23. App decryption (dumping decrypted apps)

一、frida-ios-dump

1.1 Install frida on the computer

  • Clone the repository locally first

  • cd into the directory

  • Run sudo pip install -r requirements.txt --upgrade

1.2 Install frida on the phone

  • Add the source build.frida.re

  • Search for and install frida

    • The versions on both ends must match

1.3 Connect the phone to the computer and set up port forwarding

A few handy scripts are provided here for convenience:

  • sh iPhoneUSBProxy.sh

    • Sets up the port forwarding (22 → 2222)

    • 2222 is frida's default

    • 22 is the system default

  • sh iPhoneLocalLogin.sh (in a separate terminal tab)

Note that only one phone may be plugged into the computer. A lesson learned the hard way: one day the local login kept failing, I spent an hour searching everywhere with my head about to explode, then unplugged the phone to go to the bathroom. The moment I pulled the cable out the world lit up, and I realised I had two phones plugged in.

1.4 List the apps that can be dumped

Go into the cloned frida-ios-dump directory

./dump.py -l

➜  frida-ios-dump git:(master) ./dump.py -l
 PID  Name           Identifier
----  -------------  -----------------------------
5853  Cydia          com.saurik.Cydia
6661  人人视频           com.rrds.rrdianshi
6609  设置             com.apple.Preferences
   -  App Store      com.apple.AppStore
   -  Azizi          com.inke.yaamar
   -  DobbyDemo      cn.Ryukie.Sama.Loviary
   -  Elic           com.ryukie.sama.minesweeper
   -  FaceTime通话     com.apple.facetime
   -  Facebook       com.facebook.Facebook
   -  Google Maps    com.google.Maps
   -  LogiDemo       cn.Ryukie.Sama.LogiDemo
   -  Safari浏览器      com.apple.mobilesafari
   -  Shadowrocket   com.liguangming.Shadowrocket
   -  Substitute     com.ex.substitute.settings
   -  Twitter        com.atebits.Tweetie2
   -  Watch          com.apple.Bridge
   -  iTunes Store   com.apple.MobileStore
   -  unc0verSobani  com.ryukie.sama.Sobani
   -  信息             com.apple.MobileSMS
   -  健康             com.apple.Health
   -  图书             com.apple.iBooks
   -  地图             com.apple.Maps
   -  备忘录            com.apple.mobilenotes
   -  天气             com.apple.weather
   -  家庭             com.apple.Home
   -  微信             cn.Ryukie.Sama.Hanoi
   -  快捷指令           com.apple.shortcuts
   -  指南针            com.apple.compass
   -  提示             com.apple.tips
   -  提醒事项           com.apple.reminders
   -  播客             com.apple.podcasts
   -  文件             com.apple.DocumentsApp
   -  日历             com.apple.mobilecal
   -  时钟             com.apple.mobiletimer
   -  查找             com.apple.findmy
   -  梦见账本           com.ryukie.sama.ledger.Ledger
   -  测距仪            com.apple.measure
   -  照片             com.apple.mobileslideshow
   -  电话             com.apple.mobilephone
   -  百度地图           com.baidu.map
   -  相机             com.apple.camera
   -  股市             com.apple.stocks
   -  腾讯地图           com.tencent.sosomap
   -  视频             com.apple.tv
   -  计算器            com.apple.calculator
   -  语音备忘录          com.apple.VoiceMemos
   -  通讯录            com.apple.MobileAddressBook
   -  邮件             com.apple.mobilemail
   -  钉钉             com.laiwang.DingTalk
   -  钱包             com.apple.Passbook
   -  音乐             com.apple.Music
   -  高德地图           com.autonavi.amap

1.5 Run the dump script

Run ./dump.py <Display name or Bundle identifier>

On success you can find the decrypted package in frida-ios-dump!

二、Python version problem

After upgrading the system to macOS 11.4, dumping stopped working
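As an added example (not part of the original notes and not code from the frida-ios-dump project), here is a Python 3 check that the main executable of a dumped package is really decrypted. It parses the Mach-O load commands, finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reads cryptid (0 means the __TEXT segment is stored in the clear; a non-zero value means the FairPlay-encrypted original was dumped without decryption). It goes slightly beyond the page by also handling universal (fat) binaries with several architecture slices. The build_sample() and build_fat_sample() helpers construct fake minimal Mach-O blobs for offline testing; the Payload/<App>.app/<App> path in main() is a placeholder for wherever you extracted the IPA.

```python
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, little-endian on iOS
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE       # universal (fat) wrapper, big-endian fields
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def encryption_state(data, base=0):
    """Parse one thin Mach-O starting at `base` and return its
    LC_ENCRYPTION_INFO(_64) fields, or None if the command is absent.
    cryptid == 0 means the code is stored unencrypted."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no thin Mach-O header at offset %d (magic 0x%08x)" % (base, magic))
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "encrypted": cryptid != 0}
        off += cmdsize
    return None


def slice_offsets(data):
    """Return the file offsets of every thin Mach-O in `data`: one entry
    for a thin file, one per fat_arch entry for a universal file."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [0]
    (nfat_arch,) = struct.unpack_from(">I", data, 4)
    offsets = []
    for i in range(nfat_arch):
        _cputype, _cpusubtype, offset, _size, _align = struct.unpack_from(
            ">IIIII", data, 8 + 20 * i)
        offsets.append(offset)
    return offsets


def is_decrypted(data):
    """True only if every slice has no encryption command or cryptid == 0."""
    states = [encryption_state(data, off) for off in slice_offsets(data)]
    return all(s is None or not s["encrypted"] for s in states)


def build_sample(cryptid):
    """Constructed minimal arm64 Mach-O (not a real app binary) with a single
    LC_ENCRYPTION_INFO_64 command, used only for offline testing."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    # mach_header_64: magic, cputype (CPU_TYPE_ARM64), cpusubtype,
    # filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def build_fat_sample(cryptids):
    """Constructed fat wrapper holding one build_sample() slice per cryptid."""
    slices = [build_sample(c) for c in cryptids]
    fat = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = 8 + 20 * len(slices)
    for s in slices:
        fat += struct.pack(">IIIII", 0x0100000C, 0, offset, len(s), 0)
        offset += len(s)
    return fat + b"".join(slices)


if __name__ == "__main__":
    # Placeholder usage: python3 check_decrypted.py Payload/<App>.app/<App>
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    for off in slice_offsets(blob):
        print("slice @%d: %s" % (off, encryption_state(blob, off)))
    print("decrypted" if is_decrypted(blob) else "STILL ENCRYPTED")
```

Run it against the executable inside the IPA that dump.py produced; if any slice still reports cryptid 1, the dump did not replace the encrypted __TEXT with plaintext and the package is not usable for static analysis. The same check is useful from the other side, to confirm that a build you are about to ship really arrives encrypted from the App Store.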

➜  frida-ios-dump git:(master) ./dump.py -l
/Library/Python/2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
Traceback (most recent call last):
  File "./dump.py", line 20, in <module>
    import paramiko
  File "/Library/Python/2.7/site-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 129, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 190, in Transport
    if KexCurve25519.is_available():
  File "/Library/Python/2.7/site-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: dlopen(/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so, 2): Symbol not found: _DTLS_client_method
  Referenced from: /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
  Expected in: flat namespace
 in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable
Error in sys.exitfunc:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable

Solution

Prerequisite: Python 3 is installed

Switch to the Python 3 environment

➜ frida-ios-dump git:(master) sudo pip3 install -r requirements.txt --upgrade