Decrypting Mach-O files with dumpdecrypted


    When analysing an App Store app, the first step is to decrypt its Mach-O file. Good decryption tools have included Crackulous, CrackNShare and Clutch, but with each iOS upgrade (and the various crackdowns) they have gradually stopped working. This post introduces dumpdecrypted, a very handy decryption tool contributed by Stefan Esser (a regular speaker at iOS jailbreak conferences and a leading iOS kernel vulnerability researcher).
     
    Build the dumpdecrypted source to produce dumpdecrypted.dylib
     
    Download the source

    DANI-LEE-2:git clone https://github.com/stefanesser/dumpdecrypted.git

    Edit the Makefile; the main changes are the GCC and SDK paths, which must point at the real locations on your machine.

    DANI-LEE-2:dumpdecrypted danqingdani$ vim Makefile

    PLATFORM=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer

    SDK_VER=5.1

    BIN = $(PLATFORM)/usr/bin
    GCC_BIN = $(BIN)/gcc
    #GCC = $(GCC_BASE) -arch armv6
    GCC = $(GCC_BASE) -arch armv7
    GCC_UNIVERSAL = $(GCC_BASE) -arch armv6 -arch armv7
    GCC_NATIVE = gcc
    SDK=$(PLATFORM)/SDKs/iPhoneOS$(SDK_VER).sdk/

    CFLAGS =
    GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)System/Library/Frameworks -F$(SDK)System/Library/PrivateFrameworks

    all: dumpdecrypted.dylib

    # recipe lines below must begin with a tab, not spaces
    dumpdecrypted.dylib: dumpdecrypted.o
    	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

    %.o: %.c
    	$(GCC_UNIVERSAL) -dynamiclib -c -o $@ $<

    clean:
    	rm -f *.o dumpdecrypted.dylib

    Build

    DANI-LEE-2:dumpdecrypted danqingdani$ make

    Sign the library

    DANI-LEE-2:dumpdecrypted danqingdani$ codesign -fs tanjiti<self-signed certificate> dumpdecrypted.dylib

    Decrypt the Mach-O file
    Copy dumpdecrypted.dylib to the iOS device
    DANI-LEE-2:dumpdecrypted danqingdani$ scp dumpdecrypted.dylib root@10.0.0.3:/tmp/
    root@10.0.0.3's password:
    dumpdecrypted.dylib 100% 46KB 45.8KB/s 00:00
    DANI-LEE-2:dumpdecrypted danqingdani$ ssh root@10.0.0.3<actual IP of the device>

    root@10.0.0.3's password:

    Decrypt the Mach-O file, using the Ctrip Travel (携程旅行) app as the example

    danimato-iPad:/tmp root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/2664B392-0B9B-4CB5-9EFC-5F0D8E3D5C80/CTRIP_WIRELESS.app/CTRIP_WIRELESS
    mach-o decryption dumper

    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

    [+] offset to cryptid found: @0xeba78(from 0xeb000) = a78
    [+] Found encrypted data at address 00002000 of length 10551296 bytes - type 1.
    [+] Opening /private/var/mobile/Applications/2664B392-0B9B-4CB5-9EFC-5F0D8E3D5C80/CTRIP_WIRELESS.app/CTRIP_WIRELESS for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a FAT image - searching for right architecture
    [+] Correct arch is at offset 4096 in the file
    [+] Opening CTRIP_WIRELESS.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 1a78
    [+] Closing original file
    [+] Closing dump file

    Check the cryptid value to verify that the decryption succeeded

    danimato-iPad:/tmp root# otool -l /private/var/tmp/CTRIP_WIRELESS.decrypted | grep cryptid
    cryptid 0

    A cryptid of 0 means the decryption succeeded!
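    As an added example (not part of the original post or of dumpdecrypted), the Python below performs the same check as `otool -l | grep cryptid` by parsing the Mach-O load commands directly, and also walks the slices of a FAT image like the one in the dump above. The binaries it parses are small constructed fixtures built in-code, not real apps.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def thin_cryptid(data, base=0):
    """cryptid of the thin Mach-O slice at `base`, or None if it carries no LC_ENCRYPTION_INFO."""
    magic, = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (28 if magic == MH_MAGIC else 32)   # sizeof(mach_header) vs mach_header_64
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return cryptid
        off += cmdsize
    return None

def cryptids(data):
    """Map each architecture slice's file offset to its cryptid; the FAT header is big-endian."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return {0: thin_cryptid(data, 0)}
    nfat, = struct.unpack_from(">I", data, 4)
    archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat)]
    return {offset: thin_cryptid(data, offset) for _cpu, _sub, offset, _size, _align in archs}

def is_decrypted(data):
    """True when every slice is either unencrypted or has cryptid 0 (what otool reports as 'cryptid 0')."""
    return all(v in (None, 0) for v in cryptids(data).values())

# Constructed fixtures (not real app binaries): a minimal header plus one encryption-info command.
def build_sample(cryptid, bits=32):
    if bits == 32:
        lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x2000, 0x1000, cryptid)
        return struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(lc), 0) + lc           # CPU_TYPE_ARM, armv7
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc   # CPU_TYPE_ARM64

def build_fat(slices):
    hdr, off = struct.pack(">II", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for s in slices:
        hdr += struct.pack(">5I", 12, 9, off, len(s), 0)
        off += len(s)
    return hdr + b"".join(slices)
```

    Running `cryptids` on a real dump (`open(path, "rb").read()`) gives one entry per slice, so a FAT file where only one architecture was decrypted is caught rather than hidden behind the first `grep` hit.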
     
     

    References:

    https://github.com/stefanesser/dumpdecrypted
    Original article: https://www.cnblogs.com/dependence/p/4462921.html