0x00 Problem origin

(omitted)

0x01 Preparing the decrypted IPA

All apps on the App Store are protected with FairPlay DRM encryption, so the app binary has to be decrypted before it can be debugged dynamically.

Tool used for decryption: Clutch

Clutch: a high-speed iOS decryption tool.

Clutch dumps the decrypted code of a running application from memory and repackages it as an IPA.

Clutch is open source and available for free on GitHub.

Source: https://github.com/KJCracks/Clutch
Prebuilt executable: https://github.com/KJCracks/Clutch/releases

Decryption steps:

1. Prepare a jailbroken device and install OpenSSH.
2. Get the Clutch executable (compile it from source or download the prebuilt binary).
3. Copy the clutch executable to the /usr/bin/ directory of the jailbroken device:
    scp /path/to/clutch root@<your.device.ip>:/usr/bin/
4. Export the decrypted IPA:
    ssh root@<your.device.ip>
    clutch -i       // list the apps installed on the device
    clutch -d [n]   // decrypt app number n and produce the IPA

Once decryption succeeds, Clutch prints the location of the decrypted IPA file, as shown below.

[Figure: the decryption process]

5. Copy the decrypted IPA file back to your machine:
    scp root@<your.device.ip>:/path/to/xx.ipa /User/xx/Desktop

0x02 Create a new blank project with the same name

The following uses dynamic debugging of Kindle as an example to demonstrate the whole dynamic debugging process.

  1. First obtain the decrypted Kindle.ipa file using the steps in 0x01.
  2. Then create a new project called Kindle (any Bundle ID prefix will do) with the following structure:

[Figure: blank project structure]

0x03 Adding a custom Run Script

Add the Run Script to the Build Phases of Target “Kindle”.

[Figure: the replacement script]

This script performs the sleight of hand of swapping the app out from under Xcode:

First, copy the third-party app over the app generated by our new project.

Then sign the third-party app with our own certificate.

Finally, install the signed third-party app on the physical device.

To Xcode it looks as if we were running our own app.
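The post shows the script only as a screenshot; the following is an added example of such a Run Script phase, not the author's script. Xcode exports TARGET_BUILD_DIR, WRAPPER_NAME, EXPANDED_CODE_SIGN_IDENTITY and CODE_SIGN_ENTITLEMENTS to Run Script phases; THIRD_PARTY_IPA is an assumed variable holding the path of the decrypted IPA from 0x01, and the target is assumed to have an entitlements file.

```shell
#!/bin/sh
# Added example, not the script from the original post. Xcode exports
# TARGET_BUILD_DIR, WRAPPER_NAME, EXPANDED_CODE_SIGN_IDENTITY and
# CODE_SIGN_ENTITLEMENTS; THIRD_PARTY_IPA (decrypted IPA from 0x01) is assumed.
set -eu

# Print the path of the single .app inside an unpacked IPA's Payload/ directory.
find_payload_app() {
  app=$(find "$1/Payload" -mindepth 1 -maxdepth 1 -name '*.app' -type d | head -n 1)
  [ -n "$app" ] || { echo "no .app under $1/Payload" >&2; return 1; }
  printf '%s\n' "$app"
}

# Replace the product Xcode just built with the third-party .app, keeping the
# provisioning profile Xcode embedded so the device accepts our signature.
replace_built_app() {
  src_app="$1"; built_app="$2"
  profile="$built_app.mobileprovision.bak"
  if [ -f "$built_app/embedded.mobileprovision" ]; then
    cp "$built_app/embedded.mobileprovision" "$profile"
  fi
  rm -rf "$built_app"
  cp -R "$src_app" "$built_app"
  if [ -f "$profile" ]; then
    mv "$profile" "$built_app/embedded.mobileprovision"
  fi
}

# Sign inside-out: nested frameworks first, then the app itself with our
# identity and entitlements. App extensions in PlugIns/ need their own
# signature, which is what the extra extension target in 0x05 provides.
resign_app() {
  app="$1"; identity="$2"; entitlements="$3"
  for fw in "$app"/Frameworks/*; do
    [ -e "$fw" ] || continue
    codesign -f -s "$identity" "$fw"
  done
  codesign -f -s "$identity" --entitlements "$entitlements" "$app"
}

# Only act inside an Xcode build (TARGET_BUILD_DIR is set there); sourcing the
# file elsewhere just defines the functions.
if [ -n "${TARGET_BUILD_DIR:-}" ]; then
  work=$(mktemp -d)
  unzip -oq "$THIRD_PARTY_IPA" -d "$work"
  replace_built_app "$(find_payload_app "$work")" "$TARGET_BUILD_DIR/$WRAPPER_NAME"
  resign_app "$TARGET_BUILD_DIR/$WRAPPER_NAME" "$EXPANDED_CODE_SIGN_IDENTITY" "$CODE_SIGN_ENTITLEMENTS"
  rm -rf "$work"
fi
```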

The entire process can be seen in Xcode’s Build log, as shown below:

[Figure: build log]

0x04 Dynamically Debugging third-party Apps

Once the script is added, clean the whole project and then Run it on a non-jailbroken device.

Click the view hierarchy debugger and use LLDB for dynamic debugging.

[Figure: the view hierarchy]

You can also decompile the binary to find the memory address of a particular symbol and then set breakpoints at that address, which makes all sorts of debugging tricks possible.

0x05 Problems encountered

1. Clutch has no execute permission:
    chmod +x clutch
2. Some extension signatures in PlugIns fail

This happens with both Kindle and WeChat.

The Xcode log displays information similar to the following:

    NSLocalizedDescription=Failed to verify code signature of <MIPluginKitPluginBundle : path = /private/var/mobile/Library/Caches/com.apple.mobile.installd.staging/temp.l4X8Bg/extracted/Kindle.app/PlugIns/KindleToday.appex identifier = com.amazon.Lassen.KindleTodayExtension type = 7> : 0xe8008001 (Unknown error)}

As the log shows, the PlugIns are not signed when the app is run this way.

There are two solutions:

1) Delete the PlugIns folders that fail to sign; they are generally of no use for dynamic debugging.
2) Create an Extension with the same name and replace it with the third-party app’s Extension using a script.
  • File -> New -> Target -> Today Extension

[Figure: adding the Today Extension]

  • Add the Run Script to the Build Phases of Target “KindleToday”.

[Figure: copying the Extension]

  • Move the Run Script in the Build Phases of Target “Kindle” to before Embed App Extensions.

[Figure: Run Script position]

  • The same approach works if the app contains other extensions or a Watch app.