-
-
[求助]IOS 9 越獄流程
-
发表于:
2016-12-23 19:45
5037
-
看舊版本 6.1.3 越獄流程分析的說法
當漏洞跑完提權以後
1.先啟動 afcd 服務 可以瀏覽 / 目錄
shell:
# /usr/libexec/afcd --lockdown -d /
2. 然後重新掛載 /
shell:
# /sbin/mount –u –o rw,suid,dev /
3. 在 /Developer/Library/Lockdown/ServiceAgents 建立兩個 plist
r.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "285K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4H3M7r3I4W2i4K6u0W2j5$3!0E0i4K6u0r3c8q4c8p5M7#2)9J5c8W2m8J5L8%4m8W2M7Y4c8&6e0r3W2K6N6q4)9J5k6o6q4Q4x3X3f1H3i4K6u0W2k6s2c8V1">
<plist version="1.0">
<dict>
<key>Label</key>
<string>r</string>
<key>ProgramArguments</key>
<array>
<string>/sbin/mount</string>
<string>-u</string>
<string>-o</string>
<string>rw,suid,dev</string>
<string>/</string>
</array>
</dict>
</plist>
com.apple.afc2.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "e82K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4H3M7r3I4W2i4K6u0W2j5$3!0E0i4K6u0r3c8q4c8p5M7#2)9J5c8W2m8J5L8%4m8W2M7Y4c8&6e0r3W2K6N6q4)9J5k6o6q4Q4x3X3f1H3i4K6u0W2k6s2c8V1">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.afc2</string>
<key>ProgramArguments</key>
<array>
<string>/usr/libexec/afcd</string>
<string>--lockdown</string>
<string>-S</string>
<string>-d</string>
<string>/</string>
</array>
</dict>
</plist>
然後禁用 code signing
.....
在 IOS 9 底下
上面兩個重新掛載 / 與啟動 afcd 的 shell 是否正確.
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
