[IOS reverse engineering] frida-ios-dump smashes the shell
I tried dumpdecrypted and Clutch before, but failed to crack the shell successfully. These tools were updated before 2016, and there is no technical iteration, so we are trying new shell smashing ideas
https://github.com/ AloneMonkey/frida-ios-dump
frida-ios-dump
In addition to frida, there are some additional environments here
usbmuxd
brew install usbmuxd
pip dependency
sudo python3 -m pip install -r requirements.txt --upgrade
✘ ~/Downloads/VulnTools/SecurityForIOS/frida-ios-dump master python3 -m pip install paramiko
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Collecting paramiko
Downloading http://mirrors.aliyun.com/pypi/packages/ae/fe/3ab1540ee3f956fed7c738ac60b17586b3e57629a6b8f8dcbb790fca00c2/paramiko-3.0.0-py3-none-any.whl (210 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 210.8/210.8 kB 88.9 kB/s eta 0:00:00
Requirement already satisfied: cryptography>=3.3 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from paramiko) (37.0.2)
Collecting pynacl>=1.5
Downloading http://mirrors.aliyun.com/pypi/packages/ce/75/0b8ede18506041c0bf23ac4d8e2971b4161cd6ce630b177d0a08eb0d8857/PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl (349 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 349.9/349.9 kB 90.5 kB/s eta 0:00:00
Collecting bcrypt>=3.2
Downloading http://mirrors.aliyun.com/pypi/packages/78/d4/3b2657bd58ef02b23a07729b0df26f21af97169dbd0b5797afa9e97ebb49/bcrypt-4.0.1-cp36-abi3-macosx_10_10_universal2.whl (473 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 473.4/473.4 kB 85.7 kB/s eta 0:00:00
Requirement already satisfied: cffi>=1.12 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from cryptography>=3.3->paramiko) (1.15.0)
Requirement already satisfied: pycparser in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from cffi>=1.12->cryptography>=3.3->paramiko) (2.21)
Installing collected packages: bcrypt, pynacl, paramiko
Successfully installed bcrypt-4.0.1 paramiko-3.0.0 pynacl-1.5.0
~/Downloads/VulnTools/SecurityForIOS/frida-ios-dump master ./dump.py
Traceback (most recent call last):
File "./dump.py", line 22, in <module>
from scp import SCPClient
ModuleNotFoundError: No module named 'scp'
✘ ~/Downloads/VulnTools/SecurityForIOS/frida-ios-dump master python3 -m pip install scp
Looking in indexes: http://mirrors.aliyun.com/pypi/simple/
Collecting scp
Downloading http://mirrors.aliyun.com/pypi/packages/7f/04/4bcc504e6c2fdcfee7d74a6d14a49db0f129baf2cfa19f61148f333e96b9/scp-0.14.5-py2.py3-none-any.whl (8.7 kB)
Requirement already satisfied: paramiko in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from scp) (3.0.0)
Requirement already satisfied: pynacl>=1.5 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from paramiko->scp) (1.5.0)
Requirement already satisfied: cryptography>=3.3 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from paramiko->scp) (37.0.2)
Requirement already satisfied: bcrypt>=3.2 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from paramiko->scp) (4.0.1)
Requirement already satisfied: cffi>=1.12 in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from cryptography>=3.3->paramiko->scp) (1.15.0)
Requirement already satisfied: pycparser in /Users/huangweihong/.pyenv/versions/3.8.13/lib/python3.8/site-packages (from cffi>=1.12->cryptography>=3.3->paramiko->scp) (2.21)
Installing collected packages: scp
Successfully installed scp-0.14.5
Smash the shell
Terminal 1
iproxy 2222 22
Terminal 2
ssh root@127.0.0.1 -p 2222
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:S1zJ0P1vjW2JU7KPVtdi11dF0YNd1CNUEoK9jdPzBs8.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:23: 192.168.0.103
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2222' (RSA) to the list of known hosts.
root@127.0.0.1's password:
iPhone:~ root#
iPhone:~ root#
Terminal 3
~ fridadump xxxx
Start the target app xxxxx
Unzip
unzip xx.ipa
A payload folder will appear in the current directory, which contains the shelled app.
encrypted query
✘ ~/wenku/Payload/WKMainProject.app otool -l WKMainProject | grep crypt
cryptoff 26890240
cryptsize 4096
cryptid 0
Binary reverse viewing
Directly throw the IPA obtained above to hopper to view the reverse code
question
if appears
~ frida-ps -U
Failed to enumerate processes: timeout was reached
You can update the frida version of cydia and the local frida version of mac
if appears
~ fridadump xxx
Start the target app xxxx
timeout was reached
You need to ensure that the screen is always on and the app is open, because it is dynamically injected.