Decrypting an iOS app with dumpdecrypted, explained from scratch

I. Preparation

(1) Build dumpdecrypted

dumpdecrypted repository link

After downloading, cd into dumpdecrypted-master and run make. This produces dumpdecrypted.dylib in the current directory; keep track of it, since it is copied to the phone later to perform the dump.

(2) Install OpenSSH and Cycript on the phone

On the phone, install OpenSSH and Cycript through Cydia.

(3) Install cycript on the PC

cycript download link

Click "Download SDK" to download it.

After unpacking, move it into the /opt folder, as in the screenshot below:

[screenshot: cycript unpacked under /opt]

To be able to run the cycript command from any directory, configure it as follows:

cd ~
vi .bash_profile

Add the absolute path to .bash_profile:

export cycript_path="/opt/cycript_0.9.594"
PATH=$PATH:$cycript_path

Apply the configuration:

source .bash_profile

Verify that it took effect:

cycript
#cy

If the #cy prompt appears, it is working.

If you use iTerm2 together with oh my zsh, you can add source .bash_profile to the .zshrc configuration file; that settles it once and for all, so you do not have to run the source command every time.

cd ~
vim ~/.zshrc

Add the source .bash_profile line at the position shown in the screenshot below, then :wq to save and quit.

[screenshot: .zshrc with the source .bash_profile line added]

If cycript fails to run with the following error:

dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
  Referenced from: /Users/devzkn/Downloads/cycript_0.9.594/Cycript.lib/cycript-apl
  Reason: image not found

see the article "Configuring the cycript environment variables together with the Ruby environment".

(4) Install class-dump on the PC

class-dump.dmg download link

Double-click the image, then move the class-dump binary to /usr/bin:

[screenshot: class-dump.dmg contents]

sudo cp class-dump /usr/bin

Test that it works:

~ ? class-dump                                                                                tingdongli@TINGDONGLI-MC1
class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>

  where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
        -C <regex>     only display classes matching regular expression
        -f <str>       find string in method name
        -H             generate header files in current directory, or directory specified with -o
        -I             sort classes, categories, and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the arches in the file, then exit
        --sdk-ios      specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
        --sdk-mac      specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
        --sdk-root     specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)
------------------------------------------------------------
~ ?

II. Connecting to the phone

1. Make sure the PC and the phone are on the same LAN. The default root password of OpenSSH is alpine (change it with passwd once logged in: a jailbroken device that keeps the default password is reachable by anyone on that network).

ssh root@192.168.1.x

2. Run ps -e and locate the XXX.app you want to dump:

ps -e

3. Run cycript -p XXX and, at the #cy prompt, enter:

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

This returns the target app's Documents path. Write it down (call it path A) and copy the dumpdecrypted.dylib built above into path A:

scp dumpdecrypted.dylib root@192.168.1.x:<path A>

III. Dumping

1. Start the dump by running the following command (the app path is the one shown by ps -e):

DYLD_INSERT_LIBRARIES=<path A>/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX

Output like the following means the dump succeeded:

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10003cb68(from 0x10003c000) = b68
[+] Found encrypted data at address 00004000 of length 180224 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/79909146-D31F-4225-B18E-8D08D5599FFA/XXX.app/XXX for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 245760 in the file
[+] Opening SimpleNote.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3cb68
[+] Closing original file
[+] Closing dump file

2. Copy the dumped XXX.decrypted file to the computer (it is written to the current working directory of the shell, /var/root when logged in as root):

scp root@192.168.1.x:/var/root/XXX.decrypted <any path on the PC>

IV. class-dump

Run

class-dump --arch armv7 -H XXX.decrypted -o ./

to extract the app's header files for analysis. Pass the architecture that was actually decrypted: dumpdecrypted only rewrites the slice of the running process (the output above reports a 64-bit ARM binary), and the other slices of a FAT file stay encrypted, so class-dump cannot read them.
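Before handing the file to class-dump it is worth confirming that the dump really cleared the cryptid that the last lines of the output above mention. The following Python script is an added example, not part of the original post or of the dumpdecrypted project: it walks the Mach-O header of every architecture slice in the dumped file (FAT or thin) and reports the LC_ENCRYPTION_INFO fields; the magic numbers and load-command ids are the public Mach-O values, and build_sample constructs a fake minimal image purely for offline testing.

```python
import struct

# Mach-O / FAT magic numbers and the two encryption-info load command ids
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def _slices(data):
    """Yield (offset, size) of each Mach-O image; a FAT/universal file holds several."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        for i in range(struct.unpack(">I", data[4:8])[0]):
            _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(data)

def encryption_info(data):
    """Per architecture: arch_offset plus cryptoff/cryptsize/cryptid from LC_ENCRYPTION_INFO.
    cryptid 0 means the code pages are stored in clear (what a successful dump leaves);
    cryptid None means the slice carries no encryption-info command at all."""
    results = []
    for off, size in _slices(data):
        img = data[off:off + size]
        hdr_len = {MH_MAGIC_64: 32, MH_MAGIC: 28}.get(struct.unpack("<I", img[:4])[0])
        if hdr_len is None:
            raise ValueError("not a little-endian Mach-O image at offset %#x" % off)
        ncmds = struct.unpack("<I", img[16:20])[0]
        entry = {"arch_offset": off, "cryptoff": None, "cryptsize": None, "cryptid": None}
        pos = hdr_len
        for _ in range(ncmds):  # walk the load commands that follow the header
            cmd, cmdsize = struct.unpack("<II", img[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                cryptoff, cryptsize, cryptid = struct.unpack("<III", img[pos + 8:pos + 20])
                entry.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
            pos += cmdsize
        results.append(entry)
    return results

def build_sample(cryptid, fat=False):
    """Constructed minimal arm64 image (not a real app): header + one LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 180224, cryptid, 0)
    img = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc
    if fat:  # one-slice universal wrapper: fat_header (8 bytes) + fat_arch (20 bytes)
        return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, 28, len(img), 0) + img
    return img

if __name__ == "__main__":
    import sys
    for e in encryption_info(open(sys.argv[1], "rb").read()):
        print(e)
```

Run it as `python3 check_cryptid.py XXX.decrypted`; any slice still reporting cryptid 1 was not decrypted and will not be usable by class-dump.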

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容