iOS Reverse Engineering: Static App Decryption (Dumping) after iOS 12
For static dumping I already introduced a tool, Clutch, in an earlier post, but it has fallen into disrepair and has been unusable since iOS 11, getting killed with kill -9 all the time. So I recently looked into it again and found a new static dumping tool, flexdecrypt.
First connect to the jailbroken iPhone, then download the latest deb with wget (install wget yourself if it is missing):
iPhone:/tmp root# wget https://github.com/JohnCoates/flexdecrypt/releases/download/1.1/flexdecrypt.deb
Then install it directly with dpkg:
iPhone:/tmp root# dpkg -i flexdecrypt.deb
Selecting previously unselected package flexdecrypt.
(Reading database … 3858 files and directories currently installed.)
Preparing to unpack flexdecrypt.deb …
Unpacking flexdecrypt (1.1) …
Setting up flexdecrypt (1.1) …
Once installed it is ready to use; running it without arguments prints the usage:
iPhone:/tmp root# flexdecrypt
Error: Missing expected argument '<file>'
OVERVIEW: A tool for decrypting apps and Mach-O binaries. Based on the Flex 3
jailbreak app's source code.
USAGE: flex-decrypt <subcommand>
OPTIONS:
--version Show the version.
-h, --help Show help information.
SUBCOMMANDS:
file (default) Decrypt file.
See 'flex-decrypt help <subcommand>' for detailed help.
Judging by the description, flexdecrypt is not as convenient as Clutch, which could be given just an app name: you first have to cd into the directory of the app you want to decrypt and then run it on the main binary there. For how to find an app's path, see my earlier post. Here I use Quantumult as the example:
iPhone:/tmp root# cd /var/containers/Bundle/Application/
iPhone:/var/containers/Bundle/Application/ root# cd 6B8B93D5-DB46-4AAE-A264-F1C93A689B65
iPhone:/var/containers/Bundle/Application/6B8B93D5-DB46-4AAE-A264-F1C93A689B65 root# cd Quantumult.app/
iPhone:/var/containers/Bundle/Application/6B8B93D5-DB46-4AAE-A264-F1C93A689B65/Quantumult.app root# flexdecrypt Quantumult
Wrote decrypted image to /tmp/Quantumult
As you can see, static decryption is very fast, basically instantaneous, but there is only one line of output, telling you where the decrypted file was written. Use scp to pull the file off the device:
➜ ~ scp -P 2222 [email protected]:"/tmp/Quantumult" ~/Desktop
[email protected]'s password:
Quantumult 100% 3235KB 34.9MB/s 00:00
➜ ~ cd Desktop
➜ Desktop otool -l Quantumult| grep crypt
cryptoff 16384
cryptsize 2703360
cryptid 0
cryptid is now 0, meaning the LC_ENCRYPTION_INFO load command no longer marks the image as encrypted, so the decryption succeeded.
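To perform the same check without otool, here is an added Python example (not from this post or the flexdecrypt project) that walks a thin Mach-O's load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reads the cryptid field that otool -l printed above. The sample image it builds is constructed (reusing the cryptoff/cryptsize values shown above); fat binaries must be thinned first, for example with lipo -thin.

```python
import struct
import sys

MH_MAGIC = 0xFEEDFACE            # 32-bit little-endian Mach-O
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit little-endian Mach-O
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21        # 32-bit encryption_info_command
LC_ENCRYPTION_INFO_64 = 0x2C     # 64-bit encryption_info_command

def encryption_info(data: bytes):
    """Walk the load commands and return (cryptoff, cryptsize, cryptid),
    or None if the image carries no LC_ENCRYPTION_INFO[_64] command."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat binaries: lipo -thin first)")
    ncmds = struct.unpack_from("<I", data, 16)[0]   # same offset in both header layouts
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated or corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", data, off + 8)  # cryptoff, cryptsize, cryptid
        off += cmdsize
    return None

def is_encrypted(data: bytes) -> bool:
    """True only if an encryption command is present and cryptid != 0."""
    info = encryption_info(data)
    return info is not None and info[2] != 0

def build_sample(cryptid: int, with_enc_cmd: bool = True) -> bytes:
    """Constructed minimal arm64 image: header + LC_UUID (+ LC_ENCRYPTION_INFO_64).
    cryptoff/cryptsize reuse the values otool printed for Quantumult above."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if with_enc_cmd:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 2703360, cryptid, 0)
    ncmds = 2 if with_enc_cmd else 1
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(0)
    print("encryption info:", encryption_info(blob), "encrypted:", is_encrypted(blob))
```

Run it with the path of a decrypted binary such as ~/Desktop/Quantumult to confirm cryptid is 0; with no argument it checks the constructed sample.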