研究了一下iOS的逆向,主要分为三部分:文件式注入攻击、引导式攻击和公共网络攻击。

文件式注入攻击

编译指令(arm架构指令集)

llvm-gcc hack.c -o hack.o -c -arch armv7 -isysroot iPhoneOS11.2.sdk
llvm-gcc hack.o -o hack -arch armv7 -isysroot iPhoneOS11.2.sdk

注:

SDK_PATH = /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.2.sdk

文件拷贝

scp file root@ip:path

数字签名

ldid -S project

重启

reboot

引导式攻击

引导daemon守护进程监听plist

launchctl load plist

远程发包

nc ip port

公共网络攻击(逆向工程)

主要演示使用cycript动态分析微信App,使用IDA静态分析微信App。

查看微信进程id和路径

ps -e | grep WeChat

cycript挂载微信进程

cycript -p WeChat

获取微信沙盒路经

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

拷贝脱壳工具至微信沙盒路径

scp dumpdecrypted.dylib root@ip:/path

ldid数字签名

ldid -S dumpdecrypted.dylib

mobile权限执行

su mobile

使用脱壳工具对微信沙盒进行脱壳

-iPhone:/var/mobile/Containers/Data/Application/5BA1894E-57B7-4EF1-AA27-56A7B126B857/Documents mobile# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/CD24778C-7625-4E90-93E3-07C8B2CA03D9/WeChat.app/WeChat mach-o decryption dumper

拷贝脱壳文件至Mac

内网shell反弹 利用公网服务器scp上传下载

class-dump提取头文件

class-dump -H WeChat.decrypted -o WeChatHeaders

使用cycript查看当前页面元素

UIApp.keyWindow.recursiveDescription().toString()

根据地址寻找事件响应

[#0x164e3000 nextResponder]

IDA调试

指定arm指令集反汇编

Hook动态修改控件值

主要工具为cycript

cy# var app = [UIApplication sharedApplication]  
#"<UIApplication: 0x15ef83de0>"  
cy# var keyWindow = app.keyWindow  
#"<iConsoleWindow: 0x160991550; baseClass = UIWindow; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x160992ba0>; layer = <UIWindowLayer: 0x160991ae0>>"  
cy# var rootViewController = keyWindow.rootViewController  
#"<MMTabBarController: 0x160dbd960>"  
cy# var firstNavigationController = rootViewController.childViewControllers[0]  
#"<MMUINavigationController: 0x160cec380>"  
cy# firstNavigationController.navigationItem.titleView=nil  
null  
cy# firstNavigationController.title = "Jinjin Hack"  
"Jinjin Hack"  
cy# firstNavigationController.topViewController.navigationItem.titleView=nil  
null  
cy# firstNavigationController.topViewController.title = "Jinjin Hack"  
"Jinjin Hack"  
cy# firstNavigationCycript HackController.topViewController.navigationItem.rightBarButtonItem = [[UIBarButtonItem alloc] initWithBarButtonSystemItem:UIBarButtonSystemItemCamera target:nil action:nil];  
#"<UIBarButtonItem: 0x160f85130>"

所有工具源码均在iOSpenetration