dumpdecrypted 砸殼
一、dumpdecrypted源碼地址
二、確認要砸殼的iOS系統版本
即iOS版本需要與SDK版本相同。注意,5.1版SDK編譯出的dylib是向下兼容的,可以用于iOS5.0,6.1版SDK同理。
三、提取需要的SDK版本
下載舊版本的Xcode,然后把里面的SDK提取出來。
Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs 把Xcode這個文件夾提取出來放在桌面。
四、修改MakeFile和修改源碼
修改
SDK=`xcrun --sdk iphoneos --show-sdk-path`
改成
SDK=~/Desktop/SDKs/iPhoneOS8.X.sdk
再將dumpdecrypted.c第76行的
if (lc->cmd ==LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64)
改成
if(lc->cmd == LC_ENCRYPTION_INFO)
五、編譯dumpdecrypted.dylib
接著直接cd到“~/Desktop/dumpdecrypted-master/”下,然后輸入“make”并回車,在當前目錄下生成dumpdecrypted.dylib
不想自己編譯的話,我已經全部編譯好了6.0,7.0,8.0
dumpdecrypted.dylib和源碼地址
六、去掉arm64
雖說現在IDA6.9已經支持arm64,但是arm64還是很難看啊,去掉arm64之后就方便多了
1、把/var/mobile/Applications/XXXXXX/TargetApp.app/XXXTargetApp 復制到mac上
2、執行命令行
lipo xxx -remove arm64 -output xxx.remove
七、砸殼
1、把dumpdecrypted.dylib放到iOS砸殼app的Document下
2、cd到iOS中dumpdecrypted.dylib的目錄下
3、輸入命令行,回車砸殼完畢
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/XXXXXX/TargetApp.app/XXXTargetApp
4、顯示
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x81a78(from 0x81000) = a78
[+] Found encrypted data at address 00004000 of length 6569984 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/03B61840-2349-4559-B28E-0E2C6541F879/TargetApp.app/TargetApp for reading.
[+] Reading header
[+] Detecting header type[+] Executable is a plain MACH-O image
[+] Opening TargetApp.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset a78
[+] Closing original file[+] Closing dump file
八、完成
class-dump、IDA 可以開始使用啦
