Thanks to snakeninny for the reply.
My dumpdecrypted was cloned from GitHub: https://github.com/stefanesser/dumpdecrypted. I am not sure whether that is the latest version?? It seems not to have been updated for three years.
I looked into it; the code at the error location should be in the C file, where it opens a handle and, when it is about to write the decrypted file, has no permission to write and then errors out:
    printf("[+] Opening %s for writing.\n", npath);
    outfd = open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644);
    if (outfd == -1) {
        printf("npath: %s\n", npath);
        printf("rpath: %s\n", rpath);
        /* fallback: retry inside the app container's tmp/ directory */
        if (strncmp("/private/var/mobile/Applications/", rpath, 33) == 0) {
            printf("[-] Failed opening. Most probably a sandbox issue. Trying something different.\n");
            /* create new name */
            strlcpy(npath, "/private/var/mobile/Applications/", sizeof(npath));
            tmp = strchr(rpath+33, '/');
            if (tmp == NULL) {
                printf("[-] Unexpected error with filename.\n");
                _exit(1);
            }
            tmp++;
            *tmp++ = 0;
            strlcat(npath, rpath+33, sizeof(npath));
            strlcat(npath, "tmp/", sizeof(npath));
            strlcat(npath, buffer, sizeof(npath));
            printf("[+] Opening %s for writing.\n", npath);
            outfd = open(npath, O_RDWR|O_CREAT|O_TRUNC, 0644);
        }
        if (outfd == -1) {
            perror("[-] Failed opening");
            printf("[-] mark: Failed opening, end here.\n");
            printf("\n");
            _exit(1);
        }
    }
The output I got was:
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100044d48(from 0x100044000) = d48
[+] Found encrypted data at address 00004000 of length 8028160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 9846784 in the file
[+] Opening Tumblr.decrypted for writing.
npath: Tumblr.decrypted
rpath: /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr
[-] Failed opening: Operation not permitted
[-] mark: Failed opening, end here.
The error message in there comes mainly from the perror function.
[-] Failed opening: Operation not permitted
perror("[-] Failed opening");
This raises a question: why do the Documents directories of other apps have write permission, and only this app has the problem???
Since there was no permission to create the file, I first created a file by hand: "Tumblr.decrypted"
Then I ran it again, and this time it "successfully" dumped.
The output is as follows:
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10001cd48(from 0x10001c000) = d48
[+] Found encrypted data at address 00004000 of length 8028160 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79FDC8F4-A945-4EAA-85FB-BB4188A07D1F/com.tumblr.Orangina-122-distribution.app/Tumblr for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 9846784 in the file
[+] Opening Tumblr.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 964d48
[+] Closing original file
[+] Closing dump file
Happily I copied Tumblr.decrypted to the desktop right away and checked it with a command, and it turned out to be only half dumped??
I am not very familiar with dumpdecrypted; can it only dump the arch matching the device's architecture? (My device is arm64; Clutch seems able to dump all archs of a FAT image.)
otool -l Tumblr.decrypted | grep crypt
Tumblr.decrypted (architecture armv7):
cryptoff 16384
cryptsize 7864320
cryptid 1
Tumblr.decrypted (architecture arm64):
cryptoff 16384
cryptsize 8028160
cryptid 0
Then I used class-dump to parse the header files and found a problem:
class-dump --arch arm64 tumblr_arm64.decrypted -o tumblrHeader
2016-07-30 23:17:33.448 class-dump[15999:668403] Error: Cannot find offset for address 0xc0000000010071aa in stringAtAddress:
Huh?! It can't dump. I quickly searched the forum and found similar posts:
Most of them say the reason it can't dump here is Swift.
Looking at it, there really are many Swift dynamic libraries in the framework folder.
But I am not yet sure whether that is the reason.
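As an added example (not part of the post above and not dumpdecrypted's own code), the following Python script performs the same check the post does by hand with `otool -l ... | grep crypt`: it walks a FAT (or thin) Mach-O file, finds the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command in every architecture slice, and reports which slices still carry cryptid 1. The sample file it parses is constructed inline with `build_slice` and `build_fat` (hypothetical helpers written only for this example); the cryptoff/cryptsize/cryptid values are taken from the otool output in the post, so the result reproduces the "half dumped" state: armv7 still encrypted, arm64 with cryptid 0. Running it on a real binary instead of the constructed one is a quick way to confirm a dump covered every slice before handing the file to class-dump.

```python
import struct

# Mach-O / FAT constants (from <mach-o/fat.h>, <mach-o/loader.h>, <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE          # fat header, big-endian on disk
MH_MAGIC = 0xFEEDFACE           # 32-bit mach_header (little-endian for ARM)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit mach_header_64
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0x0C
CPU_TYPE_ARM64 = 0x0100000C     # CPU_TYPE_ARM | CPU_ARCH_ABI64
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def parse_thin(data, base=0):
    """Walk the load commands of one thin Mach-O slice that starts at `base`.
    Returns (arch_name, {"cryptoff", "cryptsize", "cryptid"}) or (arch_name, None)
    when the slice has no encryption info command at all."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    cputype, _subtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<iiIII", data, base + 4)
    arch = ARCH_NAMES.get(cputype, "cputype %#x" % cputype)
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %#x" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both commands start with cryptoff, cryptsize, cryptid after the 8-byte header
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return arch, {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return arch, None


def crypt_info(data):
    """Return {arch: encryption info} for every slice of a FAT or thin Mach-O."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        arch, info = parse_thin(data, 0)
        return {arch: info}
    nfat, = struct.unpack_from(">I", data, 4)
    result = {}
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        arch, info = parse_thin(data, offset)
        result[arch] = info
    return result


def still_encrypted(data):
    """Names of the slices whose cryptid is still non-zero (the 'half dumped' case)."""
    return [arch for arch, info in crypt_info(data).items() if info and info["cryptid"] != 0]


# --- constructed sample input (hypothetical helpers, only for this example) ---
def build_slice(is64, cputype, cryptoff, cryptsize, cryptid):
    """Minimal thin Mach-O: header + LC_UUID + encryption info command, no segments."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if is64:
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, cryptid, 0)
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(uuid_cmd) + len(enc), 0, 0)
    else:
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
        header = struct.pack("<IiiIIII", MH_MAGIC, cputype, 0, 2, 2, len(uuid_cmd) + len(enc), 0)
    return header + uuid_cmd + enc


def build_fat(slices):
    """Wrap (cputype, bytes) slices in a big-endian fat header, 0x1000-aligned."""
    header_len = 8 + 20 * len(slices)
    entries, blob = [], b""
    for cputype, s in slices:
        blob += b"\x00" * ((-(header_len + len(blob))) % 0x1000)
        entries.append((cputype, header_len + len(blob), len(s)))
        blob += s
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    for cputype, off, size in entries:
        out += struct.pack(">iiIII", cputype, 0, off, size, 12)
    return out + blob


# values mirror the otool output quoted in the post: armv7 untouched, arm64 dumped
SAMPLE_FAT = build_fat([
    (CPU_TYPE_ARM, build_slice(False, CPU_TYPE_ARM, 16384, 7864320, 1)),
    (CPU_TYPE_ARM64, build_slice(True, CPU_TYPE_ARM64, 16384, 8028160, 0)),
])

if __name__ == "__main__":
    for arch, info in crypt_info(SAMPLE_FAT).items():
        print(arch, info)
    print("still encrypted:", still_encrypted(SAMPLE_FAT))
```

Because the walker stops at the first encryption info command per slice and validates every cmdsize against sizeofcmds, a truncated or hand-patched file raises instead of reporting a bogus cryptid; on a real dump, replace SAMPLE_FAT with the bytes read from the file.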