Dumpdecrypted: dumping (砸壳) fails

Continuing the discussion from 用dumpdecrypted给App砸壳 (Dumping an App with dumpdecrypted):


The last step fails with the following output; the device is a jailbroken iPad on iOS 6.1.3.

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib "/var/mobile/Applications/2D07B2F4-B543-4488-BF5C-C81B26CF30AE/OPlayer Lite.app/OPlayer Lite"

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x4abc(from 0x4000) = abc
[+] Found encrypted data at address 00004000 of length 23592960 bytes - type 1.
[+] Opening /private/var/mobile/Applications/2D07B2F4-B543-4488-BF5C-C81B26CF30AE/OPlayer Lite.app/OPlayer Lite for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
dyld: lazy symbol binding failed: Symbol not found: ___strlcpy_chk
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib

dyld: Symbol not found: ___strlcpy_chk
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib

Trace/BPT trap: 5

Did you compile dumpdecrypted yourself?

According to this post, it looks like the Command Line Tools aren't installed?

I compiled it myself, following the tutorial.

It's just that I have two Xcodes installed locally.

Try it.

I've run into this problem too:

Cheng-teki-iPhone:~ root# cd /var/mobile/Applications/071B5AF9-8A0C-4B2C-A24B-B670A24F53DB/Documents

Cheng-teki-iPhone:/var/mobile/Applications/071B5AF9-8A0C-4B2C-A24B-B670A24F53DB/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/071B5AF9-8A0C-4B2C-A24B-B670A24F53DB/MY.app/MY

mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x4a78(from 0x4000) = a78
[+] Found encrypted data at address 00004000 of length 7749632 bytes - type 1.
[+] Opening /private/var/mobile/Applications/071B5AF9-8A0C-4B2C-A24B-B670A24F53DB/MY.app/MY for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
dyld: lazy symbol binding failed: Symbol not found: ___strlcpy_chk
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib

dyld: Symbol not found: ___strlcpy_chk
  Referenced from: dumpdecrypted.dylib
  Expected in: /usr/lib/libSystem.B.dylib

Trace/BPT trap: 5

I have two Xcodes installed, 6.3 and 5.0.2; xcode-select points at the 6.3 one. Newer versions of Xcode should ship the Command Line Tools already, right? (I also ran sudo xcode-select --install to reinstall the CLT.)

I re-ran make, copied dumpdecrypted.dylib into the Documents directory on iOS, ran the dump command, and still got the same output.

@iceiPhone, how did you solve this back then?

My phone is an iPhone 4 on iOS 6.1.3.

Many thanks! :pray:

Judging from this post and this post, it still looks like the Command Line Tools weren't installed properly. After installing them, reboot the system, recompile dumpdecrypted, and try dumping again?

I reinstalled the CLT and rebooted, and, as those two posts say, also added export PATH=$PATH:/usr/local/git/bin/ to .bash_profile.

Recompiled dumpdecrypted, copied it over, dumped -> still fails, same output.

I'm wondering whether it's related to what's said here:

Compile:

First adjust the Makefile if you have a different iOS SDK installed.

And then just: make

But I don't know how to change the SDK in the Makefile here:

GCC_BIN=`xcrun --sdk iphoneos --find gcc`
GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s -arch arm64
SDK=`xcrun --sdk iphoneos --show-sdk-path`

CFLAGS = 
GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

all: dumpdecrypted.dylib

dumpdecrypted.dylib: dumpdecrypted.o 
	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

%.o: %.c
	$(GCC_UNIVERSAL) -c -o $@ $< 

clean:
	rm -f *.o dumpdecrypted.dylib

That line is what selects the SDK. Run xcrun --sdk iphoneos --show-sdk-path and see what it prints.

Yes, it really was the SDK selection when compiling dumpdecrypted.

The output of SDK=`xcrun --sdk iphoneos --show-sdk-path`:

Cyan-MBP:dumpdecrypted Cyan$ xcrun --sdk iphoneos --show-sdk-path
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.3.sdk

I saw someone asking a similar question on GitHub, and a helpful person gave an answer.
I followed his instructions and the dump succeeded! Haha

  • Download Xcode 4.6 and copy the 6.1.x SDK out of it into the installed Xcode's SDK directory;
  • Modify the dumpdecrypted project's Makefile and .c file as the helpful person suggested, recompile dumpdecrypted.dylib, and it can then dump on an iOS 6.3 system

Thanks @snakeninny for pointing the way!

So dumpdecrypted compiled with the 8.3 SDK can no longer be used on iOS 6?

It seems so.

  • My Makefile:

    # Build against the iOS 6.1 SDK (copied out of Xcode 4.6); the backticks run xcrun at make time
    GCC_BIN=`xcrun --sdk iphoneos6.1 --find gcc`
    # iOS 6 devices are 32-bit only, so arm64 is dropped from the universal build
    GCC_UNIVERSAL=$(GCC_BASE) -arch armv7 -arch armv7s
    SDK=`xcrun --sdk iphoneos6.1 --show-sdk-path`

    CFLAGS =
    GCC_BASE = $(GCC_BIN) -Os $(CFLAGS) -Wimplicit -isysroot $(SDK) -F$(SDK)/System/Library/Frameworks -F$(SDK)/System/Library/PrivateFrameworks

    all: dumpdecrypted.dylib

    # recipe lines below must be indented with a tab, not spaces
    dumpdecrypted.dylib: dumpdecrypted.o
    	$(GCC_UNIVERSAL) -dynamiclib -o $@ $^

    %.o: %.c
    	$(GCC_UNIVERSAL) -c -o $@ $<

    clean:
    	rm -f *.o dumpdecrypted.dylib

  • dumpdecrypted.c

Change line 73 and remove || lc->cmd == LC_ENCRYPTION_INFO_64:

-               if (lc->cmd == LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64) {
+               if (lc->cmd == LC_ENCRYPTION_INFO) {
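Review bot: deleting the LC_ENCRYPTION_INFO_64 test gets the file past the iOS 6.1 SDK, whose mach-o/loader.h predates that constant, but it also means the resulting dylib will never recognise the encryption load command of a 64-bit image, so a dump of an arm64 binary would leave its cryptid untouched without any error. That is consistent with the Makefile above dropping -arch arm64 and is fine for an armv7 device on iOS 6, but the change should not be carried into builds against newer SDKs; a form that works for both is to keep the original condition and supply the missing definition under a guard, e.g. `#ifndef LC_ENCRYPTION_INFO_64` / `#define LC_ENCRYPTION_INFO_64 0x2C` / `#endif` near the top of the file.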
  • For Xcode 6.3 I downloaded the iOS 6.1 SDK and put it at

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk

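The two things this thread turns on are both load commands in the Mach-O header: dumpdecrypted locates LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) to find cryptoff/cryptsize/cryptid, which is what its "offset to cryptid found" and "Found encrypted data at address ... type 1" lines report, and the SDK you compile against determines the LC_VERSION_MIN_IPHONEOS stamped into dumpdecrypted.dylib. The script below is an added example, not code from the thread or from the dumpdecrypted project: it walks a thin or FAT image (picking the slice the way the "Correct arch is at offset 16384" step does), reports those commands, checks the declared minimum iOS against a device version, and can zero cryptid the way a finished .decrypted file looks. The images it runs on are constructed in build_sample/build_fat and are not real apps; the function names are this example's own. To use it for real, read the bytes of the .app binary, of dumpdecrypted.dylib, or of the .decrypted output and pass them to inspect().

```python
"""Inspect a Mach-O the way dumpdecrypted does: pick the arch slice of a FAT
file, find LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and its cryptid, and read
LC_VERSION_MIN_IPHONEOS.  Added example, not code from the thread or from the
dumpdecrypted project; the sample images below are constructed, not real apps."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, little-endian
FAT_MAGIC = 0xCAFEBABE                           # FAT header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_VERSION_MIN_IPHONEOS = 0x25
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C

def fat_slices(data):
    """[(cputype, offset, size)] per slice of a FAT image, [] for a thin one."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return []
    slices = []
    for i in range(struct.unpack_from(">I", data, 4)[0]):
        cputype, _sub, off, size, _al = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        slices.append((cputype, off, size))
    return slices

def inspect_thin(data, base=0):
    """Walk the load commands of the thin Mach-O that starts at `base`."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no Mach-O header at offset %#x" % base)
    is64 = magic == MH_MAGIC_64
    cputype, _sub, _ft, ncmds, _size = struct.unpack_from("<IIIII", data, base + 4)
    info = dict(is64=is64, cputype=cputype, slice_offset=base, cryptid=None,
                cryptoff=None, cryptsize=None, cryptid_offset=None, min_ios=None)
    off = base + (32 if is64 else 28)      # mach_header_64 has a reserved field
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            # cryptid is 16 bytes into the command; dumpdecrypted prints this
            # distance from the image start ("@0x4abc(from 0x4000) = abc")
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_offset=off + 16 - base)
        elif cmd == LC_VERSION_MIN_IPHONEOS:
            v = struct.unpack_from("<I", data, off + 8)[0]   # packed xxxx.yy.zz
            info["min_ios"] = "%d.%d.%d" % (v >> 16, (v >> 8) & 0xFF, v & 0xFF)
        off += cmdsize
    return info

def inspect(data):
    """One info dict per architecture (FAT) or a single-element list (thin)."""
    slices = fat_slices(data)
    if not slices:
        return [inspect_thin(data)]
    return [inspect_thin(data, off) for _cpu, off, _size in slices]

def runs_on(info, device_ios):
    """False when the image declares a minimum iOS newer than the device."""
    def vt(s):
        return tuple(int(x) for x in s.split("."))
    return info["min_ios"] is None or vt(info["min_ios"]) <= vt(device_ios)

def clear_cryptid(data, info):
    """Copy with cryptid zeroed, which is how a finished .decrypted file reads."""
    out = bytearray(data)
    struct.pack_into("<I", out, info["slice_offset"] + info["cryptid_offset"], 0)
    return bytes(out)

def build_sample(is64=False, cryptid=1, min_ios=(6, 1, 3), cryptsize=0x1000):
    """Constructed minimal image carrying only the two load commands of interest."""
    if is64:   # encryption_info_command_64 has an extra pad field
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, cryptsize, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, 24 + 16, 0, 0)
    else:
        enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, cryptsize, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 2, 20 + 16, 0)
    packed = (min_ios[0] << 16) | (min_ios[1] << 8) | min_ios[2]
    ver = struct.pack("<IIII", LC_VERSION_MIN_IPHONEOS, 16, packed, packed)
    return hdr + enc + ver

def build_fat(images, align=0x4000):
    """FAT wrapper with slices on 16 KiB boundaries (hence the thread's
    'Correct arch is at offset 16384')."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(images)))
    offsets = [align * (i + 1) for i in range(len(images))]
    for img, off in zip(images, offsets):
        cputype, cpusub = struct.unpack_from("<II", img, 4)
        out += struct.pack(">IIIII", cputype, cpusub, off, len(img), 14)
    for img, off in zip(images, offsets):
        assert len(out) <= off, "sample images must fit inside one slice"
        out += b"\0" * (off - len(out)) + img
    return bytes(out)

if __name__ == "__main__":
    fat = build_fat([build_sample(), build_sample(is64=True, min_ios=(7, 0, 0))])
    for i in inspect(fat):
        print("slice %#x 64bit=%s cryptid=%s @%#x min iOS %s ok on 6.1.3: %s" % (
            i["slice_offset"], i["is64"], i["cryptid"], i["cryptid_offset"],
            i["min_ios"], runs_on(i, "6.1.3")))
```

Two quick checks on the Mac complement this for the symptom in the thread: `otool -l dumpdecrypted.dylib | grep -A2 LC_VERSION_MIN_IPHONEOS` shows which iOS the dylib was built for, and `nm -u dumpdecrypted.dylib` lists the symbols it expects libSystem to provide; a `___strlcpy_chk` entry there is the fortified variant that the 8.3 SDK headers substitute for strlcpy and that iOS 6's libSystem does not export, which is exactly what dyld complained about above. After a successful dump, `inspect()` over the .decrypted file should report cryptid 0 for the dumped slice.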

The quote fails here; below it shows sed: -e expression #1, char 173: expected newer version of sed
unable to find process; sometimes it just goes straight in and shows nothing at all. What's going on? Please advise.

dyld: warning, LC_RPATH @executable_path/Frameworks in /var/mobile/Containers/Bundle/Application/2A188B6F-A523-471D-A5ED-815948FC7BC3/QunariPhone_Cook_CM.app/QunariPhone_Cook_CM being ignored in restricted program because of @executable_path
objc[1840]: Class IMMessage is implemented in both /System/Library/PrivateFrameworks/IMCore.framework/IMCore and /var/mobile/Containers/Bundle/Application/2A188B6F-A523-471D-A5ED-815948FC7BC3/QunariPhone_Cook_CM.app/QunariPhone_Cook_CM. One of the two will be used. Which one is undefined.
(the same LC_RPATH warning repeated ten more times)
Abort trap: 6

What is this problem?

Try keeping the app you want to debug in the foreground (visible on screen).

If I want to write a red-packet-grabbing tweak for WeChat, do I need to know WeChat's bundle ID? In 'project'.plist -> bundles, replace the key's value with WeChat's Bundle ID?

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x10003cca8(from 0x10003c000) = ca8
[+] Found encrypted data at address 00004000 of length 42401792 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/6145824D-22DD-429C-BA48-05BC0DE6AE1D/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 46678016 in the file
[+] Opening WeChat.decrypted for writing.
[-] Failed opening: Operation not permitted

Post your complete steps so we can see; it looks like you ran the dump from a directory that isn't writable.