美文网首页安全
创建第一个逆向工程 (tweak)

创建第一个逆向工程 (tweak)

作者: iChuck | 来源:发表于2018-04-25 15:41 被阅读607次
  1. 使用tweak创建工程

    ➜  tweak /opt/theos/bin/nic.pl
    NIC 2.0 - New Instance Creator
    ------------------------------
      [1.] iphone/activator_event
      [2.] iphone/application_modern
      [3.] iphone/cydget
      [4.] iphone/flipswitch_switch
      [5.] iphone/framework
      [6.] iphone/ios7_notification_center_widget
      [7.] iphone/library
      [8.] iphone/notification_center_widget
      [9.] iphone/preference_bundle_modern
      [10.] iphone/tool
      [11.] iphone/tweak
      [12.] iphone/xpc_service
    Choose a Template (required): 11
    Project Name (required): MyFirstRePoject
    Package Name [com.yourcompany.myfirstrepoject]: com.iosre.myfirstrepoject
    Author/Maintainer Name [chenzhou]: chuck
    [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard
    [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
    Instantiating iphone/tweak in myfirstrepoject/...
    Done.
    
    • Choose a Template (required): 选择tweak工程
    • Project Name (required): 工程名
    • Package Name [com.yourcompany.myfirstrepoject]: deb包的名字
    • Author/Maintainer Name [chenzhou]: 作者
    • [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: tweak作用对象的bundle indentifier
    • [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: tweak安装完成后需要重启的应用
  2. tweak 工程目录结构介绍

    • Makefile
    默认文件信息:
    // 工程包含的通用头文件
    include $(THEOS)/makefiles/common.mk
    
    // 创建工程时指定的“Project Name,指定好之后一般不要再更改
    TWEAK_NAME = MyFirstReProject
    
    // tweak包含的源文件,指定多个文件时用空格隔开
    MyFirstReProject_FILES = Tweak.xm
    
    // tweak工程的头文件,一般有application.mk、tweak.mk和tool.mk几类
    include $(THEOS_MAKE_PATH)/tweak.mk
    
    // 指定tweak安装之后,需要做的事情,这里是杀掉SpringBoard进程 
    after-install::
        install.exec "killall -9 SpringBoard"
      
    补充:
    // 编译debug或者release
    DEBUG = 0
    
    // 越狱iPhone的ip地址
    THEOS_DEVICE_IP = 192.168.1.113
    
    // 指定支持的处理器架构
    ARCHS = armv7 arm64 
    
    // 指定需要的SDK版本iphone:Base SDK:Deployment Target
    TARGET = iphone:latest:8.0  //最新的SDK,程序发布在iOS8.0以上
    
    // 导入框架,多个框架时用空格隔开
    MyFirstReProject_FRAMEWORKS = UIKit 
    MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport
    
    // 链接libsqlite3.0.dylib、libz.dylib和dylib1.o
    MyFirstReProject_LDFLAGS = -lz –lsqlite3.0 –dylib1.o
    
    // make clean
    clean::
        rm -rf ./packages/*
    
    • tweak文件

      • xm中的x代表这个文件支持logos语法,如果后缀名单独是一个x说明源文件支持logos和c语法;如果后缀名是xm,说明源文件支持logos和c/c++语法。
      • %hook指定需要hook的class,必须以%end结尾
      • %log该指令在%hook内部是使用,将函数名的类名、参数等信息写入syslog,Cydia内搜索安装syslog
      • %orig该指令在%hook内部使用,执行被钩住(hook)的函数的原始代码。
      • tewak工程创建的代码
      /* How to Hook with Logos
      Hooks are written with syntax similar to that of an Objective-C @implementation.
      You don't need to #include <substrate.h>, it will be done automatically, as will
      the generation of a class list and an automatic constructor.
      
      %hook ClassName
      
      // Hooking a class method
      + (id)sharedInstance {
          return %orig;
      }
      
      // Hooking an instance method with an argument.
      - (void)messageName:(int)argument {
          %log; // Write a message about this call, including its class, name and arguments, to the system log.
      
          %orig; // Call through to the original function with its original arguments.
          %orig(nil); // Call through to the original function with a custom argument.
      
          // If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
      }
      
      // Hooking an instance method with no arguments.
      - (id)noArguments {
          %log;
          id awesome = %orig;
          [awesome doSomethingElse];
      
          return awesome;
      }
      
      // Always make sure you clean up after yourself; Not doing so could have grave consequences!
      %end
      */
      
      • 修改tewak工程的xm文件之后的代码,hook Springboard当按下home键触发的函数,并打印信息
      %hook SpringBoard
      
      - (void)_menuButtonDown:(id)arg1 {
          NSLog(@"x=%d, y=%d", 10, 20);
          %log((NSString *)@"iOSRE", (NSString *)@"Debug");
          %orig; // call the original _menuButtonDown:
      }
      
      %end
      
    • control

      • control文件记录了deb包管理系统所需的基本信息,会被打包deb包里。
    • MyFirstRePoject.plist

      • 做用对象的文件
      ➜  myfirstrepoject plutil -p MyFirstRePoject.plist
      {
        "Filter" => {
          "Bundles" => [
            0 => "com.apple.springboard"
          ]
        }
      }
      
  3. 编译工程

    # Makefile文件直接make执行
    ➜  myfirstrepoject make
    
    # 错误
    ➜  myfirstrepoject make
    Makefile:1: /makefiles/common.mk: No such file or directory
    Makefile:6: /tweak.mk: No such file or directory
    make: *** No rule to make target `/tweak.mk'.  Stop.
    
    # 修改export THEOS=/opt/theos未设置
    export THEOS=/opt/theos
    
    # 重启shell在执行make
    # 最终生成的文件在./.theos/obj/debug/*.dylib
    
  4. 打包工程

    ➜  myfirstrepoject make package
    > Making all for tweak MyFirstRePoject…
    make[2]: Nothing to be done for `internal-library-compile'.
    > Making stage for tweak MyFirstRePoject…
    Can't locate IO/Compress/Lzma.pm in @INC (you may need to install the IO::Compress::Lzma module) (@INC contains: /usr/local/Cellar/perl/5.26.2/lib/perl5/site_perl/5.26.2/darwin-thread-multi-2level /usr/local/Cellar/perl/5.26.2/lib/perl5/site_perl/5.26.2 /usr/local/Cellar/perl/5.26.2/lib/perl5/5.26.2/darwin-thread-multi-2level /usr/local/Cellar/perl/5.26.2/lib/perl5/5.26.2 /usr/local/lib/perl5/site_perl/5.26.2/darwin-thread-multi-2level /usr/local/lib/perl5/site_perl/5.26.2) at /opt/theos/bin/dm.pl line 12.
    BEGIN failed--compilation aborted at /opt/theos/bin/dm.pl line 12.
    make: *** [internal-package] Error 2
    
    # 打印错误详细信息
    ➜  myfirstrepoject make package messages=yes
    
    # 清楚make记录
    ➜  myfirstrepoject make clean
    
    # 错误缺少IO::Compress::Lzma文件
    # 通过cpan来安装就可以了
    sudo cpan IO::Compress::Lzma
    
    # 然后在执行make命令
    
    ➜  myfirstrepoject make clean
    ==> Cleaning…
    ➜  myfirstrepoject make package
    > Making all for tweak MyFirstRePoject…
    ==> Preprocessing Tweak.xm…
    ==> Compiling Tweak.xm (armv7)…
    ==> Linking tweak MyFirstRePoject (armv7)…
    clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
    ==> Generating debug symbols for MyFirstRePoject (armv7)…
    ==> Preprocessing Tweak.xm…
    ==> Compiling Tweak.xm (arm64)…
    ==> Linking tweak MyFirstRePoject (arm64)…
    clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7 [-Wdeprecated]
    ==> Generating debug symbols for MyFirstRePoject (arm64)…
    ==> Merging tweak MyFirstRePoject…
    ==> Signing MyFirstRePoject…
    > Making stage for tweak MyFirstRePoject…
    dm.pl: building package `com.iosre.myfirstrepoject:iphoneos-arm' in `./packages/com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb'
    
    # ./packages/com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb 即为打出的deb包。
    
  5. 查看包(使用dpkg来查看deb包的信息)

    ➜  packages dpkg -I com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb
     new Debian package, version 2.0.
     size 3682 bytes: control archive=311 bytes.
         247 bytes,    10 lines      control
     Package: com.iosre.myfirstrepoject
     Name: MyFirstRePoject
     Depends: mobilesubstrate
     Architecture: iphoneos-arm
     Description: An awesome MobileSubstrate tweak!
     Maintainer: chuck
     Author: chuck
     Section: Tweaks
     Version: 0.0.1-6+debug
     Installed-Size: 120
    
  6. 把deb包拷贝到iPhone上去

    ➜  packages scp com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb root@192.168.6.107:/tmp
    
  7. 在iPhone里使用dpkg安装包

    # 如果没有dpkg使用 apt-get install dpkg 或者直接在Cydia里搜索安装
    iPhone:/tmp root# apt-get install dpkg
    
    # 使用 dpkg -i deb包 进行安装
    iPhone:/tmp root# dpkg -i com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb
    Selecting previously unselected package com.iosre.myfirstrepoject.
    (Reading database ... 4614 files and directories currently installed.)
    Preparing to unpack com.iosre.myfirstrepoject_0.0.1-6+debug_iphoneos-arm.deb ...
    Unpacking com.iosre.myfirstrepoject (0.0.1-6+debug) ...
    Setting up com.iosre.myfirstrepoject (0.0.1-6+debug) ...
    
  8. 重启SpringBoard

    # Springboard是系统应用,杀死进程后会自动重启
    iPhone:/tmp root# killall -9 SpringBoard
    
  9. 查看日志

    # 在Cydia搜索“syslogd to/var/log/syslog”并安装
    # 打印最近的10条日志,并实时更新
    iPhone:~ root# tail -f /var/log/syslog
    
    # 错误 tail :  command not found
    # 在Cydia搜索“Core Utilities”并安装
    # 看了我的Cydia里装了Core utilties还是不能使用的话重新装一遍就可以使用了
    
    # 打印出了我第一个tewak工程的输出
    Apr 25 10:44:24 iPhone SpringBoard[91]: [MyFirstRePoject] Tweak.xm:5 DEBUG: -[<SpringBoard: 0x150022800> _menuButtonDown:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Timestamp:           8674105041
    Total Latency:       21490 us
    SenderID:            0x0000000100000196
    BuiltIn:             1
    AttributeDataLength: 36
    AttributeData:       01 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ValueType:           Absolute
    EventType:           Keyboard
    UsagePage:           12
    Usage:               64
    Down:                1
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ]: iOSRE, Debug
    
    # 或者直接打印SpringBoard的日志
    iPhone:/tmp root# tail -f /var/log/syslog | grep SpringBoard
    Apr 25 10:54:15 iPhone SpringBoard[91]: x=10, y=20
    Apr 25 10:54:15 iPhone SpringBoard[91]: [MyFirstRePoject] Tweak.xm:5 DEBUG: -[<SpringBoard: 0x150022800> _menuButtonDown:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Apr 25 10:54:15 iPhone SpringBoard[91]: [MPUSystemMediaControls] Enabling lock screen media controls updates for screen turning on.
    Apr 25 10:54:15 iPhone SpringBoard[91]: [MPUSystemMediaControls] Updating supported commands for now playing application.
    Apr 25 10:54:16 iPhone SpringBoard[91]: -[UABestAppSuggestionManager notifyBestAppChanged:type:options:bundleIdentifier:activityType:dynamicIdentifier:when:confidence:deviceName:deviceIdentifier:deviceType:] (null) UASuggestedActionType=0 (null)/(null) opts=(null) when=2018-04-25 02:54:16 +0000 confidence=1 from=(null)/(null) (UABestAppSuggestionManager.m #319)
    Apr 25 10:54:19 iPhone SpringBoard[91]: x=10, y=20
    Apr 25 10:54:19 iPhone SpringBoard[91]: [MyFirstRePoject] Tweak.xm:5 DEBUG: -[<SpringBoard: 0x150022800> _menuButtonDown:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Apr 25 10:54:22 iPhone SpringBoard[91]: x=10, y=20
    Apr 25 10:54:22 iPhone SpringBoard[91]: [MyFirstRePoject] Tweak.xm:5 DEBUG: -[<SpringBoard: 0x150022800> _menuButtonDown:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    
  1. 修改Makefile文件

    include $(THEOS)/makefiles/common.mk
    
    # 发布release版本
    DEBUG = 1
    # 安装的ip
    THEOS_DEVICE_IP = 192.168.6.107
    # 支持的架构
    ARCHS = armv7 arm64
    # 支持的iPhone版本
    TARGET =iphone:latest:8.0
    
    TWEAK_NAME = MyFirstRePoject
    MyFirstRePoject_FILES = Tweak.xm
    
    include $(THEOS_MAKE_PATH)/tweak.mk
    
    after-install::
            install.exec "killall -9 SpringBoard"
    
    # 清楚
    clean::
            rm -rf ./package/*
            
            
    
    tip:
    # 错误 需要把新添加的信息放到include $(THEOS)/makefiles/common.mk前面,第一行就可以了
    ➜  myfirstrepoject make install
    ==> Error: /Applications/Xcode.app/Contents/Developer/usr/bin/make install requires that you set THEOS_DEVICE_IP in your environment.
    ==> Notice: It is also recommended that you have public-key authentication set up for root over SSH, or you will be entering your password a lot.
    make: *** [internal-install] Error 1
    
    
    # 然后执行直接安装到手机上
    make clean 
    make 
    make package 
    make install 
    
    
  2. Deb包介绍 官网

    • deb包本质是一个压缩包文件,里面包含一些特定的目录和文件。安装过程就是dpkg程序按照指定的规则去拷贝和执行脚本。
    # 安装deb包
    dpkg -i filename 
    
    # 查看目录结构
    ➜  packages dpkg -c com.iosre.myfirstrepoject_0.0.1-10+debug_iphoneos-arm.deb
    drwxr-xr-x root/wheel        0 2018-04-25 13:45 .
    drwxr-xr-x root/wheel        0 2018-04-25 13:45 ./Library
    drwxr-xr-x root/wheel        0 2018-04-25 13:45 ./Library/MobileSubstrate
    drwxr-xr-x root/wheel        0 2018-04-25 13:45 ./Library/MobileSubstrate/DynamicLibraries
    -rw-r--r-- root/wheel       57 2018-04-25 13:45 ./Library/MobileSubstrate/DynamicLibraries/MyFirstRePoject.plist
    -rwxr-xr-x root/wheel   132896 2018-04-25 13:45 ./Library/MobileSubstrate/DynamicLibraries/MyFirstRePoject.dylib
    
    • DEBIAN目录-存放control文件、及安装和卸载时需要执行的文件等
    • control文件
    ➜  DEBIAN cat control
    # deb包的名字,卸载和查询信息都用这个名字
    Package: com.iosre.myfirstrepoject
    # 工程名
    Name: MyFirstRePoject
    # 依赖包(可以指定多个,用,分割)
    Depends: mobilesubstrate
    # 描述软件支持的平台架构
    Architecture: iphoneos-arm
    # deb简介
    Description: An awesome MobileSubstrate tweak!
    # deb包维护人联系方式
    Maintainer: chuck
    # 软件作者
    Author: chuck
    # deb包归属类别
    Section: Tweaks
    # 版本
    Version: 0.0.1-10+debug
    Installed-Size: 136
    
    • 脚本文件(解释器文件 #!/bin/sh)
      • preinst

        • 在Deb包文件解包之前,将会运行该脚本。许多“preinst”脚本的任务是停止作用于待升级软件包的服务,直到软件包安装或升级完成。
      • postinst

        • 该脚本的主要任务是完成安装包时的配置工作。许多“postinst”脚本负责执行有关命令为新安装或升级的软件重启服务。
      • prerm

        • 该脚本负责停止与软件包相关联的daemon服务。它在删除软件包关联文件之前执行。
      • postrm

        • 该脚本负责修改软件包链接或文件关联,或删除由它创建的文件。
    # 创建script文件夹创建打包脚本,在安装和卸载的时候都重启SpringBoard
    ➜  myfirstrepoject cd script
    ➜  script ls
    ➜  script vim preinst
    ➜  script vim postinst
    ➜  script vim prerm
    ➜  script vim postrm
    ➜  script chmod +x ./*
    ➜  script ls
    postinst postrm   preinst  prerm
    
    postinst
    
    #!/bin/sh
    
    killall -9 SpringBoard
    
    postrm
    
    #!/bin/sh
    
    killall -9 SpringBoard
    
    • 编写Makefile
    # 把脚本拷贝到DEBIAN目录下,在最后添加
        before-package::
              cp ./script/postinst ./.theos/_/DEBIAN/
              cp ./script/postrm ./.theos/_/DEBIAN/
    
    • 查看
    # 查看
    ➜  myfirstrepoject cd .theos/_/DEBIAN
    ➜  DEBIAN ls
    control  postinst postrm
    
    # 拷贝到手机上
    ➜  packages scp com.iosre.myfirstrepoject_0.0.1-11+debug_iphoneos-arm.deb root@192.168.6.107:/tmp
    
    # 在手机上安装deb包的时候就会自动的重启SpringBoard
    iPhone:/tmp root# dpkg -i com.iosre.myfirstrepoject_0.0.1-11+debug_iphoneos-arm.deb
    
    # 查看包的信息
    iPhone:/tmp root# dpkg -I com.iosre.myfirstrepoject_0.0.1-11+debug_iphoneos-arm.deb
    new debian package, version 2.0.
    size 3722 bytes: control archive=384 bytes.
     248 bytes,    10 lines      control
      34 bytes,     3 lines   *  postinst             #!/bin/sh
      34 bytes,     3 lines   *  postrm               #!/bin/sh
    Package: com.iosre.myfirstrepoject
    Name: MyFirstRePoject
    Depends: mobilesubstrate
    Architecture: iphoneos-arm
    Description: An awesome MobileSubstrate tweak!
    Maintainer: chuck
    Author: chuck
    Section: Tweaks
    Version: 0.0.1-11+debug
    Installed-Size: 136
    
    # 通过包的名称来卸载包 Package: com.iosre.myfirstrepoject
    iPhone:/tmp root# dpkg -r com.iosre.myfirstrepoject 
    
    • Library (/myfirstrepoject/.theos/_/Library)
    /myfirstrepoject/.theos/_/Library
    会镜像映射到目标设备
    iPhone:/tmp root# cd /Library/MobileSubstrate/DynamicLibraries/
    
    • layout
      • dpkg打包时会复制当前目录下layout目录下的所有文件和目录,这些文件和目录会镜像到目标设备上(layout相对于设备的根目录)
    ➜  myfirstrepoject mkdir layout
    ➜  myfirstrepoject cd layout
    ➜  layout mkdir -p usr/bin
    ➜  layout ls
    usr
    ➜  layout touch chuck01
    ➜  layout cd usr/bin
    ➜  bin touch chuck02
    ➜  bin cd ..
    ➜  usr cd ..
    ➜  layout ls
    chuck01 usr
    ➜  layout mkdir tmp
    ➜  layout ls
    chuck01 tmp     usr
    ➜  layout cd tmp
    ➜  tmp touch chuck03
    ➜  tmp
    
    # 在重新make package就可以看到我们直接创建的目录
    ➜  packages dpkg -c com.iosre.myfirstrepoject_0.0.1-12+debug_iphoneos-arm.deb
    drwxr-xr-x root/whee l        0 2018-04-25 14:48 .
    -rw-r--r-- root/wheel        0 2018-04-25 14:45 ./chuck01
    drwxr-xr-x root/wheel        0 2018-04-25 14:44 ./usr
    drwxr-xr-x root/wheel        0 2018-04-25 14:45 ./usr/bin
    -rw-r--r-- root/wheel        0 2018-04-25 14:45 ./usr/bin/chuck02
    drwxr-xr-x root/wheel        0 2018-04-25 14:48 ./Library
    drwxr-xr-x root/wheel        0 2018-04-25 14:48 ./Library/MobileSubstrate
    drwxr-xr-x root/wheel        0 2018-04-25 14:48 ./Library/MobileSubstrate/DynamicLibraries
    -rw-r--r-- root/wheel       57 2018-04-25 14:48 ./Library/MobileSubstrate/DynamicLibraries/MyFirstRePoject.plist
    -rwxr-xr-x root/wheel   132896 2018-04-25 14:48 ./Library/MobileSubstrate/DynamicLibraries/MyFirstRePoject.dylib
    drwxr-xr-x root/wheel        0 2018-04-25 14:45 ./tmp
    -rw-r--r-- root/wheel        0 2018-04-25 14:45 ./tmp/chuck03
    
    deb001.png deb002.png deb003.png deb004.png
  • 再 dpkg -r package 的时候这些目录会被删除

  • deb包用解压工具解压出来的就是打包进去文件和目录

  1. 常见的Logos语法 维基百科wiki

    • block-level
    • %hook 制定需要hook的Class,必须以%end结尾。可以被多个%group包含
    %hook SBApplicationController
    - (void)uninstallApplication:(SBApplication *)application {
        NSLog(@"Hey, we're hooking uninstallApplication:!");
        %orig; // Call the original implementation of this method
        return;
    }
    %end
    
    • %group 该指令用于将%hook分组,便于代码管理及按条件初始化分组,必须以%end结尾。一个%group可以包含多个%hook,所有不属于某个自定义group的%hook会被隐式归类到%group_ungrouped中。
    %group iOS8
    %hook IOS8_SPECIFIC_CLASS
        // your code here
    %end // end hook
    %end // end group ios8
    
    %group iOS9
    %hook IOS9_SPECIFIC_CLASS
        // your code here
    %end // end hook
    %end // end group ios9
    
    %ctor {
        if (kCFCoreFoundationVersionNumber > 1200) {
            %init(iOS9);
        } else {
            %init(iOS8);
        }
    }
    
    • %new 通过在方法定义之上添加这个指令,将一个新方法添加到钩子类或子类中。签名是新方法的Objective-C类型编码;如果省略,将生成一个。必须在%hook块内。
    // 使用
    // %new
    

// %new(signature)

%hook SBApplicationController
- (void)uninstallApplication:(SBApplication *)application {
    NSLog(@"Hey, we're hooking uninstallApplication:!");
    %orig; // Call the original implementation of this method
    return;
}
    
%new
- (void)namespaceNewMethod {
    NSLog(@"We've added a new method to SpringBoard.");
}
%end
```

* Top level
    * %ctor tweak的构造函数,完成初始化工作;如果不显示定义,Theos会自动生成一个%ctor,并在其中调用%init(_ungrouped)。
    * %dtor tweak的构造函数,完成收尾。如果不显示定义,Theos会自动生成一个%dtor。

* Function level
    * %init 该指令用于初始化某个%group,必须在%hook或%ctor内调用;如果带参数,则初始化指定的group,如果不带参数,则初始化_ungrouped。注: 切记,只有调用了%ini,对应的%group才能起作用!
    ```
    %ctor {
   if (kCFCoreFoundationVersionNumber > 1200) %init(iOS9);
       else %init(iOS8);
    }
    ```
    
    * %c 该指令的作用等同于objc_getClass或NSClassFromString,即动态获取一个类的定义,在%hook或%ctor内使用 。

    ```
    %hook SpringBoard
    - (void)_menuButtonDown:(id)down
    {
        %orig;
        SBScreenShotter *shotter = [%c(SBScreenShotter) sharedInstance];
        [shotter saveScreenshot:YES]; 
    }
    %end@
    ```
    
    * %log 该指令在%hook内部使用,将函数的类名、参数等信息写入syslog,可以%log([(),…..])的格式追加其他打印信息。
    * %orig 该指令在%hook内部使用,执行被hook的函数的原始代码;也可以用%orig更改原始函数的参数。
  1. 使用Logos语法,点击home建截屏,%new新添加实例方法和类方法

    //练习
    @interface SBScreenshotter: NSObject
    + (id)sharedInstance;
    - (void)saveScreenshot: (BOOL)arg1;
    @end
    
    @interface SpringBoard
    + (void)_AutoScreenSave2;
    - (void)_AutoScreenSave;
    @end
    
    
    %hook SpringBoard
    
    -  (void)applicationDidFinishLaunching:(id)application 
    { 
        %orig; 
        UIAlertView *alert = [[UIAlertView alloc]  
        initWithTitle:@"Hello,chuck!" 
        message:nil 
        delegate:self cancelButtonTitle:@"OK"
        otherButtonTitles:nil]; 
        [alert show]; 
    }
    
    %new
    - (void)_AutoScreenSave
    {
        NSLog(@"instance method");
        SBScreenShotter *shotter = [%c(SBScreenShotter) sharedInstance];
        [shotter saveScreenshot:YES]; 
    }
    
    %new
    + (void)_AutoScreenSave2
    {
        NSLog(@"class method");
        SBScreenShotter *shotter = [%c(SBScreenShotter) sharedInstance];
        [shotter saveScreenshot:YES]; 
    }
    
    - (void)_menuButtonDown:(id)arg1 {
        // NSLog(@"x=%d, y=%d", 10, 20);
        // %log((NSString *)@"iOSRE", (NSString *)@"Debug");  
        // 实例方法调用
        [self _AutoScreenSave];
        // 类方法调用
        [%c(SpringBoard) _AutoScreenSave2];
        %log((NSString *)@"iOSRE", (NSString *)@"Debug"); 
        %orig; // call the original _menuButtonDown:
    }
    
    %end 
    

相关文章

  • iOS逆向课程笔记(六)

    8.第一个逆向程序 创建tweak工程➜ iOS /opt/theos/bin/nic.pl NIC 2.0 -...

  • iOS逆向记录(三)

    8.第一个逆向程序 创建tweak工程➜ iOS /opt/theos/bin/nic.pl NIC 2.0 -...

  • iOS逆向研究002

    1.第一个逆向程序 创建tweak工程➜ iOS /opt/theos/bin/nic.pl NIC 2.0 -...

  • 创建第一个钩子程序

    什么是tweak(钩子)程序 创建第一个钩子程序 创建工程选择tweak输入tweak工程名输入deb包的名称(B...

  • iOS逆向之Logos语法介绍

    上一篇文章: iOS逆向工具之Tweak工程介绍 上一篇文章,我们介绍tweak工程,简单实用了Logos语法逆向...

  • 创建第一个逆向工程 (tweak)

    使用tweak创建工程➜ tweak /opt/theos/bin/nic.plNIC 2.0 - New In...

  • 第一个IOS逆向工程

    先来看看效果: 最近在看 《ios应用逆向工程(第二版)》刚好看到利用theos创建tweak工程于是就上手试了一...

  • 8. 第一个逆向程序

    创建tweak工程 工程文件结构 Makefile tweak文件 “xm”中的“x”代表这个文件支持Logos语...

  • Theos-tweak工程

    1、查看《iOS逆向 开发工具》 Theos的使用方法做准备工作;2、创建tweak工程,实现在屏幕上添加弹框(越...

  • iOS逆向工程之Theos

    如果你对iOS逆向工程有所了解,那么你对Tweak并不陌生。那么由Tweak我们又会引出Theos, 那么什么是T...

网友评论

    本文标题:创建第一个逆向工程 (tweak)

    本文链接:https://www.haomeiwen.com/subject/palylftx.html