

So the most common anti-debugging scheme is to reverse debugging by calling ptrace.

sysctl

When a process is being debugged, it will have a flag to indicate that it is being debugged. Therefore, you can use sysctl to check the information about the current process and see if there is this flag bit to check the current debugging status.

Exit when it detects a debugger, or create a crash, or hide the project, or periodically check for the flag.

syscall

In order to switch from user mode to kernel mode, the system provides a system call function syscall. The ptrace mentioned above is also implemented through system call.

The number of ptrace can be found in Kernel Syscalls27.

26. ptrace 801e812c T

So the following call is equivalent to calling ptrace:

The syscall,31,0,0,0 (26);

arm

Syscall is implemented from user to kernel mode by soft interrupts, and can also be implemented by assembly SVC calls.

Feel good, welcome to pay attention to my public number oh!