Dumpdecripted砸壳出来的文件仍然是加密文件!?求解~~

按步骤砸壳微信,但是砸出来仍然是加密文件,这是怎么回事呢?

1)Dumpdecripted:

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100070ca8(from 0x100070000) = ca8
[+] Found encrypted data at address 00004000 of length 39927808 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/F0F17FE3-D0B7-4932-A710-1F52FD98DDD6/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 44236800 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 2a30ca8
[+] Closing original file
[+] Closing dump file

  1. class-dump文件:

bogon:headers peter$ class-dump --arch armv7 WeChat.decrypted
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#pragma mark -

//
// File: WeChat.decrypted
// UUID: 0161FE2E-E495-3099-9704-2BA3CE0BE7A3
//
// Arch: armv7
// Source version: 0.0.0.0.0
// Minimum iOS version: 7.0.0
// SDK version: 9.1.0
//
// Objective-C Garbage Collection: Unsupported
//
// Run path: @executable_path/Frameworks
// = /Frameworks
// Run path: @loader_path/Frameworks
// = /Frameworks
// Run path: @executable_path/Frameworks
// = /Frameworks
// This file is encrypted:
// cryptid: 0x00000001
// cryptoff: 0x00004000
// cryptsize: 0x02394000
//

不好意思,知道原因了,设备是arm64的!(⊙﹏⊙)b

1 个赞

lipo瘦身就完了啊

1 个赞

我用下这条命令。。多谢~~

怎么lipo瘦身啊

补充下 我砸出来的壳,arm7是解密的了 arm64是加密的 然后重签名不上
otool -l WeChat |grep crypt
cryptoff 16384
cryptsize 46137344
cryptid 0
cryptoff 16384
cryptsize 49610752
cryptid 1

Google.com

[+] detected 64bit ARM binary in memory.
[-] This mach-o file is not encrypted. Nothing was decrypted.

发现说文件没有加密,iOS 9.1 系统,什么情况?