1、GitHub下載最新版,https://github.com/KJCracks/Clutch/releases

2、把下載的Clutch放到越獄的手機的/usr/bin目錄下

3、ssh連接iphone

wifi:~ clf$ ssh root@192.168.2.2

4、進入目錄

iPhone:~ root# cd /usr/bin

5、輸入Clutch

iPhone:/usr/bin root# Clutch-2.0.4
sh: /usr/bin/Clutch-2.0.4: Permission denied

這里是因為沒有賦予Clutch可執行權限

iPhone:/usr/bin root# chmod +x Clutch-2.0.4 
iPhone:/usr/bin root# Clutch-2.0.4
Usage: Clutch-2.0.4 [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID 
-d --dump <value>        Dump specified bundleID into .ipa file 
-i --print-installed     Print installed applications 
   --clean               Clean /var/tmp/clutch directory 
   --version             Display version and exit 
-? --help                Display this help and exit 
-n --no-color            Print with colors disabled 

可以看出這里是一些Clutch的命令使用，我們找到我們需要砸殼的App的bundleID，

iPhone:/usr/bin root# Clutch-2.0.4 -i
1:   QQ <com.tencent.mqq>
2:   ...
...

砸殼

iPhone:/usr/bin root# Clutch-2.0.4 -d cn.dxwt.Community10000

然后會告訴你砸殼之后的.ipa文件的路徑

Zipping Community10000v6.app
...
DONE: /private/var/mobile/Documents/Dumped/cn.dxwt.Community10000-iOS10.0-(Clutch-2.0.4).ipa
Finished dumping cn.dxwt.Community10000 in 5.7 seconds

然后就大功告成了。