又又又又一个脱壳工具来了

By xia0

#又又又又一个脱壳工具来了

是的,又又又又一个脱壳工具来了:LLDB调试器版本的脱壳工具

#场景

我能想到的场景就是最近分析一个app的时候会在mod_init_func的时候crash,这样导致现有的脱壳工具无法正常脱壳,或者之前Frida没兼容iOS12以及其他特殊场景。所以就做了LLDB中的脱壳工具。

#使用

由于在LLDB中脱壳的特殊性,所以这样我介绍下如何去使用这个脱壳工具

以下命令已集成到xia0LLDBissh

#以后台模式启动目标app
xia0 ~ $ issh debug -x backboard /var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat
[*]:iproxy process for 2222 port alive, pid=1830
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:iOSRE dir exist
[*]:iproxy process for 1234 port alive, pid=14885
[*]:Run ps -e | grep debugserver | grep -v grep; [[ 0 == 0 ]] && (killall -9 debugserver 2> /dev/null)
[*]:/iOSRE/tools/debugserver file exist, Start debug...
[*]:Run /iOSRE/tools/debugserver 127.0.0.1:1234 -x backboard /var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat
#连接到远端debugserver
(lldb) pcc
Process 19633 stopped
  thread #1, stop reason = signal SIGSTOP
    frame #0: 0x00000001200f5000 dyld`_dyld_start
dyld`_dyld_start:
    0x1200f5000 <+0>:  mov    x28, sp
    0x1200f5004 <+4>:  and    sp, x28, #0xfffffffffffffff0
    0x1200f5008 <+8>:  mov    x0, #0x0
    0x1200f500c <+12>: mov    x1, #0x0
    0x1200f5010 <+16>: stp    x1, x0, [sp, #-0x10]!
    0x1200f5014 <+20>: mov    x29, sp
    0x1200f5018 <+24>: sub    sp, sp, #0x10             ; =0x10
    0x1200f501c <+28>: ldr    x0, [x28]
Target 0: (dyld) stopped.
#一些断点设置情况
(lldb) b getpid
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 19633 resuming
1 location added to breakpoint 1
Process 19633 stopped
  thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000181ceb570 libsystem_kernel.dylib getpid
libsystem_kernel.dylib getpid:
    0x181ceb570 <+0>:  adrp   x9, 124120
    0x181ceb574 <+4>:  add    x9, x9, #0x90             ; =0x90
    0x181ceb578 <+8>:  ldr    w0, [x9]
    0x181ceb57c <+12>: cmp    w0, #0x0                  ; =0x0
    0x181ceb580 <+16>: b.ls   0x181ceb588               ; <+24>
    0x181ceb584 <+20>: ret
    0x181ceb588 <+24>: mov    x16, #0x14
    0x181ceb58c <+28>: svc    #0x80
Target 0: (WeChat) stopped.
(lldb) xbr -E init
[*] breakpoint at mod int first function:0x1034c7db8
Breakpoint 2: where = WeChat ___lldb_unnamed_symbol143521$$WeChat, address = 0x00000001034c7db8
(lldb) br disable 1
1 breakpoints disabled.
(lldb) c
Process 19633 resuming

这里解释一下为什么需要这么设置断点:b getpid这个断点主要是保证xbr -E init这个命令在断点触发的时候能够顺利执行,xbr -E init这个命令能够解析内存中的MachO格式找到mod_init_func然后对第一个init函数下断点,这样保证是目前app的最早执行时机,另外还能指定下断点到main函数xbr -E main,由于main函数在init之后,所以一般就对init下断点(有种情况在于app可能没有init函数,这时候就需要对main下断点,这里按实际情况处理)。
这样下好断点以后,禁用或者删除第一个断点(第一个断点调用很频繁且后面不再需要),这样让程序继续执行,等待断点触发。

#执行dumpdecrypted命令进行脱壳
(lldb) dumpdecrypted
[+] Dumping WeChat
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100018d48(from 0x100018000) = d48
[+] Found encrypted data at address 00004000 of length 101662720 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/86E712C8-84CA-49AF-B2EA-01C37395A746/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset d48
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.

Developed By xia0@2019

如果一切顺利,就能顺利完成脱壳,这里目标文件在 /var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted

#取回脱壳后的文件到本地,这里用到了issh一条命令取回
xia0 ~ $ issh scp /var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted /tmp
[*]:iproxy process for 2222 port alive, pid=1830
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:/var/mobile/Containers/Data/Application/9649276C-C413-4916-B5AB-AE13C8D7B652/Documents/WeChat.decrypted is remote file, so cp it from device
WeChat.decrypted                                                                                             100%  122MB  11.7MB/s   00:10

#其他注意事项

目标App文件过大,可能会出现加密段会有内存读取错误,解决办法就是手动在LLDB里面读取一下这个段内容,然后再执行就没问题了。

用到两个工具:

#参考