dumpdecrypted 脱壳

exchen

1.源码编译dumpdecrypted
git clone git://github.com/stefanesser/dumpdecrypted
cd dumpdecrypted
make
编译成功之后在当前目录找到dumpdecrypted.dylib

2. 找出进程
iPhone:~ root# ps -e | grep Application

3. 使用cycript注入进程获取document目录
cycript -p xxx
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#”file:///var/mobile/Containers/Data/Application/DB766E86-A1A2-4846-89F3-67565FD1B0AB/Documents/”

4. 上传dumpdecrypted.dylib到Documents目录

5. 执行以下命令脱壳
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/91D12F3A-D554-4767-B69C-5F4BEDD4C78A/xxx.app/xxx
在Documents目录找到xxx.decrypted, 这个文件就是脱壳后的可执行文件了。

goodcyg

iPhone se 11.1.2.报错事killed 9，已经签名过了。感觉是被系统干掉。

蚂蚁吃象

frida-ios-dump这个可以，https://www.exchen.net/ios-hacker-frida-ios-dump.html

goodcyg

@蚂蚁吃象
报错事killed 9,是啥原因？

exchen

goodcyg 发表于 2019-12-29 19:10
@蚂蚁吃象
报错事killed 9,是啥原因？

iOS 11 签名时没有添加 platform-application 会出现 killed 9。不过蚂蚁吃象说的对，iOS 11 以上基本上都用
frida-ios-dump 脱壳了。

goodcyg

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>platform-application</key>
        <true/>  
       
        <key>com.apple.private.mobileinstall.allowedSPI</key>
        <array>
                <string>Lookup</string>
                <string>Install</string>
                <string>Browse</string>
                <string>Uninstall</string>
                <string>LookupForLaunchServices</string>
                <string>InstallForLaunchServices</string>
                <string>BrowseForLaunchServices</string>
                <string>UninstallForLaunchServices</string>
                <string>CopyDiskUsageForLaunchServices</string>
                <string>InstallLocalProvisioned</string>
        </array>   
       
        <key>com.apple.private.security.no-container</key>
        <true/>
       
        <key>com.apple.springboard.launchapplications</key>
        <true/>
       
        <key>com.apple.springboard.openapplications</key>
        <true/>  
       
        <key>com.apple.private.skip-library-validation</key>
        <true/>  
       
        <key>com.apple.lsapplicationworkspace.rebuildappdatabases</key>
        <true/>
       
        <key>com.apple.private.MobileContainerManager.allowed</key>
        <true/>
       
        <key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>
        <true/>
       
        <key>com.apple.managedconfiguration.profiled-access</key>
        <true/>
       
        <key>com.apple.developer.icloud-services</key>
        <array>
                <string>CloudDocuments</string>
                <string>CloudKit</string>
        </array>
       
        <key>run-unsigned-code</key>
        <true/>  
       
        <key>dynamic-codesigning</key>
        <true/>  
       
        <key>get-task-allow</key>
        <true/>
</dict>
</plist>

@exchan 我权限给比较大，这个几个我都给了。为啥还会出现出现 killed 9