iOS Reverse Engineering Research 002
2017-09-04
锦鲤跃龙
1. The first reverse-engineering program

Create a tweak project

```
➜ iOS /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/cydget
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/ios7_notification_center_widget
  [7.] iphone/library
  [8.] iphone/notification_center_widget
  [9.] iphone/preference_bundle_modern
  [10.] iphone/tool
  [11.] iphone/tweak
  [12.] iphone/xpc_service
// choose the tweak template
Choose a Template (required): 11
// project name
Project Name (required): MyFirstReProject
// name of the deb package (similar to a bundle identifier)
Package Name [com.yourcompany.myfirstreproject]: com.iosre.myfirstreproject
// tweak author
Author/Maintainer Name [System Administrator]: luz
// bundle identifier of the process the tweak is injected into
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard
// applications that must be restarted after the tweak is installed
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
Instantiating iphone/tweak in myfirstreproject/...
Done.
```
Project file structure

Makefile

```makefile
# common makefile included by every theos project
include $(THEOS)/makefiles/common.mk
# the "Project Name" given when the project was created; normally it is not changed afterwards
TWEAK_NAME = MyFirstReProject
# source files of the tweak, separated by spaces when there are several
MyFirstReProject_FILES = Tweak.xm
# project-type makefile; the usual ones are application.mk, tweak.mk and tool.mk
include $(THEOS_MAKE_PATH)/tweak.mk
# what to do after the tweak has been installed; here, kill the SpringBoard process
after-install::
	install.exec "killall -9 SpringBoard"
```

Supplement: other commonly used Makefile settings

```makefile
# build as debug (1) or release (0)
DEBUG = 0
# IP address of the jailbroken iPhone
THEOS_DEVICE_IP = 192.168.1.113
# processor architectures to build for
ARCHS = armv7 arm64
# SDK to build with, in the form iphone:Base SDK:Deployment Target
# (latest SDK, the program runs on iOS 8.0 and above)
TARGET = iphone:latest:8.0
# frameworks to link, separated by spaces when there are several
MyFirstReProject_FRAMEWORKS = UIKit
MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport
# link libsqlite3.0.dylib, libz.dylib and dylib1.o
MyFirstReProject_LDFLAGS = -lz -lsqlite3.0 -dylib1.o
# make clean
clean::
	rm -rf ./packages/*
```
Tweak file

The "x" in "xm" indicates that the file supports Logos syntax. If the extension is a single "x", the source file supports Logos and C syntax; if the extension is "xm", the source file supports Logos and C/C++ syntax. The Tweak.xm generated by nic.pl contains only the following commented-out explanation:

```objectivec
/* How to Hook with Logos
Hooks are written with syntax similar to that of an Objective-C @implementation.
You don't need to #include <substrate.h>, it will be done automatically, as will
the generation of a class list and an automatic constructor.

%hook ClassName

// Hooking a class method
+ (id)sharedInstance {
	return %orig;
}

// Hooking an instance method with an argument.
- (void)messageName:(int)argument {
	%log; // Write a message about this call, including its class, name and arguments, to the system log.

	%orig; // Call through to the original function with its original arguments.

	%orig(nil); // Call through to the original function with a custom argument.

	// If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
}

// Hooking an instance method with no arguments.
- (id)noArguments {
	%log;
	id awesome = %orig;
	[awesome doSomethingElse];

	return awesome;
}

// Always make sure you clean up after yourself; Not doing so could have grave consequences!
%end
*/
```
- %hook names the class to hook; the block must be closed with %end.
- %log is used inside a %hook block and writes the class name, selector, arguments and other information about the call to syslog. To read that output on the device, search for and install syslogd from Cydia.
- %orig is used inside a %hook block and runs the original code of the hooked function.
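The three directives put together in a Tweak.xm for the project created above. This is an added example, not code from this post or from the theos template; it assumes the MobileSubstrate filter com.apple.springboard chosen with nic.pl, the default non-ARC theos build, and that the selectors -[SpringBoard applicationDidFinishLaunching:] and -[UIApplication openURL:] exist on the target iOS version.

```objectivec
// Tweak.xm (added example, not from the post): %hook, %log and %orig inside
// SpringBoard. Assumes the com.apple.springboard filter, a non-ARC build and
// that the hooked selectors exist on the target iOS version.
#import <UIKit/UIKit.h>

%hook SpringBoard

// Instance method with one argument: record the call, let the original run
// unchanged, then give visible proof that the hook executed.
- (void)applicationDidFinishLaunching:(id)application {
    %log;   // class, selector and arguments go to syslog (readable via syslogd)
    %orig;  // SpringBoard's own implementation, with its original argument

    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"MyFirstReProject"
                                                    message:@"SpringBoard finished launching"
                                                   delegate:nil
                                          cancelButtonTitle:@"OK"
                                          otherButtonTitles:nil];
    [alert show];
    [alert release];  // UIAlertView keeps itself alive while on screen
}

%end

%hook UIApplication

// Method with a return value: observe which URLs SpringBoard is asked to
// open, but hand back %orig's result so behaviour is not altered.
- (BOOL)openURL:(NSURL *)url {
    NSLog(@"[MyFirstReProject] openURL: %@", url);
    BOOL handled = %orig;  // original argument, original result
    NSLog(@"[MyFirstReProject] openURL handled=%d", handled);
    return handled;
}

%end

// Constructor run when MobileSubstrate loads the dylib. Because a %ctor is
// written by hand here, %init must be called so Logos installs the hooks.
%ctor {
    %init;
    NSLog(@"[MyFirstReProject] loaded into %@",
          [[NSBundle mainBundle] bundleIdentifier]);
}
```

After `make package install`, the %log and NSLog lines appear in the device syslog, and the alert appears once SpringBoard has respawned.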
control

The control file records the basic information required by the deb package management system and is packaged into the deb.