6. WeChat Crack

Confirm whether the app is encrypted

  • Obtain the ipa file.

  • Unzip it to get the binary, and check which architectures it contains

$ file Wechat
Wechat: Mach-O universal binary with 2 architectures
Wechat (for architecture armv7):    Mach-O executable arm
Wechat (for architecture arm64):    Mach-O 64-bit executable
  • Use otool -l to print the app's load commands, then check whether the cryptid flag is 1 (encrypted)
    $ otool -l Wechat | grep crypt
     cryptoff 16384
    cryptsize 38748160
      cryptid 1
     cryptoff 16384
    cryptsize 41467904
      cryptid 1

Both architectures are encrypted.

Decrypting (dumping the binary)

List of armv7 devices

iPhone 3GS
iPod touch (3rd generation)
iPad
iPhone 4
iPod touch (4th generation)
iPad 2
iPhone 4S
new iPad (3rd generation)
iPod touch (5th generation)
iPad mini

1. Run ps aux | grep WeChat to get the path of the executable

jiangbinde-iPhone:/ root# ps aux | grep WeChat
mobile    1097   0.7  9.5   829520  97160   ??  Ss    1:32PM   1:02.60 /var/mobile/Applications/3B0E8E0B-797F-49E2-9DC3-278039AFE9BA/WeChat.app/WeChat
root      2385   0.0  0.0   347804    436 s000  R+    4:41PM   0:00.01 grep WeChat

2. Decrypt with dumpdecrypted

jiangbinde-iPhone:/ root# DYLD_INSERT_LIBRARIES=/var/tmp/dumpdecrypted.dylib /var/mobile/Applications/3B0E8E0B-797F-49E2-9DC3-278039AFE9BA/WeChat.app/WeChat                                                                         
mach-o decryption dumper

DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.

[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100068ca8(from 0x100068000) = ca8
[+] Found encrypted data at address 00004000 of length 49053696 bytes - type 1.
[+] Opening /private/var/mobile/Applications/3B0E8E0B-797F-49E2-9DC3-278039AFE9BA/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 53805056 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 3350ca8
[+] Closing original file
[+] Closing dump file

WeChat.decrypted is generated in the current directory

jiangbinde-iPhone:/ root# ls -l
total 112922
lrwxr-xr-x  1 root admin        32 Nov  7 22:59 Applications -> /var/stash/_.f4uEpQ/Applications
drwxrwxr-t  8 root admin       340 Aug 22  2013 Developer
drwxrwxr-x 14 root admin       680 Nov  7 23:04 Library
drwxr-xr-x  3 root wheel       102 Aug  8  2013 System
lrwxr-xr-x  1 root admin        11 Nov  9 11:21 User -> /var/mobile
-rw-r--r--  1 root admin 114845680 Nov  9 16:43 WeChat.decrypted
drwxr-xr-x  2 root wheel      1938 Nov  7 22:59 bin
drwxr-xr-x  2 root admin        68 Oct 28  2006 boot
drwxrwxr-t  2 root admin        68 Aug  8  2013 cores
dr-xr-xr-x  3 root wheel      1355 Nov  9 11:20 dev
lrwxr-xr-x  1 root admin        11 Sep 21  2013 etc -> private/etc
-rwxr-xr-x  1 root admin    557984 Nov  7 22:38 evasi0n7
-rw-r--r--  1 root admin         0 Nov  7 22:38 evasi0n7-installed
-rw-r--r--  1 root admin    197528 Nov  9 15:29 iblue
drwxr-xr-x  2 root admin        68 Oct 28  2006 lib
drwxr-xr-x  2 root admin        68 Oct 28  2006 mnt
drwxr-xr-x  4 root wheel       136 Oct 10  2013 private
drwxr-xr-x  2 root wheel       646 Nov  7 22:59 sbin
lrwxr-xr-x  1 root admin        15 Sep 21  2013 tmp -> private/var/tmp
drwxr-xr-x  9 root wheel       374 Nov  7 22:40 usr
lrwxr-xr-x  1 root admin        11 Sep 21  2013 var -> private/var

3. Copy the file to the Mac

4. Compile the dynamic library

5. Re-sign
