
Dumping encrypted iOS apps with dumpdecrypted

顾鸣
2023-12-01

Approach 1:

I. dumpdecrypted source

GitHub repository

II. Confirm the iOS version of the device you will dump on

The iOS version must match the SDK version. Note that a dylib built with the 5.1 SDK is backward compatible and can be used on iOS 5.0; the same holds for the 6.1 SDK.

III. Extract the required SDK version

Download an old version of Xcode and extract the SDK from it.
Copy the SDKs folder at Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs to the desktop.

IV. Edit the Makefile and the source

Change

SDK=`xcrun --sdk iphoneos --show-sdk-path`

to

SDK=~/Desktop/SDKs/iPhoneOS8.X.sdk

Then change line 76 of dumpdecrypted.c from

if (lc->cmd == LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64)

to

if (lc->cmd == LC_ENCRYPTION_INFO)

V. Build dumpdecrypted.dylib

Then cd into "~/Desktop/dumpdecrypted-master/", type "make" and press Enter; dumpdecrypted.dylib is generated in the current directory.
If you don't want to build it yourself, I have already built it for 6.0, 7.0 and 8.0:
dumpdecrypted.dylib and source link

VI. Remove the arm64 slice

Although IDA 6.9 now supports arm64, arm64 disassembly is still hard to read; things get much easier once the arm64 slice is removed.
1. Copy /var/mobile/Applications/XXXXXX/TargetApp.app/XXXTargetApp to the Mac
2. Run the command

lipo xxx -remove arm64 -output xxx.remove

VII. Dump the decrypted binary

1. Put dumpdecrypted.dylib in the Documents directory of the iOS app to be dumped

2. On the device, cd into the directory that contains dumpdecrypted.dylib

3. Enter the following command and press Enter; the dump is complete

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/XXXXXX/TargetApp.app/XXXTargetApp

4. The output shown:

[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x81a78(from 0x81000) = a78
[+] Found encrypted data at address 00004000 of length 6569984 bytes - type 1.
[+] Opening /private/var/mobile/Containers/Bundle/Application/03B61840-2349-4559-B28E-0E2C6541F879/TargetApp.app/TargetApp for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening TargetApp.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset a78
[+] Closing original file
[+] Closing dump file
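The output above is driven by three fields of the LC_ENCRYPTION_INFO load command: cryptoff (the "address" of the encrypted data), cryptsize (its length) and cryptid (the "type", 1 while encrypted, 0 after the dump). As an added check that is not part of the original post, the following Python parser reads those fields from a Mach-O file so you can verify that a dump really has cryptid 0 before handing it to class-dump or IDA; it goes slightly beyond the post by also handling 64-bit slices and fat binaries like the ones lipo splits above. The function names and the minimal sample binary it builds are my own constructions.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {0xC: "arm", 0x0100000C: "arm64"}  # the two slices lipo handles above

def slice_encryption_info(data, base=0):
    """Walk one thin Mach-O slice at `base`; return its LC_ENCRYPTION_INFO(_64)
    fields plus the file offset of cryptid, or None if the command is absent."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic == MH_MAGIC:
        hdr_len = 28                 # struct mach_header
    elif magic == MH_MAGIC_64:
        hdr_len = 32                 # mach_header_64 carries an extra reserved field
    else:
        raise ValueError("no Mach-O header at offset 0x%x" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end = base + hdr_len, base + hdr_len + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize,
                    "cryptid": cryptid, "cryptid_offset": off + 16}
        off += cmdsize
    return None

def encryption_info(data):
    """Thin file -> {'thin': info}; fat file -> one entry per architecture slice."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return {"thin": slice_encryption_info(data)}
    result = {}
    for i in range(struct.unpack_from(">I", data, 4)[0]):  # fat headers are big-endian
        cputype, _, offset, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        result[CPU_NAMES.get(cputype, "cputype_0x%x" % cputype)] = slice_encryption_info(data, offset)
    return result

def is_decrypted(data):
    """True when no slice still has cryptid == 1, i.e. what a finished dump looks like."""
    return all(i is None or i["cryptid"] == 0 for i in encryption_info(data).values())

def make_sample(cryptid=1):
    """Constructed test input: a thin 32-bit ARM Mach-O whose only load command is
    an LC_ENCRYPTION_INFO covering 0x4000 bytes from file offset 0x4000."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x4000, cryptid)
    return struct.pack("<7I", MH_MAGIC, 0xC, 9, 2, 1, len(lc), 0) + lc
```

To check a real dump, pass `open("TargetApp.decrypted", "rb").read()` to `is_decrypted`; the `cryptid_offset` it reports is the same value dumpdecrypted prints as "offset to cryptid".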

VIII. Done

class-dump and IDA can now be used on the dumped binary.

Improved Approach 2

I. Jailbreak

https://cydia-app.com/downloader/

https://unc0ver.dev/

II. Dump the decrypted binary

https://github.com/stefanesser/dumpdecrypted

cd code/GitHub/dumpdecrypted/

make

scp -P 2222 /Users/zhangruquan/code/GitHub/dumpdecrypted/dumpdecrypted.dylib root@127.0.0.1:/User/Downloads

Open a terminal and ssh to the iPhone, iPad or other device:

iproxy 2222 22

waiting for connection

Do not close the window above; open a new terminal window and run

ssh -p 2222 root@127.0.0.1

Password

alpine

Run in the terminal (lists the currently running processes):

ps -e | grep Aweme

cd /

su mobile

cd /User/Downloads/

DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/containers/Bundle/Application/9BD9166E-95CB-40F4-AE11-54567A29C98A/Aweme.app/Aweme

scp -P 2222 root@127.0.0.1:/User/Downloads/Aweme.decrypted /Users/zhangruquan/

scp -r -P 2222 root@127.0.0.1:/var/containers/Bundle/Application/9BD9166E-95CB-40F4-AE11-54567A29C98A/Aweme.app /Users/zhangruquan

Dumping with Clutch

https://github.com/KJCracks/Clutch/releases

Download the released binary, put it in /usr/bin on the jailbroken device and give it execute permission via iFile.

Clutch -i

Clutch -d 1

scp -r -P 2222 root@127.0.0.1:/private/var/mobile/Documents/Dumped/com.apple.TestFlight-iOS9.0-(Clutch-2.0.4 DEBUG).ipa /Users/zhangruquan

scp -r -P 2222 root@127.0.0.1:/private/var/mobile/Documents/Dumped/com.dfzx.study.yunbaby-iOS9.0-(Clutch-2.0.4 DEBUG).ipa  /Users/zhangruquan

scp -r -P 2222 root@127.0.0.1:/private/var/mobile/Documents/Dumped/C.ipa  /Users/zhangruquan

Installing frida-ios-dump

1. Open Cydia, add the source http://build.frida.re, then search for frida and install it.

2. After installation, run frida-ps -U on the Mac to check that it works.

https://github.com/AloneMonkey/frida-ios-dump/tree/3.x

https://blog.csdn.net/yihen18/article/details/101035266

1. Install Python 3.7

2. In a terminal: cd /Applications/Python\ 3.7

3. sudo ./Install_Certificates.command

4. Download the code: https://github.com/AloneMonkey/frida-ios-dump

5. cd into the code directory and run: sudo pip3 install -r requirements.txt --upgrade

6. iproxy 2222 22

https://github.com/AloneMonkey/frida-ios-dump

https://stackoverflow.com/questions/49183801/ssl-certificate-verify-failed-with-urllib

sudo ./Install_Certificates.command 

cd into the frida-ios-dump directory and run ./dump.py <app name or bundle id> to dump the app.

./dump.py -l lists the apps that can be dumped.

myfile="Aweme" && export myfile && ./class-dump -H -o "$myfile"header "$myfile" && ./restore-symbol "$myfile" -o "$myfile"withsymbo && ./yololib "$myfile"withsymbo QGiioo.dylib

cd  /var/containers/Bundle/Application/

ls -l   (pick the app directory to copy by its date)

scp -r -P 2222 root@127.0.0.1:/var/containers/Bundle/Application/63021253-0E17-4242-BC7A-4E8D96954AE8/Aweme.app /Users/zhangruquan/code/App_copy

Multi-device support after re-signing

Edit Info.plist:

	<key>UISupportedDevices</key>
	<array>
		<string>iPad5,1</string>
		<string>iPad5,2</string>
		<string>iPad5,3</string>
		<string>iPad5,4</string>
		<string>iPad6,11</string>
		<string>iPad6,12</string>
		<string>iPad6,7</string>
		<string>iPad6,8</string>
		<string>iPad7,11</string>
		<string>iPad7,12</string>
		<string>iPad7,5</string>
		<string>iPad7,6</string>
		<string>iPhone9,2</string>
		<string>iPhone9,4</string>
	</array>
