[iOS reverse engineering] dumpdecrypted shell
I briefly tried frida-trace and found that it can trace the various functions a running process (given its pid) calls at runtime. But for a complete app, how do we find the key functions that do the work? For that we need to disassemble the IPA and locate the code logic statically, and then combine that with frida's dynamic view.
Download the IPA with Aisi Assistant
Download the IPA with Apple Configurator
This method works by grabbing the IPA that Apple Configurator caches. Since Configurator is an official Apple tool, unlike Aisi, which mirrors the App Store, this method is the recommended one.
Sign in with your Apple ID, then find the app in your iCloud purchase history and click Add; Configurator downloads and caches the ipa first, under:
~/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps
Copy it out of that folder first, then click Stop.
Smashing the shell (decrypting the binary)
dumpdecrypted
✘ ~/repos git clone https://github.com/stefanesser/dumpdecrypted.git
Cloning into 'dumpdecrypted'...
remote: Enumerating objects: 31, done.
remote: Total 31 (delta 0), reused 0 (delta 0), pack-reused 31
Receiving objects: 100% (31/31), 7.10 KiB | 1.77 MiB/s, done.
Resolving deltas: 100% (15/15), done.
~/repos cd dumpdecrypted
~/repos/dumpdecrypted master ls
Makefile README dumpdecrypted.c
~/repos/dumpdecrypted master mke
zsh: command not found: mke
✘ ~/repos/dumpdecrypted master make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
~/repos/dumpdecrypted master ls
Makefile README dumpdecrypted.c dumpdecrypted.dylib dumpdecrypted.o
~/repos/dumpdecrypted master
After this we have the compiled product, dumpdecrypted.dylib; next we need to get it onto the phone.
OpenSSH
First, install OpenSSH from Cydia.
Then find your phone's IP address (look in the Wi-Fi settings).
Connect from the computer over ssh:
ssh root@<phone IP address>
The default root password for OpenSSH here is alpine; it is recommended to change it, as follows:
iPhone:~ root# passwd
Changing password for root.
New password:
Retype new password:
iPhone:~ root#
Copy the dylib over with scp, locate the app's installation directory, and sign our dynamic library:
ldid -S dumpdecrypted.dylib
Smash the shell, taking WeChat as an example:
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/58F8F561-7406-479B-B90E-64C266218A4B/WKMainProject.app/WKMainProject
If an error like this appears, the shell smashing failed.
Otherwise the decrypted Mach-O file is written to the current folder, named: <app name>.decrypted
You can check whether a file is still encrypted with the following command (cryptid 1 means the binary is encrypted, 0 means it is not):
otool -l WeChat|grep cry
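As an added example (not part of the original post), the same cryptid check done in Python by walking the Mach-O load commands, so you can verify a dump result or batch-check binaries without otool. The sample input is a constructed minimal 64-bit header, not a real app, and the parser only handles thin little-endian images (fat binaries are out of scope).

```python
"""Check the cryptid field of LC_ENCRYPTION_INFO(_64) in a thin Mach-O file."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # little-endian thin Mach-O magics
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C  # load command ids from <mach-o/loader.h>


def encryption_info(data: bytes):
    """Return {cryptoff, cryptsize, cryptid} from the encryption load command, or None if absent."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32       # 64-bit header has an extra 'reserved' field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O (fat or big-endian images unsupported)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offsets in both header sizes
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > header_size + sizeofcmds:
            raise ValueError("malformed load command")      # refuse to walk outside the command table
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def is_encrypted(data: bytes) -> bool:
    """True when an encryption load command is present with cryptid != 0 (same test as 'otool -l | grep cry')."""
    info = encryption_info(data)
    return info is not None and info["cryptid"] != 0


def build_sample(cryptid: int) -> bytes:
    """Constructed sample: minimal arm64 MH_EXECUTE header with one LC_ENCRYPTION_INFO_64 command."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc


if __name__ == "__main__":
    # Usage: python check_cryptid.py <path to thin Mach-O>; without a path, checks the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "encrypted" if is_encrypted(f.read()) else "not encrypted")
    else:
        for cid in (1, 0):
            print(f"sample cryptid={cid}: encrypted={is_encrypted(build_sample(cid))}")
```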