Caddy fails to start with the error "caddy.service: Main process exited, code=exited, status=1/FAILURE": solution

https://caddy.community/t/caddy-wont-start-could-not-start-http-server-for-challenge-listen-tcp-80-bind-permission-denied/2543

Edit the service file and uncomment the following lines:

;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

Enabling NEON (STP SIMD) support in unicorn

Switching between ARM and THUMB instructions in IDA

ARM AND THUMB MODE SWITCH INSTRUCTIONS

This processor has two instruction encodings: ARM and THUMB.
IDA allows to specify the encoding mode for every single instruction.
For this IDA uses a virtual register T. If its value is zero, then
the ARM mode is used, otherwise the THUMB mode is used.
You can change the value of the register T using
the ‘change segment register value’ command
(the canonical hotkey is Alt-G)

ollvm characteristics

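Let me briefly tell you the characteristics of ollvm
For ollvm's bcf
you can look for two subs at the same level
and then
never mind, forget it
Two bbs at the same level; people who don't work on compilers would call them loc. Not sub
One of them loops to itself
and the other one goes on downward
The pseudocode is a long string of nested if true xxxx
That is bcf; the one that loops to itself is the fake control flow
ollvm's fla is obvious. Just look at the control flow graph
splitbb is a function containing a long run of very short locs
with unconditional jumps between them
substitution is a bunch of logic/math operations strung together that look like they should have been simplified
Every vendor says they wrote it themselves
Liu Xin also says he wrote it himself and that I copied his
Who knows
But a few of them probably have some real substance
I just don't know which vendors
Enough said
The design alone is meant to solve the problems
*solve these problems
plus extra features and the existing optimizations
Who knows about them
Actually, at the assembly level it is not if true
it is a constant expression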

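Debugging an iOS app on a real device with IDA + debugserver

1. Create any new project in Xcode and run it once on the real device. After that, debugserver will be present under /Developer/usr/bin.
2. Pull debugserver back to the local machine over sftp, and in the same directory create a plist file named entitlements.plist with the following content: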

3. Then re-sign debugserver

 
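4. Copy it back to the device as /usr/bin/debugserver.
5. brew install usbmuxd, then forward the iPhone port to the local machine: iproxy 1234 1234
6. In IDA's debugger settings, go to Debugger -> Debugger options -> Set specific options and uncheck Launch debugserver automatically
7. Start /usr/bin/debugserver *:1234
8. Start debugging in IDA, entering the IP and port number 1234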

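Decrypting (dumping) iOS apps

1. Upload the following files to the phone over sftp:

cycript (unpacked)

dumpdecrypted.dylib (download the source and build it directly with make)

2. Use ps -e to find the target process x

3. cycript -p x

4. [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
This returns the target app's Documents directory. Upload dumpdecrypted.dylib to that directory, then press Ctrl+D to exit cycript
5. su mobile to switch user (important)
6. Enter the Documents directory and run DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/xxxx/xxxx (path to the executable)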
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100028cf8(from 0x100028000) = cf8
[+] Found encrypted data at address 00004000 of length 59457536 bytes – type 1.
[+] Opening /private/var/containers/Bundle/Application/176519AE-E905-4E0F-A718-3C7B1B96A6E3/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file

Output file name: xxxx.decrypted
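To confirm that the dumped file really has the LC_ENCRYPTION_INFO cryptid set to 0, as the last step of the log reports, the load commands can be read directly. This is an added example, not part of the original notes or of dumpdecrypted; it assumes a thin little-endian Mach-O, and `build_sample` is a constructed header that reuses the cryptoff and length values from the log above.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(data: bytes):
    """Return (cryptid_offset, cryptoff, cryptsize, cryptid) for a thin
    little-endian Mach-O, or None when no encryption command is present."""
    if len(data) < 28:
        raise ValueError("file too short for a Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O (fat or foreign file)")
    header_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = header_size, min(len(data), header_size + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption command too small")
            # Layout: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return off + 16, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None

def build_sample(cryptid: int) -> bytes:
    """Constructed 64-bit header: an LC_UUID-sized filler command followed by
    LC_ENCRYPTION_INFO_64 (cryptoff/cryptsize taken from the log above)."""
    filler = struct.pack("<II", 0x1B, 24) + bytes(16)
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                      0x4000, 59457536, cryptid, 0)
    cmds = filler + enc
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    for cid in (1, 0):  # 1 = still encrypted, 0 = decrypted dump
        off, coff, csize, got = encryption_info(build_sample(cid))
        state = "encrypted" if got else "decrypted"
        print(f"cryptid={got} at {off:#x}, range {coff:#x}+{csize}: {state}")
```

For a real file, pass the bytes of xxxx.decrypted to `encryption_info` and check that the last element of the result is 0.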