这里介绍使用dumpdecrypted砸壳。原理是用DYLD_INSERT_LIBRARIES这个环境变量加载脱壳的动态链接库dumpdecrypted.dylib
1.ssh连接上越狱的机器,输入密码alpine
2.打开要砸的app,ps aux | grep var找到它的目录
yigewangde-iPhone:~ root# ps aux | grep var
mobile 1118 0.0 1.0 1139072 9684 ?? Ss Wed10AM 5:30.70 /var/containers/Bundle/Application/BCC24500-0986-4343-A287-7BAF60B33E60/WeChat.app/WeChat
root 1913 0.0 0.1 537488 568 s000 S+ 9:50AM 0:00.02 grep var
root 474 0.0 0.2 707792 1676 ?? Ss Tue04PM 0:00.47 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
mobile 1902 0.0 4.8 900736 47580 ?? Us 9:50AM 0:03.69 /var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk
我们拿DingTalk开刀。
3.用scp把dumpdecrypted.dylib 拷贝到 /usr/lib目录下
scp dumpdecrypted.dylib [email protected]:/usr/lib
4.切换到mobile用户
su mobile
5.切换到/var/mobile/Documents这个目录
cd /var/mobile/Documents
6.开始砸壳
DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100084cf8(from 0x100084000) = cf8
[+] Found encrypted data at address 00004000 of length 40534016 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening DingTalk.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
7.over了。在/var/mobile/Documents下就可以看到了
然后来看一下怎么重新签名,这样就可以安装到没有越狱的手机 上了。
1.先到appstore下载到对应的ipa,我是用ituns下载到电脑上的。
2.解压缩
3.找到payload里的压缩包,显示包内容
4.把里面的可执行文件替换为我们的解压缩的内容
5.用ios app signer重新签名,会生成 新的ipa