Vx Search for “gjZKeyFrame” Follow “Keyframe Keyframe” to get the latest audio and video technical articles in time.
This public account will go through the sharing of audio and video technology roadmap: audio and video basics (completed) → audio and video tools (in progress) → audio and video engineering examples (preparation) → audio and video industry practice (preparation). Pay attention to the cost is not high, missed dry goods loss is not small ↓↓↓
App reverse engineering is a common method to do competitive product analysis. As the saying goes, “A good reverse engineer can get off work early”. Here we do a brief introduction to iOS reverse, which will involve the following tools:
- Theos[1] : A make-based build system for iOS jailbreak development, but also supports building software for other supported platforms.
- MonkeyDev[2] : A non-jailbroken plug-in development integration wizard.
- FLEX[3] : a tool for exploring and debugging iOS App UI and stacks.
- Checkra1n [4] : An iPhone jailbreak tool based on checkM8 vulnerability.
- Frida-ios-dump [5] : An ios App shell smashing tool.
- Usbmuxd [6] : a socket daemon that can be used to multiplex connections from and to iOS devices.
1. Non-jailbreak App debugging
1.1. Environment Configuration
Use the following command to download the latest Theos:
sudo git clone --recursive https://github.com/theos/theos.git /opt/theos
Copy the code
1.2. Install MonkeyDev
Install MonkeyDev using the following command:
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-install)"
Copy the code
Uninstall MonkeyDev using the following command:
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-uninstall)"
Copy the code
Update MonkeyDev with the following command:
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-update)"
Copy the code
After installing/updating, you need to restart Xcode before creating a new project.
MonkeyDev consists of four modules:
Logos Tweak
: Use the logify.pl tool provided by Theos.xm
Files into.mm
The file is compiled with CydiaSubstrate integrated, and can Hook OC functions and specify addresses using MSHookMessageEx and MSHookFunction.CaptainHook Tweak
: Use the header file provided by CaptainHook to get the Hook and attribute of OC function.Command-line Tool
: You can directly create command line tools that run on jailbroken devices.MonkeyApp
This is a module that automatically integrates Reveal, Cycript and dylib for third party applications. It supports debugging of dylib and third party applications. It also supports Pod and SDK for third party applications.
1.3. Use MonkeyApp to debug App
Here mainly introduces the use of MonkeyApp debugging App.
Apps in the App Store are encrypted and cannot be debugged directly, so there is usually a shell cracking process before that. Shell breaking needs to be carried out in the jailbreak environment, if there is no jailbreak machine and environment, it can be downloaded on some other platforms after the shell breaking App.
Create a MonkeyApp in Xcode:
2) Drag the ipA file after breaking the shell to the TargetApp directory:
At this point, you can run the project and start debugging your App.
3) In order to debug the App better, we can integrate FLEX to do some assistance, which requires us to add a Podfile under the project and pod install.
The Podfile reads as follows:
Target 'MyAppTestDylib' do pod 'FLEX', '~> 2.0' endCopy the code
You also need to add code to myAppTestdylib. m of the project:
#import "MyAppTestDylib.h" #import <CaptainHook/CaptainHook.h> #import <UIKit/UIKit.h> #import <Cycript/Cycript.h> #import < mdcycriptManager.h > #import <FLEX/ flexManager.h > // import header files. CHConstructor{ printf(INSERT_SUCCESS_WELCOME); [[NSNotificationCenter defaultCenter] addObserverForName:UIApplicationDidFinishLaunchingNotification object:nil queue:[NSOperationQueue mainQueue] usingBlock:^(NSNotification * _Nonnull note) { #ifndef __OPTIMIZE__ CYListenServer(6666); MDCycriptManager* manager = [MDCycriptManager sharedInstance]; [manager loadCycript:NO]; NSError* error; NSString* result = [manager evaluateCycript:@"UIApp" error:&error]; NSLog(@"result: %@", result); if(error.code != 0){ NSLog(@"error: % @ ", error. LocalizedDescription);} [[FLEXManager sharedManager] showExplorer]; / / display the FLEX component toolbar. # endif}]; }Copy the code
Now you can run and see the FLEX toolbar.
More details can be found in MonkeyDev Wiki[7].
1.4. Export the sandbox file of debugging App
Usually we want to export the sandbox file for our debug App. In this case, we can add Application Supports iTunes File Sharing to the Info.plist file of MonkeyApp and set it to YES.
image
So we can select the device in Finder and copy the Document file of our App in Files.
2, the escape
It says that to debug the App, you need to crack the IPA file, and the crack needs to be carried out in the jailbreak environment, so here we continue to introduce how to jailbreak.
The jailbreak tool used here is Checkra1n. Checkra1n Download [8]
Jailbreak process, after downloading and installing the tool, follow the tool’s instructions step by step.
3, smashing shells
The earliest decrypted tool was DumpDecrypted [9], which works by having an App pre-load a decrypted Dumpdecrypte.dylib, then dynamically decrypt the code after the program runs, and finally dump the entire program in memory. This shell smashing only hits the main App executable.
For applications where the framework exists, conradev’s Dumpdecrypted can be used to dump and decrypt each module through the _dyLD_register_func_for_add_image registry callback. But this one still needs to copy dumpdecrypted. Dylib and find the path or whatever, which is still a bit of a hassle.
Frida-ios-dump is an in-memory dump tool based on frida’s powerful function, which can be implemented by injecting JS into the memory and automatically copying the ipA file to the PC through Python. After configuration, a command can be used to crack the shell.
3.1 environment configuration
The first step is to install Frida on your phone and Mac. See the documentation on the website: Frida Home [10].
1) Frida installation on mobile:
- After the jailbreak,
Cydia → Software Source → Edit → Add source (build.frida.re)
. - Enter the
build.frida.re
Source download Frida.
2) Install FRIda on Mac:
$ sudo pip install frida
Copy the code
3) Install frida-ios-dump on Mac:
$ git clone https://github.com/AloneMonkey/frida-ios-dump.git $ cd frida-ios-dump $ sudo pip install -r requirements.txt --upgradeCopy the code
This installation process may encounter some problems with the incorrect version of the dependency package, you can follow the prompts to install the required version.
3.2. Connect your mobile phone
Install usBmuxd first. It comes with a tool called iProxy, which we use for port mapping:
$ brew install usbmuxd
$ iproxy 2222 22
Creating listening port 2222 for device port 22
waiting for connection
New connection for 2222->22, fd = 5
waiting for connection
Copy the code
Install OpenSSH on our jailbroken phone, open a new terminal window on our Mac, and log in to our phone:
$SSH -p 2222 [email protected] // password:alpine // Refer to OpenSSH access tutorial on jailbroken devices for this password.Copy the code
To this environment is configured, then you can hit the shell.
3.3, a key to hit the shell
The simplest way to do this is to use./dump + the name displayed by the application as follows:
$ cd frida-ios-dump $ ./dump.py XXX open target app...... Waiting for the application to open...... start dump target app...... Start the dump/var/containers/Bundle/Application / 6665 aa28-68 cc - 4845-8610-7010 E96061C6 / XXX. App/XXX XXX 100% 68 MB 11.4 MB/s 00:05 start dump /private/var/containers/Bundle/Application/6665AA28-68CC-4845-8610-7010E96061C6/XXX.app/Frameworks/WCDB.framework/WCDB WCDB 100% 2555KB 11.0MB/s 00:00 start dump /private/var/containers/Bundle/Application/6665AA28-68CC-4845-8610-7010E96061C6/XXX.app/Frameworks/MMCommon.framework/MM Common MMCommon 100% 979KB 10.6MB/s 00:00 start dump /private/var/containers/Bundle/Application/6665AA28-68CC-4845-8610-7010E96061C6/XXX.app/Frameworks/MultiMedia.framework/ MultiMedia MultiMedia 100% 6801KB 11.1MB/s 00:00 start dump /private/var/containers/Bundle/Application/6665AA28-68CC-4845-8610-7010E96061C6/XXX.app/Frameworks/mars.framework/mars Mars 100% 7462KB 11.1MB/s 00:00 [email protected] 100% 2253 230.9KB/s 00:00 [email protected] 100% 4334 834.8KB/s PNG 100% 2659 620.6KB/s AppIcon76x76~ipad. PNG 100% 1523 358.0KB/s AppIcon83.5x83.5@2x~ipad. PNG 100% 2725 568.9KB/s 00:00 assets. car 100% 10MB 11.1MB/s 00:00....... AppIntentVocabulary. Plist 100% 197 KB/s 00:00 AppIntentVocabulary. 52.9 167 43.9 KB/s 00:00 plist 100% AppIntentVocabulary. Plist 100% 187. 50.2 KB/s 00:00 InfoPlist strings 100% 100% of the 1720 416.4 KB/s 00:00 to [email protected] 14KB 2.2MB/s 00:00 mm. Strings 100% 404KB 10.2MB/s 00:00 network_setting. HTML 100% 1695 450.4KB/s 00:00 Infoplist. strings 100% 1822 454.1KB/s 00:00 mm. Strings 100% 409KB 10.2MB/s 00:00 network_setting. HTML 100% 1819 477.5KB/s 00:00 InfoPlist. Strings 100% 1814 466.8KB/s 00:00 mm. Strings 100% 409KB 10.3MB/s 00:00 network_setting.html 100% 1819 404.9 KB/s 00:00Copy the code
What if there are duplicate application names? First check the name and bundle ID of the installed application using the following command:
$ ./dump.py -l PID Name Identifier ----- ------------------------- ---------------------------------------- 9661 App Moment 1311 Safari com.apple.mobilesafari 16586 Information Com.apple.mobilesms 4147 XXX com.xxx.yyy 10048 Camera com.apple.camera 7567 Com.apple. Preferences - CrashReporter Crash reporter - Cydia com. Saurik. Cydia - directory com. Apple. MobileAddressBook - mail com. Apple. Mobilemail - Music com. Apple. Music .Copy the code
Then use the following command to shell the specified bundle ID application:
$ ./dump.py -b com.XXX.YYY
Copy the code
After the automatic shell breaking transfer is completed, a decrypted IPA file will be generated in the current directory.
For more details you can refer to: One command to complete shell smashing [11].
The resources
[1] Theos: github.com/theos/theos
[2] MonkeyDev: github.com/AloneMonkey…
[3] FLEX: github.com/Flipboard/F…
[4] checkra1n: checkra.in/
[5] frida – ios – dump: github.com/AloneMonkey…
[6] usbmuxd: github.com/libimobiled…
[7] MonkeyDev Wiki: github.com/AloneMonkey…
[8] Releases releases of Releases of Releases of Releases of Releases of Releases of Releases of Releases of Releases of Releases of Releases…
[9] dumpdecrypted: github.com/stefanesser…
[10] frida home: www.frida.re/docs/home/
[11] hit a command complete shell: www.alonemonkey.com/2018/01/30/…
Recommended reading
“FFmpeg tools: Audio and Video development with it, quick @ your brother to see”
Visual Audio and Video Analysis Tools: A great collection of tools to use and forward to Your brother
Data Capture Tools: See what protocols have been optimized for Competing products