iOS App Decryption (APP砸壳)
Author: 马克吐温Coder | Published 2019-07-26 17:08
    1. A jailbroken iPhone, with OpenSSH and Cycript installed from Cydia.
    2. dumpdecrypted, the library that is injected into the running app to dump its decrypted code (download the source, unpack it, cd into the directory and run make; this produces dumpdecrypted.dylib).
    3. class-dump, to recover the Objective-C class declarations from the dumped binary (download and unpack it, copy the class-dump binary to /usr/local/bin, then make it executable with sudo chmod +x /usr/local/bin/class-dump; the path must be the one you copied it to, and execute permission is all it needs, chmod 777 is unnecessary).
    4. Connect from the Mac to the phone over SSH: ssh root@192.168.20.249 (use your phone's Wi-Fi address; the jailbreak's default root password is alpine, change it).
    5. Once connected, run ps -e | grep var in that terminal to list the processes running on the phone (ideally quit every other app so that only the app you want to dump is running). App binaries live under /var/mobile/Containers/Bundle/Application, which is why filtering on var finds them. Note the target app's PID and executable path; both are needed below.

    This is what my terminal showed:

    63 ??        0:00.01 /bin/sh ./var/root/Library/HCherryex/sshh
    355 ??       0:00.03 /var/root/Library/HCherryex/HCherryex
    360 ??       0:00.08 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
    1022 ??      0:04.24 /var/mobile/Containers/Bundle/Application/BD1541B0-F48A-4553-943D-EF49012EE76C/DingTalk.app/DingTalk
    1051 ??      0:00.08 /private/var/root/Media/MIService/MIService
    1236 ??      0:09.76 /var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat
    1279 ttys000 0:00.01 grep var
    
    6. Run cycript -p 1236 (the PID of the target process from step 5) to attach to the app and enter the cycript console.
    7. Bring the app to the foreground on the phone, then evaluate [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] in cycript. This returns the Documents directory inside the app's data container (sandbox); save it, together with the executable path from step 5.
    8. Open a second terminal on the Mac and copy the dylib into that Documents directory: scp /Users/mk/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.20.249:/var/mobile/Containers/Data/Application/EBEEC7CB-E1C6-4810-99AC-64AB329A9D4B/Documents/

    That is: scp <path to dumpdecrypted.dylib> root@<phone IP>:<the app's Documents directory>

    9. In the SSH session, cd into that Documents directory (dumpdecrypted writes the dump into the current directory, and the relative dylib name below is resolved against it), then start the app binary with the library injected: DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat
    [+] detected 64bit ARM binary in memory.
    [+] offset to cryptid found: @0x100090ca8(from  0x100090000) = ca8
    [+] Found encrypted data at address 00004000 of length 59965440 bytes - type 1.
    [+] Opening /private/var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a FAT image - searching for right architecture
    [+] Correct arch is at offset 66879488 in the file
    [+] Opening WeChat.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3fc8ca8
    [+] Closing original file
    [+] Closing dump file
    

    Running ls in the same directory now shows WeChat.decrypted, the decrypted WeChat binary. Note from the log that only the architecture that was actually running (the 64-bit ARM slice at file offset 66879488) has been decrypted; the other slices of the FAT file are copied as they were.

    10. Back in the Mac terminal, copy the file to the desktop:

    scp root@192.168.20.249:/var/mobile/Containers/Data/Application/EBEEC7CB-E1C6-4810-99AC-64AB329A9D4B/Documents/WeChat.decrypted ~/Desktop
    11. Run class-dump on the decrypted binary to generate header files for WeChat's Objective-C classes (class-dump reads Objective-C runtime metadata and emits class, method and property declarations, not source code; on a FAT dump, point it at the slice that was decrypted with --arch arm64):

    class-dump -H /Users/mk/Desktop/WeChat.decrypted -o /Users/mk/Desktop/WeChat
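Before handing the dump to class-dump it is worth confirming that it really is decrypted. dumpdecrypted's last log line in step 9 says it set LC_ENCRYPTION_INFO->cryptid to 0 at file offset 3fc8ca8; that field can be read back from the file on the Mac. The script below is an added example, not part of the original post and not code from the dumpdecrypted or class-dump projects. It parses a thin or FAT Mach-O, locates LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 in every slice and reports cryptoff, cryptsize and cryptid (1 means the pages are still encrypted, 0 means they are plaintext). The file path is taken from argv[1]; when none is given it runs against a constructed minimal Mach-O built by build_sample, which is test input and not a real app binary.

```python
"""Report whether a Mach-O binary (thin or FAT) still carries encrypted pages."""
import struct
import sys

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, little/big endian
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header, little/big endian
FAT_MAGIC = 0xCAFEBABE                             # fat header is always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def slices(data):
    """Yield (file_offset, size) for every architecture slice; a thin file is one slice."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align
            _, _, offset, size, _ = struct.unpack(">iiIII", data[8 + i * 20:28 + i * 20])
            yield offset, size
    else:
        yield 0, len(data)


def encryption_info(data, base):
    """Walk the load commands of the Mach-O header at `base` and return the fields of
    LC_ENCRYPTION_INFO(_64), or None when the slice has no encryption command at all."""
    magic = struct.unpack("<I", data[base:base + 4])[0]
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        header_size = 32          # mach_header_64 has a trailing reserved field
    elif magic in (MH_MAGIC, MH_CIGAM):
        header_size = 28
    else:
        raise ValueError("no Mach-O header at file offset %#x" % base)
    end = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">"
    ncmds, sizeofcmds = struct.unpack(end + "II", data[base + 16:base + 24])
    pos, limit = base + header_size, base + header_size + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > limit:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack(end + "II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both commands start with: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack(end + "III", data[pos + 8:pos + 20])
            return {"slice_offset": base, "cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cryptid_offset": pos + 16}
        pos += cmdsize
    return None


def scan(data):
    """Encryption info per slice (None for a slice that was never encrypted)."""
    return [encryption_info(data, off) for off, _ in slices(data)]


def is_decrypted(data):
    """True when no slice still has cryptid != 0, which is what a good dump looks like."""
    return all(info is None or info["cryptid"] == 0 for info in scan(data))


def clear_cryptid(data):
    """Return a copy with every cryptid zeroed: the header edit dumpdecrypted reports in its
    '[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0' line. By itself this only claims the
    file is plaintext; it is meaningful once the encrypted pages have been overwritten with
    the bytes dumped from the running process."""
    out = bytearray(data)
    for info in scan(data):
        if info is not None:
            struct.pack_into("<I", out, info["cryptid_offset"], 0)  # zero is endian-neutral
    return bytes(out)


def build_sample(cryptid, fat=False):
    """Constructed test input (not a real app): a minimal arm64 Mach-O whose only load
    command is LC_ENCRYPTION_INFO_64, optionally wrapped in a one-slice FAT header with
    the slice placed at offset 0x1000 so slice and file offsets differ."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    thin = hdr + lc
    if not fat:
        return thin
    fat_hdr = struct.pack(">II", FAT_MAGIC, 1)
    fat_hdr += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 0x1000, len(thin), 12)
    return fat_hdr.ljust(0x1000, b"\0") + thin


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1, fat=True)
    for info in scan(blob):
        if info is None:
            print("slice: no LC_ENCRYPTION_INFO, never encrypted")
            continue
        print("slice @%#x: cryptid=%d cryptoff=%#x cryptsize=%d (cryptid field at file offset %#x)"
              % (info["slice_offset"], info["cryptid"], info["cryptoff"],
                 info["cryptsize"], info["cryptid_offset"]))
    print("decrypted" if is_decrypted(blob) else "STILL ENCRYPTED")
```

Run it as python3 checkcrypt.py ~/Desktop/WeChat.decrypted. The cryptid file offset it prints should agree with the dumpdecrypted log: 66879488 (the slice offset, 0x3FC8000) plus 0xca8 (the offset of cryptid inside the slice) is 0x3fc8ca8, exactly the offset in the "[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0" line. On macOS, otool -l WeChat.decrypted | grep -A4 LC_ENCRYPTION_INFO gives the same cryptid value with no script. A slice that still reports cryptid=1 means the dump was taken from a different architecture than the one you are about to feed to class-dump.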

Article URL: https://www.haomeiwen.com/subject/lnddrctx.html