ios-reverse

IOS reverse

We need a MacOS(or VMWare Virtual Machine)(Version > MacOS 10.15) and Ipad/Iphone(Version > iOS 11). We can refer to link1.

Step0: ipad 7th root

Step1: APP unshell

Ios’s App is similar to APK, and it could install an app in our iPhone. Compared to android, a more strict security mechanism is used by Apple, such as ASLR and encryption (fairplay DRM encryption). First of all, there are some tools to help us:

1
2
3
4
5
6
7
8
1. MachOView.
It could view file structure of Mach-o.
2. class-dump.
It could extract information in Mach-o's header file and generate .h file.
3. MonkeyDev and pod.
It could do dll injection and hook.
4. Hopper Diassembler.
Similar to IDA.

App files are encrypted (fairplay DRM, Digital Rights Management) in many situations, DRM is similar to shell encryption. We should decrypt IPA file first, but there is also a easier way to do this. That is, directly download decrypted IPA files from DumpApp. Otherwise, we need to remove DRM, which is also called 砸壳.

There are many tools to remove DRM:

1
2
1. Static: Iridium, fouldecrypt.
2. Dynamic: dumpdecrypted, Clutch.

After using tools, we will get IPA file. IPA file is a zip file. Then we need to verify whether DRM is removed. The steps is:

1
2
3
4
1. Find IPA file and enter.
2. Find mach-o file.
3. Execute otool -l xxx | grep cryptid.
4. If cryptid = 0, we can ensure that unshell is success.

When we unzip IPA file, we will get some files/folders:

1
2
3
4
5
6
1. xx.app.
	a. CodeResources. Plist file, and save plaintext hash for every file in xx.app.
	b. Assets.car. Image source, Asset Catalog Tinkerer could open it.
	c. embedded.mobileprovision. Certificate.
2. BCSymbolMaps. Symbol file.
3. SwiftSupport. Swift supporing library.

Step2: export header file

After remove DRM protection, we can export header file from IPA file, then we could find hook point. class-dump is a good tool to export header file.

1
class-dump -S -s -H IPA_file_name -o header_save_path

To be continued…

References

[1] https://juejin.cn/post/6934667546301825038

[2] https://hello-david.github.io/archives/82a2b295.html

[3] https://juejin.cn/post/7166220484810375176#heading-8

[4] https://cloud.tencent.com/developer/article/1688063

留言

© 2025 wd-z711

⬆︎TOP