ChiChou / bagbak

Yet another frida based iOS dumpdecrypted. Also decrypts app extensions
MIT License

Needs to dump all the dylibs/Frameworks. #28

Closed rainyx closed 4 years ago

rainyx commented 4 years ago

ISSUE:

Some dylibs/Frameworks are defined in an LC_LOAD_DYLIB load command, but are not loaded immediately after the App launches.

In this case, bagbak won't dump these dylibs/Frameworks. If we launch the dumped App, it crashes because DYLD can't find the lost images.

Crash log:

Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Description: DYLD, Library not loaded: @rpath/libswiftCore.dylib | Referenced from: /var/containers/Bundle/Application/7B61E41D-D6A6-4783-963B-07BB2616044B/XXX.app/XXX | Reason: image not found

How to fix:

  1. Create a dylib with the following content.
// File: loader.cpp
// Walk the main executable's load commands and dlopen() every LC_LOAD_DYLIB
// dependency, so that libraries the app would otherwise load later are mapped
// into the process before bagbak dumps it.
#include <mach-o/loader.h>
#include <mach-o/dyld.h>
#include <dlfcn.h>
#include <stdint.h>

__attribute__((constructor)) void LibInit() {
    // Image index 0 is the main executable.
    const mach_header_64* mh = (const mach_header_64*)_dyld_get_image_header(0);
    if (mh == NULL || mh->magic != MH_MAGIC_64) {
        return;  // only the 64-bit header layout is handled here
    }
    // The load commands start right after the header.
    const load_command* lc = (const load_command*)(mh + 1);
    uint32_t ncmds = mh->ncmds;
    while (ncmds--) {
        if (lc->cmd == LC_LOAD_DYLIB) {
            const dylib_command* dylibLc = (const dylib_command*)lc;
            // The install name is stored at an offset from the start of the command.
            const char* name = (const char*)lc + dylibLc->dylib.name.offset;
            dlopen(name, RTLD_GLOBAL | RTLD_LAZY);
        }
        lc = (const load_command*)((const char*)lc + lc->cmdsize);
    }
}
  2. Inject the dylib into the App and launch it.
  3. Run bagbak; all dylibs/Frameworks will be dumped.

Can you integrate this function into bagbak? Thanks.🍺
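As an added example (not bagbak's code and not the loader.cpp from the issue), the Node.js check below does offline what the constructor above does in-process: it walks a 64-bit Mach-O header's load commands the same way, but instead of calling dlopen() it collects every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB install name plus the LC_RPATH entries, and then reports which non-weak @rpath / @executable_path dependencies are absent from a dumped .app bundle. Those are exactly the images that make dyld abort with the "Library not loaded ... image not found" error quoted in the crash log, so running this over a dump before relaunching it tells you whether the warm-up worked. The Mach-O bytes and the two bundle file lists are constructed inline for the demonstration; the app name XXX and the XXXKit framework are placeholders. Absolute install names and absolute rpaths (the /usr/lib/swift case) are treated as system-supplied and are not verified against the bundle.

```javascript
'use strict';

// Constants from <mach-o/loader.h>. The LC_REQ_DYLD bit (0x80000000) is part
// of the value, so the literals are used directly: a JS bitwise OR would
// produce a negative number and never compare equal to readUInt32LE().
const MH_MAGIC_64 = 0xfeedfacf;
const LC_LOAD_DYLIB = 0x0000000c;
const LC_LOAD_WEAK_DYLIB = 0x80000018;
const LC_RPATH = 0x8000001c;

const align8 = (n) => (n + 7) & ~7;

// Constructed sample input: serialise a dylib_command (cmd, cmdsize, then
// struct dylib {name.offset, timestamp, current_version, compatibility_version})
// followed by the NUL-terminated install name, padded to 8 bytes.
function buildDylibCommand(cmd, installName) {
  const name = Buffer.from(installName + '\0', 'utf8');
  const size = align8(24 + name.length);
  const buf = Buffer.alloc(size);          // zero-filled, so the padding is NUL
  buf.writeUInt32LE(cmd, 0);
  buf.writeUInt32LE(size, 4);
  buf.writeUInt32LE(24, 8);                // name.offset: the string follows the struct
  buf.writeUInt32LE(2, 12);                // timestamp
  buf.writeUInt32LE(0x00010000, 16);       // current_version 1.0.0
  buf.writeUInt32LE(0x00010000, 20);       // compatibility_version 1.0.0
  name.copy(buf, 24);
  return buf;
}

// rpath_command: cmd, cmdsize, path.offset, then the NUL-terminated path.
function buildRpathCommand(rpath) {
  const p = Buffer.from(rpath + '\0', 'utf8');
  const size = align8(12 + p.length);
  const buf = Buffer.alloc(size);
  buf.writeUInt32LE(LC_RPATH, 0);
  buf.writeUInt32LE(size, 4);
  buf.writeUInt32LE(12, 8);
  p.copy(buf, 12);
  return buf;
}

// mach_header_64 (32 bytes) followed by the load commands.
function buildMachO64(commands) {
  const body = Buffer.concat(commands);
  const hdr = Buffer.alloc(32);
  hdr.writeUInt32LE(MH_MAGIC_64, 0);
  hdr.writeUInt32LE(0x0100000c, 4);        // cputype CPU_TYPE_ARM64
  hdr.writeUInt32LE(0, 8);                 // cpusubtype
  hdr.writeUInt32LE(2, 12);                // filetype MH_EXECUTE
  hdr.writeUInt32LE(commands.length, 16);  // ncmds
  hdr.writeUInt32LE(body.length, 20);      // sizeofcmds
  return Buffer.concat([hdr, body]);       // flags and reserved stay 0
}

function readCString(buf, off) {
  const end = buf.indexOf(0, off);
  return buf.toString('utf8', off, end < 0 ? buf.length : end);
}

// Walk the load commands like loader.cpp does, but over a file buffer and
// collecting results instead of calling dlopen(). Weak imports are recorded
// too, because a missing weak library does not abort the launch.
function parseLoadCommands(buf) {
  if (buf.length < 32 || buf.readUInt32LE(0) !== MH_MAGIC_64) {
    throw new Error('expected a little-endian 64-bit Mach-O header');
  }
  const ncmds = buf.readUInt32LE(16);
  const end = 32 + buf.readUInt32LE(20);
  const deps = [];
  const rpaths = [];
  let off = 32;
  for (let i = 0; i < ncmds; i++) {
    if (off + 8 > end) throw new Error(`load command ${i} runs past sizeofcmds`);
    const cmd = buf.readUInt32LE(off);
    const cmdsize = buf.readUInt32LE(off + 4);
    if (cmdsize < 8 || off + cmdsize > end) throw new Error(`bad cmdsize in load command ${i}`);
    if (cmd === LC_LOAD_DYLIB || cmd === LC_LOAD_WEAK_DYLIB) {
      const nameOff = buf.readUInt32LE(off + 8);
      if (nameOff >= cmdsize) throw new Error(`name offset outside load command ${i}`);
      deps.push({ name: readCString(buf, off + nameOff), weak: cmd === LC_LOAD_WEAK_DYLIB });
    } else if (cmd === LC_RPATH) {
      rpaths.push(readCString(buf, off + buf.readUInt32LE(off + 8)));
    }
    off += cmdsize;
  }
  return { deps, rpaths };
}

// Resolve one install name against the dumped bundle. bundleFiles holds paths
// relative to the .app directory; for the main executable @executable_path and
// @loader_path both denote that directory. Absolute paths are system libraries
// dyld supplies on the device, so they are not expected inside the bundle.
function resolveInBundle(installName, rpaths, bundleFiles) {
  const clean = (rel) => rel.replace(/\/+/g, '/').replace(/^\.\//, '');
  const strip = (s, prefix) => s.slice(prefix.length);
  if (installName.startsWith('/')) return { status: 'system' };
  const candidates = [];
  let unverifiable = false;
  if (installName.startsWith('@executable_path/')) {
    candidates.push(strip(installName, '@executable_path/'));
  } else if (installName.startsWith('@loader_path/')) {
    candidates.push(strip(installName, '@loader_path/'));
  } else if (installName.startsWith('@rpath/')) {
    const rest = strip(installName, '@rpath/');
    for (const rp of rpaths) {
      if (rp.startsWith('@executable_path/')) candidates.push(strip(rp, '@executable_path/') + '/' + rest);
      else if (rp.startsWith('@loader_path/')) candidates.push(strip(rp, '@loader_path/') + '/' + rest);
      else if (rp.startsWith('/')) unverifiable = true;   // absolute rpath: cannot check offline
    }
  } else {
    candidates.push(installName);   // bare name: only counts if it sits in the bundle
  }
  for (const c of candidates) {
    if (bundleFiles.has(clean(c))) return { status: 'found', path: clean(c) };
  }
  return { status: unverifiable ? 'unverified' : 'missing', candidates: candidates.map(clean) };
}

// The check a dump should pass before it is relaunched: every non-weak
// dependency must resolve. Returns the install names dyld would report as
// "Library not loaded".
function findMissingDependencies(machoBuf, bundleFiles) {
  const { deps, rpaths } = parseLoadCommands(machoBuf);
  return deps
    .filter((d) => !d.weak && resolveInBundle(d.name, rpaths, bundleFiles).status === 'missing')
    .map((d) => d.name);
}

// Constructed sample: an executable linked the way the crash log suggests,
// with the Swift runtime embedded under @rpath and one framework of its own.
function buildSampleExecutable() {
  return buildMachO64([
    buildDylibCommand(LC_LOAD_DYLIB, '/usr/lib/libSystem.B.dylib'),
    buildDylibCommand(LC_LOAD_DYLIB, '@rpath/libswiftCore.dylib'),
    buildDylibCommand(LC_LOAD_DYLIB, '@rpath/XXXKit.framework/XXXKit'),
    buildDylibCommand(LC_LOAD_WEAK_DYLIB, '@rpath/libOptional.dylib'),
    buildRpathCommand('@executable_path/Frameworks'),
  ]);
}

function main() {
  const exe = buildSampleExecutable();
  // An incomplete dump: the app's own framework was mapped at launch and got
  // dumped, the Swift runtime that was not yet loaded did not.
  const incomplete = new Set(['XXX', 'Frameworks/XXXKit.framework/XXXKit']);
  console.log('missing before warm-up:', findMissingDependencies(exe, incomplete));
  const complete = new Set([...incomplete, 'Frameworks/libswiftCore.dylib']);
  console.log('missing after warm-up:', findMissingDependencies(exe, complete));
}
main();
```

To use it on a real dump, replace buildSampleExecutable() with the bytes of the dumped main executable (fat binaries need the arm64 slice selected first) and build bundleFiles by listing the .app directory; any name the function returns is one the loader.cpp warm-up or the warmup branch still has to pull in before the dump is taken.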

ChiChou commented 4 years ago

Can you give me the test case? Which App can I reproduce it on?

rainyx commented 4 years ago

Can you give me the test case? Which App can I reproduce it on?

App:

Device: iPhone 6s (jailbroken via unc0ver 3.7.0-b3)

ChiChou commented 4 years ago

Those swift runtime libs are located in /usr/lib/swift/, which should not be integrated into the package

ChiChou commented 4 years ago

Are you reinstalling the app on another device?

ChiChou commented 4 years ago

Can you try this branch? https://github.com/ChiChou/bagbak/tree/warmup

rainyx commented 4 years ago

Those swift runtime libs are located in /usr/lib/swift/, which should not be integrated into the package

If ‘Always Embed Swift Standard Libraries’ is enabled, DYLD loads the Swift libraries from the @rpath of the App main bundle rather than from /usr/lib/swift/.

rainyx commented 4 years ago

Are you reinstalling the app on another device?

Nope.

rainyx commented 4 years ago

Can you try this branch? https://github.com/ChiChou/bagbak/tree/warmup

Fixed.

ChiChou commented 4 years ago

@rainyx So what was the result?