1.创建项目模板 /opt/theos/bin/nic.pl,选择tweak

VPN id :LC0022

2.砸壳

1.找到app ps -e | grep VPN

/var/containers/Bundle/Application/727D7596-8DD6-4532-B8E0-2CC989FC488B/VPN.app/VPN

 otool -l WeChat.decrypted | grep crypt查看是否已砸壳，cryptid 为 0 则表示砸壳成功，该架构没有加密

2.找到Documents路径

进入进程脚本环境 cycript -p VPN

执行NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,NSUserDomainMask,YES)[0]

/var/mobile/Containers/Data/Application/13996EA3-8561-43FF-80DE-174B2EEBB091/Documents

3.使用dumpdecrypted.dylib砸壳（scp需要iOS也安装openssh）

scp /Users/liuwuxiong/Desktop/Learn/dumpdecrypted.dylib  root@192.168.1.101:/var/mobile/Containers/Data/Application/13996EA3-8561-43FF-80DE-174B2EEBB091/Documents

dumpdecrypted.dylib 需要拷贝到手机上，使用ldid签名 https://bingozb.github.io/23.html

DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/727D7596-8DD6-4532-B8E0-2CC989FC488B/VPN.app/VPN

scp VPN.decrypted  liuwuxiong@192.168.1.104:/Users/liuwuxiong/Desktop/Learn/

3.class-dump

可能出现swift混编，下载class-dump源代码，编译替换当前的class-dump(找到使用的命令目录，可以使用which)

class-dump  VPN.decrypted -H  -o ./VPN\ Headers

4.ida获取汇编源码

5.lldb调试

进入调试环境

1.iOS端运行 debugserver *:1234 -a "VPN" 等待lldb连接

2.mac的终端运行lldb进入后，process connect connect://192.168.1.101:1234 连接调试

进入调试环境

1.获取ASLR偏移 image list -o -f

(lldb) image list -o -f

[  0] 0x00000000000f0000 /var/containers/Bundle/Application/727D7596-8DD6-4532-B8E0-2CC989FC488B/VPN.app/VPN(0x00000001000f0000)

2.在内存上加断点

br s -a 0x00000001000DFDB8+0x0000000000088000

6.libReveal

scp libReveal.plist root@192.168.1.101:/Library/MobileSubstrate/DynamicLibraries/

7.cycript

UIApp.keyWindow.recursiveDescription().toString()

8.结果代码

%hook YJLaunchViewManager

- (void)loadData{

    %orig;

    objc_msgSend(self,@selector(skipADAction));

}

%end // end hook

@interface GADAdAppViewController : UIViewController

@property(retain, nonatomic) UIButton *closeButton;

@end

%hook GADAdAppViewController

- (void)viewDidLoad{

    %orig;

    objc_msgSend(self,@selector(closeButtonPressed),self.closeButton);

}

%end // end hook

%hook CDHIWUCNS

- (void)disconnectEvalutionView{

    objc_msgSend(self,@selector(disconnect));

    return;

}

%end // end hook