
iOS Application Reverse Engineering (Part 2)

2015-10-22 14:09

The previous post gave a brief introduction to the iOS platform. Today we will write the classic little program, HelloWorld. A real classic!

First, my environment: the Mac runs OS X Yosemite with Xcode 7 and iPhoneOS9.0.sdk; the phone runs iOS 8.2. All pretty much the latest versions.

Next we have to set up the development environment.

class-dump is a tool that dumps the class information of a target binary. It relies on the metadata the Objective-C runtime needs (which should be familiar to everyone) to extract the header information stored in the Mach-O file and generate the corresponding .h files. class-dump is simple to use. First go to http://stevenygard.com/projects/class-dump and download it; I downloaded class-dump-3.5.dmg.

Any version will do, as long as you know how to install it. Open a terminal and type:

$ class-dump
class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>

where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
        -C <regex>     only display classes matching regular expression
        -f <str>       find string in method name
        -H             generate header files in current directory, or directory specified with -o
        -I             sort classes, categories, and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the arches in the file, then exit
        --sdk-ios      specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/iPhoneOS<version>.sdk
        --sdk-mac      specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
        --sdk-root     specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)

If you see this, the installation succeeded. Now let's actually use class-dump.

In the terminal, enter:

class-dump -S -s -H HandleWrite -o /path/headers/HandleWrite

First try it on an app you wrote yourself that has not been submitted to the App Store and see what comes out (the one above is my own app, still unfinished, so I won't post a screenshot). Then try it on an app downloaded from the App Store and see what you get. Go and do it yourself, compare the results and note how they differ; why they differ will be covered in an upcoming post.
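A check a practitioner would want before reaching for class-dump, added here as an example and not part of the original post: the script below walks the load commands of a Mach-O file (thin or universal) and reports the cryptid field of LC_ENCRYPTION_INFO, which tells you whether the executable pages are FairPlay-encrypted and therefore whether class-dump can read any Objective-C metadata at all. It uses only the Python standard library; the load-command constants are the real Mach-O values, while the sample images built by fake_image and fake_fat are constructed here, not taken from any real app.

```python
"""Report whether each slice of a Mach-O binary is FairPlay-encrypted.

Added example, not from the original post. It walks the load commands looking
for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 and reads its cryptid field:
1 means the executable pages are still encrypted (class-dump finds no usable
Objective-C metadata), 0 means plaintext. Standard library only; the sample
images at the bottom are constructed here, not taken from any real app.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, little-endian on ARM
FAT_MAGIC = 0xCAFEBABE                            # universal container, big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C


def _thin_cryptids(data, base=0):
    """Return every cryptid value in the thin Mach-O image that starts at `base`."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC:
        hdr_len = 28                  # struct mach_header
    elif magic == MH_MAGIC_64:
        hdr_len = 32                  # struct mach_header_64 has an extra reserved field
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, = struct.unpack_from("<I", data, base + 16)
    off, ids = base + hdr_len, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            ids.append(struct.unpack_from("<I", data, off + 16)[0])
        off += cmdsize
    return ids


def encryption_state(data):
    """Map cputype -> True (encrypted), False (plain) or None (no LC_ENCRYPTION_INFO)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        slices = []
        for i in range(nfat):         # struct fat_arch: cputype, cpusubtype, offset, size, align
            arch = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append((arch[0], arch[2]))
    else:
        slices = [(struct.unpack_from("<I", data, 4)[0], 0)]
    state = {}
    for cputype, offset in slices:
        ids = _thin_cryptids(data, offset)
        state[cputype] = (ids[0] != 0) if ids else None
    return state


def fake_image(cryptid, bits=64):
    """Constructed minimal thin image; cryptid=None omits the encryption command."""
    cmds = b""
    if cryptid is not None and bits == 64:
        cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    elif cryptid is not None:
        cmds = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    ncmds = 1 if cmds else 0
    if bits == 64:
        return struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, ncmds, len(cmds), 0, 0) + cmds
    return struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 0, 2, ncmds, len(cmds), 0) + cmds


def fake_fat(images):
    """Constructed universal binary from (cputype, thin_image) pairs laid out back to back."""
    off, archs, body = 8 + 20 * len(images), b"", b""
    for cputype, img in images:
        archs += struct.pack(">IIIII", cputype, 0, off, len(img), 0)
        body += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    if len(sys.argv) == 2:                       # e.g. the main executable inside an .app bundle
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                        # constructed stand-in for an App Store build
        blob = fake_fat([(CPU_TYPE_ARM, fake_image(1, 32)), (CPU_TYPE_ARM64, fake_image(1))])
    labels = {True: "encrypted (class-dump will fail)", False: "plain", None: "no LC_ENCRYPTION_INFO"}
    for cputype, enc in sorted(encryption_state(blob).items()):
        print("cputype 0x%08x: %s" % (cputype, labels[enc]))
```

Run it with the path of a binary as the only argument, or with no argument to see the constructed sample. A build from Xcode has no LC_ENCRYPTION_INFO or has cryptid 0, whereas a fresh App Store download reports cryptid 1 for every slice, which is why class-dump produces useful headers for the first and nothing useful for the second.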

Next, let's introduce Theos.

Theos is a jailbreak development kit written by the well-known iOS jailbreak developer Dustin Howett and shared on GitHub.

First download it:

$ sudo git clone git://github.com/DHowett/theos.git theos

Then download ldid from http://joedj.net/ldid and put it in /opt/theos/bin/. Remember to fix its permissions:

$ sudo chmod 755 /opt/theos/bin/ldid

Make sure the dpkg tool is installed; if you are not sure, type dpkg in the terminal to check.

Then configure CydiaSubstrate. First download this package:

mobilesubstrate_0.9.6011_iphoneos-arm.deb

$ dpkg-deb -x mobilesubstrate_0.9.6011_iphoneos-arm.deb mobilesubstrate
$ cp mobilesubstrate/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate /opt/theos/lib/libsubstrate.dylib
$ sudo cp CydiaSubstrate.h /opt/theos/include/substrate.h

When doing these steps, my habit is to back up the old files first.

OK, the environment is set up. Let's write HelloWorld.

$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/application
  [2.] iphone/cydget
  [3.] iphone/framework
  [4.] iphone/library
  [5.] iphone/notification_center_widget
  [6.] iphone/preference_bundle
  [7.] iphone/sbsettingstoggle
  [8.] iphone/tool
  [9.] iphone/tweak
  [10.] iphone/xpc_service
Choose a Template (required): 9
Project Name (required): iOSREGreetings
Package Name [com.yourcompany.iosregreetings]:
Author/Maintainer Name [olduser]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in iosregreetings/...
Done.

That creates a reverse-engineering project.

$ ls
Makefile control theos
Tweak.xm iOSREGreetings.plist

Only these few files, but there is a lot hidden in them.

$ vim Tweak.xm

You can see that everything in it is commented out. This is the file we have to modify; add the following to Tweak.xm:

%hook SpringBoard

-(void)applicationDidFinishLaunching:(id)application {
    %orig;
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Welcome" message:@"Hello world,你好世界" delegate:nil cancelButtonTitle:@"确定" otherButtonTitles:nil];
    [alert show];
    [alert release];
}

%end

$ vim Makefile and write it like this:

THEOS_DEVICE_IP = 192.168.2.15
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0
iOSREGreetings_FRAMEWORKS = UIKit

include theos/makefiles/common.mk

TWEAK_NAME = iOSREGreetings
iOSREGreetings_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 SpringBoard"

OK, our first HelloWorld is written. Next we compile it:

$ make package install
Making all for tweak iOSREGreetings...
make[2]: Nothing to be done for `internal-library-compile'.
Making stage for tweak iOSREGreetings...
dpkg-deb: building package `com.yourcompany.iosregreetings' in `./com.yourcompany.iosregreetings_0.0.1-1_iphoneos-arm.deb'.
install.exec "cat > /tmp/_theos_install.deb; dpkg -i /tmp/_theos_install.deb && rm /tmp/_theos_install.deb" < "./com.yourcompany.iosregreetings_0.0.1-1_iphoneos-arm.deb"
root@192.168.2.15's password:
Permission denied, please try again.
root@192.168.2.15's password:
Selecting previously deselected package com.yourcompany.iosregreetings.
(Reading database ... 3065 files and directories currently installed.)
Unpacking com.yourcompany.iosregreetings (from /tmp/_theos_install.deb) ...
dpkg-deb: file `/tmp/_theos_install.deb' contains ununderstood data member data.tar.xz , giving up
dpkg: error processing /tmp/_theos_install.deb (--install):
 subprocess dpkg-deb --fsys-tarfile returned error exit status 2
Errors were encountered while processing:
 /tmp/_theos_install.deb
make: *** [internal-install] Error 1

make compiles, package builds the .deb, and install installs it on the device.

Well, it failed. Let's look at what went wrong: the error is in the package step, as the device's dpkg cannot read the data.tar.xz member inside the .deb.

A Baidu search (no Google here) turned up this on StackOverflow.

The URL is too long, so I'll just paste the solution:

I found out how to fix it. In $THEOS/makefiles/package/deb.mk replace this line:

$(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

with this line:

$(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -Zgzip -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

Those experts explain it very clearly: open the file in vim, find that line and replace it (the added -Zgzip makes dpkg-deb write a gzip-compressed data member instead of xz).
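The check below is an added example and is not from the original post, from Theos or from the StackOverflow answer. A .deb is an ar archive, so it can be inspected on the Mac without dpkg: the script lists the members, reports which compression the data member uses (by its name and by its magic bytes, since the two can disagree) and flags a package the phone's dpkg would reject before make install pushes it. The accepted set (gzip or uncompressed) is an assumption about that old device-side dpkg, and the sample packages produced by fake_deb are constructed inline with the standard library.

```python
"""List the members of a Debian package (a .deb is an `ar` archive) and check the data member.

Added example, not from the original post, Theos or the StackOverflow answer.
The device-side error "contains ununderstood data member data.tar.xz" means the
phone's dpkg cannot read xz-compressed payloads; this script shows, on the Mac,
which compression a .deb actually uses (by member name and by magic bytes) so a
bad package is caught before `make install` pushes it. The accepted set below
(gzip or uncompressed) is an assumption about that old dpkg, and the sample
packages at the bottom are constructed here with the standard library.
"""
import gzip
import lzma
import sys

AR_MAGIC = b"!<arch>\n"
ACCEPTED = ("gz", "")                                   # assumption: what the device's dpkg accepts
MAGICS = {b"\x1f\x8b": "gz", b"\xfd7zXZ\x00": "xz", b"BZh": "bz2"}


def ar_members(blob):
    """Yield (name, payload) for each member; header is 60 bytes of fixed-width ASCII fields."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar ends names with '/'
        size = int(hdr[48:58].decode("ascii").strip())
        start = off + 60
        yield name, blob[start:start + size]
        off = start + size + (size & 1)                 # members are padded to even offsets


def sniff(payload):
    """Compression implied by the payload's magic bytes ('' if none recognised)."""
    for magic, comp in MAGICS.items():
        if payload.startswith(magic):
            return comp
    return ""


def deb_check(blob):
    """Describe the data.tar member of a .deb and whether the device should accept it."""
    members = dict(ar_members(blob))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unexpected debian-binary member")
    data = [n for n in members if n.startswith("data.tar")]
    if len(data) != 1:
        raise ValueError("expected one data.tar member, found %r" % data)
    name = data[0]
    ext = name.partition("data.tar")[2].lstrip(".")
    actual = sniff(members[name])
    return {"data_member": name, "ext": ext, "actual": actual,
            "device_ok": ext in ACCEPTED and actual == ext}


def _ar_member(name, payload):
    """Constructed ar member with a minimal header (mtime/uid/gid zero, mode 100644)."""
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(payload)).ljust(10)).encode("ascii") + b"`\n"
    return hdr + payload + (b"\n" if len(payload) & 1 else b"")


def fake_deb(compression):
    """Constructed .deb whose data member is compressed with 'gz' or 'xz'."""
    control = gzip.compress(b"Package: com.yourcompany.iosregreetings\nVersion: 0.0.1-1\n")
    tar = b"fake tar payload"                            # contents are irrelevant to the check
    data = gzip.compress(tar) if compression == "gz" else lzma.compress(tar)
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar." + compression, data))


if __name__ == "__main__":
    debs = [("constructed " + c, fake_deb(c)) for c in ("xz", "gz")]
    if len(sys.argv) == 2:                               # e.g. ./com.yourcompany.iosregreetings_0.0.1-1_iphoneos-arm.deb
        with open(sys.argv[1], "rb") as f:
            debs = [(sys.argv[1], f.read())]
    for label, blob in debs:
        r = deb_check(blob)
        verdict = "ok for device" if r["device_ok"] else "rebuild with -Zgzip"
        print("%s: %s (magic says %s) -> %s" % (label, r["data_member"], r["actual"] or "none", verdict))
```

Pointing it at the .deb that Theos just built tells you in advance whether the data member is data.tar.xz (what the unpatched deb.mk produced) or data.tar.gz (what it produces after the -Zgzip change), which is a faster check than a failed install on the phone.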

Run $ make package install again.

OK! The phone reboots automatically.

After the reboot we see the following:

That is the final result.

How about it? Give it a try yourself.

I ran all of these experiments first and only wrote this afterwards. Would I really type all these commands in one by one?

Ha, with a little Linux knowledge you won't have to:

history | tail -n 1000 > /tmp/history.log

Then jump to the right place quickly in vim and you're done.