ios app 砸壳

  这里介绍使用dumpdecrypted砸壳。原理是用DYLD_INSERT_LIBRARIES这个环境变量加载脱壳的动态链接库dumpdecrypted.dylib

  1.ssh连接上越狱的机器,输入密码alpine

    ssh root@192.168.7.116

  2.打开要砸的app,ps aux | grep var找到它的目录

    yigewangde-iPhone:~ root# ps aux | grep var

    mobile    1118   0.0  1.0  1139072   9684   ??  Ss   Wed10AM   5:30.70 /var/containers/Bundle/Application/BCC24500-0986-4343-A287-7BAF60B33E60/WeChat.app/WeChat

    root      1913   0.0  0.1   537488    568 s000  S+    9:50AM   0:00.02 grep var

    root       474   0.0  0.2   707792   1676   ??  Ss   Tue04PM   0:00.47 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations

    mobile    1902   0.0  4.8   900736  47580   ??  Us    9:50AM   0:03.69 /var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk

    我们拿DingTalk开刀。

  3.用scp把dumpdecrypted.dylib 拷贝到 /usr/lib目录下

    scp dumpdecrypted.dylib root@192.168.7.116:/usr/lib

  4.切换到mobile用户

    su mobile

  5.切换到/var/mobile/Documents这个目录

    cd /var/mobile/Documents

  6.开始砸壳

    DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk

 

    mach-o decryption dumper

 

    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

 

    [+] detected 64bit ARM binary in memory.

    [+] offset to cryptid found: @0x100084cf8(from 0x100084000) = cf8

    [+] Found encrypted data at address 00004000 of length 40534016 bytes - type 1.

    [+] Opening /private/var/containers/Bundle/Application/249A5309-8F1A-4C4A-93FD-E48EEAE00C95/DingTalk.app/DingTalk for reading.

    [+] Reading header

    [+] Detecting header type

    [+] Executable is a plain MACH-O image

    [+] Opening DingTalk.decrypted for writing.

    [+] Copying the not encrypted start of the file

    [+] Dumping the decrypted data into the file

    [+] Copying the not encrypted remainder of the file

    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8

    [+] Closing original file

    [+] Closing dump file

  7.over了。在/var/mobile/Documents下就可以看到了

 然后来看一下怎么重新签名,这样就可以安装到没有越狱的手机 上了。

    1.先到appstore下载到对应的ipa,我是用ituns下载到电脑上的。

    2.解压缩

    3.找到payload里的压缩包,显示包内容

    4.把里面的可执行文件替换为我们的解压缩的内容

    5.用ios app signer重新签名,会生成 新的ipa

posted on 2016-08-26 10:12  各各他  阅读(1322)  评论(0编辑  收藏  举报

导航