An app beyond my technical understanding: an iOS app that runs another IPA inside itself.

It can allocate executable memory; it's just that on a non-jailbroken device an app that isn't being debugged can't execute memory that is unsigned or fails signature verification (except via JIT).

Turn the inner app's main binary into a library, hang it onto the outer app, then merge all the resources together. It's a grey-market technique, mostly used to get past review.

An interpreter. Interpreter.

It failed to launch; launching it a few more times made it work. It also feels like an interpreter. During launch there is a file-generation step; looking at the files, every Mach-O and dynamic library corresponds to a vmx file, so it probably executes that file virtually.

1 like

You can take a look at app2dylib.

That's not very realistic. Even after converting the main binary into a dylib, it still depends on other libraries, and there are so many resource files; the amount you'd have to change is far too much work.

I looked at it; it's just a pe/dyld loader that redirects a few key things such as resource file paths.
```
(lldb) bt
* thread #23, name = ' *155213', stop reason = breakpoint 19.1
  * frame #0: 0x0000000104f10a1c KeePass`___lldb_unnamed_symbol12851$$KeePass
    frame #1: 0x0000000133a5da70
    frame #2: 0x000000010c86f92c KeePass
    frame #3: 0x000000010c8670a8 KeePass
    frame #4: 0x000000010c866b3c KeePass
    frame #5: 0x000000010c86b714 KeePass
    frame #6: 0x0000000104e0ce58 KeePass`___lldb_unnamed_symbol7683$$KeePass + 36
    frame #7: 0x0000000104e0b53c KeePass`___lldb_unnamed_symbol7641$$KeePass + 212
    frame #8: 0x0000000104e0b68c KeePass`___lldb_unnamed_symbol7644$$KeePass + 36
    frame #9: 0x000000010c818c90 KeePass
    frame #10: 0x000000010c875d08 KeePass
    frame #11: 0x00000001a2be1d8c libsystem_pthread.dylib`_pthread_start + 156
```
```
(lldb) mem region 0x000000010c86f92c
[0x0000000105320000-0x0000000111cac000) rw- __DATA
(lldb) mem read 0x0000000105320000 -c 0x100
0x105320000: cf fa ed fe 0c 00 00 01 00 00 00 00 02 00 00 00  …
0x105320010: 7e 00 00 00 b0 32 00 00 85 00 a1 04 00 00 00 00  ~…2…
0x105320020: 19 00 00 00 48 00 00 00 5f 5f 50 41 47 45 5a 45  …H…__PAGEZE
0x105320030: 52 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00  RO…
0x105320040: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  …
0x105320050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  …
0x105320060: 00 00 00 00 00 00 00 00 19 00 00 00 28 07 00 00  …(…
0x105320070: 5f 5f 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT…
0x105320080: 00 00 00 00 01 00 00 00 00 c0 98 0c 00 00 00 00  …
0x105320090: 00 00 00 00 00 00 00 00 00 c0 98 0c 00 00 00 00  …
0x1053200a0: 05 00 00 00 05 00 00 00 16 00 00 00 00 00 00 00  …
0x1053200b0: 5f 5f 74 65 78 74 00 00 00 00 00 00 00 00 00 00  __text…
0x1053200c0: 5f 5f 54 45 58 54 00 00 00 00 00 00 00 00 00 00  __TEXT…
0x1053200d0: 00 40 00 00 01 00 00 00 6c 7c b5 0a 00 00 00 00  .@…l|…
0x1053200e0: 00 40 00 00 0e 00 00 00 00 00 00 00 00 00 00 00  .@…
0x1053200f0: 00 04 00 80 00 00 00 00 00 00 00 00 00 00 00 00  …
```
A key function that forwards API calls to the system; it should be something like a syscall:
```
__text:0000000104F10A1C E9 03 00 91 MOV X9, SP
__text:0000000104F10A20 FD 7B BF A9 STP X29, X30, [SP,#-0x10+var_s0]!
__text:0000000104F10A24 FD 03 00 91 MOV X29, SP
__text:0000000104F10A28 E6 1F BF AD STP Q6, Q7, [SP,#var_20]!
__text:0000000104F10A2C E4 17 BF AD STP Q4, Q5, [SP,#0x20+var_40]!
__text:0000000104F10A30 E2 0F BF AD STP Q2, Q3, [SP,#0x40+var_60]!
__text:0000000104F10A34 E0 07 BF AD STP Q0, Q1, [SP,#0x60+var_80]!
__text:0000000104F10A38 E8 27 BF A9 STP X8, X9, [SP,#0x80+var_90]!
__text:0000000104F10A3C E6 1F BF A9 STP X6, X7, [SP,#0x90+var_A0]!
__text:0000000104F10A40 E4 17 BF A9 STP X4, X5, [SP,#0xA0+var_B0]!
__text:0000000104F10A44 E2 0F BF A9 STP X2, X3, [SP,#0xB0+var_C0]!
__text:0000000104F10A48 E0 07 BF A9 STP X0, X1, [SP,#0xC0+var_D0]!
__text:0000000104F10A4C E0 03 0B AA MOV X0, X11
__text:0000000104F10A50 E1 03 00 91 MOV X1, SP
__text:0000000104F10A54 6B 8D 01 94 BL loc_104F74000
__text:0000000104F10A58 EB 03 00 AA MOV X11, X0
__text:0000000104F10A5C E0 07 C1 A8 LDP X0, X1, [SP+0xD0+var_D0],#0x10
__text:0000000104F10A60 E2 0F C1 A8 LDP X2, X3, [SP+0xC0+var_C0],#0x10
__text:0000000104F10A64 E4 17 C1 A8 LDP X4, X5, [SP+0xB0+var_B0],#0x10
__text:0000000104F10A68 E6 1F C1 A8 LDP X6, X7, [SP+0xA0+var_A0],#0x10
__text:0000000104F10A6C E8 27 C1 A8 LDP X8, X9, [SP+0x90+var_90],#0x10
__text:0000000104F10A70 E0 07 C1 AC LDP Q0, Q1, [SP+0x80+var_80],#0x20
__text:0000000104F10A74 E2 0F C1 AC LDP Q2, Q3, [SP+0x60+var_60],#0x20
__text:0000000104F10A78 E4 17 C1 AC LDP Q4, Q5, [SP+0x40+var_40],#0x20
__text:0000000104F10A7C E6 1F C1 AC LDP Q6, Q7, [SP+0x20+var_20],#0x20
__text:0000000104F10A80 BF 03 00 91 MOV SP, X29
__text:0000000104F10A84 FD 7B C1 A8 LDP X29, X30, [SP+var_s0],#0x10
__text:0000000104F10A88 60 01 1F D6 BR X11
```

A lot of memory it allocated itself.
During this it calls dlopen itself to load some target library functions.
2 likes
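As an added example that is not code from the thread, here is a parser for the 0x100 bytes that the `mem read` above dumped, embedded below as constructed from that output. It confirms what the region holds (an MH_EXECUTE arm64 header with its `__PAGEZERO` and `__TEXT` segments) and includes a hypothetical helper, `image_outside_dyld`, for the check a memory scanner would make: an executable image header sitting in a writable region is one the process mapped itself, since dyld keeps headers inside r-x `__TEXT`.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 2
LC_SEGMENT_64 = 0x19

# Constructed from the 0x100 bytes that `mem read 0x105320000 -c 0x100` printed
# in the post above (lldb reported the region as rw- __DATA).
DUMP = bytes.fromhex(
    "cffaedfe0c0000010000000002000000"  # magic, cputype, cpusubtype, filetype
    "7e000000b03200008500a10400000000"  # ncmds, sizeofcmds, flags, reserved
    "19000000480000005f5f504147455a45"  # LC_SEGMENT_64 __PAGEZERO
    "524f0000000000000000000000000000"
    "00000000010000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000001900000028070000"  # LC_SEGMENT_64 __TEXT, cmdsize 0x728
    "5f5f5445585400000000000000000000"
    "000000000100000000c0980c00000000"
    "000000000000000000c0980c00000000"
    "05000000050000001600000000000000"
    "5f5f7465787400000000000000000000"  # section __text,__TEXT
    "5f5f5445585400000000000000000000"
    "00400000010000006c7cb50a00000000"
    "004000000e0000000000000000000000"
    "00040080000000000000000000000000"
)

def cstr(raw):
    # NUL-padded 16-byte Mach-O name field
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_header(buf):
    fields = ("magic", "cputype", "cpusubtype", "filetype",
              "ncmds", "sizeofcmds", "flags", "reserved")
    return dict(zip(fields, struct.unpack_from("<8I", buf, 0)))

def parse_segments(buf):
    """Collect LC_SEGMENT_64 commands; every read is bounds-checked because
    the dump stops at 0x100 bytes, so commands past the end are just absent."""
    hdr = parse_header(buf)
    if hdr["magic"] != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O header")
    segs, off = [], 32  # sizeof(mach_header_64)
    for _ in range(hdr["ncmds"]):
        if off + 8 > len(buf):
            break
        cmd, cmdsize = struct.unpack_from("<2I", buf, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        if cmd == LC_SEGMENT_64 and off + 72 <= len(buf):
            (_, _, name, vmaddr, vmsize, _fo, _fs, maxprot, initprot, nsects,
             _fl) = struct.unpack_from("<2I16s4Q4I", buf, off)
            sections, soff = [], off + 72
            for _ in range(nsects):
                if soff + 80 > len(buf):
                    break  # remaining sections lie past the dump
                sname, _sg, addr, size, *_rest = struct.unpack_from(
                    "<16s16s2Q8I", buf, soff)
                sections.append({"name": cstr(sname), "addr": addr, "size": size})
                soff += 80
            segs.append({"name": cstr(name), "vmaddr": vmaddr, "vmsize": vmsize,
                         "maxprot": maxprot, "initprot": initprot,
                         "nsects": nsects, "sections": sections})
        off += cmdsize
    return hdr, segs

def image_outside_dyld(region_perms, buf):
    """Hypothetical check: dyld maps an image's header inside r-x __TEXT, so an
    MH_EXECUTE header at the start of a writable region was staged by the process."""
    hdr = parse_header(buf)
    return (hdr["magic"] == MH_MAGIC_64 and hdr["filetype"] == MH_EXECUTE
            and "w" in region_perms)
```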

Path redirection and that's it; didn't you also redirect via hooks? :sweat_smile:

It even cost me 28 yuan for a membership, just to debug it.

1 like

It can be done successfully.

Isn't dlopen not allowed for apps on the App Store?

I just tried it, and that's indeed the case; for now regular users can only load WeChat.

Could it work on the same principle as PlayCover?

That file is probably a generated closure file; it's probably not a virtual CPU. The decrypted package can already run directly, so why would it need a virtual CPU? Wouldn't that just be slower? It can only run one IPA at a time because the UI thread (the main thread) is occupied.

Not looking at this any further; this thing could endanger national security.

No need to explain, because its sample app WeChat, for example, can be breakpointed; set a breakpoint and compare the code and you'll know. See the assembly I posted above.

(Post deleted by author)

1 like

I don't know why you insist it uses a virtual CPU. That vmx is probably a package generated by dyld's closure pre-loading technique (not certain about this). You can break inside the WeChat app's own code, then open WeChat in IDA and compare the code.

I've already posted the code from debugging above, and I also set breakpoints in WeChat's code blocks and compared the code. WeChat's code is a big chunk of memory it mmap'd itself.

Nobody is that good yet, making a virtual CPU so fast that WeChat running inside it performs comparably to WeChat on a real device.

(Post deleted by author)

1 like

I don't need to know the specifics; what we're discussing right now is whether it uses a virtual CPU, and it doesn't use a virtual CPU!
You can set breakpoints inside WeChat!!!

(Post deleted by author)