蟒穴博客找到微信的Bundle id
ios#ps -ef|grep -i wechat 501 731 1 0 0:00.00 ?? 0:03.70 /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat
找出微信的Documents的路径
这里找到Documents一步可以忽略,dumpdecrypted.dylib放在ios任意目录即可
ios#cycript -p WeChat cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, ES)[0] @"/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents"
砸壳
git clone https://github.com/stefanesser/dumpdecrypted.git
make
编译出 dumpdecrypted.dylib
mac$scp dumpdecrypted.dylib root@192.168.2.126:/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents ios#DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found. Did find: dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'
需要对dumpdecrypted.dylib进行签名
列出证书
security find-identity -v -p codesigning
签名
codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib
ios#DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat mach-o decryption dumper DISCLAIMER: This tool is only meant for security research purposes, not for application crackers. [+] detected 64bit ARM binary in memory. [+] offset to cryptid found: @0x1000f8ca8(from 0x1000f8000) = ca8 [+] Found encrypted data at address 00004000 of length 53133312 bytes - type 1. [+] Opening /private/var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat for reading. [+] Reading header [+] Detecting header type [+] Executable is a plain MACH-O image [+] Opening WeChat.decrypted for writing. [+] Copying the not encrypted start of the file [+] Dumping the decrypted data into the file [+] Copying the not encrypted remainder of the file [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ca8 [+] Closing original file [+] Closing dump file
ios#ls /var/root/ Containers/ Library/ Media/ WeChat.decrypted dumpdecrypted.dylib* mac$scp root@192.168.2.126:/var/root/WeChat.decrypted .
参考
http://www.jianshu.com/p/189afbe3b429
