iOS逆向之Clutch砸壳

1、GitHub下载最新版,https://github.com/KJCracks/Clutch/releases

2、把下载的Clutch放到越狱的手机的/usr/bin目录下

3、ssh连接iphone

wifi:~ clf$ ssh root@192.168.2.2

4、进入目录

iPhone:~ root# cd /usr/bin

5、输入Clutch

iPhone:/usr/bin root# Clutch-2.0.4
sh: /usr/bin/Clutch-2.0.4: Permission denied

这里是因为没有赋予Clutch可执行权限

iPhone:/usr/bin root# chmod +x Clutch-2.0.4 
iPhone:/usr/bin root# Clutch-2.0.4
Usage: Clutch-2.0.4 [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID 
-d --dump <value>        Dump specified bundleID into .ipa file 
-i --print-installed     Print installed applications 
   --clean               Clean /var/tmp/clutch directory 
   --version             Display version and exit 
-? --help                Display this help and exit 
-n --no-color            Print with colors disabled 

可以看出这里是一些Clutch的命令使用，我们找到我们需要砸壳的App的bundleID，

iPhone:/usr/bin root# Clutch-2.0.4 -i
1:   QQ <com.tencent.mqq>
2:   ...
...

砸壳

iPhone:/usr/bin root# Clutch-2.0.4 -d cn.dxwt.Community10000

然后会告诉你砸壳之后的.ipa文件的路径

Zipping Community10000v6.app
...
DONE: /private/var/mobile/Documents/Dumped/cn.dxwt.Community10000-iOS10.0-(Clutch-2.0.4).ipa
Finished dumping cn.dxwt.Community10000 in 5.7 seconds

然后就大功告成了。