  • iOS reverse-engineering command notes

    Jailbroken-device command line

    Decrypting the App Store binary:

    10.10.215.119

    ssh root@10.10.215.119

    ssh root@10.10.213.176

    CCBMobileBank

    Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

    Fuqianlade-iPhone:~ root# ps aux | grep CCBMobileBank

    cycript -p 1682

    Find the app's Documents directory (run inside the attached cycript session)

    cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

    #"file:///var/mobile/Containers/Data/Application/D41C4343-63AA-4BFF-904B-2146128611EE/Documents/"

    // deploy the dump library into the app's Documents directory

    Connection to 10.10.213.176 closed.

    /var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/

    localhost:~ zzf073$ scp /Users/zzf073/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@10.10.215.119:/var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/

    localhost:~ zzf073$ scp /Users/zzf073/Desktop/dumpdecrypted-master/dumpdecrypted.dylib root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/

    Run the dump (launch the app binary with dumpdecrypted.dylib injected via DYLD_INSERT_LIBRARIES)

    root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/4317E560-4555-40DB-A2DD-DA7BCFD5A208/CCBMobileBank.app/CCBMobileBank

    mach-o decryption dumper

    Copy the decrypted binary off the device

    scp root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/WeChat.decrypted /Users/zzf073/Desktop/

    scp root@10.10.215.119:/var/mobile/Containers/Data/Application/B01FE602-A5DD-4E0F-873F-4EEAB77DD5B1/Documents/CCBMobileBank.decrypted  /Users/zzf073/Desktop/

    dumpdecrypted.dylib 

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/97C700C3-BFC6-403F-9F9A-F86718B50B6F/WeChat.app/WeChat

    mach-o decryption dumper

    DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

    [+] detected 64bit ARM binary in memory.

    [+] offset to cryptid found: @0x100008ca8(from 0x100008000) = ca8

    [+] Found encrypted data at address 00004000 of length 53149696 bytes - type 1.

    [+] Opening /private/var/mobile/Containers/Bundle/Application/97C700C3-BFC6-403F-9F9A-F86718B50B6F/WeChat.app/WeChat for reading.

    [+] Reading header

    [+] Detecting header type

    [+] Executable is a FAT image - searching for right architecture

    [+] Correct arch is at offset 58195968 in the file

    [+] Opening WeChat.decrypted for writing.

    [+] Copying the not encrypted start of the file

    [+] Dumping the decrypted data into the file

    [+] Copying the not encrypted remainder of the file

    [+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3780ca8

    [+] Closing original file

    [+] Closing dump file

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# 

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# ls

    00000000000000000000000000000000  Ksid SMReport.dat   dumpdecrypted.dylib

    28151a05933262a83edb6bf13c1614ab  LocalInfo.lst  SafeMode.dat   f28bb14707638a842e2ae52f5362e7bf

    309bf6cf478a5a14b0837554068b1198  MMResourceMgr  WeChat.decrypted  f2c98788f57f249a5c3eba7cb9d9d9a5

    355b70a369152b9e1c6cb3a568febfca  MMappedKV db.globalconfig   mmupdateinfo.archive

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# cd WeChat.decrypted

    -sh: cd: WeChat.decrypted: Not a directory

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# 

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# 

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# ^C

    Fuqianlade-iPhone:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents root# exit

    logout

    Connection to 10.10.213.176 closed.

    localhost:~ zzf073$ scp root@10.10.213.176:/var/mobile/Containers/Data/Application/6E9CE214-6E6E-4A4A-A5CF-DEAAC3F15D24/Documents/WeChat.decrypted /Users/zzf073/Desktop/

    root@10.10.213.176's password: 

    WeChat.decrypted                                                                                              100%  118MB   6.6MB/s   00:18    

    localhost:~ zzf073$ cd /Users/zzf073/Desktop/破壳 

    localhost:破壳 zzf073$ ls

    WeChat.decrypted

    localhost:破壳 zzf073$ class-dump -H WeChat.decrypted -o ./h
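Checking the dump before feeding it to class-dump (added example; not from the original notes and not part of dumpdecrypted). The log above shows why the check is worth doing: the executable is FAT, dumpdecrypted decrypts only the slice the process actually ran (arm64 here) and writes the rest of the file through unchanged, and it reports where it zeroed cryptid: 0x3780ca8 is the slice offset 58195968 (0x3780000) plus the in-slice offset 0xca8 it found earlier. The script walks the load commands of every slice and reports the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 cryptid (the same field `otool -l` prints). The sample binaries it builds when run without a path are constructed, with cryptoff at 64 instead of the real 0x4000, and the file name in the usage line is an assumption.

```python
"""Verify a dumpdecrypted output: report LC_ENCRYPTION_INFO(_64) cryptid per Mach-O slice.
Added example, not part of the original notes. Layouts follow mach-o/loader.h and mach-o/fat.h."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF        # little-endian on disk for ARM
FAT_MAGIC = 0xCAFEBABE                                # FAT header and arch table are big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def parse_thin(data, base=0):
    """Parse one thin Mach-O slice starting at `base`; return its encryption state."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_len = 32
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %#x" % base)
    cputype, _subtype, _filetype, ncmds, _sizeofcmds = struct.unpack_from("<iiIII", data, base + 4)
    info = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "slice_offset": base,
            "cryptid": None, "cryptoff": None, "cryptsize": None, "cryptid_file_offset": None}
    off = base + header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            # off + 16 is the file offset dumpdecrypted prints when it sets cryptid to 0
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_file_offset=off + 16)
        off += cmdsize
    return info


def inspect_macho(data):
    """One info dict per architecture slice (FAT), or a single-element list for a thin file."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _cpu, _sub, offset, _size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        slices.append(parse_thin(data, offset))
    return slices


def is_decrypted(data):
    """True only if every slice carrying an encryption command has cryptid == 0.
    A slice with no LC_ENCRYPTION_INFO at all was never FairPlay-encrypted and passes."""
    return all(s["cryptid"] in (None, 0) for s in inspect_macho(data))


# ---- constructed sample binaries (not real app data) ----
def build_thin(cryptid, bits=64):
    """Minimal Mach-O: header + one LC_ENCRYPTION_INFO(_64) covering 16 bytes at cryptoff 64."""
    if bits == 64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 64, 16, cryptid, 0)
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 64, 16, cryptid)
        header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 0, 2, 1, len(lc), 0)
    body = header + lc
    body += b"\0" * (64 - len(body))                       # pad up to cryptoff
    return body + (b"\xAA" if cryptid else b"\x55") * 16   # "encrypted" vs "plain" page


def build_fat(slices):
    """Wrap thin slices in a big-endian FAT header (16-byte alignment is enough for the demo)."""
    n = len(slices)
    offset = 8 + 20 * n
    arch_records, blobs = [], []
    for s in slices:
        offset = (offset + 15) & ~15
        cputype, = struct.unpack_from("<i", s, 4)
        arch_records.append(struct.pack(">iiIII", cputype, 0, offset, len(s), 4))
        blobs.append((offset, s))
        offset += len(s)
    out = bytearray(offset)
    struct.pack_into(">II", out, 0, FAT_MAGIC, n)
    out[8:8 + 20 * n] = b"".join(arch_records)
    for off, s in blobs:
        out[off:off + len(s)] = s
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # mimic the page's case: armv7 slice left encrypted, arm64 slice dumped
        data = build_fat([build_thin(1, bits=32), build_thin(0, bits=64)])
    for s in inspect_macho(data):
        state = ("no encryption command" if s["cryptid"] is None
                 else "encrypted" if s["cryptid"] else "decrypted")
        where = hex(s["cryptid_file_offset"]) if s["cryptid_file_offset"] is not None else "n/a"
        print("%-6s slice @%#x: %s (cryptid at file offset %s)" % (s["arch"], s["slice_offset"], state, where))
    print("all slices decrypted:", is_decrypted(data))
```

Run it as `python3 check_cryptid.py WeChat.decrypted` (script name assumed). A slice still reporting cryptid 1 is the architecture that did not run, so class-dump must be pointed at the decrypted slice: `class-dump --arch arm64 -H WeChat.decrypted -o ./h`, or `lipo -thin arm64` the file first.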

    2. Usage

    The command is: class-dump -H /Applications/Calculator.app -o /Users/apple/Desktop/calculate heads

    Generate the tweak project

    /opt/theos/bin/nic.pl

    hookApp

    com.zzf073.hookApp

    com.ccb.ccbDemo

    localhost:tweak zzf073$ /opt/theos/bin/nic.pl

    NIC 2.0 - New Instance Creator

    ------------------------------

      [1.] iphone/activator_event

      [2.] iphone/application_modern

      [3.] iphone/cydget

      [4.] iphone/flipswitch_switch

      [5.] iphone/framework

      [6.] iphone/ios7_notification_center_widget

      [7.] iphone/library

      [8.] iphone/notification_center_widget

      [9.] iphone/preference_bundle_modern

      [10.] iphone/tool

      [11.] iphone/tweak

      [12.] iphone/xpc_service

    Choose a Template (required): 11

    Project Name (required): hookApp

    Package Name [com.yourcompany.hookapp]: com.xxx.hookapp

    Author/Maintainer Name [zzf073]: zzf073

    [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.zzf073.hookApp

    [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: -

    (The bundle filter is the bundle identifier of the app the tweak should be loaded into, e.g. com.ccb.ccbDemo above; a filter that names the tweak's own package id matches no process, so the tweak never loads.)

    Convert class-dump headers into a Tweak.xm

    logify.pl  ./xx/ViewController.h > ./Tweak.xm

    com.zzf073.TweakTestx

    FQUserCenterController.h

    FQLoginViewController.h

    FQAppManager.h

    SettingViewController.h

    CCB_3_VM_MyAccountDetailInfoList

    CCB_3_VC_MyAccountDetailInfoList

    logify.pl CCB_3_VM_MyAccountDetailInfoList.h CCB_3_VC_MyAccountDetailInfoList.h > ../Tweak.xm
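What logify.pl produces, shown with a small Python re-implementation (added example; this is not Theos's own logify.pl, whose generated method bodies differ in detail, e.g. it also logs non-void return values). The header it parses is constructed in class-dump style: DemoLoginViewController and its methods are made up and are not from any of the targets named above.

```python
"""Turn a class-dump style header into Logos source that %log's every declared method.
Added example, simplified stand-in for Theos's logify.pl; the sample header is constructed."""
import re
import sys

IFACE_RE = re.compile(r"^\s*@interface\s+([A-Za-z_]\w*)")
# "- (ReturnType)selector:(Arg)name ...;"  ->  kind, return type, selector with arguments
METHOD_RE = re.compile(r"^\s*([-+])\s*\(([^)]*)\)\s*(.*?)\s*;\s*$")

SAMPLE_HEADER = """\
// constructed sample in class-dump style; not a real header from the page's targets
@interface DemoLoginViewController : UIViewController
{
    UITextField *_passwordField;
    id <DemoLoginDelegate> _delegate;
}
@property(retain, nonatomic) UITextField *passwordField;
- (void)loginButtonTapped:(id)sender;
- (BOOL)validatePassword:(NSString *)password;
- (void)dealloc;
+ (id)controllerWithDelegate:(id)delegate;
@end
"""


def logify(header_text):
    """Return Logos source with a %hook block per @interface, hooking every method found."""
    out, in_ivars, current = [], 0, None
    for line in header_text.splitlines():
        stripped = line.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            out.append("%%hook %s" % current)
            continue
        if stripped == "@end" and current:
            out.append("%end\n")
            current = None
            continue
        if current is None:
            continue
        # skip the instance-variable block class-dump emits between { and }
        if stripped.startswith("{"):
            in_ivars += 1
        if in_ivars:
            if stripped.endswith("}"):
                in_ivars -= 1
            continue
        if stripped.startswith("@property"):
            continue  # a property declaration is not a method declaration
        m = METHOD_RE.match(line)
        if not m:
            continue
        kind, rettype, selector = m.groups()
        rettype = rettype.strip()
        # void methods just log and call through; everything else must return %orig
        body = "%log; %orig;" if rettype == "void" else "%log; return %orig;"
        out.append("%s (%s)%s { %s }" % (kind, rettype, selector, body))
    return "\n".join(out)


if __name__ == "__main__":
    # same shape as: logify.pl A.h B.h > Tweak.xm
    if len(sys.argv) > 1:
        print("\n".join(logify(open(p).read()) for p in sys.argv[1:]))
    else:
        print(logify(SAMPLE_HEADER))
```

The output is what ends up in Tweak.xm and is compiled through the `<TWEAK_NAME>_FILES` line of the Makefile. Hooking every method of a large class-dump header is noisy and can crash or stall the target (dealloc, drawing and timer paths fire constantly), so trim the generated file to the methods actually being studied before `make package install`.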

    Build and install the tweak package

    make package install

    Theos make install ran into a problem

    http://www.iosre.com/t/theos-make-install/6706

    Connect to the phone

    (install OpenSSH on the device first)

    ssh root@10.10.213.176

    You will be prompted several times for the iPhone/iPad root password. The default is alpine.

    1. ssh root@10.10.245.208 (the IP address is the device's IP)

    2. ps -e       (list processes)

    3. cycript -p  (attach to a process by PID)

    ps: command not found

    Install adv-cmds (the Cydia package that provides ps)

    CCBMobileBank

    Connection to 10.10.213.176 closed.

    bogon:xtest zzf073$ ssh root@10.10.213.176

    root@10.10.213.176's password: 

    Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

    root      1677   0.0  0.0   536256    428 s000  R+    6:59PM   0:00.01 grep FqlMerchantX

    Fuqianlade-iPhone:~ root# ps aux | grep FqlMerchantX

    root      1687   0.0  0.0   536256    436 s000  R+    6:59PM   0:00.01 grep FqlMerchantX

    mobile    1682   0.0  2.3   672780  23476   ??  Ss    6:59PM   0:00.68 /var/mobile/Containers/Bundle/Application/9B748578-23F7-48C7-B042-7D30FCF7F8D3/

    Fuqianlade-iPhone:~ root# cycript -p 1682  

    UI inspection from cycript

    cy# var delegate = UIApp.delegate

    #"<AppDelegate: 0x1742205a0>"

    cy# UIApp.keyWindow.recursiveDescription().toString()

    [#0x1614f5bd0 nextResponder]

    Packaging commands

    make package

    make package install

    Makefile layout:

    10.10.213.176

    ARCHS = armv7 arm64

    TARGET = iphone:latest:8.0

    include /opt/theos/makefiles/common.mk

    TWEAK_NAME = iOSREGreetings

    iOSREGreetings_FILES = Tweak.xm

    iOSREGreetings_FRAMEWORKS = UIKit

    include $(THEOS_MAKE_PATH)/tweak.mk

    after-install::

        install.exec "killall -9 SpringBoard"

    include theos/makefiles/common.mk  

    APPLICATION_NAME = firstdemo  

    firstdemo_FILES = main.m firstdemoApplication.mm RootViewController.mm  

    firstdemo_FRAMEWORKS = UIKit Foundation QuartzCore AudioToolbox CoreGraphics

    Set environment variables

    Open a terminal and enter

    export THEOS=

    export SDKVERSION=7.1

    Reveal

    Users/zzf073/Desktop/reveal@10.10.213.176

    cracked build

  • Original article: https://www.cnblogs.com/feng9exe/p/6874273.html