Some points to note when learning iOS Application Security

http://highaltitudehacks.com/

0. Base environment: iPhone 5s (64-bit), iOS 8.1, jailbroken

1. MobileTerminal: use the version from the source http://cydia.angelxwind.net; vim version 7.1-3p, do not upgrade to 7.3-1;

2. dyld: Library not loaded: /usr/lib/libpcre.0.dylib

    ==> apt-get install pcre

3. Commands run after logging in over SSH may hang; tap the phone to wake the screen.

4. Searching the Cydia repository is case-insensitive

5. If git reports 'fatal: Unable to find remote helper for 'https'', switch the https protocol to git

6. Fixing the iOS "Illegal instruction: 4" error and the gdb error 'Unrecognized osabi 0 in arm_set_osabi_from_host_info'

The tool versions available from some Cydia repositories are limited, so you can download the deb packages directly and install them (for example, the gcc and gdb versions found through Cydia are both missing the 'p' suffix)

libgcc: http://apt.saurik.com/debs/libgcc_4.2-20080410-1-6_iphoneos-arm.deb

gcc: http://apt.saurik.com/debs/iphone-gcc_4.2-20080604-1-8p_iphoneos-arm.deb

gdb: http://apt.saurik.com/debs/gdb_1518-12p_iphoneos-arm.deb

make: http://apt.saurik.com/debs/make_3.81-2p_iphoneos-arm.deb

Because the binaries were compiled with an older toolchain, the problem can be fixed by patching the files; only two commands are needed.

sed -i 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' ios_bin // replace

ldid -s ios_bin // re-sign
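The same byte patch as a small C tool, added here as an example (my code, not the page author's): it scans at every byte offset exactly like the sed command does, rewrites the two four-byte patterns, and reports how many instruction words were changed. By my reading of the ARM encoding, changing 0xE4 to 0xE5 sets bit 24 (the P bit) of the word, which turns the post-indexed `ldr r3, [r3], #0` / `ldrb r3, [r3], #0` into the pre-indexed `ldr r3, [r3, #0]` / `ldrb r3, [r3, #0]`. The function names and the `ios_bin` argument are my own choices; re-signing with ldid afterwards is still required.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Byte patterns (little-endian ARM words) exactly as in the sed command. */
static const unsigned char LDR_POST[4]  = {0x00, 0x30, 0x93, 0xe4};  /* ldr  r3, [r3], #0 */
static const unsigned char LDR_PRE[4]   = {0x00, 0x30, 0x93, 0xe5};  /* ldr  r3, [r3, #0] */
static const unsigned char LDRB_POST[4] = {0x00, 0x30, 0xd3, 0xe4};  /* ldrb r3, [r3], #0 */
static const unsigned char LDRB_PRE[4]  = {0x00, 0x30, 0xd3, 0xe5};  /* ldrb r3, [r3, #0] */

/* Replace every occurrence of the two patterns in buf, scanning at every
 * byte offset (no 4-byte alignment is assumed, matching sed's behaviour).
 * After a match the scan continues past it, so matches never overlap.
 * Returns the number of words patched. */
size_t patch_ldr_words(unsigned char *buf, size_t len)
{
    size_t patched = 0;
    if (len < 4) return 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, LDR_POST, 4) == 0) {
            memcpy(buf + i, LDR_PRE, 4);
            patched++;
            i += 3;
        } else if (memcmp(buf + i, LDRB_POST, 4) == 0) {
            memcpy(buf + i, LDRB_PRE, 4);
            patched++;
            i += 3;
        }
    }
    return patched;
}

/* Read the file at path into memory, patch it, and write it back in place.
 * Returns the number of words patched, or -1 on an I/O error. */
long patch_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long n = ftell(f);
    rewind(f);
    if (n < 0) { fclose(f); return -1; }

    unsigned char *buf = malloc((size_t)n + 1);   /* +1 so a zero-length file is fine */
    if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) {
        free(buf);
        fclose(f);
        return -1;
    }
    fclose(f);

    size_t patched = patch_ldr_words(buf, (size_t)n);

    f = fopen(path, "wb");
    if (!f || fwrite(buf, 1, (size_t)n, f) != (size_t)n) {
        if (f) fclose(f);
        free(buf);
        return -1;
    }
    fclose(f);
    free(buf);
    return (long)patched;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <ios_bin>\n", argv[0]);
        return 2;
    }
    long n = patch_file(argv[1]);
    if (n < 0) {
        perror(argv[1]);
        return 1;
    }
    printf("patched %ld instruction word(s); now run: ldid -s %s\n", n, argv[1]);
    return 0;
}
```

Usage is `./patch_ldr ios_bin` followed by `ldid -s ios_bin`; the count it prints is a quick sanity check that the binary actually contained the pattern before you re-sign it.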

Note: iOS 8 and later no longer support gdb; use lldb + debugserver instead. Connect the device to Xcode, then choose Debug -> Attach to Process and select an app; Xcode installs debugserver on the device under /Developer/usr/bin/. debugserver is the lldb server running on iOS: it executes the commands sent by lldb on the Mac and returns the results to lldb on the Mac, which displays them to the user.

7. lrzsz can be installed from the BigBoss source; note that the commands are lrz and lsz

8. On iOS 8.1, apps are installed under /private/var/mobile/Containers/Bundle/Application/

   and app data is stored under /private/var/mobile/Containers/Data/Application/

9. You can now find otool in the "Darwin CC Tools" package from the Cydia/Telesphoreo repository.

(dpkg -i --force-overwrite, dpkg -r com.isecpartners.introspy)

10. Restoring missing system icons after installing Snoop-it on an iPhone (do not try installing it on 64-bit devices)

1) Connect to the phone over SSH and enter the /Applications directory; you will find only a single "Snoop-it Config.app" folder there. Delete it;

2) Open /private/var/mobile/Library/Caches/com.saurik.Cydia/lists/cydia.radare.org_._Packages and repo.nesolabs.de_._Packages and delete the stanzas containing "snoop";

3) Open /private/var/lib/dpkg/status and /private/var/lib/dpkg/status-old and delete the stanzas related to snoopit;

4) Find the install path of the system applications, /private/var/stash/xxxxx/Applications (xxxxx differs from phone to phone; just find the one containing Applications), and copy everything in that folder to /Applications at the root (which should be empty at this point);

5) Reboot the phone, connect over SSH and run the uicache command; all the icons come back.

6) Do not perform a phone restore afterwards; there is a risk of a white-apple boot loop. At least my first device died right after that operation. Once the icons are back and things work, leave it at that.

11. Download the https://github.com/nu11p0inter/iNalyzer version, which mainly fixes the app install path problem on iOS 8 and later. The version from the source https://appsec-labs.com/cydia can also be used

Problems reported when compiling with Xcode 10:

0) At first, libz.dylib is reported as not found

You can simply delete the existing libz.dylib entry under Link Binary with Libraries in Build Phases; the system then finds the right path automatically

If that does not work, add it manually as follows

Go to Build Phases > Link Binary with Libraries > + > Add Other

Once in the file selection window press Cmd+Shift+G (Go to Folder) and type /usr/lib/

From /usr/lib you can add libz.dylib/libz.tbd and more...

Compile and have fun

1) union lc_str has no member ptr

union lc_str {
        uint32_t        offset; /* offset to the string */
#ifndef __LP64__
        char            *ptr;   /* pointer to the string */
#endif
};

As you can see, when building for a 64-bit system, i.e. when __LP64__ is defined, the ptr member does not exist, so this line can simply be commented out

//overdrive_dyld->dylib.name.ptr = (char *) sizeof(struct dylib_command);

2) "__vm_region", x86_64 reference not found, from dump.o

The vm_xxx API used 32-bit types to store addresses. But, as the Mach API is designed to interact with other processes, it has to be capable of dealing with 64-bit addresses even in a 32-bit process.

That is why the mach_vm_xxx API was introduced in 10.4, the first Mac OS X version able to run 64-bit processes.

mach_task_self doesn't have any reason to change.

Find the vm_region() call in dump.m and replace it with mach_vm_region(), and add #import <mach/mach_vm.h> to dump.h

Now the compiler reports "error mach_vm.h unsupported", i.e. mach_vm.h is empty; find the path of mach_vm.h, back it up first, and then copy one over from elsewhere

sudo mv /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h.bak

sudo cp /usr/include/mach/mach_vm.h /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/usr/include/mach/mach_vm.h

Copy mach_vm.h into the device SDK in the same way

3) Compilation reports that the ldid path cannot be found; editing ldid directly in that sh script has no effect because it gets overwritten. As a workaround, copy ldid to the path used by the newly created script

4) When compiling for a device: XXX isn't code signed but requires entitlements. It is not possible to add entitlements to a binary with

Tried Target -> General -> Signing -> Automatically manage signing; after selecting a dev team, development signing cannot be enabled, even after removing the dependent file from Code Signing Entitlements in Build Settings.

cd /Users/xxx/Desktop/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk

cp SDKSettings.plist SDKSettings.plist.bak

/usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES" SDKSettings.plist

/usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO" SDKSettings.plist

plutil -p SDKSettings.plist   (inspect the plist contents)

After changing these two keys in the SDK, untick Automatically manage signing; the build can then bypass signing

11. After starting INTROSPY analysis, the /private/var/mobile/Library/BatteryLife/Archives directory kept producing *.PLSQL files, causing storage usage to grow rapidly. for f in *.PLSQL; do rm "$f"; done

12. The Xcode 10 iOS simulator directories are as follows:

/Users/xxx/Library/Developer/CoreSimulator/Devices/8CA8E182-5DF2-4B73-A4FB-6637510EA1D2/data/Containers/Bundle/Application/6B3E9DF2-4F09-444D-9826-34D72B18C577

8CA8E182-5DF2-4B73-A4FB-6637510EA1D2 identifies one specific device, e.g. iPhone 5s iOS 8.1

6B3E9DF2-4F09-444D-9826-34D72B18C577 identifies one specific app's path

/Users/xxx/Library/Developer/CoreSimulator/Devices/8CA8E182-5DF2-4B73-A4FB-6637510EA1D2/data/Containers/Data/Application/35036EB8-AB36-4BCE-86E4-AEC840CCB93E/Documents/secret-data

13. How to compile DVIA-2 for Swift 4.2 and Xcode 10 for mobile app security

I. Xcode 10 "Multiple commands produced" error

1. In Xcode, go to File -> Project/Workspace Settings.

2. Change the build system to Legacy Build System.

II. Umbrella header 'Realm.h' not found

Hold down Option while clicking Product in the Xcode menu to reveal the Clean Build Folder... option

III. Invalid redeclaration of 'removeSubrange' in List.swift in Xcode 10: run "pod update RealmSwift"

IV. Overlapping accesses to 'derivedKeyData', but modification requires exclusive access; consider copying to a local variable

In the recent Swift 4.2 branch, the existing Swift 4.1 warning about ‘overlapping accesses’ is now an error in Swift 4 mode. This means that projects with this warning will fail to build with the Swift 4.2 compiler.

The warning typically arises when a mutating method that modifies a variable is passed a non-escaping closure that reads from the same variable. For example:

var buffer = Data(count: Int(INET6_ADDRSTRLEN))

// Warning: overlapping accesses to 'buffer', but modification
// requires exclusive access; consider copying to a local variable
let ptr = buffer.withUnsafeMutableBytes {
    // Note: conflicting access is here
    inet_ntop(AF_INET, &sin.sin_addr, $0, socklen_t(buffer.count))
}

Here withUnsafeMutableBytes() is a mutating method on buffer and so conceptually modifies the entire variable for the duration of the method. The compiler warns on the call to count, which is a computed property that reads from buffer while the modification is in progress — a violation of Swift’s rules for exclusive access.

The best way to address this warning is by reading the buffer count outside of the closure and copying it to a captured local variable:

var buffer = Data(count: Int(INET6_ADDRSTRLEN))
let count = buffer.count

let ptr = buffer.withUnsafeMutableBytes {
    inet_ntop(AF_INET, &sin.sin_addr, $0, socklen_t(count))
}

V. unavailable function 'system': not available on iOS (the iOS 11 SDK removed the system function)

#include <spawn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Replacement for system(): spawn /bin/sh -c cmd and wait for it to finish.
 * Returns 1 if the spawn succeeded and 0 otherwise; the child's own exit
 * status is waited for but not propagated to the caller. */
unsigned char run_cmd(char *cmd)
{
    pid_t pid;
    char *argv[] = {"sh", "-c", cmd, NULL};
    int status;

    status = posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, environ);
    if (status == 0) { // posix_spawn returns 0 on success
        if (waitpid(pid, &status, 0) == -1) {
            perror("waitpid");
        }
        return 1;  // run_cmd succeeded
    }
    return 0; // run_cmd failed
}
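As an added example (my code, not the page's or DVIA's), a shell-free variant of the function above: the caller passes an explicit argv, so any string placed in an argument reaches the program verbatim instead of being re-parsed by `sh -c`, and the child's exit status and stdout are returned to the caller rather than discarded. It uses only POSIX `posix_spawn` file actions and a pipe; the function names are mine, and `main` assumes `/bin/echo` exists on the host.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Spawn `path` with an explicit argv (no shell in between), capture up to
 * out_len-1 bytes of its stdout into out (NUL-terminated; pass NULL/0 to
 * discard output), and return the child's exit status (0..255), or -1 if
 * spawning or waiting failed or the child died from a signal. */
int run_argv(const char *path, char *const argv[], char *out, size_t out_len)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;

    /* In the child: stdout -> write end of the pipe, then close both pipe fds. */
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);

    pid_t pid;
    int rc = posix_spawn(&pid, path, &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);                      /* parent keeps only the read end */
    if (rc != 0) {
        close(fds[0]);
        return -1;
    }

    size_t used = 0;
    if (out && out_len > 0) {
        ssize_t n;
        while (used < out_len - 1 &&
               (n = read(fds[0], out + used, out_len - 1 - used)) > 0) {
            used += (size_t)n;
        }
        out[used] = '\0';
    }
    /* Drain anything left so the child never blocks on a full pipe. */
    char sink[256];
    while (read(fds[0], sink, sizeof sink) > 0) {
    }
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper that only reports the exit status. */
int run_status(const char *path, char *const argv[])
{
    return run_argv(path, argv, NULL, 0);
}

int main(void)
{
    char out[128];
    /* The metacharacters arrive at echo as one literal argument; no shell sees them. */
    char *const echo_argv[] = {"echo", "a && b; c", NULL};
    int st = run_argv("/bin/echo", echo_argv, out, sizeof out);
    printf("status=%d output=%s", st, out);
    return st == 0 ? 0 : 1;
}
```

The design point is that `run_cmd` above hands a single string to `sh -c`, so anything concatenated into that string is interpreted by the shell; `run_argv` has no such parsing step, and a caller that needs a shell must ask for it explicitly by spawning `/bin/sh` with its own argv.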

VI. conflicting types for 'SecRandomCopyBytes'

extern int SecRandomCopyBytes(SecRandomRef rnd, size_t count, void *bytes) __attribute__((weak_import));

14. Free personal developer account

I. Log in to the Apple Developer Center with an Apple ID to become a free developer (there is no permission to configure capabilities in the portal, so if the app needs entitlements, signing cannot be done)

II. Add the Apple ID account under Xcode -> Preferences -> Accounts

III. Modify the settings of the Xcode project and the target app

For example, in General the bundle ID must be unique (if the app is to be distributed, it must be registered in the Developer Center)

Set Team to the personal developer account and choose automatically manage signing; if Build Settings contains manual signing settings, reselect iOS Developer.

Choose a device connected over USB as the debug target and you can debug. (Free developer signing on a non-jailbroken device is valid for only 7 days; on a jailbroken device it is unlimited. If the device's iOS version is fairly new, trust this developer under Settings -> Device Management & Profiles)

If ld reports a directory-does-not-exist error, search Build Settings for the framework and library path settings and delete the wrong paths

If ld reports that Flurry does not support bitcode, turn off Enable Bitcode in Build Settings

The deployment target determines which device OS versions are allowed; if the code calls SDK functions from a newer system, the app can only run on systems >= that version

15. Installing DVIA using an Xcode-built package

The app package built by Xcode is under a directory like /Users/xxx/Library/Developer/Xcode/DerivedData/DamnVulnerableIOSApp-hjigvwacknpesuduahcrzmqikljc/Build/Products/Debug-iphonesimulator (or Debug-iphoneos)

Put DVIA.app inside a directory named Payload, compress it as DVIA.zip, rename it to DVIA.ipa, and install it with a tool such as installipa.

Xcode -> Product -> Scheme -> Edit Scheme; on the Info page choose the Build Configuration for the version you need (debug/release)
