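Preface
Before trying this myself, I had always assumed that decompiling an app was difficult and tedious. Only after working through it hands-on did I find that the process is not that hard (this applies, of course, only to reversing a single install package; a complete reverse-engineering workflow still involves a lot more to learn). This post records the whole decompilation process as I carried it out.
Preparation
- A jailbroken phone (jailbreaking is very simple and can be done with PP Assistant (pp助手));
- Tools for reversing the install package: dumpdecrypted and class-dump, used mainly to extract the app's header files and produce readable Objective-C code;
- Reveal, for inspecting the app's UI.
I. Decompiling the target app's header files
1. Jailbreak the phone, then search for openssh, Cydia Substrate and Cycript in the jailbreak tool Cydia and install them
2. Install dumpdecrypted and class-dump
// Run the following commands in the terminal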
cd /Users/jacky/Downloads/dumpdecrypted-master
make
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c
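3. Get the file path of the app to decompile
Control the phone from the Mac terminal over SSH. Note that the default OpenSSH password is alpine. The computer and the phone must be connected to the same Wi-Fi network. Look up the phone's Wi-Fi IP address, then run this command in the terminal:
ssh root@192.168.0.102
root@192.168.0.102's password: // enter alpine here
Next, keep the app you want to decompile running in the foreground, then type ps -e and press Enter in the terminal that is connected to the phone. Here we use the Tencent News client as the example. With only the Tencent News client in the foreground, the command prints the full list of processes running on the device.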
PID TTY TIME CMD
1 ?? 1:41.19 /sbin/launchd
227 ?? 1:12.00 /usr/sbin/syslogd
229 ?? 0:07.19 /usr/sbin/WirelessRadioManagerd
233 ?? 0:00.59 /usr/sbin/wirelessproxd
239 ?? 0:01.87 /System/Library/PrivateFrameworks/TCC.framework/tccd
242 ?? 0:17.33 /usr/libexec/fseventsd
245 ?? 0:23.28 /usr/libexec/installd
246 ?? 0:00.00 (MSUnrestrictProc)
248 ?? 0:00.57 /System/Library/PrivateFrameworks/MobileInstallation.framework/XPCServices/com.apple.MobileInstallationHelperService.xpc/
251 ?? 0:07.27 /System/Library/PrivateFrameworks/IAP.framework/Support/iaptransportd
254 ?? 0:52.72 /System/Library/PrivateFrameworks/iTunesStore.framework/Support/itunesstored
259 ?? 0:11.17 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
261 ?? 1:11.99 /usr/libexec/configd
263 ?? 0:03.92 /usr/sbin/distnoted daemon
265 ?? 0:14.64 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
267 ?? 72:19.69 /usr/libexec/backboardd
269 ?? 0:00.35 /usr/libexec/nfcd
271 ?? 0:27.58 /usr/libexec/assertiond
273 ?? 0:34.17 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
275 ?? 0:04.54 /usr/sbin/fairplayd.H2
277 ?? 0:27.67 /usr/sbin/mDNSResponder
279 ?? 1:07.36 /usr/sbin/notifyd
281 ?? 1:14.47 /usr/sbin/wifid
287 ?? 9:12.79 /System/Library/CoreServices/SpringBoard.app/SpringBoard
289 ?? 0:00.26 /System/Library/PrivateFrameworks/GenerationalStorage.framework/revisiond
293 ?? 52:45.76 /usr/sbin/mediaserverd
295 ?? 0:06.61 /usr/libexec/sharingd
297 ?? 0:12.68 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/identityservicesd
299 ?? 0:23.42 /System/Library/CoreServices/powerd.bundle/powerd
310 ?? 0:03.73 /System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd
321 ?? 1:11.29 /usr/sbin/cfprefsd daemon
324 ?? 0:07.68 /System/Library/PrivateFrameworks/MobileContainerManager.framework/Support/containermanagerd
327 ?? 0:00.96 /usr/libexec/diagnosticd
333 ?? 0:55.72 /usr/libexec/networkd
336 ?? 0:06.62 /usr/sbin/BTServer
338 ?? 0:34.36 /usr/libexec/routined
342 ?? 0:14.35 /usr/libexec/nsurlstoraged
344 ?? 0:05.26 /usr/libexec/nanoregistryd
347 ?? 0:00.01 /usr/libexec/rocketd
350 ?? 0:15.57 /System/Library/Frameworks/Accounts.framework/accountsd
357 ?? 0:43.51 /usr/libexec/hangtracerd
359 ?? 0:00.07 /usr/libexec/MobileGestaltHelper
365 ?? 0:00.18 /usr/libexec/networkd_privileged
369 ?? 0:00.05 /usr/libexec/nanoregistrylaunchd
372 ?? 0:01.71 /System/Library/PrivateFrameworks/FoundationODR.framework/ondemandd.bundle/ondemandd
375 ?? 0:04.66 /usr/libexec/lsd
377 ?? 0:00.04 /System/Library/PrivateFrameworks/TouchRemote.framework/Support/touchsetupd
379 ?? 2:23.77 /usr/libexec/nsurlsessiond
381 ?? 0:14.87 /usr/libexec/timed
383 ?? 0:03.85 /usr/libexec/nehelper
397 ?? 5:59.90 /usr/libexec/UserEventAgent (System)
402 ?? 0:00.06 /usr/libexec/misd
406 ?? 0:00.01 /usr/libexec/pfd -d
409 ?? 0:01.10 /usr/libexec/lockbot
414 ?? 0:40.08 /usr/libexec/pphelper/PPHelperLaunchd
416 ?? 0:00.09 /usr/libexec/misagent
421 ?? 0:04.58 /System/Library/PrivateFrameworks/Accessibility.framework/Frameworks/AccessibilityUI.framework/XPCServices/com.apple.acce
424 ?? 25:36.62 /usr/libexec/locationd
427 ?? 0:01.25 /usr/libexec/mobileassetd
430 ?? 0:00.09 /usr/libexec/mobileactivationd
433 ?? 0:15.84 /System/Library/PrivateFrameworks/GeoServices.framework/geod
436 ?? 1:11.79 /usr/libexec/securityd
439 ?? 0:01.14 /System/Library/PrivateFrameworks/AuthKit.framework/akd
441 ?? 4:05.72 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
446 ?? 0:13.47 /usr/libexec/atc
451 ?? 0:00.03 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd
454 ?? 0:01.85 /System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd
457 ?? 0:02.34 /System/Library/PrivateFrameworks/MusicLibrary.framework/Support/medialibraryd
462 ?? 0:14.24 /usr/libexec/lockdownd
466 ?? 0:00.10 /System/Library/PrivateFrameworks/VisualVoicemail.framework/vmd
473 ?? 0:00.05 /usr/sbin/BlueTool -R
476 ?? 0:00.76 /System/Library/PrivateFrameworks/IMDPersistence.framework/XPCServices/IMDPersistenceAgent.xpc/IMDPersistenceAgent
481 ?? 0:01.77 /usr/libexec/biometrickitd --launchd
484 ?? 2:56.85 /usr/libexec/coreduetd
486 ?? 1:07.12 /usr/libexec/symptomsd
490 ?? 0:00.52 /System/Library/PrivateFrameworks/MapsSupport.framework/mapspushd
492 ?? 0:00.33 /System/Library/PrivateFrameworks/StoreBookkeeperClient.framework/Support/storebookkeeperd
494 ?? 0:00.54 /usr/libexec/findmydeviced
498 ?? 0:27.23 /usr/libexec/SafariCloudHistoryPushAgent
501 ?? 0:00.06 /System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy
504 ?? 0:00.11 /System/Library/Frameworks/Security.framework/CloudKeychainProxy.bundle/CloudKeychainProxy
507 ?? 0:03.49 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
510 ?? 0:00.18 /System/Library/PrivateFrameworks/CallHistory.framework/Support/CallHistorySyncHelper
513 ?? 0:18.54 /usr/libexec/gamed
516 ?? 0:00.13 /System/Library/PrivateFrameworks/AskPermission.framework/askpermissiond
519 ?? 0:04.28 /System/Library/PrivateFrameworks/HomeSharing.framework/Support/itunescloudd
522 ?? 0:02.84 /System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homed
525 ?? 0:01.00 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
527 ?? 0:03.63 /System/Library/Frameworks/PassKit.framework/passd
531 ?? 0:00.15 /System/Library/PrivateFrameworks/iCloudNotification.framework/ind
534 ?? 0:08.14 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/bird
537 ?? 0:00.79 /usr/libexec/fmfd
540 ?? 0:02.69 /System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd
546 ?? 0:02.53 /usr/libexec/aosnotifyd
549 ?? 0:01.09 /usr/sbin/filecoordinationd
551 ?? 0:00.10 /usr/libexec/keybagd -t 15
555 ?? 0:22.69 /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
558 ?? 0:00.55 /usr/libexec/adid
561 ?? 0:00.13 /System/Library/PrivateFrameworks/CarKit.framework/Support/carkitd
564 ?? 0:04.04 /usr/libexec/pipelined
566 ?? 0:11.86 /usr/libexec/duetexpertd
569 ?? 0:02.11 /System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd
573 ?? 0:09.53 /System/Library/PrivateFrameworks/Search.framework/searchd
576 ?? 0:00.07 /System/Library/PrivateFrameworks/CoreFollowUp.framework/followupd
583 ?? 0:01.03 /System/Library/PrivateFrameworks/CloudDocsDaemon.framework/XPCServices/ContainerMetadataExtractor.xpc/ContainerMetadataE
586 ?? 0:00.36 /System/Library/CoreServices/AppleIDAuthAgent
589 ?? 0:00.30 /System/Library/PrivateFrameworks/AssistantServices.framework/assistantd
595 ?? 0:03.52 /usr/libexec/DuetHeuristic-BM
601 ?? 0:01.60 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
612 ?? 0:02.28 /System/Library/PrivateFrameworks/CalendarDaemon.framework/Support/calaccessd
620 ?? 0:00.12 /Applications/MobileSafari.app/webbookmarksd
622 ?? 0:00.05 /System/Library/PrivateFrameworks/AppSupport.framework/Support/cplogd
624 ?? 0:15.84 /Applications/MobileMail.app/MobileMail
626 ?? 0:00.05 /System/Library/PrivateFrameworks/UIFoundation.framework/XPCServices/com.apple.uifoundation-bundle-helper.xpc/com.apple.u
629 ?? 0:00.64 /System/Library/PrivateFrameworks/CoreRecents.framework/recentsd
634 ?? 0:23.22 /var/containers/Bundle/Application/E1C69DFA-A28C-4247-9030-335808503E89/AlipayWallet.app/AlipayWallet
636 ?? 0:00.46 /System/Library/PrivateFrameworks/CoreSuggestions.framework/suggestd
646 ?? 0:02.39 /usr/libexec/wcd
653 ?? 0:00.13 /System/Library/PrivateFrameworks/CacheDelete.framework/deleted
656 ?? 0:00.13 /System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd
742 ?? 0:00.09 /usr/sbin/absd
794 ?? 0:00.19 /usr/libexec/notification_proxy
811 ?? 0:02.68 /System/Library/Frameworks/HealthKit.framework/healthd
825 ?? 0:00.05 /usr/libexec/afcd
826 ?? 0:00.00 (MSUnrestrictProc)
836 ?? 0:03.20 /System/Library/Frameworks/Metal.framework/XPCServices/MTLCompilerService.xpc/MTLCompilerService
852 ?? 0:03.09 /usr/libexec/rtcreportingd
866 ?? 0:00.18 /usr/libexec/online-auth-agent
869 ?? 0:00.10 /Applications/Contacts.app/PlugIns/ContactsCoreSpotlightExtension.appex/ContactsCoreSpotlightExtension
872 ?? 0:00.68 /Applications/MobileCal.app/PlugIns/CalendarWidget.appex/CalendarWidget
874 ?? 0:12.29 /Applications/Stocks.app/PlugIns/StocksWidget.appex/StocksWidget
933 ?? 0:00.08 /System/Library/CoreServices/EscrowSecurityAlert.app/EscrowSecurityAlert
941 ?? 0:00.07 /usr/libexec/companion_proxy
948 ?? 0:04.46 /System/Library/TextInput/kbd
951 ?? 0:41.09 /private/var/containers/Bundle/Application/CCE14291-E925-45A2-A759-18E084E261C1/SogouInput.app/PlugIns/com.sogou.sogouinp
957 ?? 0:03.48 /usr/libexec/mobile_installation_proxy
960 ?? 0:00.04 /System/Library/CoreServices/CacheDeleteSystemFiles
962 ?? 0:00.06 /System/Library/CoreServices/CacheDeleteITunesStore
964 ?? 0:00.52 /System/Library/CoreServices/CacheDeleteAppContainerCaches
967 ?? 0:00.65 aslmanager
969 ?? 0:00.09 /usr/libexec/replayd
975 ?? 0:05.61 /usr/libexec/swcd
987 ?? 0:02.04 /System/Library/PrivateFrameworks/MapsSupport.framework/navd
996 ?? 0:01.36 /usr/libexec/mmaintenanced
1004 ?? 0:00.57 /usr/libexec/seld
1013 ?? 0:00.12 /System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/CMFSyncAgent
1016 ?? 0:08.80 /Applications/InCallService.app/InCallService
1052 ?? 0:25.06 /System/Library/PrivateFrameworks/StreamingZip.framework/XPCServices/com.apple.StreamingUnzipService.xpc/com.apple.Stream
1058 ?? 0:02.81 /usr/libexec/splashboardd
1181 ?? 0:05.55 /var/containers/Bundle/Application/EEE70959-6650-4665-964A-CE4B77FD5DD8/WeChat.app/WeChat
1206 ?? 0:12.51 /Applications/SafariViewService.app/SafariViewService
1208 ?? 0:00.25 /System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.Networking.xpc/com.apple.WebKit.Networking
1214 ?? 0:00.18 /System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1281 ?? 0:00.14 /System/Library/PrivateFrameworks/FamilyCircle.framework/familycircled
1355 ?? 0:00.79 /Applications/MessagesNotificationViewService.app/MessagesNotificationViewService
1447 ?? 0:00.09 /usr/libexec/OTAPKIAssetTool
1806 ?? 0:00.10 /System/Library/PrivateFrameworks/QuickLookThumbnailing.framework/Support/com.apple.quicklook.ThumbnailsAgent
1812 ?? 0:00.06 /usr/libexec/tipsd
2046 ?? 0:00.75 /usr/libexec/tzd
2134 ?? 0:01.36 /var/containers/Bundle/Application/EFB23F4D-BC89-4835-890D-7C6B1B25A020/WeRead.app/WeRead
2147 ?? 0:00.08 /System/Library/PrivateFrameworks/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/com.apple.Safari.Histor
2505 ?? 2:32.07 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
2692 ?? 0:01.05 /System/Library/PrivateFrameworks/SoftwareBehaviorServices.framework/Support/softwarebehaviorservicesd
2817 ?? 0:00.09 /usr/libexec/limitadtrackingd
2820 ?? 0:00.21 /System/Library/PrivateFrameworks/AssetCacheServices.framework/XPCServices/AssetCacheLocatorService.xpc/AssetCacheLocator
2972 ?? 0:02.33 /usr/libexec/ptpd -t usb
3026 ?? 0:01.53 /Applications/StoreKitUIService.app/StoreKitUIService
3099 ?? 0:00.23 sshd: root@ttys000
3106 ?? 0:07.53 /var/containers/Bundle/Application/80A788E7-9FEE-4896-B963-DE0D37911FB1/QQNews.app/QQNews
3108 ?? 0:00.07 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
3111 ?? 0:00.05 /System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.Networking.xpc/com.apple.WebKit.Networking
3113 ?? 0:00.06 /System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent
3101 ttys000 0:00.03 -sh
3116 ttys000 0:00.01 ps -e
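Out of all this output, we only look for entries that begin with /var/containers, because app directories on a real device all have this form. That gives us the file path of Tencent News: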
/var/containers/Bundle/Application/80A788E7-9FEE-4896-B963-DE0D37911FB1/QQNews.app/QQNews
4. Use Cycript to find the path of the target app's Documents directory
From the step above we know that the process name of Tencent News is QQNews
1234:~ root# cycript -p QQNews
// Use NSFileManager to look up the Documents folder
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
// The output below is the Documents folder path we are looking for
#"file:///var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents/"
cy#
// Press control+z to exit
5. Copy dumpdecrypted.dylib into the Documents directory
dumpdecrypted-master jacky$ scp /Users/jacky/Downloads/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.3.37:/var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents/
root@192.168.3.37's password:
dumpdecrypted.dylib 100% 193KB 2.8MB/s 00:00
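Note that this command cannot be run in the terminal left over from step 4, because that terminal is a shell on the phone. Running the copy command there fails with "/Users/jacky/Downloads/dumpdecrypted-master/dumpdecrypted.dylib: No such file or directory".
6. Decrypt the app binary ("cracking the shell") with dumpdecrypted.dylib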
cd /var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents/
1234:/var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/80A788E7-9FEE-4896-B963-DE0D37911FB1/QQNews.app/QQNews mach-o decryption dumper
Killed: 9
1234:/var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents root# su mobile
1234:~/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents mobile$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/80A788E7-9FEE-4896-B963-DE0D37911FB1/QQNews.app/QQNews mach-o decryption dumper
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x1000d8ca8(from 0x1000d8000) = ca8
[+] Found encrypted data at address 00004000 of length 42254336 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/80A788E7-9FEE-4896-B963-DE0D37911FB1/QQNews.app/QQNews for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening QQNews.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset ca8
[+] Closing original file
[+] Closing dump file
1234:~/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents mobile$ ls
HLLiteFiles dumpdecrypted.dylib qn_my_concern_global.data qn_sorted_tagitems_.data submenu.data
QQNews.decrypted fontsizetype.value qn_my_concern_list_.data subMenuChannel_news_live.data tadConfig.plist
QQNewsData.db helpInfo.data qn_my_concern_recommand_.data subMenuInCurrent.data
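Problem encountered: running the command reported Killed: 9. Checking on GitHub showed that this problem occurs only on iOS 9.3.2-9.3.3, and someone had posted a workaround in the issues. After trying it, simply entering "su mobile" in the terminal and running the command again was enough.
7. Parse the file with class-dump
Before parsing, we first need to copy the resulting QQNews.decrypted file to the computer. Again, the copy command cannot be run in the session that controls the phone; open a new terminal window and run it there: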
scp root@192.168.3.37:/var/mobile/Containers/Data/Application/43E3939B-59E5-4442-8A80-ED0E33C8EDBD/Documents/QQNews.decrypted ~/Desktop
root@192.168.3.37's password:
QQNews.decrypted 100% 51MB 12.9MB/s 00:03
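Here we copy the file to the desktop, where QQNews.decrypted should now be visible. The next step is to use class-dump to turn the file into Objective-C code
cd /Users/jacky/Desktop
// arm64 here must match the architecture of your own phone: on a 64-bit device it works as-is; for phones older than the iPhone 5, replace it with armv7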
jjb-pyxw:Desktop jacky$ class-dump --arch arm64 QQNews.decrypted > QQNews.m
If all went well, there is now a QQNews.m file on the desktop. Open it and everything will look rather familiar!
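II. Inspecting the app's UI with Reveal
1. Open Reveal (version 1.6.3), go to Help / Show Reveal Library in Finder / iOS Library in the menu bar, and locate libReveal.dylib and Reveal.framework
2. Copy libReveal.dylib to the /Library/MobileSubstrate/DynamicLibraries folder on the phone
// Again, do not run the copy command in the terminal window that controls the phone, for the reason given earlier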
scp /Applications/Reveal.app/Contents/SharedSupport/iOS-Libraries/libReveal.dylib root@192.168.3.37:/Library/MobileSubstrate/DynamicLibraries
root@192.168.3.37's password:
libReveal.dylib 100% 4282KB 9.8MB/s 00:00
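3. Get the target app's bundle id, create a new libReveal.plist file, and put the target app's bundle id in it
This raises a question: how do we get the target app's bundle id?
In the past, we could download the target app's ipa file from iTunes and unzip it, or use iTools, but that route no longer works
After some searching, the workable method is:
1. Search for the target app in the App Store, share the link to the computer, and read the id number from it
For Tencent News, for example, the link is: https://itunes.apple.com/cn/app/%E8%85%BE%E8%AE%AF%E6%96%B0%E9%97%BB-%E4%BA%8B%E5%AE%9E%E6%B4%BE%E7%9A%84%E7%83%AD%E7%82%B9%E8%B5%84%E8%AE%AF%E5%A8%B1%E4%B9%90%E7%9F%AD%E8%A7%86%E9%A2%91%E8%BD%AF%E4%BB%B6/id399363156?mt=8
2. Then open https://itunes.apple.com/lookup?id=399363156 in a browser, which returns a txt document; open the document and search for bundleid to find the value
3. Create a new plist in Xcode, name it libReveal.plist, and fill in the target app's bundleid
Copy libReveal.plist to the /Library/MobileSubstrate/DynamicLibraries folder on the phone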
scp /Users/jacky/Desktop/Test/oc/JailbreakDemo/JailbreakDemo/libReveal.plist root@192.168.3.37:/Library/MobileSubstrate/DynamicLibraries
root@192.168.3.37's password:
libReveal.plist 100% 343 45.2KB/s 00:00
4. Reopen the target app and inspect it with Reveal
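The bundle id lookup and libReveal.plist creation from step 3 can also be scripted instead of done by hand in a browser and Xcode. This is an added example, not part of the original post: the function names are hypothetical, the lookup response is a constructed sample with a placeholder bundle id, and the Filter/Bundles layout is the MobileSubstrate filter convention, which the post does not show.

```python
import json
import plistlib
import re

# Constructed sample of the JSON returned by https://itunes.apple.com/lookup?id=<id>.
# The bundleId value is a placeholder, not the real Tencent News bundle id.
SAMPLE_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [{"trackId": 399363156, "bundleId": "com.example.newsapp"}],
})

# Bundle ids are reverse-DNS style: letters, digits, hyphens and periods.
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def bundle_id_from_lookup(response_text, track_id):
    """Return the bundleId of the result whose trackId matches track_id."""
    doc = json.loads(response_text)
    for result in doc.get("results", []):
        if result.get("trackId") == track_id:
            bundle_id = result.get("bundleId", "")
            # Reject anything odd before it is written to a file on the device.
            if not BUNDLE_ID_RE.fullmatch(bundle_id):
                raise ValueError(f"unexpected bundleId value: {bundle_id!r}")
            return bundle_id
    raise LookupError(f"no result for id {track_id}")


def reveal_filter_plist(bundle_id):
    """Build libReveal.plist: a filter that loads libReveal.dylib only into
    the named bundle rather than into every process on the phone."""
    return plistlib.dumps({"Filter": {"Bundles": [bundle_id]}}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    bid = bundle_id_from_lookup(SAMPLE_LOOKUP, 399363156)
    with open("libReveal.plist", "wb") as fh:
        fh.write(reveal_filter_plist(bid))
    print("wrote libReveal.plist for", bid)
```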
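Closing remarks
That is the complete record of this reverse-engineering exercise. I am still studying the subject in more depth; here I only wanted to write down the whole procedure and the pitfalls I ran into, as a reminder to myself and to save time for others who are interested in reverse engineering. The one thing to watch throughout is that copying files from the Mac to the phone, or from the phone to the Mac, must never be done in the terminal window that is controlling the phone, or you will end up with a headache!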