源码在这里

https://github.com/stefanesser/dumpdecrypted/

编译好后把

dumpdecrypted.dylib
放到
/usr/lib/dumpdecrypted.dylib

连上 ssh

iPhone:/ root# cd /
iPhone:/ root# DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/7F3190A0-6BE1-4562-BA54-AE0069FA5B1D/IF.app/IF

mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xa2a08(from 0xa2000) = a08
[+] Found encrypted data at address 00004000 of length 13139968 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/7F3190A0-6BE1-4562-BA54-AE0069FA5B1D/IF.app/IF for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening IF.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a08
[+] Closing original file
[+] Closing dump file

iPhone:/ root#

会在当前目录生成 IF.decrypted（上面的例子里先 cd / 了，所以文件落在 /），拷出来，拖进 IDA。注意 dump 的是进程实际加载的那个 slice（上例是 32 位 ARM，FAT 文件里偏移 16384 的那段），并且写出的文件已把 LC_ENCRYPTION_INFO 的 cryptid 置 0。

iOS 8.3/8.4 下修改 bin 后闪退的问题:

  1. 先解密

  2. 再把原始 bin 改名

  3. 修改解密后的 bin

  4. ldid -s 给解密后的 bin 签名

先 clone 源码

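# Clone the LLVM, Clang and LLDB sources side by side.
# Use https: the original cloned over plain http://, which lets any on-path
# host hand you tampered sources for the compiler/debugger you are about to
# build and then trust.
git clone https://llvm.org/git/llvm.git

git clone https://llvm.org/git/clang.git

git clone https://llvm.org/git/lldb.git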

再下载（这些工具之后会被放到 PATH 最前面参与整个构建，建议走 https 下载并核对官方提供的校验和/签名）

http://gnuwin32.sourceforge.net/

http://www.swig.org/download.html

http://www.cmake.org/download/

ninja.exe 放到

cmake\bin

目录结构如下

+-- build.bat
|
+-- GetGnuWin32
|
+-- swigwin-3.0.5
|
+-- cmake-3.2.2-win32-x86
|
+-- llvm
|
`-- tools
    |
    +-- clang
    |
    `-- lldb

CMakeLists.txt（build.bat 里传给 cmake 的那个 llvm 根目录下的）加上下面两句，只对 MSVC 链接器有意义:

# Append /OPT:REF (MSVC linker: drop unreferenced functions and data) to the
# link flags used for executables and for shared libraries alike.
foreach(_linker_flags_var CMAKE_EXE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
    set(${_linker_flags_var} "${${_linker_flags_var}} /OPT:REF")
endforeach()

build.bat 如下

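@echo off
rem Configure an LLVM/Clang/LLDB Ninja build with Visual Studio 2013 (x86)
rem and leave a shell open in release\ where `ninja lldb` can be run.
cd /d "%~dp0"

rem The bundled GnuWin32 tools, SWIG and CMake (ninja.exe copied into cmake\bin)
rem go ahead of everything else on PATH so the build picks exactly these.
set PATH=%~dp0GetGnuWin32\bin;%~dp0swigwin-3.0.5;%~dp0cmake-3.2.2-win32-x86\bin;%PATH%

rem Fail early with a readable message instead of cmake later not finding cl.exe.
set "VCVARSALL=C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat"
if not exist "%VCVARSALL%" (
    echo vcvarsall.bat not found: "%VCVARSALL%"
    pause
    exit /b 1
)
call "%VCVARSALL%" x86

rem Re-running used to print "A subdirectory or file release already exists".
if not exist release mkdir release
cd release

cmake -G Ninja "%~dp0llvm" -DCMAKE_BUILD_TYPE=RelWithDebInfo
if errorlevel 1 (
    echo cmake configure failed
    pause
    exit /b 1
)

rem Print the hint BEFORE handing over the shell: the original echoed it after
rem `cmd /k`, i.e. only once the user had already exited that shell.
echo ninja lldb

rem Interactive shell in release\ inheriting the toolchain environment above.
cmd /k

pause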

配置好后直接执行 ninja lldb 就可以编译了

就这么简单的几个步骤, 非要写个长篇大论, 让我折腾半天

debugserver-320.2.89

test

# --- lldb session: lldb on the host talking to debugserver on the device ---
# Attach to the remote debugserver.
proc conn
# One-shot stop 0x80 bytes past the current pc, then run to it.
br set -a $pc+0x80
c

# Drop all breakpoints (-f: no confirmation prompt) and single-step once.
br del -f
s

# Patch two bytes at 0x1580EE to 00 00 and read them back to confirm the write.
# NOTE(review): in Thumb, 00 00 encodes `movs r0, r0` (a nop) — check what
# instruction is being overwritten before relying on this patch.
m w -f bytes 0x1580EE 00 00
x 0x1580EE

# Stop on the patched location.
br set -a 0x1580EE
c

# 8-byte read watchpoints on the field at r0+0x124: first register-relative,
# then on an absolute address (presumably the resolved r0+0x124 — confirm).
wat s e -w read -s 8 -- $r0+0x124
wat s e -w read -s 8 -- 0x27dfda60

br set -a 0x00158112
c

# Zero the 8-byte field at r0+292 (292 == 0x124, the watched offset above).
m w -f bytes $r0+292 00 00 00 00 00 00 00 00
# --- gdb syntax from here on (`b *addr`, `delete N`, `set $reg = ...`) ---
b *0x003C79AA
delete 1
# Clear bit 0x800 in r0. NOTE(review): 0x800 is the value of BSD's P_TRACED
# p_flag, so this looks like neutralising a sysctl(KERN_PROC)-style debugger
# check at 0x003C79AA — confirm against the disassembly.
set $r0 &= ~0x800

# Break on ptrace and overwrite its first argument (r0) with -1.
# NOTE(review): presumably turns a PT_DENY_ATTACH anti-debugging call into an
# invalid request so it fails harmlessly instead of detaching us — confirm.
b ptrace
c
delete 2
set $r0 = -1

b *0x00550BF2

# Stop gdb from auto-starting dyld and preloading every shared library before
# the first breakpoint in the main binary (presumably a start-up-time fix — confirm).
set inferior-auto-start-dyld off
set sharedlibrary load-rules ".*" ".*" none
set sharedlibrary preload-libraries off
b *0x00008FE6

Breakpoint 1 at 0x8fe6

# Clone depot_tools next to the build script below: it is referenced relative
# to the script directory (depot_tools\gclient, depot_tools\python276_bin).
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git

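@echo off
rem Fetch and build V8 (x64 Release) with depot_tools and Visual Studio 2013,
rem everything relative to this script's directory.
rem setlocal keeps PATH / V8_ARCH / the vcvarsall environment from leaking
rem into the shell that launched the script.
setlocal
cd /d "%~dp0"

rem depot_tools must already be cloned next to this script (see the git clone above).
if not exist "depot_tools\gclient.bat" (
    echo depot_tools not found next to this script
    pause
    exit /b 1
)

rem Run gclient once, then check out v8\ (python276_bin below is presumably
rem populated by this first gclient run — verify).
call depot_tools\gclient
call depot_tools\fetch v8

rem gyp needs Python 2.7; use the copy bundled in depot_tools.
set PATH=%~dp0depot_tools\python276_bin\;%PATH%
set V8_ARCH=x64

call "C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\vcvarsall.bat" %V8_ARCH%

rem Generate the Visual Studio solution.
python.exe v8\build\gyp_v8 -Dtarget_arch=%V8_ARCH%
if errorlevel 1 (
    echo gyp_v8 failed
    pause
    exit /b 1
)
rem Alternative gyp defines / msbuild invocation, kept for reference:
rem   -Dcomponent=static_library -Dtarget_arch=%V8_ARCH% -Dv8_enable_i18n_support=1 -Dv8_use_snapshot=1
rem   msbuild /m /p:UseEnv=true;Configuration=Release;Platform=%V8_ARCH% v8\tools\gyp\v8.vcxproj

"%VS120COMNTOOLS%\..\IDE\devenv.com" /useenv /rebuild Release v8\build\All.sln

pause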

获取 google 日语输入法安装包下载地址

from ml import *
import asyncio

# Omaha (Google Update, protocol 3.0) update-check request for Google Japanese
# Input; the two documents below differ only in the release channel in ``ap``.
_OMAHA_REQUEST = r'''<?xml version="1.0" encoding="UTF-8"?>
<request protocol="3.0">
    <os platform="win" version="6.1" sp="" arch="x86"/>
    <app appid="{DDCCD2A9-025E-4142-BCEB-F467B88CF830}" ap="%s">
        <updatecheck/>
    </app>
</request>
'''

# Stable channel.
stable = _OMAHA_REQUEST % 'external-stable-universal'

# Dev channel.
dev = _OMAHA_REQUEST % 'external-dev-universal'

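@asyncio.coroutine
def query_chrome(ver):
    """Ask Google's Omaha update service for the current installer of the app in *ver*.

    Args:
        ver: an Omaha ``<request>`` XML document (``stable`` or ``dev`` above).

    Returns:
        list[str]: one candidate download URL per ``<url codebase=...>`` entry,
        each joined with the package name from the manifest. Every URL is also
        printed with its scheme stripped, as a side effect.

    Raises:
        ValueError: when the response carries no ``<urls>``/``<manifest>``
        (e.g. ``<updatecheck status="noupdate"/>``); the original died here with
        an AttributeError on ``None``.
    """
    http = AsyncHttp()
    # NOTE(review): a fixed local proxy is hard-wired; every request goes through it.
    http.SetProxy('localhost', 7777)

    # SECURITY: the update check goes over plain HTTP, so that proxy or any
    # on-path host can rewrite the download URLs handed back, and the installer
    # is then fetched from wherever they point. Prefer https:// for this
    # endpoint (if AsyncHttp can tunnel it through the proxy) and verify the
    # installer's signature before running it.
    response = yield from http.request('post', 'http://tools.google.com/service/update2', data = ver)

    dllist = _parse_download_urls(response.text())

    for url in dllist:
        print(url.split('://', maxsplit = 1)[1])
    print()

    return dllist


def _parse_download_urls(xml_text):
    """Extract ``codebase + package name`` URLs from an Omaha update-check response."""
    # This parses untrusted network data; stdlib ElementTree is not hardened
    # against entity-expansion attacks (consider defusedxml for production use).
    info = ET.fromstring(xml_text)
    app = info.find('app')
    updatecheck = app.find('updatecheck')
    urls = updatecheck.find('urls')
    manifest = updatecheck.find('manifest')
    if urls is None or manifest is None:
        raise ValueError('updatecheck response has no <urls>/<manifest> (status=%r)'
                         % updatecheck.attrib.get('status'))

    name = manifest.find('packages')[0].attrib['name']
    return [x.attrib['codebase'] + name for x in urls]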

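@asyncio.coroutine
def run():
    """Query the stable channel and return the last download URL listed.

    Returns:
        str: the final entry of ``query_chrome(stable)``. The original assigned
        it to a local and discarded it, so the caller never saw the result.

    Raises:
        IndexError: if the service returned no URLs at all (same as before).
    """
    dllist = yield from query_chrome(stable)
    return dllist[-1]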

def main():
    """Drive the stable-channel query to completion, then wait for a keypress."""
    loop = asyncio.get_event_loop()
    loop.run_until_complete(run())

    PauseConsole('done')

if __name__ == '__main__':
    # TryInvoke comes from ``ml`` (star-imported above); presumably it runs
    # main() and reports any exception instead of a bare traceback — confirm.
    TryInvoke(main)