逆向壁纸类APP,去除广告下载Vip壁纸
2018-09-26 本文已影响27人
代码移动工程师
写在前面
最近没啥事,自己就像逆向一下别人的app,下载了一块壁纸类app,开始干活。
1.准备越狱手机下载app
最好选择完美越狱的系统,下载app,使用usb连接进入root,用Clutch 脱壳。
iPhone:~ root# Clutch -i
Installed apps:
1: 爱奇艺-延禧攻略独播 <com.qiyi.iphone>
2: こつこつ家計簿-無料のカレンダー家計簿 <com.doubibi74.money76>
3: 网易云音乐-音乐的力量 <com.netease.cloudmusic>
4: 微信 <com.tencent.xin>
5: 优酷视频-天坑鹰猎全网独播 <com.youku.YouKu>
6: 喜马拉雅FM「听书社区」电台有声小说相声评书 <com.gemd.iting>
7: 保镖报警器 <com.baobiao.baobiao>
8: 壁纸 : 高清手机主题桌面动态墙纸 <com.tandy.wallpaper.pid39ch5>
9: 腾讯视频-如懿传独播 <com.tencent.live4iphone>
执行Clutch -d 8 开始脱壳
iPhone:~ root# Clutch -d 8
Zipping Wallpaper.app
ASLR slide: 0x1000d0000
Dumping <NotificationServiceExtension> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ASLR slide: 0x100034000
Dumping <Wallpaper> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping NotificationServiceExtension.appex
DONE: /private/var/mobile/Documents/Dumped/com.tandy.wallpaper.pid39ch5-iOS8.0-(Clutch-2.0.4).ipa
Finished dumping com.tandy.wallpaper.pid39ch5 in 19.5 seconds
iPhone:~ root#
脱壳成功,将可执行文件拿出来留着备用,使用reveal 查看app 的UI 结构
正常图片
找到下载按钮所在的View是WPDetailBottomView
D848B4B1EF0D30BABEE26104702620CB.jpg
免费的长上面这样,但是有些比较好看的壁纸不出钱就要看视频广告,特别长,没完没了。
3A447C610A562470C77DCF6364A70998.jpg
所以来逆向一把,现在将脱壳脱壳后的可执行文件也就是mach-o 文件提取出头文件。
pp文件夹就是提取出来的头文件
将pp文件夹拖入sublime,搜索WPDetailBottomView,经过一番测试发现点击下载的调用的方法是
- (void)detailWithAction:(long long)arg1;
确定好方法了,那就开始编写tweek 代码。
思路
首先移除立即下载的这个lockView 然后让下载所在的View出现并显示在合适的位置,我顺便将启动页的广告也给它移除了(这个简单)。tweek 代码如下
#import <substrate.h> // necessary
@interface cyMethodSet
- (void)cleanUpSplashWhenStop;
- (void)td_hideActivityIndicatorView;
- (void)showBottomView;
- (id)bottomView;
- (void)hiddenPayView;
@end
// 去除启动页广告
%hook ADKPhotoFrameSplashAdView
- (id)initWithFrame:(struct CGRect)arg1{
return nil;
}
%end
// %hook WPWallSetListView
// - (void)didTapWPBasePhotoView:(id)arg1{
// UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:@"点击了目标" delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
// [alert show];
// %orig;
// }
// %end
UIView *bottomViewHooked;
// - (void)loadCunstomAlertView:(long long)arg1{
// NSString *str = [[NSString alloc]initWithFormat:@"点击了目标%lld",arg1];
// UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
// [alert show];
// }
%hook WPDetailView
- (id)initWithFrame:(struct CGRect)arg1 actionTypes:(long long)arg2{
NSLog(@"------这是测试消息-------");
%log;
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
[self hiddenPayView];
});
dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
bottomViewHooked = MSHookIvar<UIView *>(self, "_bottomView");
[bottomViewHooked setHidden:NO];
[bottomViewHooked setFrame:CGRectMake(0, 500, 320, 44)];
});
return %orig;
}
- (void)detailBottomViewWithAction:(long long)arg1{
NSString *str = [[NSString alloc]initWithFormat:@"点击了目标%lld",arg1];
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
[alert show];
%orig;
}
- (void)detailBottomLockWithIndex:(long long)arg1{
NSString *str = [[NSString alloc]initWithFormat:@"点击3了目标%lld",arg1];
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
[alert show];
%orig;
}
- (void)detailBottomClicked{
// NSString *str = [[NSString alloc]initWithFormat:@"点击4了目标"];
// UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
// [alert show];
%orig;
}
- (void)detailBottomCollectSuccess{
NSString *str = [[NSString alloc]initWithFormat:@"点击3了目标"];
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
[alert show];
%orig;
}
%end
%hook WPDetailBottomView
- (void)detailWithAction:(long long)arg1{
NSString *str = [[NSString alloc]initWithFormat:@"点击了目2标%lld",arg1];
UIAlertView *alert = [[UIAlertView alloc]initWithTitle:@"提示" message:str delegate:nil cancelButtonTitle:nil otherButtonTitles:@"知道了", nil];
[alert show];
%orig;
}
%end
然后在Tweak.xm 所在文件夹执行
make clean && make && make package && make install
重新进入该app的壁纸vip界面,立即下载的View已经消失,下载的所在的View 出现了,点击下载如图
DE78D8197E1829AB1F9F2DAE20991E68.jpg
里面的还有下载逻辑这部分比较难,我的实现方式是擦除汇编代码。有好方法的可以交流一下,这就是大概的过程。
5A9A3F520CEEBB4CB165D06B1ABD1085.jpg
