I decrypted (dumped) WeChat following the steps, but the dumped file is still encrypted. What is going on?
1) dumpdecrypted:
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100070ca8(from 0x100070000) = ca8
[+] Found encrypted data at address 00004000 of length 39927808 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/F0F17FE3-D0B7-4932-A710-1F52FD98DDD6/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 44236800 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 2a30ca8
[+] Closing original file
[+] Closing dump file
- class-dump on the file:
bogon:headers peter$ class-dump --arch armv7 WeChat.decrypted
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#pragma mark -
//
// File: WeChat.decrypted
// UUID: 0161FE2E-E495-3099-9704-2BA3CE0BE7A3
//
// Arch: armv7
// Source version: 0.0.0.0.0
// Minimum iOS version: 7.0.0
// SDK version: 9.1.0
//
// Objective-C Garbage Collection: Unsupported
//
// Run path: @executable_path/Frameworks
// = /Frameworks
// Run path: @loader_path/Frameworks
// = /Frameworks
// Run path: @executable_path/Frameworks
// = /Frameworks
// This file is encrypted:
// cryptid: 0x00000001
// cryptoff: 0x00004000
// cryptsize: 0x02394000
//
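Added example, not part of the original post and not code from dumpdecrypted or class-dump: the log above reports a 64bit ARM binary inside a FAT image, while class-dump was run with `--arch armv7`, so this sketch reads `cryptid` from the encryption-info load command of every slice in a FAT Mach-O. The function names are hypothetical and the FAT image is constructed sample data built inline.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat header fields are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {12: "armv7", 0x0100000C: "arm64"}

def thin_cryptid(data, base=0):
    """Return (arch, cryptid) for the slice at `base`; cryptid is None without an encryption-info command."""
    magic, cputype, _, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    off = base + (32 if magic == MH_MAGIC_64 else 28)   # size of mach_header(_64)
    cryptid = None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # fields after cmd/cmdsize: cryptoff, cryptsize, cryptid
            cryptid = struct.unpack_from("<3I", data, off + 8)[2]
        off += cmdsize
    return CPU_NAMES.get(cputype, hex(cputype)), cryptid

def slice_cryptids(data):
    """Map each architecture in a thin or FAT Mach-O to its cryptid."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return dict([thin_cryptid(data)])
    nfat = struct.unpack_from(">I", data, 4)[0]
    offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    return dict(thin_cryptid(data, off) for off in offsets)

def make_slice(cputype, is64, cryptid):
    """Constructed slice: a Mach-O header plus a single encryption-info command."""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     24 if is64 else 20, 0x4000, 0x1000, cryptid) + (b"\0" * 4 if is64 else b"")
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 1, len(lc), 0)
    return hdr + (b"\0" * 4 if is64 else b"") + lc

def sample_fat():
    """Constructed FAT image: armv7 slice with cryptid 1, arm64 slice with cryptid 0."""
    a, b = make_slice(12, False, 1), make_slice(0x0100000C, True, 0)
    off_a, off_b = 64, 128
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 12, 9, off_a, len(a), 0) + struct.pack(">5I", 0x0100000C, 0, off_b, len(b), 0)
    return fat.ljust(off_a, b"\0") + a.ljust(off_b - off_a, b"\0") + b

if __name__ == "__main__":
    for arch, cid in slice_cryptids(sample_fat()).items():
        print(arch, "encrypted" if cid else "not encrypted", f"(cryptid={cid})")
```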