第一步:连接SSH
打开终端在终端输入:
python tcprelay.py 22:2222
Forwarding local port 2222 to remote port 22
Incoming connection to 2222
Waiting for devices...
Connecting to device <MuxDevice: ID 1 ProdID 0x12a8 Serial '57fe8578a65bc8faee5babd864b0bd3c2505aead' Location 0x14600000>
Connection established, relaying data
新建终端窗口
输入登录密码即可连接成功,初始密码为alpine
ssh root@localhost -p 2222
第二部:砸壳
关闭所有app,打开你要砸壳的app
输入ps -e
/var/mobile/Containers/Bundle/Application/38132536-3CA4-4136-AC87-D127C52B4472/xxx.app/xxx
cycript -p xxx
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/E74320E5-AF33-4FDE-A14E-284E8F0225CA/Documents/"
拷贝dumpdecrypted.dylib到获取的Documents路径 (iFunbox 或 scp)
开始砸壳:
cd /var/mobile/Containers/Data/Application/E74320E5-AF33-4FDE-A14E-284E8F0225CA/Documents
输入
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/38132536-3CA4-4136-AC87-D127C52B4472/xxx.app/xxx
成功后再路径下会生成一个xxx.decrypted
导出xxx.decrypted 使用class-dump 导出.h 文件(注:arm64 根据设备类型选择)
class-dump -s -S -H --arch arm64 Aweme.decrypted -o /Users/Alan/Desktop/head
附:
armv6设备:iPhone,iPhone2,iPhone3G
armv7设备:iPhone3GS,iPhone4,iPhone4S
armv7s设备:iPhone5,iPhone5C
arm64设备:iPhone5S,iPhone6,iPhone6S
