Defeating any jailbreak check: dumping apps with the LLDB-debugger version of the decryption tool

Scenario

One day the project manager threw me an app and asked me to test it. It turned out the app does jailbreak detection: on a jailbroken phone it calls exit(0) as soon as it launches, so the currently most popular Frida-based dynamic dumping approach does not work. I did eventually dump it with the static tool Clutch, but Clutch has been broken by compatibility problems since iOS 11.1 and only runs on jailbroken iOS 10 devices. So what do you do on an unlucky day when you meet an app that only supports iOS 12 and above and also does jailbreak detection?
After some searching I finally found the legendary LLDB-based dumping tool.

Supported versions

As tested so far, it works on iOS 12 and later devices; it does not work on iOS 10. I have no iOS 11 device at hand, so I could not test that.

Usage

First install issh and xia0LLDB: clone them from GitHub, then run install.sh:

➜  ~ git clone https://github.com/4ch12dy/issh.git
➜  ~ git clone https://github.com/4ch12dy/xia0LLDB.git

Then install usbmuxd:

➜  ~ brew install usbmuxd

Set up port forwarding on the command line:

➜  ~ iproxy 1234 1234
➜  ~ iproxy 2222 22

On the jailbroken phone, find the path of the executable to dump, for example:

/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket

Run the command:

➜  ~ issh debug -x backboard /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
----- output follows -----
[*]:iproxy install. lets go
[*]:iproxy process for 2222 port alive, pid=7699
[*]:scp id_rsa.pub to connect iDevice [1/2]
root@localhost's password:
[*]:add id_rsa.pub to authorized_keys [2/2]
root@localhost's password:
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:iOSRE dir not exist
[*]:Run mkdir -p /iOSRE/tmp;mkdir -p /iOSRE/dylib;mkdir -p /iOSRE/deb;mkdir -p /iOSRE/tools
[*]:iproxy process for 1234 port alive, pid=7742
[*]:Run ps -e | grep debugserver | grep -v grep; [[ 0 == 0 ]] && (killall -9 debugserver 2> /dev/null)
sh: line 1:  3215 Done                    ps -e
      3216 Broken pipe: 13         | grep debugserver
      3217 Killed: 9               | grep -v grep
[*]:kill app because debug with -x backboard
[*]:Run ps -e | grep /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket | grep -v grep; [[ 0 == 0 ]] && (killall -9 Shadowrocket 2> /dev/null)
[*]:/iOSRE/tools/debugserver file not exist
[*]:Run cat > /iOSRE/tmp/ent.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.diagnosticd.diagnostic</key>
    <true/>
    <key>com.apple.frontboard.debugapplications</key>
    <true/>
    <key>com.apple.frontboard.launchapplications</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>com.apple.system-task-ports</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
[*]:Run cp /Developer/usr/bin/debugserver /iOSRE/tmp/;            cd /iOSRE/tmp;ldid -Sent.xml /iOSRE/tmp/debugserver;            chmod +x  /iOSRE/tmp/debugserver;            cp /iOSRE/tmp/debugserver /iOSRE/tools/;
[*]:Run /iOSRE/tools/debugserver 127.0.0.1:1234 -x backboard /var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket

Open a new terminal window, launch lldb and run the dump command:

➜  ~ lldb
(lldb) dumpdecrypted -X
----- output follows -----
[*] set breakpoint at CFBundleGetMainBundle
[*] will continue process and dump
[*] start execute dumpdecrypted
[*] delete all breakpoints
[*] now is image: 0,/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
[*] start dump [0] image:/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket
[+] fix main addr:0x10019a4f0
[+] Dumping Shadowrocket
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000fcc08(from 0x1000fc000) = c08
[+] Found encrypted data at address 00004000 of length 2932736 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/7B8641C3-1C26-493D-8065-CF7259087190/Shadowrocket.app/Shadowrocket for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 3293184 in the file
[+] Opening /var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 324c08
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted


[-] image info is null, skip image #




[*] Developed By xia0@2019

As you can see, the dumped file is written to:

/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted

Use the issh command to copy the dumped file to your computer (you can of course use scp yourself):

➜  ~ issh scp /var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted ~/Desktop
[*]:iproxy install. lets go
[*]:iproxy process for 2222 port alive, pid=7699
[*]:++++++++++++++++++ Nice to Work :) +++++++++++++++++++++
[*]:/var/mobile/Containers/Data/Application/6B12BDA5-C128-4E09-B016-BA3CF6667521/Documents/Shadowrocket.decrypted is remote file, so cp it from device
Shadowrocket.decrypted
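Once the file is on your Mac it is worth confirming that it really is decrypted before loading it into a disassembler: the dump log above shows the two checks that matter, picking the right architecture slice of a FAT file and reading LC_ENCRYPTION_INFO->cryptid. The script below is an added example, not code from the original post or from xia0LLDB; it parses the Mach-O headers directly, and build_sample() constructs a minimal test image (using the cryptoff/cryptsize values from the log, not a real app) so it runs offline.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
LC_UUID, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1B, 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C

def arm64_slice_offset(blob):
    """File offset of the arm64 slice in a FAT file (big-endian headers); 0 for a thin file."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return 0
    nfat = struct.unpack_from(">I", blob, 4)[0]
    for i in range(nfat):
        cputype, _, offset, _, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if cputype == CPU_TYPE_ARM64:
            return offset
    raise ValueError("no arm64 slice in FAT file")

def encryption_info(blob, base=0):
    """Walk the load commands of the 64-bit Mach-O at `base`; return
    (cryptoff, cryptsize, cryptid, file offset of the cryptid field) or None."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", blob, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    pos = base + 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", blob, pos + 8)
            return cryptoff, cryptsize, cryptid, pos + 16
        pos += cmdsize
    return None

def is_still_encrypted(blob):
    """True when the arm64 image still has cryptid != 0, i.e. the dump did not complete."""
    info = encryption_info(blob, arm64_slice_offset(blob))
    return info is not None and info[2] != 0

def build_sample(cryptid, fat=False):
    """Constructed test image (not a real app): mach_header_64 + LC_UUID +
    LC_ENCRYPTION_INFO_64 using the cryptoff/cryptsize printed in the dump log."""
    uuid_cmd = struct.pack("<2I16s", LC_UUID, 24, b"\x00" * 16)
    enc_cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 2932736, cryptid, 0)
    thin = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, 48, 0, 0) + uuid_cmd + enc_cmd
    if not fat:
        return thin
    # FAT wrapper: dummy armv7 (cputype 12) slice at 0x1000, arm64 slice at 0x2000
    hdr = struct.pack(">2I", FAT_MAGIC, 2) + struct.pack(">5I", 12, 0, 0x1000, 16, 12)
    hdr += struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x2000, len(thin), 14)
    return hdr.ljust(0x2000, b"\x00") + thin
```

On a real dump, call is_still_encrypted(open("Shadowrocket.decrypted", "rb").read()); a result of True means the tool skipped the image and the file is not usable as-is.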

Reposted from blog.csdn.net/youshaoduo/article/details/104988986