# iOSRENote

---

# Reveal Loader

Reveal home page: http://revealapp.com

Reveal is a UI debugging tool. [Here](http://blog.devzeng.com/blog/ios-reveal-integrating.html) is a tutorial on integrating Reveal into your own iOS project, so we will not cover that; instead, let's look at how to use Reveal to inspect any app.

What you need:

- A jailbroken device
- Cydia
- iFile
- SSH

Install [**Reveal Loader**](https://github.com/heardrwt/RevealLoader) from Cydia, then respring or reboot the iOS device. In the system Settings, open **Reveal** -> **Enabled Applications** and enable the app you want to inspect with Reveal.

![Image from the reference article](http://bbs.iosre.com/uploads/default/359/db1478db9712f0c5.PNG)

It is best to enable only the app you are currently inspecting and disable the others; Reveal then loads a little faster.

![Image from the reference article](http://ww3.sinaimg.cn/large/6a011e49gw1eyk3r7s8rvj21520rgwma.jpg)

## References

- http://c.blog.sina.com.cn/profile.php?blogid=cb8a22ea89000gtw
  This one is a bit outdated; when I edited libReveal.plist I often got stuck on the white Apple logo 😔. You can force the device into [safe mode](https://www.google.com.hk/#newwindow=1&safe=strict&q=iphone+安全模式), fix the file there, and then reboot.
- http://hilen.github.io/2015/12/01/Reveal-Loader/

---

# Theos

Git repository: by [Github@DHowett](https://github.com/DHowett?tab=repositories)

Updated templates:

ldid:

dpkg-deb:

## Installation

- Download **theos** and install it to `/opt/theos`
- Set the environment variable: `cd ~` -> `export THEOS=/opt/theos`
- Download **ldid** into `/opt/theos/bin` and change its permissions: `sudo chmod 777 /opt/theos/bin/ldid`
- Download **dm.pl**, rename it to **dpkg-deb**, put it in `/opt/theos/bin` and change its permissions: `sudo chmod 777 /opt/theos/bin/dpkg-deb`
- Download the updated **template jar** and copy it to `/opt/theos/templates/iphone/`; watch out for duplicates

## Creating a project

Run `$THEOS/bin/nic.pl` in the terminal:

```text
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/activator_event
[2.] iphone/application_modern
[3.] iphone/cydget
[4.] iphone/flipswitch_switch
[5.] iphone/framework
[6.] iphone/ios7_notification_center_widget
[7.] iphone/library
[8.] iphone/notification_center_widget
[9.] iphone/preference_bundle_modern
[10.] iphone/sbsettingstoggle
[11.] iphone/tool
[12.] iphone/tweak
[13.] iphone/xpc_service
Choose a Template (required):
```

## References

- http://security.ios-wiki.com/issue-3-7/

---

# Class-dump

GitHub: https://github.com/nygard/class-dump

Home page: http://stevenygard.com/projects/class-dump

Download and open the [installer image](http://stevenygard.com/download/class-dump-3.5.dmg) (the version may change at any time), then put the `class-dump` executable in `/usr/bin` or `/usr/local/bin`.

```text
class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>

  where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64)
        -C <regex>     only display classes matching the regular expression
        -f <str>       find string in method name
        -H             generate header files in the current directory, or in the directory given with -o
        -I             sort classes, categories and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the architectures in the file, then exit
        --sdk-ios      specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
        --sdk-mac      specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
        --sdk-root     specify the full SDK root path (or use --sdk-ios / --sdk-mac as a shortcut)
```

- If the dump produces only a `CDStructures.h` file, something went wrong.
- If the dumped file is named `XXEncryptedXXX`, the binary is still encrypted and must first be decrypted with AppCrackr, Clutch, dumpdecrypted or a similar tool. [How to use dumpdecrypted](Dumpdecrypted.md)

## Examples

class-dump AppKit:

```sh
class-dump /System/Library/Frameworks/AppKit.framework
```

class-dump UIKit:

```sh
class-dump /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/Library/Frameworks/UIKit.framework
```

class-dump UIKit and all the frameworks it uses:

```sh
class-dump /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/Library/Frameworks/UIKit.framework -r --sdk-ios 4.3
```

class-dump UIKit (and all the frameworks it uses) from developer tools that have been installed in /Dev42 instead of /Developer:

```sh
class-dump /Dev42/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/System/Library/Frameworks/UIKit.framework -r --sdk-root /Dev42/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk
```

After decrypting an app with dumpdecrypted:

```sh
class-dump --arch armv7 app.decrypted -H -o ./heads/
```

## class-dump-z

Home page: https://code.google.com/p/networkpx/wiki/class_dump_z

Usage wiki: https://code.google.com/archive/p/networkpx/wikis/class_dump_z.wiki

Put the `class-dump-z` executable in `/usr/bin` or `/usr/local/bin`.

## References

- http://itony.me/200.html

---

# Dumpdecrypted

## Paths

Use iFile, Filza or a similar tool to locate the app:

iOS 7: `/var/mobile/Application/`

iOS 8: `/var/mobile/Containers/Bundle/Application/`

Sandbox path: `/var/mobile/Containers/Data/Application/xxx`

## Building

Source: https://github.com/stefanesser/dumpdecrypted/archive/master.zip

Running `make` produces the `dumpdecrypted.dylib` file.

> **PS:** a few prebuilt dylibs can be downloaded here:
>
> https://github.com/iosre/Ready2Rock/blob/master/dumpdecrypted_5.dylib
> https://github.com/iosre/Ready2Rock/blob/master/dumpdecrypted_6.dylib
> https://github.com/iosre/Ready2Rock/blob/master/dumpdecrypted_7.dylib

## Decrypting

Put the compiled `dumpdecrypted.dylib` into the Documents folder of the app you want to decrypt.

Run the following to decrypt it:

```sh
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/AppPath/Name.app/Name
```

Log of one successful run:

```text
Last login: Sat Jul 16 21:36:39 on ttys000
localhost:~ lihao$ sudo ssh root@192.168.1.13
ssh: connect to host 192.168.1.13 port 22: Operation timed out
localhost:~ lihao$ sudo ssh root@192.168.1.13
root@192.168.1.13's password:
iPhone:~ root# cd /var/mobile
iPhone:/var/mobile root# cd Containers/Data/Application/
iPhone:/var/mobile/Containers/Data/Application/4ED085B4-FF7F-4B90-98F9-F17E241E1534 root# cd Documents/

iPhone:/var/mobile/Containers/Data/Application/4ED085B4-FF7F-4B90-98F9-F17E241E1534/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/1BD15C2B-3661-4104-B8D4-3DE455EB4FB1/NewsBoard.app/NewsBoard

mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0xc6a90(from 0xc6000) = a90
[+] Found encrypted data at address 00004000 of length 12861440 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/1BD15C2B-3661-4104-B8D4-3DE455EB4FB1/NewsBoard.app/NewsBoard for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening NewsBoard.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a90
[+] Closing original file
[+] Closing dump file
iPhone:/var/mobile/Containers/Data/Application/4ED085B4-FF7F-4B90-98F9-F17E241E1534/Documents root#
```

On success a `Name.decrypted` file is produced.

## Analysis

Once decryption has finished, copy the generated `*.decrypted` file to your Mac.

Analyze it with class-dump:

```sh
class-dump --arch armv7 /Users/lihao/Desktop/Name.decrypted -H -o path/
```

## Notes

- Some apps downloaded from Cydia or other third-party sources do not need decrypting; dumpdecrypted will then print:
  `This mach-o file is not encrypted. Nothing was decrypted.`
- If class-dump still exports only `CDStructures.h` after decryption, the wrong architecture was probably selected: dumpdecrypted can only decrypt the slice that matches the processor of the phone it runs on.

## References

- http://bbs.iosre.com/t/dumpdecrypted-app/22/65
- http://bbs.iosre.com/t/dumpdecrypted-app/160
- http://bbs.iosre.com/t/class-dump-error-cannot-find-offset-for-address-xxxx-in-dataoffsetforaddress/1911
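Both failure modes described in these notes (the class-dump section's `XXEncryptedXXX` output for a still-encrypted binary, and the note above about dumpdecrypted decrypting only the slice that matches the device) can be checked before running class-dump by reading the `cryptid` field of the `LC_ENCRYPTION_INFO` load command in every architecture slice, which is the same field the log above shows dumpdecrypted setting to 0. The script below is an added example, not part of the original notes or of the dumpdecrypted or class-dump projects; it parses the Mach-O and FAT headers directly. Because no real app binary can be bundled here, it builds a constructed sample (a 32-bit ARM slice with `cryptid=1` next to an arm64 slice with `cryptid=0`); the script name `macho_cryptid.py` and the helper names are assumptions.

```python
"""Report the LC_ENCRYPTION_INFO cryptid of every slice in a Mach-O or FAT binary.

Added example, not from the original notes or from dumpdecrypted. cryptid == 1 means the
__TEXT segment is still encrypted; 0 means plain text (what dumpdecrypted writes back).
Usage: python3 macho_cryptid.py Name.decrypted   (without an argument it checks SAMPLE_FAT)
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # Mach-O magics (little-endian on ARM)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE      # byte-swapped forms
FAT_MAGIC = 0xCAFEBABE                              # FAT header fields are always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_slice(data, base=0):
    """Parse one thin Mach-O image starting at `base`; return a dict with its cryptid."""
    magic_le = struct.unpack_from("<I", data, base)[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic_le in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("no Mach-O header at offset 0x%x" % base)
    magic, cputype, _, _, ncmds, _, _ = struct.unpack_from(endian + "7I", data, base)
    is64 = magic == MH_MAGIC_64
    off = base + (32 if is64 else 28)                # mach_header_64 carries one extra reserved field
    info = {"offset": base, "cputype": cputype, "is64": is64,
            "cryptid": None, "cryptoff": None, "cryptsize": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid (+ pad in the 64-bit variant)
            info["cryptoff"], info["cryptsize"], info["cryptid"] = \
                struct.unpack_from(endian + "3I", data, off + 8)
            break
        if cmdsize < 8:
            raise ValueError("malformed load command at offset 0x%x" % off)
        off += cmdsize
    return info


def encryption_info(data):
    """Return one record per architecture, handling both FAT and thin files."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch entries (20 bytes each) follow the 8-byte header; field 2 is the slice offset
        return [parse_slice(data, struct.unpack_from(">5I", data, 8 + 20 * i)[2])
                for i in range(nfat)]
    return [parse_slice(data, 0)]


def is_encrypted(data):
    """True if any slice still has cryptid == 1, i.e. the binary needs decrypting first."""
    return any(s["cryptid"] == 1 for s in encryption_info(data))


def describe(data):
    """One human-readable line per slice."""
    lines = []
    for s in encryption_info(data):
        name = CPU_NAMES.get(s["cputype"], "cputype 0x%x" % s["cputype"])
        if s["cryptid"] is None:
            state = "no LC_ENCRYPTION_INFO (not encrypted)"
        elif s["cryptid"] == 0:
            state = "cryptid=0 (not encrypted)"
        else:
            state = "cryptid=%d (encrypted, 0x%x bytes at 0x%x)" % (
                s["cryptid"], s["cryptsize"], s["cryptoff"])
        lines.append("%s @0x%x: %s" % (name, s["offset"], state))
    return lines


# --- constructed sample input (not a real app binary) -----------------------------------
def build_slice(is64, cryptid, cputype):
    """Minimal Mach-O slice: header plus a single LC_ENCRYPTION_INFO(_64) load command."""
    if is64:
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
        hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
        hdr = struct.pack("<7I", MH_MAGIC, cputype, 0, 2, 1, len(lc), 0)
    return hdr + lc


def build_fat(slices, align=0x4000):
    """FAT container with a big-endian header; slice i is placed at align * (i + 1)."""
    out = bytearray(align * (len(slices) + 1))
    hdr = struct.pack(">2I", FAT_MAGIC, len(slices))
    for i, s in enumerate(slices):
        cputype = struct.unpack_from("<I", s, 4)[0]
        hdr += struct.pack(">5I", cputype, 0, align * (i + 1), len(s), 14)
        out[align * (i + 1):align * (i + 1) + len(s)] = s
    out[:len(hdr)] = hdr
    return bytes(out)


SAMPLE_FAT = build_fat([build_slice(False, 1, CPU_TYPE_ARM),    # armv7 slice still encrypted
                        build_slice(True, 0, CPU_TYPE_ARM64)])  # arm64 slice already decrypted

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FAT
    print("\n".join(describe(blob)))
    print("still encrypted: %s" % is_encrypted(blob))
```

On the sample, the armv7 slice reports `cryptid=1` while the arm64 slice reports `cryptid=0`, which is exactly the situation the note above describes: a dump made on an arm64 device leaves the armv7 slice encrypted, so `class-dump --arch armv7` on that file yields only `CDStructures.h`. Passing the matching `--arch` to class-dump, or checking every slice this way before dumping, avoids the confusion.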