工具

步骤

1.用ssh进入连上的iPhone(确保iPhone和Mac在同一个网段)。OpenSSH的root密码默认为alpine

1
ssh root@192.168.2.10

2.关闭所有后台app,仅保持需要破解的app在后台,输入命令ps -e,找到app的bundle地址,如6429行所示

1
2
3
4
5
6408 ??         0:00.40 /usr/libexec/ptpd -t usb
6429 ?? 0:01.44 /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX
6448 ?? 0:00.28 sshd: root@ttys000
6450 ttys000 0:00.05 -sh
6487 ttys000 0:00.01 ps -e

3.使用cycript命令,找到目标app的Documents路径,输入cycript -p XXX

1
2
v2panda-iPhone-5s:~ root# cycript -p XXX
cy#

在cy#后键入

1
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

如图,记录下Documents地址,ctrl+z退出

1
2
3
4
v2panda-iPhone-5s:~ root# cycript -p XXX
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/"
cy#

4.将生成的将dumpdecrypted.dylib拷贝到Documents目录下

1
2
3
scp dumpdecrypted.dylib root@192.168.2.10:/var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/
root@192.168.2.10's password:
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00

5.开始砸壳,使用以下命令,会在当前目录下生成XXX.decrypted砸壳后的文件。

1
DYLD_INSERT_LIBRARIES=/path/to/dumpdecrypted.dylib /path/to/executable

具体的为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
v2panda-iPhone-5s:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/9491960B-BAE6-439A-B210-3B183AB657EF/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10003cb68(from 0x10003c000) = b68
[+] Found encrypted data at address 00004000 of length 180224 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 245760 in the file
[+] Opening SimpleNote.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3cb68
[+] Closing original file
[+] Closing dump file
v2panda-iPhone-5s:~ root#

6.将砸壳后的XXX.decrypted文件拷贝到电脑上。

1
2
3
scp root@192.168.2.10:/var/root/XXX.decrypted /Users/v2panda/Apps
root@192.168.2.10's password:
XXX.decrypted 100% 507KB 253.7KB/s 00:02

7.classdump之

1
./class-dump -s -S -H ./XXX.decrypted -o ./sn

这里以微信为例,7000+的文件。

WeChat.png

后记

这里简单记录下App砸壳的有关步骤,更多详细内容以及后续开发可到iOSRE查看。