iOS应用逆向工程(二)

最新推荐文章于 2024-09-25 09:12:43 发布

再见依然

最新推荐文章于 2024-09-25 09:12:43 发布

阅读量4.2k

点赞数

分类专栏： iOS应用逆向工程文章标签： iOS应用逆向工程 ios平台 Theos Theos介绍 Theos安装

本文链接：https://blog.csdn.net/woaizijiheni/article/details/49332851

版权

iOS应用逆向工程专栏收录该内容

8 篇文章 0 订阅

订阅专栏

前一篇对iOS平台做了一个简单的介绍，今天我们就来写一个经典小程序，HelloWorld。很经典的哦！

首先来介绍我的环境：Mac系统为OSX Yosemite，Xcode7，iPhoneOS9.0.SDK,手机系统为iOS8.2。基本上都是最新的。

然后我们的把我们开发的环境要搭建好。

class-dump: 是用来dump目标对象的class信息的工具。它利用Object-C语言的runtime特性(这个应该都不陌生吧)。将存储在Mach-O文件中的头文件信息提取出来，并生成对应的.h文件。class-dump的用法比较简单。首先去http://stevenygard.com/projects/class-dump ,下载下来。下载class-dump-3.5.dmg,

自己随便下一个也行。只要你会安装即可。打开终端输入

$ class-dump

class-dump 3.5 (64 bit)

Usage: class-dump [options] <mach-o-file>

where options are:

-a show instance variable offsets

-A show implementation addresses

--arch <arch> choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)

-C <regex> only display classes matching regular expression

-f <str> find string in method name

-H generate header files in current directory, or directory specified with -o

-I sort classes, categories, and protocols by inheritance (overrides -s)

-o <dir> output directory used for -H

-r recursively expand frameworks and fixed VM shared libraries

-s sort classes and categories by name

-S sort methods by name

-t suppress header in output, for testing

--list-arches list the arches in the file, then exit

--sdk-ios specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/iPhoneOS<version>.sdk

--sdk-mac specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk

--sdk-root specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)

表示你已安装成功

接下来我们用用class-dump

在终端输入：

class-dump -S -s -H HandleWrite -o /path/headers/HandleWrite

首先拿你自己写的app，没有提交AppStore的看看,上面那个是我自己写的，还没有写完，我就不截图了，是什么效果，然后再拿从AppStore上下载下来的再看看是什么效果。(⊙o⊙)…，自己动手做一下吧。看看有什么不同，至于为什么不同，会在接下来的文章里介绍。

接下来，介绍Theos

Theos 是一个越狱开发包，有iOS 越狱知名人士Dustin Howett 开发并分享到Github上

首先去下载

$sudo git clone git://github.com/DHowett/theos.git theos

然后去http://joedj.net/ldid 下载ldid ，把它放在/opt/theos/bin/ 目录下

记得修改权限 sudo chmod 755 /opt/theos/bin/ldid

记得安装好dpkg 工具，如果不确定，在终端输入dpkg验证一下

然后配置CydiaSubstrate

首先去网上下载这个包

mobilesubstrate_0.9.6011_iphoneos-arm.deb

$dpkg-deb -x mobilesubstrate_0.9.6011_iphoneos-arm.deb mobilesubstrate

$cp mobilesubstrate/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

/opt/theos/lib/libsubstrate.dylib

$sudo cp CydiaSubstrate.h /opt/theos/include/substrate.h

做以上这几步时，我的习惯是将以前的先备份

好了环境搭建好了，我们来写个HelloWorld

$ /opt/theos/bin/nic.pl

NIC 2.0 - New Instance Creator

------------------------------

[1.] iphone/application

[2.] iphone/cydget

[3.] iphone/framework

[4.] iphone/library

[5.] iphone/notification_center_widget

[6.] iphone/preference_bundle

[7.] iphone/sbsettingstoggle

[8.] iphone/tool

[9.] iphone/tweak

[10.] iphone/xpc_service

Choose a Template (required): 9

Project Name (required): iOSREGreetings

Package Name [com.yourcompany.iosregreetings]:

Author/Maintainer Name [olduser]:

[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:

[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:

Instantiating iphone/tweak in iosregreetings/...

Done.

这样就创建好了一个反向工程，

$ ls

Makefile control theos

Tweak.xm iOSREGreetings.plist

里面只有这么几个文件。但是大有玄机。

vim Tweak.xm

可以看到，全是注释掉的，而我们的要修改的就是这个文件,在Tweak.xm 中添加以下内容

%hook SpringBoard

-(void)applicationDidFinishLaunching:(id)application {

%orig;

UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Welcome" message:@"Hello world，你好世界" delegate:nil cancelButtonTitle:@"确定" otherButtonTitles:nil];

[alert show];

[alert release];

}

%end

$vim Makefile 写成下边那样

THEOS_DEVICE_IP = 192.168.2.15

ARCHS = armv7 arm64

TARGET = iphone:latest:8.0

iOSREGreetings_FRAMEWORKS = UIKit

include theos/makefiles/common.mk

TWEAK_NAME = iOSREGreetings

iOSREGreetings_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::

install.exec "killall -9 SpringBoard"

好了，这样我们的第一个HelloWorld就写好了，接下来就是编译了

$ make package install

Making all for tweak iOSREGreetings...

make[2]: Nothing to be done for `internal-library-compile'.

Making stage for tweak iOSREGreetings...

dpkg-deb: building package `com.yourcompany.iosregreetings' in `./com.yourcompany.iosregreetings_0.0.1-1_iphoneos-arm.deb'.

install.exec "cat > /tmp/_theos_install.deb; dpkg -i /tmp/_theos_install.deb && rm /tmp/_theos_install.deb" < "./com.yourcompany.iosregreetings_0.0.1-1_iphoneos-arm.deb"

root@192.168.2.15's password:

Permission denied, please try again.

root@192.168.2.15's password:

Selecting previously deselected package com.yourcompany.iosregreetings.

(Reading database ... 3065 files and directories currently installed.)

Unpacking com.yourcompany.iosregreetings (from /tmp/_theos_install.deb) ...

dpkg-deb: file `/tmp/_theos_install.deb' contains ununderstood data member data.tar.xz , giving up

dpkg: error processing /tmp/_theos_install.deb (--install):

subprocess dpkg-deb --fsys-tarfile returned error exit status 2

Errors were encountered while processing:

/tmp/_theos_install.deb

make: *** [internal-install] Error 1

make 就是编译，package 打包，install 安装

好吧，出错了，我们看看是什么错，打包出错了

百度一下（没法Google ），

在stackoverflow上就有这个

好吧，URL太长了，我直接贴问题的解决办法吧

I found out how to fix it. In $THEOS/makefiles/package/deb.mk replace this line:

 $(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

with this line:

$(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -Zgzip -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

这些大牛们说的很清楚

打开这个文件，使用vim 打开，定位这一行，将这行替换，

再次执行$make package install

OK ! 手机自动重启

重启后我们看到下面这个效果