23.应用砸壳

一、frida-ios-dump 🔗

1.1 电脑上安装frida

• Clone到本地先

• cd进目录

• 执行sudo pip install -r requirements.txt --upgrade

1.2 手机上安装frida

• 添加源build.frida.re

• 搜索并安装frida

  • 两端版本要一致

1.3 手机连上电脑进行端口映射

这里为了方便起见提供了几个好用的脚本：

• sh iPhoneUSBProxy.sh

  • 🔗

  • 进行端口映射（22-2222）

  • 2222是frida默认的

  • 22是系统默认的

• sh iPhoneLocalLogin.sh(另开一个终端页)

  • 🔗

  • USB链接

• ptython-client

注意电脑上只能插一个手机。血的教训啊。有一天本地登录一直报错，搞了一个小时各种搜索，头要炸了，拔掉手机去上个厕所。拔下数据线的一瞬间感觉世界都亮了，我才意识到插了两个手机。

1.4 查看可砸壳应用

进入Clone下来的frida-ios-dump目录下

./dump.py -l

➜  frida-ios-dump git:(master) ./dump.py -l
 PID  Name           Identifier
----  -------------  -----------------------------
5853  Cydia          com.saurik.Cydia
6661  人人视频           com.rrds.rrdianshi
6609  设置             com.apple.Preferences
   -  App Store      com.apple.AppStore
   -  Azizi          com.inke.yaamar
   -  DobbyDemo      cn.Ryukie.Sama.Loviary
   -  Elic           com.ryukie.sama.minesweeper
   -  FaceTime通话     com.apple.facetime
   -  Facebook       com.facebook.Facebook
   -  Google Maps    com.google.Maps
   -  LogiDemo       cn.Ryukie.Sama.LogiDemo
   -  Safari浏览器      com.apple.mobilesafari
   -  Shadowrocket   com.liguangming.Shadowrocket
   -  Substitute     com.ex.substitute.settings
   -  Twitter        com.atebits.Tweetie2
   -  Watch          com.apple.Bridge
   -  iTunes Store   com.apple.MobileStore
   -  unc0verSobani  com.ryukie.sama.Sobani
   -  信息             com.apple.MobileSMS
   -  健康             com.apple.Health
   -  图书             com.apple.iBooks
   -  地图             com.apple.Maps
   -  备忘录            com.apple.mobilenotes
   -  天气             com.apple.weather
   -  家庭             com.apple.Home
   -  微信             cn.Ryukie.Sama.Hanoi
   -  快捷指令           com.apple.shortcuts
   -  指南针            com.apple.compass
   -  提示             com.apple.tips
   -  提醒事项           com.apple.reminders
   -  播客             com.apple.podcasts
   -  文件             com.apple.DocumentsApp
   -  日历             com.apple.mobilecal
   -  时钟             com.apple.mobiletimer
   -  查找             com.apple.findmy
   -  梦见账本           com.ryukie.sama.ledger.Ledger
   -  测距仪            com.apple.measure
   -  照片             com.apple.mobileslideshow
   -  电话             com.apple.mobilephone
   -  百度地图           com.baidu.map
   -  相机             com.apple.camera
   -  股市             com.apple.stocks
   -  腾讯地图           com.tencent.sosomap
   -  视频             com.apple.tv
   -  计算器            com.apple.calculator
   -  语音备忘录          com.apple.VoiceMemos
   -  通讯录            com.apple.MobileAddressBook
   -  邮件             com.apple.mobilemail
   -  钉钉             com.laiwang.DingTalk
   -  钱包             com.apple.Passbook
   -  音乐             com.apple.Music
   -  高德地图           com.autonavi.amap

1.4 执行砸壳脚本

Run ./dump.py Display name or Bundle identifier

成功后就可以在frida-ios-dump中找到砸壳的包了！

二、Python版本问题

升级系统为MacOS11.4后就一直dump不出来了

➜  frida-ios-dump git:(master) ./dump.py -l
/Library/Python/2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
Traceback (most recent call last):
  File "./dump.py", line 20, in <module>
    import paramiko
  File "/Library/Python/2.7/site-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 129, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 190, in Transport
    if KexCurve25519.is_available():
  File "/Library/Python/2.7/site-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: dlopen(/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so, 2): Symbol not found: _DTLS_client_method
  Referenced from: /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
  Expected in: flat namespace
 in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable
Error in sys.exitfunc:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable

解决

前提是安装了Python3

切换用Python3环境

➜ frida-ios-dump git:(master) sudo pip3 install -r requirements.txt --upgrade