iOS reverse engineering
Preparation: a jailbroken iPhone
Approach to reversing an app:
1. Code analysis
2. Static analysis of the Mach-O file: MachOView, class-dump, Hopper Disassembler, IDA, etc.
3. Dynamic debugging of the running app: debugserver, LLDB
4. Writing code
5. Injecting the code into the app
6. If necessary, re-signing and packaging the IPA
1. Logging in to the iPhone remotely from the Mac
- Secure Shell (SSH) is an encrypted remote-login protocol.
- OpenSSH is a free, open-source implementation of SSH (install OpenSSH on the iPhone from Cydia, source apt.saurik.com).
- With OpenSSH installed, the Mac can log in to the iPhone remotely.
- SSH runs over TCP, so the Mac and the iPhone must be able to reach each other, e.g. on the same Wi-Fi network.
In the terminal, type:
ssh <account>@<server address>
For example:
ssh root@<iPhone IP address>   then enter the password (default: alpine)
Change the default password of root (and of mobile) with passwd as soon as the phone is on a network you do not control: a jailbroken phone with the factory password is open to anyone on the same Wi-Fi.
Logging in over Wi-Fi is limited by the network speed, so forward the SSH port over USB instead:
1.1 sh usb.sh (usb.sh contains: python2 usbmuxd-1.0.8/python-client/tcprelay.py -t 22:10010 8888:8888)
1.2 sh login.sh (login.sh contains: ssh -p 10010 root@localhost)
These two commands work because usb.sh and login.sh set up the port mapping and were placed in the home directory (the mapping needs the usbmuxd toolkit). Run echo $PATH to see the configured search path; a script placed in a directory on PATH can be run from anywhere.
2. Password-less login: add the Mac's public key (~/.ssh/id_rsa.pub) to the iPhone's authorized-key file /var/root/.ssh/authorized_keys.
There is a service on the Mac, usbmuxd (started automatically at boot), that relays data from the Mac to the iPhone over USB:
/System/Library/PrivateFrameworks/MobileDevice.framework/Resources/usbmuxd
Download the usbmuxd toolkit (v1.0.8, which contains the python-client script tcprelay.py):
Cgit.sukimashita.com/usbmuxd.git…
2. Obtaining the IPA of an app installed on the phone
- Cycript is installed on the phone.
- Cycript is a hybrid of Objective-C++, ES6 (JavaScript), Java and other syntax that can be used to explore, modify and debug running Mac/iOS apps.
- Website: www.cycript.org/
- Documentation: www.cycript.org/manual/
- Install Cycript from Cydia to attach to an app running on the iPhone.
Usage: cycript -p <process ID>, or cycript -p <process name>, for example: cycript -p NewsBoard
Cancel the current input: Ctrl + C
Exit: Ctrl + D
Clear the screen: Command + R
GitHub has some helper functions wrapped for Cycript:
Github.com/CoderMJLee/…
@import mjcript provides MJAppId, MJFrontVC(), MJDocPath, MJAppPath, etc.
- Clutch -i lists the installed (encrypted) apps with their bundle IDs.
- ps command (install adv-cmds on the phone)
ps -A lists all processes (ps stands for process status)
Filter by keyword, for example: ps -A | grep WeChat
- You can also use the GitHub tool at github.com/CoderMJLee/…
MJAppTools can get an app's architecture, name, whether it is still encrypted, installation package path, data (Documents) path, etc.
3. Decrypting (dumping) the app binary
App Store binaries are FairPlay-encrypted (the "shell"); the encrypted body has to be dumped from memory before static tools can read it. iOS has several good tools for this:
- Clutch: github.com/KJCracks/Cl…
- dumpdecrypted: github.com/stefanesser…
- AppCrackr, Crackulous
- Clutch: after Clutch -i lists the apps, Clutch -d <app number> dumps the app, e.g. Clutch -d 1 prints the path of the decrypted package.
- dumpdecrypted via DYLD_INSERT_LIBRARIES
For example: [NetEase News] <com.netease.news> /private/var/mobile/Containers/Bundle/Application/64F0B25C-062E-4A89-8834-3F534C24E70D/NewsBoard.app
Run:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/64F0B25C-062E-4A89-8834-3F534C24E70D/NewsBoard.app/NewsBoard
The decrypted file is written to the current directory (on the device: /var/root).
- Checking whether a binary is decrypted
otool -l <binary> | grep crypt, for example: otool -l NewsBoard | grep crypt shows the encryption status of NetEase News.
Hopper can also show whether a binary is still encrypted.
cryptid 0 means decrypted, cryptid 1 means still encrypted. (The LC_ENCRYPTION_INFO load command stays in the dumped binary; only its cryptid field is set to 0, which is why grep still finds a line.)
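As an added example (not code from the original post), the following Python reimplements the otool -l | grep crypt check by walking the Mach-O load commands directly, so it can run on a Mac or Linux box over a binary copied off the device. It also handles fat (multi-architecture) binaries, which the text above does not cover. The sample images it checks are constructed in code; they are not real app binaries.

```python
import struct

# Mach-O / fat constants (values from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC_BYTES = b"\xCA\xFE\xBA\xBE"          # the fat header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C


def _parse_thin(blob, base):
    """Walk the load commands of one thin Mach-O slice starting at offset base.
    Returns the LC_ENCRYPTION_INFO(_64) fields, or None if the slice has no such command."""
    magic, = struct.unpack_from("<I", blob, base)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    off = base + header_size
    end = off + sizeofcmds
    if end > len(blob):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def encryption_status(blob):
    """Return [(cputype, info)] per slice; info is None when the slice has no
    encryption command at all (e.g. a binary that never went through the App Store)."""
    if blob[:4] == FAT_MAGIC_BYTES:
        nfat, = struct.unpack_from(">I", blob, 4)
        slices = []
        for i in range(nfat):
            cputype, _, offset, size, _ = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            if offset + size > len(blob):
                raise ValueError("fat slice %d runs past end of file" % i)
            slices.append((cputype, _parse_thin(blob, offset)))
        return slices
    cputype, = struct.unpack_from("<I", blob, 4)
    return [(cputype, _parse_thin(blob, 0))]


def is_encrypted(blob):
    """True if any slice still has cryptid != 0, i.e. the binary must be dumped
    before class-dump / Hopper / IDA will see real code."""
    return any(info is not None and info["cryptid"] != 0
               for _, info in encryption_status(blob))


def build_sample_macho(cryptid, cputype=CPU_TYPE_ARM64):
    """Constructed test image, not a real app: a 64-bit Mach-O executable header
    (filetype MH_EXECUTE) followed by a single LC_ENCRYPTION_INFO_64 command."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)
    return header + lc


def build_sample_fat(images):
    """Constructed fat wrapper around thin images; slices are page-aligned like a real universal binary."""
    nfat = len(images)
    first = (8 + 20 * nfat + 0xFFF) & ~0xFFF
    archs, body, offset = [], b"", first
    for img in images:
        cputype, = struct.unpack_from("<I", img, 4)
        archs.append(struct.pack(">IIIII", cputype, 0, offset, len(img), 12))
        padded = img + b"\0" * (-len(img) % 0x1000)
        body += padded
        offset += len(padded)
    header = FAT_MAGIC_BYTES + struct.pack(">I", nfat) + b"".join(archs)
    return header + b"\0" * (first - len(header)) + body


if __name__ == "__main__":
    import sys
    # Usage: python3 check_crypt.py NewsBoard   (the binary copied from the device)
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    for cputype, info in encryption_status(data):
        print("cputype 0x%08x: %s" % (cputype, info))
    print("encrypted" if is_encrypted(data) else "decrypted")
```

Run it over both the original binary and the file dumpdecrypted or Clutch produced: the only difference in the load commands should be cryptid flipping from 1 to 0. A binary with no encryption command at all is not an App Store build and needs no dumping.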
4. Decompiling the decrypted binary
- class-dump
As the name implies, it dumps the class information of a Mach-O file and generates the corresponding .h header files.
Official site: stevenygard.com/projects/cl…
After downloading the package, copy the class-dump binary to /usr/local/bin on the Mac so the terminal can find the class-dump command.
Common usage:
class-dump -H <Mach-O file path> -o <header output directory>   (-H generates header files; -o specifies the directory to write them to)
For example, class-dump -H NewsBoard -o Headers analyzes the binary in the current directory and writes the headers to Headers. class-dump only works on a decrypted binary; on a still-encrypted one it produces little or nothing.
5. Theos
- Install the signing tool ldid
1. Make sure Homebrew is installed:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
2. Install ldid with Homebrew:
$ brew install ldid
- Set the environment variables
1. Edit the user profile:
$ vim ~/.bash_profile
2. Add the following two lines to .bash_profile:
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
3. Make the variables in .bash_profile take effect immediately (or reopen the terminal):
source ~/.bash_profile
- Download Theos
Clone it into the $THEOS directory you just configured:
git clone --recursive https://github.com/theos/theos.git $THEOS
- Create a tweak project
1. cd to the directory where the project will live (e.g. the Desktop):
cd ~/Desktop
$ nic.pl
2. Choose [13.] iphone/tweak
3. Fill in the project information: Name, Package Name (project ID), Author, and MobileSubstrate Bundle filter (the bundle ID of the app to hook), then press Enter.
- Write the code
Case by case (the hooks go in Tweak.xm).
- Package, compile and install
make clean && make && make package && make install   (make install copies the .deb to the device over SSH; set THEOS_DEVICE_IP, and THEOS_DEVICE_PORT if you use the USB port mapping)
The resulting plugin is installed on the device under /Library/MobileSubstrate/DynamicLibraries.
8. Theos reference
- Directory structure: github.com/theos/theos…
- Environment variables: iphonedevwiki.net/index.php/T…
- Logos syntax: iphonedevwiki.net/index.php/L…
- %hook ... %end: start and end of the hooks for one class
- %log: prints the details of the method call (class, selector, arguments)
  The output can be viewed in Xcode -> Window -> Devices and Simulators (device console)
- HBLogDebug: similar to NSLog
- %new: adds a new method to the hooked class
- %c(className): returns the class object, e.g. %c(NSObject); similar to NSClassFromString() / objc_getClass()
- %orig: calls the original implementation of the hooked method
- %ctor: runs when the dynamic library is loaded
- %dtor: runs when the process exits
- logify.pl: quickly turns a header file into an .xm file whose hooks already contain logging:
logify.pl xx.h > xx.xm
1. In the directory containing UserCenterViewController.h run:
logify.pl UserCenterViewController.h > UserCenterViewController.xm
2. Copy UserCenterViewController.xm into the directory of the Makefile (next to Tweak.xm)
3. Add it to the Makefile, for example: XJRongxin_FILES = $(wildcard src/*.xm)
4. Replace unknown classes with void and delete __weak and protocol references so that it compiles
5. In short, %log is NSLog(@"%@", NSStringFromSelector(_cmd)) plus the arguments
6. Change HBLogDebug(@" = 0x%x", (unsigned int)r) to HBLogDebug(@" = %@", r) for methods that return objects
9. Cracking Mac and iPhone software
Example: cracking a PC program ./YZCTest
Example: NetEase News, removing ads: NTESNBNewsListController hasAd
Example: Youku, removing the 90-second pre-roll ads: XAdEnginePreAdModule setupVideoAd needAd
If the iPhone is not jailbroken, the tweak also has to be packaged into the app and the app re-signed.
10. Dynamic debugging
11. Signing and packaging
- Prepare an embedded.mobileprovision file (from a paid developer account; its App ID and device list must match the app and the phone) and put it inside the .app bundle.
  - It can be taken from an .app that Xcode built for the same device.
  - It can also be generated and downloaded from the developer website.
- Extract entitlements.plist from embedded.mobileprovision:
  - security cms -D -i embedded.mobileprovision > temp.plist
  - /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' temp.plist > entitlements.plist
- List the available signing certificates:
  - security find-identity -v -p codesigning
- Sign the dynamic libraries, app extensions, etc. inside the .app first:
  - codesign -f -s <certificate ID> xxx.dylib
- Then sign the .app bundle:
  - codesign -f -s <certificate ID> --entitlements entitlements.plist xxx.app
  Verify with codesign -dv --entitlements - xxx.app: the application-identifier in the entitlements must be the team prefix plus the bundle ID in Info.plist, and the phone's UDID must be in the profile, otherwise the app will not install or launch.
- Re-signing tools
  - iOS App Signer
    https://github.com/DanTheMan827/ios-app-signer
    Re-signs a .app and packages it as an IPA
    The matching embedded.mobileprovision must be present in the .app bundle
  - iReSign
    Github.com/maciekish/i…
    Re-signs an IPA and packages it as an IPA
    The paths of the embedded.mobileprovision and entitlements.plist files must be provided
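As an added example, not code from the original post, the following Python does the entitlements extraction of the two commands above with plistlib and, before any codesign call, checks the things that make a re-signed app refuse to install: an App ID that does not cover the bundle ID, an expired profile, and a device UDID missing from the profile. Its input is the decoded plist that security cms -D prints. The sample profile below is constructed with placeholder team ID, UDID and dates; it is not a real developer profile.

```python
import plistlib
from datetime import datetime, timezone


def decode_profile(plist_bytes):
    """Parse the XML plist produced by: security cms -D -i embedded.mobileprovision"""
    return plistlib.loads(plist_bytes)


def extract_entitlements(profile):
    """The dict that PlistBuddy 'Print :Entitlements' prints."""
    return dict(profile["Entitlements"])


def entitlements_plist(profile):
    """Bytes to write to entitlements.plist for codesign --entitlements."""
    return plistlib.dumps(extract_entitlements(profile), fmt=plistlib.FMT_XML)


def app_id_matches(application_identifier, bundle_id):
    """application-identifier is TEAMID.<bundle id>, or a wildcard TEAMID.* / TEAMID.com.x.*"""
    team, _, pattern = application_identifier.partition(".")
    if not team or not pattern:
        return False
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])    # "com.x.*" covers "com.x.anything"
    return pattern == bundle_id


def check_profile(profile, bundle_id, udid, now=None):
    """Return the reasons this profile will not let (bundle_id, udid) run; an empty list means usable.
    now may be a naive UTC datetime or an ISO date string; default is the current time."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    ent = profile.get("Entitlements", {})
    app_id = ent.get("application-identifier", "")
    if not app_id_matches(app_id, bundle_id):
        problems.append("application-identifier %r does not cover bundle id %s" % (app_id, bundle_id))
    expires = profile.get("ExpirationDate")          # plistlib returns naive UTC datetimes
    if expires is None or expires <= now:
        problems.append("profile expired on %s" % expires)
    if not profile.get("ProvisionsAllDevices"):       # enterprise profiles carry no device list
        if udid not in profile.get("ProvisionedDevices", []):
            problems.append("device %s is not in ProvisionedDevices" % udid)
    return problems


# Constructed sample profile with placeholder team ID, UDID and dates (not a real profile).
SAMPLE_PROFILE = plistlib.dumps({
    "AppIDName": "Example App",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime(2024, 1, 1),
    "ExpirationDate": datetime(2025, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.app",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "get-task-allow": True,                      # development profile: debugserver may attach
        "keychain-access-groups": ["ABCDE12345.*"],
    },
    "Name": "Example Development",
    "Platform": ["iOS"],
    "ProvisionedDevices": ["00000000-0000000000000000"],
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Example Team",
    "UUID": "00000000-0000-0000-0000-000000000000",
    "Version": 1,
})


if __name__ == "__main__":
    profile = decode_profile(SAMPLE_PROFILE)
    print(entitlements_plist(profile).decode())
    for problem in check_profile(profile, "com.example.app", "00000000-0000000000000000"):
        print("problem:", problem)
```

In practice you feed it the output of security cms -D on the real embedded.mobileprovision and the bundle ID from the app's Info.plist; get-task-allow in the extracted entitlements is what later lets debugserver attach to the re-signed app, so keep it when re-signing with a development profile.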
12. Other notes
Tweak tips
1. To load image resources, create a layout folder in the project that mirrors the device's /Library; the images then land in /Library/PreferenceLoader/Preferences on the device.
2. Your own plugin is installed on the device in /Library/MobileSubstrate/DynamicLibraries.
3. A path macro such as #define XJFile(path) @"/Library/PreferenceLoader/Preferences/xjxmly/" #path builds resource paths.
4. With multiple files and directories, include headers by path, e.g. #import "abc/def/person.h"
5. Multiple source files are listed in the Makefile's _FILES variable separated by spaces: Tweak.xm followed by the .m files under src/.
6. Classes, methods and properties that you add must be declared, e.g.:
@interface xjdefine
- (void)vipReOpenPlayer;
@end