What is packing?
Applying special transformations (such as compression or encryption) to an executable's code in order to protect the program code from analysis.
- Unpacked: when our App's executable runs, the code in the executable is loaded into memory directly.
- Packed: all the code in the executable is encrypted and can no longer be loaded by dyld as-is, so a shell program is wrapped around the executable to make it directly runnable. The shell program decrypts our executable with the matching decryption algorithm, then executes it and loads the code into memory.
Usually, when we download an App from the App Store, it is the App Store that packs (encrypts) the App we uploaded.
How can I tell whether a Mach-O file is packed?
- Use the otool command line tool to view the Load Commands and look at the cryptid value in the output:
otool -l <file path> | grep crypt
- Or load the file in MachOView and look at Load Commands -> LC_ENCRYPTION_INFO (LC_ENCRYPTION_INFO_64 in 64-bit binaries) -> Crypt ID: 0 means unencrypted, >= 1 means encrypted.
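The Crypt ID check above can also be scripted. The following Python is an added example, not code from the original post: it walks the Mach-O load commands directly (thin files and fat containers) and returns the cryptid that otool's output shows, refusing to trust a malformed command table. The sample binaries it builds are constructed stubs, not real apps, and the arm64/armv7 cputype constants and MH_EXECUTE filetype used for them are assumptions.

```python
import struct
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_crypt_id(data, base=0):
    """cryptid of LC_ENCRYPTION_INFO(_64) in the Mach-O slice at `base`, or None if absent."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    hdr_len = 32 if magic == MH_MAGIC_64 else 28      # mach_header_64 adds a reserved field
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end = base + hdr_len, base + hdr_len + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:          # never trust a corrupt command table
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<I", data, off + 16)[0]   # cryptid follows cryptoff, cryptsize
        off += cmdsize
    return None

def crypt_ids(data):
    """Map each architecture slice (keyed by file offset) to its cryptid; thin or fat input."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return {0: slice_crypt_id(data)}
    nfat_arch = struct.unpack_from(">I", data, 4)[0]   # fat header and fat_arch are big-endian
    offsets = [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat_arch)]
    return {off: slice_crypt_id(data, off) for off in offsets}

def is_encrypted(data):
    """True when any slice still carries cryptid >= 1 (the state of an App Store download)."""
    return any(cid for cid in crypt_ids(data).values())   # None and 0 are both falsy

def build_sample(cryptid, bits=64):
    """Constructed minimal Mach-O (header + one encryption command) for offline tests; not runnable."""
    if bits == 64:   # assumed arm64 slice: cputype CPU_TYPE_ARM64, filetype MH_EXECUTE
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    else:            # assumed armv7 slice
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 0xC, 9, 2, 1, len(lc), 0)
    return hdr + lc

def build_fat(slices):
    """Constructed fat container wrapping the given thin slices back to back."""
    hdr, archs, body = struct.pack(">II", FAT_MAGIC, len(slices)), b"", b""
    for s in slices:
        archs += struct.pack(">IIIII", 0, 0, 8 + 20 * len(slices) + len(body), len(s), 0)
        body += s
    return hdr + archs + body
```

On a real file, `is_encrypted(open(path, "rb").read())` gives the same answer as the otool/MachOView check.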
What is unpacking?
The process of removing the shell program and restoring the unencrypted executable.
There are two kinds of unpacking: static (hard) unpacking and dynamic unpacking.
- Hard unpacking: the shell program's decryption algorithm is implemented directly to recover the executable we need. On iOS, hard unpacking is generally used.
- Dynamic unpacking: after the program has started running, the executable we need is dumped directly from memory.
The most commonly used unpacking tools on iOS are Clutch and dumpdecrypted.
Clutch
Download: github.com/KJCracks/Cl…
- Download the latest Release and rename the downloaded file to Clutch
- Copy the Clutch file to the /usr/bin directory on the iPhone with the following command, or drag it over with iFunBox:
scp <Clutch file path> root@<iPhone address>:/usr/bin
If running the Clutch command on the iPhone reports a permission error, add execute permission to Clutch:
chmod +x /usr/bin/Clutch
Using Clutch
After connecting to the iPhone remotely, list the currently installed apps that can be unpacked:
Clutch -i
Unpack an App by its serial number or bundle ID:
Clutch -d <serial number> or Clutch -d <bundle ID>
After unpacking succeeds, the unpacked ipa file can be found under /private/var/mobile/Documents/Dumped/.
In this path, /private/var is the real path on the iPhone; /var on the iPhone is a symlink to /private/var.
Copy the unpacked IPA to the Mac, find the Mach-O file inside it, and use otool to check the Load Commands; the Crypt ID should now be 0.
dumpdecrypted
Download: github.com/stefanesser…
- After downloading the source code, run make in the source directory to compile it and obtain the dylib dynamic library file.
- Copy the dylib file to the iPhone (/var/root is recommended when you are root).
Using dumpdecrypted
- In a terminal on the iPhone, cd to the directory containing the dylib and use the DYLD_INSERT_LIBRARIES environment variable to inject the dylib into the executable that needs to be unpacked:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <executable file path>
- You can find the full path of the executable running on the iPhone with ps -A.
- After execution, a corresponding .decrypted file is generated in /var/root; that is the decrypted executable. Check its Load Commands with otool again; the Crypt ID should now be 0.
- Finally, you can export all the header files from the executable with a tool such as class-dump.