use dumpdecrypted to crack app

Compile dumpdecrypted into the dynamic library dumpdecrypted.dylib

Preparation before dumping ("砸壳")

Find the program directory of the target process

A2:~ root# ps -e|grep WeChat
3016 ??         0:03.55 /var/containers/Bundle/Application/A687AEA0-AB28-497F-9E82-3E6798488BA3/WeChat.app/WeChat

and its sandbox directory

cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)
@["/var/mobile/Containers/Data/Application/4E79AA5B-60DE-4653-B87D-064F17B49E93/Documents"]

Start dumping

Copy the .dylib you just built into the Documents directory of the sandbox

liaogangdeMac-mini:dumpdecrypted liaogang$ scp -P  2222   dumpdecrypted.dylib      root@localhost:/var/containers/Bundle/Application/A687AEA0-AB28-497F-9E82-3E6798488BA3/WeChat.app/Documents
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
dumpdecrypted.dylib                                                                  100%  193KB   4.7MB/s   00:00   

Change into that Documents directory and run the following command:

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/3DC16044-E5BB-4038-9E31-CFE3C7134A7B/WeChat.app/WeChat

If you see: This mach-o file is not encrypted. Nothing was decrypted. the binary carries no encryption layer, so there is nothing to dump.
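That message is dumpdecrypted's answer to one question: does the Mach-O carry an LC_ENCRYPTION_INFO(_64) load command with cryptid set to a non-zero value? The following added example (my own code, not part of this post or of the dumpdecrypted project) walks the load commands of a thin 64-bit or 32-bit Mach-O and reports that state, so you can check a binary before bothering with the dump step; the sample header it parses is constructed inline and is not a real app.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # thin 64-bit Mach-O, little-endian
MH_MAGIC = 0xFEEDFACE              # thin 32-bit Mach-O, little-endian
LC_ENCRYPTION_INFO = 0x21          # 32-bit form: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C       # 64-bit form: same fields plus 4 bytes of pad


def encryption_state(macho: bytes):
    """Return (cryptoff, cryptsize, cryptid) from the first LC_ENCRYPTION_INFO
    or LC_ENCRYPTION_INFO_64 command, or None if the binary has no such command.
    cryptid == 0 means the App Store encryption layer is absent."""
    magic = struct.unpack_from("<I", macho, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O (fat binaries not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", macho, 16)   # same offset in both headers
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or end > len(macho):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", macho, off + 8)
        off += cmdsize
    return None


def is_encrypted(macho: bytes) -> bool:
    """True only when an encryption command exists and its cryptid is non-zero."""
    info = encryption_state(macho)
    return info is not None and info[2] != 0


def build_sample(cryptid: int, with_lc: bool = True) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header (not a real app) for testing."""
    lc = b""
    if with_lc:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         1 if with_lc else 0, len(lc), 0, 0)
    return header + lc


if __name__ == "__main__":
    print(encryption_state(build_sample(1)), is_encrypted(build_sample(0)))
```

Point it at a real binary with `encryption_state(open(path, "rb").read())`; a universal (fat) file must first be split into thin slices, which this example does not do.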

Installing the ipa

Install it with Cydia Impactor or with a MonkeyDev app template

Workaround for dumpdecrypted being killed with signal 9 (kill 9) on 9.3.3 (from a GitHub issue)

1. Copy dumpdecrypted.dylib into /usr/lib. Make sure it has appropriate permissions so that user mobile can read and execute it:

-rwxr-xr-x 1 root wheel 197528 Aug 14 16:22 dumpdecrypted.dylib

2. Change user to mobile:

su mobile

3. Change directory to somewhere that mobile can write to:

cd /var/mobile/Documents

4. Execute the command with absolute paths:

DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/59CEB222-4C4D-4A34-BC0F-8D38B9E3853D/MyApp.app/MyApp

5. Then you'll have the MyApp.decrypted file in the current directory.

Tested on Pangu jailbroken iOS 9.3.3