
MASTG-TECH-0055: Launching a Repackaged App in Debug Mode

If you have repackaged an app with Frida Gadget, or if you want to attach lldb to the app, you must launch the app in debug mode. When you launch the app from SpringBoard it is not started in debug mode, and the app will crash.

After installing the app (see Installing Apps), you can launch it in debug mode with the following commands.

Note that the commands from the libimobiledevice suite refer to the latest version available on GitHub. If you installed them via brew or another package manager, you may have an older version with different command-line flags.

iOS 17 and later

First, make sure you know the correct Bundle Identifier. Depending on how you signed the app, the actual Bundle Identifier may differ from the original one. To get an overview of the installed apps, use the ideviceinstaller tool (see libimobiledevice suite):

$ ideviceinstaller list
CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName
sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1"
org.owasp.mastestapp.MASTestApp, "3.0.0", "Adyen3DS2Demo"
com.apple.TestFlight, "3.5.2", "TestFlight"

In this example, Sideloadly appended the team identifier (QH868V5764) to the original Bundle Identifier.

Next, we need the correct device identifier, which we can get with idevice_id (see libimobiledevice suite):

$ idevice_id
00008101-1234567890123456 (USB)
00008101-1234567890123456 (Network)

Now that we have the correct Bundle Identifier and device ID, we can launch the app with xcrun (see xcrun). The --start-stopped flag launches the process in a suspended state, which is why lldb later finds it stopped at _dyld_start before any app code has run:

xcrun devicectl device process launch --device 00008101-1234567890123456  --start-stopped sg.vp.UnCrackable1.QH868V5764
13:00:43  Enabling developer disk image services.
13:00:43  Acquired usage assertion.
Launched application with sg.vp.UnCrackable1.QH868V5764 bundle identifier.
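The three lookups above (installed Bundle Identifier, device UDID, launch with --start-stopped) are easy to get wrong by hand when the identifier was rewritten at signing time or the device shows up twice. The following script, added here as an illustration and not code from MASTG or the libimobiledevice project, wires them together. It assumes the CSV layout of `ideviceinstaller list` and the `idevice_id` output shown above (the GitHub version of the tools; packaged builds may print a different layout), the script name launch-debug.sh is arbitrary, and the sample listings embedded in it are constructed from that output rather than captured from a device.

```shell
#!/usr/bin/env bash
# Added example (illustration only, not code from MASTG or libimobiledevice).
# Resolves the installed Bundle Identifier and the USB device UDID and launches
# the app suspended with `xcrun devicectl ... --start-stopped`.
# Assumes the CSV layout of `ideviceinstaller list` and the `idevice_id` output
# shown on this page (GitHub version of the tools; older packaged builds may
# print a different layout). SAMPLE_* values are constructed, not captured.
set -eu

SAMPLE_APPS='CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName
sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1"
org.owasp.mastestapp.MASTestApp, "3.0.0", "Adyen3DS2Demo"
com.apple.TestFlight, "3.5.2", "TestFlight"'

SAMPLE_IDS='00008101-1234567890123456 (USB)
00008101-1234567890123456 (Network)'

# resolve_bundle_id <ideviceinstaller-list-output> <original-bundle-id>
# Prints the installed identifier that is either identical to the original or
# the original plus a ".<suffix>" (the Sideloadly team-ID case). Refuses to
# guess when zero or several rows match, so the wrong process is never started.
resolve_bundle_id() {
  local listing="$1" wanted="$2" matches count
  matches=$(printf '%s\n' "$listing" | tail -n +2 | cut -d, -f1 \
    | awk -v w="$wanted" '$0 == w || index($0, w ".") == 1')
  count=$(printf '%s\n' "$matches" | grep -c . || true)
  case "$count" in
    0) echo "no installed app matches $wanted" >&2; return 1 ;;
    1) printf '%s\n' "$matches" ;;
    *) echo "ambiguous match for $wanted:" >&2
       printf '%s\n' "$matches" >&2; return 1 ;;
  esac
}

# usb_udid <idevice_id-output>
# The same device is listed once per transport; take the USB row and ignore
# the duplicate Network row.
usb_udid() {
  printf '%s\n' "$1" | awk '$2 == "(USB)" { print $1; exit }'
}

# launch_command <udid> <bundle-id>
# The command to run: --start-stopped suspends the process right after exec,
# which is why lldb later finds it parked at _dyld_start.
launch_command() {
  printf 'xcrun devicectl device process launch --device %s --start-stopped %s\n' "$1" "$2"
}

# Dry run against the constructed samples (prints the command, runs nothing).
bundle=$(resolve_bundle_id "$SAMPLE_APPS" sg.vp.UnCrackable1)
udid=$(usb_udid "$SAMPLE_IDS")
launch_command "$udid" "$bundle"

# Live run: ./launch-debug.sh --launch sg.vp.UnCrackable1
if [ "${1:-}" = "--launch" ]; then
  bundle=$(resolve_bundle_id "$(ideviceinstaller list)" "${2:?original bundle id}")
  udid=$(usb_udid "$(idevice_id)")
  [ -n "$udid" ] || { echo "no device connected over USB" >&2; exit 1; }
  xcrun devicectl device process launch --device "$udid" --start-stopped "$bundle"
fi
```

Run it with no arguments to see the dry run against the embedded samples; `./launch-debug.sh --launch sg.vp.UnCrackable1` resolves both identifiers from the connected device and launches the app suspended, after which the lldb steps that follow apply unchanged. If both the original and a re-signed copy are installed, the script refuses to guess and lists the candidates instead of launching one of them.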

Finally, you can attach lldb with the following commands:

# Execute the lldb debugger
$ lldb
# Select the iOS device you want to interact with
(lldb) device select 00008101-1234567890123456

# Query the processes on a device.
(lldb) device process list
PID    PARENT USER       TRIPLE                         NAME
====== ====== ========== ============================== ============================
1      0                                                launchd
...
771    0                                                <anonymous>
774    0                                                <anonymous>
781    0                                                ReportCrash
783    0                                                UnCrackable Level 1

# Attach to a specific process by their process ID
(lldb) device process attach --pid 783
Process 783 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0x0000000104312920 dyld`_dyld_start
dyld`_dyld_start:
->  0x104312920 <+0>:  mov    x0, sp
    0x104312924 <+4>:  and    sp, x0, #0xfffffffffffffff0
    0x104312928 <+8>:  mov    x29, #0x0 ; =0
    0x10431292c <+12>: mov    x30, #0x0 ; =0
Target 0: (UnCrackable Level 1) stopped.

# Continue execution of all threads in the current process.
(lldb) c
Process 783 resuming
(lldb)

For more information on debugging iOS apps, see Debugging.

If your app was repackaged with Frida Gadget, the app will wait for you to attach to it before continuing its launch.

$ frida-ps -Ua
PID  Name           Identifier
---  -------------  -------------------------------
389  Calendar       com.apple.mobilecal
783  Gadget         re.frida.Gadget
336  TestFlight     com.apple.TestFlight
783  UnCrackable1   sg.vp.UnCrackable1.QH868V5764
339  Weather        com.apple.weather

In a new terminal window, connect to the Frida Gadget:

$ frida -U -n Gadget
     ____
    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=00008101-000628803A69001E)

[iPhone::Gadget ]-> ObjC.available
true

Once attached, the app continues executing as normal.

iOS 16 and earlier

On older iOS versions, you can launch the app in debug mode with idevicedebug (see libimobiledevice suite) or with ios-deploy.

Using idevicedebug

# Get the package name
$ ideviceinstaller list
CFBundleIdentifier, CFBundleShortVersionString, CFBundleDisplayName
sg.vp.UnCrackable1.QH868V5764, "1.0", "UnCrackable1"
com.apple.TestFlight, "3.7.0", "TestFlight"
com.google.Maps, "24.50.0", "Google Maps"

# Run in debug mode
$ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764
working_directory: /private/var/mobile/Containers/Data/Application/438DE865-2714-4BD9-B1EE-881AD4E54AD1

Setting logging bitmask...
Setting maximum packet size...
Setting working directory...
Setting argv...
app_argv[0] = /private/var/containers/Bundle/Application/E21B5B13-DD85-4C83-9A0E-03FCEBF95CF5/UnCrackable Level 1.app/UnCrackable Level 1
Checking if launch succeeded...
Setting thread...
Continue running process...

Using ios-deploy

To use ios-deploy, you first have to unzip the IPA file:

$ unzip Uncrackable1-frida-codesigned.ipa -d unzipped

Next, run ios-deploy with the path to the .app folder inside the unzipped IPA:

$ ios-deploy --bundle 'unzipped/Payload/UnCrackable Level 1.app' -W -d -v
[....] Waiting for iOS device to be connected
Handling device type: 1
Already found device? 0
Hardware Model: D211AP
Device Name: NVISO’s iPhone JBE
Model Name: iPhone 8 Plus
SDK Name: iphoneos
Architecture Name: arm64
Product Version: 16.6.1
Build Version: 20G81
[....] Using 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. '**NVISO**’s iPhone JBE'.
------ Install phase ------
[  0%] Found 593ad60af30ad045b9cb99d2901031226c1b8c84 (D211AP, iPhone 8 Plus, iphoneos, arm64, 16.6.1, 20G81) a.k.a. 'NVISO’s iPhone JBE' connected through USB, beginning install
[  5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/ to device
[  5%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device
[  6%] Copying /Users/MAS/unzipped/Payload/UnCrackable Level 1.app/META-INF/com.apple.ZipMetadata.plist to device
...

Attaching Frida

If your app was repackaged with Frida Gadget, the app will wait for you to attach to it before continuing its launch.

In a new terminal window, connect to the Frida Gadget, just as in the iOS 17 scenario:

$ frida-ps -Ua
PID  Name           Identifier
---  -------------  -----------------------------
...
468  Gadget         re.frida.Gadget
...
468  UnCrackable1   sg.vp.UnCrackable1.QH868V5764


$ frida -U -n Gadget
     ____
    / _  |   Frida 16.5.9 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iPhone (id=593ad60af30ad045b9cb99d2901031226c1b8c84)
[iPhone::Gadget ]-> ObjC.available
true
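Both the iOS 17 section and the iOS 16 section above end with the same manual step: poll `frida-ps -Ua` until the Gadget row appears, then attach so the app can continue its launch. The following script, added here as an illustration and not code from MASTG or Frida, automates that wait with a timeout. It assumes frida-tools on the host and the `frida-ps` column layout shown above; the script name attach-gadget.sh is arbitrary, and the embedded process listing is constructed from that layout rather than captured from a device.

```shell
#!/usr/bin/env bash
# Added example (illustration only, not code from MASTG or Frida).
# Waits for the Frida Gadget to show up in `frida-ps -Ua`, then attaches to it.
# Assumes frida-tools on the host and the frida-ps column layout shown on this
# page. SAMPLE_PS is constructed from that layout, not captured from a device.
set -eu

SAMPLE_PS='PID  Name           Identifier
---  -------------  -------------------------------
389  Calendar       com.apple.mobilecal
783  Gadget         re.frida.Gadget
336  TestFlight     com.apple.TestFlight
783  UnCrackable1   sg.vp.UnCrackable1.QH868V5764
339  Weather        com.apple.weather'

# gadget_pid <frida-ps output>
# The Gadget row and the app row share a PID; select on the Identifier column
# (last field) rather than on the name, which an app could reuse. Prints
# nothing when no Gadget is running.
gadget_pid() {
  printf '%s\n' "$1" | awk '$NF == "re.frida.Gadget" { print $1; exit }'
}

# wait_for_gadget [timeout-seconds]
# A repackaged app blocks at launch until something attaches, so poll until the
# Gadget is listed and print its PID; fail after the timeout instead of hanging.
wait_for_gadget() {
  local timeout="${1:-30}" deadline pid
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    pid=$(gadget_pid "$(frida-ps -Ua 2>/dev/null || true)")
    if [ -n "$pid" ]; then
      printf '%s\n' "$pid"
      return 0
    fi
    sleep 1
  done
  echo "Frida Gadget did not appear within ${timeout}s" >&2
  return 1
}

# Live run: ./attach-gadget.sh --attach [timeout-seconds]
if [ "${1:-}" = "--attach" ]; then
  pid=$(wait_for_gadget "${2:-30}")
  exec frida -U -p "$pid"
fi
```

`./attach-gadget.sh --attach 60` blocks for up to 60 seconds and then runs `frida -U -p <pid>` against the Gadget's PID, which attaches just as `frida -U -n Gadget` does above and lets the app continue its launch. Attaching by PID rather than by the name `Gadget` matters when more than one repackaged app is installed, since `gadget_pid` can be pointed at whichever Identifier row you want by changing the match.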