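Method 1: Download an already-decrypted App through a third-party assistant tool
Method 2: Decrypt on the iPhone with the CrackerXI tweak (iOS 11 to iOS 12)
Method 3: Decrypt with dumpdecrypted, built on a Mac (below iOS 12?)
This article mainly records the dumpdecrypted decryption process.
Download the source from GitHub: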
https://codeload.github.com/stefanesser/dumpdecrypted/zip/master
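Build dumpdecrypted.dylib by running make in the source directory:
make
Upload dumpdecrypted.dylib to the iPhone; any directory will do.
(1) Change into the directory that contains dumpdecrypted.dylib
(2) Decrypt the App; the path is the path of the App's process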
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/CBAA7471-BFD0-445B-AF2B-B80533AB5051/Shadowrocket.app/Shadowrocket
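When decryption finishes, a .decrypted file is generated in the directory that contains dumpdecrypted.dylib; this is the decrypted App.
Note: the App process path can be obtained with the command ps -e | grep /var/containers, which lists the paths of all running Apps under /var/containers.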
iPhoneSE:~ root# ps -e | grep /var/containers
2768 ?? 0:00.16 /private/var/containers/Bundle/Application/E3376938-FB58-483C-91E8-AD201161B420/MobileMail.app/PlugIns/MailCacheDeleteExtension.appex/MailCacheDeleteExtension
6878 ?? 0:04.41 /private/var/containers/Bundle/Application/CBAA7471-BFD0-445B-AF2B-B80533AB5051/Shadowrocket.app/PlugIns/PacketTunnel.appex/PacketTunnel
7258 ?? 0:00.94 /var/containers/Bundle/Application/CBAA7471-BFD0-445B-AF2B-B80533AB5051/Shadowrocket.app/Shadowrocket
7270 ?? 0:20.43 /var/containers/Bundle/Application/53A3F198-E219-4A71-8464-AEB55684BB83/WeChat.app/WeChat
7310 ttys000 0:00.01 grep /var/containers
[1]+ Stopped ps -e | grep /var/containers
[1]+ Done ps -e | grep /var/containers
iPhoneSE:~ root#
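Before handing the .decrypted file to other tools, it is worth confirming that its Mach-O header no longer marks the binary as encrypted. The following is an added example, not part of the original post or of dumpdecrypted: it reads the cryptid field of each LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command, where 0 means not encrypted. The function names are hypothetical and the sample header is constructed for illustration.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def _slice_info(data, base):
    """(cryptoff, cryptsize, cryptid) for each encryption command in one slice."""
    if len(data) < base + 28:
        raise ValueError("truncated Mach-O header")
    magic, _, _, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    offset = base + (32 if magic == MH_MAGIC_64 else 28)  # mach_header size
    found = []
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("load command runs past end of file")
        cmd, cmdsize = struct.unpack_from("<2I", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError("corrupt load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cmdsize >= 20:
            found.append(struct.unpack_from("<3I", data, offset + 8))
        offset += cmdsize
    return found

def encryption_info(data):
    """Walk a thin Mach-O, or every slice of a fat (universal) file."""
    if len(data) >= 8 and struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        info = []
        for i in range(nfat):  # fat_arch is 20 bytes, slice offset at +8
            (slice_off,) = struct.unpack_from(">I", data, 8 + 20 * i + 8)
            info += _slice_info(data, slice_off)
        return info
    return _slice_info(data, 0)

def is_still_encrypted(data):
    """True if any slice still carries a non-zero cryptid."""
    return any(cryptid != 0 for _, _, cryptid in encryption_info(data))

def build_sample(cryptid):
    """Constructed arm64 header with one LC_ENCRYPTION_INFO_64 (not a real app)."""
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    return header + struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0)
    print("still encrypted" if is_still_encrypted(blob) else "cryptid is 0 in every slice")
```

Run it with the path to the .decrypted file as its only argument; with no argument it checks the constructed sample.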
class-dump --arch arm64 <decrypted .app folder or .decrypted file> -H -o <directory to save the exported headers>