Jailbreak environment

Arm64 architecture

  • iPhone 5S and later
  • iPad Air, iPad mini 2 and later
  • iOS 8 to iOS 10 untethered jailbreak

Check whether your phone model and iOS version can be jailbroken: jailbreak.25pp.com/ios

Cydia installed

Software sources

  • apt.25pp.com
  • apt.saurik.com
  • BigBoss

Tweaks and plug-ins

  • Apple File Conduit
  • AppSync Unified
  • iFile
  • PP Assistant
  • openssh
  • Cycript
  • adv-cmds
  • Reveal Loader
  • Vi IMproved

Software installation on Mac

  • PP Assistant
  • iFunBox
  • MachOView
  • Reveal
  • Hopper Disassembler

Reverse engineering environment

$ marks a command typed in the Mac terminal, # marks a command typed in the iPhone terminal

Wi-Fi connection

The default root password is alpine

$ ssh root@<iPhone-IP-Address>

If SSH complains that the server (host key) identity has changed

Delete the old host key entry from ~/.ssh/known_hosts:

$ ssh-keygen -R <iPhone-IP-Address>

Key-based SSH login to the iPhone (no password prompt)

$ ssh-keygen
$ ssh-copy-id root@<iPhone-IP-Address>

If ssh-copy-id is not available, copy the public key over and install it by hand:

$ scp ~/.ssh/id_rsa.pub root@<iPhone-IP-Address>:~
$ ssh root@<iPhone-IP-Address>
# mkdir .ssh
# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
# rm ~/id_rsa.pub
# chmod 755 ~
# chmod 755 ~/.ssh
# chmod 644 ~/.ssh/authorized_keys

Connecting over USB

Download usbmuxd into ~/Documents and forward port 22 of the iPhone to port 10010 on localhost (10011 is forwarded as well for debugserver later)

$ cd ~/Documents/usbmuxd-1.0.8/python-client
$ python tcprelay.py -t 22:10010 10011:10011

Open a new terminal window and connect to localhost port 10010, which is forwarded to port 22 on the iPhone

$ ssh root@localhost -p 10010

Chinese characters display as garbage in the iOS terminal

Add the following to ~/.inputrc:

set convert-meta off
set output-meta on
set meta-flag on
set input-meta on

Cycript

Handy helper script library: MJCript

List all processes

# ps -A

Enter the app's Cycript environment

# cycript -p <pid or app_exec_name>

Common syntax

[UIApplication sharedApplication]                    // the app singleton
UIApp                                                // Cycript shortcut for the line above
var app = UIApp.keyWindow                            // store an object in a variable
#<address_value>                                     // turn a memory address into an object reference
ObjectiveC.classes                                   // list all loaded Objective-C classes
*UIApp                                               // print the object's instance variables
UIApp.keyWindow.recursiveDescription().toString()    // dump the whole view hierarchy
choose(UIViewController)                             // find live instances of a class

Mach-O files

#define MH_OBJECT 0x1      /* relocatable object file */
#define MH_EXECUTE 0x2     /* demand paged executable file */
#define MH_FVMLIB 0x3      /* fixed VM shared library file */
#define MH_CORE 0x4        /* core file */
#define MH_PRELOAD 0x5     /* preloaded executable file */
#define MH_DYLIB 0x6       /* dynamically bound shared library */
#define MH_DYLINKER 0x7    /* dynamic link editor */
#define MH_BUNDLE 0x8      /* dynamically bound bundle file */
#define MH_DYLIB_STUB 0x9  /* shared library stub for static */
                           /* linking only, no section contents */
#define MH_DSYM 0xa        /* companion file with only debug */
                           /* sections */
#define MH_KEXT_BUNDLE 0xb /* x86_64 kexts */

Common Mach-O file types:

  • MH_OBJECT: object file (.o); a static library (.a) is several .o files merged together
  • MH_DYLIB: dynamic library (.dylib, .framework)
  • MH_DYLINKER: the dynamic linker, /usr/lib/dyld
  • MH_DSYM: a file holding the symbol information of a binary, .dSYM/Contents/Resources/DWARF/xxx (often used to symbolicate app crash logs)

Check the file type of a Mach-O

$ file <file_dir>

Extract a single architecture

$ lipo <mach_o_file_dir> -thin arm64 -output <output_dir>

Merging multiple architectures

$ lipo <mach_o_file_1> <mach_o_file_2> -output <output_dir>

Decryption (removing the App Store encryption "shell")

Tools

  • Clutch
  • dumpdecrypted

Check whether the executable is still encrypted

$ otool -l <exec_dir> | grep crypt

cryptid 0 means the binary has already been decrypted (shell removed); cryptid 1 means it is still encrypted
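The checks above (file, lipo, otool -l | grep crypt) read fields straight out of the Mach-O header, so here is an added example, not code from the original post, that parses them directly: the filetype from the MH_* table above and the cryptid from LC_ENCRYPTION_INFO(_64), for thin images and for fat files merged with lipo. The sample images are constructed inside the block; for a real binary pass open(path, "rb").read() to inspect_file.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
CPU_TYPE_ARM64 = 0x0100000C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
FILETYPES = {0x1: "MH_OBJECT", 0x2: "MH_EXECUTE", 0x6: "MH_DYLIB",
             0x7: "MH_DYLINKER", 0x8: "MH_BUNDLE", 0xA: "MH_DSYM"}


def inspect_macho(data: bytes, offset: int = 0) -> dict:
    """File type and cryptid of the thin little-endian Mach-O image at `offset`
    (cryptid 1 = still App Store encrypted, 0 = decrypted, None = no such command)."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image: 0x%08x" % magic)
    _, _, _, filetype, ncmds, _, _ = struct.unpack_from("<7I", data, offset)
    info = {"filetype": FILETYPES.get(filetype, hex(filetype)), "cryptid": None}
    pos = offset + (32 if magic == MH_MAGIC_64 else 28)   # sizeof mach_header(_64)
    for _ in range(ncmds):                                # walk the load commands
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            info["cryptid"] = struct.unpack_from("<I", data, pos + 16)[0]
        pos += cmdsize
    return info


def inspect_file(data: bytes) -> list:
    """Also handles a fat file (lipo ... -output): one result per architecture slice."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [inspect_macho(data)]
    nfat_arch, = struct.unpack_from(">I", data, 4)        # fat headers are big-endian
    # fat_arch entries: cputype, cpusubtype, offset, size, align
    offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat_arch)]
    return [inspect_macho(data, off) for off in offsets]


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE with a single LC_ENCRYPTION_INFO_64."""
    cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 0x2, 1, len(cmd), 0, 0)
    return hdr + cmd


def build_fat_sample() -> bytes:
    """Constructed fat file: slice 0 still encrypted (cryptid 1), slice 1 decrypted."""
    slices = [build_sample(1), build_sample(0)]
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">5I", CPU_TYPE_ARM64, 0, off, len(s), 0)
        body, off = body + s, off + len(s)
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + archs + body
```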

Copy dumpdecrypted.dylib into /var/root/ on the iPhone and use ps -A to find the app's executable path

# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <exec_dir>

Export headers

Use class-dump to export the Objective-C header files of an app

$ class-dump -H <app_exec_dir> -o <headers_folder_output_dir>

Theos

Install the signing tool ldid

$ brew install ldid

Configure the environment variables (add them to .bash_profile):

$ export THEOS=~/theos
$ export PATH=$THEOS/bin:$PATH
$ export THEOS_DEVICE_IP=127.0.0.1
$ export THEOS_DEVICE_PORT=10010

Download Theos

$ cd ~ && git clone --recursive https://github.com/theos/theos.git $THEOS

Create a tweak project

$ nic.pl

Select the iphone/tweak template

MobileSubstrate Bundle filter: the Bundle ID of the target app

Open the Tweak.xm file and write the hook code

%hook XXXView
- (id)initWithFrame:(struct CGRect)arg1 {
  return nil;
}
%end

Compile, package and install

$ make clean && make && make package && make install

Other information:

  • Directory structure: github.com/theos/theos…
  • Environment variables: iphonedevwiki.net/index.php/T…
  • Logos syntax: iphonedevwiki.net/index.php/L…

Dynamic debugging

Copy debugserver from the iPhone's /Developer directory to the Mac and export its entitlements file

$ ldid -e debugserver > debugserver.entitlements

Open the entitlements file and add the following two keys:

  • get-task-allow
  • task_for_pid-allow

Both are Boolean values; set them to YES (true)

Then re-sign debugserver with the modified entitlements

$ ldid -Sdebugserver.entitlements debugserver

Copy debugserver back to /usr/bin on the iPhone

Attach debugserver to the app

# debugserver *:10011 -a <pid or app_exec_name>

Start LLDB and connect to debugserver

$ lldb
(lldb) process connect connect://<iPhone-IP-Address>:10011

Launch the app through debugserver

# debugserver -x auto *:10011 <app_exec_dir>

LLDB

Execute an expression

(lldb) expression self.view.backgroundColor = [UIColor redColor]

-- is the option terminator: everything after it is treated as the expression rather than as a command option

Print the thread's call stack (backtrace)

(lldb) thread backtrace
(lldb) bt

Return from the current function immediately without executing the rest of it

(lldb) thread return

Print the variables of the current stack frame

(lldb) frame variable

Continue running

(lldb) thread continue
(lldb) continue
(lldb) c

Step over (a call to a subroutine counts as one step)

(lldb) thread step-over
(lldb) next
(lldb) n
(lldb) ni  # step over one machine instruction

Step into (enter subroutine calls)

(lldb) thread step-in
(lldb) step
(lldb) s
(lldb) si  # step into one machine instruction

Step out: finish executing the current function and return to the caller

(lldb) thread step-out
(lldb) finish

Breakpoints

(lldb) breakpoint set -n test
(lldb) breakpoint set -n touchesBegan:withEvent:
(lldb) breakpoint set -n "-[ViewController touchesBegan:withEvent:]"
(lldb) breakpoint set -r <regex_expression>

(lldb) breakpoint list
(lldb) breakpoint enable <bpt_no>
(lldb) breakpoint disable <bpt_no>
(lldb) breakpoint delete <bpt_no>

Watchpoints (triggered when the watched memory changes)

(lldb) watchpoint set variable self->age
(lldb) watchpoint set expression &(self->_age)

Look up information about a type

(lldb) image lookup -t <type>

Find which module and symbol a memory address belongs to

(lldb) image lookup -a <address>

Find the location of a symbol or function

(lldb) image lookup -n <symbol_name or func_name>

List the loaded modules

(lldb) image list
(lldb) image list -o -f  # print each module's full path and load offset

Re-signing

Obtain the embedded.mobileprovision file from an app package built in Xcode with a paid certificate

Extract entitlements.plist from embedded.mobileprovision

$ security cms -D -i embedded.mobileprovision > tmp.plist
$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' tmp.plist > entitlements.plist

View the available code-signing certificates

$ security find-identity -v -p codesigning

Re-sign the dynamic libraries, app extensions, etc. inside the .app package

$ codesign -fs <cer_id or cer_str> <dylib_dir>

Re-sign the .app package

$ codesign -fs <cer_id or cer_str> --entitlements entitlements.plist <app_file>

GUI tool:

Copy embedded.mobileprovision into the .app, then use iOS App Signer to re-sign it

Dynamic library injection

Install insert_dylib: compile it and put the executable in /usr/local/bin

$ cd <app_file_exec_dir>

On the iPhone, find the dylib generated by your tweak project in /Library/MobileSubstrate/DynamicLibraries, copy it out, and inject it into the app executable

$ insert_dylib @executable_path/<tweak_dylib_name> <app_exec_name> --all-yes --weak <app_exec_name>

Change the dynamic library load path

Copy /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate from the iPhone into the same directory as the dylib generated by the tweak project

Change the dependency path recorded in the tweak's dylib

$ install_name_tool -change /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate @loader_path/CydiaSubstrate <tweak_dylib_name>

Install the re-signed IPA on a non-jailbroken phone

Check out my personal blog for more

Most of the above code and toolkits can be found on my GitHub