Packing
A special algorithm transforms the encoding of an executable (for example by compressing or encrypting it) in order to protect the program's code.
The encrypted executable is embedded in a shell (stub) program; the shell is loaded into memory and decrypts the embedded executable, and only then can the program run.
Unpacking
Static unpacking
Run the decryption algorithm directly, without executing the program.
Dynamic unpacking
Let the shell decrypt the executable in memory, then dump the decrypted executable out of memory.
Unpacking tools
Clutch
dumpdecrypted
class-dump
Checking whether a binary is encrypted
(Load Commands -> LC_ENCRYPTION_INFO_64/LC_ENCRYPTION_INFO -> Crypt ID) != 0
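The check above can be automated. The Python below is an added example (not part of the original notes and not taken from Clutch or dumpdecrypted): it parses the Mach-O header, walks the load commands, reads cryptid from LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, and also handles FAT files with several architecture slices, so it generalizes the single-slice check in the notes. The sample images it builds are constructed for the demonstration and are not real apps; the constants come from <mach-o/loader.h>.

```python
import struct

# Magic values and load-command ids from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF          # little-endian images
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE          # byte-swapped (big-endian) images
FAT_MAGIC = 0xCAFEBABE                                  # FAT header, always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_UUID = 0x1B


def _slices(data):
    """Yield (offset, size) of each Mach-O image in the file; a FAT file has several."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            _cputype, _cpusub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(data)


def encryption_info(data):
    """Walk the load commands of every slice and return one dict per slice:
    {'cputype', 'cryptid', 'cryptoff', 'cryptsize'}.  cryptid is None when the slice
    carries no LC_ENCRYPTION_INFO(_64) at all (e.g. a binary that was never FairPlay-encrypted)."""
    results = []
    for off, size in _slices(data):
        img = data[off:off + size]
        magic = struct.unpack("<I", img[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            endian = "<"
        elif magic in (MH_CIGAM, MH_CIGAM_64):
            endian = ">"
        else:
            raise ValueError("not a Mach-O image at offset %#x" % off)
        is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
        hdr_fmt = endian + ("8I" if is64 else "7I")     # mach_header_64 has an extra 'reserved' field
        hdr_len = struct.calcsize(hdr_fmt)
        hdr = struct.unpack(hdr_fmt, img[:hdr_len])
        cputype, ncmds, sizeofcmds = hdr[1], hdr[4], hdr[5]
        info = {"cputype": cputype, "cryptid": None, "cryptoff": None, "cryptsize": None}
        pos, end = hdr_len, hdr_len + sizeofcmds
        for _ in range(ncmds):
            if pos + 8 > end:
                raise ValueError("load commands run past sizeofcmds")
            cmd, cmdsize = struct.unpack(endian + "2I", img[pos:pos + 8])
            if cmdsize < 8 or pos + cmdsize > end:
                raise ValueError("malformed load command at %#x" % pos)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in the _64 form)
                cryptoff, cryptsize, cryptid = struct.unpack(endian + "3I", img[pos + 8:pos + 20])
                info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
            pos += cmdsize
        results.append(info)
    return results


def is_encrypted(data):
    """True if any slice has a non-zero cryptid, i.e. its code is still encrypted."""
    return any(i["cryptid"] not in (None, 0) for i in encryption_info(data))


def build_sample(cryptid, is64=True):
    """CONSTRUCTED test image: a bare Mach-O header with an LC_UUID and an encryption-info
    command.  It is not a loadable binary; only the header/load-command layout is realistic."""
    lc_uuid = struct.pack("<2I", LC_UUID, 24) + bytes(16)
    if is64:
        enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        # CPU_TYPE_ARM64, MH_EXECUTE, 2 load commands
        header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(lc_uuid) + len(enc), 0, 0)
    else:
        enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        # CPU_TYPE_ARM, MH_EXECUTE, 2 load commands
        header = struct.pack("<7I", MH_MAGIC, 0x0000000C, 9, 2, 2, len(lc_uuid) + len(enc), 0)
    return header + lc_uuid + enc


def build_fat(images):
    """CONSTRUCTED FAT wrapper around several images (cputype copied from each header)."""
    table_end = 8 + 20 * len(images)
    archs, body = b"", b""
    for img in images:
        cputype = struct.unpack("<I", img[4:8])[0]
        archs += struct.pack(">5I", cputype, 0, table_end + len(body), len(img), 0)
        body += img
    return struct.pack(">2I", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    # To check a real binary: is_encrypted(open("/path/to/App.app/App", "rb").read())
    for label, blob in (("arm64, cryptid=1", build_sample(1)), ("armv7, cryptid=0", build_sample(0, is64=False))):
        print(label, encryption_info(blob), "encrypted:", is_encrypted(blob))
```

For a real app, pass the bytes of the main executable inside the .app bundle; a cryptid of 0 on every slice means the file has already been decrypted (or dumped), so class-dump can work on it. The bounds checks on cmdsize and sizeofcmds matter because a crafted or truncated file should fail loudly rather than be misreported as "not encrypted".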
SSL (Secure Socket Layer)
https://www.websecurity.digicert.com/security-topics/what-is-ssl-tls-https
A security protocol that provides confidentiality and data integrity for network communication; it encrypts the network connection at the transport layer.
/etc/ssl
OpenSSL
The open-source implementation of SSL
The vast majority of HTTPS requests are equivalent to: HTTP + OpenSSL
TLS
https://www.websecurity.digicert.com/security-topics/what-is-ssl-tls-https
TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term.
SSH
/etc/ssh/ssh_config
/etc/ssh/sshd_config
vim $HOME/.ssh/config
Host 5s
    HostName 192.168.3.62
    HostKeyAlgorithms=+ssh-dss
ssh root@5s
Communication process
- Establishing the secure connection: the server sends its public key to the client, and the client saves it (so later connections can be verified) in .ssh/known_hosts
- Client authentication: by private key (the server stores the client's public key) or by password
- Data transfer
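The known_hosts step above is what protects later connections against a server that presents a different key. The Python below is an added example (not part of the original notes, not OpenSSH's own code): it parses known_hosts entries in the plain, comma-separated and hashed (|1|salt|hmac) forms plus @revoked markers, compares the key a server presents with the pinned one, and prints the OpenSSH-style SHA256 fingerprint. The key blobs are constructed byte patterns, not real keys; 192.168.3.62 is the host from the ssh config above, the other hostnames are made up.

```python
import base64
import hashlib
import hmac
import os


def ed25519_blob(pubkey32):
    """Wire encoding of an ssh-ed25519 public key: string "ssh-ed25519" then the 32-byte key."""
    t = b"ssh-ed25519"
    return len(t).to_bytes(4, "big") + t + len(pubkey32).to_bytes(4, "big") + pubkey32


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")


def hash_hostname(host, salt=None):
    """Hashed host field as written with HashKnownHosts yes: |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(field, host):
    """True if a known_hosts host field (plain, comma-separated list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return host in field.split(",")


def parse_known_hosts(text):
    """Split known_hosts into entries: optional @marker, host field, key type, decoded key blob."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):          # @cert-authority / @revoked
            marker, parts = parts[0], parts[1:]
        hosts, keytype, key_b64 = parts[:3]   # anything after the key is a comment
        entries.append({"marker": marker, "hosts": hosts, "type": keytype, "blob": base64.b64decode(key_b64)})
    return entries


def check_host_key(known_hosts_text, host, keytype, presented_blob):
    """Compare the key a server presents with what known_hosts pins for that host:
    'ok' (pinned key matches), 'revoked' (matches an @revoked entry), 'mismatch' (host is
    known under this key type but the key differs: the warning case) or 'unknown' (first contact)."""
    seen = False
    for e in parse_known_hosts(known_hosts_text):
        if not host_matches(e["hosts"], host) or e["type"] != keytype:
            continue
        same = hmac.compare_digest(e["blob"], presented_blob)
        if e["marker"] == "@revoked":
            if same:
                return "revoked"
            continue
        if e["marker"] == "@cert-authority":
            continue                           # certificate checking is out of scope here
        seen = True
        if same:
            return "ok"
    return "mismatch" if seen else "unknown"


def _b64(b):
    return base64.b64encode(b).decode()


# CONSTRUCTED sample data: deterministic byte patterns standing in for real keys.
GOOD_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    "192.168.3.62 ssh-ed25519 " + _b64(GOOD_KEY) + " iphone-5s",
    hash_hostname("build.example", b"s" * 20) + " ssh-ed25519 " + _b64(GOOD_KEY),
    "@revoked 192.168.3.62 ssh-ed25519 " + _b64(ROGUE_KEY),
])

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint(GOOD_KEY))
    for key, label in ((GOOD_KEY, "pinned key"), (ROGUE_KEY, "revoked key"), (ed25519_blob(bytes(32)), "other key")):
        print(label, "->", check_host_key(KNOWN_HOSTS, "192.168.3.62", "ssh-ed25519", key))
```

The 'mismatch' result is the case that matters in practice: it is the condition behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, and the right response is to compare the fingerprint out of band (for a jailbroken device, by reading /etc/ssh/ssh_host_*_key.pub on the device itself) rather than to delete the known_hosts line.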
OpenSSH
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
OpenSSH's encryption is implemented through OpenSSL.
Monitors
In the field of iOS reverse engineering, tools used for sniffing, monitoring and recording targets' behaviors can all be classed as monitors. These tools generally record and display certain operations performed by the target programs, such as UI changes, network activities and file accesses. Reveal, snoop-it, introspy, etc., are frequently used monitors.
Disassemblers
After approaching the code from the UI, we have to use a disassembler to sort out the code. Disassemblers take binaries as input and output assembly code after processing the files. IDA and Hopper are the two major disassemblers in iOS reverse engineering.
Debuggers
iOS developers should be familiar with debuggers because we often need to debug our own code in Xcode. We can set a breakpoint on a line of code so that process will stop at that line and display the current status of the process in real time. We constantly use LLDB for debugging during both App development and reverse engineering.
DevelopmentKit
After finishing all the above steps, we have the results of the analysis and can start coding. For App developers, Xcode is the most frequently used development tool. However, if we move the battlefield from the App Store to jailbroken iOS, our development kit expands: not only is there the Xcode-based iOSOpenDev, but also the command-line-based Theos.
References
- iproxy
# install iproxy
brew install libimobiledevice
# map local port 2222 to port 22 on the device (over USB)
iproxy 2222 22
# ssh to 2222
ssh root@localhost -p 2222
or
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.usbmux.iproxy</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/iproxy</string>
        <string>10010</string>
        <string>22</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
# You now don't have to run the iproxy binary every time you want to SSH over USB, as the iproxy software is always running in the background.
launchctl load ~/Library/LaunchAgents/com.usbmux.iproxy.plist
- tcprelay.py
./tcprelay.py -t 22:2222