1. Find the full path of the WeChat executable (WeChat):
Close every app on the iPhone except WeChat, then run ps -e over SSH; the WeChat line shows the executable path, e.g. /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat
2. Use Cycript to find WeChat's Documents directory. Attach to the running process with cycript -p WeChat and evaluate
NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]
which returns something like @"/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents"
3. Note the two paths you just obtained (the Bundle path holding the encrypted binary and the Documents path inside the app's writable Data container) and use dumpdecrypted to decrypt the WeChat binary.
Download the latest dumpdecrypted source from GitHub, cd into the source directory and build dumpdecrypted.dylib (the repository ships a Makefile, so make is enough).
4. Copy dumpdecrypted.dylib into WeChat's Documents directory. The app runs inside its sandbox container, so the injected dylib has to live somewhere the process is allowed to read; the Documents directory under the app's own Data container is such a place.
5. Start the decryption. The general form is DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo, i.e. the dylib in the Documents directory followed by the executable in the Bundle directory:
DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat
dumpdecrypted writes its output into the current working directory, so cd into the Documents directory before running it. A run looks like this:
iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xa2a90(from 0xa2000) = a90
[+] Found encrypted data at address 00004000 of length 53313536 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file
The decrypted file, WeChat.decrypted, is written to the current directory. Read the log carefully: the binary is a FAT image, and dumpdecrypted only decrypted the 32-bit ARM slice that was actually loaded into memory (the one at file offset 16384); the other slice is copied through unchanged and stays encrypted, with its cryptid still set to 1. The cryptid offset it patched, 0x4a90, is simply the slice offset 0x4000 plus the in-slice offset 0xa90 reported on the line before. To confirm the result, run otool -l on the dump: the LC_ENCRYPTION_INFO of the decrypted slice must show cryptid 0.
6. Copy WeChat.decrypted off the device (scp works) and rename it to WeChat; decryption is finished. The next step refers to the file under its original name, WeChat.decrypted; either name works as long as class-dump is pointed at the right file.
7. Run class-dump on the decrypted binary to export its header files: ./class-dump -s -S -H ./WeChat.decrypted -o ./header (-H writes one .h file per class, -o names the output directory, -s and -S sort the classes and the methods). Because the dump is still a FAT file in which only the 32-bit slice was decrypted, add --arch armv7 (or armv7s, whichever 32-bit slice otool -f lists) so that class-dump reads that slice rather than the still-encrypted one, which it cannot dump.
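The check that belongs between steps 6 and 7, written out as an added example (this is not code from the tutorial, from dumpdecrypted or from class-dump): a small Mach-O walker that finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 in every slice of a thin or FAT file and reports each slice's cryptid together with the file offset of that field, the same slice-offset-plus-in-slice-offset arithmetic the dumpdecrypted log prints. It also tells you which architecture name to hand to class-dump's --arch. The FAT sample at the bottom is constructed inside the script (one armv7 slice with cryptid 0, one arm64 slice with cryptid 1, no real code); the load-command layouts and magic values are the public Mach-O ones. Run it with the path to WeChat.decrypted as the only argument, or with no argument to see it on the constructed sample.

```python
"""Verify that a dumpdecrypted output file is really decrypted.

Added example, not part of dumpdecrypted, class-dump or the original post.
Parses a thin or FAT Mach-O, finds LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64
in every slice and reports cryptid plus the file offset of that field.
dumpdecrypted only patches the slice it ran in, so a FAT dump normally has
one slice at cryptid 0 and the other still at 1.
"""
import struct
import sys

FAT_MAGIC = 0xCAFEBABE        # fat header is big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C
ARM_SUBTYPE_NAMES = {9: "armv7", 11: "armv7s"}


def arch_name(cputype, cpusubtype):
    """Map cputype/cpusubtype to the name class-dump's --arch expects."""
    if cputype == CPU_TYPE_ARM64:
        return "arm64"
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPE_NAMES.get(cpusubtype & 0xFFFFFF, "arm")
    return "cputype-%d" % cputype


def parse_slice(data, base):
    """Walk the load commands of one thin Mach-O that starts at file offset `base`."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        hdr_size = 28
    elif magic == MH_MAGIC_64:
        hdr_size = 32             # mach_header_64 carries an extra reserved field
    else:
        raise ValueError("no little-endian Mach-O header at offset 0x%x" % base)
    cputype, cpusubtype, _filetype, ncmds, _sizeofcmds = struct.unpack_from(
        "<iIIII", data, base + 4)
    info = {"arch": arch_name(cputype, cpusubtype), "cputype": cputype,
            "cryptid": None, "cryptid_offset": None}
    off = base + hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("corrupt load command at offset 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            # Same arithmetic as the dumpdecrypted log: slice offset in the
            # file plus the offset of the cryptid field inside the slice
            # (0x4000 + 0xa90 = 0x4a90 for the WeChat run above).
            info.update(cryptoff=cryptoff, cryptsize=cryptsize,
                        cryptid=cryptid, cryptid_offset=off + 16)
            break
        off += cmdsize
    return info


def inspect_macho(data):
    """Return one info dict per slice (a thin file yields a single entry)."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [parse_slice(data, 0)]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat_arch):
        _cputype, _sub, offset, _size, _align = struct.unpack_from(
            ">iIIII", data, 8 + 20 * i)   # struct fat_arch, big-endian
        slices.append(parse_slice(data, offset))
    return slices


def decrypted_slices(data):
    """Slices whose cryptid is 0, i.e. the ones class-dump can actually read."""
    return [s for s in inspect_macho(data) if s["cryptid"] == 0]


# Constructed sample (not real WeChat data): FAT file with a decrypted armv7
# slice at 0x4000 and a still-encrypted arm64 slice at 0x8000.
def build_thin(is64, cpusubtype, cryptid, size=0x4000):
    if is64:
        hdr = struct.pack("<IiIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, cpusubtype, 2, 1, 24, 0, 0)
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    else:
        hdr = struct.pack("<IiIIIII", MH_MAGIC, CPU_TYPE_ARM, cpusubtype, 2, 1, 20, 0)
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    body = hdr + lc
    return body + b"\0" * (size - len(body))


def build_fat(slices):
    """slices: list of (cputype, cpusubtype, blob); every blob is 0x4000 bytes."""
    head = struct.pack(">II", FAT_MAGIC, len(slices))
    for i, (cputype, cpusubtype, blob) in enumerate(slices):
        head += struct.pack(">iIIII", cputype, cpusubtype, 0x4000 * (i + 1), len(blob), 14)
    return head + b"\0" * (0x4000 - len(head)) + b"".join(b for _, _, b in slices)


SAMPLE = build_fat([(CPU_TYPE_ARM, 9, build_thin(False, 9, 0)),
                    (CPU_TYPE_ARM64, 0, build_thin(True, 0, 1))])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in inspect_macho(blob):
        state = {0: "decrypted", 1: "ENCRYPTED", None: "no LC_ENCRYPTION_INFO"}
        print("%-7s cryptid field at 0x%x: %s" % (
            s["arch"], s["cryptid_offset"] or 0, state.get(s["cryptid"], s["cryptid"])))
```

If the slice you intend to feed class-dump is reported as ENCRYPTED, the dylib was injected into a process running the other architecture; rerun step 5 on a device that executes the slice you need, or dump the other slice separately.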