How to decrypt the frameworks inside an unpacked IPA

1. Download an IPA.
2. It contains a Frameworks directory with two frameworks. How do I decrypt and re-sign these two frameworks??

As I recall, Clutch will decrypt them for you.

With the dumpdecrypted approach, only one file ends up being produced.


JailBreak-5s:/usr/bin root# Clutch-2.0.4 -d 4
Zipping inke.app
Swapping architectures…
Swapping architectures…
Swapping architectures…
Swapping architectures…
Swapping architectures…
Swapping architectures…
ASLR slide: 0xbc000
Dumping (armv7)
Patched cryptid (32bit segment)
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!?

Error: Failed to dump with arch armv7

2017-08-04 15:00:29.257 Clutch-2.0.4[13278:3522383] failed operation :frowning:
2017-08-04 15:00:29.271 Clutch-2.0.4[13278:3522383] application <NSOperationQueue: 0x10034a3f0>{name = ‘NSOperationQueue 0x10034a3f0’}
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump with arch arm64

2017-08-04 15:00:29.316 Clutch-2.0.4[13278:3522383] failed operation :frowning:
2017-08-04 15:00:29.316 Clutch-2.0.4[13278:3522383] application <NSOperationQueue: 0x10034a3f0>{name = ‘NSOperationQueue 0x10034a3f0’}
Error: Failed to dump

2017-08-04 15:00:29.317 Clutch-2.0.4[13278:3522383] failed operation :frowning:
2017-08-04 15:00:29.317 Clutch-2.0.4[13278:3522383] application <NSOperationQueue: 0x10034a3f0>{name = ‘NSOperationQueue 0x10034a3f0’}
ASLR slide: 0xa4000
Dumping (armv7)
Patched cryptid (32bit segment)
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!?

Error: Failed to dump with arch armv7

2017-08-04 15:00:30.306 Clutch-2.0.4[13278:3522380] failed operation :frowning:
2017-08-04 15:00:30.306 Clutch-2.0.4[13278:3522380] application <NSOperationQueue: 0x100350d10>{name = ‘NSOperationQueue 0x100350d10’}
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump with arch arm64

2017-08-04 15:00:30.322 Clutch-2.0.4[13278:3522380] failed operation :frowning:
2017-08-04 15:00:30.323 Clutch-2.0.4[13278:3522380] application <NSOperationQueue: 0x100350d10>{name = ‘NSOperationQueue 0x100350d10’}
Error: Failed to dump

2017-08-04 15:00:30.323 Clutch-2.0.4[13278:3522380] failed operation :frowning:
2017-08-04 15:00:30.324 Clutch-2.0.4[13278:3522380] application <NSOperationQueue: 0x100350d10>{name = ‘NSOperationQueue 0x100350d10’}
Writing new checksum
ASLR slide: 0x10004c000
Dumping (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ASLR slide: 0x10007c000
Dumping (arm64)
Patched cryptid (64bit segment)
Dumping <PI_iLiveBase> armv7
Successfully dumped framework PI_iLiveBase_armv7!
Dumping armv7
Dumping <PI_iLiveBase> arm64
Successfully dumped framework PSLStreaming_armv7!
Successfully dumped framework PI_iLiveBase!
Child exited with status 0
Dumping arm64
Writing new checksum
Swapping architectures…
Successfully dumped framework PSLStreaming!
Child exited with status 0
Writing new checksum
ASLR slide: 0xf4000
Dumping (armv7)
Patched cryptid (32bit segment)
Writing new checksum
ASLR slide: 0x10001c000
Dumping (arm64)
Patched cryptid (64bit segment)
Zipping PI_iLiveBase.framework
Zipping PSLStreaming.framework
Zipping InkeBroadcastExtension.appex
Zipping InkeBroadcastExtensionUI.appex
Zipping InkeNotificationContentExtension.appex
Zipping InkeNotificationServiceExtension.appex
Writing new checksum
FAILED:
Finished dumping com.meelive.ingkee in 51.4 seconds

Did you sign the entitlements? Check with ldid -e

If you insist on using dd (dumpdecrypted), you'd have to register a dyld callback for dumpdecrypted; I don't think even the re-signing gurus would manage that.
Pfft.

Let me describe it:
I need to add a dyld into the inke app, then re-sign it and install it on a non-jailbroken device.

1. Download the inke IPA in iTunes, copy it to the jailbroken device, and install it with ipa install.
2. Decrypt it on the jailbroken phone. This is where I'm stuck right now. I used the Clutch tool to decrypt it and it failed; I haven't signed anything yet.

add dyld into the app
What I meant by entitlements is Clutch itself.
Also, the app has to run normally on the device before you can decrypt it.

JailBreak-5s:/usr/bin root# ldid -e Clutch-2.0.4

<?xml version="1.0" encoding="UTF-8"?> get-task-allow task_for_pid-allow com.apple.backboardd.debugapplications com.apple.springboard.debugapplications run-unsigned-code com.apple.private.librarian.can-get-application-info com.apple.private.mobileinstall.allowedSPI Lookup CopyInstalledAppsForLaunchServices
JailBreak-5s:/usr/bin root#

The attributes look normal, and the app that needs decrypting runs fine on the jailbroken phone.

Right, Clutch itself looks fine. Does the app itself launch normally?

The app itself launches normally, and Clutch-2.0.4 works fine on other apps and decrypts them normally; it just doesn't work on this inke app.

Give me the App Store link and I'll take a look.

The dyld callback method is to register a dyld callback, wait until that framework gets loaded, dump its TEXT, and then patch it into the original binary.

I'm just getting started with this stuff and there's a lot I don't know, so I'd rather start with the basic methods.

dumpdecrypted only supports the main binary. Clutch won't run on your setup. I'll take a look tonight.
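As an added example, not code from this thread or from Clutch/dumpdecrypted, here is a small Python check of whether each architecture slice of a Mach-O (main binary or framework) still carries an encrypted LC_ENCRYPTION_INFO: the "Patched cryptid" lines in the log above are Clutch clearing exactly this field, and a TEXT dump patched back into the original binary is only usable once cryptid reads 0 in every slice. The fixtures produced by build_thin/build_fat are constructed for the demonstration, not real app binaries.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {12: "armv7", 0x0100000C: "arm64"}  # CPU_TYPE_ARM, CPU_TYPE_ARM64

def thin_cryptids(blob, base=0):
    # cryptid of every LC_ENCRYPTION_INFO(_64) in the thin, little-endian image at `base`
    magic, = struct.unpack_from("<I", blob, base)
    hdr_size = {MH_MAGIC_64: 32, MH_MAGIC: 28}.get(magic)
    if hdr_size is None:
        raise ValueError("no thin Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    off, end, ids = base + hdr_size, base + hdr_size + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            ids.append(struct.unpack_from("<III", blob, off + 8)[2])  # cryptoff, cryptsize, cryptid
        off += cmdsize
    return ids

def encryption_state(blob):
    # per-architecture verdict for a thin or fat Mach-O (the log above dumps armv7 and arm64 slices)
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:  # fat header is big-endian
        n = struct.unpack_from(">I", blob, 4)[0]
        slices = [struct.unpack_from(">IIIII", blob, 8 + 20 * i)[0:3:2] for i in range(n)]
    else:
        slices = [(struct.unpack_from("<I", blob, 4)[0], 0)]
    verdict = {}
    for cputype, offset in slices:
        ids = thin_cryptids(blob, offset)
        state = "no-encryption-info" if not ids else ("encrypted" if any(ids) else "decrypted")
        verdict[CPU_NAMES.get(cputype, hex(cputype))] = state
    return verdict

def build_thin(is64, cryptid):  # constructed fixture, not a real app binary
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<7I", MH_MAGIC, 12, 0, 2, 1, len(lc), 0) + lc

def build_fat(slices):  # constructed fixture: fat wrapper around (cputype, thin image) pairs
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for cputype, img in slices:
        archs += struct.pack(">IIIII", cputype, 0, off, len(img), 0)
        body, off = body + img, off + len(img)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body
```

Run it against the dumped framework binaries (for example PI_iLiveBase.framework/PI_iLiveBase from the log) with open(path, "rb").read(); any slice still reporting "encrypted" was not actually decrypted, whatever the tool printed.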


Was this problem solved in the end? I've run into it too...

bagbak can decrypt Frameworks and PlugIns.

With crackerXi, what you get after decrypting is directly an IPA file.