APP砸壳

工具

class-dump
dumpdecrypted
一部越狱手机
OpenSSH(Cydia)
Cycript(Cydia)
adv-cmds(Cydia)

步骤

1.用ssh进入连上的iPhone(确保iPhone和Mac在同一个网段)。OpenSSH的root密码默认为alpine。

ssh root@192.168.2.10

2.关闭所有后台app，仅保持需要破解的app在后台，输入命令ps -e，找到app的bundle地址,如6429行所示

 6408 ??         0:00.40 /usr/libexec/ptpd -t usb
 6429 ??         0:01.44 /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX
 6448 ??         0:00.28 sshd: root@ttys000
 6450 ttys000    0:00.05 -sh
 6487 ttys000    0:00.01 ps -e

3.使用cycript命令，找到目标app的Documents路径，输入cycript -p XXX

v2panda-iPhone-5s:~ root# cycript -p XXX
cy#

在cy#后键入

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

如图，记录下Documents地址，ctrl+z退出

v2panda-iPhone-5s:~ root# cycript -p XXX
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/"
cy#

4.将生成的将dumpdecrypted.dylib拷贝到Documents目录下

scp dumpdecrypted.dylib root@192.168.2.10:/var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/
root@192.168.2.10's password:
dumpdecrypted.dylib                                                                                          100%  193KB 192.9KB/s   00:00

5.开始砸壳，使用以下命令，会在当前目录下生成XXX.decrypted砸壳后的文件。

DYLD_INSERT_LIBRARIES=/path/to/dumpdecrypted.dylib /path/to/executable

具体的为

v2panda-iPhone-5s:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10003cb68(from 0x10003c000) = b68
[+] Found encrypted data at address 00004000 of length 180224 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 245760 in the file
[+] Opening SimpleNote.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3cb68
[+] Closing original file
[+] Closing dump file
v2panda-iPhone-5s:~ root#

6.将砸壳后的XXX.decrypted文件拷贝到电脑上。

scp root@192.168.2.10:/var/root/XXX.decrypted /Users/v2panda/Apps
root@192.168.2.10's password:
XXX.decrypted                                                                                         100%  507KB 253.7KB/s   00:02

7.classdump之

./class-dump -s -S -H ./XXX.decrypted -o ./sn

这里以微信为例，7000+的文件。

WeChat.png

后记

这里简单记录下App砸壳的有关步骤,更多详细内容以及后续开发可到iOSRE查看。