iOS逆向_钉钉定位
2019-01-05
李永开
一.说明
目的是分析钉钉(DingTalk)获取定位的实现, 并通过 hook 其定位回调改写上报给应用的坐标, 从而在任意地点完成考勤打卡. 整个流程依赖越狱设备(脱壳、root 下执行工具、注入 dylib), 或在重签名后再注入; 注意伪造考勤位置违反钉钉的使用条款, 本文仅作逆向分析记录.
二.准备工作
- appstore下载钉钉
- 打开 iFunBox, 找到 /var/mobile/Containers/Bundle/Application/F2A26AA8-0737-4C7D-AB0B-9CAE638E8E82/DingTalk.app 下的可执行文件(Mach-O, 文件名为 DingTalk), 拖到桌面. 路径中的 UUID 每台设备、每次安装都不同, 以实际路径为准.
- 在越狱手机上以 root 身份 ssh 登录后: `Clutch -i` 列出已安装的加密应用, `Clutch -d <编号>` 对目标脱壳(去掉 App Store 的 FairPlay 加密).
若 Clutch 脱壳失败, 改用 dumpdecrypted(需先 cd 到 dumpdecrypted.dylib 所在且应用进程有写权限的目录, 脱壳结果 DingTalk.decrypted 会写到当前目录):
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/F2A26AA8-0737-4C7D-AB0B-9CAE638E8E82/DingTalk.app/DingTalk
- mac下: 对脱壳后的二进制执行 class-dump -H DingTalk -o ~/Desktop/classDump_DingTalk(未脱壳的加密二进制 class-dump 得不到有意义的类和方法名).
- theos: 在 mac 上运行 nic.pl 生成 tweak 工程, 然后编写 Tweak.xm.
在 class-dump 出的头文件里找到接收定位回调的方法并 hook. 注意这里 hook 的并不是"系统的定位方法", 而是高德 SDK 的 AMapLocationManager 的 locationManager:didUpdateLocations:(见下面代码), 把回调里真实的 CLLocation 数组替换成自定义坐标.
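// Hook the AMap (高德) location SDK's delegate callback so that every fix
// DingTalk receives is replaced by the coordinate the user typed into the
// in-app panel. The panel stores @[longitudeString, latitudeString] under the
// NSUserDefaults key "lyk_setLocation" — element 0 is the field labelled 经度
// (longitude), element 1 the field labelled 纬度 (latitude).
%hook AMapLocationManager

// arg1: the location manager that produced the fix (passed through untouched).
// arg2: the real NSArray<CLLocation *>; it is forwarded unchanged whenever no
//       usable override is configured, otherwise swapped for the fake fix.
- (void)locationManager:(id)arg1 didUpdateLocations:(id)arg2
{
    NSArray *saved = [[NSUserDefaults standardUserDefaults] objectForKey:@"lyk_setLocation"];

    // No override configured (or a malformed one): pass the real fix through.
    // The previous version fed nil into -doubleValue and silently reported 0,0.
    if (![saved isKindOfClass:[NSArray class]] || saved.count < 2) {
        %orig(arg1, arg2);
        return;
    }

    // Element 0 is 经度 (longitude), element 1 is 纬度 (latitude), matching the
    // input panel's labels; the previous version handed them to
    // initWithLatitude:longitude: in the opposite order.
    double longitude = [saved[0] doubleValue];
    double latitude  = [saved[1] doubleValue];

    // Add a small random jitter (< 1e-5 degrees, on the order of a metre) so
    // consecutive fixes are not bit-identical.
    longitude += arc4random_uniform(10) / 1000000.0;
    latitude  += arc4random_uniform(10) / 1000000.0;

    // Out-of-range input (e.g. latitude 200) would hand the app an impossible
    // coordinate; keep the real fix in that case.
    if (!CLLocationCoordinate2DIsValid(CLLocationCoordinate2DMake(latitude, longitude))) {
        %orig(arg1, arg2);
        return;
    }

    CLLocation *fake = [[CLLocation alloc] initWithLatitude:latitude longitude:longitude];
    // NOTE(review): a CLLocation built with initWithLatitude:longitude: carries
    // no accuracy/course/speed information and a fresh timestamp, unlike a real
    // GPS fix — a server-side plausibility check could tell them apart. Confirm
    // before relying on this.
#ifdef DEBUG
    // Debug builds only: the real coordinates should not end up in syslog.
    NSLog(@"llykk_%@,%@", arg2, fake);
#endif
    %orig(arg1, @[fake]);
}
%end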
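// View tags used to find the injected views again. They live on the shared
// keyWindow and a %hook cannot add ivars, so lookup is by tag.
static const NSInteger kLYKTriggerTag = 660;  // floating "😈" button
static const NSInteger kLYKPanelTag   = 666;  // the red input panel
static const NSInteger kLYKLonTag     = 661;  // longitude (经度) text field
static const NSInteger kLYKLatTag     = 662;  // latitude (纬度) text field
static const NSInteger kLYKTitleTag   = 663;  // panel title / error label

// Parses one decimal coordinate component typed by the user.
// Returns NO (and leaves *out untouched) for nil, empty, non-numeric or only
// partially numeric text — -doubleValue would silently map all of those to 0.
static BOOL LYKParseDouble(NSString *text, double *out)
{
    NSString *trimmed = [text stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
    if (trimmed.length == 0) {
        return NO;
    }
    NSScanner *scanner = [NSScanner scannerWithString:trimmed];
    double value = 0;
    if (![scanner scanDouble:&value] || !scanner.isAtEnd) {
        return NO;
    }
    *out = value;
    return YES;
}

// Builds the input panel: a title label, two text fields (longitude first,
// matching the "经纬度" order used in the title), and a confirm button that
// sends yesAction: to `target`. Layout and colours are unchanged from the
// original tweak.
static UIView *LYKBuildPanel(id target)
{
    UIView *panel = [[UIView alloc] initWithFrame:CGRectMake(50, 200, 275, 120)];
    panel.backgroundColor = [UIColor colorWithRed:1 green:0 blue:0 alpha:1];
    panel.tag = kLYKPanelTag;

    UILabel *title = [[UILabel alloc] initWithFrame:CGRectMake(0, 0, 275, 20)];
    title.tag = kLYKTitleTag;
    title.text = @"请输入新的经纬度";
    title.font = [UIFont systemFontOfSize:14];
    title.textAlignment = NSTextAlignmentCenter;
    [panel addSubview:title];

    UITextField *lonField = [[UITextField alloc] initWithFrame:CGRectMake(0, 30, 275, 20)];
    lonField.tag = kLYKLonTag;
    lonField.placeholder = @"请输入经度";
    lonField.backgroundColor = [UIColor whiteColor];
    // Coordinates need "-" and ".", which the plain number pad lacks.
    lonField.keyboardType = UIKeyboardTypeNumbersAndPunctuation;
    [panel addSubview:lonField];

    UITextField *latField = [[UITextField alloc] initWithFrame:CGRectMake(0, 60, 275, 20)];
    latField.tag = kLYKLatTag;
    latField.placeholder = @"请输入纬度";
    latField.backgroundColor = [UIColor whiteColor];
    latField.keyboardType = UIKeyboardTypeNumbersAndPunctuation;
    [panel addSubview:latField];

    UIButton *confirm = [UIButton buttonWithType:UIButtonTypeCustom];
    confirm.frame = CGRectMake(0, 85, 275, 30);
    [confirm setTitle:@"确定" forState:UIControlStateNormal];
    [confirm addTarget:target action:@selector(yesAction:) forControlEvents:UIControlEventTouchUpInside];
    [panel addSubview:confirm];

    return panel;
}

// Adds a floating "😈" button to DingTalk's conversation list. Tapping it opens
// a panel for entering the spoofed coordinate, which is persisted as
// @[longitudeString, latitudeString] under the NSUserDefaults key
// "lyk_setLocation" for the AMapLocationManager hook to read.
%hook DTConversationListController

- (void)viewWillAppear:(_Bool)arg1
{
    %orig;
    UIWindow *window = [UIApplication sharedApplication].keyWindow;

    // viewWillAppear fires every time the list is shown; the original stacked a
    // fresh button on top of the previous one each time. Reuse the existing
    // button and re-point its target at the current controller instance, since
    // UIControl does not retain its target.
    UIButton *existing = (UIButton *)[window viewWithTag:kLYKTriggerTag];
    if (existing) {
        [existing removeTarget:nil action:NULL forControlEvents:UIControlEventAllEvents];
        [existing addTarget:self action:@selector(btnAction) forControlEvents:UIControlEventTouchUpInside];
        return;
    }

    UIButton *trigger = [UIButton buttonWithType:UIButtonTypeCustom];
    trigger.frame = CGRectMake(0, 200, 30, 30);
    trigger.tag = kLYKTriggerTag;
    [trigger setTitle:@"😈" forState:UIControlStateNormal];
    [trigger addTarget:self action:@selector(btnAction) forControlEvents:UIControlEventTouchUpInside];
    [window addSubview:trigger];
}

// Shows the input panel (creating it on first use) and pre-fills it with the
// currently saved override, if there is one.
%new
- (void)btnAction
{
    UIWindow *window = [UIApplication sharedApplication].keyWindow;
    UIView *panel = [window viewWithTag:kLYKPanelTag];
    if (!panel) {
        panel = LYKBuildPanel(self);
    }
    // Re-adding an existing panel moves it to the front.
    [window addSubview:panel];

    NSArray *saved = [[NSUserDefaults standardUserDefaults] objectForKey:@"lyk_setLocation"];
    if (![saved isKindOfClass:[NSArray class]] || saved.count < 2) {
        return;
    }
    UITextField *lonField = (UITextField *)[panel viewWithTag:kLYKLonTag];
    UITextField *latField = (UITextField *)[panel viewWithTag:kLYKLatTag];
    lonField.text = [saved[0] description];
    latField.text = [saved[1] description];
}

// Confirm button handler. Validates both fields before persisting them so the
// location hook never sees garbage; on bad input the panel stays open and the
// title label reports the problem.
%new
- (void)yesAction:(UIButton *)btn
{
    UIView *panel = btn.superview;
    UITextField *lonField = (UITextField *)[panel viewWithTag:kLYKLonTag];
    UITextField *latField = (UITextField *)[panel viewWithTag:kLYKLatTag];

    double longitude = 0;
    double latitude = 0;
    BOOL valid = LYKParseDouble(lonField.text, &longitude)
              && LYKParseDouble(latField.text, &latitude)
              && CLLocationCoordinate2DIsValid(CLLocationCoordinate2DMake(latitude, longitude));
    if (!valid) {
        UILabel *title = (UILabel *)[panel viewWithTag:kLYKTitleTag];
        title.text = @"经纬度无效, 请重新输入";
        return;
    }

    // Same storage format as before (two strings, longitude first) so existing
    // saved values and the location hook keep working.
    NSArray *pair = @[lonField.text, latField.text];
    [[NSUserDefaults standardUserDefaults] setObject:pair forKey:@"lyk_setLocation"];
    [[NSUserDefaults standardUserDefaults] synchronize];
    [panel removeFromSuperview];
}
%end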
八.重签名
- 通过iFunbox拿到DingTalk.app
- codesign -vv -d DingTalk.app 查看签名信息(原文此处误写为 WeChat.app, 应为 DingTalk.app).
1. 拿到 DingTalk.app, 用脱壳后的 Mach-O 替换其中同名的加密可执行文件(保持文件名和可执行权限不变).
2. 删掉 PlugIns 和 Watch 文件夹(其中的扩展和 Watch App 各有独立的 bundle id 与签名, 用个人证书无法一并重签).
3. 对 Frameworks 目录下的每个 framework 用自己的证书逐个重签名, 最后再签整个 .app.
4. 修改 DingTalk.app/Info.plist, 将 CFBundleIdentifier 改为自己描述文件(provisioning profile)里的 bundle id. 注意: 重签名后原包的 entitlements(推送、keychain 共享组等)不再受自己的证书授权, 需要根据自己的描述文件重新生成 entitlements, 否则相关功能可能失效.