Recently, I have sorted out the information related to IOS APP reverse engineering and shared it with you.

Reverse engineering can be divided into four steps: shell breaking, dump, hook, re-sign.

A, shell smashing:

Summary: IOS APP, if uploaded to the APP Store will be encrypted by Apple, so we downloaded the installation package is encrypted, to perform a decryption, that is, to crack the shell.

Let’s take wechat for example:

First we need a jailbroken iPhone, then go to Cydia and install openSSH, Cycript and iFile. (Easy to view log files when debugging programs)

The new version of iTunes has removed the App function, so you can only download the latest wechat from the App Store on your phone.

Step 1: To get the exact location of the executable file and sandbox of wechat, we first turn off all the programs on the iPhone, but leave wechat.

  

Connect to SSH, open Bash for Mac, and use SSH to connect iPhone(make sure iPhone and Mac are on the same network segment). The default root password of openSSH is alpine

And then type the command ps – e | grep WeChat


Sometimes we need an APP Bundle ID. Here we have a tip. We can close all the apps on the iPhone but keep the apps like wechat, and then enter the command

Ps -e to output the Bundle ID of the currently running APP.

To find the specific path of sandbox Documents, we need to use Cycript to find the specific path of wechat Documents. Enter the command cycript -p WeChat

Open the WeChat, into cy# mode input NSSearchPathForDirectoriesInDomains (NSDocumentDirectory NSUserDomainMask, ES) [0] can find the Documents of the specific path, Or use cy# directory = NSHomeDirectory() to get the location of the sand river (missing /Documents).


Control +D exits the mode

  • Compile DumpdecrypTED To go to the directory of dumpdecrypted source code, type make to compile Dumpdecrypted. Make will generate a dylib file in the current directory.

    • 5. Create a dynamic library file

      (1) A mistake

      After ensuring that the dynamic library Settings in the Makefile are consistent with the iOS real environment, type: make in the current directory.

      But it failed with the following error message:

      1. `xcrun –sdk iphoneos –find gcc` -Os -Wimplicit -isysroot `xcrun –sdk iphoneos –show-sdk-path` -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/Frameworks -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
      2. /bin/sh: /Applications/Xcode: No such file or directory
      3. make: *** [dumpdecrypted.o] Error 127

      The reason is that /Applications/Xcode cannot be found to execute some of these scripts. Well, I have 3 Xcodes in my Mac: /Applications/Xcode 5.0.2, /Applications/Xcode 5.1.1, /Applications/Xcode 6 Beta4, is no /Applications/Xcode.

      Don’t worry, just rename Xcode 5.1.1 to Xcode:

      1. $ sudo mv Xcode\ 5.1.1.app/ Xcode.app/

      (2) Wrong again

      “Make”, “error”, same error message as above.

      Xcode-select = xcode-select = xcode-select = xcode-select = xcode-select

      1. $ xcode-select -p
      2. / Applications/Xcode 5.1.1. App/Contents/Developer


      Xcrun found the CMD tool in Xcode 5.1.1/, but of course it found nothing. /Applications/ xcode.app /)

      1. $ sudo xcode-select -r
      2. $ xcode-select -p
      3. /Applications/Xcode.app/Contents/Developer

      (3) Success

      Then make, success, output as follows:

      1. $ make
      2. `xcrun –sdk iphoneos –find gcc` -Os -Wimplicit -isysroot `xcrun –sdk iphoneos –show-sdk-path` -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/Frameworks -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
      3. `xcrun –sdk iphoneos –find gcc` -Os -Wimplicit -isysroot `xcrun –sdk iphoneos –show-sdk-path` -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/Frameworks -F`xcrun –sdk iphoneos –show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
      5. $ ls
      6. Makefile dumpdecrypted.c dumpdecrypted.o
      7. README dumpdecrypted.dylib


      You can see that there are two more files in the directory, of which the suffix dylib is the dynamic library file we will create, which is the hammer used to break the shell.



  • SCP copy command Use the SCP command to copy dumpdecrypted. Dylib into the Documents path directory of the iPhone. Type the command: SCP source path: target file path

  • Start cracking shells!! Go back to SSH on your phone and type the command Dumpdecrypted. Specific usage: dumpdecrypted DYLD_INSERT_LIBRARIES = / PathFrom/dumpdecrypted dylib/PathTo

Copy the code

mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] detected 32bit ARM binary in memory. [+] offset to cryptid found: @0x56a4c(from 0x56000) = a4c [+] Found encrypted data at address 00004000 of length 38748160 bytes – type 1. [+] Opening /private/var/mobile/Containers/Bundle/Application/2C920956-E3D6-4313-BD88-66BD24CEBE9B/WeChat.app/WeChat for reading. [+] Reading header [+] Detecting header type [+] Executable is a FAT image – searching for right architecture [+] Correct arch is at offset 16384 in the file [+] Opening WeChat.decrypted for writing. [+] Copying the not encrypted start of the file [+] Dumping the decrypted data into the file [+] Copying the not encrypted remainder of the file [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c [+] Closing original file [+] Closing dump file

This means that the decryption has succeeded, and the decrypted file is generated in the current directory, which is called Decrypted. Again use SCP to copy the decrypted file to the computer. Next we need to formally dump the decrypted executable.

  • SCP remote download to local

    Input instruction:SCP -r root@ip: file directory/file name/destination

Copy the code
Dump debug or release packages, without breaking the shell, can be directly dumped. Only packages downloaded from the App Store need to be cracked. The dump method is as follows: After installation, run the following command: class-dump -h Directory for exporting framework files -o Directory for storing exported header files:cdTo this file, class-dump -h WeChat can get WeChat code declaration of all methods. H file. Third, the hooksCopy the code

– (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2; – (void)AsyncOnAddMsg:(id) arg2; Arg1, – (void) OpenRedEnvelopesRequest: (id); . Yes, next we are going to use these two methods to achieve wechat automatic grab red envelope function. Its realization principle is that by hook wechat’s new message function, we judge whether it is a red envelope message, if so, we call wechat’s method of opening a red envelope. This can achieve the purpose of automatically snatching red envelopes. Ha ha, is not very simple, let’s see how it is implemented.

  • Create a dylib project, because Xcode does not support dylib generation by default, so we need to download iOSOpenDev, and open Xcode again after installation (Xcode7 environment will prompt iOSOpenDev installation failure, please refer to iOSOpenDev installation problem). You can see the iOSOpenDev option under the new project option.

iOSOpenDev

  • The dylib code selects Cocoa Touch Library, so we create a new Dylib project, which we call autoGetRedEnv.

    Delete the autogetreden v.h file, change autogetreden v.m to Autogetreden V.mm, and then add captainhook.h to the project

    Since wechat will not load our hook code on its own initiative, we need to write hook logic into the constructor.

__attribute__((constructor)) static void entry() {// Specific hook method}Copy the code

Hook wechat AsyncOnAddMsg: MsgWrap: method, which is implemented as follows:

// Declare the CMessageMgr class CHDeclareClass(CMessageMgr); CHMethod(2, void CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) {// Call AsyncOnAddMsg:MsgWrap: CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2); //... // The third argument to objc_msgSend must be declared as NSMutableDictionary, otherwise when objc_msgSend is called, (void (*)(id, SEL, NSMutableDictionary*))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params); } __attribute__((constructor)) static void entry() {// Load CMessageMgr class CHLoadLateClass(CMessageMgr); //hook AsyncOnAddMsg:MsgWrap: CHClassHook(2, CMessageMgr, MsgWrap); }Copy the code

All the codes of the project have been put into Github by the author.

Once the implementation logic is complete, dylib is generated.

Repackage the wechat App

  • In order to run the wechat application and execute our code, we first need wechat to join our dylib. Here we use a dylib injection artifact: Yololib, download the source code from the Internet, and compile it to get Yololib.

    Using Yololib, simply execute the following sentence to complete the successful injection. Before injection we rename the decrypted file we saved to decrypted, which is an executable that has been shelled. ./yololib Target executable file to be injected into the dylib after successful injection of the following information:

    Dylib injection

  • New Entitlements. Plist

<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE plist PUBLIC "- / / / / DTD plist Apple / 1.0 / EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" > < plist Version = "1.0" > < dict > < key > application - identifier < / key > < string > 123456. com.autogetredenv.demo < / string > <key>com.apple.developer.team-identifier</key> <string>123456</string> <key>get-task-allow</key> <true/> <key>keychain-access-groups</key> <array> <string>123456.com.autogetredenv.demo</string> </array> </dict> </plist>Copy the code

You may not know your certificate Teamid and other information. Here is a tip. You can find the App(for example, Demo) that has been packaged with your developer certificate or enterprise certificate before. ./ldid -e ./Demo.app/demo

. Next we generate dylib (libautoGetRedEnv dylib), just inject dylib WeChat and embedded. Mobileprovision file (which can be found in the packaging before the App) copy to WeChat. The App.

Fourth, renewal

  • Re-sign wechat

  • Command format: codesign -f -s Certificate name object file

    PS: The certificate name can be found in the keystring

    Codesign command is used to sign relevant files in wechat respectively, and the specific implementation is as follows:

    The signature again

  • Xcrun iphoneOS PackageApplication -v WeChat. App -o ~/WeChat. Ipa

Copy the code

Install wechat with red envelope snatching function

If all of the above steps are successfully implemented, then everything really needs to be ready

We can use the iTools tool to install the improved wechat for iPhone(the iPhone Device ID needs to be added to the certificate).

Welcome to joinIOS Development Exchange Learning Group(Password 123), we learn and grow together

Citation: Original address