# 23. App Decryption (Dumping)

## 1. frida-ios-dump [🔗](https://github.com/AloneMonkey/frida-ios-dump)

### 1.1 Install frida on the computer

* Clone the repository locally first
* `cd` into the directory
* Run `sudo pip install -r requirements.txt --upgrade`

### 1.2 Install frida on the phone

* Add the source `build.frida.re`
* Search for frida and install it
  * The versions on both ends must match

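### 1.3 Connect the phone to the computer and set up port mapping

A few handy scripts are provided here for convenience:

* `sh iPhoneUSBProxy.sh`
  * [🔗](https://github.com/RyukieSama/RyukieDevGitBook/tree/c6bb31d3d9c51d4eb7e71425449f0e0947321913/逆向/Script/iPhoneUSBProxy.sh)
  * Sets up the port mapping (22-2222)
  * 2222 is the frida default
  * 22 is the system default
* `sh iPhoneLocalLogin.sh` (in a separate terminal tab)
  * [🔗](https://github.com/RyukieSama/RyukieDevGitBook/tree/c6bb31d3d9c51d4eb7e71425449f0e0947321913/逆向/Script/iPhoneLocalLogin.sh)
  * Connects over USB
* [python-client](https://github.com/RyukieSama/RyukieDevGitBook/tree/c6bb31d3d9c51d4eb7e71425449f0e0947321913/逆向/Script/python-client/README.md)

> Note: only one phone can be plugged into the computer. A lesson learned the hard way. One day the local login kept failing; I spent an hour on all kinds of searches and my head was about to explode, so I unplugged the phone to go to the bathroom. The moment I pulled out the cable the whole world lit up, and only then did I realize I had two phones plugged in.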

### 1.4 List the apps that can be dumped

Go into the cloned `frida-ios-dump` directory and run:

`./dump.py -l`

```text
➜  frida-ios-dump git:(master) ./dump.py -l
 PID  Name           Identifier
----  -------------  -----------------------------
5853  Cydia          com.saurik.Cydia
6661  人人视频           com.rrds.rrdianshi
6609  设置             com.apple.Preferences
   -  App Store      com.apple.AppStore
   -  Azizi          com.inke.yaamar
   -  DobbyDemo      cn.Ryukie.Sama.Loviary
   -  Elic           com.ryukie.sama.minesweeper
   -  FaceTime通话     com.apple.facetime
   -  Facebook       com.facebook.Facebook
   -  Google Maps    com.google.Maps
   -  LogiDemo       cn.Ryukie.Sama.LogiDemo
   -  Safari浏览器      com.apple.mobilesafari
   -  Shadowrocket   com.liguangming.Shadowrocket
   -  Substitute     com.ex.substitute.settings
   -  Twitter        com.atebits.Tweetie2
   -  Watch          com.apple.Bridge
   -  iTunes Store   com.apple.MobileStore
   -  unc0verSobani  com.ryukie.sama.Sobani
   -  信息             com.apple.MobileSMS
   -  健康             com.apple.Health
   -  图书             com.apple.iBooks
   -  地图             com.apple.Maps
   -  备忘录            com.apple.mobilenotes
   -  天气             com.apple.weather
   -  家庭             com.apple.Home
   -  微信             cn.Ryukie.Sama.Hanoi
   -  快捷指令           com.apple.shortcuts
   -  指南针            com.apple.compass
   -  提示             com.apple.tips
   -  提醒事项           com.apple.reminders
   -  播客             com.apple.podcasts
   -  文件             com.apple.DocumentsApp
   -  日历             com.apple.mobilecal
   -  时钟             com.apple.mobiletimer
   -  查找             com.apple.findmy
   -  梦见账本           com.ryukie.sama.ledger.Ledger
   -  测距仪            com.apple.measure
   -  照片             com.apple.mobileslideshow
   -  电话             com.apple.mobilephone
   -  百度地图           com.baidu.map
   -  相机             com.apple.camera
   -  股市             com.apple.stocks
   -  腾讯地图           com.tencent.sosomap
   -  视频             com.apple.tv
   -  计算器            com.apple.calculator
   -  语音备忘录          com.apple.VoiceMemos
   -  通讯录            com.apple.MobileAddressBook
   -  邮件             com.apple.mobilemail
   -  钉钉             com.laiwang.DingTalk
   -  钱包             com.apple.Passbook
   -  音乐             com.apple.Music
   -  高德地图           com.autonavi.amap
```

### 1.5 Run the dump script

Run `./dump.py` followed by the app's `Display name` or `Bundle identifier`.

On success, the decrypted package can be found in the `frida-ios-dump` directory.

## 2. Python version problem

After upgrading the system to macOS 11.4, the dump stopped working entirely:

```text
➜  frida-ios-dump git:(master) ./dump.py -l
/Library/Python/2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
Traceback (most recent call last):
  File "./dump.py", line 20, in <module>
    import paramiko
  File "/Library/Python/2.7/site-packages/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import SecurityOptions, Transport
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 129, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 190, in Transport
    if KexCurve25519.is_available():
  File "/Library/Python/2.7/site-packages/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: dlopen(/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so, 2): Symbol not found: _DTLS_client_method
  Referenced from: /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
  Expected in: flat namespace
 in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/cryptography/hazmat/bindings/_openssl.so
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable
Error in sys.exitfunc:
Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
    func(*targs, **kargs)
  File "/Library/Python/2.7/site-packages/paramiko/transport.py", line 120, in _join_lingering_threads
    for thr in _active_threads:
TypeError: 'NoneType' object is not iterable
```

### Solution

> This assumes Python 3 is installed

Switch to the Python 3 environment:

`➜ frida-ios-dump git:(master) sudo pip3 install -r requirements.txt --upgrade`
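
A preflight check for the failure above, as an added example (not part of frida-ios-dump or of the original page): it confirms the interpreter is Python 3, that the modules import cleanly, and that the forwarded port from section 1.3 is listening. The module list and the function names are assumptions: `paramiko` is the import that fails in the traceback, and `frida` is assumed to be required as well.

```python
"""Preflight checks before running dump.py (added example, not project code)."""
import importlib
import socket
import sys

# Assumptions: paramiko is the import that fails in the traceback above and
# frida is assumed to be needed too; 2222 is the local port from section 1.3.
REQUIRED_MODULES = ("frida", "paramiko")
FORWARDED_PORT = 2222

def check_interpreter(version_info=sys.version_info):
    """The failing run used the system Python 2.7; require Python 3."""
    ok = version_info[0] >= 3
    return ok, "Python %d.%d" % (version_info[0], version_info[1])

def check_import(name):
    """Import a module; on failure return the exception type and text."""
    # Catch broadly: the error above came from dlopen() on a native
    # extension, not from a missing package.
    try:
        mod = importlib.import_module(name)
    except Exception as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)
    return True, str(getattr(mod, "__version__", "unknown version"))

def check_port(port=FORWARDED_PORT, host="127.0.0.1", timeout=1.0):
    """Is anything listening on the forwarded SSH port (mapping running)?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "listening"
    except OSError as exc:
        return False, str(exc)

def preflight(modules=REQUIRED_MODULES, port=FORWARDED_PORT):
    """Run every check and return {label: (ok, detail)}."""
    results = {"interpreter": check_interpreter(),
               "port %d" % port: check_port(port)}
    for name in modules:
        results["import " + name] = check_import(name)
    return results

if __name__ == "__main__":
    report = preflight()
    for label, (ok, detail) in report.items():
        print("%-16s %-4s %s" % (label, "OK" if ok else "FAIL", detail))
    sys.exit(0 if all(ok for ok, _ in report.values()) else 1)
```

Run it with the same interpreter that will run `dump.py`; a `FAIL` on an import line shows the real loader error instead of a long traceback.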

