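Decryption dump fails with "Segmentation fault: 11" or "Operation not permitted"

Hi everyone, while learning to decrypt apps and analyze their header files recently, I ran into an app that I cannot decrypt, so I came to the forum to ask for help.

Target app: Tumblr
Device: iPhone5s
Tools: Clutch, dumpdecrypted
Problem: the app cannot be decrypted.

First I used Clutch version 2.0.1:
It failed with "Segmentation fault: 11". The full output: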

root# clutch -d com.tumblr.tumblr
Now dumping com.tumblr.tumblr
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Analytics.framework/Analytics
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BRYEqualsBuilder.framework/BRYEqualsBuilder
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BRYHTMLParser.framework/BRYHTMLParser
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BRYHashCodeBuilder.framework/BRYHashCodeBuilder
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BRYMailToURIParser.framework/BRYMailToURIParser
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BRYParseKeyboardNotification.framework/BRYParseKeyboardNotification
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/BlueLogger.framework/BlueLogger
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Bolts.framework/Bolts
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/CHTCollectionViewWaterfallLayout.framework/CHTCollectionViewWaterfallLayout
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/CocktailsRT.framework/CocktailsRT
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/CocoaLumberjack.framework/CocoaLumberjack
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/ComposeUI.framework/ComposeUI
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/CoreExplore.framework/CoreExplore
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/CoreTumblr.framework/CoreTumblr
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/DataDisplayKit.framework/DataDisplayKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Dwifft.framework/Dwifft
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/ExploreUI.framework/ExploreUI
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/FBSDKCoreKit.framework/FBSDKCoreKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/FBSDKLoginKit.framework/FBSDKLoginKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/FBSDKMessengerShareKit.framework/FBSDKMessengerShareKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/FBSDKShareKit.framework/FBSDKShareKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/GIFCreator.framework/GIFCreator
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/GIFEncoder.framework/GIFEncoder
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/GRMustache.framework/GRMustache
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/JRSwizzle.framework/JRSwizzle
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/JXHTTP.framework/JXHTTP
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/KVOController.framework/KVOController
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Logger.framework/Logger
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Mantle.framework/Mantle
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Messaging.framework/Messaging
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/MessagingSDK.framework/MessagingSDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/NetworkAbstractions.framework/NetworkAbstractions
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/OnePasswordExtension.framework/OnePasswordExtension
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/PSPhotoset.framework/PSPhotoset
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/PigeonSDK.framework/PigeonSDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/PlaybackAbstractions.framework/PlaybackAbstractions
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/PostAudioView.framework/PostAudioView
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Reachability.framework/Reachability
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/SSKeychain.framework/SSKeychain
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Scimitar.framework/Scimitar
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/ShareExtension.framework/ShareExtension
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/ShareSheet.framework/ShareSheet
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/SharedUI.framework/SharedUI
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/SnoopySDK.framework/SnoopySDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/Spectacles.framework/Spectacles
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMAudio.framework/TMAudio
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMCache.framework/TMCache
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMDictionaryUpdatableManagedObject.framework/TMDictionaryUpdatableManagedObject
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMTimelineObject.framework/TMTimelineObject
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMTumblrSDK.framework/TMTumblrSDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMTumblrSDK2.framework/TMTumblrSDK2
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TMVideoPlayer.framework/TMVideoPlayer
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TZStackView.framework/TZStackView
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/TakeoverMediaBanner.framework/TakeoverMediaBanner
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/VENTouchLock.framework/VENTouchLock
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/WebViewJavascriptBridge.framework/WebViewJavascriptBridge
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/XExtensionItem.framework/XExtensionItem
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/XMLKit.framework/XMLKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YAccounts.framework/YAccounts
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YAppManagement.framework/YAppManagement
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YFlurrySDK.framework/YFlurrySDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YI13N.framework/YI13N
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YLogTelemetry.framework/YLogTelemetry
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YOTeamID.framework/YOTeamID
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YOVeriJSON.framework/YOVeriJSON
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YOWebStringHelpers.framework/YOWebStringHelpers
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YReachability.framework/YReachability
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YRemoteControlSDK.framework/YRemoteControlSDK
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YahooBrowserKit.framework/YahooBrowserKit
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/YahooVideo.framework/YahooVideo
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/sConnectionMonitor.framework/sConnectionMonitor
Preparing to dump <youtube_ios_player_helper>
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Frameworks/youtube_ios_player_helper.framework/youtube_ios_player_helper
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/PlugIns/Share.appex/Share
Preparing to dump
Path: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/PlugIns/Today.appex/Today
Zipping com.tumblr.Orangina-122-distribution.app
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | ARMDumper Swapping architectures…
DUMP | ARMDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper <youtube_ios_player_helper> Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
DUMP | FrameworkDumper Swapping architectures…
Segmentation fault: 11

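Then I downloaded another version, Clutch 2.0.2:
Same error, "Segmentation fault: 11".

I assumed Clutch could not be used, so I switched to dumpdecrypted. The steps were:

1. Compiled dumpdecrypted.dylib and used iFunBox to place it in Tumblr's Documents directory: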

root# cd /var/mobile/Containers/Data/Application/3FC15D89-0F43-4A98-86D6-9632996A36EF/Documents/
root# ls
AnalyticsBuffer InternalEventLogger TMPushNotificationRegistrar YI13N/ dumpdecrypted.dylib

2. In this Documents directory, ran the command:

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr

3. The output was:

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100060d48(from 0x100060000) = d48
[+] Found encrypted data at address 00004000 of length 8028160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 9846784 in the file
[+] Opening Tumblr.decrypted for writing.
[-] Failed opening: Operation not permitted

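The error is "Operation not permitted".

These tools decrypt other apps without problems; so far only Tumblr fails.

I googled a lot but could not solve the problem,
so I am asking here:

① Why can't this app be decrypted? Is the app encrypted in some way, or is there another reason?

② I noticed that when decrypting other apps that use third-party SDKs, the output only shows "ARMDumper", while for Tumblr it shows "FrameworkDumper".
Why is that? Does this app link its third-party SDKs differently?

Any advice is appreciated. Thanks, everyone!

1 like

Check your dumpdecrypted source code: under what conditions does it print this? My dumpdecrypted is the latest version, and the source does not contain this output at all, only:
printf("[-] Failed opening. Most probably a sandbox issue. Trying something different.\n");
or
perror("[-] Failed opening");

I tried it on my iPhone 5 and it works fine: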

FunMaker-5:/var/mobile/Containers/Data/Application/8707D655-5C4A-4C7F-835F-FB51C2AD4AA8/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/E8CDE0A5-42B5-4AAE-8258-19DC2F263882/com.tumblr.Orangina-122-distribution.app/Tumblr
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

iOSRE: uid = 0, euid = 0, gid = 0, egid = 0.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xe2ad4(from 0xe2000) = ad4
[+] Found encrypted data at address 00004000 of length 7864320 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/E8CDE0A5-42B5-4AAE-8258-19DC2F263882/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening Tumblr.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ad4
[+] Closing original file
[+] Closing dump file
FunMaker-5:/var/mobile/Containers/Data/Application/8707D655-5C4A-4C7F-835F-FB51C2AD4AA8/Documents root#

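Thanks to snakeninny for the reply.

My dumpdecrypted was cloned from GitHub: https://github.com/stefanesser/dumpdecrypted. I am not sure whether it is the latest version; it seems it has not been updated for three years.

I looked it up: the code that reports the error should be in the C file, where it opens a file descriptor to write the decrypted file, has no permission to write, and then reports the error: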

  	printf("[+] Opening %s for writing.\n", npath);
  	outfd = open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644);
  	if (outfd == -1) {
  	        printf("npath: %s\n", npath);
  	        printf("rpath: %s\n", rpath);
            
  		if (strncmp("/private/var/mobile/Applications/", rpath, 33) == 0) {
  			printf("[-] Failed opening. Most probably a sandbox issue. Trying something different.\n");
  			
  			/* create new name */
  			strlcpy(npath, "/private/var/mobile/Applications/", sizeof(npath));
  			tmp = strchr(rpath+33, '/');
  			if (tmp == NULL) {
  				printf("[-] Unexpected error with filename.\n");
  				_exit(1);
  			}
  			tmp++;
  			*tmp++ = 0;
  			strlcat(npath, rpath+33, sizeof(npath));
  			strlcat(npath, "tmp/", sizeof(npath));
  			strlcat(npath, buffer, sizeof(npath));
  			printf("[+] Opening %s for writing.\n", npath);
  			outfd = open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644);
  		}
  		if (outfd == -1) {
  			perror("[-] Failed opening");
  			printf("[-] mark: Failed opening, end here.\n");
                printf("\n");
  			_exit(1);
  		}
  	}

The output was:

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100044d48(from 0x100044000) = d48
[+] Found encrypted data at address 00004000 of length 8028160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 9846784 in the file
[+] Opening Tumblr.decrypted for writing.
npath: Tumblr.decrypted
rpath: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr
[-] Failed opening: Operation not permitted
[-] mark: Failed opening, end here.

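The error here comes from the perror function.

[-] Failed opening: Operation not permitted

perror("[-] Failed opening");

This raises a question: why can the Documents directory of other apps be written to, while only this app has a problem?

Since the file could not be created, I first created a file manually: "Tumblr.decrypted"
Then I ran it again, and this time the dump "succeeded".

The output: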

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10001cd48(from 0x10001c000) = d48
[+] Found encrypted data at address 00004000 of length 8028160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 9846784 in the file
[+] Opening Tumblr.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 964d48
[+] Closing original file
[+] Closing dump file

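Happily, I copied Tumblr.decrypted to the desktop and checked it with a command. It turns out only half of it is decrypted??
I am not very familiar with dumpdecrypted; can it only decrypt the arch matching the device's architecture? (My device is arm64; it seems Clutch can decrypt all the archs of a FAT image.)

otool -l Tumblr.decrypted | grep crypt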
Tumblr.decrypted (architecture armv7):
cryptoff 16384
cryptsize 7864320
cryptid 1
Tumblr.decrypted (architecture arm64):
cryptoff 16384
cryptsize 8028160
cryptid 0

Then I used class-dump to extract the headers and found a problem:

class-dump --arch arm64 tumblr_arm64.decrypted -o tumblrHeader
2016-07-30 23:17:33.448 class-dump[15999:668403] Error: Cannot find offset for address 0xc0000000010071aa in stringAtAddress:

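Huh?! It cannot dump. I searched the forum and found similar posts:

Most of them say the reason it cannot be dumped is Swift.
I looked and found that the frameworks really do include many Swift dynamic libraries.
But for now I am not sure whether this is the reason.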
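
The per-architecture check that `otool -l Tumblr.decrypted | grep crypt` performs in the post above, as an added example that is not part of the original thread: it walks a FAT Mach-O image and reads `LC_ENCRYPTION_INFO` from every slice, so a dump where only the running architecture was processed is easy to spot. The sample image is constructed in the script (reusing the cryptoff/cryptsize values from the post), and the function names are made up for this example.

```python
import struct

# Constants from the Mach-O headers (<mach-o/fat.h>, <mach-o/loader.h>).
FAT_MAGIC = 0xCAFEBABE                      # fat header fields are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
ARCH_NAMES = {(12, 9): "armv7", (0x0100000C, 0): "arm64"}


def slice_crypt_info(data, base):
    """Walk the load commands of one little-endian Mach-O slice at `base`."""
    magic, cputype, cpusub, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice at offset %d" % base)
    info = {"arch": ARCH_NAMES.get((cputype, cpusub & 0x00FFFFFF), hex(cputype)),
            "cryptoff": None, "cryptsize": None, "cryptid": None}
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:                     # would loop forever on a corrupt file
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
            break
        off += cmdsize
    return info


def crypt_report(data):
    """Return one info dict per architecture (FAT) or a single one (thin)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [slice_crypt_info(data, 0)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    report = []
    for i in range(nfat):                   # struct fat_arch is 5 x uint32, big-endian
        _, _, offset, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        report.append(slice_crypt_info(data, offset))
    return report


def still_encrypted(report):
    """Architectures whose cryptid is non-zero, i.e. not decrypted in this file."""
    return [s["arch"] for s in report if s["cryptid"]]


def _make_slice(is64, cputype, cpusub, cryptsize, cryptid):
    # Constructed sample: a header plus a single LC_ENCRYPTION_INFO command.
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     24 if is64 else 20, 16384, cryptsize, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC,
                      cputype, cpusub, 2, 1, len(lc) + (4 if is64 else 0), 0)
    pad = struct.pack("<I", 0) if is64 else b""   # reserved / pad fields on 64-bit
    return hdr + pad + lc + pad


def make_sample_fat():
    # Constructed FAT image mirroring the post: armv7 still cryptid 1, arm64 cryptid 0.
    s32 = _make_slice(False, 12, 9, 7864320, 1)
    s64 = _make_slice(True, 0x0100000C, 0, 8028160, 0)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 12, 9, 64, len(s32), 6)
    fat += struct.pack(">5I", 0x0100000C, 0, 128, len(s64), 6)
    return fat.ljust(64, b"\0") + s32.ljust(64, b"\0") + s64


if __name__ == "__main__":
    for s in crypt_report(make_sample_fat()):
        print(s)
    print("still encrypted:", still_encrypted(crypt_report(make_sample_fat())))
```

On a real dump, read the file with `open(path, "rb").read()` and pass the bytes to `crypt_report`; a non-empty `still_encrypted` result lists the slices that remain encrypted and should be excluded from later analysis.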