1、GitHub下载最新版,https://github.com/KJCracks/Clutch/releases
2、把下载的Clutch放到越狱的手机的/usr/bin目录下
3、ssh连接iphone
wifi:~ clf$ ssh root@192.168.2.2
4、进入目录
iPhone:~ root# cd /usr/bin
5、输入Clutch
iPhone:/usr/bin root# Clutch-2.0.4
sh: /usr/bin/Clutch-2.0.4: Permission denied
这里是因为没有赋予Clutch可执行权限
iPhone:/usr/bin root# chmod +x Clutch-2.0.4
iPhone:/usr/bin root# Clutch-2.0.4
Usage: Clutch-2.0.4 [OPTIONS]
-b --binary-dump <value> Only dump binary files from specified bundleID
-d --dump <value> Dump specified bundleID into .ipa file
-i --print-installed Print installed applications
--clean Clean /var/tmp/clutch directory
--version Display version and exit
-? --help Display this help and exit
-n --no-color Print with colors disabled
可以看出这里是一些Clutch的命令使用,我们找到我们需要砸壳的App的bundleID,
iPhone:/usr/bin root# Clutch-2.0.4 -i
1: QQ <com.tencent.mqq>
2: ...
...
砸壳
iPhone:/usr/bin root# Clutch-2.0.4 -d cn.dxwt.Community10000
然后会告诉你砸壳之后的.ipa文件的路径
Zipping Community10000v6.app
...
DONE: /private/var/mobile/Documents/Dumped/cn.dxwt.Community10000-iOS10.0-(Clutch-2.0.4).ipa
Finished dumping cn.dxwt.Community10000 in 5.7 seconds
然后就大功告成了。
