Bypass SSLPinning on FB iOS App

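GitHub - phwd/OneForAllFacebook describes a method for bypassing SSL pinning in the FB iOS app. However, it is only a tool and does not explain the underlying principle. To read its introduction, you first have to join the FB group.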

Demo video: https://www.facebook.com/113702895386410/videos/1466262083463811/

NIN: Things that can be learned from this article include:

  1. How to use dumpdecrypted
  2. How to use IPAPatch (to be discussed in a separate article)

1. Obtain the decrypted IPA

1.1 Make dumpdecrypted

// on Tab 1

$ git clone https://github.com/conradev/dumpdecrypted
$ cd dumpdecrypted
$ make

// on Tab 2

$ iproxy 2223 22

Upload it to the iPhone

// on Tab 1

$ scp -P 2223 dumpdecrypted.dylib root@localhost:/usr/lib/dumpdecrypted.dylib
$ ssh root@localhost -p 2223
$ ldid -S /usr/lib/dumpdecrypted.dylib

1.2 Download the App

Open FB on iPhone


// on Tab 1

$ ps ax | grep "Facebook"


// on Tab 3

$ scp -r -P 2223 root@localhost:/var/containers/Bundle/Application/<APP_ID>/ Payload

1.3 Obtain the decrypted FB app


// on Tab 1

$ DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/<APP_ID>/Facebook.app/Facebook

2. Patch App

// on Tab 3

git clone https://github.com/phwd/OneForAllFacebook

// on Tab 3

scp -P 2223 root@localhost:"Facebook.decrypted FBSharedFramework.decrypted MobileConfig.decrypted" .

mv Facebook.decrypted Payload/Facebook.app/Facebook

mv FBSharedFramework.decrypted Payload/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework

mv MobileConfig.decrypted Payload/Facebook.app/Frameworks/MobileConfig.framework/MobileConfig

ls Payload/

zip -r app.zip Payload/

mv app.zip app.ipa

cp app.ipa OneForAllFacebook/IPAPatch.xcodeproj/

cp app.ipa OneForAllFacebook/Assets/app.ipa

open OneForAllFacebook/IPAPatch.xcodeproj

Build the app in Xcode. The patched app will then be installed on the phone.
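A check for the three .decrypted files copied back in step 2, before they are moved into Payload/: this added example (not code from the original post or from the OneForAllFacebook project) reads the cryptid field of each Mach-O slice, where 0 marks a slice as not encrypted and 1 as still encrypted. The function names and the sample header are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def thin_cryptid(data, base):
    """cryptid of the little-endian Mach-O image at `base`, or None if it has no encryption command."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian Mach-O image at offset {base}")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # size of mach_header(_64)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > min(end, len(data)):
            raise ValueError("load commands run past the header")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            return struct.unpack_from("<I", data, off + 16)[0]
        off += cmdsize
    return None

def cryptids(data):
    """Map each slice offset to its cryptid (0 = not encrypted, 1 = still encrypted)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return {0: thin_cryptid(data, 0)}
    (nfat,) = struct.unpack_from(">I", data, 4)
    result = {}
    for i in range(nfat):
        # fat_arch (big-endian): cputype, cpusubtype, offset, size, align
        offset = struct.unpack_from(">I", data, 8 + 20 * i + 8)[0]
        result[offset] = thin_cryptid(data, offset)
    return result

def sample_macho(cryptid):
    """Constructed 64-bit Mach-O header with one LC_ENCRYPTION_INFO_64 (not a real app)."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, cryptids(f.read()))
```

Saved under any file name, the script takes the .decrypted files as arguments and prints one cryptid per slice; in a fat file, only the slice that was running on the device is expected to read 0.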

Ref

GitHub - phwd/OneForAllFacebook
