iOS Reverse Engineering: Removing the Ads from OPlayer Lite

2018-08-06  Read by 504 people  Evans_Xiao


I. Environment requirements:

1. iPod touch 6: iOS 10.3.1 (already jailbroken)

2. Xcode with MonkeyDev installed

3. OPlayer Lite.ipa (obtained with PP Assistant on Windows) [optional]

II. Locating the ad with lldb

1. Download OPlayer Lite directly from the App Store. To make debugging easier, set the device language to English; this matters later.

2. Connect to the jailbroken device over ssh

ssh root@172.20.134.8

3. Close the other processes on the device, ideally leaving only OPlayer Lite running. The following command lists the running processes and filters for the target:

iPod:~ root# ps aux | grep OPlayer
mobile    6593   3.6  6.5  1384832  66024   ??  Ss    5:27PM   0:20.84 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite
root      6607   0.0  0.0   624224      8 s000  R+    5:29PM   0:00.00 grep OPlayer

4. Decrypt (dump) the app using either of the two methods from the tutorial "iOS10.3.1 砸壳之路" (the road to dumping on iOS 10.3.1); I will not repeat the details here.

Using the first, static method (Clutch), I got the following:

iPod:~ root# Clutch -i
Installed apps:
1:   快拍 - Snapchat <com.toyopagroup.picaboo>
2:   优酷视频-世界杯赛事全程高清直播 <com.youku.YouKu>
3:   央视影音 <cn.vuclip.mobiletv>
4:   A4 Player <com.pd.A4Player>
5:   可可英语-英语听力口语训练神器 <com.kekenet.kkyy>
6:   VPN Plus Privacy Protector <vpn.free.proxy.FreeVPN-Plus>
7:   搜狐视频-法医秦明1、2两季独家连播 <com.sohu.iPhoneVideo>
8:   微博 <com.sina.weibo>
9:   腾讯视频 <com.tencent.live4iphone>
10:  Shazam 音乐神搜 <com.shazam.Shazam>
11:  OPlayer Lite - media player <com.olimsoft.oplayer.lite>
12:  VPN - Super Unlimited Proxy <mobi.mobilejump.freevpn>
13:  天天快报 - 腾讯兴趣阅读平台 <com.tencent.reading>
iPod:~ root# Clutch -d 11
Zipping OPlayer Lite.app
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <OPlayer WatchKit Extension> with arch arm64

2018-08-06 17:36:20.796 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.796 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
Error: Failed to dump <OPlayer WatchKit Extension>

2018-08-06 17:36:20.797 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.797 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
ASLR slide: 0x100020000
Dumping <OPlayer Lite> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping OPlayer WatchKit Extension.appex
FAILED: <OPlayer Lite bundleID: com.olimsoft.oplayer.lite>
Finished dumping com.olimsoft.oplayer.lite in 20.9 seconds

Unfortunately it failed; look up the reason yourself...

So it is better to solve this with dynamic dumping instead. If anyone manages to do it with Clutch, please message me!!!

5. Find where the ad lives

iPod:~ root# cycript -p 6593          
cy# [[UIApp keyWindow] recursiveDescription].toString()

<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; autoresize = RM+BM; gestureRecognizers = <NSArray: 0x17024f540>; layer = <UIWindowLayer: 0x170229900>>
   | <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
   |    | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; autoresizesSubviews = NO; layer = <CALayer: 0x17042f420>>
   |    |    | <UIView: 0x10d405740; frame = (0 0; 320 568); layer = <CALayer: 0x17042f620>>
   |    |    |    | <PlayerView: 0x10d43d560; frame = (0 0; 320 568); layer = <CAEAGLLayer: 0x17042f680>>
   |    |    |    | <AVPlayerDemoPlaybackView: 0x10d400320; frame = (0 0; 320 568); layer = <AVPlayerLayer: 0x170633d20>>
   |    |    |    |    | <AVPlayerLayerIntermediateLayer: 0x1706344e0> (layer)
   |    |    |    |    |    | <FigVideoContainerLayer: 0x1704578b0> (layer)
   |    |    |    |    |    |    | <FigVideoLayer: 0x17065cf80> (layer)
   |    |    |    |    |    | <FigSubtitleCALayer: 0x170457c40> (layer)
   |    |    |    |    |    | <AVPlayerLayerIntermediateLayer: 0x170628300> (layer)
   |    |    | <SubtitleLabel: 0x1026f95d0; baseClass = UILabel; frame = (0 0; 320 40); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170291120>>
   |    |    | <UILabel: 0x10d4025d0; frame = (0 62; 320 20); text = 'IMG_4758.MOV'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170290360>>
   |    |    | <UILabel: 0x10d410650; frame = (0 52; 320 50); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17029e6e0>>
   |    |    | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
   |    |    |    | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
   |    |    |    |    | <UIImageView: 0x10d435250; frame = (0 0; 320 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635e80>>
   |    |    |    | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
   |    |    | <RoundedRectView: 0x10265a540; frame = (0 0; 320 64); layer = <CALayer: 0x170429de0>>
   |    |    |    | <PlaySeekView: 0x10d40c050; frame = (39 22; 242 32); layer = <CALayer: 0x170427700>>
   |    |    |    |    | <UILabel: 0x10d452980; frame = (0 3; 60 25); text = '00:00:03'; userInteractionEnabled = NO; tag = 10000; layer = <_UILabelLayer: 0x170292110>>
   |    |    |    |    | <OBSlider: 0x10267c790; baseClass = UISlider; frame = (60 5; 118 22); opaque = NO; tag = 10002; layer = <CALayer: 0x170427000>; value: 3.000000>
   |    |    |    |    |    | <UIView: 0x10d42e1e0; frame = (39 7; 77 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c80>>
   |    |    |    |    |    |    | <UIImageView: 0x10d421cd0; frame = (-37 0; 114 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635cc0>>
   |    |    |    |    |    | <UIImageView: 0x10d429350; frame = (2 7; 37 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d20>>
   |    |    |    |    |    | <UIImageView: 0x102692290; frame = (24 -4; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d80>>
   |    |    |    |    | <UILabel: 0x10d425830; frame = (178 3; 64 25); text = '-00:00:07'; userInteractionEnabled = NO; tag = 10001; layer = <_UILabelLayer: 0x17028d9d0>>
   |    |    |    | <UIButton: 0x10d404790; frame = (258 6; 58 50); opaque = NO; layer = <CALayer: 0x1704351c0>>
   |    |    |    | <UIButton: 0x10d4192a0; frame = (0 6; 58 54); opaque = NO; layer = <CALayer: 0x1704298a0>>
   |    |    |    | <UIButton: 0x10d420dc0; frame = (268 16; 48 44); opaque = NO; layer = <CALayer: 0x170426760>>
   |    |    |    |    | <UIImageView: 0x102770f80; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422c700>>
   |    |    |    | <UIButton: 0x10d424e50; frame = (4 16; 48 44); opaque = NO; layer = <CALayer: 0x170429c20>>
   |    |    |    |    | <UIImageView: 0x10d4b9eb0; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c40>>
   |    |    | <NewRoundedRectView: 0x10d4a96a0; frame = (-5 480; 330 90); layer = <CALayer: 0x17062cce0>>
   |    |    |    | <UIButton: 0x1026a2c40; frame = (34 4; 44 44); opaque = NO; layer = <CALayer: 0x170429780>>
   |    |    |    |    | <UIImageView: 0x10d4e0240; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635bc0>>
   |    |    |    | <UIButton: 0x10d42f130; frame = (86 4; 44 44); opaque = NO; layer = <CALayer: 0x170424520>>
   |    |    |    |    | <UIImageView: 0x10d4de1b0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635ae0>>
   |    |    |    | <UIButton: 0x10d404a60; frame = (138 4; 44 44); opaque = NO; layer = <CALayer: 0x170426040>>
   |    |    |    |    | <UIImageView: 0x10d4dc1d0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635a20>>
   |    |    |    | <UIButton: 0x10d416000; frame = (190 4; 44 44); opaque = NO; layer = <CALayer: 0x170427220>>
   |    |    |    |    | <UIImageView: 0x10d4d3830; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706359e0>>
   |    |    |    | <UIButton: 0x10d434c00; frame = (242 4; 44 44); opaque = NO; layer = <CALayer: 0x1704291c0>>
   |    |    |    |    | <UIImageView: 0x10d4d58c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635980>>
   |    |    |    | <MPVolumeView: 0x10d4c7520; frame = (20 56; 240 30); opaque = NO; layer = <CALayer: 0x170632ea0>>
   |    |    |    |    | <MPButton: 0x10d4c80b0; baseClass = UIButton; frame = (218.5 2; 21.5 18); opaque = NO; autoresize = LM+BM; layer = <CALayer: 0x170428480>>
   |    |    |    |    |    | <UIImageView: 0x10d4c83e0; frame = (-39.25 -41; 100 100); alpha = 0; opaque = NO; userInteractionEnabled = NO; tag = 1886548836; layer = <CALayer: 0x170631b00>>
   |    |    |    |    |    | <UIImageView: 0x10d4d1850; frame = (0 0; 21.5 18); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706358e0>>
   |    |    |    |    | <MPVolumeSlider: 0x10d4c7920; baseClass = UISlider; frame = (0 -5; 211.5 28); opaque = NO; autoresize = W+BM; layer = <CALayer: 0x17062b6c0>; value: 0.000000>
   |    |    |    |    |    | <UIView: 0x10d498720; frame = (2 10; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635460>>
   |    |    |    |    |    |    | <UIImageView: 0x10d425ac0; frame = (0 0; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635560>>
   |    |    |    |    |    | <UIImageView: 0x10d4bc0f0; frame = (2 10; 0 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706355c0>>
   |    |    |    |    |    | <UIImageView: 0x10d4be180; frame = (-3 -1; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635620>>
   |    |    |    | <UIButton: 0x10d4a3210; frame = (276 40; 44 44); opaque = NO; layer = <CALayer: 0x170428180>>
   |    |    |    |    | <UIImageView: 0x1027764c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422a9e0>>
   |    |    |    | <UIButton: 0x10d4a4cb0; frame = (276 40; 44 44); hidden = YES; opaque = NO; layer = <CALayer: 0x17042b500>>
   |    |    | <FloatingView: 0x10d4add90; frame = (45 124; 230 160); hidden = YES; layer = <CALayer: 0x170429300>>
   |    |    |    | <UIButton: 0x10d41c3a0; frame = (21 4; 50 50); opaque = NO; layer = <CALayer: 0x1704330c0>>
   |    |    |    |    | <UIImageView: 0x102700650; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422aa80>>
   |    |    |    | <UIButton: 0x10d498e60; frame = (91 4; 50 50); opaque = NO; layer = <CALayer: 0x1704249a0>>
   |    |    |    |    | <UIImageView: 0x102779690; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17423cb20>>
   |    |    |    | <UIButton: 0x10d4ae9f0; frame = (91 56; 50 50); opaque = NO; layer = <CALayer: 0x170432e00>>
   |    |    |    |    | <UIImageView: 0x1027b2f20; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229f00>>
   |    |    |    | <UIButton: 0x10d4b0900; frame = (21 106; 50 50); opaque = NO; layer = <CALayer: 0x1704328e0>>
   |    |    |    |    | <UIImageView: 0x1026656e0; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634d20>>
   |    |    |    | <UIButton: 0x102738580; frame = (91 106; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x174223f40>>
   |    |    |    |    | <UIImageView: 0x10d497630; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634ba0>>
   |    |    |    | <UIButton: 0x10d4b2960; frame = (161 4; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170425a80>>
   |    |    |    |    | <UIImageView: 0x10d43f260; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170429160>>
   |    |    |    | <UIButton: 0x10d4b49a0; frame = (161 106; 50 50); opaque = NO; layer = <CALayer: 0x170627b20>>
   |    |    |    |    | <UIImageView: 0x10d4b5500; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f880>>
   |    |    | <FloatingView: 0x10d4b67e0; frame = (-5 188; 62 192); layer = <CALayer: 0x170630ae0>>
   |    |    |    | <UIButton: 0x10d4b6d20; frame = (11 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170633160>>
   |    |    |    |    | <UIImageView: 0x10d436ff0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170633ce0>>
   |    |    |    | <UIButton: 0x10d4b7db0; frame = (11 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x17062e040>>
   |    |    |    |    | <UIImageView: 0x1026a9ad0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706337a0>>
   |    |    |    | <UIButton: 0x10d4ba170; frame = (11 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632760>>
   |    |    |    |    | <UIImageView: 0x10d402990; frame = (7 7; 30 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706344c0>>
   |    |    |    | <UIButton: 0x10d4bc3b0; frame = (11 144.8; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632c20>>
   |    |    |    |    | <UIImageView: 0x102797f20; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229de0>>
   |    |    | <FloatingView: 0x10d4b69a0; frame = (263 188; 62 192); layer = <CALayer: 0x170632880>>
   |    |    |    | <UIButton: 0x10d4be440; frame = (6 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632be0>>
   |    |    |    |    | <UIImageView: 0x10d44d340; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062a280>>
   |    |    |    | <UIButton: 0x10d4c04b0; frame = (6 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170629c00>>
   |    |    |    |    | <UIImageView: 0x10d434ed0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632940>>
   |    |    |    | <UIButton: 0x10d4c2490; frame = (6 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x1702377c0>>
   |    |    |    |    | <UIImageView: 0x10264f740; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634b00>>
   |    |    |    | <UIButton: 0x10d4c4090; frame = (6 144.8; 44 44); opaque = NO; tintColor = UIExtendedSRGBColorSpace 0.192157 0.760784 0.486275 1; layer = <CALayer: 0x17062e5a0>>
   |    |    |    |    | <UIImageView: 0x1026d5810; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f7c0>>
   |    |    | <UILabel: 0x10d4c6020; frame = (0 448; 320 30); text = ''; alpha = 0; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048ae10>>
   |    |    | <UILabel: 0x10d4c6b50; frame = (0 284; 320 100); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048a780>>
   |    |    |    | <_UILabelContentLayer: 0x1706337c0> (layer)
   |    |    | <SingleHandRoundedRectView: 0x10d4d9d10; frame = (0 341; 227 227); hidden = YES; layer = <CALayer: 0x170432e80>>
   |    |    |    | <UIImageView: 0x10d4da0e0; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432de0>>
   |    |    |    | <UIButton: 0x10d4d5b80; frame = (80 165; 52 52); opaque = NO; layer = <CALayer: 0x170632dc0>>
   |    |    |    |    | <UIImageView: 0x10268c4f0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426d00>>
   |    |    |    | <UIButton: 0x10d4d1b10; frame = (150 160; 52 52); opaque = NO; layer = <CALayer: 0x17062c6a0>>
   |    |    |    |    | <UIImageView: 0x10d40f400; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062abc0>>
   |    |    |    | <UIButton: 0x10d4cfa80; frame = (105 75; 52 52); opaque = NO; layer = <CALayer: 0x17062b9a0>>
   |    |    |    |    | <UIImageView: 0x1026c59a0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432940>>
   |    |    |    | <UIButton: 0x10d4d3af0; frame = (20 25; 52 52); opaque = NO; layer = <CALayer: 0x170630e20>>
   |    |    |    |    | <UIImageView: 0x10d416a20; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706315a0>>
   |    |    |    | <UIButton: 0x10d4d7870; frame = (10 95; 52 52); opaque = NO; layer = <CALayer: 0x170433720>>
   |    |    |    |    | <UIImageView: 0x10d4a5d50; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170629d00>>
   |    |    |    | <UIButton: 0x10d4d9910; frame = (10 170; 52 52); opaque = NO; layer = <CALayer: 0x170633c00>>
   |    |    |    |    | <UIImageView: 0x10d403130; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706265c0>>
   |    |    | <SingleHandRoundedRectView: 0x10d4e4690; frame = (93 341; 227 227); hidden = YES; layer = <CALayer: 0x170630000>>
   |    |    |    | <UIImageView: 0x10d4e4860; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706273c0>>
   |    |    |    | <UIButton: 0x10d4e0500; frame = (100 165; 52 52); opaque = NO; layer = <CALayer: 0x170424ba0>>
   |    |    |    |    | <UIImageView: 0x10d4006c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632d60>>
   |    |    |    | <UIButton: 0x10d4dc490; frame = (25 160; 52 52); opaque = NO; layer = <CALayer: 0x170633100>>
   |    |    |    |    | <UIImageView: 0x102655f40; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632360>>
   |    |    |    | <UIButton: 0x10d4da2d0; frame = (75 75; 52 52); opaque = NO; layer = <CALayer: 0x170633180>>
   |    |    |    |    | <UIImageView: 0x1026894c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f220>>
   |    |    |    | <UIButton: 0x10d4de470; frame = (165 25; 52 52); opaque = NO; layer = <CALayer: 0x170433580>>
   |    |    |    |    | <UIImageView: 0x10266a930; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f800>>
   |    |    |    | <UIButton: 0x10d4e21f0; frame = (165 95; 52 52); opaque = NO; layer = <CALayer: 0x170433920>>
   |    |    |    |    | <UIImageView: 0x10d42adc0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426c40>>
   |    |    |    | <UIButton: 0x10d4e4290; frame = (170 170; 52 52); opaque = NO; layer = <CALayer: 0x1704293e0>>
   |    |    |    |    | <UIImageView: 0x102663010; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426700>>
   |    |    | <UIButton: 0x10d4e4a50; frame = (260 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062eb20>>
   |    |    |    | <UIImageView: 0x10d41df50; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432820>>
   |    |    | <UIButton: 0x10d4e4d20; frame = (10 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062cf60>>
   |    |    |    | <UIImageView: 0x1026f92a0; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1704270e0>>

A note on this: [[UIApp keyWindow] recursiveDescription].toString() lists every view on the current screen. The more attentive reader will have noticed that each time the playback screen opens, a banner appears at the top reading "Buy the full version to remove ads?". So the simplest approach is to search the dump for that text, which gives:

<UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO;

We can use this as the reference point when debugging with lldb later.

6. Debug the app with debugserver and LLDB
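To make the keyword search above repeatable, here is an added Python helper (not from the original post) that parses recursiveDescription output into a tree and reports the ancestor chain of every view whose text matches. The embedded sample is a constructed excerpt of the dump above, so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed excerpt of the recursiveDescription dump shown above.
SAMPLE_DUMP = """\
<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; autoresize = RM+BM; layer = <UIWindowLayer: 0x170229900>>
   | <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
   |    | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; autoresizesSubviews = NO; layer = <CALayer: 0x17042f420>>
   |    |    | <UIView: 0x10d405740; frame = (0 0; 320 568); layer = <CALayer: 0x17042f620>>
   |    |    |    | <PlayerView: 0x10d43d560; frame = (0 0; 320 568); layer = <CAEAGLLayer: 0x17042f680>>
   |    |    | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
   |    |    |    | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
   |    |    |    |    | <UIImageView: 0x10d435250; frame = (0 0; 320 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635e80>>
   |    |    |    | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
   |    |    | <FloatingView: 0x10d4add90; frame = (45 124; 230 160); hidden = YES; layer = <CALayer: 0x170429300>>
"""

# One dump line: pipes give the nesting depth, then "<Class: 0xaddr; attrs...>".
NODE_RE = re.compile(r"^(?P<indent>(?:\s*\|)*)\s*<(?P<cls>\w+): (?P<addr>0x[0-9a-fA-F]+)(?P<rest>.*)$")
FRAME_RE = re.compile(r"frame = \((-?[\d.]+) (-?[\d.]+); (-?[\d.]+) (-?[\d.]+)\)")
TEXT_RE = re.compile(r"text = '([^']*)'")


@dataclass(eq=False)
class View:
    cls: str
    addr: int
    depth: int
    frame: Optional[Tuple[float, float, float, float]] = None
    text: Optional[str] = None
    hidden: bool = False
    is_layer: bool = False          # "(layer)" entries are CALayers, not views
    parent: Optional["View"] = field(default=None, repr=False)
    children: List["View"] = field(default_factory=list, repr=False)


def parse_hierarchy(dump: str) -> List[View]:
    """Build a tree from recursiveDescription output; returns the root views."""
    roots: List[View] = []
    stack: List[View] = []  # open ancestors of the line being parsed, innermost last
    for line in dump.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # blank lines, the cy# prompt, etc.
        rest = m.group("rest")
        fm = FRAME_RE.search(rest)
        tm = TEXT_RE.search(rest)
        node = View(
            cls=m.group("cls"),
            addr=int(m.group("addr"), 16),
            depth=m.group("indent").count("|"),
            frame=tuple(float(v) for v in fm.groups()) if fm else None,
            text=tm.group(1) if tm else None,
            hidden="hidden = YES" in rest,
            is_layer=rest.rstrip().endswith("(layer)"),
        )
        while stack and stack[-1].depth >= node.depth:
            stack.pop()
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        else:
            roots.append(node)
        stack.append(node)
    return roots


def walk(nodes: List[View]) -> Iterator[View]:
    """Depth-first traversal in dump order."""
    for n in nodes:
        yield n
        yield from walk(n.children)


def find_by_text(roots: List[View], needle: str) -> List[View]:
    """Views whose text attribute contains needle (the keyword search done by hand above)."""
    return [v for v in walk(roots) if v.text is not None and needle in v.text]


def ancestry(view: View) -> List[View]:
    """Chain from the root window down to view, inclusive."""
    chain: List[View] = []
    cur: Optional[View] = view
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    return chain[::-1]


def describe(view: View) -> str:
    frame = "" if view.frame is None else " frame=(%g %g; %g %g)" % view.frame
    text = "" if view.text is None else " text=%r" % view.text
    return "%s(0x%x)%s%s" % (view.cls, view.addr, frame, text)


if __name__ == "__main__":
    roots = parse_hierarchy(SAMPLE_DUMP)
    for hit in find_by_text(roots, "Buy the full version"):
        print(" > ".join(describe(v) for v in ancestry(hit)))
```

Feed it the full dump pasted from cycript and the ancestor chain tells you which container view (here the 320x50 UIView holding the button and label) is the banner to track in lldb.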

debugserver *:1234 -a "OPlayer Lite"

7. Open a new terminal and connect LLDB to the app

lldb
process connect connect://172.20.128.176:1234

8. Next, look at the load offsets (ASLR slides) of the modules

image list -o -f
[  0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)

......

[  7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit

Using Hopper v4, find the file address of addSubview: in the UIKit framework:
addSubview:0x0000000187775d24

From image list -o -f, the slide (load offset) of the UIKit module in this process is:
UIKit: 0x0000000000350000

Set a breakpoint at the slid address (slide + file address):

br s -a 0x0000000000350000+0x0000000187775d24
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<PlayerView: 0x1027f27d0; frame = (0 0; 568 320); layer = <CAEAGLLayer: 0x1704298c0>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIView: 0x1027f32a0; frame = (0 0; 568 320); layer = <CALayer: 0x17042dc40>>

......
......
......

(lldb) po $x2
<UILayoutContainerView: 0x1027700d0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1702374e0>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIButton: 0x10f23eb00; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x17042e180>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UILabel: 0x10f2009b0; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17028bc70>>

At this point we have found the relevant control. Next, use the ni command to step forward until execution returns to the address in the target module that made the call.

(lldb) ni
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d28 UIKit`-[UIView(Hierarchy) addSubview:] + 4
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d2c UIKit`-[UIView(Hierarchy) addSubview:] + 8
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
    0x187ac5d38 <+20>: mov    x20, x0
Target 0: (OPlayer Lite) stopped.
(lldb)  
(lldb) 
error: invalid thread
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d30 UIKit`-[UIView(Hierarchy) addSubview:] + 12
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
    0x187ac5d38 <+20>: mov    x20, x0
    0x187ac5d3c <+24>: mov    x0, x2
Target 0: (OPlayer Lite) stopped.
(lldb)  
 
 ........
 
 
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac6074 UIKit`-[UIView(Hierarchy) addSubview:] + 848
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac6074 <+848>: b      0x180414250               ; objc_release

UIKit`-[UIView(Internal) _addSubview:positioned:relativeTo:]:
    0x187ac6078 <+0>:   stp    x28, x27, [sp, #-0x60]!
    0x187ac607c <+4>:   stp    x26, x25, [sp, #0x10]
    0x187ac6080 <+8>:   stp    x24, x23, [sp, #0x20]
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368
OPlayer Lite`_mh_execute_header:
->  0x1003d01f8 <+3621368>: adrp   x8, 5089
    0x1003d01fc <+3621372>: ldr    x20, [x8, #0x630]
    0x1003d0200 <+3621376>: mov    x0, x19
    0x1003d0204 <+3621380>: mov    x1, x20
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x00000001003d01fc OPlayer Lite`_mh_execute_header + 3621372
OPlayer Lite`_mh_execute_header:
->  0x1003d01fc <+3621372>: ldr    x20, [x8, #0x630]
    0x1003d0200 <+3621376>: mov    x0, x19
    0x1003d0204 <+3621380>: mov    x1, x20
    0x1003d0208 <+3621384>: bl     0x10106f28c               ; symbol stub for: objc_msgSend
Target 0: (OPlayer Lite) stopped.

From the output, execution has returned into the OPlayer Lite module at 0x1003d01f8.
Subtracting the OPlayer Lite slide 0x000000000005c000 gives the file address:

(lldb) p/x 0x1003d01f8-0x000000000005c000
(long) $74 = 0x00000001003741f8

Then enter 0x00000001003741f8 into the already open Hopper Disassembler v4 and jump to it with the G shortcut; the result is:

01.png

From this result we can make a guess: addAds_OnLocalAds is very likely the method we are looking for. Next, we set a breakpoint on it; first find the address of addAds_OnLocalAds:

02.png

The address is 0x000000010037c518; add the slide to get the runtime address:

(lldb) p/x 0x000000010037c518+0x000000000005c000
(long) $76 = 0x00000001003d8518
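The slide arithmetic used from step 8 onward (Hopper address + slide for `br s -a`; lldb address - slide for Hopper's G jump) as an added Python helper, not part of the original post: it parses `image list -o -f` output and lldb `frame #N:` stop lines so the conversion is not done by hand each time. The embedded sample is constructed from the two image entries shown earlier.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of `image list -o -f` output: the main binary and UIKit.
IMAGE_LIST = """\
[  0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)
[  7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
"""

# "[ idx] 0xslide /path/to/Module(0xload)"; the "(0xload)" suffix is optional.
IMAGE_RE = re.compile(
    r"^\[\s*(?P<idx>\d+)\]\s+(?P<slide>0x[0-9a-fA-F]+)\s+(?P<path>.*?)"
    r"(?:\((?P<load>0x[0-9a-fA-F]+)\))?\s*$"
)
# "frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368"
FRAME_RE = re.compile(r"frame #\d+: (?P<addr>0x[0-9a-fA-F]+) (?P<module>.+?)`(?P<symbol>.*)$")


@dataclass(frozen=True)
class Image:
    name: str             # basename of the path, the name lldb prints in frames
    slide: int            # ASLR slide: runtime address - file address
    load: Optional[int]   # load address when lldb prints it (main binary here)


def parse_image_list(output: str) -> Dict[str, Image]:
    """Map module name -> Image for every line of `image list -o -f`."""
    images: Dict[str, Image] = {}
    for line in output.splitlines():
        m = IMAGE_RE.match(line)
        if not m:
            continue  # "......" and other non-image lines
        name = m.group("path").rsplit("/", 1)[-1]
        load = m.group("load")
        images[name] = Image(name, int(m.group("slide"), 16), int(load, 16) if load else None)
    return images


def file_to_runtime(file_addr: int, slide: int) -> int:
    """Hopper (unslid) address -> address to pass to `br s -a`."""
    return file_addr + slide


def runtime_to_file(runtime_addr: int, slide: int) -> int:
    """Address seen in lldb ($pc, $lr) -> address to jump to in Hopper with G."""
    return runtime_addr - slide


def breakpoint_command(module: str, file_addr: int, images: Dict[str, Image]) -> str:
    """lldb command that breaks at a Hopper address inside the given module."""
    return "br s -a 0x%x" % file_to_runtime(file_addr, images[module].slide)


def frame_to_file_address(frame_line: str, images: Dict[str, Image]) -> Tuple[str, int]:
    """Map an lldb `frame #N:` stop line back to (module, Hopper address)."""
    m = FRAME_RE.search(frame_line)
    if not m:
        raise ValueError("not an lldb frame line: %r" % frame_line)
    module = m.group("module")
    if module not in images:
        raise KeyError("module %r not present in image list" % module)
    return module, runtime_to_file(int(m.group("addr"), 16), images[module].slide)


if __name__ == "__main__":
    imgs = parse_image_list(IMAGE_LIST)
    print(breakpoint_command("UIKit", 0x187775d24, imgs))       # addSubview: breakpoint
    print(breakpoint_command("OPlayer Lite", 0x10037c518, imgs))  # addAds_OnLocalAds breakpoint
    stop = "    frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368"
    print("%s file address 0x%x" % frame_to_file_address(stop, imgs))
```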

The device may be frozen at this point; resume execution and delete all breakpoints:

(lldb) c
Process 432 resuming
(lldb) br del
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (1 breakpoint)

Set the breakpoint again, this time at addAds_OnLocalAds:

br s -a 0x00000001003d8518

Then go back to the previous screen and play the video again; the terminal prints:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x00000001003d8518 OPlayer Lite`_mh_execute_header + 3654936
OPlayer Lite`_mh_execute_header:
->  0x1003d8518 <+3654936>: stp    d9, d8, [sp, #-0x50]!
    0x1003d851c <+3654940>: stp    x24, x23, [sp, #0x10]
    0x1003d8520 <+3654944>: stp    x22, x21, [sp, #0x20]
    0x1003d8524 <+3654948>: stp    x20, x19, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb)  

Next, read the selector name from $x1 to confirm where we stopped:

(lldb) p (char*)$x1
(char *) $78 = 0x0000000101454c97 "addAds_OnLocalAds"

The address the method returns to after it finishes ($lr):

(lldb) p/x $lr
(unsigned long) $83 = 0x00000001003d01f8
(lldb) p/x 0x00000001003d01f8-0x000000000005c000
(long) $84 = 0x00000001003741f8

0x00000001003741f8 is the address we want; jump to it in Hopper v4:

03.png

In the figure above we find the method addAds_OnLocalAds, which confirms the location is right. The cbnz instruction shows that this spot is a conditional branch.

The key piece of information: we can also see that the "PlayViewController" controller has a member variable named 'localAdView'.

Continuing upward, we find that this method is called from [PlayViewController viewWillAppear:], as shown below:

04.png

Next, let's confirm this.

Get the header files with class-dump. I won't go into the details here; the command is:

class-dump OPlayer_Lite.decrypted -H -o header

Then confirm in the header folder.

OK. At this point we have found the screen where the ad is loaded. Now we need a project to implement the final fix.

III. Locating and patching with MonkeyDev

For simplicity I used MonkeyDev here; Theos works too, and I have tested that myself!!!

For how to install MonkeyDev, see "MonkeyDev安装教程及简介" (MonkeyDev installation tutorial and introduction).

Note that the advantage of MonkeyDev is that it lets you debug the app through its UI and locate controls; if Reveal, the UI debugging tool for iOS, is installed it is even easier. However,
MonkeyDev needs an already decrypted ipa, which can be obtained with PP Assistant on Windows.

First create a new project named Oplayerlite. There is not much else to it, so I will just paste the key code.

07.png

Then run the project. The UIView related to 'Buy the full version to remove ads?' is gone, but a new ad has appeared. The screenshot below is from Reveal; Xcode works as well.

08.png

Then in PlayViewController I found the related declaration GADBannerView *gAdView;, and searching the headers for GADBannerView turned up the following methods:

09.png

At this point, somewhat skeptically, I tried changing OplayerliteDylib.xm in the project to the following:

// See http://iphonedevwiki.net/index.php/Logos

#import <UIKit/UIKit.h>

// Forward declaration of the app's own controller so the hook can use the
// property; the real class lives in the app binary (see the class-dump headers).
@interface PlayViewController : UIViewController

@property(strong, nonatomic) UIView *localAdView;

@end

%hook PlayViewController

// addAds_OnLocalAds is called from viewWillAppear:; replacing localAdView with
// an empty zero-size view before the original runs removes the top banner.
- (void)viewWillAppear:(BOOL)arg1
{
    self.localAdView = [[UIView alloc] initWithFrame:CGRectZero];
    %orig;
}

%end


%hook GADBannerView

// Swallow setFrame: without calling %orig, so the banner view is never given
// a visible frame; the log line just shows the hook firing.
- (void)setFrame:(struct CGRect)arg1
{
    NSLog(@"__%s__", __func__);
}

%end

Then run it again; surprisingly, it worked.

OK, congratulations. At this point ad removal during OPlayer Lite playback is really working.

IV. Packaging and installing the app on a non-jailbroken device

Afterwards, I looked into how to install this app on a non-jailbroken device.

10.png

Export the app, put it into a Payload folder, zip it, and rename the archive to .ipa. It may still not install at this point; one last step is needed: re-signing the ipa.
See "iOS重签名操作" (iOS re-signing) for details.
