├── .gitignore
├── Makefile
├── README.md
├── README_current.json
├── book.json
├── book_current.json
├── node_modules
└── src
    ├── README.md
    ├── SUMMARY.md
    ├── after_ipa
    │   ├── README.md
    │   └── install_ipa.md
    ├── appendix
    │   ├── README.md
    │   └── reference.md
    ├── assets
    │   ├── favicon.ico
    │   └── img
    │       ├── add_shell_before_after.jpg
    │       ├── aweme_app_running_normal.jpg
    │       ├── aweme_crash_log_no_func_name.jpg
    │       ├── aweme_ips_log.png
    │       ├── aweme_start_crash_ips_log.png
    │       ├── cracked_aweme_ipa.png
    │       ├── cracked_ipa_tiktok.jpg
    │       ├── dump_start_app_timeout.png
    │       ├── frida_ios_dump_tiktok.jpg
    │       ├── fridaiosdump_aweme.png
    │       ├── ios_crack_shell_logic.png
    │       ├── ipa_install_fail_devicenotsupportedbythinning.png
    │       ├── load_success_0_00b_no_progress.png
    │       ├── origin_uisupporteddevices_no_model.jpg
    │       ├── xcode_aweme_anti_ssl_pinning.jpg
    │       └── xcode_devices_simulators_view_devices_logs.jpg
    ├── common_issue
    │   ├── README.md
    │   ├── crash_after_start.md
    │   ├── devicenotsupportedbythinning.md
    │   ├── no_progress_0_00b.md
    │   └── timeout_reached.md
    ├── crack_example
    │   ├── README.md
    │   └── frida_ios_dump
    │       ├── README.md
    │       ├── aweme.md
    │       ├── tiktok.md
    │       └── youtube.md
    ├── crack_shell_overview
    │   └── README.md
    └── crack_tools
        ├── README.md
        ├── bfinject.md
        ├── clutch.md
        ├── dumpdecrypted.md
        └── frida_ios_dump.md
/.gitignore:
--------------------------------------------------------------------------------
node_modules/
output/
debug/

*.zip

.DS_Store

!src/**/output
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
include ../../common/honkit_makefile.mk
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# iOS Reverse Engineering: Dumping Decrypted IPAs

* Latest version: `v1.1.1`
* Last updated: `20241209`

## Introduction

This book covers dumping ("cracking the shell" of) encrypted iOS apps to obtain decrypted ipa files. It explains what the "shell" is and why it has to be removed; introduces the common dumping tools such as frida-ios-dump, dumpdecrypted and clutch; walks through using frida-ios-dump to dump apps such as YouTube and Douyin into ipa files; covers what to do after the ipa has been dumped, including installing it; and collects the common problems and their solutions.

## Source + Online Reading + Downloads

The book's source, online reading addresses and downloads in several formats are listed below:

### HonKit source

* [crifan/ios_re_crack_shell_ipa: iOS逆向开发:砸壳ipa](https://github.com/crifan/ios_re_crack_shell_ipa)

#### How to build and publish an e-book from this HonKit source

See: [crifan/honkit_template: demo how to use crifan honkit template and demo](https://github.com/crifan/honkit_template)

### Read online

* [iOS逆向开发:砸壳ipa book.crifan.org](https://book.crifan.org/books/ios_re_crack_shell_ipa/website/)
* [iOS逆向开发:砸壳ipa crifan.github.io](https://crifan.github.io/ios_re_crack_shell_ipa/website/)

### Download for offline reading

* [iOS逆向开发:砸壳ipa PDF](https://book.crifan.org/books/ios_re_crack_shell_ipa/pdf/ios_re_crack_shell_ipa.pdf)
* [iOS逆向开发:砸壳ipa ePub](https://book.crifan.org/books/ios_re_crack_shell_ipa/epub/ios_re_crack_shell_ipa.epub)
* [iOS逆向开发:砸壳ipa Mobi](https://book.crifan.org/books/ios_re_crack_shell_ipa/mobi/ios_re_crack_shell_ipa.mobi)

## Copyright and Usage Notice

Unless otherwise stated, all content of this e-book tutorial is my own original work. Some parts reference material from the web, and the source is noted in each case. If you find any infringement, please contact me by e-mail at `admin 艾特 crifan.com` and I will remove it as soon as possible. Thank you for your cooperation.

All technical tutorials are for learning and research only. Do not use them for any illegal purpose; any illegal use has nothing to do with me.

## Acknowledgements

Thanks to my wife **陈雪** for her understanding and care, which lets me, `crifan`, devote more energy to technical research and to compiling these e-books and tutorials.

## Other

### Other e-books by the author

I (`crifan`) have also written `150+` other e-book tutorials; if you are interested, see:

[crifan/crifan_ebook_readme: Crifan的电子书的使用说明](https://github.com/crifan/crifan_ebook_readme)

### About the author

For more about the author, see:

[关于CrifanLi李茂 – 在路上](https://www.crifan.org/about/)

--------------------------------------------------------------------------------
/README_current.json:
--------------------------------------------------------------------------------
{
  "latestVersion": "v1.1.1",
  "lastUpdate": "20241209",
  "gitRepoName": "ios_re_crack_shell_ipa",
  "bookName": "iOS逆向开发:砸壳ipa",
  "bookDescription": "介绍iOS逆向中的砸壳脱壳出ipa方面的内容。主要包括什么是壳,为何要砸壳,常见砸壳工具,比如frida-ios-dump、dumpdecrypted、clutch等;以及举例介绍如何用frida-ios-dump砸壳YouTube、抖音等app得到ipa文件;以及砸壳出iap后的事情,包括ipa的安装;以及整理常见的问题及解决办法。"
}
--------------------------------------------------------------------------------
/book.json:
--------------------------------------------------------------------------------
{
  "title": "iOS逆向开发:砸壳ipa",
  "description": "介绍iOS逆向中的砸壳脱壳出ipa方面的内容。主要包括什么是壳,为何要砸壳,常见砸壳工具,比如frida-ios-dump、dumpdecrypted、clutch等;以及举例介绍如何用frida-ios-dump砸壳YouTube、抖音等app得到ipa文件;以及砸壳出iap后的事情,包括ipa的安装;以及整理常见的问题及解决办法。",
  "pluginsConfig": {
    "github-buttons": {
      "buttons": [
        {
          "repo": "ios_re_crack_shell_ipa",
          "user": "crifan",
          "type": "star",
          "count": true,
          "size": "small"
        },
        {
          "user": "crifan",
          "type": "follow",
          "width": "120",
          "count": false,
          "size": "small"
        }
      ]
    },
    "sitemap-general": {
      "prefix": "https://book.crifan.org/books/ios_re_crack_shell_ipa/website/"
    },
    "toolbar-button": {
      "url": "https://book.crifan.org/books/ios_re_crack_shell_ipa/pdf/ios_re_crack_shell_ipa.pdf",
      "icon": "fa-file-pdf-o",
      "label": "下载PDF"
    },
    "theme-default": {
      "showLevel": true
    },
    "disqus": {
      "shortName": "crifan"
    },
    "prism": {
      "css": [
        "prism-themes/themes/prism-atom-dark.css"
      ]
    },
    "sharing": {
      "douban": false,
      "facebook": true,
      "google": false,
      "hatenaBookmark": false,
      "instapaper": false,
      "line": false,
      "linkedin": false,
      "messenger": false,
      "pocket": false,
      "qq": true,
      "qzone": false,
      "stumbleupon": false,
      "twitter": true,
      "viber": false,
      "vk": false,
      "weibo": true,
      "whatsapp": false,
      "all": [
        "douban",
        "facebook",
        "google",
        "instapaper",
        "line",
        "linkedin",
        "messenger",
        "pocket",
        "qq",
        "qzone",
        "stumbleupon",
        "twitter",
        "viber",
        "vk",
        "weibo",
        "whatsapp"
      ]
    },
    "tbfed-pagefooter": {
      "copyright": "crifan.org,使用署名4.0国际(CC BY 4.0)协议发布",
      "modify_label": "最后更新:",
      "modify_format": "YYYY-MM-DD HH:mm:ss"
    },
    "donate": {
      "wechat": "https://www.crifan.org/files/res/crifan_com/crifan_wechat_pay.jpg",
      "alipay": "https://www.crifan.org/files/res/crifan_com/crifan_alipay_pay.jpg",
      "title": "",
      "button": "打赏",
      "alipayText": "支付宝打赏给Crifan",
      "wechatText": "微信打赏给Crifan"
    }
  },
  "author": "Crifan Li ",
  "language": "zh-hans",
  "root": "./src",
  "links": {
    "sidebar": {
      "主页": "http://www.crifan.org"
    }
  },
  "plugins": [
    "theme-comscore",
    "anchors",
    "expandable-menu",
    "-lunr",
    "-search",
    "search-plus",
    "disqus",
    "-highlight",
    "prism",
    "prism-themes",
    "github-buttons",
    "-splitter",
    "splitter-nosessionbutcookie",
    "-sharing",
    "sharing-plus",
    "tbfed-pagefooter",
    "donate",
    "sitemap-general",
    "copy-code-button",
    "blockquote-callout",
    "toolbar-button"
  ]
}
--------------------------------------------------------------------------------
/book_current.json:
--------------------------------------------------------------------------------
{
  "title": "iOS逆向开发:砸壳ipa",
  "description": "介绍iOS逆向中的砸壳脱壳出ipa方面的内容。主要包括什么是壳,为何要砸壳,常见砸壳工具,比如frida-ios-dump、dumpdecrypted、clutch等;以及举例介绍如何用frida-ios-dump砸壳YouTube、抖音等app得到ipa文件;以及砸壳出iap后的事情,包括ipa的安装;以及整理常见的问题及解决办法。",
  "pluginsConfig": {
    "github-buttons": {
      "buttons": [
        {
          "repo": "ios_re_crack_shell_ipa"
        }
      ]
    },
    "sitemap-general": {
      "prefix": "https://book.crifan.org/books/ios_re_crack_shell_ipa/website/"
    },
    "toolbar-button": {
      "url": "https://book.crifan.org/books/ios_re_crack_shell_ipa/pdf/ios_re_crack_shell_ipa.pdf"
    }
  }
}
--------------------------------------------------------------------------------
/node_modules:
--------------------------------------------------------------------------------
../../generated/honkit/node_modules
--------------------------------------------------------------------------------
/src/README.md:
--------------------------------------------------------------------------------
# iOS Reverse Engineering: Dumping Decrypted IPAs

* Latest version: `v1.1.1`
* Last updated: `20241209`

## Introduction

This book covers dumping ("cracking the shell" of) encrypted iOS apps to obtain decrypted ipa files. It explains what the "shell" is and why it has to be removed; introduces the common dumping tools such as frida-ios-dump, dumpdecrypted and clutch; walks through using frida-ios-dump to dump apps such as YouTube and Douyin into ipa files; covers what to do after the ipa has been dumped, including installing it; and collects the common problems and their solutions.

## Source + Online Reading + Downloads

The book's source, online reading addresses and downloads in several formats are listed below:

### HonKit source

* [crifan/ios_re_crack_shell_ipa: iOS逆向开发:砸壳ipa](https://github.com/crifan/ios_re_crack_shell_ipa)

#### How to build and publish an e-book from this HonKit source

See: [crifan/honkit_template: demo how to use crifan honkit template and demo](https://github.com/crifan/honkit_template)

### Read online

* [iOS逆向开发:砸壳ipa book.crifan.org](https://book.crifan.org/books/ios_re_crack_shell_ipa/website/)
* [iOS逆向开发:砸壳ipa crifan.github.io](https://crifan.github.io/ios_re_crack_shell_ipa/website/)

### Download for offline reading

* [iOS逆向开发:砸壳ipa PDF](https://book.crifan.org/books/ios_re_crack_shell_ipa/pdf/ios_re_crack_shell_ipa.pdf)
* [iOS逆向开发:砸壳ipa ePub](https://book.crifan.org/books/ios_re_crack_shell_ipa/epub/ios_re_crack_shell_ipa.epub)
* [iOS逆向开发:砸壳ipa Mobi](https://book.crifan.org/books/ios_re_crack_shell_ipa/mobi/ios_re_crack_shell_ipa.mobi)

## Copyright and Usage Notice

Unless otherwise stated, all content of this e-book tutorial is my own original work. Some parts reference material from the web, and the source is noted in each case. If you find any infringement, please contact me by e-mail at `admin 艾特 crifan.com` and I will remove it as soon as possible. Thank you for your cooperation.

All technical tutorials are for learning and research only. Do not use them for any illegal purpose; any illegal use has nothing to do with me.

## Acknowledgements

Thanks to my wife **陈雪** for her understanding and care, which lets me, `crifan`, devote more energy to technical research and to compiling these e-books and tutorials.

## Other

### Other e-books by the author

I (`crifan`) have also written `150+` other e-book tutorials; if you are interested, see:

[crifan/crifan_ebook_readme: Crifan的电子书的使用说明](https://github.com/crifan/crifan_ebook_readme)

### About the author

For more about the author, see:

[关于CrifanLi李茂 – 在路上](https://www.crifan.org/about/)

--------------------------------------------------------------------------------
/src/SUMMARY.md:
--------------------------------------------------------------------------------
# iOS Reverse Engineering: Dumping Decrypted IPAs

* [Preface](README.md)
* [Overview of IPA Dumping](crack_shell_overview/README.md)
* [Common Dumping Tools](crack_tools/README.md)
  * [frida-ios-dump](crack_tools/frida_ios_dump.md)
  * [dumpdecrypted](crack_tools/dumpdecrypted.md)
  * [Clutch](crack_tools/clutch.md)
  * [bfinject](crack_tools/bfinject.md)
* [Dumping Examples](crack_example/README.md)
  * [frida-ios-dump Examples](crack_example/frida_ios_dump/README.md)
    * [The TikTok ipa](crack_example/frida_ios_dump/tiktok.md)
    * [The Douyin ipa](crack_example/frida_ios_dump/aweme.md)
    * [The YouTube ipa](crack_example/frida_ios_dump/youtube.md)
* [After Dumping](after_ipa/README.md)
  * [Installing the ipa](after_ipa/install_ipa.md)
* [Common Dumping Problems](common_issue/README.md)
  * [timeout was reached](common_issue/timeout_reached.md)
  * [No progress: 0.00B 00:00](common_issue/no_progress_0_00b.md)
  * [DeviceNotSupportedByThinning](common_issue/devicenotsupportedbythinning.md)
  * [App crashes after launch](common_issue/crash_after_start.md)
* [Appendix](appendix/README.md)
  * [References](appendix/reference.md)

--------------------------------------------------------------------------------
/src/after_ipa/README.md:
--------------------------------------------------------------------------------
# After Dumping

Once the dump has produced an ipa file, a few things remain to be done:

* Confirm that the app is decrypted, i.e. that the dump succeeded
* Install the ipa

## Confirm that the app is decrypted

Use `otool -l` and look at the value of the `cryptid` field:

* `cryptid=1`: encrypted
* `cryptid=0`: not encrypted, i.e. decrypted

### Example

* The original App Store build of Douyin, as installed on the iPhone, binary `Aweme`: encrypted

  ```bash
  ➜ Aweme.app otool -l Aweme | grep crypt
  cryptoff 28672
  cryptsize 4096
  cryptid 1
  ```

* The `Aweme` binary inside the dumped Douyin ipa: decrypted

  ```bash
  ➜ Aweme.app pwd
  xxx/Aweme抖音/iPhone7-137black/Aweme.app
  ➜ Aweme.app otool -l Aweme | grep crypt
  cryptoff 28672
  cryptsize 4096
  cryptid 0
  ```

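The same `cryptid` check can be done without `otool`, by walking the Mach-O load commands for `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`. This is an added example, not code from the book or from any dumping tool; it handles FAT (multi-architecture) files slice by slice, and the sample binaries built by `build_thin()` / `build_fat()` are constructed here with the `cryptoff` / `cryptsize` values quoted above, not real app files.

```python
"""Read the cryptid of a Mach-O binary by parsing its load commands.
Added example; the sample inputs below are constructed, not real apps."""
import struct
import sys

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE              # fat headers are always big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def encryption_info(buf, base=0):
    """Return {cryptoff, cryptsize, cryptid} of the thin image at `base`,
    or None when the image carries no LC_ENCRYPTION_INFO(_64) command."""
    magic = struct.unpack_from("<I", buf, base)[0]
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        endian, header_size = ("<" if magic == MH_MAGIC_64 else ">"), 32
    elif magic in (MH_MAGIC, MH_CIGAM):
        endian, header_size = ("<" if magic == MH_MAGIC else ">"), 28
    else:
        raise ValueError("no Mach-O header at offset %d" % base)
    # ncmds and sizeofcmds sit at offset 16 in both header layouts
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", buf, base + 16)
    off, end = base + header_size, base + header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", buf, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants store cryptoff, cryptsize, cryptid right after cmd/cmdsize
            cryptoff, cryptsize, cryptid = struct.unpack_from(endian + "III", buf, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return None


def encryption_status(buf):
    """One record per architecture slice, each with a verdict string."""
    if struct.unpack_from(">I", buf, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", buf, 4)[0]
        # fat_arch: cputype, cpusubtype, offset, size, align (five uint32)
        bases = [struct.unpack_from(">IIIII", buf, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        bases = [0]
    results = []
    for base in bases:
        info = encryption_info(buf, base)
        if info is None:
            # otool | grep crypt prints nothing for such a slice
            verdict = "no LC_ENCRYPTION_INFO load command"
        elif info["cryptid"] == 1:
            verdict = "encrypted"
        else:
            verdict = "decrypted"
        results.append({"slice_offset": base, "verdict": verdict, **(info or {})})
    return results


def build_thin(cryptid, with_info=True):
    """Constructed minimal arm64 executable: mach_header_64 plus, optionally,
    one LC_ENCRYPTION_INFO_64 with the cryptoff/cryptsize seen in the book."""
    cmds = b""
    if with_info:
        cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 28672, 4096, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 if with_info else 0, len(cmds), 0, 0)
    return header + cmds


def build_fat(cryptids):
    """Constructed FAT wrapper holding one thin slice per requested cryptid."""
    slices = [build_thin(c) for c in cryptids]
    out = struct.pack(">II", FAT_MAGIC, len(slices))
    pos = 8 + 20 * len(slices)          # first slice starts right after the arch table
    for s in slices:
        out += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, pos, len(s), 0)
        pos += len(s)
    return out + b"".join(slices)


def check_file(path):
    with open(path, "rb") as f:
        return encryption_status(f.read())


if __name__ == "__main__":
    # usage: python macho_cryptid.py Payload/Aweme.app/Aweme (hypothetical path)
    records = check_file(sys.argv[1]) if len(sys.argv) > 1 else encryption_status(build_thin(1))
    for record in records:
        print(record)
```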
--------------------------------------------------------------------------------
/src/after_ipa/install_ipa.md:
--------------------------------------------------------------------------------
# Installing the ipa After Dumping

After the dump has produced an ipa file, later dynamic debugging (and some static analysis) usually requires that:

the ipa can be installed and runs normally.

This step also tends to run into many problems:

* Installing the ipa
  * [Solved] Installing the dumped Douyin ipa with Filza instead
  * [Solved] Removing a Douyin app previously installed from an ipa on a jailbroken iPhone
  * [Solved] Dumped Douyin ipa installed with 爱思助手 crashes immediately on launch
  * [Solved] Installing the dumped Douyin ipa onto the iPhone
  * [Solved] How to respring (restart SpringBoard) on a jailbroken iPhone
  * [Notes] Comparing the appId in the embedded.mobileprovision signing certificate of Douyin ipas installed in different ways
  * [Solved] Confirming whether the Douyin ipa's app bundle contains a re-signing certificate file embedded.mobileprovision
  * [Solved] Filza on the iPhone fails to install the Douyin 17.8.0 ipa: Failed to verify code signature The application does not have a valid signature
  * [Solved] Filza on the iPhone fails to install the Douyin 17.8.0 ipa: Application is missing the application identifier entitlement

--------------------------------------------------------------------------------
/src/appendix/README.md:
--------------------------------------------------------------------------------
# Appendix

The related reference material is listed below.

--------------------------------------------------------------------------------
/src/appendix/reference.md:
--------------------------------------------------------------------------------
# References

* [Solved] Dumping the international TikTok ipa from an iPhone
* [Solved] Dumping the iOS Douyin app
* [Solved] Dumping the iOS Douyin ipa with frida-ios-dump on a Mac
* [Solved] Dumping the Douyin 17.8.0 ipa with frida-ios-dump
* [Solved] Dumping the YouTube ipa with frida-ios-dump on a Mac
* [Solved] Finding the bundle identifier of an installed app on an iPhone
* [Solved] frida-ios-dump error: Failed to enumerate applications unable to communicate with remote frida-server
* [Solved] Installing and upgrading to the latest Frida 16.0.2 from Cydia on an iPhone
* [Solved] frida-ios-dump error: ModuleNotFoundError No module named frida
* [Solved] otool shows no crypt fields and MachOView shows no LC_ENCRYPTION_INFO_64 in an iOS binary
* [Solved] frida-ios-dump hangs with no progress while dumping Douyin: 0.00B 00:00
* [Solved] Dumped Douyin app crashes immediately on launch
* [Solved] Dumped Douyin ipa fails to install: DeviceNotSupportedByThinning
* [iOS逆向开发:iPhone越狱](http://book.crifan.org/books/ios_re_iphone_jailbreak/website)
* [安装Frida · 逆向调试利器:Frida](https://book.crifan.org/books/reverse_debug_frida/website/install_upgrade/install_frida.html)
* [frida-ps | Frida • A world-class dynamic instrumentation toolkit](https://frida.re/docs/frida-ps/)
* [[iOS]判断ipa是否脱壳_风浅月明的博客-CSDN博客_ipa脱壳](https://blog.csdn.net/wsyx768/article/details/124691420)
* [[iOS逆向]18、砸壳 - 简书 (jianshu.com)](https://www.jianshu.com/p/d2c5e5388d60)
* [十、iOS逆向之《越狱砸壳/ipa脱壳》 - 简书 (jianshu.com)](https://www.jianshu.com/p/1991854c65af)
* [iOS逆向:App脱壳/ipa破解-华盟网 (77169.net)](https://www.77169.net/html/28064.html)
* [iOS逆向攻防实战 - 掘金 (juejin.cn)](https://juejin.cn/post/7073109091320610829)
* [Models - The iPhone Wiki](https://www.theiphonewiki.com/wiki/Models)

--------------------------------------------------------------------------------
/src/assets/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/favicon.ico
--------------------------------------------------------------------------------
/src/assets/img/add_shell_before_after.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/add_shell_before_after.jpg
--------------------------------------------------------------------------------
/src/assets/img/aweme_app_running_normal.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/aweme_app_running_normal.jpg
--------------------------------------------------------------------------------
/src/assets/img/aweme_crash_log_no_func_name.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/aweme_crash_log_no_func_name.jpg
--------------------------------------------------------------------------------
/src/assets/img/aweme_ips_log.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/aweme_ips_log.png
--------------------------------------------------------------------------------
/src/assets/img/aweme_start_crash_ips_log.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/aweme_start_crash_ips_log.png
--------------------------------------------------------------------------------
/src/assets/img/cracked_aweme_ipa.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/cracked_aweme_ipa.png
--------------------------------------------------------------------------------
/src/assets/img/cracked_ipa_tiktok.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/cracked_ipa_tiktok.jpg
--------------------------------------------------------------------------------
/src/assets/img/dump_start_app_timeout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/dump_start_app_timeout.png
--------------------------------------------------------------------------------
/src/assets/img/frida_ios_dump_tiktok.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/frida_ios_dump_tiktok.jpg
--------------------------------------------------------------------------------
/src/assets/img/fridaiosdump_aweme.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/fridaiosdump_aweme.png
--------------------------------------------------------------------------------
/src/assets/img/ios_crack_shell_logic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/ios_crack_shell_logic.png
--------------------------------------------------------------------------------
/src/assets/img/ipa_install_fail_devicenotsupportedbythinning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/ipa_install_fail_devicenotsupportedbythinning.png
--------------------------------------------------------------------------------
/src/assets/img/load_success_0_00b_no_progress.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/load_success_0_00b_no_progress.png
--------------------------------------------------------------------------------
/src/assets/img/origin_uisupporteddevices_no_model.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/origin_uisupporteddevices_no_model.jpg
--------------------------------------------------------------------------------
/src/assets/img/xcode_aweme_anti_ssl_pinning.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/xcode_aweme_anti_ssl_pinning.jpg
--------------------------------------------------------------------------------
/src/assets/img/xcode_devices_simulators_view_devices_logs.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crifan/ios_re_crack_shell_ipa/6b01a90d456e125234fc0c8deac204b4ee694f88/src/assets/img/xcode_devices_simulators_view_devices_logs.jpg
--------------------------------------------------------------------------------
/src/common_issue/README.md:
--------------------------------------------------------------------------------
# Common Dumping Problems

This section collects the common problems encountered when dumping an ipa, and their solutions.

--------------------------------------------------------------------------------
/src/common_issue/crash_after_start.md:
--------------------------------------------------------------------------------
# App Crashes After Launch

* Symptom: an app dumped with frida-ios-dump crashes as soon as it is launched
* Cause
  * There are actually several possibilities
* Approach
  * Find the app's crash log; from it, identify the concrete failure and then work back to the root cause

### Finding the cause from the ips crash log

Example:

Douyin crashes immediately on launch, so go and find its crash log.

Open the corresponding Aweme crash log file:

* `Aweme-2022-01-07-102659.ips`

```log
{"app_name":"Aweme","timestamp":"2022-01-07 10:26:59.00 +0800","app_version":"18.9.0","slice_uuid":"31ed6d91-1868-36f5-89b8-c39fbf7d01e3","adam_id":0,"build_version":"189034","bundleID":"com.ss.iphone.ugc.Aweme","share_with_app_devs":0,"is_first_party":0,"bug_type":"109","os_version":"iPhone OS 13.4.1 (17E262)","incident_id":"C446C22E-347A-4340-8D68-637187E331B4","name":"Aweme"}
Incident Identifier: C446C22E-347A-4340-8D68-637187E331B4
CrashReporter Key: 17234ceb2c5be537d1971110d8a3263466bb1250
Hardware Model: iPhone9,2
Process: Aweme [8782]
Path: /private/var/containers/Bundle/Application/9AB25481-0AD3-435C-A02E-68F9623535BB/Aweme.app/Aweme
Identifier: com.ss.iphone.ugc.Aweme
Version: 189034 (18.9.0)
AppStoreTools: 13C88a
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.ss.iphone.ugc.Aweme [4724]

Date/Time: 2022-01-07 10:26:59.5847 +0800
Launch Time: 2022-01-07 10:26:58.4574 +0800
OS Version: iPhone OS 13.4.1 (17E262)
Release Type: User
Baseband Version: 7.51.01
Report Version: 104

Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Triggered by Thread: 0

Last Exception Backtrace:
(0x18d0ed5f0 0x18ce0fbcc 0x18d1430cc 0x18d142748 0x18cfc5edc 0x119d9a4dc 0x10ac42650 0x10ac418bc 0x10ac40b80 0x10ac40730 0x10ac33af8 0x10ac2036c 0x10bc2f940 0x10ac20080 0x10ac1fb48 0x10bc2e1c8 0x111713890 0x19118ea5c 0x1911907e8 0x191196084 0x19093d46c 0x190deca38 0x19093df50 0x19093d9a4 0x19093dd7c 0x19093d63c 0x190941ad8 0x190d10dd4 0x190e05e7c 0x190941834 0x190e05d78 0x19094169c 0x1907b0f2c 0x1907afacc 0x1907b0c64 0x1911942d0 0x190d36284 0x19226720c 0x19228bd84 0x1922717ec 0x19228ba40 0x18cdb3524 0x18cd5c434 0x1922b0440 0x1922b010c 0x1922b0634 0x18d06bb64 0x18d06babc 0x18d06b244 0x18d066274 0x18d065c34 0x1971af38c 0x19119822c 0x111714094 0x1049a7ca4 0x18ceed800)

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x000000018cee2d88 0x18cebd000 + 155016
1 libsystem_pthread.dylib 0x000000018cdfb1e8 0x18cdf9000 + 8680
2 libsystem_c.dylib 0x000000018cd4e644 0x18ccdc000 + 468548
3 libc++abi.dylib 0x000000018ceb6cc0 0x18cea4000 + 76992
4 libc++abi.dylib 0x000000018cea8e10 0x18cea4000 + 19984
5 libobjc.A.dylib 0x000000018ce0fe80 0x18ce0a000 + 24192
6 libc++abi.dylib 0x000000018ceb614c 0x18cea4000 + 74060
7 libc++abi.dylib 0x000000018ceb60e4 0x18cea4000 + 73956
8 libdispatch.dylib 0x000000018cdb3538 0x18cd58000 + 374072
9 libdispatch.dylib 0x000000018cd5c434 0x18cd58000 + 17460
10 FrontBoardServices 0x00000001922b0440 0x19225b000 + 349248
11 FrontBoardServices 0x00000001922b010c 0x19225b000 + 348428
12 FrontBoardServices 0x00000001922b0634 0x19225b000 + 349748
13 CoreFoundation 0x000000018d06bb64 0x18cfc3000 + 691044
14 CoreFoundation 0x000000018d06babc 0x18cfc3000 + 690876
15 CoreFoundation 0x000000018d06b244 0x18cfc3000 + 688708
16 CoreFoundation 0x000000018d066274 0x18cfc3000 + 668276
17 CoreFoundation 0x000000018d065c34 0x18cfc3000 + 666676
18 GraphicsServices 0x00000001971af38c 0x1971ac000 + 13196
19 UIKitCore 0x000000019119822c 0x19076c000 + 10666540
20 ??? 0x0000000111714094 0 + 4587602068
21 Aweme 0x00000001049a7ca4 0x1049a0000 + 31908
22 libdyld.dylib 0x000000018ceed800 0x18ceec000 + 6144


Thread 1:
0 libsystem_pthread.dylib 0x000000018ce07738 0x18cdf9000 + 59192

...
```

From it we can see:

* Binary:
  * `/private/var/containers/Bundle/Application/9AB25481-0AD3-435C-A02E-68F9623535BB/Aweme.app/Aweme`

Note: after several attempts with:

* Xcode -> Window -> Devices and Simulators -> View Device Logs

the symbolicated log finally appeared, showing library names (though still no function names).

In any case, this confirmed that the crash was caused by my own tweak.

Reinstalling the anti-jailbreak-detection tweak

solved the problem:

Douyin now launches normally.

Working backwards:

The crash here was caused by my earlier code, which hooks HTTPS SSL certificate handling, while the new test iPhone did not have the Charles certificate installed.

This had already been fixed on another test iPhone, but this iPhone did not have the new version of the tweak installed.

Reinstalling the fixed version

solved the problem.

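Crash-log triage of this kind can be scripted. The parser below is an added example, not code from the book: it splits an `.ips` report into its JSON summary line, the `Key: Value` header block and the frames of the crashed thread, verifies that every frame's address equals `base + offset`, and lists the frames that fall inside the app's own binary or in an unattributed (`???`) image, which are the ones to look at after the generic abort path at the top. `SAMPLE_IPS` is a shortened excerpt of the Aweme report quoted above.

```python
"""Triage parser for iOS .ips crash reports (added example, not from the book).
SAMPLE_IPS is a shortened excerpt of the Aweme report shown in this chapter."""
import json
import re
import sys

SAMPLE_IPS = """\
{"app_name":"Aweme","timestamp":"2022-01-07 10:26:59.00 +0800","app_version":"18.9.0","slice_uuid":"31ed6d91-1868-36f5-89b8-c39fbf7d01e3","adam_id":0,"build_version":"189034","bundleID":"com.ss.iphone.ugc.Aweme","share_with_app_devs":0,"is_first_party":0,"bug_type":"109","os_version":"iPhone OS 13.4.1 (17E262)","incident_id":"C446C22E-347A-4340-8D68-637187E331B4","name":"Aweme"}
Incident Identifier: C446C22E-347A-4340-8D68-637187E331B4
Hardware Model: iPhone9,2
Process: Aweme [8782]
Path: /private/var/containers/Bundle/Application/9AB25481-0AD3-435C-A02E-68F9623535BB/Aweme.app/Aweme
Identifier: com.ss.iphone.ugc.Aweme
Version: 189034 (18.9.0)
OS Version: iPhone OS 13.4.1 (17E262)

Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x000000018cee2d88 0x18cebd000 + 155016
1 libsystem_pthread.dylib 0x000000018cdfb1e8 0x18cdf9000 + 8680
2 libsystem_c.dylib 0x000000018cd4e644 0x18ccdc000 + 468548
3 libc++abi.dylib 0x000000018ceb6cc0 0x18cea4000 + 76992
5 libobjc.A.dylib 0x000000018ce0fe80 0x18ce0a000 + 24192
20 ??? 0x0000000111714094 0 + 4587602068
21 Aweme 0x00000001049a7ca4 0x1049a0000 + 31908
22 libdyld.dylib 0x000000018ceed800 0x18ceec000 + 6144

Thread 1:
0 libsystem_pthread.dylib 0x000000018ce07738 0x18cdf9000 + 59192
"""

# "21 Aweme 0x00000001049a7ca4 0x1049a0000 + 31908" -> index, image, addr, base, offset
# (the base of an unattributed "???" frame is printed as a bare 0)
FRAME_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+|\d+)\s+\+\s+(\d+)$")
CRASHED_RE = re.compile(r"^Thread \d+ Crashed:$")


def parse_ips(text):
    """Split a report into summary (JSON line), header dict and crashed-thread frames."""
    lines = text.splitlines()
    report = {"summary": json.loads(lines[0]), "header": {}, "crashed_frames": []}
    in_crashed = False
    for line in lines[1:]:
        if in_crashed:
            m = FRAME_RE.match(line)
            if m:
                idx, image, addr, base, off = m.groups()
                report["crashed_frames"].append({
                    "index": int(idx), "image": image,
                    "addr": int(addr, 16), "base": int(base, 16), "offset": int(off),
                })
                continue
            in_crashed = False          # a blank line ends the crashed thread's frames
        if CRASHED_RE.match(line):
            in_crashed = True
        elif ": " in line:
            key, value = line.split(": ", 1)
            report["header"][key.strip()] = value.strip()
    return report


def triage(report):
    """Pull out the facts a first look at the crash needs."""
    app = report["summary"]["app_name"]
    frames = report["crashed_frames"]
    hdr = report["header"]
    return {
        "exception": hdr.get("Exception Type"),
        "hardware": hdr.get("Hardware Model"),
        "binary_path": hdr.get("Path"),
        "os_version": report["summary"].get("os_version"),
        # frames inside the app binary: (frame index, offset from image base)
        "app_frames": [(f["index"], f["offset"]) for f in frames if f["image"] == app],
        # frames the report could not attribute to any loaded image
        "unattributed_frames": [f["index"] for f in frames if f["image"] == "???"],
        # sanity check on the report itself: addr must equal base + offset
        "offsets_consistent": all(f["addr"] - f["base"] == f["offset"] for f in frames),
    }


def main(argv):
    # usage: python ips_triage.py Aweme-2022-01-07-102659.ips (defaults to the sample)
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_IPS
    for key, value in triage(parse_ips(text)).items():
        print("%-20s %s" % (key, value))


if __name__ == "__main__":
    main(sys.argv)
```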
--------------------------------------------------------------------------------
/src/common_issue/devicenotsupportedbythinning.md:
--------------------------------------------------------------------------------
# DeviceNotSupportedByThinning

* Symptom: installing the dumped Douyin ipa onto a jailbroken iPhone fails with `DeviceNotSupportedByThinning`
* Cause:
  * This (Douyin) ipa has been app-thinned
  * That is, it is the package produced after upload to the App Store, which only supports a subset of iPhone models
  * The supported-device list does not include the current iPhone model
  * Details
    * `Aweme抖音/已脱壳/Payload/Aweme.app/Info.plist`
* Solutions:
  * Method 1: add the current model to the supported list
  * Method 2: remove the model restriction altogether
* Detailed steps

### Method 1

Unzip the `ipa` to obtain the `Payload` directory and locate:

`Payload/xxx.app/Info.plist`

here, for example:

`Aweme抖音/已脱壳/Payload/Aweme.app/Info.plist`

Edit the `UISupportedDevices` section and add your own model.

The final result here was:

```xml
<key>UISupportedDevices</key>
<array>
    <string>iPhone9,1</string>
    <string>iPhone9,2</string>
    <string>iPhone9,3</string>
    <string>iPhone9,4</string>
    <string>iPhone10,1</string>
    <string>iPhone10,2</string>
    <string>iPhone10,3</string>
    <string>iPhone10,4</string>
    <string>iPhone10,5</string>
    <string>iPhone10,6</string>
    <string>iPhone11,2</string>
    <string>iPhone11,4</string>
    <string>iPhone11,6</string>
    <string>iPhone11,8</string>
    <string>iPhone12,1</string>
    <string>iPhone12,3</string>
    <string>iPhone12,5</string>
    <string>iPhone12,8</string>
    <string>iPhone13,1</string>
    <string>iPhone13,2</string>
    <string>iPhone13,3</string>
    <string>iPhone13,4</string>
    <string>iPhone14,2</string>
    <string>iPhone14,3</string>
    <string>iPhone14,4</string>
    <string>iPhone14,5</string>
</array>
```

Note:

To find your own model identifier, see:

[Models - The iPhone Wiki](https://www.theiphonewiki.com/wiki/Models)

For example:

`iPhone7P` is `iPhone9,2` (and the US version is `iPhone9,4`)

### Method 2

* Method 2:
  * Simply remove the `UISupportedDevices` section from `Info.plist`.
  * Note: not verified to work, but it most likely does.

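Before editing anything, it is worth checking what the ipa actually declares. The script below is an added example, not code from the book: it reads `Payload/<app>.app/Info.plist` straight out of the ipa (ignoring the framework plists deeper in the bundle) and reports whether `UISupportedDevices` is present and whether a given model identifier is on it, i.e. whether a `DeviceNotSupportedByThinning` failure is to be expected. The sample ipa built by `build_sample_ipa()` is constructed in memory with a hypothetical bundle name and a shortened model list.

```python
"""Check an ipa's UISupportedDevices without unpacking it (added example)."""
import io
import plistlib
import re
import sys
import zipfile

# only the app bundle's own Info.plist, not Payload/X.app/Frameworks/Y.framework/Info.plist
APP_PLIST_RE = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")


def device_support(info, model):
    """Evaluate the UISupportedDevices rule of a parsed Info.plist dict for `model`."""
    devices = info.get("UISupportedDevices")
    if devices is None:
        # no key at all: the package is not thinned to particular models (method 2 above)
        return {"restricted": False, "supported": True, "devices": []}
    return {"restricted": True, "supported": model in devices, "devices": list(devices)}


def inspect_ipa(ipa_bytes, model):
    """Locate the app's Info.plist inside the ipa and evaluate it for `model`."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = [n for n in zf.namelist() if APP_PLIST_RE.match(n)]
        if len(names) != 1:
            raise ValueError("expected exactly one app Info.plist, found %r" % names)
        info = plistlib.loads(zf.read(names[0]))    # handles XML and binary plists
    result = device_support(info, model)
    result["bundle_id"] = info.get("CFBundleIdentifier")
    result["plist_path"] = names[0]
    return result


def build_sample_ipa(devices):
    """Constructed ipa: one app bundle (hypothetical name Sample.app) plus a
    framework Info.plist that must be ignored. devices=None omits the key."""
    info = {"CFBundleIdentifier": "com.example.sampleapp", "CFBundleVersion": "1"}
    if devices is not None:
        info["UISupportedDevices"] = devices
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/Sample.app/Frameworks/Foo.framework/Info.plist",
                    plistlib.dumps({"CFBundleIdentifier": "com.example.foo"}))
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python check_thinning.py 抖音.ipa iPhone9,2 (defaults to the constructed sample)
    if len(sys.argv) > 2:
        with open(sys.argv[1], "rb") as f:
            data, model = f.read(), sys.argv[2]
    else:
        data, model = build_sample_ipa(["iPhone9,1", "iPhone9,2", "iPhone10,1"]), "iPhone9,2"
    res = inspect_ipa(data, model)
    print(res["bundle_id"], res["plist_path"])
    if not res["restricted"]:
        print("no UISupportedDevices restriction: any model may install")
    elif res["supported"]:
        print("%s is listed: thinning will not block the install" % model)
    else:
        print("%s is NOT listed (%d models are): expect DeviceNotSupportedByThinning"
              % (model, len(res["devices"])))
```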
--------------------------------------------------------------------------------
/src/common_issue/no_progress_0_00b.md:
--------------------------------------------------------------------------------
# No progress: Load success 0.00B [00:00, ?B/s]

* Symptom: at the end of a frida-ios-dump run, `Load ... success` is printed, but the progress never moves; it stays at 0

  ```bash
  ./dump.py com.ss.iphone.ugc.Aweme
  Start the target app com.ss.iphone.ugc.Aweme
  Dumping 抖音 to /var/folders/2f/53mn2kn920dfq4ww2gdqfpxc0000gn/T
  。。。
  [frida-ios-dump]: Load byteaudio.framework success.
  0.00B [00:00, ?B/s]
  ```

* Cause: unknown.
* Solution: try again several times.
  * **Keep trying, varying the conditions each time**
  * For example:
    * Deliberately interrupt and restart
    * Launch the app before dumping, or leave it not running
    * and so on
* Concrete steps:
  * In one instance, running:
    * `./dump.py com.ss.iphone.ugc.Aweme`
  * hung in the same way after starting
    * Note: Douyin was already running at the time
  * After interrupting with Ctrl+C and immediately retrying:
    * `./dump.py com.ss.iphone.ugc.Aweme`
  * it really did continue.

--------------------------------------------------------------------------------
/src/common_issue/timeout_reached.md:
--------------------------------------------------------------------------------
# timeout was reached

## Symptom

Sometimes, running `./dump.py xxx` hangs at `Start the target app xxx` and, after a while, fails with a timeout error:

```bash
➜ frida-ios-dump git:(master) python3 ./dump.py com.xxx.yyy.zzz
/Users/crifan/dev/dev_src/_reverse_security/ios_reverse/AloneMonkey/frida-ios-dump/./dump.py:340: SyntaxWarning: invalid escape sequence '\.'
output_ipa = re.sub('\.ipa$', '', output_ipa)
Start the target app com.xxx.yyy.zzz
timeout was reached
```

## Cause

* Surface cause: the script cannot launch the app (automatically)
* Underlying cause: unknown

## Solution

Launch the app manually first (by tapping its icon on the home screen), then retry; the dump then continues and produces the ipa.

--------------------------------------------------------------------------------
/src/crack_example/README.md:
--------------------------------------------------------------------------------
# Dumping Examples

This section shows, concretely, how to use a dumping tool to produce an ipa file.

--------------------------------------------------------------------------------
/src/crack_example/frida_ios_dump/README.md:
--------------------------------------------------------------------------------
# frida-ios-dump Examples

This section shows how to use `frida-ios-dump` to dump an iOS app into an ipa file.

--------------------------------------------------------------------------------
/src/crack_example/frida_ios_dump/aweme.md:
--------------------------------------------------------------------------------
1 | # 抖音的ipa
2 |
3 | 此处介绍,具体如何用`frida-ios-dump`去砸壳`抖音`的ipa文件:
4 |
5 | * 概述
6 | ```bash
7 | ./dump.py com.ss.iphone.ugc.Aweme
8 | ```
9 |
10 | ## 详解
11 |
12 | 砸壳的具体过程和详细输出:
13 |
14 | ```bash
15 | ➜ frida-ios-dump git:(master) ./dump.py com.ss.iphone.ugc.Aweme
16 | Start the target app com.ss.iphone.ugc.Aweme
17 | Dumping 抖音 to /var/folders/2f/53mn2kn920dfq4ww2gdqfpxc0000gn/T
18 | [frida-ios-dump]: Load VolcEngineRTC.framework success.
19 | [frida-ios-dump]: Load byteaudio.framework success.
20 | [frida-ios-dump]: Load AwemeCore.framework success.
21 | [frida-ios-dump]: Load BDLRepairer.framework success.
22 | start dump /private/var/containers/Bundle/Application/B625C6BC-D6B2-429F-B621-10A5EF7EB8F6/Aweme.app/Aweme
23 | Aweme.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 71.7k/71.7k [00:00<00:00, 724kB/s]
24 | start dump /private/var/containers/Bundle/Application/B625C6BC-D6B2-429F-B621-10A5EF7EB8F6/Aweme.app/Frameworks/AwemeCore.framework/AwemeCore
25 | AwemeCore.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 230M/230M [00:07<00:00, 33.8MB/s]
26 | start dump /private/var/containers/Bundle/Application/B625C6BC-D6B2-429F-B621-10A5EF7EB8F6/Aweme.app/Frameworks/BDLRepairer.framework/BDLRepairer
27 | BDLRepairer.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 68.2k/68.2k [00:00<00:00, 1.76MB/s]
28 | start dump /private/var/containers/Bundle/Application/B625C6BC-D6B2-429F-B621-10A5EF7EB8F6/Aweme.app/Frameworks/VolcEngineRTC.framework/VolcEngineRTC
29 | VolcEngineRTC.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 10.6M/10.6M [00:00<00:00, 25.0MB/s]
30 | start dump /private/var/containers/Bundle/Application/B625C6BC-D6B2-429F-B621-10A5EF7EB8F6/Aweme.app/Frameworks/byteaudio.framework/byteaudio
31 | byteaudio.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2.14M/2.14M [00:00<00:00, 23.2MB/s]
32 | Assets.car: 286MB [00:16, 18.6MB/s]
33 | 0.00B [00:00, ?B/s]Generating "抖音.ipa"
34 | ```
35 |
36 | 
37 |
38 | The decrypted ipa file produced: `抖音.ipa`
39 |
40 | 
41 |
--------------------------------------------------------------------------------
/src/crack_example/frida_ios_dump/tiktok.md:
--------------------------------------------------------------------------------
1 | # The TikTok ipa
2 |
3 | Dumping the decrypted ipa of TikTok:
4 |
5 | * Overview
6 | ```bash
7 | ./dump.py com.zhiliaoapp.musically
8 | ```
9 |
10 | * Details:
11 |
12 | ## Prerequisites
13 |
14 | * Prerequisite: `TikTok` is already installed on the jailbroken iPhone
15 |   * Note: `TikTok` can only be searched for and downloaded in the `AppStore` after signing in with an `AppleID` from outside mainland China, e.g. a US-region one
16 |
17 | ## Steps to dump the ipa
18 |
19 | (1) First confirm the app's bundle ID
20 |
21 | ```bash
22 | ideviceinstaller -l -o list_user
23 | ```
24 |
25 | The output contains:
26 |
27 | * `com.zhiliaoapp.musically, "268010", "TikTok"`
28 |
29 | So the bundle ID of `TikTok` is: `com.zhiliaoapp.musically`
30 |
31 | (2) Make sure frida (and the related libraries) are installed in the Mac's current Python
32 |
33 | If they are not installed, install them:
34 |
35 | ```bash
36 | pip install frida paramiko scp tqdm
37 | ```
38 |
39 | (3) Open another terminal and start the port forwarding
40 |
41 | Open a new terminal window (or tab) and run the port forwarding:
42 |
43 | ```bash
44 | iproxy 2222 22
45 | ```
46 |
47 | (4) Make sure the frida versions match: the frida version on the Mac and on the iPhone must be the same
48 |
49 | Notes:
50 |
51 | * How to check the frida version
52 |   * iPhone
53 |     ```bash
54 |     frida-server --version
55 |     ```
56 |   * Mac
57 |     ```bash
58 |     pip show frida
59 |     ```
60 | * If the frida versions do not match
61 |   * a later step fails with: `Failed to enumerate applications unable to communicate with remote frida-server`
62 |     * `Failed to enumerate applications: unable to communicate with remote frida-server; please ensure that major versions match and that the remote Frida has the feature you are trying to use`
63 |   * they must be made consistent
64 |   * Example:
65 |     * The frida versions here:
66 |       * Mac: `16.0.2`
67 |       * iPhone: `15.1.27`
68 |     * How to fix
69 |       * Upgrade frida in `Cydia` on the iPhone to the latest version `16.0.2`
70 |
71 | (5) Make sure the app to be dumped has been quit and is not running
72 |
73 | Optional? The app to be dumped on the iPhone should have been quit, not already launched and actually running
74 |
75 | (6) Actually start dumping
76 |
77 | * Overview
78 |   ```bash
79 |   ./dump.py com.zhiliaoapp.musically
80 |   ```
81 | * Details
82 |
83 | ```bash
84 | crifan@licrifandeMacBook-Pro ~/dev/dev_src/ios_reverse/AloneMonkey/frida-ios-dump master ./dump.py com.zhiliaoapp.musically
85 | Start the target app com.zhiliaoapp.musically
86 | Dumping TikTok to /var/folders/yy/46k2nmtx7nv344lm9zb6q66c0000gn/T
87 | [frida-ios-dump]: Load libvcn.framework success.
88 | [frida-ios-dump]: Load crypto.framework success.
89 | [frida-ios-dump]: Load VolcEngineRTC.framework success.
90 | [frida-ios-dump]: Load byteaudio.framework success.
91 | [frida-ios-dump]: Load TikTokMSearchFramework.framework success.
92 | [frida-ios-dump]: Load MuseDiscoverFramework.framework success.
93 | [frida-ios-dump]: Load AAWELaunchTracker.framework success.
94 | [frida-ios-dump]: Load RTCFFmpeg.framework success.
95 | [frida-ios-dump]: Load TTFFmpeg.framework success.
96 | [frida-ios-dump]: Load AAWEBootChecker.framework success.
97 | [frida-ios-dump]: Load ffmpeg_dashdec.framework success.
98 | [frida-ios-dump]: Load BDLRepairer.framework success.
99 | [frida-ios-dump]: Load SCSDKCreativeKit.framework success.
100 | [frida-ios-dump]: Load boringssl.framework success.
101 | [frida-ios-dump]: MusicallyCore.framework has been loaded.
102 | [frida-ios-dump]: Load SCSDKCoreKit.framework success.
103 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/TikTok
104 | TikTok.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████| 74.5k/74.5k [00:00<00:00, 577kB/s]
105 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/MusicallyCore.framework/MusicallyCore
106 | MusicallyCore.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████| 185M/185M [00:07<00:00, 24.9MB/s]
107 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/BDLRepairer.framework/BDLRepairer
108 | BDLRepairer.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████| 67.9k/67.9k [00:00<00:00, 542kB/s]
109 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/AAWEBootChecker.framework/AAWEBootChecker
110 | AAWEBootChecker.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████| 72.6k/72.6k [00:00<00:00, 1.22MB/s]
111 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/AAWELaunchTracker.framework/AAWELaunchTracker
112 | AAWELaunchTracker.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████| 71.1k/71.1k [00:00<00:00, 1.46MB/s]
113 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/RTCFFmpeg.framework/RTCFFmpeg
114 | RTCFFmpeg.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████| 617k/617k [00:00<00:00, 6.91MB/s]
115 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/SCSDKCoreKit.framework/SCSDKCoreKit
116 | SCSDKCoreKit.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████| 351k/351k [00:00<00:00, 6.16MB/s]
117 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/SCSDKCreativeKit.framework/SCSDKCreativeKit
118 | SCSDKCreativeKit.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████| 129k/129k [00:00<00:00, 2.44MB/s]
119 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/TTFFmpeg.framework/TTFFmpeg
120 | TTFFmpeg.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████| 3.09M/3.09M [00:00<00:00, 23.4MB/s]
121 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/VolcEngineRTC.framework/VolcEngineRTC
122 | VolcEngineRTC.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████| 8.14M/8.14M [00:00<00:00, 28.6MB/s]
123 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/boringssl.framework/boringssl
124 | boringssl.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████| 632k/632k [00:00<00:00, 10.3MB/s]
125 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/byteaudio.framework/byteaudio
126 | byteaudio.fid: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.60M/1.60M [00:00<00:00, 11.4MB/s]
127 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/crypto.framework/crypto
128 | crypto.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1.44M/1.44M [00:00<00:00, 15.6MB/s]
129 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/ffmpeg_dashdec.framework/ffmpeg_dashdec
130 | ffmpeg_dashdec.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████| 101k/101k [00:00<00:00, 1.90MB/s]
131 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/libvcn.framework/libvcn
132 | libvcn.fid: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 192k/192k [00:00<00:00, 2.94MB/s]
133 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/TikTokMSearchFramework.framework/TikTokMSearchFramework
134 | TikTokMSearchFramework.fid: 100%|██████████████████████████████████████████████████████████████████████████████████████████████| 3.68M/3.68M [00:00<00:00, 18.1MB/s]
135 | start dump /private/var/containers/Bundle/Application/51BA1962-1A1E-40D8-AB83-E5BEACEF772C/TikTok.app/Frameworks/MuseDiscoverFramework.framework/MuseDiscoverFramework
136 | MuseDiscoverFramework.fid: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████| 351k/351k [00:00<00:00, 4.65MB/s]
137 | icon_home_dislike_new.json: 281MB [00:23, 12.7MB/s]
138 | 0.00B [00:00, ?B/s]Generating "TikTok.ipa"
139 | ```
140 |
141 | 
142 |
143 | On success, the log shows: `Generating "TikTok.ipa"`
144 |
145 | The decrypted ipa file can then be found in the current directory: `TikTok.ipa`
146 |
147 | 
148 |
--------------------------------------------------------------------------------
/src/crack_example/frida_ios_dump/youtube.md:
--------------------------------------------------------------------------------
1 | # The YouTube ipa
2 |
3 | This section shows exactly how to use `frida-ios-dump` to dump the decrypted ipa of `YouTube`:
4 |
5 | * Overview
6 | ```bash
7 | ./dump.py com.google.ios.youtube
8 | ```
9 |
10 | ## Details
11 |
12 | First look up the YouTube bundle ID:
13 |
14 | ```bash
15 | ➜ frida-ios-dump git:(master) ideviceinstaller -l -o list_user
16 | CFBundleIdentifier, CFBundleVersion, CFBundleDisplayName
17 | rn.notes.best, "11122019", "爱思极速版"
18 | com.suiyi.foodshop1, "4911", "食行生鲜"
19 | com.cisco.anyconnect, "4.6.03052", "AnyConnect"
20 | com.baidu.BaiduMobile, "10.5.5.10", "百度"
21 | com.ishuyin.iShuYin, "1.22", "爱书音"
22 | com.evernote.iPhone.Evernote, "358974", "印象笔记"
23 | com.alipay.iphoneclient, "10.1.2.091512", "支付宝"
24 | ctrip.com, "8.3.0", "携程旅行"
25 | com.Qting.QTTour, "8.0.1.4", "蜻蜓FM"
26 | com.360buy.jdmobile, "7.3.6", "京东"
27 | com.taobao.tmall, "10948419", "手机天猫"
28 | com.netease.cloudmusic, "876", "网易云音乐"
29 | com.tencent.mqq, "7.2.9.404", "QQ"
30 | com.crifan.ShowSysInfo, "1", "ShowSysInfo"
31 | com.tencent.xin, "8.0.16.35", "微信"
32 | com.google.ios.youtube, "17.08.2", "YouTube"
33 | developer.apple.wwdc-Release, "801.5.2", "Developer"
34 | com.ss.iphone.ugc.Aweme, "179011", "抖音"
35 | com.3WRHBBSBW4.com.rileytestut.AltStore, "1", "AltStore"
36 | ```
37 |
38 | It contains the `YouTube` entry we are looking for:
39 |
40 | * com.google.ios.youtube, "17.08.2", "YouTube"
41 |   * Bundle ID: `com.google.ios.youtube`
42 |   * Version: `17.08.2`
43 |   * Name: `YouTube`
44 |
45 | The dumping process and its output log:
46 |
47 | ```bash
48 | ➜ frida-ios-dump git:(master) pwd
49 | /Users/crifan/dev/DevSrc/iOS/AloneMonkey/frida-ios-dump
50 |
51 | ➜ frida-ios-dump git:(master) ./dump.py com.google.ios.youtube
52 | Start the target app com.google.ios.youtube
53 | Dumping YouTube to /var/folders/2f/53mn2kn920dfq4ww2gdqfpxc0000gn/T
54 | [frida-ios-dump]: Load widevine_cdm_secured_ios.framework success.
55 | [frida-ios-dump]: Module_Framework.framework has been loaded.
56 | start dump /private/var/containers/Bundle/Application/ECB295AB-1355-46D1-8580-273B2CE98802/YouTube.app/YouTube
57 | YouTube.fid: 100%|██████████████████| 16.3M/16.3M [00:00<00:00, 17.7MB/s]
58 | start dump /private/var/containers/Bundle/Application/ECB295AB-1355-46D1-8580-273B2CE98802/YouTube.app/Frameworks/widevine_cdm_secured_ios.framework/widevine_cdm_secured_ios
59 | widevine_cdm_secured_ios.fid: 100%|█| 3.44M/3.44M [00:00<00:00, 24.2MB/s]
60 | start dump /private/var/containers/Bundle/Application/ECB295AB-1355-46D1-8580-273B2CE98802/YouTube.app/Frameworks/Module_Framework.framework/Module_Framework
61 | Module_Framework.fid: 100%|███████████| 114M/114M [00:03<00:00, 36.6MB/s]
62 | Localizable.strings: 190MB [00:44, 4.45MB/s]
63 | 0.00B [00:00, ?B/s]
64 | Generating "YouTube.ipa"
65 | ```
66 |
--------------------------------------------------------------------------------
/src/crack_shell_overview/README.md:
--------------------------------------------------------------------------------
1 | # Overview of dumping (砸壳) an ipa
2 |
3 | ## What is a shell (壳)?
4 |
5 | In the security and reverse-engineering field, `壳` (shell) generally means an extra layer of protection wrapped around the original program by technical means.
6 |
7 | ### What is the shell of an iOS app?
8 |
9 | iOS apps are normally distributed through the `App Store`.
10 |
11 | Every app downloaded from the `App Store` is an `ipa` package that Apple has encrypted.
12 |
13 | Apple encrypts the app for security (using a symmetric encryption tied to the Apple ID); this process is commonly called `加壳` (packing), as if a shell had been added around the app.
14 |
15 | 
16 |
17 | An encrypted `ipa` package cannot go through the rest of the reverse-engineering workflow.
18 |
19 | * The typical later reverse-engineering steps are
20 |   * decompiling with `IDA`/`Hopper` etc.
21 |   * exporting header files with `class-dump` etc.
22 |     * Note
23 |       * if `class-dump` is run directly on an undumped `App Store` binary
24 |         * it exports only the empty header `CDStructures.h`, not the class headers you want
25 |   * dynamic debugging of the dumped ipa with `MonkeyDev`
26 |   * and so on
27 |
28 | ## What is iOS 砸壳 (shell-breaking) and how is it done?
29 |
30 | Before an iOS app can be cracked and analyzed, this shell has to be `broken`: `砸壳` = `脱壳` (unpacking).
31 |
32 | * There are two approaches to dumping
33 |   * Static: decrypting the software with a known decryption method; this is hard, because the software's encryption algorithm must be known before it can be decrypted
34 |     * No such tool exists at present
35 |   * Dynamic
36 |     * Almost all current tools use this approach
37 |
38 | How does (dynamic) dumping work? You first need to understand how the app runs: when an app runs, its original code is decrypted directly in memory.
39 |
40 | 
41 |
42 | On a jailbroken device the decrypted program can be extracted by `dump`ing it from memory; this decryption step, which strips the shell from the app, is also called `砸壳` = `破壳`.
43 |
44 | * Additional notes
45 |   * After decryption the `Mach-O` header information still has to be restored by hand before the binary can run
46 |   * Because recent semi-untethered (非完美) jailbreaks do not remove signature verification
47 |     * running it directly ends in `killed 9`
48 |   * it must be re-signed manually before it can be used
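The ipa produced at the end of the TikTok, Douyin and YouTube examples and the `Mach-O` header note above both come down to one field: the `cryptid` in the binary's `LC_ENCRYPTION_INFO(_64)` load command, which is non-zero while the segment is still encrypted and 0 once the decrypted bytes have been written back. The checker below is an added example (not code from this book or from frida-ios-dump) that reads that load command so a dumped main executable can be verified before it goes to `class-dump`; the `build_sample` header it runs against is a constructed stand-in, not a real app binary, and its arm64 cputype and crypt offsets are assumed values.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, little-endian
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)            # fat/universal wrapper
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def encryption_info(image: bytes):
    """Walk the load commands of a thin Mach-O image and return
    (cryptoff, cryptsize, cryptid) from LC_ENCRYPTION_INFO(_64),
    or None when the image carries no such command at all."""
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: pass a single architecture slice")
    if magic == MH_MAGIC_64:
        off = 32                      # sizeof(struct mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                      # sizeof(struct mach_header)
    else:
        raise ValueError("not a little-endian Mach-O image: magic=0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end = off + sizeofcmds
    if end > len(image):
        raise ValueError("truncated load command table")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20 or off + 20 > end:
                raise ValueError("malformed LC_ENCRYPTION_INFO")
            return struct.unpack_from("<III", image, off + 8)
        off += cmdsize
    return None


def is_still_encrypted(image: bytes) -> bool:
    """True when cryptid != 0: the dump did not decrypt this image, or the
    header was not patched back (a properly dumped binary reports 0)."""
    info = encryption_info(image)
    return info is not None and info[2] != 0


def build_sample(cryptid: int) -> bytes:
    """Constructed arm64 MH_EXECUTE header with an LC_UUID and an
    LC_ENCRYPTION_INFO_64 command; a stand-in, not a real app binary."""
    cmds = struct.pack("<II", 0x1B, 24) + bytes(16)                 # LC_UUID
    cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                        0x4000, 0x100000, cryptid, 0)               # assumed offsets
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2,       # arm64, MH_EXECUTE
                         2, len(cmds), 0, 0)                         # 2 load commands
    return header + cmds


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:            # e.g. Payload/TikTok.app/TikTok
        info = encryption_info(f.read())
    print("no LC_ENCRYPTION_INFO" if info is None else
          "cryptoff=0x%x cryptsize=0x%x cryptid=%d" % info)
```

Unzip the dumped ipa and run the script on the main executable under `Payload/*.app/`; a binary that still reports cryptid=1 was not actually decrypted.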
49 |
50 | ## Prerequisites for dumping
51 |
52 | * Make sure the iOS device (iPhone etc.) is jailbroken
53 |   * See:
54 |     * [iOS reverse engineering: jailbreaking the iPhone](http://book.crifan.org/books/ios_re_iphone_jailbreak/website)
55 |
--------------------------------------------------------------------------------
/src/crack_tools/README.md:
--------------------------------------------------------------------------------
1 | # Dumping tools
2 |
3 | Commonly used tools for dumping iOS apps:
4 |
5 | * `frida-ios-dump`: the newest, easiest to use and most commonly used
6 | * Other, earlier tools
7 |   * `dumpdecrypted`
8 |     * usually used together with `Cycript`?
9 |   * `clutch`
10 |   * `bfinject`
11 |
--------------------------------------------------------------------------------
/src/crack_tools/bfinject.md:
--------------------------------------------------------------------------------
1 | # bfinject
2 |
--------------------------------------------------------------------------------
/src/crack_tools/clutch.md:
--------------------------------------------------------------------------------
1 | # Clutch
2 |
3 | * `Clutch`
4 |   * What it is
5 |     * Fast iOS executable dumper
6 |     * a high-speed iOS decryption tool
7 |   * Function: unpacking = dumping
8 |     * for (jailbroken) iOS devices, (decrypts and) exports header files
9 |   * Supported platforms
10 |     * all iOS devices: iPhone/iPod Touch/iPad
11 |   * References
12 |     * GitHub
13 |       * KJCracks/Clutch: Fast iOS executable dumper
14 |         * https://github.com/KJCracks/Clutch
15 |     * Wiki
16 |       * Home · KJCracks/Clutch Wiki
17 |         * https://github.com/KJCracks/Clutch/wiki
18 |       * Tutorial · KJCracks/Clutch Wiki
19 |         * https://github.com/KJCracks/Clutch/wiki/Tutorial
20 |       * FAQ · KJCracks/Clutch Wiki
21 |         * https://github.com/KJCracks/Clutch/wiki/FAQ
22 |
23 | ## help syntax
24 |
25 | ```bash
26 | Clutch [OPTIONS]
27 | -b --binary-dump       Only dump binary files from specified bundleID
28 | -d --dump              Dump specified bundleID into .ipa file
29 | -i --print-installed   Print installed application
30 |    --clean             Clean /var/tmp/clutch directory
31 |    --version           Display version and exit
32 | -? --help              Display this help and exit
33 | ```
34 |
--------------------------------------------------------------------------------
/src/crack_tools/dumpdecrypted.md:
--------------------------------------------------------------------------------
1 | # dumpdecrypted
2 |
3 | * dumpdecrypted
4 |   * One-line description: iOS dumping tool
5 |     * Dumps decrypted iPhone Applications to a file
6 |   * References
7 |     * GitHub
8 |       * stefanesser/dumpdecrypted: Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
9 |         * https://github.com/stefanesser/dumpdecrypted
10 |
--------------------------------------------------------------------------------
/src/crack_tools/frida_ios_dump.md:
--------------------------------------------------------------------------------
1 | # frida-ios-dump
2 |
3 | * frida-ios-dump
4 |   * One-line description: Pull a decrypted IPA from a jailbroken device
5 |   * Github
6 |     * AloneMonkey/frida-ios-dump: pull decrypted ipa from jailbreak device
7 |       * https://github.com/AloneMonkey/frida-ios-dump
8 |
9 | ## Download
10 |
11 | * Download command
12 |   ```bash
13 |   git clone https://github.com/AloneMonkey/frida-ios-dump.git
14 |   ```
15 | * Description of the downloaded files
16 |   * `dump.py`: the core file, the Python script that does the dumping
17 |   * `requirements.txt`: the list of Python dependency packages
18 |     * needed later to install the dependent libraries
19 |
20 | ## Environment setup
21 |
22 | * First install Frida
23 |   * Overview
24 |     * Computer side (Win/Mac etc.)
25 |       ```bash
26 |       pip install frida
27 |       ```
28 |     * Mobile side (iOS/Android etc.)
29 |       * iPhone
30 |         * `Cydia` -> add the source https://build.frida.re -> install the package: `Frida`
31 |   * Details
32 |     * [Installing Frida · Frida, the reverse-debugging tool](https://book.crifan.org/books/reverse_debug_frida/website/install_upgrade/install_frida.html)
33 | * Then install the other required libraries
34 |   * Install directly from the project's dependency file `requirements.txt`
35 |     ```bash
36 |     sudo pip install -r requirements.txt
37 |     ```
38 |   * Or, if you already know which libraries are needed, install them by hand
39 |     ```bash
40 |     pip install paramiko scp tqdm
41 |     ```
42 | * USB port forwarding
43 |   * Purpose: so that accessing the corresponding local port maps straight to the actual iOS device
44 |   * Steps
45 |     * Overview
46 |       ```bash
47 |       iproxy 2222 22
48 |       ```
49 |     * Details
50 |       * [frida-ios-dump example: dumping the TikTok ipa](../crack_example/frida_ios_dump/tiktok.md)
51 |
52 | ## Usage = dumping
53 |
54 | * Overview
55 |   * Look up the app's bundle ID or app name
56 |     * Method 1: `frida-ps`
57 |       ```bash
58 |       frida-ps -Uai
59 |       ```
60 |     * Method 2: `ideviceinstaller`
61 |       ```bash
62 |       ideviceinstaller -l -o list_user
63 |       ```
64 |   * Start dumping
65 |     * Preparation
66 |       * It is best to launch the app manually first
67 |         * Sometimes it works without launching the app manually, but sometimes it does not
68 |     * Command
69 |       ```bash
70 |       ./dump.py iOSAppPackageOriOSAppName
71 |       ```
72 |     * Example
73 |       ```bash
74 |       ./dump.py com.zhiliaoapp.musically
75 |
76 |       ./dump.py com.ss.iphone.ugc.Aweme
77 |
78 |       ./dump.py com.google.ios.youtube
79 |       ./dump.py YouTube
80 |       ```
81 | * Details
82 |   * See the later chapter: [frida-ios-dump examples](../crack_example/frida_ios_dump/README.md)
83 |
--------------------------------------------------------------------------------