熊猫正正的博客

When dyld_decache fails on dyld_shared_cache_arm64, dsc_extractor saves our days  

2015-10-18 16:13:18 | Category: iOS Security

Link: http://iosre.com/t/when-dyld-decache-fails-on-dyld-shared-cache-arm64-dsc-extractor-saves-our-days/1974

As you may already know, dyld_decache by kennyTM fails on arm64 caches. Since arm64 devices are more popular these days, what is the alternative to dyld_decache for dyld_shared_cache_arm64? Luckily, there is an answer: dsc_extractor, an open-source tool from Apple.
Now follow along as we patch and compile dsc_extractor so that it can decache dyld_shared_cache_arm64 the way dyld_decache used to.
P.S. You may need to install wget manually with Homebrew.

Download and extract dsc_extractor

192:~ snakeninny$ cd ~
192:~ snakeninny$ mkdir dsc_extractor
192:~ snakeninny$ cd dsc_extractor
192:dsc_extractor snakeninny$ wget http://opensource.apple.com/tarballs/dyld/dyld-210.2.3.tar.gz
--2015-10-17 12:14:44--  http://opensource.apple.com/tarballs/dyld/dyld-210.2.3.tar.gz
Resolving opensource.apple.com... 17.251.224.146
Connecting to opensource.apple.com|17.251.224.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 470411 (459K) [application/x-gzip]
Saving to: 'dyld-210.2.3.tar.gz'

dyld-210.2.3.tar.gz 100%[==================================================================>] 459.39K 230KB/s in 2.0s

2015-10-17 12:14:46 (230 KB/s) - 'dyld-210.2.3.tar.gz' saved [470411/470411]

192:dsc_extractor snakeninny$ tar xvf dyld-210.2.3.tar.gz
x dyld-210.2.3/
x dyld-210.2.3/bin/
...

Patch

192:dsc_extractor snakeninny$ cd dyld-210.2.3/launch-cache/
192:launch-cache snakeninny$ touch dsc_extractor.patch

The above command creates an empty file named dsc_extractor.patch under ~/dsc_extractor/dyld-210.2.3/launch-cache. Next, copy the contents from here into dsc_extractor.patch and save the file. (Note that if you wget or curl the patch file, there will be an extra newline character at the end of the file, which you have to remove manually; otherwise patch may reject the last hunk.) Let's continue:

192:launch-cache snakeninny$ patch < dsc_extractor.patch
patching file dsc_extractor.cpp
Hunk #4 succeeded at 485 with fuzz 2.

Compile

192:launch-cache snakeninny$ clang++ -o dsc_extractor dsc_extractor.cpp dsc_iterator.cpp
In file included from dsc_extractor.cpp:51:
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../include/c++/v1/ext/hash_map:212:5: warning: Use of the header <ext/hash_map> is deprecated. Migrate to <unordered_map> [-W#warnings]
# warning Use of the header <ext/hash_map> is deprecated. Migrate to <unordered_map>
  ^
1 warning generated.

Decache

Now there is a binary named dsc_extractor under ~/dsc_extractor/dyld-210.2.3/launch-cache. Let's test whether it works.
1. Copy /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 from iOS to OS X using iFunBox.
2. On OS X, run /path/to/dsc_extractor /path/to/dyld_shared_cache_arm64 /path/to/decached/binaries/; the output is shown below:

0/969 1/969 2/969 3/969 4/969 5/969 6/969 ...
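As an added example (not part of the original post or of Apple's dyld sources), here is a small Python script to sanity-check a cache before extraction: it reads the dyld shared cache header, reports the architecture tag in the magic (the "arm64" that dyld_decache trips over) and lists the image paths the extractor is about to write out. The struct layout is taken from launch-cache/dyld_cache_format.h in the same dyld-210.2.3 tarball; the sample cache is constructed inline, and the file name cache_info.py is assumed.

```python
import struct
import sys

# Field layout taken from launch-cache/dyld_cache_format.h in dyld-210.2.3.
# Only the leading fields of dyld_cache_header are needed; iOS caches are
# little-endian, so "<" is used throughout.
HEADER = struct.Struct("<16sIIII")  # magic, mappingOffset, mappingCount, imagesOffset, imagesCount
MAPPING = struct.Struct("<QQQII")   # address, size, fileOffset, maxProt, initProt
IMAGE = struct.Struct("<QQQII")     # address, modTime, inode, pathFileOffset, pad
HEADER_SIZE = 96                    # sizeof(dyld_cache_header) in this dyld version


def parse_cache(data):
    """Return the arch tag, mapping tuples and (address, path) image table of a cache."""
    magic, map_off, map_cnt, img_off, img_cnt = HEADER.unpack_from(data, 0)
    magic = magic.rstrip(b"\0")
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld_v1 shared cache: %r" % magic)
    arch = magic[len(b"dyld_v1"):].strip().decode()  # "dyld_v1   arm64" -> "arm64"
    mappings = [MAPPING.unpack_from(data, map_off + i * MAPPING.size) for i in range(map_cnt)]
    images = []
    for i in range(img_cnt):
        addr, _mtime, _inode, path_off, _pad = IMAGE.unpack_from(data, img_off + i * IMAGE.size)
        end = data.index(b"\0", path_off)  # image paths are NUL-terminated C strings
        images.append((addr, data[path_off:end].decode()))
    return {"arch": arch, "mappings": mappings, "images": images}


def build_sample_cache(arch, paths):
    """Constructed sample: a minimal cache with one r-x mapping and one image per path."""
    magic = (b"dyld_v1" + arch.encode().rjust(8)).ljust(16, b"\0")  # e.g. "dyld_v1   arm64"
    img_off = HEADER_SIZE + MAPPING.size
    header = HEADER.pack(magic, HEADER_SIZE, 1, img_off, len(paths)).ljust(HEADER_SIZE, b"\0")
    mapping = MAPPING.pack(0x180000000, 0x4000 * len(paths), 0, 5, 5)
    table, blob, path_off = b"", b"", img_off + len(paths) * IMAGE.size
    for i, path in enumerate(paths):
        table += IMAGE.pack(0x180000000 + i * 0x4000, 0, 0, path_off, 0)
        blob += path.encode() + b"\0"
        path_off += len(path) + 1
    return header + mapping + table + blob


if __name__ == "__main__":
    # Usage: python3 cache_info.py /path/to/dyld_shared_cache_arm64
    with open(sys.argv[1], "rb") as f:
        info = parse_cache(f.read())
    print("%s cache, %d mappings, %d images" % (info["arch"], len(info["mappings"]), len(info["images"])))
    for addr, path in info["images"]:
        print("0x%x %s" % (addr, path))
```

On a real cache the image count printed here is the "969" that dsc_extractor counts up to in the output above.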


Done. Happy hacking iOS 9


