
iOS 10.2 Jailbreak – WeChat - dumping the decrypted binary with dumpdecrypted

Find the running WeChat process and the path of its executable (the ps output shows the binary inside /var/containers/Bundle/Application/<bundle UUID>/WeChat.app)

ios#ps -ef|grep -i wechat
  501   731     1   0   0:00.00 ??         0:03.70 /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat

Find the path of WeChat's Documents directory

(This step can be skipped: dumpdecrypted.dylib can be placed in any readable directory on the device. dumpdecrypted writes the <name>.decrypted file into the shell's current working directory, not into the app's Documents folder; below that is /var/root.)

ios#cycript -p WeChat
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
@"/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents"

Dump the decrypted binary

mac$git clone https://github.com/stefanesser/dumpdecrypted.git

mac$cd dumpdecrypted

mac$make

This builds dumpdecrypted.dylib on the Mac (the Makefile uses the iOS SDK shipped with Xcode).

mac$scp dumpdecrypted.dylib root@192.168.2.126:/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents
ios#DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/7D56B6F8-CBD6-4933-A610-D8AF2F1679D6/Documents/dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat
ios#DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat
dyld: could not load inserted library 'dumpdecrypted.dylib' because no suitable image found.  Did find:
	dumpdecrypted.dylib: required code signature missing for 'dumpdecrypted.dylib'

Both attempts fail the same way: the path is not the problem, dyld refuses to insert the freshly built dylib because it carries no code signature at all.

dumpdecrypted.dylib therefore has to be code-signed.

List the signing identities available on the Mac

mac$security find-identity -v -p codesigning

Sign the dylib (the quoted name must match one of the identities from that list)

mac$codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib

On a jailbroken device an ad-hoc signature (codesign -s - dumpdecrypted.dylib on the Mac, or ldid -S dumpdecrypted.dylib on the device) is usually enough, since what dyld insists on is that the inserted image carries a code signature; a developer identity, as used here, works just as well. Copy the signed dylib back to the device: in the run below it sits in /var/root, the shell's working directory, which is also where the dump ends up.

ios#DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000f8ca8(from 0x1000f8000) = ca8
[+] Found encrypted data at address 00004000 of length 53133312 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/4F86109E-592C-4B81-89AA-C92D78B451F7/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ca8
[+] Closing original file
[+] Closing dump file
ios#ls /var/root/
Containers/  Library/  Media/  WeChat.decrypted  dumpdecrypted.dylib*
mac$scp root@192.168.2.126:/var/root/WeChat.decrypted .
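Before handing WeChat.decrypted to class-dump or a disassembler it is worth confirming that the dump really is decrypted, i.e. that the cryptid field of LC_ENCRYPTION_INFO_64 (the field dumpdecrypted reported at offset ca8 and set to 0 in its last step) is now 0. The checker below is an added example, not code from this post or from the dumpdecrypted project: it parses a little-endian 64-bit Mach-O header, walks the load commands and reports cryptoff, cryptsize, cryptid and the file offset of cryptid, and can apply the same header patch dumpdecrypted applies. The sample image it runs on when no file is given is constructed inline (a 32-byte header plus LC_UUID and LC_ENCRYPTION_INFO_64 commands carrying the cryptoff/cryptsize values printed in the dump log above); it is not the real WeChat executable.

```python
"""Check whether a dumped iOS binary is really decrypted.

Added example, not from the post or the dumpdecrypted project. It parses a
64-bit Mach-O, finds LC_ENCRYPTION_INFO_64 and reports cryptoff, cryptsize,
cryptid and the file offset of cryptid (the "offset to cryptid" that
dumpdecrypted prints and later sets to 0). A binary is usable by
class-dump/Hopper only if cryptid == 0 or the command is absent.
"""
import struct
import sys
from typing import Optional

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O (arm64)
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)
MH_HEADER64_SIZE = 32             # sizeof(struct mach_header_64)
LC_UUID = 0x1B
LC_ENCRYPTION_INFO_64 = 0x2C      # struct encryption_info_command_64, 24 bytes
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def find_encryption_info(data: bytes) -> Optional[dict]:
    """Walk the load commands; return the LC_ENCRYPTION_INFO_64 fields or None."""
    if len(data) < MH_HEADER64_SIZE:
        raise ValueError("file too short to be a Mach-O")
    magic, = struct.unpack_from("<I", data, 0)
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: thin it to the arm64 slice first (lipo -thin arm64)")
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = MH_HEADER64_SIZE
    end = MH_HEADER64_SIZE + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load command table runs past end of file")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError("bad cmdsize %d at offset 0x%x" % (cmdsize, off))
        if cmd == LC_ENCRYPTION_INFO_64:
            if cmdsize < 24:
                raise ValueError("truncated LC_ENCRYPTION_INFO_64")
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {
                "cryptoff": cryptoff,
                "cryptsize": cryptsize,
                "cryptid": cryptid,
                "cryptid_offset": off + 16,   # file offset of the cryptid field
            }
        off += cmdsize
    return None


def is_decrypted(data: bytes) -> bool:
    """True when there is no encryption command or its cryptid is 0."""
    info = find_encryption_info(data)
    return info is None or info["cryptid"] == 0


def clear_cryptid(data: bytes) -> bytes:
    """Return a copy with cryptid set to 0: the header patch dumpdecrypted applies.

    This only flips the flag; it decrypts nothing. It is only meaningful on an
    image whose encrypted range was already replaced with bytes dumped from memory.
    """
    info = find_encryption_info(data)
    if info is None:
        return data
    buf = bytearray(data)
    struct.pack_into("<I", buf, info["cryptid_offset"], 0)
    return bytes(buf)


def build_sample(cryptid: int) -> bytes:
    """Constructed Mach-O (not a real WeChat binary): LC_UUID + LC_ENCRYPTION_INFO_64."""
    uuid_cmd = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    # cryptoff/cryptsize taken from the post's dump log; cryptid 1 = still encrypted
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                          0x4000, 53133312, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    info = find_encryption_info(data)
    if info is None:
        print("no LC_ENCRYPTION_INFO_64: binary was never App Store encrypted")
    else:
        print("cryptoff=0x%x cryptsize=%d cryptid=%d (field at file offset 0x%x)"
              % (info["cryptoff"], info["cryptsize"], info["cryptid"], info["cryptid_offset"]))
    print("decrypted" if is_decrypted(data) else "STILL ENCRYPTED: dump again")
```

Run it as python3 check_cryptid.py WeChat.decrypted on the Mac after the scp; the same fields can be read with otool -l WeChat.decrypted | grep -A4 LC_ENCRYPTION_INFO. A dump from an app that was not fully resident, or one taken without the dylib actually being inserted, still shows cryptid=1 and is useless for analysis.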

Reference

http://www.jianshu.com/p/189afbe3b429