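Preparation
1. A Mac and a jailbroken iPhone
For jailbreaking iOS 11.0~11.4, see (Tutorial: Jailbreaking iOS 11.2 with nuc0ver on macOS)
2. dumpdecrypted and the related tools (click here to download)
3. Make sure OpenSSH is installed on the jailbroken iPhone; for installing SSH, see "Remote Login from Mac to iPhone: SSH"
4. Connect the computer and the phone to the same Wi-Fi network and look up the iPhone's IP address
Decrypting the app
1. Connect to the iPhone over SSH: open a terminal and enter the following command, replacing the IP with your iPhone's IP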
ssh root@192.168.101.10
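If you get the error "ssh: connect to host 192.168.10.122 port 22: Connection refused",
see the article "Using ssh on Mac".
Using the RSA key generated on the Mac, type yes at the prompt, then enter the password alpine (the default OpenSSH password); if you have changed it, enter your new password instead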
Mac:~my$ ssh root@192.168.101.10
The authenticity of host '192.168.101.10 (192.168.101.10)' can't be established.
RSA key fingerprint is SHA256:stcXcTeLw9G3hKuJPBPEXyEk5fnUF/1hDasD0e9iwRQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.101.10' (RSA) to the list of known hosts.
root@192.168.101.10's password:
bill-5s:~ root# ls
Application\ Support/ Library/ Media/
bill-5s:~ root#
2. Open the app you want to decrypt, then list the running processes in the SSH session; WeRead is used as the example here
ps -e
bill-5s:~ root# ps -e
757 ?? 0:00.46 /usr/libexec/mmaintenanced
792 ?? 0:00.26 sshd: root@ttys i
800 ?? 0:01.82 /Applications/MobileSMS.app/MobileSMS
801 ?? 0:06.46 /var/containers/Bundle/Application/EDD6F240-9C62-45E5-B199-C41FE7827BA3/WeRead.app/WeRead
805 ?? 0:00.36 /System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
794 ttys000 0:00.13 -sh
810 ttys000 0:00.03 ps -e
bill-5s:~ root#
You can see that the WeRead process ID is 801
3. Attach to the process
cycript -p 801
4. Look up the path of the app's Documents directory
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
@"/var/mobile/Containers/Data/Application/20D60405-48D5-4693-97BB-03B889312ADE/Documents"
cy#
5. Copy the prepared dumpdecrypted.dylib file into the Documents directory using the scp command
ws-MacBook-Pro:crack file wn$ scp dumpdecrypted.dylib root@192.168.1.5:/var/mobile/Containers/Data/Application/20D60405-48D5-4693-97BB-03B889312ADE/Documents
root@192.168.1.5's password:
dumpdecrypted.dylib 100% 193KB 953.5KB/s 00:00
ws-MacBook-Pro:crack file wn$
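Steps 2 and 3 read the PID off the ps -e listing by eye. The following is an added example, not part of the original post, that extracts the PID and the bundle container UUID of an installed app from that listing; the function names list_app_procs and app_pid are hypothetical, and the "PID TTY TIME COMMAND" column layout is assumed from the session shown above.

```shell
#!/bin/sh
# Added example (not from the original post): pick app PIDs out of `ps -e`.
# Assumes the "PID TTY TIME COMMAND" column layout shown in step 2.

# Print "PID<TAB>container-UUID<TAB>Name.app" for every process whose
# executable lives under /var/containers/Bundle/Application/.
list_app_procs() {
  awk '
    {
      # Rebuild the command from field 4 onward (paths may contain spaces).
      cmd = $4
      for (i = 5; i <= NF; i++) cmd = cmd " " $i
      if (cmd !~ /^\/var\/containers\/Bundle\/Application\//) next
      # parts: "", var, containers, Bundle, Application, UUID, Name.app, ...
      n = split(cmd, parts, "/")
      if (n < 8 || parts[7] !~ /\.app$/) next
      printf "%s\t%s\t%s\n", $1, parts[6], parts[7]
    }'
}

# Print the PID of exactly one running instance of the given bundle
# (e.g. WeRead.app); return non-zero if it is not running or is ambiguous.
app_pid() {
  list_app_procs | awk -F '\t' -v bundle="$1" '
    $3 == bundle { pid = $1; n++ }
    END { if (n != 1) exit 1; print pid }'
}

# Constructed sample input, copied from the ps -e listing in step 2.
SAMPLE_PS='  757 ??         0:00.46 /usr/libexec/mmaintenanced
  792 ??         0:00.26 sshd: root@ttys i
  800 ??         0:01.82 /Applications/MobileSMS.app/MobileSMS
  801 ??         0:06.46 /var/containers/Bundle/Application/EDD6F240-9C62-45E5-B199-C41FE7827BA3/WeRead.app/WeRead
  805 ??         0:00.36 /System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
  794 ttys000    0:00.13 -sh
  810 ttys000    0:00.03 ps -e'

# Usage on the sample:  printf '%s\n' "$SAMPLE_PS" | app_pid WeRead.app
# Usage on a live listing from the Mac:  ssh root@<iPhone IP> ps -e | app_pid WeRead.app
```

Built-in apps under /Applications, such as MobileSMS, are deliberately not matched, so only App Store bundles are listed.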