iOS逆向研究02

1.第一个逆向程序

• 创建tweak工程

  ➜  iOS /opt/theos/bin/nic.pl 
  
  NIC 2.0 - New Instance Creator
  ------------------------------
  
    [1.] iphone/activator_event
    [2.] iphone/application_modern
    [3.] iphone/cydget
    [4.] iphone/flipswitch_switch
    [5.] iphone/framework
    [6.] iphone/ios7_notification_center_widget
    [7.] iphone/library
    [8.] iphone/notification_center_widget
    [9.] iphone/preference_bundle_modern
    [10.] iphone/tool
    [11.] iphone/tweak
    [12.] iphone/xpc_service
   //选择tweak工程  
  Choose a Template (required): 11  
  
   //工程名称
  Project Name (required): MyFirstReProject  
  
  //deb包的名字（类似于bundle identifier)
  Package Name [com.yourcompany.myfirstreproject]: com.iosre.myfirstreproject  
  
  //tweak作者
  Author/Maintainer Name [System Administrator]: luz 
  
  //tweak作用对象的bundle identifier
  [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard 
  
  //tweak安装完成后需要重启的应用
  [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
  Instantiating iphone/tweak in myfirstreproject/...
  Done.

• 工程文件结构介绍

  • Makefile

    //工程包含的通用头文件
    include $(THEOS)/makefiles/common.mk
    
    //创建工程时指定的“Project Name，指定好之后一般不要再更改
    TWEAK_NAME = MyFirstReProject
    
    //tweak包含的源文件，指定多个文件时用空格隔开
    MyFirstReProject_FILES = Tweak.xm
    
    //tweak工程的头文件，一般有application.mk、tweak.mk和tool.mk几类
    include $(THEOS_MAKE_PATH)/tweak.mk
    
    //指定tweak安装之后，需要做的事情，这里是杀掉SpringBoard进程 
    after-install::
        install.exec "killall -9 SpringBoard"
    
    补充:
    //编译debug或者release
    DEBUG = 0
    
    //越狱iPhone的ip地址
    THEOS_DEVICE_IP = 192.168.1.113
    
    //指定支持的处理器架构
    ARCHS = armv7 arm64 
    
    //指定需要的SDK版本iphone:Base SDK:Deployment Target
    TARGET = iphone:latest:8.0  //最新的SDK，程序发布在iOS8.0以上
    
    //导入框架，多个框架时用空格隔开
    MyFirstReProject_FRAMEWORKS = UIKit 
    MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport
    
    //链接libsqlite3.0.dylib、libz.dylib和dylib1.o
    MyFirstReProject_LDFLAGS = -lz –lsqlite3.0 –dylib1.o
    
    //make clean
    clean::
        rm -rf ./packages/* 
    

  • tweak文件
    “xm”中的“x”代表这个文件支持Logos语法，如果后缀名是单独一个“x”，说明源文件支持Logos和C语法；如果后缀名是“xm”
    ，说明源文件支持Logos和C/C++语法。

  /* How to Hook with Logos
  Hooks are written with syntax similar to that of an Objective-C @implementation.
  You don't need to #include <substrate.h>, it will be done automatically, as will
  the generation of a class list and an automatic constructor.
  
  %hook ClassName
  
  // Hooking a class method
  + (id)sharedInstance {
      return %orig;
  }
  
  // Hooking an instance method with an argument.
  - (void)messageName:(int)argument {
      %log; // Write a message about this call, including its class, name and arguments, to the system log.
  
      %orig; // Call through to the original function with its original arguments.
      %orig(nil); // Call through to the original function with a custom argument.
  
      // If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
  }
  
  // Hooking an instance method with no arguments.
  - (id)noArguments {
      %log;
      id awesome = %orig;
      [awesome doSomethingElse];
  
      return awesome;
  }
  
  // Always make sure you clean up after yourself; Not doing so could have grave consequences!
  %end
  */

  • %hook 指定需要hook的class，必须以%end结尾

  • %log 该指令在%hook内部使用，将函数的类名、参数等信息写入syslog
    Cydia内搜索安装syslogd

  • %orig该指令在%hook内部使用，执行被钩住（hook）的函数的原始代码。

  • control
    control文件记录了deb包管理系统所需的基本信息，会被打包进deb包里。