
iOS (13): Using bfinject to inject cycript on iOS 11 & dump decrypted apps


0x0 Preface

Work requires tools such as cycript, but because of the feud between saurik and coolstar, cycript cannot run directly on iOS 11, so the bfinject tool is needed to run cycript.

0x1 Installing and using bfinject

Installing and using bfinject is straightforward; see the GitHub source: https://github.com/BishopFox/bfinject
Install bfinject:
$ wget https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
$ scp bfinject.tar root@192.168.1.104:~/
$ ssh root@192.168.1.104
iPhone:~/bfinject root# mkdir bfinject
iPhone:~/bfinject root# mv bfinject.tar ./bfinject
iPhone:~/bfinject root# cd bfinject
iPhone:~/bfinject root# tar xvf bfinject.tar
Run bfinject and you can see that it bundles the cycript injector and the decrypt dumping tool, and that it also supports injecting other dylibs:
iPhone:~/bfinject root# bash bfinject
Syntax: bfinject [-p PID | -P appname] [-l /path/to/yourdylib | -L feature]

For example:
   bfinject -P Reddit.app -l /path/to/evil.dylib   # Injects evil.dylib into the Reddit app
     or
   bfinject -p 1234 -L cycript                     # Inject Cycript into PID
     or
   bfinject -p 4566 -l /path/to/evil.dylib         # Injects the .dylib of your choice into PID

Instead of specifying the PID with -p, bfinject can search for the correct PID based on the app name.
Just enter "-P identifier" where "identifier" is a string unique to your app, e.g. "fing.app".

Available features:
  cycript    - Inject and run Cycript
  decrypt    - Create a decrypted copy of the target app
  test       - Inject a simple .dylib to make an entry in the console log
  ispy       - Inject iSpy. Browse to http://<DEVICE_IP>:31337/

0x11 Injecting an app with bfinject's built-in Cycript:

iPhone:~/bfinject root# bash bfinject -P SYHDAppPayProject -L cycript
Once it succeeds, the iPhone shows a "cycript loaded!" alert and starts listening on port 1337; open a remote cycript connection from the Mac:
$ cycript -r 192.168.1.104:1337
cy# [[NSBundle mainBundle] bundleIdentifier]
@"com.tmgigame.apppaytool"
cy# [[NSBundle mainBundle] bundlePath]
@"/var/containers/Bundle/Application/C438C976-2657-46F1-83BE-07F2DFBAF5A7/SYHDAppPayProject.app"
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
@[#"file:///var/mobile/Containers/Data/Application/BB2EB568-851B-42F4-AD1F-B9B4D5295755/Documents/"]
Cycript fails to start when the Ruby version is too new
If the installed Ruby version is too new, cycript fails to start:
$ cycript
dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
  Referenced from: /usr/local/share/cycript_0.9.594/Cycript.lib/cycript-apl
  Reason: image not found
Install the matching Ruby version and copy its library into the Cycript.lib directory:
$ brew install ruby@2.0
$ cp /usr/local/Cellar/ruby@2.0/2.0.0-p648_6/lib/libruby.2.0.0.dylib /usr/local/share/cycript_0.9.594/Cycript.lib/
$ cycript
cy#

0x12 Dumping a decrypted app with bfinject

Dumping with bfinject is just as simple: replace the cycript argument with decrypt:
iPhone:~/bfinject root# bash bfinject -P SYHDAppPayProject -L decrypt
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/C438C976-2657-46F1-83BE-07F2DFBAF5A7/SYHDAppPayProject.app/SYHDAppPayProject'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID MLP6RB876U and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 378.
[bfinject4realz] Calling thread_create() on PID 378
[bfinject4realz] Looking for ROP gadget... found at 0x1843594e0
[bfinject4realz] Fake stack frame at 0x12e63c000
[bfinject4realz] Calling _pthread_set_self() at 0x18459b778...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x184359460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c01f0a00
[+] So long and thanks for all the fish.
When it finishes, a decrypted ipa is written to the app's data directory (the path obtained earlier via cycript):
iPhone:/var/mobile/Containers/Data/Application/BB2EB568-851B-42F4-AD1F-B9B4D5295755/Documents root# ls -al
total 17772
drwxr-xr-x 5 mobile mobile      160 May 30 13:14 ./
drwxr-xr-x 8 mobile mobile      256 May 27 09:48 ../
drwxr-xr-x 3 mobile mobile       96 May 27 10:37 .UTSystemConfig/
-rw-r--r-- 1 mobile mobile 17670111 May 30 13:09 decrypted-app.ipa
-rw-r--r-- 1 mobile mobile     1466 May 30 10:33 user.arch
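The check a practitioner wants after this step is whether decrypted-app.ipa really is decrypted: the main executable's LC_ENCRYPTION_INFO_64 (or LC_ENCRYPTION_INFO on 32-bit slices) load command carries a cryptid field, 1 while the FairPlay-encrypted segment is still in place and 0 once it has been dumped. The script below is an added example, not part of the original post and not bfinject's own code; it parses the Mach-O load commands directly so it runs without otool. It goes a little beyond the arm64 case on this page by also handling fat (universal) binaries and 32-bit slices. The function names (encryption_state, check_decrypted, check_ipa) and the header-only Mach-O images and .ipa it builds are constructed samples for illustration, not real binaries.

```python
import io
import plistlib
import struct
import zipfile
from typing import Dict, List, Optional

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, little-endian on arm
FAT_MAGIC = 0xCAFEBABE                           # universal binary, big-endian header
MH_EXECUTE, LC_UUID = 0x2, 0x1B
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
ARCH_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def encryption_state(image: bytes) -> Optional[int]:
    """cryptid of a thin Mach-O: 1 = FairPlay segment still encrypted, 0 = decrypted,
    None = no LC_ENCRYPTION_INFO command at all (never encrypted, e.g. a dylib)."""
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic == MH_MAGIC_64:
        offset = 32                      # mach_header_64 carries an extra reserved word
    elif magic == MH_MAGIC:
        offset = 28
    else:
        raise ValueError("not a little-endian thin Mach-O image: 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end = offset + sizeofcmds
    for _ in range(ncmds):               # walk the load commands in order
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("corrupt load command at offset %d" % offset)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", image, offset + 8)
            return cryptid
        offset += cmdsize
    return None


def split_slices(binary: bytes) -> Dict[int, bytes]:
    """Map cputype -> thin image, for both fat (universal) and thin files."""
    (magic,) = struct.unpack_from(">I", binary, 0)
    if magic != FAT_MAGIC:
        (cputype,) = struct.unpack_from("<I", binary, 4)
        return {cputype: binary}
    (nfat,) = struct.unpack_from(">I", binary, 4)
    result = {}
    for i in range(nfat):                # fat_arch entries follow the 8-byte fat_header
        cputype, _sub, off, size, _align = struct.unpack_from(">5I", binary, 8 + 20 * i)
        result[cputype] = binary[off:off + size]
    return result


def check_decrypted(binary: bytes) -> Dict[str, Optional[int]]:
    """cryptid per architecture, e.g. {'arm64': 0} for a good dump."""
    return {ARCH_NAMES.get(cpu, hex(cpu)): encryption_state(img)
            for cpu, img in split_slices(binary).items()}


def check_ipa(ipa_bytes: bytes) -> Dict[str, Optional[int]]:
    """Locate Payload/<App>.app/Info.plist, read CFBundleExecutable and check it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        plists = [n for n in zf.namelist() if n.startswith("Payload/")
                  and n.count("/") == 2 and n.endswith(".app/Info.plist")]
        if len(plists) != 1:
            raise ValueError("expected exactly one Payload/*.app/Info.plist")
        app_dir = plists[0].rsplit("/", 1)[0]
        exe_name = plistlib.loads(zf.read(plists[0]))["CFBundleExecutable"]
        return check_decrypted(zf.read(app_dir + "/" + exe_name))


# Constructed samples: header-only Mach-O images, not loadable binaries.
def build_thin(cputype: int, cryptid: Optional[int], bits: int = 64) -> bytes:
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16      # an unrelated command first
    if cryptid is not None:
        if bits == 64:
            cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        else:
            cmds += struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    ncmds = 1 if cryptid is None else 2
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC
    header = struct.pack("<7I", magic, cputype, 0, MH_EXECUTE, ncmds, len(cmds), 0)
    if bits == 64:
        header += struct.pack("<I", 0)                           # reserved word
    return header + cmds


def build_fat(images: List[bytes]) -> bytes:
    archs, body = b"", b""
    offset = 8 + 20 * len(images)
    for img in images:
        cputype, cpusubtype = struct.unpack_from("<II", img, 4)
        archs += struct.pack(">5I", cputype, cpusubtype, offset + len(body), len(img), 0)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


def build_sample_ipa(executable: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(
            {"CFBundleExecutable": "Sample", "CFBundleIdentifier": "com.example.sample"}))
        zf.writestr("Payload/Sample.app/Sample", executable)
    return buf.getvalue()
```

To check a real dump, read decrypted-app.ipa into bytes and call check_ipa() on it; a successful dump of an arm64 app reports {'arm64': 0}, while {'arm64': 1} means the segment was copied out still encrypted (for instance because the injection never reached the running process), and a slice still showing 1 inside a universal binary is the one that was never mapped and therefore never decrypted.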

0x2 Pitfalls with bfinject on iOS 11.2 and later

The bfinject source currently only supports dylib injection on iOS 11.0 - 11.1.2, but the work device at hand runs iOS 11.2, so there are some pitfalls:
Reference: https://itreefly.com/posts/3ab7b72b.html
  1. [!] Unknown jailbreak. Aborting.
    The post-jailbreak files it expects were not found; look at the bfinject source:
    #
    # Detect LiberiOS vs Electra
    #
    if [ -f /bootstrap/inject_criticald ]; then
     # This is Electra
     echo "[+] Electra detected."
     cp jtool.liberios /bootstrap/usr/local/bin/
     chmod +x /bootstrap/usr/local/bin/jtool.liberios
     JTOOL=/bootstrap/usr/local/bin/jtool.liberios
     cp bfinject4realz /bootstrap/usr/local/bin/
     INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
    
    This is because the latest Electra jailbreak renamed the bootstrap directory to electra:
    iPhone:~/bfinject root# ls /electra/
    amfid_payload.dylib*  inject_criticald*  jailbreakd_client*   pspawn_payload.dylib*
    helloworld*           jailbreakd*        libjailbreak.dylib*
    
    So symlink it and create the directories the code expects by hand:
    iPhone:~/bfinject root# ln -s /electra /bootstrap
    iPhone:~/bfinject root# mkdir /bootstrap/usr
    iPhone:~/bfinject root# mkdir /bootstrap/usr/local
    iPhone:~/bfinject root# mkdir /bootstrap/usr/local/bin
    
  2. md5: command not found
    Use md5sum in place of md5: $ ln -s /usr/bin/md5sum /usr/bin/md5
  3. [bfinject4realz] Failed to create thread in remote process.
                  This most likely is caused by "Tweaks" being enabled in Electra.
                  Please try rebooting and re-jailbreaking with "Tweaks" disabled.
    
    bfinject's injection module conflicts with Tweaks; reboot and re-jailbreak with the Tweaks option unchecked.

0x3 The killed 9 problem with native cycript

The killed 9 of native cycript is caused by the Cydia Substrate framework not being supported, not by a signing problem; the cycript downloaded from saurik's Cydia repo is signed as follows:
$ codesign -vvd cycript
Executable=/*/*/cycript
Identifier=cycript_
Format=Mach-O universal (armv6 arm64)
CodeDirectory v=20200 size=632 flags=0x0(none) hashes=23+5 location=embedded
Signature size=8520
Authority=Developer ID Application: Jay Freeman (YN3GF3Y6DG)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 29, 2016 at 04:29:15
Info.plist=not bound
TeamIdentifier=YN3GF3Y6DG
Sealed Resources=none
Internal requirements count=1 size=168
