iOS 11.3 系统如何使用bfinject脱壳

目前bfinject的项目源码仅支持Dylib注入的系统为iOS 11.0 - 11.1.2, 但是现在手头有一台最新越狱的iOS 11.3,那么怎样使用bfinject来脱壳呢?

安装bfinject

源码地址:https://github.com/BishopFox/bfinject

Electra越狱用户:

下载bfinject的tar压缩包,https://github.com/BishopFox/bfinject/raw/master/bfinject.tar

安装后运行

bash bfinject

会报错:

[!] Unknown jailbreak. Aborting.

分析Unknown jailbrek报错原因

查看源码:

#
# Detect LiberiOS vs Electra
#
if [ -f /bootstrap/inject_criticald ]; then
# This is Electra
echo "[+] Electra detected."
cp jtool.liberios /bootstrap/usr/local/bin/
chmod +x /bootstrap/usr/local/bin/jtool.liberios
JTOOL=/bootstrap/usr/local/bin/jtool.liberios
cp bfinject4realz /bootstrap/usr/local/bin/
INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
elif [ -f /jb/usr/local/bin/jtool ]; then
# This is LiberiOS
echo "[+] Liberios detected"
JTOOL=jtool
INJECTOR=`pwd`/bfinject4realz
else
echo "[!] Unknown jailbreak. Aborting."
exit 1
fi

目前最新的Electra越狱后系统里找不到文件路径:/bootstrap/inject_criticald,搜索一下inject_reiticald确实存在该文件。

原来如此,bootstrap目录名更改为electra了,

tree-flys-iPhone-7:~ root# ls /electra/
amfid_payload.dylib helloworld inject_criticald jailbreakd jailbreakd_client libjailbreak.dylib pspawn_payload.dylib

FIX 1

考虑到向低版本iOS兼容性,尽量减少修改源代码

创建软连接

ln -s /electra /bootstrap

手动创建代码中的文件夹

mkdir /bootstrap/usr
mkdir /bootstrap/usr/local
mkdir /bootstrap/usr/local/bin

完毕后,执行命令 bash bfinject -P AVPlayer.app -L test

tree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
bfinject: md5: command not found
bfinject: md5: command not found
[+] Injecting into '/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
jtool /bootstrap/usr/local/bin/ signing error. barfing.

分析 md5: command not found原因

报错的代码行:

# Use random filenames to avoid cached binaries causing "Killed: 9" messages.
RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`
RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"

看上去md5文件缺失,这个比较好解决

tree-flys-iPhone-7:~/bfinject root# md5
bash: md5: command not found

方法比较多,编译一个md5即可;或者采纳openssl,如openssl md5,或者使用GNU工具命令如md5sum,注意处理下前缀或后缀。

tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | md5sum
a24c26e8ba09235dab371b04e5b58936 -
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | md5sum | sed 's/ .*//'
a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | openssl md5
(stdin)= a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | openssl md5 | sed 's/.* //'
a24c26e8ba09235dab371b04e5b58936

FIX 2

尝试使用md5sum替代md5,修正下代码:

#RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`
RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed 's/ .*//'`
#RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"
RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed 's/ .*//'`"

# Debug info
echo "*** RAND = $RAND"
echo "*** RANDOM_NAME = $RANDOM_NAME"

测试注入功能

tree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
*** RAND = 1c9cf2572f0064d69005b0e4bd2ae5a2
*** RANDOM_NAME = /bootstrap/usr/local/bin/91432177bcba40fb1d026bcf83203e13
[+] Injecting into '/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 2627.
[bfinject4realz] Calling thread_create() on PID 2627
[bfinject4realz] Looking for ROP gadget... found at 0x1849b7118
[bfinject4realz] Fake stack frame at 0x108998000
[bfinject4realz] Calling _pthread_set_self() at 0x184c8471c...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x1849b6e7c...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c0167bc0
[+] So long and thanks for all the fish.

Test Successful

再测试脱壳功能,一切OK👌

~ END ~

~ END ~