iOS Song of Ice and Fire Side Story - App Hook Q&A and App Decryption (dumpdecrypted) on iOS 9 - Vulnerability Warning - myhack58 (黑吧安全网)

2016-03-16T00:00:00
ID MYHACK58:62201672650
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-03-16T00:00:00

Description

In the previous chapter we talked about hooking apps on non-jailbroken iOS. With that technique you can implement all sorts of hook features on a non-jailbroken device, for example automatically grabbing WeChat red envelopes, an auto-reply chat bot, or game cheats. For reasons of space some details were not explained very clearly, and I did not expect the article to be read so widely: many people sent me private messages about hook problems they ran into, and the questions were very similar. So I wrote this Q&A article to clear up the common problems and, along the way, to show how to decrypt (dump) App Store apps on iOS 9 with dumpdecrypted. Readers waiting for the main plot need not worry: the next article will show how to break out of the sandbox.

The iOS Song of Ice and Fire series so far:

Objective-C Pwn and iOS arm64 ROP
App Hook on non-jailbroken iOS (Side Story)
App Hook Q&A and iOS 9 App Decryption (Side Story)
█████████████
█████████████

The code referred to in the text can be downloaded from my github: https://github.com/zhengmin1989/iOS_ICE_AND_FIRE

0x01 How to compile hook.dylib

Many people messaged me that hook.dylib does not compile. Most of the time this is because the Xcode Command Line Tools and the jailbreak development environment iOSOpenDev are not installed. Both are essential for iOS security work, and you can install them as follows.

Command Line Tools is the Xcode command-line tools package. There are two ways to install it:

(1) Open a terminal and enter:

    xcode-select --install

(2) Download the installation package from Apple's developer site: https://developer.apple.com/downloads/

iOSOpenDev provides many jailbreak development templates and can be downloaded from http://iosopendev.com/download/. Once iOSOpenDev is installed, creating a new project in Xcode shows the CaptainHook template, which is what we need for the non-jailbreak hook.

0x02 How to get a decrypted ipa for an App Store app

Apps we build ourselves are not encrypted by default, but apps downloaded from the App Store are encrypted (FairPlay). If we want to hook and repackage one, we need the decrypted app; otherwise, even if the hook succeeds, signing succeeds and installation succeeds, the app will still crash when launched.

(1) Check whether the app is encrypted

First unpack the ipa and run "file" on the binary to see which architectures it contains, for example armv7 and arm64. If there is more than one architecture it is best to decrypt all of them. In theory it is enough to decrypt the oldest architecture, because newer CPUs run older code, but note that the loader picks the best-matching slice for the device: if you only decrypt the armv7 slice you must strip the still-encrypted arm64 slice (for example with lipo) before repackaging, or a 64-bit device will load the encrypted slice and crash. Taking Sina Weibo as the example, the Weibo client contains both armv7 and arm64.

Next use "otool -l" to print the app's load commands and look at the cryptid field of the LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) command: cryptid 1 means the slice is encrypted, cryptid 0 means it is decrypted. In the otool output for Weibo the armv7 slice has cryptid 1 (still encrypted) while the arm64 slice has cryptid 0, because I had already run dumpdecrypted on the arm64 slice. If the binary has not been decrypted, opening it in IDA shows a warning that the code is encrypted.

(2) Decrypting with dumpdecrypted

If the app needs decrypting, we need a tool to dump it.
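A quick way to automate the cryptid check above, both on the binary extracted from the ipa and again on the dumped output, is to parse the Mach-O load commands directly. The following script is an added example and is not code from the original article or from dumpdecrypted; it reads a thin or fat Mach-O file, walks each slice's load commands, and reports cryptid per architecture. The build_slice and build_fat helpers construct minimal Mach-O images for testing (a fat file with an encrypted armv7 slice and a decrypted arm64 slice, mirroring the Weibo case); they are constructed inputs, not real app binaries.

```python
"""Report the cryptid of every architecture in a Mach-O file (thin or fat).
Added example, not from the original article or from dumpdecrypted; a
pure-Python stand-in for reading the "otool -l" output by eye."""
import struct

FAT_MAGIC = b"\xca\xfe\xba\xbe"   # fat header is big-endian
MH_MAGIC = 0xFEEDFACE             # 32-bit Mach-O (armv7), little-endian
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O (arm64), little-endian
LC_ENCRYPTION_INFO = 0x21         # cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C      # same fields plus a pad word

CPU_NAMES = {0x0000000C: "armv7", 0x0100000C: "arm64", 0x01000007: "x86_64"}


def slice_cryptid(data, offset=0):
    """Return (arch_name, cryptid) for the thin Mach-O slice at `offset`.

    cryptid is None when the slice has no LC_ENCRYPTION_INFO at all.
    """
    magic, cputype = struct.unpack_from("<II", data, offset)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % offset)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, offset + 16)
    arch = CPU_NAMES.get(cputype, "cputype 0x%x" % cputype)
    cryptid = None
    pos = offset + header_size
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("bad cmdsize 0x%x at offset %d" % (cmdsize, pos))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cryptoff, cryptsize, cryptid (the 64-bit form adds padding)
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
        pos += cmdsize
    return arch, cryptid


def encryption_status(data):
    """Map architecture name -> cryptid for a thin or fat Mach-O image."""
    if data[:4] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = {}
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            _cputype, _sub, off, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            arch, cryptid = slice_cryptid(data, off)
            result[arch] = cryptid
        return result
    arch, cryptid = slice_cryptid(data, 0)
    return {arch: cryptid}


def needs_decryption(data):
    """True if any slice still carries cryptid == 1, i.e. dumpdecrypted is still needed."""
    return any(c == 1 for c in encryption_status(data).values())


def build_slice(magic, cputype, cryptid):
    """Constructed test input: a minimal Mach-O slice whose only load command is
    LC_ENCRYPTION_INFO(_64) with the given cryptid (None = no such command).
    It is a header only, not a loadable binary."""
    if cryptid is None:
        lc = b""
    elif magic == MH_MAGIC_64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    ncmds = 1 if lc else 0
    fields = [magic, cputype, 0, 2, ncmds, len(lc), 0]   # filetype 2 = MH_EXECUTE
    if magic == MH_MAGIC_64:
        fields.append(0)                                  # reserved word
    return struct.pack("<%dI" % len(fields), *fields) + lc


def build_fat(slices):
    """Constructed test input: wrap (cputype, slice_bytes) pairs in a fat header."""
    offset = 8 + 20 * len(slices)
    archs, blobs = [], []
    for cputype, blob in slices:
        archs.append(struct.pack(">IIIII", cputype, 0, offset, len(blob), 0))
        blobs.append(blob)
        offset += len(blob)
    return FAT_MAGIC + struct.pack(">I", len(slices)) + b"".join(archs) + b"".join(blobs)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for arch, cryptid in encryption_status(f.read()).items():
            print("%-8s cryptid=%s" % (arch, cryptid))
```

Run it against the executable inside Weibo.app before dumping and against the dumped output afterwards: a slice reported with cryptid 1 still has to go through dumpdecrypted, and a slice reported as None simply never had an encryption command. The script only reads headers, so it can be run on the desktop on a copy of the file and never needs the app to be executed.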
The best-known tool for this is dumpdecrypted. Its principle: the app is made to preload dumpdecrypted.dylib (through DYLD_INSERT_LIBRARIES); when the program runs, the system decrypts the code in memory, and the dylib then dumps the whole executable from memory and writes it to disk as <name>.decrypted in the current working directory. The tool can be downloaded from https://github.com/stefanesser/dumpdecrypted, but that is only the source code, which still has to be compiled; I have put an already compiled dumpdecrypted.dylib in my github. Although hooking itself works without a jailbreak, dumping requires a jailbroken device; this article uses a jailbroken iOS 9.

Connect to the iOS device over ssh and launch the app you want to dump. Then type "ps ax" and you can find the path of the app binary in the process list. Every app directory has an Info.plist, from which we can read the app's Bundle ID:

    cat /var/mobile/Containers/Bundle/Application/19A9AE5E-22DC-449A-A530-C793D88ACB24/Weibo.app/Info.plist

For Weibo the Bundle ID is com.sina.weibo. With the Bundle ID we next need the app's data directory: the app runs under the sandbox, so the dumped file can only be written inside its own data container. We can get the data directory from the Bundle ID through a private API (the LSApplicationProxy class from LaunchServices, looked up by name with NSClassFromString). The code is:

    NSString *bundleID = @"com.sina.weibo";
    // LSApplicationProxy is private, so resolve the class by name and call it via
    // performSelector: rather than linking against a private header.
    Class proxyClass = NSClassFromString(@"LSApplicationProxy");
    id proxy = [proxyClass performSelector:@selector(applicationProxyForIdentifier:) withObject:bundleID];
    NSURL *dataURL = [proxy performSelector:@selector(dataContainerURL)];
    NSLog(@"%@", dataURL);

Once we have the data directory, copy dumpdecrypted.dylib into its tmp subdirectory, cd into that tmp directory, and run:

    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/19A9AE5E-22DC-449A-A530-C793D88ACB24/Weibo.app/Weibo

The decrypted executable is written to Weibo.decrypted in that tmp directory.
