iOS reverse engineering: removing the ads from OPlayer Lite
I. Environment
1. iPod touch 6 running iOS 10.3.1 (jailbroken)
2. Xcode with MonkeyDev installed
3. OPlayer Lite.ipa (obtained with PP Assistant on Windows) [optional]
II. Locating the ad with lldb
1. Install OPlayer Lite (the "media player") from the App Store. To make debugging easier, set the device language to English; the banner text is searched for later.
2. Connect to the jailbroken device over SSH:
ssh root@172.20.134.8
3. Close the other apps on the device, ideally leaving only OPlayer Lite running. List the running processes and filter for the target (its PID, 6593 here, is needed for cycript below):
iPod:~ root# ps aux | grep OPlayer
mobile 6593 3.6 6.5 1384832 66024 ?? Ss 5:27PM 0:20.84 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite
root 6607 0.0 0.0 624224 8 s000 R+ 5:29PM 0:00.00 grep OPlayer
4. Dump the decrypted binary using either of the two methods from the "iOS 10.3.1 app decryption (砸壳)" tutorial; I won't repeat them here.
My result with the first, static method (Clutch) was:
iPod:~ root# Clutch -i
Installed apps:
1: 快拍 - Snapchat <com.toyopagroup.picaboo>
2: 优酷视频-世界杯赛事全程高清直播 <com.youku.YouKu>
3: 央视影音 <cn.vuclip.mobiletv>
4: A4 Player <com.pd.A4Player>
5: 可可英语-英语听力口语训练神器 <com.kekenet.kkyy>
6: VPN Plus Privacy Protector <vpn.free.proxy.FreeVPN-Plus>
7: 搜狐视频-法医秦明1、2两季独家连播 <com.sohu.iPhoneVideo>
8: 微博 <com.sina.weibo>
9: 腾讯视频 <com.tencent.live4iphone>
10: Shazam 音乐神搜 <com.shazam.Shazam>
11: OPlayer Lite - media player <com.olimsoft.oplayer.lite>
12: VPN - Super Unlimited Proxy <mobi.mobilejump.freevpn>
13: 天天快报 - 腾讯兴趣阅读平台 <com.tencent.reading>
iPod:~ root# Clutch -d 11
Zipping OPlayer Lite.app
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!
Error: Failed to dump <OPlayer WatchKit Extension> with arch arm64
2018-08-06 17:36:20.796 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.796 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
Error: Failed to dump <OPlayer WatchKit Extension>
2018-08-06 17:36:20.797 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.797 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
ASLR slide: 0x100020000
Dumping <OPlayer Lite> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping OPlayer WatchKit Extension.appex
FAILED: <OPlayer Lite bundleID: com.olimsoft.oplayer.lite>
Finished dumping com.olimsoft.oplayer.lite in 20.9 seconds
Unfortunately it failed: the log shows that the main arm64 binary was dumped and its cryptid patched, but Clutch could not obtain a mach port for the embedded OPlayer WatchKit Extension, so the whole bundle is reported as FAILED. I won't dig into the cause here.
So it is better to fall back to dynamic dumping. If anyone gets the Clutch route to work, please message me!!!
5. Find where the ad lives in the view hierarchy
iPod:~ root# cycript -p 6593
cy# [[UIApp keyWindow] recursiveDescription].toString()
`<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; autoresize = RM+BM; gestureRecognizers = <NSArray: 0x17024f540>; layer = <UIWindowLayer: 0x170229900>>
| <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
| | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; autoresizesSubviews = NO; layer = <CALayer: 0x17042f420>>
| | | <UIView: 0x10d405740; frame = (0 0; 320 568); layer = <CALayer: 0x17042f620>>
| | | | <PlayerView: 0x10d43d560; frame = (0 0; 320 568); layer = <CAEAGLLayer: 0x17042f680>>
| | | | <AVPlayerDemoPlaybackView: 0x10d400320; frame = (0 0; 320 568); layer = <AVPlayerLayer: 0x170633d20>>
| | | | | <AVPlayerLayerIntermediateLayer: 0x1706344e0> (layer)
| | | | | | <FigVideoContainerLayer: 0x1704578b0> (layer)
| | | | | | | <FigVideoLayer: 0x17065cf80> (layer)
| | | | | | <FigSubtitleCALayer: 0x170457c40> (layer)
| | | | | | <AVPlayerLayerIntermediateLayer: 0x170628300> (layer)
| | | <SubtitleLabel: 0x1026f95d0; baseClass = UILabel; frame = (0 0; 320 40); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170291120>>
| | | <UILabel: 0x10d4025d0; frame = (0 62; 320 20); text = 'IMG_4758.MOV'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170290360>>
| | | <UILabel: 0x10d410650; frame = (0 52; 320 50); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17029e6e0>>
| | | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
| | | | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
| | | | | <UIImageView: 0x10d435250; frame = (0 0; 320 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635e80>>
| | | | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
| | | <RoundedRectView: 0x10265a540; frame = (0 0; 320 64); layer = <CALayer: 0x170429de0>>
| | | | <PlaySeekView: 0x10d40c050; frame = (39 22; 242 32); layer = <CALayer: 0x170427700>>
| | | | | <UILabel: 0x10d452980; frame = (0 3; 60 25); text = '00:00:03'; userInteractionEnabled = NO; tag = 10000; layer = <_UILabelLayer: 0x170292110>>
| | | | | <OBSlider: 0x10267c790; baseClass = UISlider; frame = (60 5; 118 22); opaque = NO; tag = 10002; layer = <CALayer: 0x170427000>; value: 3.000000>
| | | | | | <UIView: 0x10d42e1e0; frame = (39 7; 77 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c80>>
| | | | | | | <UIImageView: 0x10d421cd0; frame = (-37 0; 114 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635cc0>>
| | | | | | <UIImageView: 0x10d429350; frame = (2 7; 37 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d20>>
| | | | | | <UIImageView: 0x102692290; frame = (24 -4; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d80>>
| | | | | <UILabel: 0x10d425830; frame = (178 3; 64 25); text = '-00:00:07'; userInteractionEnabled = NO; tag = 10001; layer = <_UILabelLayer: 0x17028d9d0>>
| | | | <UIButton: 0x10d404790; frame = (258 6; 58 50); opaque = NO; layer = <CALayer: 0x1704351c0>>
| | | | <UIButton: 0x10d4192a0; frame = (0 6; 58 54); opaque = NO; layer = <CALayer: 0x1704298a0>>
| | | | <UIButton: 0x10d420dc0; frame = (268 16; 48 44); opaque = NO; layer = <CALayer: 0x170426760>>
| | | | | <UIImageView: 0x102770f80; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422c700>>
| | | | <UIButton: 0x10d424e50; frame = (4 16; 48 44); opaque = NO; layer = <CALayer: 0x170429c20>>
| | | | | <UIImageView: 0x10d4b9eb0; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c40>>
| | | <NewRoundedRectView: 0x10d4a96a0; frame = (-5 480; 330 90); layer = <CALayer: 0x17062cce0>>
| | | | <UIButton: 0x1026a2c40; frame = (34 4; 44 44); opaque = NO; layer = <CALayer: 0x170429780>>
| | | | | <UIImageView: 0x10d4e0240; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635bc0>>
| | | | <UIButton: 0x10d42f130; frame = (86 4; 44 44); opaque = NO; layer = <CALayer: 0x170424520>>
| | | | | <UIImageView: 0x10d4de1b0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635ae0>>
| | | | <UIButton: 0x10d404a60; frame = (138 4; 44 44); opaque = NO; layer = <CALayer: 0x170426040>>
| | | | | <UIImageView: 0x10d4dc1d0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635a20>>
| | | | <UIButton: 0x10d416000; frame = (190 4; 44 44); opaque = NO; layer = <CALayer: 0x170427220>>
| | | | | <UIImageView: 0x10d4d3830; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706359e0>>
| | | | <UIButton: 0x10d434c00; frame = (242 4; 44 44); opaque = NO; layer = <CALayer: 0x1704291c0>>
| | | | | <UIImageView: 0x10d4d58c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635980>>
| | | | <MPVolumeView: 0x10d4c7520; frame = (20 56; 240 30); opaque = NO; layer = <CALayer: 0x170632ea0>>
| | | | | <MPButton: 0x10d4c80b0; baseClass = UIButton; frame = (218.5 2; 21.5 18); opaque = NO; autoresize = LM+BM; layer = <CALayer: 0x170428480>>
| | | | | | <UIImageView: 0x10d4c83e0; frame = (-39.25 -41; 100 100); alpha = 0; opaque = NO; userInteractionEnabled = NO; tag = 1886548836; layer = <CALayer: 0x170631b00>>
| | | | | | <UIImageView: 0x10d4d1850; frame = (0 0; 21.5 18); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706358e0>>
| | | | | <MPVolumeSlider: 0x10d4c7920; baseClass = UISlider; frame = (0 -5; 211.5 28); opaque = NO; autoresize = W+BM; layer = <CALayer: 0x17062b6c0>; value: 0.000000>
| | | | | | <UIView: 0x10d498720; frame = (2 10; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635460>>
| | | | | | | <UIImageView: 0x10d425ac0; frame = (0 0; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635560>>
| | | | | | <UIImageView: 0x10d4bc0f0; frame = (2 10; 0 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706355c0>>
| | | | | | <UIImageView: 0x10d4be180; frame = (-3 -1; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635620>>
| | | | <UIButton: 0x10d4a3210; frame = (276 40; 44 44); opaque = NO; layer = <CALayer: 0x170428180>>
| | | | | <UIImageView: 0x1027764c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422a9e0>>
| | | | <UIButton: 0x10d4a4cb0; frame = (276 40; 44 44); hidden = YES; opaque = NO; layer = <CALayer: 0x17042b500>>
| | | <FloatingView: 0x10d4add90; frame = (45 124; 230 160); hidden = YES; layer = <CALayer: 0x170429300>>
| | | | <UIButton: 0x10d41c3a0; frame = (21 4; 50 50); opaque = NO; layer = <CALayer: 0x1704330c0>>
| | | | | <UIImageView: 0x102700650; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422aa80>>
| | | | <UIButton: 0x10d498e60; frame = (91 4; 50 50); opaque = NO; layer = <CALayer: 0x1704249a0>>
| | | | | <UIImageView: 0x102779690; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17423cb20>>
| | | | <UIButton: 0x10d4ae9f0; frame = (91 56; 50 50); opaque = NO; layer = <CALayer: 0x170432e00>>
| | | | | <UIImageView: 0x1027b2f20; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229f00>>
| | | | <UIButton: 0x10d4b0900; frame = (21 106; 50 50); opaque = NO; layer = <CALayer: 0x1704328e0>>
| | | | | <UIImageView: 0x1026656e0; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634d20>>
| | | | <UIButton: 0x102738580; frame = (91 106; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x174223f40>>
| | | | | <UIImageView: 0x10d497630; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634ba0>>
| | | | <UIButton: 0x10d4b2960; frame = (161 4; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170425a80>>
| | | | | <UIImageView: 0x10d43f260; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170429160>>
| | | | <UIButton: 0x10d4b49a0; frame = (161 106; 50 50); opaque = NO; layer = <CALayer: 0x170627b20>>
| | | | | <UIImageView: 0x10d4b5500; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f880>>
| | | <FloatingView: 0x10d4b67e0; frame = (-5 188; 62 192); layer = <CALayer: 0x170630ae0>>
| | | | <UIButton: 0x10d4b6d20; frame = (11 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170633160>>
| | | | | <UIImageView: 0x10d436ff0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170633ce0>>
| | | | <UIButton: 0x10d4b7db0; frame = (11 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x17062e040>>
| | | | | <UIImageView: 0x1026a9ad0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706337a0>>
| | | | <UIButton: 0x10d4ba170; frame = (11 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632760>>
| | | | | <UIImageView: 0x10d402990; frame = (7 7; 30 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706344c0>>
| | | | <UIButton: 0x10d4bc3b0; frame = (11 144.8; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632c20>>
| | | | | <UIImageView: 0x102797f20; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229de0>>
| | | <FloatingView: 0x10d4b69a0; frame = (263 188; 62 192); layer = <CALayer: 0x170632880>>
| | | | <UIButton: 0x10d4be440; frame = (6 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632be0>>
| | | | | <UIImageView: 0x10d44d340; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062a280>>
| | | | <UIButton: 0x10d4c04b0; frame = (6 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170629c00>>
| | | | | <UIImageView: 0x10d434ed0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632940>>
| | | | <UIButton: 0x10d4c2490; frame = (6 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x1702377c0>>
| | | | | <UIImageView: 0x10264f740; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634b00>>
| | | | <UIButton: 0x10d4c4090; frame = (6 144.8; 44 44); opaque = NO; tintColor = UIExtendedSRGBColorSpace 0.192157 0.760784 0.486275 1; layer = <CALayer: 0x17062e5a0>>
| | | | | <UIImageView: 0x1026d5810; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f7c0>>
| | | <UILabel: 0x10d4c6020; frame = (0 448; 320 30); text = ''; alpha = 0; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048ae10>>
| | | <UILabel: 0x10d4c6b50; frame = (0 284; 320 100); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048a780>>
| | | | <_UILabelContentLayer: 0x1706337c0> (layer)
| | | <SingleHandRoundedRectView: 0x10d4d9d10; frame = (0 341; 227 227); hidden = YES; layer = <CALayer: 0x170432e80>>
| | | | <UIImageView: 0x10d4da0e0; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432de0>>
| | | | <UIButton: 0x10d4d5b80; frame = (80 165; 52 52); opaque = NO; layer = <CALayer: 0x170632dc0>>
| | | | | <UIImageView: 0x10268c4f0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426d00>>
| | | | <UIButton: 0x10d4d1b10; frame = (150 160; 52 52); opaque = NO; layer = <CALayer: 0x17062c6a0>>
| | | | | <UIImageView: 0x10d40f400; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062abc0>>
| | | | <UIButton: 0x10d4cfa80; frame = (105 75; 52 52); opaque = NO; layer = <CALayer: 0x17062b9a0>>
| | | | | <UIImageView: 0x1026c59a0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432940>>
| | | | <UIButton: 0x10d4d3af0; frame = (20 25; 52 52); opaque = NO; layer = <CALayer: 0x170630e20>>
| | | | | <UIImageView: 0x10d416a20; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706315a0>>
| | | | <UIButton: 0x10d4d7870; frame = (10 95; 52 52); opaque = NO; layer = <CALayer: 0x170433720>>
| | | | | <UIImageView: 0x10d4a5d50; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170629d00>>
| | | | <UIButton: 0x10d4d9910; frame = (10 170; 52 52); opaque = NO; layer = <CALayer: 0x170633c00>>
| | | | | <UIImageView: 0x10d403130; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706265c0>>
| | | <SingleHandRoundedRectView: 0x10d4e4690; frame = (93 341; 227 227); hidden = YES; layer = <CALayer: 0x170630000>>
| | | | <UIImageView: 0x10d4e4860; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706273c0>>
| | | | <UIButton: 0x10d4e0500; frame = (100 165; 52 52); opaque = NO; layer = <CALayer: 0x170424ba0>>
| | | | | <UIImageView: 0x10d4006c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632d60>>
| | | | <UIButton: 0x10d4dc490; frame = (25 160; 52 52); opaque = NO; layer = <CALayer: 0x170633100>>
| | | | | <UIImageView: 0x102655f40; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632360>>
| | | | <UIButton: 0x10d4da2d0; frame = (75 75; 52 52); opaque = NO; layer = <CALayer: 0x170633180>>
| | | | | <UIImageView: 0x1026894c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f220>>
| | | | <UIButton: 0x10d4de470; frame = (165 25; 52 52); opaque = NO; layer = <CALayer: 0x170433580>>
| | | | | <UIImageView: 0x10266a930; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f800>>
| | | | <UIButton: 0x10d4e21f0; frame = (165 95; 52 52); opaque = NO; layer = <CALayer: 0x170433920>>
| | | | | <UIImageView: 0x10d42adc0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426c40>>
| | | | <UIButton: 0x10d4e4290; frame = (170 170; 52 52); opaque = NO; layer = <CALayer: 0x1704293e0>>
| | | | | <UIImageView: 0x102663010; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426700>>
| | | <UIButton: 0x10d4e4a50; frame = (260 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062eb20>>
| | | | <UIImageView: 0x10d41df50; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432820>>
| | | <UIButton: 0x10d4e4d20; frame = (10 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062cf60>>
| | | | <UIImageView: 0x1026f92a0; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1704270e0>>`
A word of explanation: [[UIApp keyWindow] recursiveDescription].toString() prints every view in the current window hierarchy. If you look closely you will notice that every time the playback screen opens there is a banner across the top reading "Buy the full version to remove ads?". The simplest approach is therefore to search the dump for that text, which yields:
<UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO;
We use this label as the reference point for the lldb session below.
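The search the post does by eye (scanning the dump for the banner text) can be automated, and it is more useful if the tool also reports the label's superview chain, since the superview is what you actually need to hide. The Python below is an example added here, not code from the original post; SAMPLE_DUMP is a hand-abridged copy of the cycript output above (same classes, addresses and frames), and the helper names are mine.

```python
"""Search a UIKit recursiveDescription dump and report each hit's ancestors.

Added example, not code from the original post. Depth is derived from the
number of '|' separators before '<Class: 0x...', so collapsed whitespace in
a copied dump does not matter.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the cycript output in the post,
# keeping the window, the ad banner container (UIView 0x1027b8070) with its
# button and label, and one sibling view.
SAMPLE_DUMP = """\
<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; layer = <UIWindowLayer: 0x170229900>>
| <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
| | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; autoresizesSubviews = NO; layer = <CALayer: 0x17042f420>>
| | | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
| | | | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
| | | | | <UIImageView: 0x10d435250; frame = (0 0; 320 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635e80>>
| | | | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
| | | <RoundedRectView: 0x10265a540; frame = (0 0; 320 64); layer = <CALayer: 0x170429de0>>
"""

LINE_RE = re.compile(r"^\s*([|\s]*)<([A-Za-z_]\w*): (0x[0-9a-fA-F]+)(.*)$")
FRAME_RE = re.compile(r"frame = \(([-\d.]+) ([-\d.]+); ([-\d.]+) ([-\d.]+)\)")
TEXT_RE = re.compile(r"text = '([^']*)'")


@dataclass
class View:
    depth: int
    cls: str
    addr: str
    frame: Optional[tuple]
    text: Optional[str]
    raw: str
    parent: Optional["View"] = field(default=None, repr=False)


def parse_dump(dump: str) -> List[View]:
    """Turn recursiveDescription text into View records with parent links."""
    views: List[View] = []
    stack: List[View] = []  # ancestors of the line being processed
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = m.group(1).count("|")
        fm = FRAME_RE.search(m.group(4))
        frame = tuple(float(v) for v in fm.groups()) if fm else None
        tm = TEXT_RE.search(m.group(4))
        view = View(depth, m.group(2), m.group(3), frame,
                    tm.group(1) if tm else None, line.strip())
        # The nearest preceding line with a smaller depth is the superview.
        while stack and stack[-1].depth >= depth:
            stack.pop()
        view.parent = stack[-1] if stack else None
        stack.append(view)
        views.append(view)
    return views


def find_views(views: List[View], keyword: str) -> List[View]:
    """Case-insensitive search of the whole description line (text, class, tag...)."""
    needle = keyword.lower()
    return [v for v in views if needle in v.raw.lower()]


def ancestor_chain(view: View) -> List[View]:
    """Path from the root window down to `view`, inclusive."""
    chain: List[View] = []
    node: Optional[View] = view
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]


def describe_chain(view: View) -> str:
    return " > ".join(f"{v.cls}({v.addr})" for v in ancestor_chain(view))


if __name__ == "__main__":
    for hit in find_views(parse_dump(SAMPLE_DUMP), "Buy the full version"):
        print(describe_chain(hit))
        print("  superview frame:", hit.parent.frame if hit.parent else None)
```

Feed it the full dump saved from cycript and the chain tells you that the label's direct superview is the 320x50 UIView at the top of the screen, i.e. the whole banner, not just its text.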
6. Attach debugserver to the app (run on the device) so LLDB can drive it
debugserver *:1234 -a "OPlayer Lite"
7. In a new terminal on the Mac, start LLDB and connect to the app
lldb
process connect connect://172.20.128.176:1234
8. Next, list the loaded images together with their ASLR slides
image list -o -f
[ 0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)
......
[ 7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
Open UIKit in Hopper v4 and locate -[UIView addSubview:]. Its address in the UIKit binary (the device-support copy listed above) is:
addSubview: 0x0000000187775d24
From the image list -o -f output, the slide UIKit was loaded with in this process is:
UIKit: 0x0000000000350000
The runtime address is slide + file address, so set the breakpoint there (lldb evaluates the expression):
br s -a 0x0000000000350000+0x0000000187775d24
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d24 <+0>: stp x24, x23, [sp, #-0x40]!
0x187ac5d28 <+4>: stp x22, x21, [sp, #0x10]
0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<PlayerView: 0x1027f27d0; frame = (0 0; 568 320); layer = <CAEAGLLayer: 0x1704298c0>>
(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d24 <+0>: stp x24, x23, [sp, #-0x40]!
0x187ac5d28 <+4>: stp x22, x21, [sp, #0x10]
0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIView: 0x1027f32a0; frame = (0 0; 568 320); layer = <CALayer: 0x17042dc40>>
......
......
......
(lldb) po $x2
<UILayoutContainerView: 0x1027700d0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1702374e0>>
(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d24 <+0>: stp x24, x23, [sp, #-0x40]!
0x187ac5d28 <+4>: stp x22, x21, [sp, #0x10]
0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIButton: 0x10f23eb00; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x17042e180>>
(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d24 <+0>: stp x24, x23, [sp, #-0x40]!
0x187ac5d28 <+4>: stp x22, x21, [sp, #0x10]
0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UILabel: 0x10f2009b0; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17028bc70>>
At this point the breakpoint has caught the ad label being added. Now step instruction by instruction with ni until -[UIView addSubview:] returns, which lands us on the instruction right after the call inside the OPlayer Lite binary. (Reading $lr at the breakpoint, as done further below, gives this return address directly without stepping.)
(lldb) ni
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x0000000187ac5d28 UIKit`-[UIView(Hierarchy) addSubview:] + 4
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d28 <+4>: stp x22, x21, [sp, #0x10]
0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
0x187ac5d34 <+16>: add x29, sp, #0x30 ; =0x30
Target 0: (OPlayer Lite) stopped.
(lldb)
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x0000000187ac5d2c UIKit`-[UIView(Hierarchy) addSubview:] + 8
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d2c <+8>: stp x20, x19, [sp, #0x20]
0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
0x187ac5d34 <+16>: add x29, sp, #0x30 ; =0x30
0x187ac5d38 <+20>: mov x20, x0
Target 0: (OPlayer Lite) stopped.
(lldb)
(lldb)
error: invalid thread
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x0000000187ac5d30 UIKit`-[UIView(Hierarchy) addSubview:] + 12
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac5d30 <+12>: stp x29, x30, [sp, #0x30]
0x187ac5d34 <+16>: add x29, sp, #0x30 ; =0x30
0x187ac5d38 <+20>: mov x20, x0
0x187ac5d3c <+24>: mov x0, x2
Target 0: (OPlayer Lite) stopped.
(lldb)
........
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x0000000187ac6074 UIKit`-[UIView(Hierarchy) addSubview:] + 848
UIKit`-[UIView(Hierarchy) addSubview:]:
-> 0x187ac6074 <+848>: b 0x180414250 ; objc_release
UIKit`-[UIView(Internal) _addSubview:positioned:relativeTo:]:
0x187ac6078 <+0>: stp x28, x27, [sp, #-0x60]!
0x187ac607c <+4>: stp x26, x25, [sp, #0x10]
0x187ac6080 <+8>: stp x24, x23, [sp, #0x20]
Target 0: (OPlayer Lite) stopped.
(lldb)
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368
OPlayer Lite`_mh_execute_header:
-> 0x1003d01f8 <+3621368>: adrp x8, 5089
0x1003d01fc <+3621372>: ldr x20, [x8, #0x630]
0x1003d0200 <+3621376>: mov x0, x19
0x1003d0204 <+3621380>: mov x1, x20
Target 0: (OPlayer Lite) stopped.
(lldb)
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
frame #0: 0x00000001003d01fc OPlayer Lite`_mh_execute_header + 3621372
OPlayer Lite`_mh_execute_header:
-> 0x1003d01fc <+3621372>: ldr x20, [x8, #0x630]
0x1003d0200 <+3621376>: mov x0, x19
0x1003d0204 <+3621380>: mov x1, x20
0x1003d0208 <+3621384>: bl 0x10106f28c ; symbol stub for: objc_msgSend
Target 0: (OPlayer Lite) stopped.
So execution came back to 0x1003d01f8 inside the OPlayer Lite module. This is the return address of the addSubview: call, i.e. the instruction just after it, not the module's base address. Subtracting OPlayer Lite's slide 0x000000000005c000 gives the unslid address that Hopper shows:
(lldb) p/x 0x1003d01f8-0x000000000005c000
(long) $74 = 0x00000001003741f8
Jump to 0x00000001003741f8 in the already open Hopper Disassembler v4 (shortcut G, go to address). Judging from what Hopper shows there, addAds_OnLocalAds is very likely the method we are after. Next we break on it; Hopper gives its (unslid) address as:
0x000000010037c518
Adding the slide gives the runtime address to break on:
(lldb) p/x 0x000000010037c518+0x000000000005c000
(long) $76 = 0x00000001003d8518
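The slide arithmetic above (steps 7 and 8 for UIKit, and the two conversions for OPlayer Lite here) is easy to get wrong by hand when you repeat it many times in a session. The Python below is an example added here, not code from the original post: it parses image list -o -f output for each image's slide, converts Hopper addresses to live addresses and back, and also turns an lldb "frame #0: ..." line straight into the Hopper address to jump to. The two image lines are the ones quoted above; the function names are mine.

```python
"""ASLR slide arithmetic for moving between lldb and Hopper addresses.

Added example, not code from the original post. Hopper shows unslid file
addresses; lldb shows slid runtime addresses; `image list -o -f` gives the
slide (-o) next to the path (-f) for every loaded image.
"""
import re
from typing import Dict

# Constructed from the two `image list -o -f` lines quoted in the post.
SAMPLE_IMAGE_LIST = """\
[ 0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)
[ 7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
"""

# "[ N] <slide> <path>" with an optional "(<load address>)" suffix on the main executable.
IMAGE_RE = re.compile(r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\(0x[0-9a-fA-F]+\))?\s*$")
# "frame #0: <pc> <module>`<symbol> ..." as printed when lldb stops.
FRAME_RE = re.compile(r"frame #\d+:\s+(0x[0-9a-fA-F]+)\s+(.+?)`")


def parse_image_list(text: str) -> Dict[str, int]:
    """Map each image's basename ('UIKit', 'OPlayer Lite', ...) to its slide."""
    slides: Dict[str, int] = {}
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            path = m.group(2).strip()
            slides[path.rsplit("/", 1)[-1]] = int(m.group(1), 16)
    return slides


def runtime_addr(file_address: int, slide: int) -> int:
    """Hopper address -> address in the live process (where to set `br s -a`)."""
    return file_address + slide


def file_addr(runtime_address: int, slide: int) -> int:
    """Live address ($pc, $lr, a frame's pc) -> address to 'G'oto in Hopper."""
    return runtime_address - slide


def breakpoint_cmd(file_address: int, slide: int) -> str:
    """The lldb command to break on a Hopper address in the running process."""
    return f"br s -a {runtime_addr(file_address, slide):#x}"


def hopper_addr_from_frame(frame_line: str, slides: Dict[str, int]) -> int:
    """Take an lldb 'frame #N: 0x... Module`symbol' line and return the Hopper
    address inside that module, looking the module's slide up by name."""
    m = FRAME_RE.search(frame_line)
    if not m:
        raise ValueError(f"not an lldb frame line: {frame_line!r}")
    module = m.group(2).strip()
    if module not in slides:
        raise KeyError(f"no slide known for image {module!r}")
    return file_addr(int(m.group(1), 16), slides[module])


if __name__ == "__main__":
    slides = parse_image_list(SAMPLE_IMAGE_LIST)
    print(breakpoint_cmd(0x187775D24, slides["UIKit"]))  # -[UIView addSubview:]
    print(hex(hopper_addr_from_frame(
        "frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368", slides)))
```

Paste the real image list -o -f output into SAMPLE_IMAGE_LIST (or read it from a file) and the slides are looked up by image name, so a new launch with a different slide only requires re-pasting that output.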
The device may appear frozen at this point. Let it run, then delete all breakpoints:
(lldb) c
Process 432 resuming
(lldb) br del
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (1 breakpoint)
Now set a new breakpoint, this time on addAds_OnLocalAds:
br s -a 0x00000001003d8518
Then go back to the previous screen and play the video again; lldb stops with:
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
frame #0: 0x00000001003d8518 OPlayer Lite`_mh_execute_header + 3654936
OPlayer Lite`_mh_execute_header:
-> 0x1003d8518 <+3654936>: stp d9, d8, [sp, #-0x50]!
0x1003d851c <+3654940>: stp x24, x23, [sp, #0x10]
0x1003d8520 <+3654944>: stp x22, x21, [sp, #0x20]
0x1003d8524 <+3654948>: stp x20, x19, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb)
Next, read the selector name: x1 holds the SEL, whose name is a C string:
(lldb) p (char*)$x1
(char *) $78 = 0x0000000101454c97 "addAds_OnLocalAds"
And the address the method returns to once it finishes:
(lldb) p/x $lr
(unsigned long) $83 = 0x00000001003d01f8
(lldb) p/x 0x00000001003d01f8-0x000000000005c000
(long) $84 = 0x00000001003741f8
0x00000001003741f8 is the address we want, and it is the same one we reached from the addSubview: breakpoint. Jump to it in Hopper v4:
In the Hopper view at that address we find the call to the addAds_OnLocalAds method, confirming that the location is correct. The cbnz instruction next to it shows that this is a conditional branch, i.e. a check.
The key piece of information is that the PlayViewController class has an instance variable named localAdView.
Scrolling further up, the method turns out to be called from [PlayViewController viewWillAppear:], as the figure shows:
Next, confirm this by dumping the headers with class-dump (run on the decrypted binary from step 4; I won't go into the details). The command is:
class-dump OPlayer_Lite.decrypted -H -o header
Then look through the header directory for PlayViewController and its localAdView.
OK, at this point we have found the view that loads the ad. What remains is to implement the removal in a project.
III. Implementing the patch with MonkeyDev
For simplicity I used MonkeyDev; Theos works just as well, and I have tested that successfully!!!
For installing MonkeyDev, see the MonkeyDev installation tutorial and introduction.
MonkeyDev's advantage is that you can debug the running app's UI and locate controls from Xcode; with Reveal, the iOS UI debugging tool, it is easier still. The catch is that MonkeyDev needs an already decrypted ipa, which can be obtained with PP Assistant on Windows.
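Both the class-dump step and MonkeyDev only work on a binary that is really decrypted: the Clutch log in step 4 printed "Patched cryptid" for the slice it managed to dump, and an ipa from a third-party store may or may not be in the clear. The Python below is an example added here, not code from the original post: it reads the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command of every slice in a Mach-O (fat files included) and reports the cryptid; 0 means the slice is decrypted, anything else means you are still looking at FairPlay-encrypted bytes. The two fixtures at the bottom are constructed minimal Mach-O images, not real OPlayer Lite binaries.

```python
"""Check whether a dumped iOS Mach-O is really decrypted (cryptid == 0).

Added example, not code from the original post. Walks the load commands of
each slice and reports LC_ENCRYPTION_INFO(_64).cryptid.
"""
import struct
from typing import Dict, List

MH_MAGIC = 0xFEEDFACE          # 32-bit Mach-O, little-endian on device
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O, little-endian on device
FAT_MAGIC = 0xCAFEBABE         # fat (universal) header, big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def thin_slices(data: bytes) -> List[bytes]:
    """Return every thin Mach-O contained in `data` (one for a thin file)."""
    if len(data) < 8:
        return []
    (magic,) = struct.unpack(">I", data[:4])
    if magic != FAT_MAGIC:
        return [data]
    (nfat,) = struct.unpack(">I", data[4:8])
    slices = []
    for i in range(nfat):
        off = 8 + i * 20  # sizeof(struct fat_arch)
        _cpu, _sub, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
        slices.append(data[offset:offset + size])
    return slices


def encryption_info(slice_data: bytes) -> Dict[str, int]:
    """Walk one thin Mach-O's load commands and report its cryptid.
    A slice with no LC_ENCRYPTION_INFO at all is reported as cryptid 0."""
    (magic,) = struct.unpack("<I", slice_data[:4])
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"not a little-endian Mach-O (magic {magic:#x})")
    cputype, _sub, _filetype, ncmds, sizeofcmds = struct.unpack("<IIIII", slice_data[4:24])
    info = {"cputype": cputype, "has_encryption_info": 0, "cryptid": 0}
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(slice_data):
            break
        cmd, cmdsize = struct.unpack("<II", slice_data[off:off + 8])
        if cmdsize < 8:
            break  # malformed load command; stop instead of looping forever
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack("<III", slice_data[off + 8:off + 20])
            info["has_encryption_info"] = 1
            info["cryptid"] = cryptid
        off += cmdsize
    return info


def is_decrypted(data: bytes) -> bool:
    """True only if every slice has cryptid 0; class-dump and Hopper need this."""
    slices = thin_slices(data)
    return bool(slices) and all(encryption_info(s)["cryptid"] == 0 for s in slices)


def report_bytes(data: bytes) -> str:
    lines = []
    for s in thin_slices(data):
        info = encryption_info(s)
        state = "decrypted" if info["cryptid"] == 0 else f"ENCRYPTED (cryptid={info['cryptid']})"
        lines.append(f"cputype={info['cputype']:#x}: {state}")
    return "\n".join(lines)


def build_macho64(cputype: int, cryptid: int) -> bytes:
    """Constructed fixture: a 64-bit header plus a single LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)
    return header + lc


def build_fat(slices: List[bytes]) -> bytes:
    """Constructed fixture: wrap thin slices in a big-endian fat header."""
    archs, body = b"", b""
    first = 8 + 20 * len(slices)
    for s in slices:
        (cputype,) = struct.unpack("<I", s[4:8])
        archs += struct.pack(">IIIII", cputype, 0, first + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


# Constructed: what an App Store copy looks like versus a successful dump.
ENCRYPTED_ARM64 = build_macho64(CPU_TYPE_ARM64, 1)
DECRYPTED_ARM64 = build_macho64(CPU_TYPE_ARM64, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(report_bytes(f.read()))
    else:
        print(report_bytes(build_fat([DECRYPTED_ARM64, ENCRYPTED_ARM64])))
```

Run it against the executable inside the .app (the file that Clutch or the dynamic dumper wrote) before spending time in class-dump or Hopper; a fat file where only one slice reads "decrypted" is exactly the partial-success case Clutch reported above.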
First create a new project named Oplayerlite. There is not much else to it, so I'll go straight to the key code.
Running the project, the earlier "Buy the full version to remove ads?" view was indeed gone, but a new ad appeared in its place. The screenshot of it is from Reveal (Xcode's view debugger works too).
In PlayViewController's header I then found the member GADBannerView *gAdView; searching the headers for GADBannerView turned up the following methods:
Somewhat skeptically, I tried changing OplayerliteDylib.xm in the project to the following:
// See http://iphonedevwiki.net/index.php/Logos
#import <UIKit/UIKit.h>

// Minimal declaration of the target class so the hook can touch the
// localAdView property found in the class-dump headers.
@interface PlayViewController : UIViewController
@property(strong, nonatomic) UIView *localAdView;
@end

%hook PlayViewController
// addAds_OnLocalAds is called from viewWillAppear:. Handing it an empty,
// zero-sized view before %orig runs means the local banner is added with
// no size and never shows.
- (void)viewWillAppear:(BOOL)arg1
{
    self.localAdView = [[UIView alloc] initWithFrame:CGRectZero];
    %orig;
}
%end

%hook GADBannerView
// Swallow every setFrame: without calling %orig, so the Google ad banner
// that took the local ad's place is never laid out on screen.
- (void)setFrame:(struct CGRect)arg1
{
    NSLog(@"__%s__", __func__);
}
%end
Then run again, and it actually worked.
OK, congratulations: OPlayer Lite now plays without ads.
IV. Packaging and installing the app on a non-jailbroken device
Afterwards I thought about how to install this app on a non-jailbroken device.
Export the patched app, put the .app bundle into a Payload folder, zip the folder and rename the archive to .ipa. It may still refuse to install at this point; the last step is to re-sign the ipa.
For the details, see "iOS re-signing".