Instantly defeat all jailbreak detection: dumping apps with the LLDB debugger version of the decryption tool

Scenario

One day the project manager tossed me an app and asked me to test it. It turned out the app does jailbreak detection: on a jailbroken phone it calls exit(0) the moment it launches, so the currently most popular method, dynamic dumping with frida, does not work. In the end I managed to dump it with the static dumping tool Clutch, but that tool was abandoned after iOS 11.1 because of compatibility problems and only works on iOS 10 jailbroken devices. So what happens if one day I am unlucky and run into an app that only supports iOS 12 and above and also does jailbreak detection?
After some searching I finally found the legendary LLDB dumping tool.

Supported versions

Tested so far: devices on iOS 12 and above work fine, iOS 10 devices do not, and I have no iOS 11 device on hand, so I could not test that.

Usage

First install issh and xia0LLDB: clone them from GitHub, then run install.sh

➜  ~ git clone https://github.com/4ch12dy/issh.git
➜  ~ git clone https://github.com/4ch12dy/xia0LLDB.git

Then install usbmuxd:

➜  ~ brew install usbmuxd

Set up port forwarding on the command line (2222 for SSH, 1234 for debugserver):

➜  ~ iproxy 1234 1234
➜  ~ iproxy 2222 22

On the jailbroken phone, find the path of the executable to be dumped, for example:

/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket

Run the command:

➜  ~ issh debug -x backboard /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
----- output follows -----
[*]:iproxy install. lets go
[*]:iproxy process for 2222 port alive, pid=7699
[*]:scp id_rsa.pub to connect iDevice [1/2]
root@localhost's password:
[*]:add id_rsa.pub to authorized_keys [2/2]
root@localhost's password:
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:iOSRE dir not exist
[*]:Run mkdir -p /iOSRE/tmp;mkdir -p /iOSRE/dylib;mkdir -p /iOSRE/deb;mkdir -p /iOSRE/tools
[*]:iproxy process for 1234 port alive, pid=7742
[*]:Run ps -e | grep debugserver | grep -v grep; [[ 0 == 0 ]] && (killall -9 debugserver 2> /dev/null)
sh: line 1:  3215 Done                    ps -e
      3216 Broken pipe: 13         | grep debugserver
      3217 Killed: 9               | grep -v grep
[*]:kill app because debug with -x backboard
[*]:Run ps -e | grep /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket | grep -v grep; [[ 0 == 0 ]] && (killall -9 Shadowrocket 2> /dev/null)
[*]:/iOSRE/tools/debugserver file not exist
[*]:Run cat > /iOSRE/tmp/ent.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.diagnosticd.diagnostic</key>
    <true/>
    <key>com.apple.frontboard.debugapplications</key>
    <true/>
    <key>com.apple.frontboard.launchapplications</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>com.apple.system-task-ports</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
[*]:Run cp /Developer/usr/bin/debugserver /iOSRE/tmp/;            cd /iOSRE/tmp;ldid -Sent.xml /iOSRE/tmp/debugserver;            chmod +x  /iOSRE/tmp/debugserver;            cp /iOSRE/tmp/debugserver /iOSRE/tools/;
[*]:Run /iOSRE/tools/debugserver 127.0.0.1:1234 -x backboard /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket

Open a new terminal window and run lldb followed by the dumping command:

➜  ~ lldb
(lldb) dumpdecrypted -X
----- output follows -----
[*] set breakpoint at CFBundleGetMainBundle
[*] will continue process and dump
[*] start execute dumpdecrypted
[*] delete all breakpoints
[*] now is image: 0,/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
[*] start dump [0] image:/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
[+] fix main addr:0x10019a4f0
[+] Dumping Shadowrocket
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000fcc08(from 0x1000fc000) = c08
[+] Found encrypted data at address 00004000 of length 2932736 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 3293184 in the file
[+] Opening /var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 324c08
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted


[-] image info is null, skip image #




[*] Developed By xia0@2019

You can see that the dumped file was written to:

/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted

Use the issh command to copy the dumped file to the computer; of course you can also copy it with scp yourself:

➜  ~ issh scp /var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted ~/Desktop
[*]:iproxy install. lets go
[*]:iproxy process for 2222 port alive, pid=7699
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted is remote file, so cp it from device
Shadowrocket.decrypted
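To confirm that a copied dump like the one above is really decrypted, here is an added Python check (not part of the original post or of xia0LLDB) that walks the Mach-O load commands, every slice of a FAT file included, and reads LC_ENCRYPTION_INFO(_64): in the dumped file cryptid must be 0, which is what the log line "Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 324c08" records (slice offset 3293184 = 0x324000 plus the in-slice offset 0xc08). The sample bytes below are constructed, not taken from Shadowrocket.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC, MH_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
ARM64 = 0x0100000C  # CPU_TYPE_ARM | CPU_ARCH_ABI64

def _thin_info(data: bytes, base: int = 0) -> dict:
    """Walk one thin Mach-O slice; return its LC_ENCRYPTION_INFO(_64) fields plus the
    absolute file offset of the cryptid field (base = slice offset inside a FAT file)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"unsupported Mach-O magic {magic:#x}")
    pos = 32 if magic == MH_MAGIC_64 else 28          # sizeof(mach_header[_64])
    ncmds = struct.unpack("<I", data[16:20])[0]
    info = {"cryptoff": None, "cryptsize": None, "cryptid": None, "cryptid_offset": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[pos + 8:pos + 20])
            info = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid,
                    "cryptid_offset": base + pos + 16}
        pos += cmdsize
    return info

def encryption_info(data: bytes) -> list:
    """One result per architecture slice (a thin file yields a one-item list)."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return [_thin_info(data)]
    nfat = struct.unpack(">I", data[4:8])[0]
    out = []
    for i in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        out.append(_thin_info(data[off:off + size], base=off))
    return out

def is_decrypted(data: bytes) -> bool:
    """True when no slice still carries cryptid == 1 (FairPlay-encrypted __TEXT)."""
    return all(s["cryptid"] in (None, 0) for s in encryption_info(data))

def sample_slice(cryptid: int) -> bytes:
    """Constructed arm64 slice: mach_header_64 + one LC_ENCRYPTION_INFO_64 (not a real app)."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 2932736, cryptid, 0)
    return struct.pack("<8I", MH_MAGIC_64, ARM64, 0, 2, 1, len(lc), 0, 0) + lc

def sample_fat(slice_bytes: bytes, offset: int = 0x1000) -> bytes:
    """Constructed FAT wrapper with one arm64 slice at 'offset' (zero padding before it)."""
    arch = struct.pack(">5I", ARM64, 0, offset, len(slice_bytes), 12)
    return (struct.pack(">II", FAT_MAGIC, 1) + arch).ljust(offset, b"\0") + slice_bytes
```

Run it on a real dump with `is_decrypted(open("Shadowrocket.decrypted", "rb").read())`; a slice that still reports cryptid 1 was not decrypted, and the reported cryptid_offset is the same number the dump log prints.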