越狱命令行

破壳:

10.10.215.119

ssh root@10.10.215.119

ssh root@10.10.213.176

CCBMobileBank

Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

Fuqianlade-iPhone:~ root# ps aux | grep CCBMobileBank

cycript -p 1682

查看工程文档路径

cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

#"file:///var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-2146128611EE/Documents/"

//破解文件部署

Connection to 10.10.213.176 closed.

/var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/

localhost:~ zzf073$ scp /Users/zzf073/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@10.10.215.119:/var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/

localhost:~ zzf073$ scp /Users/zzf073/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/

执行破解操作

root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/4317E560-4555-40DB-A2DD-DA7BCFD5A208/CCBMobileBank.app/CCBMobileBank mach-o decryption dumper

移出破解文件

scp root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/WeChat.decrypted /Users/zzf073/Desktop/

scp root@10.10.215.119:/var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/CCBMobileBank.decrypted  /Users/zzf073/Desktop/

dumpdecrypted.dylib

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/97C700C3-BFC6-403F-9F9A-F86718B50B6F/WeChat.app/WeChat

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.

[+] offset to cryptid found: @0x100008ca8(from 0x100008000) = ca8

[+] Found encrypted data at address 00004000 of length 53149696 bytes - type 1.

[+] Opening /private/var/mobile/Containers/Bundle/Application/97C700C3-BFC6-403F-9F9A-F86718B50B6F/WeChat.app/WeChat for reading.

[+] Reading header

[+] Detecting header type

[+] Executable is a FAT image - searching for right architecture

[+] Correct arch is at offset 58195968 in the file

[+] Opening WeChat.decrypted for writing.

[+] Copying the not encrypted start of the file

[+] Dumping the decrypted data into the file

[+] Copying the not encrypted remainder of the file

[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3780ca8

[+] Closing original file

[+] Closing dump file

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root#

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# ls

00000000000000000000000000000000  Ksid SMReport.dat   dumpdecrypted.dylib

28151a05933262a83edb6bf13c1614ab  LocalInfo.lst  SafeMode.dat   f28bb14707638a842e2ae52f5362e7bf

309bf6cf478a5a14b0837554068b1198  MMResourceMgr  WeChat.decrypted  f2c98788f57f249a5c3eba7cb9d9d9a5

355b70a369152b9e1c6cb3a568febfca  MMappedKV db.globalconfig   mmupdateinfo.archive

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# cd WeChat.decrypted

-sh: cd: WeChat.decrypted: Not a directory

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root#

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root#

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# ^C

Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# exit

logout

Connection to 10.10.213.176 closed.

localhost:~ zzf073$ scp root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/WeChat.decrypted /Users/zzf073/Desktop/

root@10.10.213.176's password:

WeChat.decrypted                                                                                              100%  118MB   6.6MB/s   00:18

localhost:~ zzf073$ cd /Users/zzf073/Desktop/破壳

localhost:破壳 zzf073$ ls

WeChat.decrypted

localhost:破壳 zzf073$ class-dump -H WeChat.decrypted -o ./h

2.使用方法

命令如下:class-dump -H /Applications/Calculator.app -o /Users/apple/Desktop/calculate\ heads

生成目标工程

/opt/theos/bin/nic.pl

hookApp

com.zzf073.hookApp

com.ccb.ccbDemo

localhost:tweak zzf073$ /opt/theos/bin/nic.pl

NIC 2.0 - New Instance Creator

------------------------------

[1.] iphone/activator_event

[2.] iphone/application_modern

[3.] iphone/cydget

[4.] iphone/flipswitch_switch

[5.] iphone/framework

[6.] iphone/ios7_notification_center_widget

[7.] iphone/library

[8.] iphone/notification_center_widget

[9.] iphone/preference_bundle_modern

[10.] iphone/tool

[11.] iphone/tweak

[12.] iphone/xpc_service

Choose a Template (required): 11

Project Name (required): hookApp

Package Name [com.yourcompany.hookapp]: com.xxx.hookapp

Author/Maintainer Name [zzf073]: zzf073

[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.zzf073.hookApp

[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: -

头文件转换

logify.pl  ./xx/ViewController.h > ./Tweak.xm

com.zzf073.TweakTestx

FQUserCenterController.h

FQLoginViewController.h

FQAppManager.h

SettingViewController.h

CCB_3_VM_MyAccountDetailInfoList

CCB_3_VC_MyAccountDetailInfoList

logify.pl CCB_3_VM_MyAccountDetailInfoList.h CCB_3_VC_MyAccountDetailInfoList.h > ../Tweak.xm

注入安装包

make package install

Theos make install 出现了问题

http://www.iosre.com/t/theos-make-install/6706

连接手机

(下载openssh)

ssh root@10.10.213.176

这个过程会提示你输入几次iphone或者ipad的密码。默认是:alpine.

1, ssh root@10.10.245.208 (iP地址为设备的iP地址)

2, ps -e       (查看进程)

3, cycript -p  (附加进程)

ps: command not found

advs  安装

CCBMobileBank

Connection to 10.10.213.176 closed.

bogon:xtest zzf073$ ssh root@10.10.213.176

root@10.10.213.176's password:

Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

root      1677   0.0  0.0   536256    428 s000  R+    6:59PM   0:00.01 grep FqlMerchantX

Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

root      1687   0.0  0.0   536256    436 s000  R+    6:59PM   0:00.01 grep FqlMerchantX

mobile    1682   0.0  2.3   672780  23476   ??  Ss    6:59PM   0:00.68 /var/mobile/Containers/Bundle/Application/9B748578-23F7-48C7-B042-7D30FCF7F8D3/

Fuqianlade-iPhone:~ root# cycript -p 1682

UI破解技术

cy# var delegate = UIApp.delegate

#"<AppDelegate: 0x1742205a0>"

cy# UIApp.keyWindow.recursiveDescription().toString()

[#0x1614f5bd0 nextResponder]

打包命令

make package

make package install

MakeFile组成:

10.10.213.176

ARCHS = armv7 arm64

TARGET = iphone:latest:8.0

include /opt/theos/makefiles/common.mk

TWEAK_NAME = iOSREGreetings

iOSREGreetings_FILES = Tweak.xm

iOSREGreetings_FRAMEWORKS = UIKit

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::

install.exec "killall -9 SpringBoard"

include theos/makefiles/common.mk  

APPLICATION_NAME = firstdemo  

[applicationName]_FILES = main.m firstdemoApplication.mm RootViewController.mm  

[applicationName]_FRAMEWORKS = UIKitFoundationQuartzCoreAudioToolboxCoreGraphics

设置环境变量

打开命令行然后输入

export THEOS=export SDKVERSION=7.1

reveals

Users/zzf073/Desktop/reveal@10.10.213.176

破解版

iOS逆向命令集的更多相关文章

  1. ios逆向过程中lldb调试技巧

    在ios逆向过程中,善于运用lldb,会给逆向带来很大的方便 一般的命令: 1.image list -o -f  看看各个模块在内存中的基址 2.register read r0  读取寄存器r0的 ...

  2. iOS逆向开发(1):基础工具 | ssh | scp | socat

    小白:小程,我一直想问,什么是逆向来着?是逆向行驶吗? 小程:理解为逆向行驶也没错.一般的项目是从无到有,而逆向是从已有的状态入手,分析出已有的流程与结构的手段. iOS上的逆向开发,是一件有趣的事情 ...

  3. iOS逆向+越狱

    感觉本文涉及内容有点多的,但是自己不愿意写太多,就简单的谢谢关于ios上手的东西吧 初级入手不免要用到,pp助手,i4 tools等 iOS逆向-ipa包重签名及非越狱手机安装多个应用 1.常识 我们 ...

  4. 偏执的iOS逆向研究员:收集全版本的macOS iOS+越狱+内核调试

    Intro 虽然“只有偏执狂才能够生存”这句话已经被假药停给毁了,但是作为一只有逼格的高大上的iOS逆向分析研究员,难道如果有现成的macOS/iOS全版本镜像可以下载并且无限“漫游”,难道你就不想来 ...

  5. iOS逆向(五)-ipa包重签名

    为什么要重签名? 1.在没有源代码的情况下,你已经对某个应用进行了资源修改(比如修改了启动图或图标等).修改完成以后,如果想要让APP可以正常使用,该APP一定要重新签名然后压缩成IPA文件. 2.如 ...

  6. iOS逆向系列-脱壳

    概述 通过iOS逆向系列-逆向App中使用class-dump工具导出App的Mach-O文件所有头文件.Hopper工具分析App的Mach-O文件代码大概实现.但是这些前体是App的Mach-O没 ...

  7. iOS逆向系列-逆向APP思路

    界面分析 通过Cycript.Reveal. 对于Reveal安装配置可参考配置iOS逆向系列-Reveal 通过Reveal找到内存中的UI对象 静态分析 开发者编写的所有代码最终编译链接到Mach ...

  8. iOS逆向之一 工具的安装和使用

    iOS逆向之一-工具的安装和使用 最近在学习iOS安全方面的技术,有些东西就记录下来了,所有有了这篇文章.顺便也上传了DEMO,可以再这里找到这些DEMO的源码:dhar/iOSReProject 越 ...

  9. 《Ansible权威指南》笔记(3)——Ad-Hoc命令集,常用模块

    五.Ad-Hoc命令集1.Ad-Hoc命令集通过/usr/bin/ansible命令实现:ansible <host-pattern> [options]    -v,--verbose  ...

随机推荐

  1. Ubuntu上的Python

    在Ubuntu如何查看Python版本 2版本命令:Python -V  (注意是大写) 3版本命令:Python3 -V Ubutun16上默认安装Python 2.7, Python3 将Pyth ...

  2. vue(2)创建项目

    1.创建项目 cmd到自己指定目录下,执行 vue init webpack-simple hello-vue 2.安装项目依赖 cd hello-vue cnpm install 3.运行该项目,测 ...

  3. spring boot 启动时运行代码(2)ApplicationListener

    项目概览: StepExecutor: @Component @Slf4j public class StepExecutor implements Runnable { @Autowired pri ...

  4. python模块之openpyxl扩展

    主要是对openpyxl扩展进行扩展,使用归类等 1. 安装 pip install openpyxl 想要在文件中插入图片文件,需要安装pillow,安装文件:PIL-fork-1.1.7.win- ...

  5. maya安装错误

    AUTODESK系列软件着实令人头疼,安装失败之后不能完全卸载!!!(比如maya,cad,3dsmax等).有时手动删除注册表重装之后还是会出现各种问题,每个版本的C++Runtime和.NET f ...

  6. ThreadLocal 开启事务

    1.ThreadLocal该类提供了线程局部变量 2.分析原理: ThreadLocal内部有一个Map.Map的key是当前线程对象,value是一个Object对象. 模拟该类: public c ...

  7. DevExtreme 搭建Node.js开发环境

    简介 DevExtreme is a component suite for creating highly responsive web applications for touch devices ...

  8. .net 与 asp.net

    .net 指的是框架,框架包含很多东西例如: > 语言: VB, C#, C++, Ruby, Python ... > 类库: 网络通讯,图像处理, 安全,IO,数据链接访问 ... & ...

  9. dotnetcharting 的简单使用

    dotnetcharting 是一个很好用的图表控件,能画出很漂亮的报表,一般常用到的主要有柱状图.饼图.折线图三种. dotnetcharting 有web版.winform版多个版本可供使用,官方 ...

  10. spring各版本之间的特性增加

    一.Spring3.0以后不再提供一个大的完整的jar包,而是分成20个小的jar包: org.springframework.aop, 包含在应用中使用Spring的AOP特性时所需的类. org. ...