$ ssh root@192.168.4.166  # SSH into the phone over Wi-Fi; the factory root password of a jailbroken iOS device is alpine
Change it with passwd right after the first login (for the mobile user as well): as long as the default stands, anyone on the same Wi-Fi can log in as root.
SSH: how the client stores the server's host key
- Client side: the server's public host key is recorded in
~/.ssh/known_hosts
- Server side: the SSH host key pair
2.1 public key: /etc/ssh/ssh_host_rsa_key.pub
2.2 private key: /etc/ssh/ssh_host_rsa_key
- The "POSSIBLE MAN-IN-THE-MIDDLE ATTACK" warning means the key the server presented does not match the key recorded for that IP (or [IP]:port). Before deleting the stale entry, make sure the change has an explanation you know about (the device was rejailbroken or OpenSSH reinstalled, a different device now sits on that IP, or a different device is behind the same USB-forwarded port). A connection through the USB tunnel is recorded as its own entry, [127.0.0.1]:10010.
3.1 Fix 1: vim ~/.ssh/known_hosts
delete the line for that IP (dd deletes the current line in vim)
3.2 Fix 2: ssh-keygen -R 192.168.4.166
192.168.4.166 is the server IP; for a non-default port use ssh-keygen -R '[127.0.0.1]:10010'
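Before deleting a known_hosts line it is worth checking whether the "changed" key is one already trusted under another name: the phone gets one entry as 192.168.4.166 over Wi-Fi and another as [127.0.0.1]:10010 through the USB tunnel, and a different device reusing either address produces the same warning. The Python below is an added example, not part of these notes and not OpenSSH code: it parses known_hosts, computes the SHA256 fingerprint ssh prints, lists every name a given key is stored under, and removes an entry the way ssh-keygen -R does for unhashed lines. The key blobs and the file contents are constructed sample data, not real host keys.

```python
import base64
import hashlib

# Constructed sample keys: arbitrary blobs standing in for real key material.
# A real ssh-rsa blob is the wire-format public key; the fingerprint math is the same.
KEY_PHONE = base64.b64encode(b"constructed-host-key-blob-for-the-jailbroken-iphone").decode()
KEY_OTHER = base64.b64encode(b"constructed-host-key-blob-for-some-other-server").decode()

# Constructed ~/.ssh/known_hosts: the phone recorded twice (Wi-Fi IP and USB tunnel
# on port 10010), one unrelated host with two names, and one hashed (|1|) line.
SAMPLE_KNOWN_HOSTS = f"""# comment line
192.168.4.166 ssh-rsa {KEY_PHONE}
[127.0.0.1]:10010 ssh-rsa {KEY_PHONE}
example.net,203.0.113.7 ssh-ed25519 {KEY_OTHER}
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa {KEY_OTHER}
"""


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Yield (line_number, hosts_field, key_type, key_b64) for every key line.
    A leading @marker (@cert-authority, @revoked) is skipped; comments are ignored."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield lineno, fields[0], fields[1], fields[2]


def _names_match(hosts_field, host, port):
    """known_hosts names an entry 'host' for port 22 and '[host]:port' otherwise.
    Hashed (|1|...) names cannot be matched here; ssh-keygen -F / -R handles those."""
    if hosts_field.startswith("|1|"):
        return False
    wanted = host if port == 22 else "[%s]:%d" % (host, port)
    return wanted in hosts_field.split(",")


def entries_for(text, host, port=22):
    """All recorded key lines for host[:port]."""
    return [e for e in parse_known_hosts(text) if _names_match(e[1], host, port)]


def hosts_with_fingerprint(text, fp):
    """Every hosts field whose stored key has fingerprint fp. If the key from a MITM
    warning is already trusted under another name, it is the same box on a new
    address or port, not an attacker."""
    return [h for _, h, _, k in parse_known_hosts(text) if fingerprint(k) == fp]


def remove_host(text, host, port=22):
    """Equivalent of `ssh-keygen -R host` / `ssh-keygen -R '[host]:port'` for unhashed
    lines: returns (new_text, number_of_lines_removed)."""
    doomed = {e[0] for e in entries_for(text, host, port)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in doomed]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else ""), len(doomed)


if __name__ == "__main__":
    fp = fingerprint(KEY_PHONE)
    print("phone host key", fp, "is stored as:", hosts_with_fingerprint(SAMPLE_KNOWN_HOSTS, fp))
    new_text, n = remove_host(SAMPLE_KNOWN_HOSTS, "192.168.4.166")
    print("removed %d line(s); tunnel entry still present: %s"
          % (n, bool(entries_for(new_text, "127.0.0.1", 10010))))
```

To use it on a real file, read ~/.ssh/known_hosts into text, take the SHA256:... fingerprint from the warning, and call hosts_with_fingerprint; an empty result means the key really is new to this client.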
SSH key-based client authentication
- Generate the client key pair:
ssh-keygen
1.1 public key: ~/.ssh/id_rsa.pub
1.2 private key: ~/.ssh/id_rsa (never leaves the client)
- Append the public key to the authorization file on the server
2.1 authorization file: ~/.ssh/authorized_keys
2.2 append the client's public key in one step: ssh-copy-id root@192.168.4.166
- Or append the client's public key manually
3.1 scp ~/.ssh/id_rsa.pub root@192.168.4.166:~/.ssh
copy the public key into the server's .ssh directory
3.2 cat id_rsa.pub >> authorized_keys
append the key to the authorized_keys file (run on the server, inside ~/.ssh)
3.3 rm id_rsa.pub
remove the copied public key file
sshd ignores authorized_keys unless the permissions are strict: chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys on the server. Once key login works, password login can be turned off in /etc/ssh/sshd_config (PasswordAuthentication no), which also retires the alpine default.
SSH login over USB
- Download the usbmuxd toolkit: https://cgit.sukimashita.com/usbmuxd.Git/snapshot/usbmuxd-1.0.8.tar.gz
- Forward the iPhone's port 22 to port 10010 on the Mac
python Desktop/USB/tcprelay.py -t 22:10010
- Log in to the iPhone
ssh root@localhost -p 10010
- Note: step 2 must be running (leave it in its own terminal) before step 3; the forwarding lasts only as long as tcprelay.py does.
Cycript basics
- Start
1.1 cycript
1.2 cycript -p <PID>
1.3 cycript -p <process name> (recommended)
- Quit
Control+D
- Variables
var app = UIApp.keyWindow
- Access an object by its memory address
#0x13f181290
- All Objective-C classes loaded by the app
ObjectiveC.classes
- Inspect an object's instance variables
*UIApp
or *#0x13f181290
- Recursively print a view's subview tree
recursiveDescription() (called on a view, e.g. UIApp.keyWindow.recursiveDescription())
- Find the live instances of a class on the heap
choose(UIViewController)
ps
ps -A
list all current processes; ps -A | grep music
filter for processes whose command line contains music (the grep itself shows up in the output too)
Installing a .deb
scp -P 10010 RevealLoader.deb root@localhost:/var/root/Media/Cydia/AutoInstall
Reboot the phone: Cydia installs packages dropped into AutoInstall during boot, so a respring with killall SpringBoard alone is not enough
Dumping decrypted binaries (removing the App Store encryption)
- Check whether the binary is encrypted: MachOView -> Load Commands -> LC_ENCRYPTION_INFO(_64) -> Crypt ID: 0 means not encrypted
- Same check from the terminal
otool -l To-Do | grep crypt
cryptid 0 means not encrypted; cryptid 1 means the __TEXT segment is still FairPlay-encrypted and has to be dumped from a running process; a fat binary prints one cryptid per architecture
- Clutch decryption tool
3.1 Download: https://github.com/KJCracks/Clutch/releases
3.2 Copy it to the phone's /usr/bin/
directory
3.3 Permissions: chmod +x /usr/bin/Clutch
- Dumpdecrypted decryption tool
4.1 Download: https://github.com/stefanesser/dumpdecrypted
4.2 Run make to build the dynamic library (dumpdecrypted.dylib)
4.3 Copy the resulting dylib to /var/root on the iPhone
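The otool check above reads one load command by eye. As an added example (not from the original notes, not Clutch or Dumpdecrypted code), the Python below does the same check directly on the file bytes for thin and fat Mach-O images: it locates LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reports cryptid, cryptoff and cryptsize per architecture slice, treating a slice with no encryption command at all as not encrypted. build_thin and build_fat construct minimal synthetic headers so the script runs offline; they are not real executables. On a device dump, call crypt_status(open(path, "rb").read()).

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin Mach-O, 32/64-bit
FAT_MAGIC = 0xCAFEBABE                               # fat container, big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def _thin_crypt_status(data, base=0):
    """Walk the load commands of one thin image at offset `base` and report its
    encryption command. cryptid None means the image carries no such command."""
    magic_le, = struct.unpack_from("<I", data, base)
    magic_be, = struct.unpack_from(">I", data, base)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        end, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        end, magic = ">", magic_be
    else:
        raise ValueError("no Mach-O header at offset %#x" % base)
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    cputype, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from(end + "6I", data, base + 4)
    off = base + (32 if magic == MH_MAGIC_64 else 28)
    status = {"cputype": CPU_NAMES.get(cputype, hex(cputype)),
              "cryptid": None, "cryptoff": None, "cryptsize": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from(end + "3I", data, off + 8)
            status.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
            break
        off += cmdsize
    return status


def crypt_status(data):
    """One status dict per architecture slice; fat binaries are split via the fat_arch table."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        result = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            result.append(_thin_crypt_status(data, offset))
        return result
    return [_thin_crypt_status(data)]


def is_encrypted(data):
    """True if any slice still has a non-zero cryptid, i.e. it must be dumped before analysis."""
    return any(s["cryptid"] for s in crypt_status(data))


# --- constructed test images (headers only, not runnable executables) -------------

def build_thin(cryptid, is64=True, cputype=CPU_TYPE_ARM64):
    """Minimal thin image: one mach_header followed by a single encryption command."""
    if is64:
        cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        hdr = struct.pack("<7I", MH_MAGIC, cputype, 0, 2, 1, len(cmd), 0)
    return hdr + cmd


def build_fat(*thins):
    """Minimal fat container with each slice on its own 4 KiB page."""
    archs, body = b"", b""
    for i, thin in enumerate(thins):
        cputype, = struct.unpack_from("<I", thin, 4)
        archs += struct.pack(">5I", cputype, 0, 0x1000 * (i + 1), len(thin), 12)
        body += thin.ljust(0x1000, b"\0")
    head = struct.pack(">2I", FAT_MAGIC, len(thins)) + archs
    return head.ljust(0x1000, b"\0") + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_fat(build_thin(0, is64=False, cputype=CPU_TYPE_ARM), build_thin(1))
    for s in crypt_status(data):
        print("%-6s cryptid %s  cryptoff %s  cryptsize %s"
              % (s["cputype"], s["cryptid"], s["cryptoff"], s["cryptsize"]))
    print("encrypted:", is_encrypted(data))
```

A binary dumped by Clutch or Dumpdecrypted should come back with cryptid 0 for every slice; if one slice still reports 1, that architecture was not decrypted and disassembling it will show garbage.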
Using Clutch
ahs-zjshebei:~ root# Clutch -i #list the installed apps Clutch can dump
Installed apps:
1: 京东-挑好物,上京东 <com.360buy.jdmobile>
2: 拼多多 <com.xunmeng.pinduoduo>
3: 爱思加强版 <com.pd.A4Player>
ahs-zjshebei:~ root# Clutch -d 3 #dump the decrypted executable of entry 3
Using Dumpdecrypted ⚠️ has a problem, still unresolved
ahs-zjshebei:~ root# ps -A | grep pin
1702 ?? 0:05.42 /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
1712 ttys000 0:00.01 grep pin
ahs-zjshebei:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/F3B24116-D9F7-4B4A-B500-B9E4F4689036/pinduoduo.app/pinduoduo
dyld: Symbol not found: ___chkstk_darwin
Referenced from: dumpdecrypted.dylib
Expected in: /usr/lib/libSystem.B.dylib
in dumpdecrypted.dylib
Trace/BPT trap: 5
ahs-zjshebei:~ root#
Theos
Installation
brew install ldid
- Edit .bash_profile
2.1 vim ~/.bash_profile
2.2 add the environment variables to .bash_profile
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
2.3 source ~/.bash_profile
to apply the environment variables
- Download theos
git clone --recursive https://github.com/theos/theos.git $THEOS
Create a Tweak with nic.pl
localhost:AQY zhangheng$ mkdir IQYTweak
localhost:AQY zhangheng$ cd IQYTweak/
localhost:IQYTweak zhangheng$ nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/activator_event
[2.] iphone/application_modern
[3.] iphone/application_swift
[4.] iphone/flipswitch_switch
[5.] iphone/framework
[6.] iphone/library
[7.] iphone/preference_bundle_modern
[8.] iphone/tool
[9.] iphone/tool_swift
[10.] iphone/tweak
[11.] iphone/xpc_service
Choose a Template (required): 10
Project Name (required): iqytweak
Package Name [com.yourcompany.iqytweak]: com.hy.iqy
Author/Maintainer Name [张恒]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.qiyi.iphone
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in iqytweak/...
Done.
Writing the Tweak configuration
Makefile
export THEOS_DEVICE_IP=127.0.0.1     # install through the USB tunnel (tcprelay 22:10010), not over Wi-Fi
export THEOS_DEVICE_PORT=10010
INSTALL_TARGET_PROCESSES = SpringBoard   # killed after install; the tweak itself loads into com.qiyi.iphone (the nic.pl bundle filter)
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = iqytweak
iqytweak_FILES = Tweak.x
iqytweak_CFLAGS = -fobjc-arc
include $(THEOS_MAKE_PATH)/tweak.mk
Tweak.x
// Logos: hook the target app's popup view class and refuse to create it, so the
// resource popup never appears. Returning nil from an initializer is legal in
// Objective-C; the caller ends up holding nil instead of a view.
%hook QYResourcePopView
- (id)initWithFrame:(struct CGRect)arg1 {
return nil;
}
%end
Build, package and install the tweak
make
make package
make install
localhost:iqytweak zhangheng$ make
> Making all for tweak iqytweak…
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (armv7)…
==> Linking tweak iqytweak (armv7)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/armv7/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64)…
==> Linking tweak iqytweak (arm64)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64/Tweak.x.m
==> Preprocessing Tweak.x…
==> Compiling Tweak.x (arm64e)…
==> Linking tweak iqytweak (arm64e)…
ld: warning: OS version (6.0.0) too small, changing to 7.0.0
ld: warning: building for iOS, but linking in .tbd file (/Users/zhangheng/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for iqytweak…
rm /Users/zhangheng/Desktop/AQY/IQYTweak/iqytweak/.theos/obj/debug/arm64e/Tweak.x.m
==> Merging tweak iqytweak…
==> Signing iqytweak…
localhost:iqytweak zhangheng$ make package
> Making all for tweak iqytweak…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak iqytweak…
dm.pl: building package `com.hy.iqy:iphoneos-arm' in `./packages/com.hy.iqy_0.0.1-6+debug_iphoneos-arm.deb'
localhost:iqytweak zhangheng$ make install
==> Installing…
The authenticity of host '[127.0.0.1]:10010 ([127.0.0.1]:10010)' can't be established.
RSA key fingerprint is SHA256:4p2uNUxuMsg7xdx45xlpzKzoCZy5NYR/gzyT9+qSxbo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10010' (RSA) to the list of known hosts.
Selecting previously deselected package com.hy.iqy.
(Reading database ... 5503 files and directories currently installed.)
Unpacking com.hy.iqy (from /tmp/_theos_install.deb) ...
Setting up com.hy.iqy (0.0.1-6+debug) ...
==> Unloading SpringBoard…
localhost:iqytweak zhangheng$
Dynamic debugging
- Setting up debugserver
debugserver
lives on the phone at /Developer/usr/bin (present once Xcode has mounted the developer disk image); copy it to the computer
- Entitlements
2.1 ldid -e debugserver > debugserver.entitlements
export the current entitlements
2.2 edit debugserver.entitlements
add get-task-allow
and task_for_pid-allow
(both boolean keys set to true) so debugserver is allowed to attach to other processes
2.3 re-sign with the new entitlements: ldid -Sdebugserver.entitlements debugserver
2.4 copy the re-signed debugserver
to the phone's /usr/bin/
directory
2.5 ⚠️ -sh: /usr/bin/debugserver: Permission denied
fix: chmod +x /usr/bin/debugserver
- Using debugserver
debugserver *:10011 -a WeChat
attach to the WeChat process and wait for a debugger on port 10011; * binds every interface, Wi-Fi included, so until a debugger connects anyone on the network can take control of the stopped process
localhost:usb zhangheng$ sh login.sh
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-340.3.51.1
for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
^C
ahs-zjshebei:~ root# debugserver *:10011 -a WeChat
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-340.3.51.1
for arm64.
Attaching to process WeChat...
Listening to port 10011 for a connection from *...
Waiting for debugger instructions for process 0.
- Using LLDB
- Forward the debugserver port over USB
python tcprelay.py -t 10011:10011
- Start LLDB and connect to the remote debugserver
lldb
process connect connect://localhost:10011
localhost:usb zhangheng$ lldb
(lldb) process connect connect://localhost:10011
Process 1180 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x000000019b8e4c30 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x19b8e4c30 <+8>: ret
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x19b8e4c34 <+0>: mov x16, #-0x20
0x19b8e4c38 <+4>: svc #0x80
0x19b8e4c3c <+8>: ret
Target 0: (WeChat) stopped.
(lldb) c
Process 1180 resuming
(lldb)