1. Frida
- Hopper, class-dump, ios-ssl-kill-switch, Keychain-Dumper and MachOParser can be used for static analysis;
- CycriptTricks (powerful private methods), UIButton's sendActionsForControlEvents, DerekSelander's LLDB scripts (Python scripts to aid in your debugging sessions) and frida can be used for dynamic debugging and analysis;
- Theos and MonkeyDev are used to develop and debug iphone/tool and iphone/tweak projects;
- Frida is a hook framework built on Python + JavaScript that works across Android, iOS, Linux, Windows and macOS. The principle: a server program is installed on the phone, the phone-side port is forwarded so that it can communicate with a Python script written on the PC, and the hook code inside that Python script is written in JavaScript.
① Install frida on the device
- Start Cydia and add Frida’s repository by navigating to Manage -> Sources -> Edit -> Add and entering https://build.frida.re
- apt-get update; after installation the following Frida files are present on the device:
-rwxr-xr-x 1 root wheel 11292672 Oct 14 00:54 /usr/sbin/frida-server*
-rw-r--r-- 1 root wheel 779 Oct 14 00:54 /Library/LaunchDaemons/re.frida.server.plist
② Install frida on the Mac
- Install pip, the Python package manager:
$ sudo easy_install pip
- Install frida:
$ sudo -H pip install frida
- Upgrade frida:
$ sudo pip install --upgrade frida --ignore-installed six
- Connect the device over USB and make sure Frida is working properly (the relevant frida-ps options):
-U, --usb           connect to USB device
-a, --applications  list only applications
-i, --installed     include all installed applications
$ frida-ps -Uai
 PID  Name          Identifier
----  ------------  ---------------------------
 904  Cydia         com.saurik.Cydia
 856  微信          com.tencent.xin
 858  郵件          com.apple.mobilemail
      App Store     com.apple.AppStore
③ Debugging
- pdb.py can be invoked as a script to debug other scripts:
$ python -m pdb ./dump.py 微信
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(7)<module>()
-> import sys
- Common pdb commands:
(Pdb) h
Documented commands (type help <topic>):
========================================
EOF    bt         cont      enable  jump  pp       run      unt
a      c          continue  exit    l     q        s        until
alias  cl         d         h       list  quit     step     up
args   clear      debug     help    n     r        tbreak   w
b      commands   disable   ignore  next  restart  u        whatis
break  condition  down      j       p     return   unalias  where
- Explanation:
break or b: set a breakpoint
continue or c: continue execution
list or l: show the source code around the current line
step or s: step into a function
return or r: run until the current function returns
exit or q: abort and quit
next or n: execute the next line
pp: pretty-print the value of a variable
(Pdb) pp os.getcwd()
'/Users/devzkn/Downloads/kevin\xef\xbc\x8dsoftware/ios-Reverse_Engineering/frida-ios-dump-master'
- Printing Chinese characters:
(Pdb) print sys.argv
['./dump.py', '\xe5\xbe\xae\xe4\xbf\xa1']
(Pdb) print sys.argv[1]
微信
④ Dumping with frida
- frida-ios-dump: https://github.com/zhangkn/frida-ios-dump
- Complete the steps above (install frida on the device and on the Mac);
- Use usbmuxd for port forwarding: local port 2222 is forwarded to port 22 on the iOS device;
- Run dump.py:
devzkndeMacBook-Pro:bin devzkn$ frida-ps -Uai
 PID  Name          Identifier
----  ------------  ---------------------------
1314  App Store     com.apple.AppStore
2151  微信          com.tencent.xin
2183  淘寶聯盟      com.alimama.moon
1309  設定          com.apple.Preferences
- It must be run from the directory that contains dump.py; running it through a symlink (ln -s) also fails:
devzkndeMacBook-Pro:frida-ios-dump-master devzkn$ ./dump.py 驅蚊大咖
open target app......
start dump target app......
2. Common problems
① Operation not permitted
- Operation not permitted: /var/folders/6t/h404bjcd5tb_4q86tpv_251rv_0h0j/T/pip-sYsqDS-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info;
- This is because OS X El Capitan ships with six 1.4.1 installed already and when it attempts to uninstall it (because awscli depends on botocore, botocore depends on python-dateutil, and python-dateutil depends on six >= 1.5) it doesn’t have permission to do so because System Integrity Protection doesn’t allow even root to modify those directories.
$ sudo -H pip install --ignore-installed six
- Checking shows that frida-server is not running (only the grep process itself appears):
iPhone:/usr/sbin root# killall SpringBoard
iPhone:/usr/sbin root# ps -e |grep frida-server
2290 ttys000 0:00.01 grep frida-server
② Alternative when frida reports "Failed to spawn"
- First use frida-ps -Uai to look up the PID;
- Then attach to the running process with frida -p:
$ frida -U -p 1262
     ____
    / _  |   Frida 10.6.27 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
[iPhone::PID::1262]->
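The Python-side equivalent of this workflow, covering both the Python + JavaScript split described in section 1 and the "look up the PID, then attach" fallback above. This is an added example, not code from the page or from the Frida project. It assumes frida-ps and the frida Python package are installed on the Mac (frida is imported lazily so the parsing helpers run without it), and it uses a constructed frida-ps listing modelled on the one shown earlier on this page. The injected JavaScript only logs the string passed to NSURL's URLWithString:, so the target's behaviour is observed, not changed.

```python
import re
import subprocess
import sys

# Constructed sample of `frida-ps -Uai` output, column-aligned the way
# frida-ps prints it. The App Store row has no PID because it is installed
# but not running, which is exactly the case where attach cannot be used.
SAMPLE_PS_OUTPUT = """\
 PID  Name          Identifier
----  ------------  ---------------------------
 904  Cydia         com.saurik.Cydia
 856  微信          com.tencent.xin
 858  郵件          com.apple.mobilemail
      App Store     com.apple.AppStore
"""

# Hook source that frida-server runs inside the target process. The ObjC
# bridge resolves the class method at runtime; Interceptor reports each
# call back to the Python side through send() without altering it.
HOOK_JS = r"""
if (ObjC.available) {
    var impl = ObjC.classes.NSURL['+ URLWithString:'].implementation;
    Interceptor.attach(impl, {
        onEnter: function (args) {
            // args[0] = class, args[1] = selector, args[2] = the NSString argument
            send({ url: new ObjC.Object(args[2]).toString() });
        }
    });
} else {
    send({ error: 'Objective-C runtime not available in this process' });
}
"""


def parse_frida_ps(text):
    """Parse frida-ps output into (pid or None, name, identifier) tuples.

    Columns are separated by two or more spaces, so a name with a single
    internal space ("App Store") survives. A missing PID means not running.
    """
    entries = []
    for line in text.splitlines()[2:]:          # skip header and ---- rule
        if not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 3:
            pid, name, identifier = fields
            entries.append((int(pid), name, identifier))
        elif len(fields) == 2:
            name, identifier = fields
            entries.append((None, name, identifier))
    return entries


def pid_for(entries, identifier):
    """Return the PID of a running app by bundle identifier, else None."""
    for pid, _name, ident in entries:
        if ident == identifier:
            return pid
    return None


def attach_and_hook(pid):
    """Same effect as `frida -U -p <pid>` followed by loading HOOK_JS."""
    import frida  # imported here so the helpers above work without frida installed
    device = frida.get_usb_device()
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", lambda message, data: print(message))
    script.load()
    print("[*] hooked; press Ctrl-D to detach")
    sys.stdin.read()
    session.detach()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "com.tencent.xin"
    # Assumption: frida-ps is on PATH. Substitute SAMPLE_PS_OUTPUT to dry-run.
    ps = subprocess.run(["frida-ps", "-Uai"], capture_output=True,
                        text=True, check=True).stdout
    pid = pid_for(parse_frida_ps(ps), target)
    if pid is None:
        sys.exit("%s is not running on the device; start it first" % target)
    attach_and_hook(pid)
```

Attaching by PID only works for a process that is already running, which is why the listing is parsed first: an installed-but-not-running app (no PID column) would need spawning, the operation that fails in the scenario above.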
③ frida-ios-dump fails because of a non-English path
- Step-by-step analysis of the problem in pdb:
(Pdb) l
108 script = loadJsFile(session, APP_JS);
109 name = target.decode('utf8');
110 script.post(name);
111 opened.wait();
112 session.detach();
113 -> createDir(os.getcwd()+"/"+OUTPUT)
114 print "start dump target app......"
115 session = device.attach(name);
116 script = loadJsFile(session, DUMP_JS);
117 script.post("dump");
118 finished.wait();
(Pdb) s
--Return--
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(113)main()->None
-> createDir(os.getcwd()+"/"+OUTPUT)
(Pdb) l
108 script = loadJsFile(session, APP_JS);
109 name = target.decode('utf8');
110 script.post(name);
111 opened.wait();
112 session.detach();
113 -> createDir(os.getcwd()+"/"+OUTPUT)
114 print "start dump target app......"
115 session = device.attach(name);
116 script = loadJsFile(session, DUMP_JS);
117 script.post("dump");
118 finished.wait();
(Pdb) s
UnicodeDecodeError: UnicodeD...ge(128)')
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(127)<module>()
-> main(sys.argv[1])
(Pdb) l
122 if len(sys.argv) < 2:
123 print "usage: ./dump.py 微信"
124 sys.exit(0)
125 else:
126 try:
127 -> main(sys.argv[1])
128 except KeyboardInterrupt:
129 if session:
130 session.detach()
131 sys.exit()
132 except:
(Pdb) s
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(128)<module>()
-> except KeyboardInterrupt:
(Pdb) pp UnicodeDecodeError
<type 'exceptions.UnicodeDecodeError'>
- It is best to use English names when creating directories; a script that does not support Chinese paths will easily break otherwise. frida-ios-dump, for example, does not support a save path containing Chinese characters.
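The failure at dump.py line 113 reproduced and fixed in isolation, as an added example (not code from frida-ios-dump). The pdb output earlier on this page shows that os.getcwd() returned a byte string in which the directory name contains \xef\xbc\x8d, the UTF-8 encoding of U+FF0D, a fullwidth hyphen; under Python 2, joining those bytes with the unicode OUTPUT value decodes them with the default ascii codec, which is the UnicodeDecodeError seen above. The value of OUTPUT is not shown on the page, so a hypothetical name is used; the working directory is the one from the page.

```python
import os

# Constructed from the pdb output on this page: the byte string Python 2's
# os.getcwd() returned. "kevin\xef\xbc\x8dsoftware" is "kevin－software" with a
# fullwidth hyphen (U+FF0D); any byte >= 0x80, Chinese or not, triggers the bug.
CWD_BYTES = (b"/Users/devzkn/Downloads/kevin\xef\xbc\x8dsoftware"
             b"/ios-Reverse_Engineering/frida-ios-dump-master")

# Hypothetical value for dump.py's OUTPUT constant, which the page does not show.
OUTPUT = u"dump_output"


def output_dir_py2_style(cwd_bytes, output):
    """What os.getcwd()+"/"+OUTPUT did on Python 2 with a unicode OUTPUT:
    the bytes are decoded with the default 'ascii' codec, which fails on the
    first non-ASCII byte. The implicit decode is written out explicitly so
    the identical error reproduces on Python 3."""
    return cwd_bytes.decode("ascii") + "/" + output


def output_dir_fixed(cwd_bytes, output):
    """Decode the path with the filesystem encoding (UTF-8 on macOS) before
    joining, and let os.path.join supply the separator. On Python 2 the
    equivalent is to call os.getcwdu(), which returns unicode directly."""
    cwd = cwd_bytes.decode("utf-8", "surrogateescape")
    return os.path.join(cwd, output)


def first_non_ascii(cwd_bytes):
    """Offset of the first byte >= 0x80, or -1 for a pure-ASCII path. A script
    that only handles ASCII paths can use this as a pre-flight check and fail
    with a clear message instead of a traceback deep inside main()."""
    for i, b in enumerate(cwd_bytes):
        if b >= 0x80:
            return i
    return -1


def reproduce():
    """Run both variants on the constructed path; return (error name or None,
    fixed path) so the outcome can be checked rather than only printed."""
    try:
        output_dir_py2_style(CWD_BYTES, OUTPUT)
        failed_with = None
    except UnicodeDecodeError as e:
        failed_with = type(e).__name__
    return failed_with, output_dir_fixed(CWD_BYTES, OUTPUT)


if __name__ == "__main__":
    err, path = reproduce()
    print("python-2-style join:", err or "ok")
    print("fixed join:", path)
    print("first non-ASCII byte at offset", first_non_ascii(CWD_BYTES))
```

The pre-flight check is the practical takeaway: the page's advice to keep directory names in English is a workaround, while decoding the working directory with the filesystem encoding (or validating it up front) removes the dependency on the path entirely.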
Please credit the source when reposting. Link to this article: https://www.uj5u.com/houduan/333809.html
Tags: python
