Dumping (砸壳) an iOS App

2019-07-26  马克吐温Coder
1. Prepare a jailbroken iPhone (on the jailbroken device, install OpenSSH and Cycript from Cydia).
2. dumpdecrypted, the dylib that is injected to do the dumping (after downloading, unzip it, cd into the directory and run make; this produces dumpdecrypted.dylib).
3. class-dump, which parses the dumped binary (after downloading, unzip it, put the class-dump binary in /usr/local/bin, then open a terminal and run sudo chmod +x /usr/local/bin/class-dump so it is executable).
4. Connect the computer to the phone over SSH: ssh root@192.168.20.249 (use the phone's IP address; the root password of a freshly jailbroken device is the well-known default alpine, so change it with passwd before leaving sshd reachable on the network).
5. Once connected, run ps -e | grep var in the SSH session to list the processes running on the phone (third-party apps live under /var/mobile/Containers/Bundle, so this filter shows them; it is best to close every other app so that only the one you want to dump is left).

Here is what my terminal showed:

63 ??        0:00.01 /bin/sh ./var/root/Library/HCherryex/sshh
355 ??       0:00.03 /var/root/Library/HCherryex/HCherryex
360 ??       0:00.08 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
1022 ??      0:04.24 /var/mobile/Containers/Bundle/Application/BD1541B0-F48A-4553-943D-EF49012EE76C/DingTalk.app/DingTalk
1051 ??      0:00.08 /private/var/root/Media/MIService/MIService
1236 ??      0:09.76 /var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat
1279 ttys000 0:00.01 grep var
6. Run cycript -p 1236 (the PID of the target app from the ps output, WeChat here) to enter the Cycript environment attached to that process.
7. Bring the app you want to dump to the foreground on the phone, then evaluate [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] in Cycript. This returns the app's sandbox Documents directory (inside /var/mobile/Containers/Data/Application/<UUID>/). Save it, and also save the path of the executable from step 5. Note that the Data container and the Bundle container have different UUIDs; both paths are needed below.
8. Open a second terminal on the Mac and copy the dylib into the app's sandbox Documents directory:

scp /Users/mk/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.20.249:/var/mobile/Containers/Data/Application/EBEEC7CB-E1C6-4810-99AC-64AB329A9D4B/Documents/

That is: scp + (path to dumpdecrypted.dylib) + (root@ip address) + (:) + (sandbox Documents path of the app being dumped). The dylib goes into the app's own sandbox because the dump is written to the current working directory, and the app's process is only guaranteed to be able to read and write there.

9. In the SSH terminal, cd into that Documents directory (dumpdecrypted writes its output file into the current directory), then launch the app binary with the dylib injected: DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100090ca8(from  0x100090000) = ca8
[+] Found encrypted data at address 00004000 of length 59965440 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/3B9BAB22-6D78-4B83-A4B2-4675BF60D155/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 66879488 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3fc8ca8
[+] Closing original file
[+] Closing dump file

Running ls in the same directory now shows WeChat.decrypted, the dumped WeChat binary. The log explains what happened: the encrypted range (cryptoff 0x4000, 59965440 bytes) was read back out of the running process, where the kernel has already decrypted it, and written over the same range of a copy of the file; the cryptid field of the arm64 slice, found at 0xca8 into the slice (file offset 66879488 = 0x3fc8000, plus 0xca8 = 0x3fc8ca8), was set to 0. Only the slice of the architecture that was actually running is decrypted; in a FAT file the other slice (armv7 here) keeps cryptid = 1.

10. Back in the Mac terminal, copy the file to the desktop (again with the phone's IP address):

scp root@192.168.101.21:/var/mobile/Containers/Data/Application/EBEEC7CB-E1C6-4810-99AC-64AB329A9D4B/Documents/WeChat.decrypted ~/Desktop

11. Use class-dump to parse the dumped file and produce the header files of WeChat's classes:

class-dump -H /Users/mk/Desktop/WeChat.decrypted -o /Users/mk/Desktop/WeChat

Because WeChat.decrypted is a FAT file whose armv7 slice is still encrypted, pass --arch arm64 if class-dump reports an encrypted input or produces no headers, so that it reads the slice that was actually dumped.
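The dumpdecrypted log above is the only evidence that the dump worked, so before running class-dump it is worth checking the file itself. The following script is an added example (it is not code from the original post, nor part of dumpdecrypted or class-dump): it walks the load commands of a thin or FAT Mach-O, finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, and reports the cryptid of every slice together with the file offset of the cryptid field, which for the WeChat file above is the arm64 slice offset 66879488 (0x3fc8000) plus 0xca8, i.e. 0x3fc8ca8 as in the log. A slice that still shows cryptid=1 has not been dumped. The functions build_slice and build_fat construct minimal fake images for testing and are not real app binaries; running the script with no argument prints the report for such a fixture, which mirrors the real situation of a dumped arm64 slice next to a still-encrypted armv7 one.

```python
"""Report FairPlay encryption state of an iOS Mach-O (thin or FAT) from LC_ENCRYPTION_INFO.
Added example, not from the original post or from dumpdecrypted/class-dump.
Usage: python machocrypt.py WeChat.decrypted   (exit status 0 if every slice has cryptid == 0)
"""
from __future__ import annotations
import struct
import sys
from dataclasses import dataclass
from pathlib import Path

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit header, little/big-endian on disk
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit header
FAT_MAGIC = 0xCAFEBABE                               # universal binary; fat headers are big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64", 0x7: "i386", 0x01000007: "x86_64"}

@dataclass
class EncryptionInfo:
    cputype: int
    cryptoff: int    # start of the encrypted range, relative to the slice
    cryptsize: int   # length of the encrypted range
    cryptid: int     # 1 = still FairPlay-encrypted, 0 = plain (what dumpdecrypted writes)
    cmd_offset: int  # absolute file offset of the load command

    @property
    def arch(self) -> str:
        return CPU_NAMES.get(self.cputype, hex(self.cputype))

    @property
    def cryptid_offset(self) -> int:
        return self.cmd_offset + 16   # cmd, cmdsize, cryptoff, cryptsize precede the cryptid field

def parse_thin(data: bytes, base: int = 0) -> EncryptionInfo | None:
    """Walk the load commands of the Mach-O slice that starts at file offset `base`."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError(f"no Mach-O header at offset {base:#x}")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    cputype, _sub, _ftype, ncmds, sizeofcmds = struct.unpack_from(end + "IIIII", data, base + 4)
    off = base + (32 if is64 else 28)          # mach_header_64 carries an extra reserved field
    cmds_end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > cmds_end:
            raise ValueError(f"malformed load command at {off:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from(end + "III", data, off + 8)
            return EncryptionInfo(cputype, cryptoff, cryptsize, cryptid, off)
        off += cmdsize
    return None   # no encryption command at all, e.g. a developer or ad-hoc build

def encryption_info(data: bytes) -> list[EncryptionInfo | None]:
    """One entry per slice of a FAT image, or a single entry for a thin image."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data, 0)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    infos = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"fat_arch {i} points outside the file")
        infos.append(parse_thin(data, offset))
    return infos

def is_decrypted(data: bytes) -> bool:
    """True when no slice still carries cryptid == 1, i.e. the file is ready for class-dump."""
    return all(info is None or info.cryptid == 0 for info in encryption_info(data))

def report(data: bytes) -> list[str]:
    lines = []
    for info in encryption_info(data):
        if info is None:
            lines.append("no LC_ENCRYPTION_INFO: binary was never FairPlay-wrapped")
            continue
        state = "ENCRYPTED" if info.cryptid else "decrypted"
        lines.append(f"{info.arch}: cryptid={info.cryptid} ({state}) cryptoff={info.cryptoff:#x} "
                     f"cryptsize={info.cryptsize:#x} cryptid field at file offset {info.cryptid_offset:#x}")
    return lines

def build_slice(cputype: int, cryptid: int, is64: bool = True) -> bytes:
    """Constructed fixture (not a real app): minimal Mach-O whose only command is LC_ENCRYPTION_INFO(_64)."""
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, 2, 1, len(lc), 0)
    return hdr + lc + b"\0" * 64   # real images continue with segments; the parser never reads them

def build_fat(slices: list[tuple[int, bytes]], align: int = 0x4000) -> bytes:
    """Constructed fixture: wrap slices in a FAT header, each at a page-aligned offset like real binaries."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for i, (cputype, img) in enumerate(slices):
        out += struct.pack(">IIIII", cputype, 0, align * (i + 1), len(img), 14)   # align field = 2^14
    for i, (_cpu, img) in enumerate(slices):
        out += b"\0" * (align * (i + 1) - len(out)) + img
    return bytes(out)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        blob = Path(sys.argv[1]).read_bytes()
    else:   # no file given: fixture with the armv7 slice still encrypted and the arm64 slice dumped
        blob = build_fat([(CPU_TYPE_ARM, build_slice(CPU_TYPE_ARM, 1, is64=False)),
                          (CPU_TYPE_ARM64, build_slice(CPU_TYPE_ARM64, 0))])
    print("\n".join(report(blob)))
    sys.exit(0 if is_decrypted(blob) else 1)
```

The exit status makes the check usable as a gate in a script: run it on WeChat.decrypted and only call class-dump when it returns 0, or pass --arch for the slice the report shows as decrypted. The same cryptid_offset is the byte a repacking tool would have to zero after replacing the encrypted range, which is exactly the final step dumpdecrypted logs.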
