I. Preparation
(1) Build dumpdecrypted
dumpdecrypted download link
After downloading, cd into dumpdecrypted-master and run make; this produces dumpdecrypted.dylib in the current directory. Keep track of this file: it will be copied to the phone later for dumping.
(2) Install OpenSSH and cycript on the phone
Install the openssh and cycript packages on the phone through Cydia.
(3) Install cycript on the PC
cycript download link
Click Download SDK to download it. After unpacking, move it into the /opt folder, as shown in the figure below:
If you want to be able to run the cycript command from any path, configure it as follows:
cd ~
vi .bash_profile
Add the absolute path to .bash_profile:
export cycript_path="/opt/cycript_0.9.594"
PATH=$PATH:$cycript_path
Apply the configuration:
source .bash_profile
Verify that it took effect:
cycript
#cy
If the #cy prompt appears, the configuration is working.
If you use the iTerm2 + oh my zsh combination, you can source .bash_profile from the .zshrc config file; that settles it once and for all, with no need to run source every time.
cd ~
vim ~/.zshrc
Add the line source .bash_profile at the position shown in the figure, then save and exit with :wq.
If cycript fails to start with the following error:
dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
Referenced from: /Users/devzkn/Downloads/cycript_0.9.594/Cycript.lib/cycript-apl
Reason: image not found
refer to the article on configuring cycript's environment variables together with the Ruby environment.
(4) Install class-dump on the PC
class-dump.dmg download
Double-click it, then move the class-dump binary into /usr/bin:
sudo cp class-dump /usr/bin
Test that it works:
~ » class-dump
class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>
where options are:
-a show instance variable offsets
-A show implementation addresses
--arch <arch> choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
-C <regex> only display classes matching regular expression
-f <str> find string in method name
-H generate header files in current directory, or directory specified with -o
-I sort classes, categories, and protocols by inheritance (overrides -s)
-o <dir> output directory used for -H
-r recursively expand frameworks and fixed VM shared libraries
-s sort classes and categories by name
-S sort methods by name
-t suppress header in output, for testing
--list-arches list the arches in the file, then exit
--sdk-ios specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
--sdk-mac specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
--sdk-root specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)
------------------------------------------------------------
~ »
II. Connect to the phone
1. Make sure the PC and the phone are on the same LAN. The default root password for OpenSSH is alpine.
ssh root@192.168.1.x
2. Run ps -e and locate the XXX.app you want to dump.
ps -e
3. Run cycript -p XXX and, after the #cy prompt, enter:
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
This returns the Documents path of the target app; write it down and call it path A. Copy the dumpdecrypted.dylib built above into path A:
scp dumpdecrypted.dylib root@192.168.1.x:<path A>
III. Dumping
1. Start the dump by running the following, where the executable path is the one shown by ps -e:
DYLD_INSERT_LIBRARIES=<path A>/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX
If the output looks like the following, the dump succeeded:
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[ ] detected 64bit ARM binary in memory.
[ ] offset to cryptid found: @0x10003cb68(from 0x10003c000) = b68
[ ] Found encrypted data at address 00004000 of length 180224 bytes - type 1.
[ ] Opening /private/var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX for reading.
[ ] Reading header
[ ] Detecting header type
[ ] Executable is a FAT image - searching for right architecture
[ ] Correct arch is at offset 245760 in the file
[ ] Opening SimpleNote.decrypted for writing.
[ ] Copying the not encrypted start of the file
[ ] Dumping the decrypted data into the file
[ ] Copying the not encrypted remainder of the file
[ ] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3cb68
[ ] Closing original file
[ ] Closing dump file
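The last lines of that output report that LC_ENCRYPTION_INFO->cryptid was reset to 0 in the dump file. The following Python checker is an added example (not from the original post and not part of dumpdecrypted) that walks the FAT header and Mach-O load commands and reports cryptoff, cryptsize and cryptid for each slice, so you can confirm that XXX.decrypted reads cryptid 0 while the original binary still reads 1. The sample blob it builds is constructed to mirror the values in the output above (a FAT file, encrypted range at 0x4000 of length 180224, cryptid 1); the load-command layouts are the standard ones from mach-o/loader.h.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C

def slices(data):
    """Yield (cputype, offset) for each architecture in a FAT or thin Mach-O."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:   # FAT header is big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat):                                # fat_arch is 5 x uint32
            cputype, _, offset, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            yield cputype, offset
    else:
        yield struct.unpack_from("<I", data, 4)[0], 0        # thin file: cputype at +4

def encryption_info(data, base=0):
    """Return (cryptoff, cryptsize, cryptid) from LC_ENCRYPTION_INFO(_64), or None."""
    magic, = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no thin Mach-O header at offset %#x" % base)
    ncmds, = struct.unpack_from("<I", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)        # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", data, off + 8)  # cryptoff, cryptsize, cryptid
        off += cmdsize
    return None

def is_encrypted(data):
    """True if any slice still carries cryptid != 0 (the dump did not complete)."""
    return any((encryption_info(data, off) or (0, 0, 0))[2] != 0 for _, off in slices(data))

def build_sample():
    """Constructed sample: one arm64 slice in a FAT wrapper, cryptid still set to 1."""
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 180224, 1, 0)
    mh = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(enc), 0, 0)
    fat = struct.pack(">II", FAT_MAGIC, 1)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x40, len(mh) + len(enc), 0)
    return fat.ljust(0x40, b"\0") + mh + enc                 # slice starts at 0x40

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for cputype, off in slices(blob):
        print("cputype %#x @ %#x: %s" % (cputype, off, encryption_info(blob, off)))
    print("still encrypted:", is_encrypted(blob))
```

Run it as `python3 checkcrypt.py XXX.decrypted` (script name assumed) on both the original executable and the dump; only the dump should report `still encrypted: False`.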
2. Copy the dumped XXX.decrypted file to the PC:
scp root@192.168.1.x:/var/root/XXX.decrypted <any path on the PC>
IV. class-dump
Run:
class-dump --arch armv7 -H XXX.decrypted -o ./
to extract the app's header files for analysis.