From 089dcfb739dd46e77b263db409a11eaa88a3e162 Mon Sep 17 00:00:00 2001 From: Administrator <3234374354@qq.com> Date: Fri, 19 Sep 2025 15:44:03 +0000 Subject: [PATCH] docs: update Cracking/recovery --- Cracking/recovery.md | 252 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 252 insertions(+) create mode 100644 Cracking/recovery.md diff --git a/Cracking/recovery.md b/Cracking/recovery.md new file mode 100644 index 0000000..ff91dfe --- /dev/null +++ b/Cracking/recovery.md 
@@ -0,0 +1,252 @@ +--- +title: 系统还原法(Apple M系列芯片) +description: +published: true +date: 2025-09-19T15:44:03.650Z +tags: +editor: markdown +dateCreated: 2025-09-19T15:41:22.848Z +--- + +> 原作者:你们最伟大的黑客sun12 +> +> 修改:小月半 +> +> **实际操作前请认真、完整阅读此教程** + +# 如何查看是否为Apple芯片? + +在系统中点击左上角Apple图标并点击弹出菜单中的关于本机 + +显示intel芯片,那么恭喜你你可以关掉这个教程了 + +如果是像这样显示“Apple M”,那么恭喜你可以继续(忽略那个箭头,那是我在网上找的图) + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=MTIyMDhiZjA3MWE4MWI2YTUyNjFlNmFmZjY2YTlmOWRfRjJRWEw4OVJIcHo5WTBSczE3NHUxNlhjMlVQZUZIa1VfVG9rZW46UWJVSmJDZ0dQb1hiQjd4cU9RVmNsUGVqbm1mXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +# 如何查看能否进入启动菜单? + +首先将macbook完全关机(左上角苹果logo➡️关机) + +黑屏后等待10秒钟并按住电源键不要松,你就会看到苹果标下面显示“继续按住以显示启动选项” + +等待显示“正在载入启动选项之后松开,进入启动菜单后有两种情况” + +一种是成功进入菜单就像下图 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=MzNlNzQxZmY1MWJlMDZjMTQ2MWI0ODhlMGI0NjYxODZfRFlpOFQxYzVLcEdVUXFINkpZeDQ2SGpMcHV3TmhIZ2RfVG9rZW46WXNlemI0MldTbzNvMEp4NUdjTmNzUnZvbnNoXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +另一种是一个输入密码的界面(一个锁的图标,下面让你输入密码)这种情况**无法使用此教程刷机** + +# 刷机前准备 + +如果你的电脑符合以上条件那么恭喜你你可以往下看了 + +**首先刷机前一定要把东西备份!!!** + +刷机会把所有东西都删掉,所以学校装的Self Service就不存在了(后续会出骗老师用的假Self Service) + +当然App Store可以用了还能自由下载软件(就和新的一样) + +学校一些必要的软件后续会补全到客客邦大群的文件里 + +备份的所有文件可以压缩成一个压缩包临时传到钉钉里或者拷到u盘里(总之放到这台电脑之外的地方就行) + +一切准备就绪后就可以开始刷机了 + +# 抹掉原系统 + +首先根据刚刚讲到的方法进入启动菜单 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=ZTYzNDZmMmRhZTcxODA4Yzg5MDE0NmE0NzA3YzI5ODdfOGVJUE4yM2hnVzZrWGQzREFBWDh2NTlwTG81UkdRZ0lfVG9rZW46QTU5M2JNanREb255MU94TGVIMGNYUzEybmxkXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +进入这个界面后用鼠标双击右边的那个齿轮(底下显示恢复或者Recovery)或者键盘用➡️选中那个齿轮并按Enter + +启动的样子和正常一样,过一会儿就会进入恢复 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=ZDI2OTU2NTFiMGJhYTU5NmZlMWQ3ZDliODBlMDRkMDNfdkFRczZNUHF6M2tLNHJ1dWtpdW91Qm1xbE5DYVZibHdfVG9rZW46UVh6dGJ1VVY0b1l4Z2R4Z1dOdmNJV2h3bmFiXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + 
+正常来说是这样的,如果你的显示要输入密码,不用管,无脑点抹掉Mac + +如果你是进入了上图的那个界面,首先点击顶栏的“实用工具”,弹出的菜单中点击“终端” + +终端大概长这样⬆️ + +在里面输入`resetpassword`然后Enter + +弹出窗口后在顶栏选项弹出的菜单里找到“抹掉Mac” + +然后一路确定直到窗口全部消失变成一个苹果进度条后就成功了 + +# 安装原版系统 + +重启后会进入一个英文的界面让你选择语言,如果没有让你选择语言直接进入了恢复界面你可以选择顶栏的“Files”, + +在弹出的列表中选择“Choose Language”选择中文即可,完成选择恢复界面中的“安装 macOS” + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=ODM0M2YwYjc0Y2Y1M2RkNmU5ZWQxYmVmN2U0NzMwYWFfSE9IamVpUG5jNk1pUFlTOGVWM3RmdnNmdlY3UjhVaFJfVG9rZW46UjN3UWJmMGFzb2JCT0J4aWxIUWNLSUpKbm5lXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +连接网络(在王府你可以连“MLearning”,密码为“M2MLearning”) + +在macOS安装器中一路下一步即可,安装到的硬盘应该叫“Macintosh HD”如果不是请到磁盘工具自行重命名 + +安装过程中请确保电量充足,并保持互联网连接,一定不要关上屏幕!!! + +安装完成后会重启(开机动静特别大)然后等待一段时间后就会进入系统配置界面了 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=MmIyNzI1NzIxODYxNWQ2OWJkM2Y0ODk2ZjE3NTZiZTRfV2xkOVhVajU1TW80b3lpS083OWFjR0kxNWJ0cHB1RzJfVG9rZW46Q1hYeWJCdFhObzcwNkN4aFBzc2NlRmxybm5oXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +**注意一定不要操作!!直接长按电源十秒强制关机!!不然以上的步骤得重来!!** + +# 绕过监管锁 + +系统并没有安装完成,还有个傻b王府设置的监管锁,这个锁无法让你完成系统的配置并进入桌面 + +接下来将绕过监管锁(为什么不能去掉?一个是不太好去,另一个是去掉锁会被信息中心发现) + +首先在关机状态下进入恢复模式(已经讲过了) + +进入恢复模式后在菜单中打开Safari浏览器(记得联网) + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=NjRmNmNlOTc0YTExNzlkMDAwNzg5YjE4MTI5MjA1OTVfVnA1UWhqdWR0Rk1sb2hOUk5zVzlyeEFtQTJuYmNDOE1fVG9rZW46SmpMNWIxOG1pb1NFM3N4b0JnS2NPTjNLbnlmXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +用Safari浏览器打开这个页面,然后全选并复制以下代码(一定要全选!!!) + +绕监管锁的代码: + +```plaintext +#!/bin/bash +RED='\033[1;31m' +GRN='\033[1;32m' +BLU='\033[1;34m' +YEL='\033[1;33m' +PUR='\033[1;35m' +CYAN='\033[1;36m' +NC='\033[0m' +echo -e "${CYAN}*-------------------*---------------------*${NC}" +echo -e "${GRN}* Auto Bypass MDM Lock for MacOS *${NC}" +echo -e "${CYAN}* use it carefully! 
*${NC}" +echo -e "${RED}* Phoenix Team & NBT Union *${NC}" +echo -e "${CYAN}*-------------------*---------------------*${NC}" +echo -e "${CYAN}*Note:不要重命名MacOS默认硬盘!its called Macintosh HD*${NC}" +echo -e "${CYAN}*LOL hf hf hf hf XD*${NC}" +echo "" +PS3='Please enter your choice: ' +options=("Autoypass on Recovery" "Reboot") +select opt in "${options[@]}"; do + case $opt in + "Autoypass on Recovery") + echo -e "${GRN}Bypass on Recovery" + if [ -d "/Volumes/Macintosh HD - Data" ]; then + diskutil rename "Macintosh HD - Data" "Data" + fi + echo -e "${GRN}Create a new user / Tạo User mới" + echo -e "${BLU}Press Enter to continue, Note: Leaving it blank will default to the automatic user / Nhấn Enter để tiếp tục, Lưu ý: có thể không điền sẽ tự động nhận User mặc định" + echo -e "Enter the username (Default: Apple) / Nhập tên User (Mặc định: Apple)" + read realName + realName="${realName:= Apple}" + echo -e "${BLUE}Nhận username ${RED}WRITE WITHOUT SPACES / VIẾT LIỀN KHÔNG DẤU ${GRN} (Mặc định: Apple)" + read username + username="${username:=Apple}" + echo -e "${BLUE}Enter the password (default: 1234) / Nhập mật khẩu (mặc định: 1234)" + read passw + passw="${passw:=1234}" + dscl_path='/Volumes/Data/private/var/db/dslocal/nodes/Default' + echo -e "${GREEN}Creating User / Đang tạo User" + # Create user + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" UserShell "/bin/zsh" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" RealName "$realName" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" RealName "$realName" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" UniqueID "501" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" PrimaryGroupID "20" + mkdir "/Volumes/Data/Users/$username" + dscl -f "$dscl_path" localhost -create "/Local/Default/Users/$username" NFSHomeDirectory 
"/Users/$username" + dscl -f "$dscl_path" localhost -passwd "/Local/Default/Users/$username" "$passw" + dscl -f "$dscl_path" localhost -append "/Local/Default/Groups/admin" GroupMembership $username + echo "0.0.0.0 deviceenrollment.apple.com" >>/Volumes/Macintosh\ HD/etc/hosts + echo "0.0.0.0 mdmenrollment.apple.com" >>/Volumes/Macintosh\ HD/etc/hosts + echo "0.0.0.0 iprofiles.apple.com" >>/Volumes/Macintosh\ HD/etc/hosts + echo -e "${GREEN}Successfully blocked host / Thành công chặn host${NC}" + touch /Volumes/Data/private/var/db/.AppleSetupDone + rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord + rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound + touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled + touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound + echo -e "${CYAN}------ Autobypass SUCCESSFULLY / Autobypass HOÀN TẤT ------${NC}" + echo -e "${CYAN}------ Exit Terminal , Reset Macbook and ENJOY ! 
------${NC}" + break + ;; + "Disable Notification (SIP)") + echo -e "${RED}Please Insert Your Password To Proceed${NC}" + sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord + sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound + sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled + sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound + break + ;; + "Disable Notification (Recovery)") + rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord + rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound + touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled + touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound + break + ;; + "Check MDM Enrollment") + echo "" + echo -e "${GRN}Check MDM Enrollment. Error is success${NC}" + echo "" + echo -e "${RED}Please Insert Your Password To Proceed${NC}" + echo "" + sudo profiles show -type enrollment + break + ;; + "Exit") + echo "Rebooting..." 
+ reboot + break + ;; + *) echo "Invalid option $REPLY" ;; + esac +done +``` + +复制完后退出Safari并打开终端(顶栏点击Safari浏览器弹出菜单选择退出,然后在顶栏选择实用工具➡️终端) + +打开终端后在终端粘贴刚刚复制的代码 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=MWUyMzU3MjEzM2YzMzg4Y2RjMzQ0NTIyNWZkMTVhYWJfY1lCN2hMMEg0NWJJWVZyUjNHOUoyODdvY2NqOEU3bFJfVG9rZW46RklHeWJWVGRYb2dLa2N4OHF0WGNEdDRrbkJkXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +粘贴完后Enter,输入1然后一路Enter,完成后会显示两串蓝色的神秘字符显示Success + +成功后直接点左上角的苹果表重新启动 + +# 关闭SIP并创建账户 + +重启后会显示账户,密码为`1234`,这个临时账户有管理员权限但是无法正常使用(漏洞创建的当然用不了) + +登录进账户后打开启动台,打开“其他”文件夹并打开终端 + +复制以下代码并粘贴到终端里 + +关闭SIP: + +粘贴到终端Enter,然后可能会让你输入密码(就是1234),如果问你一串文字后面显示(y/N)输入y回车,总之一路回车即可 + +跑完后如果显示“Enrollment configuration: We can't determine if this machine is DEP enabled.Tye again later.” + +就说明成功了 + +成功后重启进恢复打开终端输入“`csrutil disable`”并回车 + +![](https://vcn3a8h4w67w.feishu.cn/space/api/box/stream/download/asynccode/?code=ZmE0YzFiYzcxOTc0YTkzZTVlNmE0ZmZhMzIxMGQ3MzFfWXltMGJwd2wyZ2xUVVR4VUFkUUZIT1hTUnBkTGF5ZUJfVG9rZW46VVliNmJIRWtyb3BTdzd4TTlwOGNaMW1YbkxkXzE3NTgyOTYzMzA6MTc1ODI5OTkzMF9WNA) + +出现这样后输入Y回车,如果提示你enter password for user Mac:的提示就输入1234回车即可 + +这样就成功了,完成后重启即可 + +进入系统后就没有监管锁了,只需要在设置里创建一个管理员账户(一定得是管理员),然后到管理员账户里删除这个临时账户即可。 + +到此这个教程就结束了,一些软件可以自行在客客邦里下载 + +# 祝你使用愉快,不会被老师抓 \ No newline at end of file
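Review bot: The line `连接网络(在王府你可以连“MLearning”,密码为“M2MLearning”)` in the 安装原版系统 section commits a Wi-Fi SSID and its password in plain text; remove the credential from the file and treat it as exposed, because it stays in the repository history even if a later commit deletes it. In the later sections the page has the reader run `csrutil disable` with no step that turns it back on, and the script appends three `0.0.0.0` entries for Apple enrollment hostnames to `/Volumes/Macintosh\ HD/etc/hosts`, so a machine that follows the page is left with System Integrity Protection off and a modified hosts file. The document should state that end state explicitly. The temporary account also defaults to password `1234` and is added to the `admin` group, and it exists with that password until the final step deletes it. The images are all `feishu.cn` download-stream URLs carrying a `code=` token rather than files in the repo, so the page depends on that external service to render. The code fence is tagged `plaintext` although its body starts with `#!/bin/bash`. The front matter also leaves `description:` and `tags:` empty.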