- Launch the target app under debugserver with `-x backboard` (the process starts suspended, so it can be attached before any app code runs)
xia0 ~ $ issh debug -x backboard /var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat
[*]:iproxy process for 2222 port alive, pid=1830
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:iOSRE dir exist
[*]:iproxy process for 1234 port alive, pid=14885
[*]:Run ps -e | grep debugserver | grep -v grep; [[ 0 == 0 ]] && (killall -9 debugserver 2> /dev/null)
[*]:/iOSRE/tools/debugserver file exist, Start debug...
[*]:Run /iOSRE/tools/debugserver -x backboard /var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat
- Connect to the remote debugserver; the process is stopped at `_dyld_start`, before dyld has loaded anything
(lldb) pcc
Process 19633 stopped
* thread #1, stop reason = signal SIGSTOP
frame #0: 0x00000001200f5000 dyld`_dyld_start
-> 0x1200f5000 <+0>: mov x28, sp
0x1200f5004 <+4>: and sp, x28, #0xfffffffffffffff0
0x1200f5008 <+8>: mov x0, #0x0
0x1200f500c <+12>: mov x1, #0x0
0x1200f5010 <+16>: stp x1, x0, [sp, #-0x10]!
0x1200f5014 <+20>: mov x29, sp
0x1200f5018 <+24>: sub sp, sp, #0x10 ; =0x10
0x1200f501c <+28>: ldr x0, [x28]
Target 0: (dyld) stopped.
- Breakpoint setup
(lldb) b getpid
Breakpoint 1: no locations (pending).
WARNING: Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 19633 resuming
1 location added to breakpoint 1
Process 19633 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000181ceb570 libsystem_kernel.dylib`__getpid
-> 0x181ceb570 <+0>: adrp x9, 124120
0x181ceb574 <+4>: add x9, x9, #0x90 ; =0x90
0x181ceb578 <+8>: ldr w0, [x9]
0x181ceb57c <+12>: cmp w0, #0x0 ; =0x0
0x181ceb580 <+16>: b.ls 0x181ceb588 ; <+24>
0x181ceb584 <+20>: ret
0x181ceb588 <+24>: mov x16, #0x14
0x181ceb58c <+28>: svc #0x80
Target 0: (WeChat) stopped.
(lldb) xbr -E init
[*] breakpoint at mod int first function:0x1034c7db8
Breakpoint 2: where = WeChat`___lldb_unnamed_symbol143521$$WeChat, address = 0x00000001034c7db8
(lldb) br disable 1
1 breakpoints disabled.
(lldb) c
Process 19633 resuming
Why the breakpoints are set this way: the `b getpid` breakpoint exists only to stop the process at a point where `xbr -E init` can run successfully. Right after launch the process sits at `_dyld_start`, before dyld has loaded the app's libraries, which is why lldb reports the `getpid` breakpoint as pending with no locations. By the time `getpid` is hit the images are mapped, so `xbr -E init` can place breakpoint 2 on the first function in the module init section, the earliest point at which the app's own code executes. The `getpid` breakpoint is then disabled (`br disable 1`) so it does not fire again, and the process is continued to the init function. `xbr -E main` can be used instead if a breakpoint on `main` is wanted.
- Run the `dumpdecrypted` command to dump the decrypted binary (at this point the encrypted `__TEXT` range is already plaintext in memory, so the dump copies it out and clears the `cryptid` flag in the header)
(lldb) dumpdecrypted
[+] Dumping WeChat
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100018d48(from 0x100018000) = d48
[+] Found encrypted data at address 00004000 of length 101662720 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset d48
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
Developed By xia0@2019
- Pull the decrypted file back to the local machine; a single `issh scp` command does it
xia0 ~ $ issh scp /var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted /tmp
[*]:iproxy process for 2222 port alive, pid=1830
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:/var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted is remote file, so cp it from device
WeChat.decrypted 100% 122MB 11.7MB/s 00:10
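The `cryptid` flag is the only thing that tells a later tool (or a device) whether the pulled file is usable, so it is worth checking before spending time in a disassembler. The script below is an added example, not code from xia0LLDB or dumpdecrypted: it walks the Mach-O load commands, locates `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`, reports the file offset of the `cryptid` field (the same number dumpdecrypted prints as "offset to cryptid"), and says whether the file is still encrypted. It also handles fat binaries by recursing into each slice, and includes a `clear_cryptid` helper that performs the header fix-up dumpdecrypted does after the plaintext has been written. The sample Mach-O images in `build_samples` are constructed in memory (no real code, only headers) so the script runs offline; pass the path of a real dump such as the pulled `WeChat.decrypted` to check it.

```python
#!/usr/bin/env python3
"""Verify a dumped Mach-O is really decrypted by reading LC_ENCRYPTION_INFO(_64).

Added example for this post; it is not code from xia0LLDB or dumpdecrypted.
The sample binaries built below are constructed in memory so the script runs
offline; pass a file path (e.g. the pulled WeChat.decrypted) to check a dump.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O, little-endian fields
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE        # universal binary; fat header is big-endian
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21     # struct encryption_info_command (32-bit)
LC_ENCRYPTION_INFO_64 = 0x2C  # struct encryption_info_command_64
CPU_TYPE_ARM64 = 0x0100000C


def encryption_info(blob, base=0):
    """Walk the load commands of every Mach-O slice in `blob`.

    Returns one dict per slice: the file offset of the cryptid field (what
    dumpdecrypted prints as "offset to cryptid"), plus cryptoff/cryptsize/
    cryptid. cryptid is None when the slice has no encryption command.
    """
    if struct.unpack_from(">I", blob, base)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, base + 4)[0]
        slices = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, _, _ = struct.unpack_from(">5I", blob, base + 8 + 20 * i)
            slices.extend(encryption_info(blob, off))
        return slices

    magic = struct.unpack_from("<I", blob, base)[0]
    if magic == MH_MAGIC_64:
        header_size = 32   # mach_header_64 carries an extra `reserved` field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no Mach-O magic at offset %#x" % base)

    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, ...
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    info = {"slice_offset": base, "cryptid_offset": None,
            "cryptoff": None, "cryptsize": None, "cryptid": None}
    pos, end = base + header_size, base + header_size + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("bad cmdsize %#x at %#x" % (cmdsize, pos))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, pos + 8)
            info.update(cryptid_offset=pos + 16, cryptoff=cryptoff,
                        cryptsize=cryptsize, cryptid=cryptid)
        pos += cmdsize
    return [info]


def is_decrypted(blob):
    """True when no slice still has cryptid != 0 (no command at all counts as clear)."""
    return all(not s["cryptid"] for s in encryption_info(blob))


def clear_cryptid(blob):
    """Return a copy with every cryptid zeroed: the header fix-up dumpdecrypted
    applies after overwriting the encrypted range with the in-memory plaintext.
    On its own this only flips the flag; [cryptoff, cryptoff+cryptsize) must
    already hold plaintext or the result is a broken binary."""
    out = bytearray(blob)
    for s in encryption_info(blob):
        if s["cryptid_offset"] is not None:
            struct.pack_into("<I", out, s["cryptid_offset"], 0)
    return bytes(out)


def build_samples():
    """Constructed test inputs (headers only, no code): a minimal encrypted
    arm64 image and a fat wrapper around it. cryptoff/cryptsize mirror the
    numbers in the dumpdecrypted log (0x4000, 101662720 bytes)."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 101662720, 1, 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0)
    thin = header + cmds
    slice_off = 0x1000
    fat = struct.pack(">II", FAT_MAGIC, 1)
    fat += struct.pack(">5I", CPU_TYPE_ARM64, 0, slice_off, len(thin), 12)
    fat = fat.ljust(slice_off, b"\0") + thin
    return thin, fat


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_samples()[0]
    for s in encryption_info(blob):
        print("slice @%#x: cryptid field @%#x cryptoff=%#x cryptsize=%d cryptid=%s"
              % (s["slice_offset"], s["cryptid_offset"] or 0, s["cryptoff"] or 0,
                 s["cryptsize"] or 0, s["cryptid"]))
    print("decrypted" if is_decrypted(blob) else "STILL ENCRYPTED")
```

Run it as `python3 check_cryptid.py /tmp/WeChat.decrypted`; a good dump reports `cryptid=0` for every slice. A non-zero `cryptid` means the file on disk still holds ciphertext in the `cryptoff` range, typically because the dump was taken from the wrong process or before the image was mapped.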