碳基体

A security girl fighting on the front line of product security

Decrypting Mach-O files with dumpdecrypted

When analysing an App Store app, the first step is to decrypt its Mach-O file. Good decryption tools used to include Crackulous, CrackNShare and Clutch, but with successive iOS upgrades (and various takedowns) they have gradually stopped working. This post introduces dumpdecrypted, a very handy decryption tool contributed by Stefan Esser (a regular guest at iOS jailbreak conferences and a leading iOS kernel vulnerability researcher).


Building dumpdecrypted from source to produce dumpdecrypted.dylib


Download the source

DANI-LEE-2:git clone https://github.com/stefanesser/dumpdecrypted.git

Edit the Makefile, chiefly changing the GCC and SDK paths to the actual paths on your machine

DANI-LEE-2:dumpdecrypted danqingdani$ vim Makefile

PLATFORM=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer

SDK_VER=5.1

BIN = $(PLATFORM)/usr/bin
GCC_BIN = $(BIN)/gcc
#GCC = $(GCC_BASE) -arch armv6
GCC = $(GCC_BASE) -arch armv7
GCC_UNIVERSAL = $(GCC_BASE) -arch armv6 -arch armv7
GCC_NATIVE = gcc
SDK=$(PLATFORM)/SDKs/iPhoneOS$(SDK_VER).sdk/

CFLAGS =
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)System/Library/Frameworks -F$(SDK)System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -dynamiclib -c -o $@ $<

clean:
	rm -f *.o dumpdecrypted.dylib

Build

DANI-LEE-2:dumpdecrypted danqingdani$ make

Sign

DANI-LEE-2:dumpdecrypted danqingdani$ codesign -fs tanjiti<self-signed certificate> dumpdecrypted.dylib

Decrypting the Mach-O file

Copy dumpdecrypted.dylib to the iOS device

DANI-LEE-2:dumpdecrypted danqingdani$ scp dumpdecrypted.dylib root@10.0.0.3:/tmp/
root@10.0.0.3's password: 
dumpdecrypted.dylib                           100%   46KB  45.8KB/s   00:00    
DANI-LEE-2:dumpdecrypted danqingdani$ ssh root@10.0.0.3<the actual IP>

root@10.0.0.3's password: 

Decrypt the Mach-O file, using the Ctrip Travel (携程旅行) app as the example

danimato-iPad:/tmp root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/2664B392-0B9B-4CB5-9EFC-5F0D8E3D5C80/CTRIP_WIRELESS.app/CTRIP_WIRELESS
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] offset to cryptid found: @0xeba78(from 0xeb000) = a78
[+] Found encrypted data at address 00002000 of length 10551296 bytes - type 1.
[+] Opening /private/var/mobile/Applications/2664B392-0B9B-4CB5-9EFC-5F0D8E3D5C80/CTRIP_WIRELESS.app/CTRIP_WIRELESS for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 4096 in the file
[+] Opening CTRIP_WIRELESS.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 1a78
[+] Closing original file
[+] Closing dump file

Verify that the decryption succeeded by checking the cryptid value

danimato-iPad:/tmp root# otool -l /private/var/tmp/CTRIP_WIRELESS.decrypted | grep cryptid
    cryptid   0

A cryptid of 0 means the decryption succeeded!
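The dump log above shows what dumpdecrypted actually does with the file: it detects a FAT image, finds the right architecture slice (at offset 4096 here), reads the LC_ENCRYPTION_INFO load command to learn where the encrypted region is (cryptoff 0x2000, cryptsize 10551296 bytes) and, after writing the dump, sets cryptid to 0. The script below is an added example, not part of this post or of the dumpdecrypted project: it parses those same structures (FAT header, mach_header, LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64) with nothing but the standard library, so it can replace the otool | grep cryptid check above on a machine without Xcode, and it reports every slice of a FAT file rather than just the first match. The build_sample() function constructs a synthetic FAT image for offline testing; its sizes copy the log output, but it is not a real app.

```python
import struct
import sys

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit thin image, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit thin image
FAT_MAGIC = 0xCAFEBABE         # universal container; its header is big-endian
LC_ENCRYPTION_INFO = 0x21      # 32-bit encryption_info_command
LC_ENCRYPTION_INFO_64 = 0x2C   # 64-bit variant (one extra pad field)


def parse_thin(data, base=0):
    """Walk the load commands of the thin image starting at `base` and return
    {offset, cryptoff, cryptsize, cryptid} for its encryption-info command,
    or None when the image carries no such command."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("no little-endian Mach-O header at 0x%x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"offset": off, "cryptoff": cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def parse_macho(data):
    """Return [(slice_offset, info)] for every architecture in the file.
    A FAT container is split into its slices (the dump log above shows a FAT
    image whose ARM slice starts at offset 4096); a thin file is one slice."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [(0, parse_thin(data, 0))]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat_arch):
        _cputype, _cpusubtype, offset, _size, _align = struct.unpack_from(
            ">IIIII", data, 8 + 20 * i)
        slices.append((offset, parse_thin(data, offset)))
    return slices


def is_encrypted(data):
    """True if any slice still has cryptid != 0, i.e. the dump is incomplete."""
    return any(info is not None and info["cryptid"] != 0
               for _, info in parse_macho(data))


def build_sample(cryptid):
    """Constructed test image (not a real app): a FAT container holding one
    armv7 slice at offset 4096 whose load commands are a blank LC_SEGMENT
    followed by LC_ENCRYPTION_INFO. cryptoff/cryptsize copy the dump log above."""
    seg = struct.pack("<II", 0x1, 56) + b"\0" * 48               # LC_SEGMENT, 56 bytes
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x2000, 10551296, cryptid)
    cmds = seg + enc
    # mach_header: magic, cputype=ARM(12), cpusubtype=V7(9), filetype=MH_EXECUTE(2),
    # ncmds, sizeofcmds, flags
    thin = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, len(cmds), 0) + cmds
    fat = struct.pack(">II", FAT_MAGIC, 1)
    fat += struct.pack(">IIIII", 12, 9, 4096, len(thin), 12)     # one fat_arch entry
    return fat.ljust(4096, b"\0") + thin


if __name__ == "__main__":
    # Usage: python check_cryptid.py CTRIP_WIRELESS.decrypted
    # Without an argument the constructed (still "encrypted") sample is checked.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    for slice_off, info in parse_macho(blob):
        if info is None:
            print("slice @0x%x: no LC_ENCRYPTION_INFO" % slice_off)
        else:
            print("slice @0x%x: cryptid %d (cryptoff 0x%x, cryptsize %d)" % (
                slice_off, info["cryptid"], info["cryptoff"], info["cryptsize"]))
    print("still encrypted" if is_encrypted(blob) else "decrypted")
```

Run it against CTRIP_WIRELESS.decrypted after the dump and every slice should report cryptid 0; a slice that still reports cryptid 1 means dumpdecrypted was loaded into a process running a different architecture slice than the one you inspected, and only that slice was dumped.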



References:

https://github.com/stefanesser/dumpdecrypted



Source: 碳基体
