Recently I sorted out what I know about iOS app reverse engineering and am sharing it here. Reverse engineering an app can be divided into four steps: shell breaking (decrypting the binary), dump, hook, and re-sign.

Summary: an iOS app uploaded to the App Store is encrypted by Apple, so the installation package we download is encrypted. If you want to dump it you first have to decrypt it, that is, break the shell.

Let's take WeChat as an example. First we need a jailbroken iPhone; then open Cydia and install the three required tools: OpenSSH, Cycript and iFile (iFile makes it easy to view log files while debugging the app). Newer versions of iTunes have removed the Apps feature, so you can only download the latest WeChat from the App Store on the phone itself.

Step 1: Find the exact location of WeChat's executable and sandbox. First close all programs on the iPhone except WeChat, so its process is easy to find. Then connect over SSH: open Bash on the Mac and SSH into the iPhone (make sure the iPhone and the Mac are on the same network segment):

$ ssh root@<iPhone IP>

The default root password of OpenSSH is alpine.

Compile dumpdecrypted: go to the directory containing the dumpdecrypted source code and type make. Make will generate a dylib file in the current directory.

4. Create the dynamic library file

After making sure the dynamic library settings in the Makefile match the real iOS environment, type make in the current directory. At first it failed with the following error message:

`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c  
/bin/sh: /Applications/Xcode: No such file or directory  
make: *** [dumpdecrypted.o] Error 127  

The reason is that /Applications/Xcode cannot be found, so the xcrun commands inside the backticks fail. I have three Xcodes on my Mac: /Applications/Xcode 5.0.2.app, /Applications/Xcode 5.1.1.app and /Applications/Xcode 6 Beta4.app, but no /Applications/Xcode.app. So rename one of them:

$ sudo mv /Applications/Xcode\ 5.1.1.app/ /Applications/Xcode.app/

(2) Wrong again

Running make again gives the same error message as above. Check which Xcode xcode-select currently points to:

$ xcode-select -p  
/Applications/Xcode 5.1.1.app/Contents/Developer  

So xcrun was looking up the command-line tool path under the old Xcode 5.1.1 directory, which no longer exists after the rename, and of course it could not find anything. Reset it so that it points to /Applications/Xcode.app/:

$ sudo xcode-select -r  
$ xcode-select -p   
/Applications/Xcode.app/Contents/Developer  

(3) Run make again; this time it succeeds with the following output:

$ make  
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c  
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o  

$ ls  
Makefile          dumpdecrypted.c          dumpdecrypted.o  
README               dumpdecrypted.dylib  

Copy dumpdecrypted.dylib to the iPhone with scp and, in the SSH session, start the WeChat executable with the dylib injected through the DYLD_INSERT_LIBRARIES environment variable (this is how dumpdecrypted is meant to be used). It prints the following:

mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x56a4c(from 0x56000) = a4c
[+] Found encrypted data at address 00004000 of length 38748160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/2C920956-E3D6-4313-BD88-66BD24CEBE9B/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c
[+] Closing original file
[+] Closing dump file

This means the decryption succeeded and the decrypted file, WeChat.decrypted, has been written to the current directory. Use scp again to copy it to the Mac; then we can formally dump the decrypted executable. The scp command to download a remote file to the local machine is:

$ scp root@<iPhone IP>:<remote directory>/WeChat.decrypted <local destination>
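Before feeding WeChat.decrypted to class-dump or injecting a dylib into it, it is worth verifying that the dump really is decrypted: the giveaway is the cryptid field of the LC_ENCRYPTION_INFO load command, which the output above shows dumpdecrypted setting to 0 at offset 4a4c (the 16384-byte FAT slice offset plus the a4c command offset). The following script is an added example, not code from this article or from dumpdecrypted; it walks a thin or FAT Mach-O image, finds the encryption load command in every slice and reports cryptid. The build_macho/build_fat helpers construct tiny images for illustration so it runs without a real binary.

```python
"""Added example (not code from the article or from dumpdecrypted): walk a Mach-O
or FAT image, find LC_ENCRYPTION_INFO and report whether cryptid is still set.
Run it on WeChat.decrypted: a file whose cryptid is still 1 was not decrypted.
The Mach-O images built by build_macho/build_fat are constructed for illustration."""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # fat header (big-endian)
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def parse_thin(data, base=0):
    """Parse one Mach-O slice starting at data[base:] and return its encryption state."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC:
        hdr_size, is64 = 28, False
    elif magic == MH_MAGIC_64:
        hdr_size, is64 = 32, True
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    ncmds = struct.unpack_from("<I", data, base + 16)[0]   # mach_header.ncmds
    info = {"offset": base, "is64": is64, "encrypted": False}
    off = base + hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)   # struct load_command
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptid_offset=off + 16, cryptoff=cryptoff,
                        cryptsize=cryptsize, cryptid=cryptid,
                        encrypted=cryptid != 0)
        off += cmdsize
    return info


def inspect(data):
    """Return one result per architecture, handling FAT images like dumpdecrypted does."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    results = []
    for i in range(nfat_arch):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _, _, offset, _, _ = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        results.append(parse_thin(data, offset))
    return results


def clear_cryptid(data):
    """Return a copy with cryptid zeroed in every slice. This is only the last step
    dumpdecrypted performs; it does not decrypt any pages by itself."""
    out = bytearray(data)
    for info in inspect(data):
        if "cryptid_offset" in info:
            struct.pack_into("<I", out, info["cryptid_offset"], 0)
    return bytes(out)


def build_macho(cryptid, is64=False):
    """Constructed minimal Mach-O carrying a single LC_ENCRYPTION_INFO command."""
    if is64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
        hdr = struct.pack("<IiiIIII", MH_MAGIC, 12, 9, 2, 1, len(cmd), 0)
    return hdr + cmd


def build_fat(*slices, align=0x4000):
    """Constructed FAT wrapper placing each slice on a 16 KiB boundary, as iOS binaries are."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    archs, body = b"", b""
    for i, s in enumerate(slices):
        cputype = struct.unpack_from("<i", s, 4)[0]
        archs += struct.pack(">iiIII", cputype, 0, align * (i + 1), len(s), 14)
        body += s.ljust(align, b"\0")
    return (header + archs).ljust(align, b"\0") + body


if __name__ == "__main__":
    # With a path argument inspect that file; otherwise inspect a constructed FAT image
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:
        image = build_fat(build_macho(1), build_macho(0, is64=True))
    for info in inspect(image):
        print("slice at %#x (%s-bit): cryptid=%s -> %s" % (
            info["offset"], 64 if info["is64"] else 32, info.get("cryptid", "n/a"),
            "STILL ENCRYPTED" if info["encrypted"] else "decrypted"))
```

Run it as python3 check_cryptid.py WeChat.decrypted; every slice should report cryptid=0. If a slice still reports cryptid=1, dumpdecrypted ran against a different architecture than the one you are inspecting (it only dumps the slice that was actually loaded in memory), and class-dump or the later injection will be working on encrypted code.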

Second, the dump

Debug or Release packages you build yourself can be dumped without breaking the shell; only packages downloaded from the App Store need to be decrypted first. The dump is done with class-dump. After installing it, run:

class-dump -H <executable or framework to dump> -o <directory for the exported headers>

For example, cd to the directory containing the decrypted file and run class-dump -H WeChat.decrypted -o headers to obtain .h files with the declarations of all WeChat classes and methods.

Third, the hooks

Among the exported headers two methods stand out:

- (void)AsyncOnAddMsg:(id)arg1 MsgWrap:(id)arg2;
- (void)OpenRedEnvelopesRequest:(id)arg1;

Yes, we are going to use these two methods to implement automatic red envelope grabbing in WeChat. The principle: hook WeChat's new-message method, check whether the incoming message is a red envelope message, and if so call WeChat's own method for opening a red envelope. That is all it takes to grab red envelopes automatically. Simple, isn't it? Let's see how it is implemented.

Create a dylib project. Xcode does not support generating a dylib by default, so download and install iOSOpenDev, then reopen Xcode (in the Xcode 7 environment iOSOpenDev reports an installation failure; see the iOSOpenDev installation problem). You will then see the iOSOpenDev option among the new project templates. The dylib needs an entry point that runs when it is loaded:

__attribute__((constructor)) static void entry() {
    // specific hook code goes here
}

Hook WeChat's AsyncOnAddMsg:MsgWrap: method using the CaptainHook macros; the implementation is as follows:

#import <Foundation/Foundation.h>
#import <objc/message.h>
#import "CaptainHook/CaptainHook.h"

// Declare the CMessageMgr class
CHDeclareClass(CMessageMgr);

// Replacement for -[CMessageMgr AsyncOnAddMsg:MsgWrap:]
CHMethod(2, void, CMessageMgr, AsyncOnAddMsg, id, arg1, MsgWrap, id, arg2) {
    // Call the original AsyncOnAddMsg:MsgWrap: first so the message is still delivered
    CHSuper(2, CMessageMgr, AsyncOnAddMsg, arg1, MsgWrap, arg2);
    // ... (check whether arg2 is a red envelope message and build logicMgr and params here)
    // The function pointer cast must declare the third argument as NSMutableDictionary *,
    // otherwise the objc_msgSend call is made with the wrong signature
    ((void (*)(id, SEL, NSMutableDictionary *))objc_msgSend)(logicMgr, @selector(OpenRedEnvelopesRequest:), params);
}

__attribute__((constructor)) static void entry() {
    // Load the CMessageMgr class (it lives in the WeChat binary itself, so it is loaded late)
    CHLoadLateClass(CMessageMgr);
    // Hook AsyncOnAddMsg:MsgWrap:
    CHClassHook(2, CMessageMgr, AsyncOnAddMsg, MsgWrap);
}

The author has put all the project code on GitHub. Once the implementation logic is complete, build the dylib. For WeChat to run our code it first has to load our dylib, so we use the dylib injection tool yololib: download its source code, compile it to get the yololib binary, and inject with a single command. Before injecting, rename the WeChat.decrypted file we saved to WeChat and put it into WeChat.app in place of the original encrypted executable, since it is the already decrypted executable.

./yololib <target executable to inject into> <dylib to inject>

yololib prints its progress information after a successful injection.

After the dylib injection, create a new Entitlements.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>123456.com.autogetredenv.demo</string>
    <key>com.apple.developer.team-identifier</key>
    <string>123456</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>123456.com.autogetredenv.demo</string>
    </array>
</dict>
</plist>

You may not know your certificate's Team ID and the other values. Here is a tip: find an app (for example Demo) that was previously packaged with your developer or enterprise certificate and dump its entitlements with ldid:

./ldid -e ./Demo.app/Demo

Next, build the dylib (libautoGetRedEnv.dylib), inject it into the WeChat executable, and copy the embedded.mobileprovision file (found inside the previously packaged app) into WeChat.app.
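The Entitlements.plist you hand to codesign and the embedded.mobileprovision you copy into WeChat.app have to agree: the application-identifier and keychain-access-groups must be prefixed by the team identifier, the profile's (possibly wildcard) application-identifier must cover the app's, and get-task-allow must match. When they do not, the re-signed app installs but refuses to launch, or does not install at all. The script below is an added example, not code from this article; it reads the plist embedded in a .mobileprovision (a CMS blob wrapping an XML plist, read here without verifying Apple's signature) and lists every mismatch. ENTITLEMENTS mirrors the plist above; PROFILE is a constructed stand-in for a real provisioning profile.

```python
"""Added example (not from the article): cross-check the Entitlements.plist handed
to codesign against the embedded.mobileprovision copied into WeChat.app.
ENTITLEMENTS and PROFILE below are constructed sample data."""
import plistlib
import re


def profile_plist(mobileprovision):
    """embedded.mobileprovision is a CMS/PKCS#7 blob wrapping an XML plist; slicing out
    the <?xml ... </plist> span reads it without verifying Apple's signature."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist inside the provisioning profile")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def _matches(pattern, value):
    """Profile entitlements may carry wildcards such as 123456.com.example.*"""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def check(entitlements, profile):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems = []
    team = entitlements.get("com.apple.developer.team-identifier", "")
    app_id = entitlements.get("application-identifier", "")
    groups = entitlements.get("keychain-access-groups", [])
    prof_ent = profile.get("Entitlements", {})

    if not app_id.startswith(team + "."):
        problems.append("application-identifier %r is not prefixed by team id %r" % (app_id, team))
    for g in groups:
        if not g.startswith(team + "."):
            problems.append("keychain-access-group %r is not prefixed by team id %r" % (g, team))
    if team not in profile.get("TeamIdentifier", []):
        problems.append("team id %r is not in the profile's TeamIdentifier list" % team)
    if not _matches(prof_ent.get("application-identifier", ""), app_id):
        problems.append("profile application-identifier %r does not cover %r"
                        % (prof_ent.get("application-identifier"), app_id))
    for g in groups:
        if not any(_matches(p, g) for p in prof_ent.get("keychain-access-groups", [])):
            problems.append("keychain-access-group %r is not allowed by the profile" % g)
    if bool(entitlements.get("get-task-allow")) != bool(prof_ent.get("get-task-allow")):
        problems.append("get-task-allow differs between entitlements and profile")
    return problems


# Constructed sample mirroring the article's Entitlements.plist
ENTITLEMENTS = {
    "application-identifier": "123456.com.autogetredenv.demo",
    "com.apple.developer.team-identifier": "123456",
    "get-task-allow": True,
    "keychain-access-groups": ["123456.com.autogetredenv.demo"],
}

# Constructed stand-in for embedded.mobileprovision: DER-looking bytes around the plist
PROFILE = b"\x30\x82\x10\x00\x06\x09\x2a\x86" + plistlib.dumps({
    "Name": "demo development profile",
    "TeamIdentifier": ["123456"],
    "Entitlements": {
        "application-identifier": "123456.com.autogetredenv.*",
        "com.apple.developer.team-identifier": "123456",
        "get-task-allow": True,
        "keychain-access-groups": ["123456.*"],
    },
}) + b"\x00\x00"


if __name__ == "__main__":
    # Real usage: plistlib.load(open("Entitlements.plist", "rb")) and
    # profile_plist(open("WeChat.app/embedded.mobileprovision", "rb").read())
    for line in check(ENTITLEMENTS, profile_plist(PROFILE)) or ["entitlements and profile are consistent"]:
        print(line)
```

The profile check only covers the fields that commonly break a re-sign; a real profile also carries ExpirationDate and ProvisionedDevices, and an expired profile or a device UDID missing from that list fails in the same way, so check those too when the app still will not install.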

5, sign

Re-sign wechat

Command format: codesign -f -s "<certificate name>" <object file>

PS: the certificate name can be found in Keychain Access.

The codesign command is used to sign the relevant files in WeChat.app one by one: the injected dylib first, then the app bundle itself together with the Entitlements.plist created above.

Re-sign and package into an IPA

After re-signing WeChat we package it into an IPA with xcrun:

xcrun -sdk iphoneos PackageApplication -v WeChat.app -o ~/WeChat.ipa

Now we can use the iTools tool to install the improved WeChat on the iPhone (the iPhone's device ID must be included in the certificate's provisioning profile).
