iOS app decryption dump (砸壳)

1. Use sftp to copy the following files onto the phone:

cycript (unpacked)

dumpdecrypted.dylib (download the source and build it with make)

2. ps -e to find the target process x

3. cycript -p x

4. [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
to get the target app's Documents directory, then copy dumpdecrypted.dylib into that directory and press Ctrl+D to exit cycript

5. su mobile to switch user (important)

6. cd into that Documents directory and run DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/xxxx/xxxx (path to the executable)
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100028cf8(from 0x100028000) = cf8
[+] Found encrypted data at address 00004000 of length 59457536 bytes – type 1.
[+] Opening /private/var/containers/Bundle/Application/176519AE-E905-4E0F-A718-3C7B1B96A6E3/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file

Output file name: xxxx.decrypted
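To confirm what step 6 actually produced, here is an added Python checker (my own code, not from the post or the dumpdecrypted project) that walks the load commands of a thin 64-bit Mach-O, finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reports the cryptid together with the file offset of that field: the App Store copy shows cryptid=1 (the __TEXT range is still FairPlay-encrypted), the xxxx.decrypted dump should show cryptid=0, and the reported offset can be cross-checked against the "offset to cryptid found ... = cf8" line in the tool output above. The script name check_cryptid.py and the built-in sample headers are constructed for the example; fat/universal files are out of scope and are rejected.

```python
#!/usr/bin/env python3
"""Report the LC_ENCRYPTION_INFO(_64) cryptid of a thin 64-bit Mach-O image.

Added example, not code from the post or the dumpdecrypted project.
Usage: python3 check_cryptid.py WeChat.decrypted   (run with no argument
to see the constructed samples instead).
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF           # little-endian 64-bit Mach-O
MH_HEADER_64_SIZE = 32             # sizeof(struct mach_header_64)
LC_ENCRYPTION_INFO = 0x21          # 32-bit variant (20 bytes, no pad)
LC_ENCRYPTION_INFO_64 = 0x2C       # 64-bit variant (24 bytes, trailing pad)


def find_cryptid(data: bytes):
    """Walk the load commands and return a dict describing the encryption
    command, or None if the image carries no LC_ENCRYPTION_INFO(_64).

    Raises ValueError for anything that is not a thin little-endian 64-bit
    Mach-O (fat/universal files must be split into slices first).
    """
    if len(data) < MH_HEADER_64_SIZE:
        raise ValueError("file too small to hold a mach_header_64")
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O (magic 0x%08x)" % magic)
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    ncmds, = struct.unpack_from("<I", data, 16)
    off = MH_HEADER_64_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {
                "cryptid": cryptid,
                "cryptoff": cryptoff,
                "cryptsize": cryptsize,
                "cryptid_offset": off + 16,   # file offset of the cryptid field itself
            }
        off += cmdsize
    return None


def is_encrypted(data: bytes) -> bool:
    """True when the image still has a non-zero cryptid (FairPlay-encrypted __TEXT)."""
    info = find_cryptid(data)
    return info is not None and info["cryptid"] != 0


def build_sample(cryptid: int) -> bytes:
    """Constructed minimal Mach-O header (not a real app): one LC_UUID followed
    by one LC_ENCRYPTION_INFO_64, so the parser has a command to skip and one to find."""
    LC_UUID = 0x1B
    CPU_TYPE_ARM64 = 0x0100000C
    MH_EXECUTE = 2
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, len(cmds), 0, 0)
    return header + cmds


def describe(data: bytes) -> str:
    """Human-readable one-line verdict for a Mach-O image."""
    info = find_cryptid(data)
    if info is None:
        return "no LC_ENCRYPTION_INFO: image was never FairPlay-encrypted"
    state = "ENCRYPTED" if info["cryptid"] else "decrypted (plain image)"
    return "cryptid=%d (%s) at file offset 0x%x; encrypted range 0x%x..0x%x" % (
        info["cryptid"], state, info["cryptid_offset"],
        info["cryptoff"], info["cryptoff"] + info["cryptsize"])


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        # No path given: demonstrate on the constructed samples
        print("store copy :", describe(build_sample(1)))
        print("dump       :", describe(build_sample(0)))
```

Running it on both the original executable and the .decrypted output side by side is the quickest way to tell a successful dump from a copy that was written while the process was still attached to the wrong user or the wrong binary: the cryptoff/cryptsize range stays the same, only cryptid changes from 1 to 0.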
