Hit a shell
2017-09-12 本文已影响0人
lifeLL
//1. ssh进入手机:ssh root@<iPhone的IP>(例如下文用到的 192.168.2.204)
//2. 找到目标app路径
Yuanlingde-iPhone:~ root# ps -e|grep Containers
977 ?? 0:33.20 /var/mobile/Containers/Bundle/Application/2BCF44DF-4B58-4074-85B4-1A6E75E5F4DA/WeChat.app/WeChat
//3. 用Cycript找出TargetApp的Documents目录路径(-p 后面填第2步 ps 输出中目标进程的PID;下面示例里的 1050 与第2步的 977 不一致,应是另一次运行时记录的)
way1 :
Yuanlingde-iPhone:~ root# cycript -p 1050
cy#
cy#
cy# NSHomeDirectory()
@"/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574"
然后自己拼接上 “/Documents/”
way 2 :
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/"
//4. 将dumpdecrypted.dylib拷贝到目标app路径的Documents目录下
lifedeMBP:~ life$ scp /Users/life/iOS/reverse/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.2.204:/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/
root@192.168.2.204's password:
dumpdecrypted.dylib 100% 193KB 192.9KB/s 00:00
lifedeMBP:~ life$
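//5. 砸壳:先cd进入第3步得到的Documents目录,再执行下面的命令(dumpdecrypted 会把 WeChat.decrypted 写到当前目录;下面示例的主机名和UUID与前面几步不一致,应是在另一台设备上记录的,实际以第3步查到的路径为准)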
FunMaker-5:~ root# cd /var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-2146128611EE/Documents/
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/2BCF44DF-4B58-4074-85B4-1A6E75E5F4DA/WeChat.app/WeChat
//6. 拷回MAC
lifedeMBP:~ life$ scp root@192.168.2.204:/var/mobile/Containers/Data/Application/311A8B61-191B-4468-9DDE-CFA00AAB2574/Documents/WeChat.decrypted /Users/life/iOS/reverse/wechat
root@192.168.2.204's password:
WeChat.decrypted 100% 116MB 506.2KB/s 03:55
//7. class dump(输入文件是第6步拷回的 WeChat.decrypted;下面命令里的输入路径与第6步的目标目录不一致,请按文件实际所在位置填写)
lifedeMBP:~ life$ class-dump --arch armv7 -H /Users/life/iOS/reverse/dumpdecrypted-master/WeChat.decrypted -o /Users/life/iOS/reverse/heads.h
(-H 表示生成头文件,-o 指定头文件的输出目录;不加-H选项就会打印在终端上。--arch 要与设备上实际运行、被解密的那个架构一致,本例为 armv7。)