Decrypting App Store apps
First of all, thanks again to snakeninny.
Clutch also works: Clutch -i, then Clutch -d <number>.
As a fallback I chose dumpdecrypted, which relies on copying memory: an encrypted app is in its decrypted form while it is running on the phone, and it is stored contiguously in memory. If you can copy that memory out, you can rebuild a decrypted copy of the app.
### 1. Download the dumpdecrypted source
Source: https://github.com/stefanesser/dumpdecrypted/archive/master.zip . After downloading, put it somewhere convenient; mine is at /Users/DH/code/Code/dumpdecrypted-master
### 2. Build with the Makefile
Look inside the dumpdecrypted-master directory: there is a Makefile, so just build it:
```
localhost:~ DH$ cd /Users/DH/code/dumpdecrypted-master
localhost:dumpdecrypted-master DH$ make
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os  -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o
```
This produces dumpdecrypted.dylib.
### 3. Connect to the phone over SSH
You can connect over Wi-Fi or over USB; I prefer USB.
#### Wi-Fi:
```
ssh root@iphoneIP
```
#### USB
```
/User/DH/code/USBSSH/tcprelay.py -t 22:5555
ssh root@localhost -p 5555
```
### 4. Locate the app with ps -e
1. First launch the app you want to locate.
2. Run ps -e:
```
dinghaoyueyuceshiji:~ root# ps -e
  PID TTY           TIME CMD
    1             0:34.89 /sbin/launchd
  ....
 1571             0:02.36 /var/mobile/Containers/Bundle/Application/0FC82FA4-C182-4FED-927A-ACF8A539858C/WeChat.app/WeChat
 1576             0:00.36 sshd: root@ttys000 
 1580             0:01.90 /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite
 1578 ttys000    0:00.06 -sh
 1585 ttys000    0:00.01 ps -e
```
Find your app: /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite is the OPlayer Lite binary; you can also refer to it by its PID, 1580. Apps downloaded from the App Store live under /var/mobile/Containers/Bundle/Application.
### 5. Use Cycript to find the Documents directory path of OPlayer Lite
Cycript is available in Cydia's built-in Cydia/Telesphoreo repository. Attach to the process, then evaluate the expression at the cy# prompt; the result is the app's Documents URL:
```
dinghaoyueyuceshiji:~ root# cycript -p 1580
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/"
```
### 6. Copy dumpdecrypted.dylib into the Documents directory (copying it to /var/mobile is more convenient)
Open a new terminal:
```
localhost:~ DH$ scp /Users/DH/code/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.1.55:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/
The authenticity of host '192.168.1.55 (192.168.1.55)' can't be established.
RSA key fingerprint is f9:dd:8b:b9:0e:62:e2:75:55:e3:0b:15:8f:2e:cd:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.55' (RSA) to the list of known hosts.
root@192.168.1.55's password: 
dumpdecrypted.dylib                           100%  193KB 192.9KB/s   00:00    
```
I don't bother with this copy command myself; I just drag the file in with a tool like PP助手.
### 7. Start the dump
0. Open the app, then run ps -e and find its path.
1. cd /var/mobile
2. su mobile
3. DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/XXX.app/XXX\ XXX
4. The dumped file is then in the /var/mobile directory.
#### The version below is more detailed; read on if you are interested.
1. Go back to the terminal that is connected to the phone, where you ran cycript -p PID.
2. Press Control+D to exit cycript.
3. cd /var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents/
4. Run the app binary with dumpdecrypted.dylib injected:
```
dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer\ Lite.app/OPlayer\ Lite
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
```
If you get Killed: 9, run su mobile and then repeat step 4. The output looks like this:
```
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100010c58(from 0x100010000) = c58
[+] Found encrypted data at address 00004000 of length 18710528 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/DBD2DC2E-B871-468E-8134-9107C8BCB48B/OPlayer Lite.app/OPlayer Lite for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 24346624 in the file
```
The fourth command above is quite long, so be careful: what follows the DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib prefix is the app path shown by ps -e. If the app name contains spaces, escape them with \.
The decrypted file is written to the current directory:
```
dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# ls
OPlayer Lite.decrypted  OPlayerLite.zip  dumpdecrypted.dylib
```
OPlayerLite.zip is something I zipped myself; you should see the two files OPlayer Lite.decrypted and dumpdecrypted.dylib.
### 8. Copy to the Mac
1. Check the Mac's current IP address; mine is 192.168.1.28.
2. Know the password of your Mac's root account. If you don't, reset it with sudo passwd root: it first prompts for the password of the currently logged-in user, and once that is accepted it prompts twice for the new root password. The root account password is then set:
```
localhost:~ DH$ sudo passwd root
Password:
Changing password for root.
New password:
Retype new password:
```
3. If you know the root password, run this directly in the phone's terminal:
```
dinghaoyueyuceshiji:/var/mobile/Containers/Data/Application/C66F8EB9-D667-468A-BCAE-041DE6A03BB9/Documents root# scp OPlayer\ Lite.decrypted root@192.168.1.28:/Users/DH/code/
Password:
OPlayer Lite.decrypted                                                                                                                    100%   49MB   1.5MB/s   00:33    
```
### 9. Convert OPlayer Lite.decrypted
Now strip the .decrypted extension from OPlayer Lite.decrypted and run:
```
lipo OPlayer\ Lite -thin arm64 -output Oplayer_arm64
```
Oplayer_arm64 is now a decrypted binary; replace the one inside the ipa with it and you have a decrypted app.
iFunBox may report that the device is not jailbroken; install Apple File Conduit "2" from Cydia. If you don't know how to do the replacement, leave me a comment.
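An added example, my own code rather than anything from the original post, dumpdecrypted or lipo, covering the format that step 7's output and step 9's lipo command both operate on. It splits a FAT (universal) Mach-O into architecture slices, which is what lipo -thin arm64 does and what the "Correct arch is at offset ..." line refers to, and walks each slice's load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 to read the cryptid field that dumpdecrypted locates. Checking that cryptid is 0 in the output file is the quickest way to confirm the dump actually worked; the same check tells a reviewer whether a binary handed to them still carries App Store encryption or has already been stripped and repackaged. The FAT image it inspects is constructed inline and is not a real app, and every function name is my own.

```python
# Added example, not part of the original post, dumpdecrypted or lipo.
# Inspect a Mach-O / FAT image: list architecture slices (like `lipo -thin`)
# and read the cryptid of LC_ENCRYPTION_INFO(_64). cryptid == 1 means __TEXT
# is still FairPlay-encrypted; cryptid == 0 is what dumpdecrypted leaves behind.
# The sample image at the bottom is constructed here, not a real app binary.
import struct

FAT_MAGIC = 0xCAFEBABE          # universal-binary header, big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O
CPU_TYPE_ARM = 12
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
MH_EXECUTE = 2


def fat_slices(data):
    """Return [(cputype, offset, size)]; a thin Mach-O yields a single slice."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat_arch):                 # fat_arch entries are 20 bytes each
            entry = data[8 + 20 * i:28 + 20 * i]
            cputype, _sub, offset, size, _align = struct.unpack(">IIIII", entry)
            slices.append((cputype, offset, size))
        return slices
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
        return [(struct.unpack("<I", data[4:8])[0], 0, len(data))]
    raise ValueError("not a Mach-O or FAT image")


def thin(data, cputype):
    """Extract one architecture slice, as `lipo -thin` does; raise if absent."""
    for ct, offset, size in fat_slices(data):
        if ct == cputype:
            return data[offset:offset + size]
    raise ValueError("no slice for cputype 0x%x" % cputype)


def encryption_info(slice_bytes):
    """Walk one slice's load commands; return the LC_ENCRYPTION_INFO(_64)
    fields, or None when the binary carries no such command."""
    magic = struct.unpack("<I", slice_bytes[:4])[0]
    header_size = {MH_MAGIC_64: 32, MH_MAGIC: 28}.get(magic)
    if header_size is None:
        raise ValueError("not a little-endian Mach-O slice")
    ncmds = struct.unpack("<I", slice_bytes[16:20])[0]   # same offset in both headers
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", slice_bytes[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", slice_bytes[off + 8:off + 20])
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def is_decrypted(data, cputype=CPU_TYPE_ARM64):
    """True when the chosen slice has an encryption-info command with cryptid 0."""
    info = encryption_info(thin(data, cputype))
    return info is not None and info["cryptid"] == 0


# --- constructed sample input (not a real app) ---
def build_slice_64(cputype, cryptid):
    """Minimal 64-bit Mach-O header plus one LC_ENCRYPTION_INFO_64 command."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 1, len(lc), 0, 0)
    return hdr + lc


def build_slice_32(cputype, cryptid):
    """Minimal 32-bit Mach-O header plus one LC_ENCRYPTION_INFO command."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
    hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, MH_EXECUTE, 1, len(lc), 0)
    return hdr + lc


def build_fat(slices):
    """Pack (cputype, bytes) pairs into a universal binary."""
    entries, body, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        entries += struct.pack(">IIIII", cputype, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + entries + body


# armv7 slice still encrypted (cryptid 1); arm64 slice already dumped (cryptid 0)
SAMPLE_FAT = build_fat([
    (CPU_TYPE_ARM, build_slice_32(CPU_TYPE_ARM, 1)),
    (CPU_TYPE_ARM64, build_slice_64(CPU_TYPE_ARM64, 0)),
])

if __name__ == "__main__":
    for cputype, offset, size in fat_slices(SAMPLE_FAT):
        print("cputype 0x%08x at offset %d: %s" % (cputype, offset, encryption_info(SAMPLE_FAT[offset:offset + size])))
    print("arm64 slice decrypted:", is_decrypted(SAMPLE_FAT))
```

To check a real dump, read the file into data and call is_decrypted(data); on a FAT input the offset reported by fat_slices for the arm64 entry is the same number dumpdecrypted prints as "Correct arch is at offset". Only the __TEXT segment is covered by cryptoff/cryptsize, so a cryptid of 0 says the code is plain, not that the rest of the file has been altered.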