Kotani bald collection

  • In reverse engineering, an essential step: cracking the shell (decrypting the App Store binary)

  • The better-known tools for cracking shells are Clutch, Dumpdecrypted and Frida (the first two are used on older iOS versions). You can study their principles yourselves; today Xiaogu talks about Frida.

1. The shell

1.1. Shell program

  • Apps distributed through the App Store are encrypted, and we call them shelled apps

  • Shelled programs are protected by App Store encryption, so we cannot read them in a disassembler ~

  • In reverse engineering, we need to decrypt the encrypted binary before we can start working; this step is called cracking the shell

1.2. Static shell smashing

There are two kinds of shell cracking: static and dynamic

  • Static shell cracking decrypts the application directly on disk, without running it. (High degree of difficulty)

1.3. Dynamic shell smashing

A program that is already running in memory has been decrypted by the system, so App Store encryption is no longer an obstacle at that point

  • Dynamic shell cracking mainly dumps the Mach-O (the loaded image) while it is running in memory.

2. Frida

Clutch and Dumpdecrypted are the classic tools for older system versions. But now basically everyone uses Frida (easy to use, though with more pitfalls 😆)

2.1. Frida installation

Here Frida is used mainly for shell cracking. Since the shelled app lives on the phone, we have to install Frida on the Mac and on the iPhone, and then configure it

2.1.1. Install Frida on your Mac

First, Python. Currently, Kotani recommends python3.

  • Check whether you already have python3

If not, install it with the brew install python3 command

  • You must have pip

If not, install it with sudo easy_install pip

  • OK, now you are ready to install Frida

sudo pip install frida-tools

2.1.2. Frida is installed on iPhone

  • Jailbreak the phone and open Cydia

  • Add the source: build.frida.re

  • Install it

That's the one. Just install it.

2.1.3. Mac configuration

Back to the Mac

  • Download the frida-ios-dump script

sudo git clone https://github.com/AloneMonkey/frida-ios-dump

  • Enter the frida-ios-dump directory and install its dependencies

sudo pip install -r requirements.txt --upgrade

  • It's actually just this file

  • Because python3 is installed, there are a few changes to be made to the script

Once the installation is complete, you can configure the environment variables to make dump.py available. (If you want to move the script, move dump.py and dump.js together)

2.2. Use of Frida

Frida actually has a lot of features and can do dynamic debugging, but it's not easy to use. Its shell cracking, though, works like crazy

  • We first connect to the phone (enable port mapping) (see my last blog post on OpenSSH for this)

  • Let's look at the process PID

frida-ps -U

  • Start cracking the shell (take WeChat as an example ~)

dump.py WeChat

It comes straight out

  • Let's check whether it has really been cracked afterwards ~

Isn't it nice to use?
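The check in this step (did the dumped binary really lose its shell?) comes down to the cryptid field of the LC_ENCRYPTION_INFO load command: 1 means the __TEXT segment is still encrypted, 0 means it is plain. As an added example that is not part of the original post or of frida-ios-dump, here is a small Python parser that reads that field from a thin or universal Mach-O; the sample binaries it builds are constructed in the script, not taken from any real app.

```python
import struct
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_state(data: bytes) -> dict:
    """Map each Mach-O slice offset in `data` to its cryptid: 1 = __TEXT still
    FairPlay-encrypted, 0 = plain (unencrypted or already dumped), None = no
    LC_ENCRYPTION_INFO command at all."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return _thin_state(data, 0)
    (nfat,) = struct.unpack_from(">I", data, 4)    # universal binary: check every slice
    result = {}
    for i in range(nfat):
        _, _, off, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        result.update(_thin_state(data[off:off + size], off))
    return result

def _thin_state(data: bytes, base: int) -> dict:
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        pos = 32                                    # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        pos = 28                                    # sizeof(mach_header)
    else:
        raise ValueError(f"not a little-endian Mach-O at offset {base:#x}")
    (ncmds,) = struct.unpack_from("<I", data, 16)
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8:                             # refuse to spin on a corrupt command
            raise ValueError(f"malformed load command at {base + pos:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            (cryptid,) = struct.unpack_from("<I", data, pos + 16)  # after cryptoff, cryptsize
        pos += cmdsize
    return {base: cryptid}

def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 Mach-O with one LC_ENCRYPTION_INFO_64 (not a real app)."""
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(enc), 0, 0) + enc

def build_fat_sample(slices: list) -> bytes:
    """Constructed universal (fat) wrapper around thin slices; big-endian header."""
    off, archs, body = 8 + 20 * len(slices), b"", b""
    for s in slices:
        archs += struct.pack(">5I", 0x0100000C, 0, off + len(body), len(s), 0)
        body += s
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + archs + body
```

On a real file, call encryption_state(open(path, "rb").read()): a correctly dumped app reports 0 for every slice, while an untouched App Store binary reports 1.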

3. Summary

  • This blog post is mainly about cracking shells; actually I didn't want to write it at first, but since it was mentioned in the last article, here it is ~

  • Frida is actually quite powerful, but in reverse engineering we mainly use its shell-cracking ability

  • Clutch and Dumpdecrypted are actually not used much anymore, but they used to be quite popular. You can have a look at them

  • Finally: Gu finished this blog post and bought coffee. I have been studying very late recently, and the boss says I have no energy at work