The road to cracking iOS apps, part 2: JJ斗地主


Prerequisites:

A jailbroken phone with <JJ斗地主> installed

 

Decrypting with Clutch

Download: https://github.com/KJCracks/Clutch/releases

dzq:~/data root# Clutch -i | grep JJ
57:  JJ斗地主-歡樂棋牌休閑合集 <cn.jj.TKLobby>

[1]+  Stopped                 Clutch -i | grep JJ
[1]+  Done                    Clutch -i | grep JJ
dzq:~/data root# Clutch -d 57
Zipping JJ斗地主.app
Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

Error: Failed to dump <RNCAsyncStorage> with arch arm64

2020-04-26 12:04:51.272 Clutch[4652:115450] failed operation :(
2020-04-26 12:04:51.272 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
Error: Failed to dump <RNCAsyncStorage>

2020-04-26 12:04:51.273 Clutch[4652:115450] failed operation :(
2020-04-26 12:04:51.273 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
Error: Failed to dump <react_native_image_picker> with arch arm64

2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
Error: Failed to dump <react_native_image_picker>

2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
Error: posix_spawn: No such file or directory (Error 2)

Error: Failed to dump <react_native_view_shot> with arch arm64

2020-04-26 12:04:51.275 Clutch[4652:115435] failed operation :(
2020-04-26 12:04:51.275 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
Error: Failed to dump <react_native_view_shot>

2020-04-26 12:04:51.276 Clutch[4652:115435] failed operation :(
2020-04-26 12:04:51.276 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
Error: Failed to dump <react_native_sqlite_storage> with arch arm64

Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

Unfortunately, decryption with Clutch failed: it could not dump the app's embedded frameworks (RNCAsyncStorage, react_native_image_picker, and so on) for arch arm64, and each attempt ended in the posix_spawn errors shown above.

 

Decrypting with dumpdecrypted

Download: git clone https://github.com/stefanesser/dumpdecrypted.git

Other tutorials online simply download the source, run make, get a dumpdecrypted.dylib, eagerly scp it to the freshly jailbroken phone, and start decrypting.

I followed this and ran into two problems:

1. A signing problem

2. A libSystem.B.dylib mismatch, so the library fails to load; the error mentions some `__check_` symbol

 

Solution:

1. Download iPhoneOS12.4.sdk

  Source: https://github.com/xybp888/iOS-SDKs

  Check out the specific SDK version: svn checkout https://github.com/xybp888/iOS-SDKs/trunk/iPhoneOS12.4.sdk

  

  Why this version?

  Because my phone runs iOS 12.4.5, that's all.

  The general rule behind it: build against an SDK no newer than the device's iOS. A dylib compiled against a newer SDK can reference symbols that the device's older libSystem.B.dylib does not export, and dyld then refuses to load it, which is exactly the second problem above.

  

2. Modify the Makefile

The stock Makefile asks xcrun for the SDK path; point SDK at the 12.4 SDK checked out above instead. The path is relative to the directory make runs in, so put the iPhoneOS12.4.sdk checkout inside the dumpdecrypted directory (or use an absolute path).

# compiler from the iOS toolchain found by xcrun
GCC_BIN=`xcrun --sdk iphoneos --find gcc`
# one universal dylib covering all three arches
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
# SDK matching the device's iOS version (12.4.5 here); checked out next to this Makefile
SDK=iPhoneOS12.4.sdk

CFLAGS = 
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o 
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $< 

clean:
	rm -f *.o dumpdecrypted.dylib

Then run make again; it produces dumpdecrypted.dylib.

3. Sign it

brew install ldid
ldid -S dumpdecrypted.dylib

(ldid -S applies an ad-hoc signature, which is all a jailbroken device needs for dyld to accept the library.)

4. After signing, copy it to the jailbroken phone

scp dumpdecrypted.dylib root@myiphone:/var/root/data

Notes:

  I set up passwordless SSH login.

  I edited /etc/hosts and added a myiphone entry that maps to the iPhone's address.

  I created a data directory under the phone's root user, so from now on files are transferred to, and cracked files picked up from, ~/data/<filename>.

  I made the phone's SSH session handle Chinese filenames, by logging in over SSH and running:

echo "export LC_ALL='en_US.UTF-8'" > ~/.profile

(Use >> instead of > if ~/.profile already has content; > overwrites the file.)

 

Decrypting for real

1. Get the executable path of JJ斗地主.

 First launch JJ斗地主 on the phone, then:

dzq:~/data root# ps -e | grep JJ
 4830 ??         0:05.17 /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主
 4832 ttys000    0:00.03 grep JJ

 2. cd into the data directory and launch the binary with the dylib injected (dumpdecrypted writes its output into the current directory, which is why we cd first):

cd ~/data
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主

3. After a moment:

dzq:~/data root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主 
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x101084cf8(from 0x101084000) = cf8
[+] Found encrypted data at address 00004000 of length 13336576 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主 for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening JJ斗地主.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
dzq:~/data root# ll
-sh: ll: command not found
dzq:~/data root# ls
JJ斗地主.decrypted  dumpdecrypted.dylib*

 Excellent: we now have the decrypted file JJ斗地主.decrypted and can load it into a disassembler or decompiler for analysis. The log shows what happened: the encrypted region started at file offset 0x4000 with length 13336576 bytes (cryptid 1), its decrypted pages were copied out of memory into the dump, and LC_ENCRYPTION_INFO->cryptid was set to 0 at offset 0xcf8 so tools treat the file as a plain, unencrypted Mach-O.
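As a check on that result, here is an added example, not code from the original post or from the dumpdecrypted project: a small Python parser for the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command. It reports cryptoff, cryptsize and cryptid for each slice, goes a little beyond the plain image seen above by also walking fat (multi-arch) binaries, and applies the same cryptid := 0 header patch the dumper performs. The script name check_cryptid.py is an assumption; the sample inputs built inside the block are constructed headers, not real app binaries, with the cryptoff/cryptsize values taken from the log above.

```python
import struct

# Mach-O / fat constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C


def _slices(blob):
    """Yield (offset, size) of each thin Mach-O image in blob (fat or thin)."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        for i in range(nfat):  # fat_arch entries are big-endian
            _, _, off, size, _ = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            yield off, size
    else:
        yield 0, len(blob)


def parse_encryption_info(blob):
    """Walk the load commands of every slice and return its LC_ENCRYPTION_INFO(_64)."""
    found = []
    for base, _ in _slices(blob):
        magic = struct.unpack_from("<I", blob, base)[0]
        if magic == MH_MAGIC_64:
            hdr_len = 32
        elif magic == MH_MAGIC:
            hdr_len = 28
        else:
            raise ValueError("no Mach-O header at offset 0x%x" % base)
        cputype, _, _, ncmds, sizeofcmds = struct.unpack_from("<iiIII", blob, base + 4)
        off, end = base + hdr_len, base + hdr_len + sizeofcmds
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", blob, off)
            if cmdsize < 8 or off + cmdsize > end:
                raise ValueError("corrupt load command at 0x%x" % off)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
                found.append({"slice_offset": base, "cputype": cputype,
                              "cryptoff": cryptoff, "cryptsize": cryptsize,
                              "cryptid": cryptid,
                              # offset of the cryptid field within the slice: the
                              # number dumpdecrypted prints as "offset to cryptid"
                              "cryptid_offset": off + 16 - base})
            off += cmdsize
    return found


def is_encrypted(blob):
    """True if any slice still carries cryptid != 0, i.e. the dump did not succeed."""
    return any(e["cryptid"] != 0 for e in parse_encryption_info(blob))


def clear_cryptid(blob):
    """Copy of blob with every cryptid set to 0: the header patch a dumper applies after
    writing the decrypted pages (this alone decrypts nothing)."""
    out = bytearray(blob)
    for e in parse_encryption_info(blob):
        struct.pack_into("<I", out, e["slice_offset"] + e["cryptid_offset"], 0)
    return bytes(out)


# Constructed sample inputs (not real app binaries)
def build_arm64_sample(cryptid=1):
    """Thin arm64 MH_EXECUTE header with the cryptoff/cryptsize values from the log."""
    uuid_cmd = struct.pack("<II16s", LC_UUID, 24, b"\x00" * 16)
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 13336576, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0)
    return hdr + cmds + b"\xAA" * 32  # stand-in for the rest of __TEXT


def build_armv7_sample(cryptid=1):
    """Thin 32-bit armv7 header using the 20-byte LC_ENCRYPTION_INFO."""
    enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 4096, cryptid)
    hdr = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 1, len(enc_cmd), 0)
    return hdr + enc_cmd


def build_fat_sample(cryptid=1):
    """Fat binary wrapping both samples, slices aligned to 4 KiB as ld lays them out."""
    images = [(CPU_TYPE_ARM, 9, build_armv7_sample(cryptid)),
              (CPU_TYPE_ARM64, 0, build_arm64_sample(cryptid))]
    hdr_size = 8 + 20 * len(images)
    archs, body = [], bytearray()
    off = (hdr_size + 4095) & ~4095
    for cputype, subtype, img in images:
        body += b"\x00" * (off - hdr_size - len(body)) + img
        archs.append(struct.pack(">iiIII", cputype, subtype, off, len(img), 12))
        off = (off + len(img) + 4095) & ~4095
    return struct.pack(">II", FAT_MAGIC, len(images)) + b"".join(archs) + bytes(body)


if __name__ == "__main__":  # usage: python3 check_cryptid.py JJ斗地主.decrypted
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fat_sample()
    for e in parse_encryption_info(data):
        print("cputype=0x%08x cryptoff=0x%x cryptsize=%d cryptid=%d (field @0x%x)"
              % (e["cputype"], e["cryptoff"], e["cryptsize"], e["cryptid"], e["cryptid_offset"]))
    print("still encrypted" if is_encrypted(data) else "decrypted")
```

Run it against JJ斗地主.decrypted after copying the file to the Mac; a cryptid of 0 in every slice means the dump is usable, while a non-zero cryptid means the disassembler will be looking at FairPlay ciphertext and the dump has to be redone.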

 

Decrypting with CrackerXI+

Install CrackerXI+:

Open Cydia, go to Sources, tap Edit in the top right, then Add in the top left, enter http://cydia.iphonecake.com and confirm.

Search for CrackerXI+ and install it.

Open the app; in the Settings tab, enable every option, then decrypt whatever you like. I personally choose Full ipa.

There is a trap if you don't enable all the options: every time you open an already decrypted app it gets decrypted again, which is maddening.

Decrypted output goes to: /var/mobile/Documents/CrackerXI/

 

Summary:

Directories after installing from the App Store:

App bundle directory: /private/var/containers/Bundle/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

 

An app's writable (data container) directory:

/var/mobile/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

/var/root/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

Which of the two is used depends on the user and privileges the app is run with (mobile when launched normally from SpringBoard; root when launched from a root shell as above).

 

To determine the exact output directory, attach cycript to the running app:

dzq:/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15 root# cycript -p JJ斗地主
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
@["/var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents"]
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
@[#"file:///var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents/"]

 Both ways work, use whichever you like; then Ctrl+D to exit cy.

