Recently I have been studying an iOS application. The app is distributed as an IPA, but reverse analysis requires decrypting ("unshelling") the IPA, which in turn requires a jailbroken phone (PP Assistant has no resources for this). I had never looked at iOS application reverse engineering before, so I spent a weekend on it and recorded the process.

1. The iOS jailbreak

Model: iPhone 6s, version: iOS 12.1, PC: Mac

1. Delete any pre-downloaded system update firmware on the phone (Settings → General → iPhone Storage; skip this if there is none).

2. Block system updates: open https://app.abcydia.com/config/pbjc.mobileconfig in Safari, install the profile and verify it.

3. Install unc0ver: open https://unc0ver.dev in Safari, click Download OTA, then install and verify the profile.

4. Jailbreak with unc0ver: tap Jailbreak and wait for the system snapshot to be taken and the device to reboot. Open unc0ver and tap Jailbreak again, repeating as needed; the third time unc0ver is opened the button reads Re-Jailbreak and Cydia appears on the home screen, which indicates that the jailbreak succeeded. Notes: (1) after every device restart you must open unc0ver and jailbreak again, but a SpringBoard restart (respring) does not need it; (2) Settings → Restore RootFS (rec0ver) may return the device to the snapshot state from before the jailbreak (untested). References: www.jianshu.com/p/18d1b5ab9… , www.sohu.com/a/297330181…

5. Open Cydia. By default Cydia cannot reach the Internet through the normal channels: its network switch has to be turned on, but the cellular and Wi-Fi toggles for Cydia are hidden by default. Repeatedly opening and closing Cydia in airplane mode was a tested method that failed. What I tried next: download Ace Assistant on the computer, connect the phone, search the web for and install the "global intercept" tool, install its configuration profile; once it succeeds a VPN is connected. Now open Cydia and the home page loads. Add the source apt.abcydia.com, search for and install ConditionalWifi4, then open Settings → software list → ConditionalWifi4 → turn on the Cydia network switch, or install the Netflix plug-in; in short, the aim is to turn on Cydia's network switch. Unfortunately neither of the two options got Cydia online for me, but that did not stop me from using Cydia to download plug-ins from domestic sources.

6. Install OpenSSH; download it from the source apt.binger.com.

7. Install CrackerXI (for decrypting apps): 1. download from the Domino source apt.wxhbts.com (fast, may be removed); 2. download via www.cydiacrawler.com by adding the source cydia.iphonecake.com.

2. Decrypting (dumping) the IPA

Before iOS 12 you could decrypt with Clutch, dumpdecrypted or frida-ios-dump (reference: www.jianshu.com/p/1991854c6… ). Note the command format for dumpdecrypted: `DYLD_INSERT_LIBRARIES=<path to dumpdecrypted.dylib> <path to the Mach-O to decrypt>`; dumpdecrypted also has to be compiled on the PC with the same SDK version as the phone.

On iOS 12 and later, decrypting with Clutch and dumpdecrypted fails; I did not try frida-ios-dump, and decrypted with CrackerXI instead.

1. Open CrackerXI, select the installed application to decrypt, and wait. After success it shows the location of the decrypted IPA in the phone's storage, by default /var/mobile/Documents/CrackerXI/<app name>_CrackerXI.ipa

2. Open OpenSSH on the phone. If the phone does not have OpenSSH installed, Ace Assistant can open an SSH channel directly (reference: blog.csdn.net/ycc15872296… ).

3. Copy the file to the local machine: `scp -r root@<phone IP>:/var/mobile/Documents/CrackerXI/<app name>_CrackerXI.ipa /tmp`. The default password is alpine; the IP is shown in the phone's Wi-Fi connection details.

4. Rename the decrypted IPA to .zip, unpack it, and check the encryption state: `otool -l Payload/<app name>.app/<app name> | grep crypt`. cryptid 1 means encrypted, cryptid 0 means unencrypted; the two entries correspond to the armv7 and arm64 slices.
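As an added illustration of steps 3 and 4 (not code from the original post), the script below does in Python what the `otool -l | grep crypt` check does: it opens an IPA as a zip, reads CFBundleExecutable from Payload/<name>.app/Info.plist, and walks the Mach-O load commands of that binary, reading the cryptid of LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 for every slice of a fat binary. This is useful for verifying on the defender side that a release build is still FairPlay-encrypted, or that a dump produced by a tool such as CrackerXI really has cryptid 0 in every architecture. The sample IPA ("Demo.app", com.example.demo) is constructed in the script itself so it runs offline; pass a real IPA path as the first argument to check one from the phone.

```python
import io
import plistlib
import posixpath
import struct
import sys
import zipfile

# Mach-O / fat-binary constants (values from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit, little/big endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit
FAT_MAGIC = 0xCAFEBABE                               # fat header is always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def parse_thin(data, base=0):
    """Return (arch name, cryptid) for the thin Mach-O at offset `base`.
    cryptid is None when there is no LC_ENCRYPTION_INFO(_64) command at all."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError(f"no Mach-O header at offset {base:#x}")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from(endian + "6I", data, base + 4)
    off = base + (32 if is64 else 28)  # mach_header_64 has a trailing reserved field
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (then pad for the _64 form)
            cryptid = struct.unpack_from(endian + "I", data, off + 16)[0]
            break
        off += cmdsize
    return CPU_NAMES.get(cputype, f"cputype {cputype:#x}"), cryptid


def encryption_status(data):
    """Map arch -> cryptid for a thin or fat Mach-O (what `otool -l | grep crypt` reports)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = {}
        for i in range(nfat):
            _cputype, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            arch, cryptid = parse_thin(data, offset)
            result[arch] = cryptid
        return result
    arch, cryptid = parse_thin(data, 0)
    return {arch: cryptid}


def check_ipa(ipa_bytes):
    """Locate Payload/<name>.app/Info.plist inside the IPA, read CFBundleExecutable,
    and return the encryption status of that main binary."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.count("/") == 2 and n.endswith("/Info.plist"))
        info = plistlib.loads(z.read(plist_name))
        exe = posixpath.join(posixpath.dirname(plist_name), info["CFBundleExecutable"])
        return encryption_status(z.read(exe))


# --- constructed sample data so the script runs offline (not a real app) ---

def build_thin(cputype, cryptid, is64):
    """Minimal thin Mach-O: header plus one LC_ENCRYPTION_INFO(_64) with the given cryptid."""
    cmdsize = 24 if is64 else 20
    cmd = struct.pack("<5I", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                      cmdsize, 0x4000, 0x10000, cryptid) + (b"\0" * 4 if is64 else b"")
    header = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 1, len(cmd), 0)
    return header + (b"\0" * 4 if is64 else b"") + cmd


def build_fat(slices):
    """Fat binary from [(cputype, thin_bytes), ...]; fat header and fat_arch entries are big-endian."""
    header = struct.pack(">2I", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, blob in slices:
        archs += struct.pack(">5I", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return header + archs + body


def build_sample_ipa():
    """Constructed 'Demo.app' whose binary has an encrypted armv7 slice and a decrypted arm64 slice."""
    binary = build_fat([(CPU_TYPE_ARM, build_thin(CPU_TYPE_ARM, 1, is64=False)),
                        (CPU_TYPE_ARM64, build_thin(CPU_TYPE_ARM64, 0, is64=True))])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo"}))
        z.writestr("Payload/Demo.app/Demo", binary)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    for arch, cryptid in check_ipa(data).items():
        state = {1: "encrypted", 0: "decrypted", None: "no LC_ENCRYPTION_INFO"}.get(cryptid, f"cryptid {cryptid}")
        print(f"{arch}: {state}")
```

A cryptid of 1 in any slice means that slice is still encrypted and the disassembler will only see ciphertext for the __TEXT segment; a missing LC_ENCRYPTION_INFO (reported as None) is normal for a locally built binary that never went through App Store encryption.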

3. Decompiling the Mach-O (Introduction to the Mach-O file)

1. Install class-dump; reference: www.jianshu.com/p/025fa775f…

2. Generate the .h files: `class-dump -H Payload/<app name>.app -o /work` (the option is uppercase -H; lowercase -h only prints class-dump's help).

3. Install Hopper Disassembler v4.0.8 (open Patcher, move Hopper in).

4. Open Hopper, select File → Read Executable to Disassemble, open the binary (Payload/<app name>.app/<app name>), choose the architecture matching the decrypted slice found with otool, open it and wait; all functions are listed in the far-left pane. Pick a method from the .h file, then click the if(b) f(x) button in the middle toolbar to convert the assembly to pseudo-Objective-C code (register information included); some code may be obfuscated. References: www.jianshu.com/p/c04ac36c6… , www.jianshu.com/p/384dc5bc1…

Code analysis to be continued.

5. Hooks and MonkeyDev: github.com/AloneMonkey… , www.jianshu.com/p/28eb7616f… , www.lizenghai.com/archives/21… , github.com/Urinx/iOSAp…

6. Kanxue (bbs.pediy.com) iOS reverse-engineering threads

  • bbs.pediy.com/thread-2126…
  • bbs.pediy.com/thread-2099…
  • bbs.pediy.com/thread-2189…
  • bbs.pediy.com/thread-2137…
  • bbs.pediy.com/thread-2127…
  • bbs.pediy.com/thread-2127…
  • bbs.pediy.com/thread-2129…
  • bbs.pediy.com/thread-1988…

Update 2019-09-15: 1. Fix for App Store games crashing on launch after the jailbreak: tieba.baidu.com/p/574053183… Add the source ryleyangus.com/repo/, search for and install the latest version of Liberty Lite (a jailbreak-detection masking plug-in), and respring the phone after installing it. Then go to Settings → Liberty and enable jailbreak-detection masking for the corresponding app. 2. After re-jailbreaking, ConditionalWifi4 can be found in Settings, and Cydia's Wi-Fi toggle can be turned on there.