How to dump (decrypt) the WeChat binary

1. Find the full path of WeChat's executable (WeChat):

Close every app on the iPhone except WeChat, then run ps -e; the WeChat entry in the output gives the path /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat

2. Use Cycript to find WeChat's Documents path. Run cycript -p WeChat and evaluate:

NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]

@"/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents"

3. Note down the two paths just obtained (Bundle and Documents); dumpdecrypted will be used to dump the WeChat binary (WeChat).

Download the latest dumpdecrypted source from GitHub, change into the source directory, and build dumpdecrypted.dylib.

4. Copy dumpdecrypted.dylib into WeChat's Documents directory.

5. Start the dump: DYLD_INSERT_LIBRARIES=/PathFrom/dumpdecrypted.dylib /PathTo (where /PathFrom is the Documents path from step 2 and /PathTo is the executable path from step 1):

DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat

The run looks like this:

iPhone:~ root# DYLD_INSERT_LIBRARIES=/var/mobile/Containers/Data/Application/AB9ADF8F-D127-4401-B77A-9E261F996581/Documents/dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xa2a90(from 0xa2000) = a90
[+] Found encrypted data at address 00004000 of length 53313536 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/84C4EF60-8677-4E2A-BC2D-CC88460E1380/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file

The dumped file, WeChat.decrypted, is written to the current directory.

6. Copy WeChat.decrypted off the device and rename it to WeChat; the dump is complete.

7. Run class-dump on the freshly dumped WeChat.decrypted to export its header files: ./class-dump -s -S -H ./WeChat.decrypted -o ./header
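The dumper's log ends with "Setting the LC_ENCRYPTION_INFO->cryptid to 0", and class-dump will only produce useful headers if that actually happened. The checker below is an added example, not part of the original post and not dumpdecrypted's own code: it parses a thin or fat Mach-O with the standard library only, walks the load commands of each slice, and reports the cryptid value of LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 together with its file offset, so the output can be compared with the "offset 4a90" line in the log. The function names and the sample fat binary it builds are my own constructions; the sample mimics a two-slice file like the one in the log (the cryptid field offset it reports for the armv7 slice is 0x1044, for the arm64 slice 0x2048).

```python
import struct
import sys

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC = 0xFEEDFACE            # 32-bit, little-endian image
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit, little-endian image
FAT_MAGIC = 0xCAFEBABE           # fat header, big-endian
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21        # 32-bit: cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C     # 64-bit: same fields plus 4 bytes of padding
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C


def _parse_thin(data, base):
    """Parse one thin image starting at file offset `base`; return its encryption info."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32             # mach_header_64 has a trailing reserved field
    else:
        raise ValueError("no little-endian Mach-O image at offset 0x%x" % base)
    cputype, _subtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<IIIII", data, base + 4)
    info = {"offset": base, "cputype": cputype, "cryptoff": None,
            "cryptsize": None, "cryptid": None, "cryptid_file_offset": None}
    pos = base + header_size
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            # cryptid sits 16 bytes into the command (after cmd, cmdsize, cryptoff, cryptsize)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid,
                        cryptid_file_offset=pos + 16)
        pos += cmdsize
    return info


def encryption_info(data):
    """Return a list with one info dict per slice (fat) or a single-entry list (thin)."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [_parse_thin(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    slices = []
    for i in range(nfat):
        _ct, _cs, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError("fat arch %d extends past end of file" % i)
        slices.append(_parse_thin(data, off))
    return slices


def is_fairplay_encrypted(data):
    """True if any slice still carries cryptid != 0, i.e. the dump did not clear it."""
    return any(bool(s["cryptid"]) for s in encryption_info(data))


# --- constructed sample input (not a real binary) ---------------------------

def _thin_image(cputype, cryptid, is64):
    """Build a minimal header + LC_UUID + LC_ENCRYPTION_INFO(_64) image."""
    uuid_lc = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if is64:
        enc_lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    else:
        enc_lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    cmds = uuid_lc + enc_lc
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    hdr = struct.pack("<IIIIIII", magic, cputype, 0, 2, 2, len(cmds), 0)  # filetype 2 = MH_EXECUTE
    if is64:
        hdr += struct.pack("<I", 0)                                         # reserved
    return hdr + cmds


def build_sample(armv7_cryptid, arm64_cryptid):
    """Constructed two-slice fat file with page-aligned slices at 0x1000 and 0x2000."""
    armv7 = _thin_image(CPU_TYPE_ARM, armv7_cryptid, False)
    arm64 = _thin_image(CPU_TYPE_ARM64, arm64_cryptid, True)
    fat = struct.pack(">II", FAT_MAGIC, 2)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM, 0, 0x1000, len(armv7), 12)
    fat += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x2000, len(arm64), 12)
    fat = fat.ljust(0x1000, b"\x00") + armv7
    fat = fat.ljust(0x2000, b"\x00") + arm64
    return fat


if __name__ == "__main__":
    # Pass a file path (e.g. WeChat.decrypted) to check a real dump; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1, 0)
    for s in encryption_info(blob):
        print("slice @0x%x cputype=0x%x cryptid=%s (field at 0x%x)" % (
            s["offset"], s["cputype"], s["cryptid"], s["cryptid_file_offset"] or 0))
    print("still encrypted:", is_fairplay_encrypted(blob))
```

Run it against WeChat.decrypted before step 7: every slice should report cryptid=0. A slice that still shows cryptid=1 means that architecture was not the one dumpdecrypted ran as (it only decrypts the slice loaded in memory), and class-dump on that slice would yield nothing useful.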
