Preface

Doing reverse engineering gives you a high level of awareness of your application's security and improves your ability to protect it. Here I share some common jailbreak methods and app-decryption ("shell smashing") tools; after all, if you want to get anywhere with reverse engineering, there is little to play with unless you jailbreak and get root permission.

1.0 Jailbreaking

Basically, jailbreaking works by attacking the iOS secure boot chain. Every jailbreak tool author has to find a vulnerability in the trust chain, disable the component responsible for verification in that chain, and so obtain root permission on the iOS system. A "perfect" jailbreak (untethered) exploits an iOS vulnerability so that on every restart the injected jailbreak code is called automatically, the security verification is defeated again and root permission is regained; systems below iOS 10 can be perfectly jailbroken. An "imperfect" jailbreak (tethered or semi-untethered) means that after jailbreaking, the security chain is not completely broken and some functions or apps do not work well; for example, after shutting down you must connect to the jailbreak software to boot, or a reboot makes the jailbreak fail. Currently the available tools for iOS 10 and later only provide imperfect jailbreaks.

1.1 Jailbreaking Tools

  • unc0ver: unc0ver.dev/, currently the most frequently used jailbreak tool. After jailbreaking, the app store is the familiar Cydia, and the most convenient feature is that it can easily restore the original Apple system. The following uses this tool as the example for the jailbreak steps and points to note.
  • Odyssey: theodyssey.dev/, those interested can try it; note that you must disconnect the network before jailbreaking.

1.2 Jailbreak Procedure

  • Download the unc0ver IPA package.

  • Re-sign the unc0ver package and install it on the phone (note that it does not need to be decrypted; only apps from the App Store need to be decrypted). Install unc0ver onto the phone using the methods found on the unc0ver website, or re-sign it with the appSign.sh script given here. Create an empty Xcode project named demo, drag appSign.sh into the project, and at the same time create an empty folder named APP and put unc0ver.ipa into it. As shown in the figure.

First run the demo from Xcode; the purpose is to get the provisioning profile (description file) onto the phone first. Re-signing means using that provisioning profile to re-sign unc0ver, so the profile must already exist on the phone. Then add a Run Script phase in Xcode that calls appSign.sh, run the demo from Xcode again, and unc0ver is installed on the phone. The appSign.sh script is as follows:

# ${SRCROOT} is the directory of the project file; APP/ holds the IPA to re-sign, Temp/ is scratch space
TEMP_PATH="${SRCROOT}/Temp"
ASSETS_PATH="${SRCROOT}/APP"
TARGET_IPA_PATH="${ASSETS_PATH}/*.ipa"
# Clear the Temp folder
rm -rf "${SRCROOT}/Temp"
mkdir -p "${SRCROOT}/Temp"
# 1. Decompress the IPA into Temp and get the path of the unzipped temporary .app
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app; echo "$1")
# 2. Copy the unzipped .app over the project's own build product
#    (BUILT_PRODUCTS_DIR and TARGET_NAME are Xcode build settings)
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "App path: $TARGET_APP_PATH"
rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"
# 3. Delete extensions and the Watch app: a personal certificate cannot sign extensions
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"
# 4. Update CFBundleIdentifier in Info.plist ("Set :KEY Value" "target file path")
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"
# 5. Read the Mach-O executable name from Info.plist and give it execute permission
APP_BINARY=$(plutil -convert xml1 -o - "$TARGET_APP_PATH/Info.plist" | grep -A1 Exec | tail -n1 | cut -f2 -d\> | cut -f1 -d\<)
chmod +x "$TARGET_APP_PATH/$APP_BINARY"
# 6. Re-sign third-party frameworks with the project's signing identity
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ]; then
  for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*; do
    /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
  done
fi
# If you need to inject your own decrypt library, uncomment one of these (yololib adds a load command)
#yololib "$TARGET_APP_PATH/$APP_BINARY" "Frameworks/wgyHook.framework/wgyHook"
#yololib "$TARGET_APP_PATH/$APP_BINARY" "Frameworks/libwgy.dylib"
  • Disconnect Xcode, re-run unc0ver, and in Settings check Install OpenSSH plug-in (the OpenSSH plug-in can be installed after the jailbreak or checked here; if it is not installed, the jailbroken phone cannot be connected to), then click the Jailbreak button to start. During the jailbreak the device restarts. Note: unc0ver 7.0.2 kept prompting me to install a Unveil Security App and did not work; with 6.0.2 it succeeded. If any friends know why, leave a message.

Tip: here are several sources for installing plug-ins

  • The bees source: apt.cydiami.com.
  • LeiFengYuan: atp.abcydia.com.
  • Bingner: atp.bingner.com.

1.3 OpenSSH

After jailbreaking, we need to install the OpenSSH plug-in to communicate with the phone. You can check "Install" when jailbreaking, or install the plug-in in Cydia. OpenSSH is a free, open-source implementation of the Secure Shell (SSH) protocol. SSH can be used for remote control or to transfer files between computers.

1.3.1 Connecting to the phone over Wi-Fi

The process of logging in to the phone over ssh via Wi-Fi is as shown in the figure above: the phone sends its public key to the Mac, the Mac encrypts the password with that public key, and the phone decrypts it with its private key to verify permissions. Unless you understand how it works, you are no more than a code porter.

  • ssh <username>@<phone IP address>, for example ssh root@<phone IP>. The phone and the Mac must be on the same network segment. When connecting over Wi-Fi, the default is port 22 on the phone, which is equivalent to ssh -p 22 root@<phone IP>.
  • Default password: alpine

Note that there are two users on the phone:

  • root: the highest-privilege user, can access any file; we generally use root.
  • mobile: an ordinary user that can only access its own home directory, /var/mobile.

The Mac side saves the phone's public key: the known_hosts file in the .ssh directory (figure below) records the public key corresponding to each phone's IP address. After connecting to the phone with ssh, go to the /etc/ssh directory; there is an ssh_host_rsa_key.pub file, as shown in the following figure. That public key is the one sent to the Mac.

Quick login

Specifying the IP address and user name for every login is too cumbersome. Create a file named config inside the hidden .ssh folder of the home directory. For example, I have two jailbroken devices here: an iPhone 6 with a perfect jailbreak and an iPhone 6s with an imperfect one; they can be configured as follows. If an IP address changes, just modify config. To log in with ssh, enter the Host alias.

1.3.2 Connecting to the phone through USB

Verifying login rights over ssh through a USB connection works the same as over Wi-Fi. However, you need to enable a mapping between a local port and port 22 of the phone; accessing that local port then reaches port 22 of the phone. You can use the libimobiledevice tool or the usbmuxd service on the Mac to enable port mapping. Here libimobiledevice and local port 12345 are used as the example.

  • Install libimobiledevice: $ brew install libimobiledevice
  • Map the port: iproxy 12345 22
  • ssh -p 12345 root@localhost. ssh connects to local port 12345 and, thanks to the port mapping, reaches port 22 of the device through USB.

Quick login

Most of the time we use the USB connection; after all, debugging is smoother, and Wi-Fi gets blocked a lot, so we should make a USB quick login command. Create a new folder in the home directory, such as wgyShell, and create several shell scripts in it, such as usbconnect.sh (enable port mapping), 6.sh (connect the iPhone 6) and 6s.sh (connect the iPhone 6s), as shown below. To connect the iPhone 6, run sh usbconnect.sh and then sh 6.sh.

1.3.3 Password-free login

Entering the password every time you ssh into the phone is too troublesome; you can set up password-free login. Its principle is not the same as the Wi-Fi and USB password login: the Mac's public key is stored on the phone; when logging in, the phone sends a random string to the Mac, the Mac encrypts it with its local private key and sends it to the phone, and the phone decrypts it with the public key. The command for password-free login is as follows.

  • $ ssh-copy-id <username>@<server IP address>

2.0 Decrypting apps (shell smashing)

Apps submitted to and released on the App Store are encrypted under Apple's official protection, to ensure that apps running on the device are approved by Apple and to manage software licensing. An App Store-encrypted app cannot be decompiled by static analysis tools such as Hopper or class-dump. In reverse analysis, static analysis can only be performed after decrypting the encrypted binary, a well-known process called shell smashing (unshelling, i.e. decryption). Note that only apps downloaded from the App Store are encrypted; other apps, such as those packaged with an enterprise certificate, can be re-signed without decryption. The way iOS apps run is that before the app is loaded into memory, the system decrypts it for the application, so the shell smashing we usually talk about is dynamic decryption: it starts from the decrypted executable image in the running process's memory space. Currently three tools are commonly used: Clutch, dumpdecrypted and frida-ios-dump. Let's try each of them.

2.1 Clutch

Clutch is a decryption tool that has been unmaintained for a long time and seems to work only on perfectly jailbroken phones below iOS 10, but it is a classic, so give it a try. Complete the following steps:

  • Official site: github.com/KJCracks/Cl…
  • Download the latest release (Clutch 2.0.4) to your Mac
  • scp -P 12345 ./Clutch-2.0.4 root@localhost:/usr/root/Clutch. With USB port mapping enabled, copy Clutch over ssh into the root directory of the phone. Note that P is uppercase here.
  • chmod +x Clutch: add execute permission to Clutch
  • ./Clutch -i: list the installed applications
  • ./Clutch -d <application ID>: decrypt the application
  • scp -P 12345 root@localhost:<path of the decrypted file on the phone> <local Mac path>. Copy the decrypted binary from the phone to the computer.

Here WeChat is used as the example. On success the following prompt appears; copy the decrypted file to the computer according to the path shown, or use iFunBox to copy it. The command otool -l <Mach-O file> | grep crypt checks whether decryption succeeded: cryptid 0 indicates success.
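What the otool | grep crypt check (here and in the common-commands list below) actually reads is the cryptid field of the LC_ENCRYPTION_INFO load command. The following Python 3 script is an added example, not part of the original post or of any of the tools it describes: it parses a thin or fat Mach-O and reports the cryptid of every architecture slice, and it builds small constructed fixtures so it runs offline. The constants and struct layouts come from the Mach-O headers; the fixture values (cryptoff 0x4000, cryptsize 0x8000, an arm64 cputype) are made up.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O magics (little-endian files on iOS)
FAT_MAGIC = 0xCAFEBABE                           # universal-binary wrapper; its header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def _thin_cryptid(buf):
    """cryptid of one Mach-O slice, or None if it carries no LC_ENCRYPTION_INFO(_64)."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice: magic=0x%08x" % magic)
    ncmds = struct.unpack_from("<I", buf, 16)[0]      # same offset in mach_header and mach_header_64
    off = 32 if magic == MH_MAGIC_64 else 28          # mach_header_64 has an extra reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            return struct.unpack_from("<I", buf, off + 16)[0]
        off += cmdsize
    return None

def encryption_status(data):
    """Map each slice to its cryptid: 1 = still encrypted, 0 = decrypted (what otool should show), None = no encryption command."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        out = {}
        for i in range(nfat):
            cputype, _sub, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
            out["slice%d_cputype_0x%x" % (i, cputype)] = _thin_cryptid(data[offset:offset + size])
        return out
    return {"thin": _thin_cryptid(data)}

def build_sample(cryptid, with_lc=True):
    """Constructed 64-bit fixture (not a real app): arm64 header plus one LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0) if with_lc else b""
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1 if with_lc else 0, len(lc), 0, 0)
    return header + lc

def build_fat_sample(cryptids):
    """Constructed fat wrapper around one fixture slice per cryptid given."""
    blobs = [build_sample(c) for c in cryptids]
    hdr = struct.pack(">II", FAT_MAGIC, len(blobs))
    offset, body = 8 + 20 * len(blobs), b""
    for blob in blobs:
        hdr += struct.pack(">iIIII", 0x0100000C, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return hdr + body
```

On a real file, call encryption_status(open(path, "rb").read()); a slice still reporting 1 means the dump did not produce a decrypted image.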

2.2 dumpdecrypted

dumpdecrypted is also used very frequently and can be used on perfectly jailbroken phones. It works by setting the DYLD_INSERT_LIBRARIES environment variable so that its dylib is loaded into the app and dumps the decrypted image. It seems that on systems after iOS 9.0 you have to switch to the mobile user and add execute permission to dumpdecrypted. Here an iPhone 6s on iOS 14.2 is used as the example, decrypting WeChat. The steps are as follows.

  • Official site: github.com/stefanesser… Clone it directly with git.
  • In the dumpdecrypted folder, run make in the terminal to compile and produce the dynamic library dumpdecrypted.dylib.
  • scp -P 12345 ./dumpdecrypted.dylib mobile@localhost:/var/mobile/dumpdecrypted.dylib. Start USB port mapping and copy dumpdecrypted.dylib over ssh into the phone's mobile directory. Note that P is uppercase here.
  • ps -A: check the running processes and look for the application to decrypt; ps -A | grep WeChat filters quickly.
  • DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib <sandbox path of the app executable>

But it is a pity that it has never succeeded for me; the many methods found online did not work. If any friends online know why, leave me a message.

2.3 frida-ios-dump

frida-ios-dump feels like the best decryption tool available: it can be used quickly and easily on both perfect and imperfect jailbreaks. Details are as follows.

Mac

  • Install Python 3: brew install python3
  • Install pip: sudo easy_install pip (Python 3 ships with its own pip)
  • Install frida-tools: sudo pip install frida-tools, or sudo -H pip install frida-tools
  • sudo git clone github.com/AloneMonkey… . You can also download the frida-ios-dump script from GitHub.
  • In the terminal, enter the downloaded frida-ios-dump folder and run sudo pip install -r requirements.txt --upgrade; the Mac-side frida environment is now set up.

Phone side

  • Add the source build.frida.re
  • Install Frida; if the installation fails, reinstall it until it succeeds.

Usage

  • Enable USB port mapping
  • Open the dump.py file in the frida-ios-dump folder and modify the USB connection port and Host information; in particular, if you installed frida-tools with pip3, you also need to change the Python version used by dump.py, as shown below.

  • On the phone, open the app. On the Mac, enter the frida-ios-dump directory and run ./dump.py <app displayName> or ./dump.py <app bundleID> to decrypt it; note that either the display name or the bundle id of the app works, for example to decrypt WeChat: ./dump.py WeChat, as shown below. After successful decryption the package is placed in the frida-ios-dump folder.

Common commands

  • scp: to copy a Mac file to the phone, run scp -P 12345 <Mac file> root@localhost:/var/root; to copy a phone file to the Mac, run scp -P 12345 root@localhost:<phone file path> <computer file path>; to copy a folder, use scp -r -P ...
  • ps -A: lists the running processes; ps -A | grep <process name> filters them. I usually use this command to check an application's sandbox path.
  • otool -l <executable file> | grep crypt: on the Mac, check whether the Mach-O has been decrypted.
  • ls -l: view file permissions.
  • frida-ps -U: on the Mac, view the running processes on the USB-connected phone.
  • frida-ps -Uai: on the Mac, view all installed applications on the USB-connected phone; I usually use this command to get an application's display name or bundle id for decryption.

Garbled Chinese in the console

After connecting to the phone over ssh, the terminal cannot input Chinese; entering Chinese produces garbled characters. Create a new .inputrc file with the following content:

set convert-meta off
set output-meta on
set meta-flag on
set input-meta on

Copy the file with scp into the /var/root directory; after that the terminal can input Chinese.

3.0 class-dump

class-dump can dump Objective-C binaries (the binary must be decrypted first) and export their header files for static analysis of the application.

  • Download class-dump from the official website and extract it: stevenygard.com/projects/cl…
  • ./class-dump -H <Mach-O file> -o <directory for the exported headers>. The class-dump path can be added to the PATH environment variable, so you can use class-dump directly without going into the class-dump directory as I did.