Hit a shell

2017-09-12  lifeLL
//1.      SSH into the phone:  ssh root@iphone id

//2.      Find the target app's path
Yuanlingde-iPhone:~ root# ps -e|grep Containers
  977 ??         0:33.20 /var/mobile/Containers/Bundle/Application/2BCF44DF-4B58-4074-85B4-1A6E75E5F4DA/WeChat.app/WeChat

//3.      Use Cycript to find the TargetApp's Documents directory path
Way 1:
Yuanlingde-iPhone:~ root# cycript -p 1050
cy#
cy#
cy# NSHomeDirectory()
@"/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574"
Then append "/Documents/" to it yourself.
Way 2:
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/"

//4.     Copy dumpdecrypted.dylib into the Documents directory of the target app
lifedeMBP:~ life$ scp /Users/life/iOS/reverse/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.2.204:/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/
root@192.168.2.204's password:
dumpdecrypted.dylib                                        100%  193KB 192.9KB/s   00:00
lifedeMBP:~ life$

//5.     Crack it: cd into the Documents directory
FunMaker-5:~ root# cd /var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-2146128611EE/Documents/
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/2BCF44DF-4B58-4074-85B4-1A6E75E5F4DA/WeChat.app/WeChat

//6.     Copy the result back to the Mac
lifedeMBP:~ life$ scp root@192.168.2.204:/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/WeChat.decrypted /Users/life/iOS/reverse/wechat
root@192.168.2.204's password:
WeChat.decrypted                                           100%  116MB 506.2KB/s   03:55

//7.     class-dump
lifedeMBP:~ life$ class-dump --arch armv7 -H /Users/life/iOS/reverse/dumpdecrypted-master/WeChat.decrypted -o /Users/life/iOS/reverse/heads.h
(Without the -H option, the output is printed to the terminal.)
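
An added example (not part of the original post): a check that the file copied back in step 6 really is decrypted before class-dump is run on it. It reads the cryptid field of each slice's LC_ENCRYPTION_INFO load command (0 means not encrypted), which also shows which --arch value is worth passing to class-dump; the function names and the sample bytes are constructed for illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                           # fat header fields are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin headers, little-endian on ARM
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
ARCH = {(12, 9): "armv7", (12, 11): "armv7s", (0x0100000C, 0): "arm64"}

def slice_cryptid(data, base=0):
    """Return (arch, cryptid) for the thin Mach-O at `base`; cryptid is None if absent."""
    magic, cpu, sub, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    off = base + (32 if magic == MH_MAGIC_64 else 28)   # 64-bit header has a reserved word
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
        off += cmdsize
    return ARCH.get((cpu, sub & 0xFFFFFF), hex(cpu)), cryptid

def encryption_report(data):
    """Map each architecture slice to its cryptid: 0 = decrypted, 1 = still encrypted."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return dict([slice_cryptid(data)])
    (nfat,) = struct.unpack_from(">I", data, 4)
    report = {}
    for i in range(nfat):
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        arch, cryptid = slice_cryptid(data, offset)
        report[arch] = cryptid
    return report

def build_sample():
    """Constructed header-only fat file: armv7 slice decrypted, arm64 slice still encrypted."""
    def thin(magic, cpu, sub, lc, cryptid):
        pad = b"\0" * 4 if magic == MH_MAGIC_64 else b""
        cmd = struct.pack("<5I", lc, 20 + len(pad), 0x4000, 0x1000, cryptid) + pad
        return struct.pack("<7I", magic, cpu, sub, 2, 1, len(cmd), 0) + pad + cmd
    a = thin(MH_MAGIC, 12, 9, LC_ENCRYPTION_INFO, 0)
    b = thin(MH_MAGIC_64, 0x0100000C, 0, LC_ENCRYPTION_INFO_64, 1)
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 12, 9, 48, len(a), 0)
    fat += struct.pack(">5I", 0x0100000C, 0, 48 + len(a), len(b), 0)
    return fat + a + b

if __name__ == "__main__":
    print(encryption_report(build_sample()))
```

To check a real file, pass its contents instead of the sample: `encryption_report(open(path, "rb").read())`.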