iOS reverse engineering

Preparation: an iPhone with a full (untethered) jailbreak

Approach to reversing an app:

1. Code analysis

2. Static analysis of Mach-O files: MachOView, class-dump, Hopper Disassembler, IDA, etc.

3. Dynamic debugging of the running app: debugserver, LLDB

4. Writing code

5. Injecting the code into the app

6. If necessary, re-signing and packaging the IPA

1. Logging in to the iPhone remotely from the Mac

  • SSH (Secure Shell) is a secure remote-shell protocol.

    OpenSSH is a free, open-source implementation of the SSH protocol (install OpenSSH on the iPhone from Cydia, apt.saurik.com).

    With OpenSSH the Mac can log in to the iPhone remotely.

  • SSH runs over TCP, so make sure the Mac and the iPhone are on the same LAN, e.g. the same Wi-Fi network.

    Type at the terminal:

ssh <account name>@<server host address>

For example:

ssh [email protected], then enter the password (the default is alpine)

Logging in over Wi-Fi this way is limited by network speed.

  • 1.1 sh usb.sh (contents: python2 usbmuxd-1.0.8/python-client/tcprelay.py -t 22:10010 8888:8888)

1.2 sh login.sh (contents: ssh -p 10010 root@localhost)

The commands above work because usb.sh and login.sh, which set up the port mapping, are placed in the home directory (the mapping requires the usbmuxd toolkit).

Run echo $PATH to check the configured search path. If you want scripts that can be run from anywhere, you can also put them in a directory on PATH.

2. So that the phone and the computer can connect without a password, append the computer's public key (~/.ssh/id_rsa.pub) to the phone's authorized-keys file, /var/root/.ssh/authorized_keys.

There is a service on the Mac, usbmuxd (started automatically at boot), that relays data from the Mac to the iPhone over USB:

/System/Library/PrivateFrameworks/MobileDevice.framework/Resources/usbmuxd

Download the usbmuxd toolkit (download v1.0.8, which includes the Python script tcprelay.py):

Cgit.sukimashita.com/usbmuxd.git…

2. Obtaining the IPA package of an app on the phone

  • Install Cycript on the phone

    Cycript is a mashup of Objective-C++, ES6 (JavaScript), Java and other syntaxes that can be used to explore, modify and debug running Mac/iOS apps.

    Website: www.cycript.org/

    Documentation: www.cycript.org/manual/

    Install Cycript from Cydia to debug an app that is running on the iPhone.

    Usage: cycript -p <process ID>, for example: cycript -p NewsBoard

    cycript -p <process name>

    Cancel input :Ctrl + C

    Exit :Ctrl + D

    Clear the screen :Command + R

    GitHub has some helper functions wrapped for Cycript:

    Github.com/CoderMJLee/…

    @import mjcript –> MJAppId, MJFrontVC(), MJDocPath, MJAppPath, etc.

  • clutch -i lists the app IDs of the installed (encrypted, i.e. "shelled") apps

  • ps command (install adv-cmds on the phone)

    ps -a lists all processes

The ps command stands for process status.

You can filter by keyword, for example: ps -A | grep WeChat

  • You can also use the GitHub tool at github.com/CoderMJLee/…

    MJAppTools can obtain an app's URL scheme, name, whether it is encrypted (shelled), installation package path, database path, etc.

3. Decrypting (removing the shell)

  • There are many good decryption tools for iOS:

    Clutch: github.com/KJCracks/Cl…

    dumpdecrypted: github.com/stefanesser…

    AppCrackr, Crackulous

  • After clutch -i shows the app IDs, clutch -d <app serial number> dumps the app package; e.g. clutch -d 1 prints the path of the decrypted output.

  • Decrypting with DYLD_INSERT_LIBRARIES

    For example: [netease News] <com.netease.news> /private/var/mobile/Containers/Bundle/Application/64F0B25C-062E-4A89-8834-3F534C24E70D/NewsBoard.app

    Run:

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/64F0B25C-062E-4A89-8834-3F534C24E70D/NewsBoard.app/NewsBoard

    The decrypted file is written to the current directory (on the device, /var/root).

  • Checking whether an app is decrypted

    otool -l <name> | grep crypt; for example, otool -l NewsBoard | grep crypt shows whether NetEase News is still encrypted.

You can also use Hopper to see whether it is encrypted.

cryptid 0 means the shell has been removed (decrypted); cryptid 1 means it is still encrypted.

4. Decompiling header files

  • class-dump

    As the name implies, it dumps the class information of a Mach-O file and generates the corresponding .h header files.

Official site: stevenygard.com/projects/cl…

After downloading the package, copy the class-dump binary to /usr/local/bin on the Mac so that the terminal recognises the class-dump command.

Common usage:

class-dump -H <Mach-O file path> -o <header output directory>; -H means generate header files, -o specifies the directory the headers are written to.

For example, class-dump -H NewsBoard -o Headers dumps the headers of NewsBoard in the current directory into the Headers folder for analysis.

5. Theos

  • Install the signing tool ldid

    1. Make sure Homebrew is installed:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

2. Install ldid with brew:

$ brew install ldid

  • Modifying environment variables
    1. Edit the user profile:

$ vim ~/.bash_profile

2. Add the following two lines to .bash_profile:

export THEOS=~/theos

export PATH=$THEOS/bin:$PATH

3. Make the variables configured in .bash_profile take effect immediately (or reopen the terminal):

source ~/.bash_profile

Download Theos

It is recommended to download the code into the $THEOS directory you just configured.

Create a Tweak project

1. cd into a directory (for example, the desktop):

cd ~/Desktop

$ nic.pl

2. Select [13.] iphone/tweak

3. Fill in the project information:

Name, Project ID, MobileSubstrate Bundle filter (enter the bundle ID of the target application) and press Enter.

Write the code

This depends on the individual case.

Package, compile and install

make clean && make && make package && make install

Your own plugin (the tweak .dylib) ends up in /Library/MobileSubstrate/DynamicLibraries on the device.

8. Theos information

  • Directory structure: github.com/theos/theos…

  • Environment variables: iphonedevwiki.net/index.php/T…

  • Logos syntax: iphonedevwiki.net/index.php/L…

    • %hook %end: mark the start and end of hooking a class

    • %log: prints the details of the method call

      You can view it in Xcode -> Window -> Devices and Simulators

    • HBLogDebug: similar to NSLog

    • %new: adds a new method

    • %c(className): gets a class object, e.g. %c(NSObject); similar to NSStringFromClass(), objc_getClass()

    • %orig: calls the original implementation of the function

    • %ctor: called when the dynamic library is loaded

    • %dtor: called when the program exits

    • logify.pl: quickly converts a header file into an .xm file that already contains logging for every method

    • logify.pl xx.h > xx.xm

      1. In the directory containing UserCenterViewController.h, run:

      logify.pl UserCenterViewController.h > UserCenterViewController.xm

      2. Copy UserCenterViewController.xm into the directory containing the Makefile (next to Tweak.xm)

      3. List it in the Makefile: XJRongxin_FILES = $(wildcard src/*.xm)

      4. Replace unknown classes with void; delete __weak and protocol references

      5. Without going into too much detail, %log is NSLog(@"%@", NSStringFromSelector(_cmd));

      6. Change HBLogDebug(@" = 0x%x", (unsigned int)r) to HBLogDebug(@" = 0x%@", r)

9. Cracking Mac and iPhone software

Example: PC software cracking ./YZCTest

Example: NetEase News ad removal: NTESNBNewsListController hasAd

Example: Youku removal of the 90-second pre-roll ad: XAdEnginePreAdModule setupVideoAd needAd

If the iPhone is not jailbroken, you also need to re-sign and package the app.

10. Dynamic debugging

11. Signing and packaging

  • Prepare an embedded.mobileprovision file (it must come from a paid certificate, and the App ID and device must match) and put it in the .app package.

    • It can be taken from an app package that Xcode generates automatically when a project is built with that certificate
    • Or generate a certificate on the developer website and download it
  • Extract the Entitlements.plist file from embedded.mobileprovision:

    • security cms -D -i embedded.mobileprovision > temp.plist
    • /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' temp.plist > entitlements.plist
  • View the available certificates:

    • security find-identity -v -p codesigning
  • Sign the dynamic libraries, app extensions, etc. inside the app:

    • codesign -f -s <certificate ID> xxx.dylib
  • Sign the .app package:

    • codesign -f -s <certificate ID> --entitlements entitlements.plist xxx.app
  • Re-signing tools

    • iOS App Signer

      • https://github.com/DanTheMan827/ios-app-signer
      • Re-signs a .app and packages it as an IPA

      • The matching embedded.mobileprovision file must be present in the .app package

    • iReSign

      • Github.com/maciekish/i…
      • Re-signs an IPA and repackages it as an IPA
      • The paths of the embedded.mobileprovision and Entitlements.plist files must be provided

12. Other notes

Tweak tips

1. Loading image resources: create a layout folder in the project; layout/Library corresponds to /Library on the device.

The images will end up under /Library/PreferenceLoader/Preferences on the device.

2. Your own plugin lives in /Library/MobileSubstrate/DynamicLibraries on the device.

3. #define XJFile(path) @"/Library/PreferenceLoader/Preferences/xjxmly/" #path

4. With multiple files and directories, reference headers by path, e.g. #import "ABC/def/person.h"

5. In the Makefile, list multiple sources separated by a space, e.g. Tweak.xm src/*.m

6. If you add classes, methods, properties, etc., declare them first:

@interface xjdefine
- (void)vipReOpenPlayer;
@end
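A minimal Tweak.xm that exercises the Logos directives listed in the Theos section (%hook, %orig, %log, %new, %c, %ctor, %dtor) together with the declaration requirement from tip 6 above. This is an added example, not code from the original notes or from any project; the target class DemoSettingsViewController is assumed to be a hypothetical UIViewController subclass in the app under study, with the MobileSubstrate bundle filter already set for that app.

```logos
// Tweak.xm: added illustrative example, not from the original notes.
// Assumes a hypothetical target class DemoSettingsViewController
// (a UIViewController subclass inside the app being studied).
#import <UIKit/UIKit.h>
#import <HBLog.h>   // Theos header that provides HBLogDebug

// Declare the hooked class and the method we add (tip 6): without this
// the compiler cannot see the selector and will warn or fail.
@interface DemoSettingsViewController : UIViewController
- (void)demo_logTitle;
@end

%hook DemoSettingsViewController

// Wrap an existing method: log the call, then let the original run.
- (void)viewDidAppear:(BOOL)animated {
    %log;   // prints class, selector and argument values to the device log
    %orig;  // original implementation, unchanged
    [self demo_logTitle];
}

// %new attaches a method that did not exist in the original class.
%new
- (void)demo_logTitle {
    HBLogDebug(@"%@ appeared, title = %@",
               NSStringFromClass([self class]), self.title);
}

%end

// %ctor runs once when the dylib is loaded into the target process.
// Because we define our own constructor, %init is required so that
// the hooks declared above are actually installed.
%ctor {
    %init;
    Class target = %c(DemoSettingsViewController);   // like objc_getClass()
    HBLogDebug(@"tweak loaded in %@; target class %@",
               [[NSBundle mainBundle] bundleIdentifier],
               target ? @"found" : @"not found");
}

// %dtor runs when the process exits.
%dtor {
    HBLogDebug(@"tweak unloading");
}
```

Build it with the make clean && make && make package && make install sequence from the Theos section, then watch the output in Xcode -> Window -> Devices and Simulators as described under %log.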