iOS Reverse Engineering: Manually Decrypting an App with Clutch
阿新 • Published: 2018-12-21
Recently, while reversing a certain app, I found that AloneMonkey's one-click dumping tool, which had always worked reliably for me, kept getting stuck at "dump framework". I never pinned down the cause, so I had no choice but to dump the app by hand.
This time I did not pick the very old dumpdecrypted, since its last commit dates from 2014. After some searching I settled on the newer Clutch (last commit eight months ago).
I downloaded its prebuilt binary, which saves the trouble of compiling it myself.
First connect to the jailbroken phone (see the earlier article for the details), then use scp to push the binary onto the phone (if you do not have a jailbroken phone, the hardest part is finding one):
Open a new terminal:
➜ Downloads scp -P 2222 ~/Downloads/Clutch [email protected]:/usr/bin
[email protected]'s password:
Clutch
In the terminal window on the phone:
iPhone:/ root# cd /usr/bin
iPhone:/usr/bin root# chmod +x Clutch    // grant execute permission
iPhone:/usr/bin root# Clutch --help
Usage: Clutch [OPTIONS]
-b --binary-dump <value>   Only dump binary files from specified bundleID
-d --dump <value>          Dump specified bundleID into .ipa file
-i --print-installed       Print installed applications
   --clean                 Clean /var/tmp/clutch directory
   --version               Display version and exit
-? --help                  Display this help and exit
-n --no-color              Print with colors disabled
iPhone:/usr/bin root# Clutch -i
Installed apps:
1: WeChat <com.tencent.xin>
2: Weibo <com.sina.weibo>
3: Phoenix II <com.xxx.xii>
4: 語音神器 <com.xxx.xxx>
iPhone:/usr/bin root# Clutch -d 4
Zipping Hotlivey.app
Dumping <KMCAgoraVRTC> arm64
ASLR slide: 0x1000b8000
Dumping <iSpeakHotlivey> (arm64)
Patched cryptid (64bit segment)
Successfully dumped framework KMCAgoraVRTC!
Child exited with status 0
Writing new checksum
Zipping KMCAgoraVRTC.framework
DONE: /private/var/mobile/Documents/Dumped/com.xxx.xxx-iOS9.0-(Clutch-2.0.4).ipa
Finished dumping com.xxx.xxx in 46.5 seconds
// change into the directory that holds the dumped ipa
iPhone:/tmp root# cd /private/var/mobile/Documents/Dumped/
iPhone:/private/var/mobile/Documents/Dumped root# ls
com.xxx.xxx-iOS9.0-(Clutch-2.0.4).ipa
// give it a simple name so the later steps do not trip over the original one
iPhone:/private/var/mobile/Documents/Dumped root# mv com.xxx.xxx-iOS9.0-\(Clutch-2.0.4\).ipa IS.ipa
iPhone:/private/var/mobile/Documents/Dumped root# ls
IS.ipa
Open a new terminal and use scp to copy the ipa to the desktop:
➜ Downloads scp -P 2222 [email protected]:/private/var/mobile/Documents/Dumped/IS.ipa ~/Desktop
[email protected]'s password:
IS.ipa                                   100%   92MB  11.2MB/s   00:08
// decryption succeeded: cryptid is now 0
➜ Desktop otool -l iS | grep crypt
cryptoff 16384
cryptsize 55787520
cryptid 0
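The "Patched cryptid" line from Clutch and the final otool check both refer to the cryptid field of the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command: 1 means the __TEXT range is still FairPlay-encrypted, 0 means it has been written out in the clear. As an added example that is not part of the original post, the following Python checker reads that field directly, for both thin and fat (multi-architecture) Mach-O images, so every binary and framework in a dump can be verified without otool; its input is a constructed minimal Mach-O, not the app from the post, and it only reuses the cryptoff/cryptsize values shown above as sample numbers.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64, MH_EXECUTE = 0x0100000C, 2

def _thin_slice(blob):
    """Walk one Mach-O header's load commands; return (cputype, cryptoff, cryptsize, cryptid)."""
    magic, cputype = struct.unpack_from("<I", blob, 0)[0], struct.unpack_from("<I", blob, 4)[0]
    ncmds = struct.unpack_from("<I", blob, 16)[0]
    off = 32 if magic == MH_MAGIC_64 else 28      # mach_header_64 is 32 bytes, mach_header is 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            return (cputype, cryptoff, cryptsize, cryptid)
        off += cmdsize
    return (cputype, 0, 0, 0)                     # no LC_ENCRYPTION_INFO: never encrypted

def encryption_info(blob):
    """Encryption state of every architecture slice in a thin or fat Mach-O image.
    cryptid 1: __TEXT is still FairPlay-encrypted; cryptid 0: plain, analysable code."""
    if struct.unpack_from("<I", blob, 0)[0] in (MH_MAGIC, MH_MAGIC_64):
        return [_thin_slice(blob)]
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:   # fat header and fat_arch table are big-endian
        nfat = struct.unpack_from(">I", blob, 4)[0]
        slices = []
        for i in range(nfat):
            _, _, offset, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
            slices.append(_thin_slice(blob[offset:offset + size]))
        return slices
    raise ValueError("not a Mach-O image")

def is_decrypted(blob):
    """True only when every slice reports cryptid 0, the same check as otool -l | grep crypt."""
    return all(cryptid == 0 for _, _, _, cryptid in encryption_info(blob))

def build_sample(cryptid):
    """Constructed test input (not a real app): a minimal arm64 Mach-O holding only
    LC_ENCRYPTION_INFO_64, reusing the cryptoff/cryptsize values from the post's otool output."""
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, 24, 0, 0)
    return header + struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, 55787520, cryptid, 0)

if __name__ == "__main__":
    for label, image in (("App Store copy", build_sample(1)), ("Clutch dump", build_sample(0))):
        for cputype, cryptoff, cryptsize, cryptid in encryption_info(image):
            print(f"{label}: cputype {cputype:#x} cryptoff {cryptoff} cryptsize {cryptsize} cryptid {cryptid}")
        print("  decrypted" if is_decrypted(image) else "  still encrypted")
```

To check a real dump, unzip the ipa and pass the bytes of the main executable and of each framework binary under Frameworks/ to encryption_info; a slice still reporting cryptid 1 is one Clutch did not patch.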