Reposted from: https://www.giuem.com/caddy-tutorial-for-debian/
Repost: Caddy deployment
Repost: Compiling Go programs that run on Apple iOS devices
Enabling NEON (Advanced SIMD, e.g. STP of Q registers) in unicorn
If CPACR_EL1.FPEN (bits [21:20]) is 0b00, which is the reset value in unicorn 1.x, the first floating-point or NEON instruction faults instead of executing, so set FPEN to 0b11 (no trapping) before calling emu_start.
Python (unicorn binding):
from unicorn import Uc, UC_ARCH_ARM64, UC_MODE_ARM
from unicorn.arm64_const import UC_ARM64_REG_CPACR_EL1

CPACR_FPEN_MASK = 0x3 << 20       # CPACR_EL1.FPEN, bits [21:20]
CPACR_FPEN_TRAP_NONE = 0x3 << 20  # 0b11: no trapping of FP/Advanced SIMD
mu = Uc(UC_ARCH_ARM64, UC_MODE_ARM)
cpacr = mu.reg_read(UC_ARM64_REG_CPACR_EL1)
cpacr = (cpacr & ~CPACR_FPEN_MASK) | CPACR_FPEN_TRAP_NONE
mu.reg_write(UC_ARM64_REG_CPACR_EL1, cpacr)
Go (go-unicorn binding, imported as uc "github.com/unicorn-engine/unicorn/bindings/go/unicorn"):
var CPACR_FPEN_MASK uint64 = 0x3 << 20      // CPACR_EL1.FPEN, bits [21:20]
var CPACR_FPEN_TRAP_NONE uint64 = 0x3 << 20 // 0b11: no trapping of FP/Advanced SIMD
cpacr, err := mu.RegRead(uc.ARM64_REG_CPACR_EL1)
if err != nil {
	panic(err.Error())
}
cpacr = (cpacr & ^CPACR_FPEN_MASK) | CPACR_FPEN_TRAP_NONE
if err := mu.RegWrite(uc.ARM64_REG_CPACR_EL1, cpacr); err != nil {
	panic(err.Error())
}
Switching between ARM and THUMB instructions in IDA
ARM AND THUMB MODE SWITCH INSTRUCTIONS
This processor has two instruction encodings: ARM and THUMB.
IDA allows to specify the encoding mode for every single instruction.
For this IDA uses a virtual register T. If its value is zero, then
the ARM mode is used, otherwise the THUMB mode is used.
You can change the value of the register T using
the ‘change segment register value’ command
(the canonical hotkey is Alt-G)
OLLVM characteristics
Let me give you a quick rundown of OLLVM's characteristics
For OLLVM's bcf
you can look for two subs at the same level
and then
forget it, never mind
two bbs at the same level; people who don't do compilers would call them loc, I guess, not sub
one of them loops back to itself
the other one goes downward
the pseudocode is a big nested chain of if true xxxx
that is bcf; the one that loops back to itself is the bogus control flow
OLLVM's fla is obvious, just look at the control flow graph
splitbb is a function with a long run of very short locs
joined by nothing but unconditional jumps
substitution is a bunch of logic/arithmetic operations strung together that look like they ought to have been simplified
every vendor claims they wrote their own
Liu Xin (刘欣) also says he wrote his own, and that I copied his
who knows
but a few of them should have some real substance
no idea which ones though
never mind
the design alone was meant to solve problems
*solve these problems
plus extra features and the existing optimizations
who knows about them
actually at the assembly level it is not if true
it is a constant expression
Fix for the lldb error "ImportError: cannot import name _remove_dead_weakref"
export PATH=/usr/bin:$PATH   (switch back to the system-bundled python; lldb's Python module is built against it, and a different python earlier in PATH triggers the mismatch)
Debugging an iOS app on a real device with IDA + debugserver
1. Create any new project in Xcode and run it once on the device; /Developer/usr/bin on the device will then contain debugserver.
2. Pull debugserver back to the Mac over sftp and create entitlements.plist next to it with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
3. Then re-sign debugserver with those entitlements (an ad-hoc signature, -s -, is enough on a jailbroken device):
codesign -s - --entitlements entitlements.plist -f debugserver
4. Copy it back to the device as /usr/bin/debugserver.
5. brew install usbmuxd, then forward the iPhone's port to the Mac: iproxy 1234 1234
6. In IDA's debugger settings (Debugger -> Debugger options -> Set specific options) untick "Launch debugserver automatically".
7. On the device, start /usr/bin/debugserver *:1234
8. Start debugging in IDA and enter the IP (127.0.0.1, since iproxy forwards the port over USB) and port 1234.
iOS app decryption (砸壳)
1. Push the following files to the phone over sftp:
cycript (unpacked)
dumpdecrypted.dylib (download the source and build it with make)
2. ps -e to find the PID x of the target process
3. cycript -p x
4. [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
gets the target app's Documents directory; copy dumpdecrypted.dylib into that directory, then Ctrl+D to leave cycript
5. su mobile to switch user (important)
6. cd into that Documents directory and run DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/xxxx/xxxx (path to the app's executable)
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100028cf8(from 0x100028000) = cf8
[+] Found encrypted data at address 00004000 of length 59457536 bytes – type 1.
[+] Opening /private/var/containers/Bundle/Application/176519AE-E905-4E0F-A718-3C7B1B96A6E3/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
Output file name: xxxx.decrypted, written to the current directory. Only the main executable is dumped; frameworks bundled with the app are separate images and need the same treatment if they are encrypted.
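The last lines of that log ("offset to cryptid found", "Setting the LC_ENCRYPTION_INFO->cryptid to 0") describe the one header edit that turns the dump into a loadable file. The script below, an added example that is not part of dumpdecrypted or of the original post, walks the Mach-O load commands to find LC_ENCRYPTION_INFO(_64), reports cryptid so you can confirm a .decrypted file is really clear, and clears the flag the same way the tool does. It also handles fat containers, which the tool's "Detecting header type" step distinguishes from a plain image. The sample image it builds is a hand-constructed arm64 header with a single load command, not a real app.

```python
"""Check and clear LC_ENCRYPTION_INFO->cryptid in a Mach-O image.

Added example for the dump step above; it is not part of dumpdecrypted.  It
does what the tool's last lines report: locate the encryption load command,
read cryptid, and write 0 there.  The sample image at the bottom is a
hand-constructed arm64 header with a single load command, not a real app."""
import struct
import sys

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, 28-byte header
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, 32-byte header
FAT_MAGIC = 0xCAFEBABE      # universal binary, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def image_slices(data):
    """Yield (offset, size) for each Mach-O image in the file (thin or fat)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            yield off, size
    else:
        yield 0, len(data)


def find_encryption_info(data, base=0):
    """Return (cryptid_file_offset, cryptoff, cryptsize, cryptid) for the image
    starting at `base`, or None when it has no LC_ENCRYPTION_INFO(_64)."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC_64:
        header_len = 32
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    ncmds = struct.unpack_from("<I", data, base + 16)[0]
    off = base + header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return off + 16, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None


def is_decrypted(data):
    """True when no image in the file still claims an encrypted range."""
    for base, _ in image_slices(data):
        info = find_encryption_info(data, base)
        if info is not None and info[3] != 0:
            return False
    return True


def clear_cryptid(data):
    """Return a copy with cryptid set to 0 in every image.  Only do this after
    the range [cryptoff, cryptoff+cryptsize) has been replaced by plaintext
    dumped from memory, as dumpdecrypted does; on an untouched App Store binary
    the flag would merely lie and the loader would execute ciphertext."""
    out = bytearray(data)
    for base, _ in image_slices(out):
        info = find_encryption_info(out, base)
        if info is not None:
            struct.pack_into("<I", out, info[0], 0)
    return bytes(out)


def build_sample_image(cryptid):
    """Constructed minimal arm64 executable: header + one LC_ENCRYPTION_INFO_64."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def wrap_fat(*images):
    """Constructed fat container around thin images (real files page-align the
    slices; the parser above does not depend on that)."""
    off = 8 + 20 * len(images)
    archs = b""
    for img in images:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off, len(img), 0)
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + b"".join(images)


if __name__ == "__main__":
    # usage: python machocrypt.py WeChat.decrypted   (no argument: constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(1)
    for base, _ in image_slices(blob):
        print("image @0x%x: %r" % (base, find_encryption_info(blob, base)))
    print("decrypted:", is_decrypted(blob))
```

Run it against xxxx.decrypted: a correct dump prints cryptid 0 and decrypted: True, and the cryptid offset it reports for the thin image (0xcf8 in the log above, relative to the image start) should match the "offset to cryptid found" line.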
Fix for the VMware Fusion error "找不到可以连接的有效对等进程" (could not find a valid peer process to connect to)
Two possible causes:
1. The driver was blocked by Gatekeeper; allow it in System Preferences and it works.
2. For no obvious reason a driver fails to load: one or more of the 4 kexts VMware ships does not load. Check with kextstat | grep vm; under normal conditions the 4 loaded kexts are:
184 1 0xffffff7f85fad000 0x11000 0x11000 com.vmware.kext.vmci (90.8.1) F673BA9E-4370-3867-996E-CA6615DFDE0A <12 5 4 3 1>
185 0 0xffffff7f85fbe000 0x16000 0x16000 com.vmware.kext.vmnet (0752.01.54) 9EDDE1C1-80D8-3154-95A1-25F70585272E <184 5 4 3 1>
186 0 0xffffff7f85fd4000 0x12000 0x12000 com.vmware.kext.vmx86 (0752.01.54) F20CC4A3-BFB5-365B-AEB8-84796FAA26F4 <7 5 4 3 1>
187 0 0xffffff7f85fe6000 0x6000 0x6000 com.vmware.kext.vmioplug.17.1.3 (17.1.3) 4E465B8F-BBF2-3877-BB4B-17398E62310C <53 5 4 3 1>
If one of them does not come up, write a launchd daemon that loads the driver automatically after boot:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <false/>
    <key>Label</key>
    <string>com.usualwyy.autostartvmmon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/kextload</string>
        <string>/Library/StagedExtensions/Applications/VMware Fusion.app/Contents/Library/kexts/vmmon.kext</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>StandardOutPath</key>
    <string>/dev/null</string>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
This plist only loads vmmon.kext (com.vmware.kext.vmx86); if a different one of the four is the one that fails, put that .kext path in the array instead, or add it as a further <string> (kextload accepts several bundles). Save it as com.usualwyy.autostartvmmon.plist in /Library/LaunchDaemons, then
sudo plutil -convert binary1 com.usualwyy.autostartvmmon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.usualwyy.autostartvmmon.plist
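To decide which .kext the daemon has to load, the check from step 2 (kextstat, compare against the four expected bundle ids) can be scripted. The script below is an added example, not from the original post: it parses kextstat output, lists the VMware drivers that are missing and prints the matching kextload command. The sample output is constructed from the four lines shown above with vmnet dropped to simulate a failed load; the bundle-id to .kext-name mapping is an assumption except for vmx86 -> vmmon.kext, which the launchd plist above uses.

```python
"""Find VMware Fusion kexts that failed to load, from kextstat output.

Added example, not part of the original post.  SAMPLE_KEXTSTAT is constructed
from the post's four kextstat lines with vmnet removed.  EXPECTED maps bundle
identifiers to kext bundle names; only vmx86 -> vmmon.kext comes from the post,
the other three names are assumptions."""
import subprocess

KEXT_DIR = "/Library/StagedExtensions/Applications/VMware Fusion.app/Contents/Library/kexts"

# bundle identifier (prefix) -> kext bundle name; vmioplug carries its version
# in the identifier (com.vmware.kext.vmioplug.17.1.3), hence prefix matching
EXPECTED = {
    "com.vmware.kext.vmci": "vmci.kext",
    "com.vmware.kext.vmnet": "vmnet.kext",
    "com.vmware.kext.vmx86": "vmmon.kext",
    "com.vmware.kext.vmioplug": "vmioplug.kext",
}

SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  184    1 0xffffff7f85fad000 0x11000    0x11000    com.vmware.kext.vmci (90.8.1) F673BA9E-4370-3867-996E-CA6615DFDE0A <12 5 4 3 1>
  186    0 0xffffff7f85fd4000 0x12000    0x12000    com.vmware.kext.vmx86 (0752.01.54) F20CC4A3-BFB5-365B-AEB8-84796FAA26F4 <7 5 4 3 1>
  187    0 0xffffff7f85fe6000 0x6000     0x6000     com.vmware.kext.vmioplug.17.1.3 (17.1.3) 4E465B8F-BBF2-3877-BB4B-17398E62310C <53 5 4 3 1>
"""


def loaded_bundle_ids(kextstat_output):
    """Parse kextstat text: the bundle id is the 6th whitespace-separated field
    (Index Refs Address Size Wired Name); the header row is skipped."""
    ids = set()
    for line in kextstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].isdigit():
            ids.add(fields[5])
    return ids


def missing_kexts(kextstat_output):
    """Return the .kext names whose driver is not loaded, in EXPECTED order."""
    loaded = loaded_bundle_ids(kextstat_output)
    missing = []
    for prefix, kext in EXPECTED.items():
        if not any(i == prefix or i.startswith(prefix + ".") for i in loaded):
            missing.append(kext)
    return missing


def kextload_commands(kextstat_output, kext_dir=KEXT_DIR):
    """Shell command lines that would load each missing driver (run as root)."""
    return ['/sbin/kextload "%s/%s"' % (kext_dir, k) for k in missing_kexts(kextstat_output)]


if __name__ == "__main__":
    try:
        out = subprocess.run(["kextstat"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_KEXTSTAT  # not on macOS: fall back to the constructed sample
    for line in kextload_commands(out) or ["all four VMware kexts are loaded"]:
        print(line)
```

Whatever this prints as missing is what belongs in the ProgramArguments array of the launchd plist; on a Mac it reads the live kextstat output, elsewhere it runs on the constructed sample.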
WinLicense/Themida (TMD) unpacking tips
1. Newer versions: set a hardware write breakpoint on the code section, run on and wait for the decryption to finish.
Signature: rep movs byte ptr es:[edi],byte ptr ds:[esi]
2. Older versions: use a VM to unpack the VM
  1. Set a memory-write breakpoint on the .text section, Shift+F9, then remove the memory breakpoint.
  2. bp GetProcessHeap+C, F9, then remove the breakpoint.
  3. Set an F2 breakpoint on the .text section, F9 to the OEP or to the position inside the first call at the OEP.
https://www.52pojie.cn/thread-50936-1-1.html
3. Use the ESP trick to strip the remaining UPX layer.