The Road to Cracking iOS Apps, Part 2: JJ斗地主

    Prerequisites:

    A jailbroken phone with <JJ斗地主> installed

    Dumping (decrypting) with the tool Clutch

    Download: https://github.com/KJCracks/Clutch/releases

    dzq:~/data root# Clutch -i | grep JJ
    57:  JJ斗地主-欢乐棋牌休闲合集 <cn.jj.TKLobby>
    
    [1]+  Stopped                 Clutch -i | grep JJ
    [1]+  Done                    Clutch -i | grep JJ
    dzq:~/data root# Clutch -d 57
    Zipping JJ斗地主.app
    Error: posix_spawn: No such file or directory (Error 2)
    
    Error: posix_spawn: No such file or directory (Error 2)
    
    Error: posix_spawn: No such file or directory (Error 2)
    
    Error: Failed to dump <RNCAsyncStorage> with arch arm64
    
    2020-04-26 12:04:51.272 Clutch[4652:115450] failed operation :(
    2020-04-26 12:04:51.272 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
    Error: Failed to dump <RNCAsyncStorage>
    
    2020-04-26 12:04:51.273 Clutch[4652:115450] failed operation :(
    2020-04-26 12:04:51.273 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
    Error: Failed to dump <react_native_image_picker> with arch arm64
    
    2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
    2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
    Error: Failed to dump <react_native_image_picker>
    
    2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
    2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
    Error: posix_spawn: No such file or directory (Error 2)
    
    Error: Failed to dump <react_native_view_shot> with arch arm64
    
    2020-04-26 12:04:51.275 Clutch[4652:115435] failed operation :(
    2020-04-26 12:04:51.275 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
    Error: Failed to dump <react_native_view_shot>
    
    2020-04-26 12:04:51.276 Clutch[4652:115435] failed operation :(
    2020-04-26 12:04:51.276 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
    Error: Failed to dump <react_native_sqlite_storage> with arch arm64
    
    Error: posix_spawn: No such file or directory (Error 2)
    
    Error: posix_spawn: No such file or directory (Error 2)
    

    Unfortunately, dumping with Clutch failed.

    Dumping with the tool dumpdecrypted

    Download: git clone https://github.com/stefanesser/dumpdecrypted.git

    Other tutorials online just download the source, run make directly, get a dumpdecrypted.dylib file, then eagerly scp it to the freshly jailbroken phone and start dumping.

    I followed that and ran into two problems:

    1. A signing problem

    2. A libSystem.B.dylib mismatch, which made it fail to run, complaining about some `__check_` thing

    Solutions:

    1. Download iPhoneOS12.4.sdk

      Source: https://github.com/xybp888/iOS-SDKs

      Download a specific SDK version: svn checkout https://github.com/xybp888/iOS-SDKs/trunk/iPhoneOS12.4.sdk

      Why this version?

      Because my phone runs iOS 12.4.5, that's all.

    2. Modify the Makefile

    GCC_BIN=`xcrun --sdk iphoneos --find gcc`
    GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
    SDK=iPhoneOS12.4.sdk
    
    CFLAGS = 
    GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks
    
    all: dumpdecrypted.dylib
    
    dumpdecrypted.dylib: dumpdecrypted.o 
    	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^
    
    %.o: %.c
    	$(GCC_UNIVERSAL) -c -o $@ $< 
    
    clean:
    	rm -f *.o dumpdecrypted.dylib
    

    Then rerun make, which produces the dumpdecrypted.dylib file.

    3. Sign it

    brew install ldid
    ldid -S dumpdecrypted.dylib
    

    4. After signing, copy it to the jailbroken phone

    scp dumpdecrypted.dylib root@myiphone:/var/root/data
    

    Notes:

      I set up passwordless SSH login.

      I edited /etc/hosts to add a myiphone hostname entry that maps to the iPhone.

      I created a data directory under the root user on the iPhone; from now on, files are transferred to, and dumped files collected from, ~/data/<filename>.

      I configured the iPhone's SSH session to support Chinese; after logging in via SSH:

    echo "export LC_ALL='en_US.UTF-8'" > ~/.profile
    

    Starting the dump for real

    1. Get the executable path of JJ斗地主.

    First launch JJ斗地主 on the phone, then:

    dzq:~/data root# ps -e | grep JJ
     4830 ??         0:05.17 /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主
     4832 ttys000    0:00.03 grep JJ
    

    2. cd to the data directory

    cd ~/data
    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主
    

    3. After waiting a moment:

    dzq:~/data root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主 
    mach-o decryption dumper
    
    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
    
    [+] detected 64bit ARM binary in memory.
    [+] offset to cryptid found: @0x101084cf8(from 0x101084000) = cf8
    [+] Found encrypted data at address 00004000 of length 13336576 bytes - type 1.
    [+] Opening /private/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主 for reading.
    [+] Reading header
    [+] Detecting header type
    [+] Executable is a plain MACH-O image
    [+] Opening JJ斗地主.decrypted for writing.
    [+] Copying the not encrypted start of the file
    [+] Dumping the decrypted data into the file
    [+] Copying the not encrypted remainder of the file
    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
    [+] Closing original file
    [+] Closing dump file
    dzq:~/data root# ll
    -sh: ll: command not found
    dzq:~/data root# ls
    JJ斗地主.decrypted  dumpdecrypted.dylib*
    

    Excellent: we now have the dumped file 《JJ斗地主.decrypted》, which can be loaded into a decompiler and analysed.
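The log above shows what a dump actually changes in the file: it locates the cryptid field of the LC_ENCRYPTION_INFO_64 load command (at image offset cf8 here) and writes 0 into it. The following Python script is an added example, not part of the original post and not code from dumpdecrypted, Clutch or CrackerXI+. It parses Mach-O headers (thin, and fat/universal files like the ones Clutch reports per arch) and reports the cryptid value and its file offset, the same information as `otool -l | grep cryptid`. On the defensive side this is how you verify that a release artifact is still FairPlay-encrypted (cryptid 1), triage a binary found on a device as an already-dumped copy (cryptid 0), or distinguish both from a dev build that never had the command. The sample images are constructed inline (the cryptoff 0x4000 and cryptsize 13336576 values are copied from the log above, everything else is invented test data), so it runs offline; pass a file path to inspect a real binary.

```python
import struct
import sys

# Mach-O and fat-header constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian thin images
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE   # byte-swapped (big-endian) thin images
FAT_MAGIC = 0xCAFEBABE                           # universal wrapper; its tables are big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {12: "arm", 0x0100000C: "arm64", 7: "i386", 0x01000007: "x86_64"}


def _parse_thin(data, base=0):
    """Walk one Mach-O image's load commands and report its LC_ENCRYPTION_INFO fields."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian, magic = ">", (MH_MAGIC_64 if magic == MH_CIGAM_64 else MH_MAGIC)
    else:
        raise ValueError("no Mach-O magic at offset 0x%x" % base)
    is64 = magic == MH_MAGIC_64
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    (cputype,) = struct.unpack_from(endian + "i", data, base + 4)
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, base + 16)
    result = {"arch_offset": base, "cpu": CPU_NAMES.get(cputype, hex(cputype)), "is64": is64,
              "cryptoff": None, "cryptsize": None, "cryptid": None, "cryptid_offset": None}
    off = base + (32 if is64 else 28)
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "III", data, off + 8)
            result.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                          cryptid_offset=off + 16)  # absolute file offset of the cryptid field
            break
        off += cmdsize
    return result


def inspect_macho(data):
    """Return one result dict per architecture (a single entry for a thin file)."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [_parse_thin(data, 0)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    results = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _, _, offset, _, _ = struct.unpack_from(">iIIII", data, 8 + 20 * i)
        results.append(_parse_thin(data, offset))
    return results


def classify(result):
    """'encrypted' = still FairPlay-protected, 'decrypted' = dumped copy, 'unencrypted' = no command."""
    if result["cryptid"] is None:
        return "unencrypted"
    return "encrypted" if result["cryptid"] != 0 else "decrypted"


def build_sample(cryptid):
    """Constructed test data: a minimal arm64 MH_EXECUTE header with LC_UUID + LC_ENCRYPTION_INFO_64."""
    lc_uuid = struct.pack("<II", 0x1B, 24) + b"\x11" * 16
    lc_enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 13336576, cryptid, 0)
    cmds = lc_uuid + lc_enc
    header = struct.pack("<IiIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


def build_fat_sample(images):
    """Constructed test data: wrap thin images in a fat header, packed back to back."""
    table_size = 8 + 20 * len(images)
    archs, body = b"", b""
    for img in images:
        (cputype,) = struct.unpack_from("<i", img, 4)
        (cpusub,) = struct.unpack_from("<I", img, 8)
        archs += struct.pack(">iIIII", cputype, cpusub, table_size + len(body), len(img), 0)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    # With a path argument inspect that file; otherwise inspect the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(cryptid=1)
    for r in inspect_macho(blob):
        where = None if r["cryptid_offset"] is None else hex(r["cryptid_offset"])
        print("%-6s cryptid=%s at file offset %s -> %s" % (r["cpu"], r["cryptid"], where, classify(r)))
```

The cryptid offset it prints for a real App Store binary is the same number dumpdecrypted reports in its "offset to cryptid found" line, so the script doubles as a way to confirm afterwards that a `.decrypted` file differs from the original only at that field plus the encrypted range.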

    Dumping with the tool CrackerXI+

    Install CrackerXI+:

    Open Cydia, go to Sources, tap the Edit button in the top right, then the Add button in the top left, enter http://cydia.iphonecake.com, and tap Done.

    Search for CrackerXI+ and install it.

    Open the app; in the Settings tab select everything, then dump whatever you like. I personally choose Full IPA.

    Not selecting everything has a pitfall: every time you open a dumped app it gets dumped again, which is maddening.

    Directory where the dumps are stored: /var/mobile/Documents/CrackerXI/

    Summary:

    Directories after installing from the App Store:

    Application install directory: /private/var/containers/Bundle/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

    An application's writable directory:

    /var/mobile/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

    /var/root/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

    Which of the two is used depends on which user the app runs as.

    To determine the exact output directory:

    dzq:/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15 root# cycript -p JJ斗地主
    cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    @["/var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents"]
    cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
    @[#"file:///var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents/"]
    

    There are two ways; either one works. Then press Ctrl+D to exit cy.

Original post: https://www.cnblogs.com/dzqdzq/p/12778806.html