一.準備工作
(1)編譯dumpdecrypted
下載之後,cd到dumpdecrypted-master下,執行make指令,在當前目錄下生成dumpdecrypted.dylib,關注一下,之後會複製到手機中進行砸殼。
(2)手機上安裝openssh,cycript
在手機上通過Cydia軟體安裝openssh,cycript軟體。
(3)PC上安裝cycript
點選Download SDK下載
解壓之後,轉移到opt資料夾中,如下圖:
如果想要在任意路徑能夠執行cycript指令,需要進行如下配置:
cd ~
vi .bash_profile
複製程式碼在.bash_profile中增加絕對路徑
export cycript_path="/opt/cycript_0.9.594"
PATH=$PATH:$cycript_path
複製程式碼使配置生效
source .bash_profile
複製程式碼驗證是否生效
cycript
#cy
複製程式碼出現#cy即生效。
如果是使用iTerm2+oh my zsh組合,可以在.zshrc配置檔案中匯入source .bash_profile,這樣可以一勞永逸,不用每次都執行source指令。
cd ~
vim ~/.zshrc
複製程式碼在下圖中位置新增source .bash_profile指令,:wq儲存退出即可。
如果cycript安裝失敗,出現如下錯誤:
dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
Referenced from: /Users/devzkn/Downloads/cycript_0.9.594/Cycript.lib/cycript-apl
Reason: image not found
複製程式碼請參照文章配置cycript環境變數結合Ruby環境。
(4)PC上安裝class-dump
雙擊之後,將class-dump檔案轉移到/usr/bin
sudo cp class-dump /usr/bin
複製程式碼測試是否成功
~ » class-dump tingdongli@TINGDONGLI-MC1
class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>
where options are:
-a show instance variable offsets
-A show implementation addresses
--arch <arch> choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
-C <regex> only display classes matching regular expression
-f <str> find string in method name
-H generate header files in current directory, or directory specified with -o
-I sort classes, categories, and protocols by inheritance (overrides -s)
-o <dir> output directory used for -H
-r recursively expand frameworks and fixed VM shared libraries
-s sort classes and categories by name
-S sort methods by name
-t suppress header in output, for testing
--list-arches list the arches in the file, then exit
--sdk-ios specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
--sdk-mac specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
--sdk-root specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)
------------------------------------------------------------
~ »
複製程式碼二.連線手機
1.確保PC和手機在同一個區域網中,openSSH的root密碼預設為alpine。
ssh root@192.168.1.x
複製程式碼2.執行ps -e,定位到想要砸殼的XXX.app
ps -e
複製程式碼3.執行cycript -p XXX,在#cy之後輸入:
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
複製程式碼定位到目標app的Documents路徑,記錄下來,記為A路徑,將上文中生成的dumpdecrypted.dylib複製到A路徑中
scp dumpdecrypted.dylib root@192.168.1.x:A路徑
複製程式碼三.砸殼
1.開始砸殼,執行指令
DYLD_INSERT_LIBRARIES=A路徑/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX(ps -e中的app 路徑)
複製程式碼列印結果如下,說明砸殼成功:
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10003cb68(from 0x10003c000) = b68
[+] Found encrypted data at address 00004000 of length 180224 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 245760 in the file
[+] Opening SimpleNote.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3cb68
[+] Closing original file
[+] Closing dump file
複製程式碼2.砸殼後的XXX.decrypted檔案拷貝到電腦上
scp root@192.168.1.x:/var/root/XXX.decrypted /PC上任意路徑
複製程式碼四.class-dump
執行
class-dump --arch armv7 -H XXX.decrypted -o ./
複製程式碼即可提取出App的標頭檔案進行分析。