04-packing and unpacking

What is packing？

如前面所介绍的,拿到一个App的ipa包可以通过class-dump、 Hopper Disassembler等工具进行分析,However, when we use these analytics from the phoneApp Store下载的App安装包时,You will find some encrypted files,无法进行分析

这是因为App Store对我们上传的App进行了加壳操作,So why pack it？In fact, it uses a special algorithm,对可执行文件的编码进行改变（比如压缩、加密）,以达到保护程序代码的目的

• 加壳前,AppThe code in the executable is loaded into memory
• 加壳后,AppExecutable files are encrypted,Its outside will wrap a layer of shell program.Because the shell itself is alsoMach-O文件,程序执行时,The shell program is loaded into memory.The shell program then uses the decryption algorithm pairAppExecutable file for decryption operation,解密完成之后就会去执行文件,将代码装载进内存中
  

如何判断AppWhether the executable is packed？

想要判断AppWhether the executable is packed,主要是通过Crypt ID（AppExecutable file encryption type）是否为0判断,如果为0It means that it has not been encrypted、Not the other way around0stands for encryption

The judgment can be made in the following two ways：

• 使用otool命令行

# 搜索Load Commands中的crypt关键字
otool -l 可执行文件名称 | grep crypt

• 利用MachOView查看可执行文件
  

脱壳

Since the packer cannot be analyzedApp可执行文件,Then you need to unpack the program

脱壳方式有两种,硬脱壳和动态脱壳：

• 硬脱壳,The decrypted executable file is obtained by directly executing the decryption algorithm on the shell program（iOS通常做法）
• 动态脱壳,程序运行之后,The executable has been decrypted,然后从内存中导出

脱壳工具

clutch

Download the tool first（点击下载）,Then perform the following steps individually

• 利用iFunBox将Clutch文件拷贝到手机的/usr/bin目录
• SSH登录手机,执行Clutch命令,若显示Permission denied,Enter the following command to gain permission

chmod +x /usr/bin/Clutch

• 执行以下命令,List the current phone that can be unshelledApp

Clutch -i

• 通过序号或者bundle ID进行脱壳操作（注意：不完美越狱iOS12以上不可用）

Clutch -d 2
Clutch -d com.netease.cloudmusic

dumpdecrypted

• 下载源代码,Then execute it in the source code directorymake指令进行编译,获得dylib动态库文件
  
  
• 将dylib文件拷贝到iPhone上（如果是root用户,建议放/var/root目录）
• 终端进入dylib所在位置,使用环境变量DYLD_INSERT_LIBRARIES将dylib注入到需要脱壳的可执行文件（通过ps -A查看可执行文件的完整路径）

# This path isps -Ainstructions are printed
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/992C4ACA-4B99-4FC2-8BEE-11A3BDA1E9D0/neteasemusic.app/neteasemusic

• 执行完成之后,在/var/root目录下会生成neteasemusic.decrypted文件,这就是脱壳之后的可执行文件,然后使用otool命令查看Load Commands可以发现Crypt ID为0
  

dumpdecryptedPossible errors when unpacking

dumpdecrypted.dylibUnsigned error：

dyld: warning: could not load inserted library 'dumpdecrypted.dylib' into hardened process because no suitable image found.  Did find:
	dumpdecrypted.dylib: code signature in (dumpdecrypted.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2020-12-15 22:30:03.444 neteasemusic[3758:559109] [OTRLocation: ../Tweak/Tweak.xm:121] ERROR: logos: nil class SpringBoard
2020-12-15 22:30:03.811 neteasemusic[3758:559109] [SnowBoard Launcher] Loader check passed. Loading SnowBoard...
2020-12-15 22:30:03.859 neteasemusic[3758:559132] [SnowBoard] reloadWithoutExtensions (0) took 0.000333 s
[2020/12/15 22:30:04:035] [NMLLogger:26] ---------- application start, version: 7.3.01 ----------
[2020-12-15 22:30:04:070] file:NELPLocationManager.m line:76)<<<<[NELPLocationManager authorizationStatus] = 0
Abort trap: 6

解决办法就是给dumpdecrypted.dylib签名,输入以下指令（前提在dumpdecrypted.dylib目录下）

ldid -S dumpdecrypted.dylib