Tag: ios

  • Protected: IDA Pro 9 Debug iOS Using Remote-iOS Debugger

    This content is password protected.

  • Protected: A Quick Note on the 352 Humidifier App Protocol Analysis

    This content is password protected.

  • Install DebugServer for iOS

    Extract debugserver from the DeveloperDiskImage shipped with Xcode and thin it to arm64:

    $ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/
    
    ...
    
    $ hdiutil mount /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/15.5/DeveloperDiskImage.dmg
    正在检查“Whole_Disk”的校验和…
    ..................................................................................................................................................................................................................................................
                              Whole_Disk:已验证CRC32 $D034FA6C
    已验证CRC32 $8E250F8D
    /dev/disk4          	                               	/Volumes/DeveloperDiskImage
    
    $ cp /Volumes/DeveloperDiskImage/usr/bin/debugserver . 
    $ hdiutil unmount /Volumes/DeveloperDiskImage
    "/Volumes/DeveloperDiskImage" unmounted successfully.
    
    $ file debugserver 
    debugserver: Mach-O universal binary with 2 architectures: [arm64:Mach-O 64-bit executable arm64] [arm64e:Mach-O 64-bit executable arm64e]
    debugserver (for architecture arm64):	Mach-O 64-bit executable arm64
    debugserver (for architecture arm64e):	Mach-O 64-bit executable arm64e
    
    $ xcrun -sdk iphoneos lipo -thin arm64  debugserver -output debugserver_arm64
    

    Entitlements

    View the entitlements of the extracted binary:

    codesign -d -v --entitlements - --xml debugserver_arm64 
    Executable=/Users/sskaje/Work/hiksemi/debugserver_arm64
    Identifier=com.apple.debugserver
    Format=Mach-O thin (arm64)
    CodeDirectory v=20400 size=5134 flags=0x2(adhoc) hashes=150+7 location=embedded
    Signature=adhoc
    Info.plist entries=5
    TeamIdentifier=not set
    Sealed Resources=none
    Internal requirements count=0 size=12
    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>seatbelt-profiles</key><array><string>debugserver</string></array><key>com.apple.private.cs.debugger</key><true/><key>com.apple.private.memorystatus</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.private.logging.diagnostic</key><true/><key>com.apple.backboardd.debugapplications</key><true/><key>com.apple.frontboard.debugapplications</key><true/><key>com.apple.backboardd.launchapplications</key><true/><key>com.apple.frontboard.launchapplications</key><true/><key>com.apple.springboard.debugapplications</key><true/></dict></plist>

    ent.xml (the replacement entitlements: the stock set without seatbelt-profiles, plus the three debugging entitlements at the end):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>com.apple.private.cs.debugger</key><true/>
    	<key>com.apple.private.memorystatus</key><true/>
    	<key>com.apple.security.network.client</key><true/>
    	<key>com.apple.security.network.server</key><true/>
    	<key>com.apple.private.logging.diagnostic</key><true/>
    	<key>com.apple.backboardd.debugapplications</key><true/>
    	<key>com.apple.frontboard.debugapplications</key><true/>
    	<key>com.apple.backboardd.launchapplications</key><true/>
    	<key>com.apple.frontboard.launchapplications</key><true/>
    	<key>com.apple.springboard.debugapplications</key><true/>
    
    	<key>run-unsigned-code</key> <true/>
    	<key>get-task-allow</key> <true/>
    	<key>task_for_pid-allow</key> <true/>
    
    </dict>
    </plist>
    

    The stock debugserver carries a seatbelt-profiles entitlement:

    	<key>seatbelt-profiles</key>
    	<array>
    	<string>debugserver</string>
    	</array>

    That sandbox profile is what makes the standalone binary fail to accept the remote connection:

    iPhone:~ root# debugserver 192.168.11.40:12345 -waitfor HiStor 
    debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1316.2.4.18
     for arm64.
    Waiting to attach to process HiStor...
    Listening to port 12345 for a connection from 192.168.11.40...
    Failed to get connection from a remote gdb process.
    Exiting.
    

    Replace the entitlements and re-sign ad hoc:

    codesign -s - --entitlements ent.xml -f debugserver_arm64 
    debugserver_arm64: replacing existing signature
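    As an added example (not code from the original post), this Python script builds ent.xml from the dumped entitlements instead of editing them by hand: it drops the seatbelt-profiles key, forces the three debugging entitlements on, and checks the result before codesign is run. The stock entitlements are a constructed sample taken from the codesign output above; the script assumes only the standard-library plistlib module.

```python
import plistlib

# Stock debugserver entitlements, constructed from the `codesign -d
# --entitlements - --xml` output on this page so the script runs offline.
STOCK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>seatbelt-profiles</key><array><string>debugserver</string></array>
<key>com.apple.private.cs.debugger</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.network.server</key><true/>
</dict></plist>
"""

# Keys ent.xml adds so the re-signed debugserver may attach to other processes.
DEBUG_KEYS = ("run-unsigned-code", "get-task-allow", "task_for_pid-allow")


def build_debug_entitlements(stock_xml: bytes) -> dict:
    """Drop the debugserver seatbelt profile and force the debug keys on."""
    ents = plistlib.loads(stock_xml)
    # The 'debugserver' sandbox profile is what makes the standalone binary
    # fail with "Failed to get connection from a remote gdb process".
    ents.pop("seatbelt-profiles", None)
    for key in DEBUG_KEYS:
        ents[key] = True
    return ents


def check_entitlements(ents: dict) -> list:
    """Return the problems to fix before running codesign (empty if none)."""
    problems = []
    if "seatbelt-profiles" in ents:
        problems.append("seatbelt-profiles still present")
    problems += [f"{k} missing" for k in DEBUG_KEYS if ents.get(k) is not True]
    return problems


def to_ent_xml(ents: dict) -> bytes:
    """Serialize in the XML plist form that `codesign --entitlements` reads."""
    return plistlib.dumps(ents, fmt=plistlib.FMT_XML, sort_keys=False)


if __name__ == "__main__":
    ents = build_debug_entitlements(STOCK_ENTITLEMENTS)
    assert check_entitlements(ents) == []
    with open("ent.xml", "wb") as fh:
        fh.write(to_ent_xml(ents))
```

    Run it in the directory holding debugserver_arm64, then pass the generated ent.xml to the codesign command above.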

    Copy the re-signed binary to the device with scp:

    scp debugserver_arm64 root@192.168.11.11:~/

    If the device is jailbroken with palera1n (rootless, under /var/jb), install it in place of the bundled debugserver:

    cp debugserver_arm64 /var/jb/usr/bin/debugserver

    On the device, start debugserver and wait for the HiStor process to launch:

    $ debugserver '*:12345' -waitfor HiStor

    On the Mac, select the remote-ios platform in lldb, set the target, and connect:

    (lldb) platform select remote-ios
      Platform: remote-ios
     Connected: no
      SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
     SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
    (lldb) target create HiStor
    Current executable set to '/Users/sskaje/Work/hiksemi/ios/Payload/HiStor.app/HiStor' (arm64).
    (lldb) process connect connect://192.168.11.156:12345
    

    Useless note: reading and rewriting the 4-byte instruction at $pc from lldb

    (lldb) memory read -f y -c 4 -s 1 $pc
    0x105280e98: 48 61 74 94
    (lldb) memory write  $pc f0 60 74 94 
    (lldb) memory read -f y -c 4 -s 1 $pc
    0x105280e98: f0 60 74 94
    

  • iOS HTTPS Packet Capture Tools

    A short introduction to some iOS HTTPS packet capture tools I have used and found handy.

    These tools all work the same way: they use a Network Extension to implement a VPN, set routing rules so that traffic goes through the VPN device, then filter the traffic (for example TCP port 443) and forward it to an internally implemented proxy service, which decrypts or even hijacks HTTPS by acting as a man-in-the-middle.

    The steps for these tools are mostly as follows:

    • Install the app.
    • Install and trust the certificate. On recent iOS versions, installing a custom CA certificate requires the user to install the profile in Settings themselves and then manually enable the CA under Certificate Trust Settings in About.
    • Create the VPN. The app guides the user clearly, jumping to the VPN add page. Note that this VPN is not removed automatically when the app is uninstalled.
    • Configure rules, or default to all of TCP 443.
    • Enable and parse.

    There is a risk here: if you cannot confirm that the certificate the app installs uses a private key and certificate generated locally on the device and never uploaded to a server, then at least remove trust for that CA once you are done with the app.

    The comparison below applies only to the tools compared; the pros and cons are not absolute.

    1. Stream, a free iOS app, apparently by a Chinese developer judging from its description; you can sponsor the developer via IAP.

    • Pros: free, intuitive, and reasonably complete; can compose requests
    • Cons: user guidance is not great; without understanding the principle you may not configure it successfully.

    2. Charles for iOS, the iOS version of Charles Proxy; the features are simple, it is just a bit pricey.

    • Pros: simple features, good user experience, supports blocking connections (Block List)
    • Cons: paid (not a bad thing in itself), and the feature set is still slightly limited; cannot compose requests.

    Features both tools support:

    • DNS spoofing (hijacking DNS resolution)
    • Black/white lists for what gets recorded

    Features both lack:

    • Modifying requests (Rewrite and Breakpoint in desktop Charles)
    • Replaying requests.

    One comparison item I did not verify, but which is rarely needed, is recording and parsing raw SSL/TLS connections directly.

    Other tools are just too much: either absurdly expensive or unreasonable.