SoFunction
Updated on 2025-04-12

Unveil the mystery of iOS reverse decryption

Preface

Learning and understanding reverse engineering helps us analyze the architecture and general implementation ideas of competitors' apps and of apps we like, and it also lets us modify other apps by hand to meet our own needs. I have been learning iOS reverse engineering for a while. Here is a brief summary to unveil the mystery of iOS reverse engineering.

Remote login to iPhone by Mac

iOS and Mac OS X are both based on Darwin (Apple's open source, Unix-derived system kernel), so iOS also supports terminal command-line operation.

In reverse engineering we often operate the iPhone through the command line. For commands typed in the Mac terminal to run on the iPhone, the Mac and the iPhone must be connected. There are two ways to connect: over Wi-Fi and over USB.

  • First install the SSH plugin OpenSSH from the jailbreak package manager, along with Cycript, the plugin that interacts with applications from the command line.
  • Put the jailbroken phone and the Mac on the same LAN, so that the Mac can reach the phone through the SSH service.
  • Log in to the phone from the Mac terminal with ssh root@<phone IP>. The default root password is alpine; it can be changed.
  • Then run the target program on the phone and use ps -A in that terminal to view the phone's running processes. Once you have found the process, you can use Cycript to perform a series of operations. For example, to attach Cycript to the running WeChat process: cycript -p WeChat

A Wi-Fi connection sometimes lags or drops, so I usually use the USB connection.

There is a service program on the Mac called usbmuxd (it starts automatically at boot) that can forward data from the Mac to the iPhone over USB.
I use two commands to log in:

  • python ~/iOS/ -t 22:10010 sets up the port mapping (local port 10010 forwards to the phone's SSH port 22)
  • ssh -p 10010 root@localhost logs in over USB

Use of Cycript

Cycript is a mixture of Objective-C++, ES6 (JavaScript), Java and other syntaxes that can be used to explore, modify, and debug running Mac/iOS apps. Official website:

For example, some simple uses:

// attach to the WeChat process
cycript -p WeChat
// get the sandbox path
NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,NSUserDomainMask,YES)[0]
// print the view hierarchy of the current page
view().toString()

It is mainly used together with Reveal: pick an interface or view in Reveal, find the class or controller it belongs to, and then debug it with Cycript. For example, if you know that the class of a view is testView and you want to remove that view from the current interface so it is no longer displayed:

[testView removeFromSuperview];

Code Hook Analysis

If you want to reverse a particular feature of an app, code analysis is indispensable.

1. Once the analysis above has identified the class behind a view, export that class's header file for detailed analysis.

2. First find the app's binary file (Mach-O type) and copy it to the Mac with iFunBox, then use the class-dump tool to export all of its header files; the properties and methods can be seen in these headers:
class-dump -H <Mach-O file path> -o <header output directory>

3. To view the complete information of a Mach-O file, MachOView is recommended. otool -l prints all Load Commands (pipe the output through grep to filter it), and otool -L shows the libraries the binary links against.

4. After analyzing the header files, use theos to write the hook code and compile it into a Tweak plug-in (deb format).

  • Run theos's project-creation command, select iphone/tweak and create a tweak project.
  • Edit the files in this tweak project and write your own jailbreak code.
  • When development is complete, run make package to build the package and make install to install it on the phone. Restart the application and you will find that the corresponding function now behaves as the hook code dictates.
  • Principle: a jailbroken iOS device installs a dynamic library called MobileSubstrate by default. It provides a system-level injection channel that all tweaks build on. When the target program starts, the third-party dynamic libraries in a designated directory are loaded according to its rules; those libraries are the tweaks we wrote, which is how the in-memory code logic gets modified.

5. When you need to see the implementation and calling logic of a method in a particular class, use the Hopper Disassembler tool.

Common syntax of theos

  • %hook, %end: mark the beginning and end of a hooked class
  • %log: print the details of a method call
  • HBDebugLog: similar to NSLog
  • %new: used when adding a new method
  • %orig: the original logic of the hooked method
  • %ctor: called when the dynamic library is loaded
  • : quickly converts a header file into an .xm file that already contains logging statements
  • If there are additional resource files (such as images), put them in the project's layout folder, which maps to the phone's root path /

Shell removal (decrypting the binary)

On a jailbroken phone, some applications downloaded directly from PP Assistant are already decrypted, which saves us the shell-removal step. Applications downloaded from the App Store, however, are encrypted by the App Store, so class-dump cannot export their header files. That is when the app's shell has to be removed.

There are two shell-removal tools, Clutch and dumpdecrypted.

Clutch:

  • After logging in to the iPhone from the Mac terminal, use Clutch to remove the shell.
  • Clutch -i lists the encrypted applications among those installed on the phone.
  • Clutch -d <application bundle id> decrypts the encrypted application. After the shell is removed successfully, a new Mach-O file is produced; run class-dump on this new file.
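As an added example (not code from the original article or from Clutch), the following Python script reads the same facts that Clutch -i and otool -l / otool -L report: it walks the load commands of a Mach-O header, reads the cryptid from LC_ENCRYPTION_INFO_64 and collects the LC_LOAD_DYLIB paths. The Mach-O bytes it parses are a minimal constructed sample, not a real app; on the defensive side the same check confirms that a shipped binary is still FairPlay-encrypted and links only the libraries you expect.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0C               # what "otool -L" lists
LC_ENCRYPTION_INFO_64 = 0x2C       # cryptid != 0 means FairPlay-encrypted

def parse_load_commands(data):
    """Walk the load commands of a thin 64-bit Mach-O image.
    Returns (cryptid or None, [linked dylib paths])."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O (fat binaries need slicing first)")
    cryptid, dylibs = None, []
    off, end = 32, 32 + sizeofcmds          # the mach_header_64 is 32 bytes
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed cmdsize")  # never trust sizes from an untrusted file
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # offset of the path string
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            dylibs.append(name.decode())
        off += cmdsize
    return cryptid, dylibs

def encryption_state(data):
    """Human-readable verdict: the same information "Clutch -i" derives."""
    cryptid, _ = parse_load_commands(data)
    if cryptid is None:
        return "no LC_ENCRYPTION_INFO_64: not an App Store build"
    return "decrypted (cryptid 0): class-dump can read it" if cryptid == 0 \
        else f"FairPlay-encrypted (cryptid {cryptid}): class-dump would see garbage"

# --- constructed sample image, not a real app binary ---
def _load_dylib_cmd(path):
    body = path.encode() + b"\0"
    body += b"\0" * (-len(body) % 8)        # load commands are 8-byte aligned
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(body), 24, 2, 0x10000, 0x10000) + body

def build_sample(cryptid):
    cmds = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds += _load_dylib_cmd("/System/Library/Frameworks/UIKit.framework/UIKit")
    cmds += _load_dylib_cmd("/usr/lib/libSystem.B.dylib")
    # magic, cputype ARM64 (0x0100000C), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0) + cmds
```

To inspect a real binary, pass the bytes of the file to encryption_state; fat (multi-architecture) files must first be sliced, for example with lipo -thin.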

Sometimes Clutch fails to remove the shell; for example, an error occurs when decrypting WeChat. In that case use dumpdecrypted:

  • In the terminal, change to the directory where dumpdecrypted is located, var/root.
  • Use the environment variable DYLD_INSERT_LIBRARIES to inject the dylib into the executable that needs decrypting (the executable's path can be found with ps -A).
  • Run DYLD_INSERT_LIBRARIES=<path to the dylib> <executable file path> to complete the shell removal.

Conclusion

Once you understand the reverse-engineering process above, you can implement some interesting functions, such as removing ads from video clients, modifying the WeChat step count, preventing WeChat messages from being recalled, and having WeChat grab red envelopes automatically. At the same time, we will pay more attention to information security when developing our own clients. When studying reverse engineering, you must be good at using the various tools and be prepared for repeated failure. You will grow bolder with each setback and eventually succeed.

That is the entire content of this article. I hope it has some reference value for everyone's study or work. If you have any questions, leave a message and let's discuss. Thank you for your support.