4ch12dy / xia0LLDB

LLDB python scripts for iOS arm64 reversing by xia0
650 stars 114 forks source link

Hello, dumping the .framework doesn't seem to succeed #11

Closed leroyli closed 4 years ago

leroyli commented 4 years ago

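Hello, the executable can be dumped (decrypted) successfully, but dumping the .framework does not succeed. Is there a good solution for this?

Device: iPhone6 jailbroken with checkra.in, system 12.4.5; the app being dumped is Ximalaya (喜马拉雅) version 6.6.66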

4ch12dy commented 4 years ago

Where is the error log?

leroyli commented 4 years ago

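There is no error log. The command executes successfully, but checking the framework with otool shows it is still encrypted; only the main binary is decrypted. Dragging it into MonkeyDev also reports that the framework is not decrypted.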

leroyli commented 4 years ago

[*] start to dump...

[+] Dumping ting
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100db0cf8(from 0x100db0000) = cf8
[+] Found encrypted data at address 00004000 of length 82722816 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/3A335E57-20A7-42C7-8A51-722F8C29130F/ting.app/ting for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/19C0D5A3-EA48-49AA-A3A2-A0BF3AAE3C98/Documents/ting.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset cf8
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/19C0D5A3-EA48-49AA-A3A2-A0BF3AAE3C98/Documents/ting.decrypted

[+] Dumping XMNetworkRequest
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x108664ad0(from 0x108664000) = ad0
[+] Found encrypted data at address 00004000 of length 131072 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/3A335E57-20A7-42C7-8A51-722F8C29130F/ting.app/Frameworks/XMNetworkRequest.framework/XMNetworkRequest for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/19C0D5A3-EA48-49AA-A3A2-A0BF3AAE3C98/Documents/XMNetworkRequest.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ad0
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/19C0D5A3-EA48-49AA-A3A2-A0BF3AAE3C98/Documents/XMNetworkRequest.decrypted

otool -l XMNetworkRequest.decrypted | grep crypt
XMNetworkRequest.decrypted:
     cryptoff 16384
    cryptsize 98304
      cryptid 1

otool -l ting.decrypted | grep crypt
ting.decrypted:
     cryptoff 16384
    cryptsize 82722816
      cryptid 0

4ch12dy commented 4 years ago

I tested this app on my side and there was no problem.

xia0 ~ $ otool -l XMNetworkRequest.decrypted | grep crypt
XMNetworkRequest.decrypted:
     cryptoff 16384
    cryptsize 98304
      cryptid 0

Are you using the latest version?

leroyli commented 4 years ago

Yes, it is the latest version. If it works in your test, then one of my steps is probably wrong. I will try a few more times. Thanks.
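
The `otool -l <file> | grep crypt` check used in this thread, written out as an added example (not part of the issue and not xia0LLDB code): it walks the Mach-O load commands, reads `cryptoff`, `cryptsize` and `cryptid`, and lists every dumped image whose `cryptid` is still non-zero. The function names and the two in-memory sample headers are assumptions constructed here from the otool values quoted above; it handles thin little-endian 64-bit files only.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF            # thin, little-endian, 64-bit Mach-O
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C

def encryption_info(data):
    """Return (cryptoff, cryptsize, cryptid) of a thin 64-bit Mach-O, or None."""
    if len(data) < 32:
        raise ValueError("too short for mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (extract the slice from a fat file first)")
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cmdsize >= 20:
            return struct.unpack_from("<3I", data, off + 8)
        off += cmdsize
    return None                      # no encryption load command present

def still_encrypted(images):
    """Names of images (name -> bytes) whose cryptid is non-zero."""
    bad = []
    for name, data in images.items():
        info = encryption_info(data)
        if info is not None and info[2] != 0:
            bad.append(name)
    return bad

def sample(cryptsize, cryptid):
    """Constructed input: mach_header_64 + LC_UUID + LC_ENCRYPTION_INFO_64."""
    cmds = struct.pack("<2I", LC_UUID, 24) + bytes(16)
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, cryptsize, cryptid, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0) + cmds

# Constructed samples carrying the otool values quoted in the thread.
SAMPLES = {"ting.decrypted": sample(82722816, 0),
           "XMNetworkRequest.decrypted": sample(98304, 1)}

if __name__ == "__main__":
    files = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name in files:
        print(name, encryption_info(files[name]))
    print("still encrypted:", still_encrypted(files))
```

Passing the paths of the `.decrypted` files as arguments checks real dumps; with no arguments it runs on the constructed samples.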