Ios App破解之路二 JJ斗地主

前提条件:

越狱手机里, 安装了 <JJ斗地主>

使用砸壳工具clutch

下载地址: https://github.com/KJCracks/Clutch/releases

dzq:~/data root# Clutch -i | grep JJ
57:  JJ斗地主-欢乐棋牌休闲合集 <cn.jj.TKLobby>

[1]+  Stopped                 Clutch -i | grep JJ
[1]+  Done                    Clutch -i | grep JJ
dzq:~/data root# Clutch -d 57
Zipping JJ斗地主.app
Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

Error: Failed to dump <RNCAsyncStorage> with arch arm64

2020-04-26 12:04:51.272 Clutch[4652:115450] failed operation :(
2020-04-26 12:04:51.272 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
Error: Failed to dump <RNCAsyncStorage>

2020-04-26 12:04:51.273 Clutch[4652:115450] failed operation :(
2020-04-26 12:04:51.273 Clutch[4652:115450] application <NSOperationQueue: 0x102077830>{name = 'NSOperationQueue 0x102077830'}
Error: Failed to dump <react_native_image_picker> with arch arm64

2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
Error: Failed to dump <react_native_image_picker>

2020-04-26 12:04:51.274 Clutch[4652:115443] failed operation :(
2020-04-26 12:04:51.274 Clutch[4652:115443] application <NSOperationQueue: 0x10212dcb0>{name = 'NSOperationQueue 0x10212dcb0'}
Error: posix_spawn: No such file or directory (Error 2)

Error: Failed to dump <react_native_view_shot> with arch arm64

2020-04-26 12:04:51.275 Clutch[4652:115435] failed operation :(
2020-04-26 12:04:51.275 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
Error: Failed to dump <react_native_view_shot>

2020-04-26 12:04:51.276 Clutch[4652:115435] failed operation :(
2020-04-26 12:04:51.276 Clutch[4652:115435] application <NSOperationQueue: 0x1021240c0>{name = 'NSOperationQueue 0x1021240c0'}
Error: Failed to dump <react_native_sqlite_storage> with arch arm64

Error: posix_spawn: No such file or directory (Error 2)

Error: posix_spawn: No such file or directory (Error 2)

很遗憾, 使用Clutch工具砸壳失败

使用砸壳工具dumpdecrypted

下载:git clone https://github.com/stefanesser/dumpdecrypted.git

网上其他的教程都是直接把源码下载下来后,直接make,  然后生成了一个: dumpdecrypted.dylib 文件, 然后兴致勃勃scp到刚越狱的手机上, 开始砸壳

我按照这个做了, 碰到了两个问题:

1,  签名问题

2, libSystem.B.dylib 不匹配, 导致运行失败   报什么 __check_ 的什么玩意

解决办法:

1,  下载iPhoneOS12.4.sdk

　　下载源: https://github.com/xybp888/iOS-SDKs

　　下载具体版本的SDK: svn checkout https://github.com/xybp888/iOS-SDKs/trunk/iPhoneOS12.4.sdk

　　

　　为什么下载这个版本?

　　因为本人的手机系统版本是12.4.5, 仅此而已

　　

2, 修改makefile文件　　

GCC_BIN=`xcrun --sdk iphoneos --find gcc`
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
SDK=iPhoneOS12.4.sdk

CFLAGS =
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $< 

clean:
	rm -f *.o dumpdecrypted.dylib

然后重新执行make, 会生成 dumpdecrypted.dylib 文件

3, 对其进行签名

brew install ldid
ldid -S dumpdecrypted.dylib

4, 签名后, 将其拷贝到越狱手机上

scp dumpdecrypted.dylib root@myiphone:/var/root/data

提示:

　　本人设置了ssh免密登录,

　　本人修改了/etc/hosts文件.  新增myiphone域名解析.  对iPhone进行映射

　　本人在苹果手机的root用户下新建了data目录.   以后传文件,或者拿破解文件 直接 ~/data/文件名

　　本人设置了iphone ssh支持中文,   登录ssh

echo "export LC_ALL='en_US.UTF-8'" > ~/.profile

正式开始砸壳

1, 拿到 JJ斗地主 可执行路径.

　先在手机上运行JJ斗地主, 然后　

dzq:~/data root# ps -e | grep JJ
 4830 ??         0:05.17 /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主
 4832 ttys000    0:00.03 grep JJ

2,  cd 到 data目录

cd ~/data
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主

3, 稍等片刻后,

dzq:~/data root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x101084cf8(from 0x101084000) = cf8
[+] Found encrypted data at address 00004000 of length 13336576 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15/JJ斗地主.app/JJ斗地主 for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening JJ斗地主.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
dzq:~/data root# ll
-sh: ll: command not found
dzq:~/data root# ls
JJ斗地主.decrypted  dumpdecrypted.dylib*

非常好, 拿到了砸壳后的文件《JJ斗地主.decrypted》 ,  之后就可以用反编译工具,分析一波了.

使用砸壳工具CrakerXI+

安装CrakerXI+:

打开cydia软件, 软件源, 右上角的编辑按钮,左上角的添加按钮,  输入: http://cydia.iphonecake.com,  然后完成

点击搜索CrakerXI+安装.

打开软件, 设置选项卡里, 全部选择, 然后随便砸壳了,  我个人选择 选择 Full ipa

不全部选择会有坑: 每次打开被砸壳的软件都会重新砸壳. 把人搞吐血.

砸壳之后存放的目录: /var/mobile/Documents/CrackerXI/

总结:

从appstore下载安装后的目录:

应用程序安装目录:/private/var/containers/Bundle/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

某个应用程序的可写目录:

/var/mobile/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

/var/root/Containers/Data/Application/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX/

用的哪个目录取决于那个应用 是使用什么权限来运行的.

具体确定输出目录:

dzq:/var/containers/Bundle/Application/742F31B2-EC2E-4FE3-842B-95DD145D1B15 root# cycript -p JJ斗地主
cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
@["/var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents"]
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
@[#"file:///var/mobile/Containers/Data/Application/00B2D6E5-E2A1-48FF-8743-55E34AA7B700/Documents/"]

有两种方式: 随便用哪种都可以,  然后ctrl + D. 结束 cy