ios

越狱hook

工具

checkra 越狱
安装ipa的工具impactor
越狱ipa,32位,iOS10.x
越狱ipa,64位,iOS11.2-11.3.1

MonkeyDev官网
frida-ios-dump
Theos 生成 TWeak项目
导出.decrypted头文件 class-dump
dylib项目开发

syslogd Utilities
yololib

反汇编

Cydia 软件

1
2
openssh
cycript

砸壳 dumpdecrypted

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# 查看有哪些证书
security find-identity -v -p codesigning

# 签名文件
codesign --force --verify --verbose --sign "iPhone Distribution: HOLLYCRMBEIJING TECHNOLOGY CO.LTD. (T4V6H9AMFL)" dumpdecrypted.dylib

# 拷贝 dumpdecrypted.dylib 到手机app沙盒路径
scp dumpdecrypted.dylib root@192.168.31.121:/var/mobile/Containers/Data/Application/092E7298-56A7-4E68-BF45-CCBC93806DD7/Documents

# 砸壳,进入待砸APP的沙盒目录
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib 程序WeChat安装路径

# 查看是否加密 cryptid 1加密,2没加密
otool -l WeChat.ipa|grep cry

MonkeyDev

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 安装 theos
sudo git clone --recursive https://github.com/theos/theos.git /opt/theos

# 安装 ldid
brew install ldid
brew install dpkg
# iproxy 端口映射
brew install usbmuxd

xcode-select -p

# 安装 MonkeyDev
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-install)"
# 更新 
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-update)"

Logos Tweak 项目

1
2
3
// 项目工程目录 Package/LibraryMobileSubstrate/DynamicLibraries/.plist 文件修改 Bundles 添加微信的 bundleid

根据手机信息修改 Build Settings 配置 User-Defined 栏目里面的IP,密码等

cycript

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 找到运行中的程序
cycript -p WeChat

# cy 查看沙盒路径
NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]

# 
[NSBundle mainBundle].bundleIdentifier
# 
UIApp.keyWindow.recursiveDescription().toString()
#
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
#
[[UIApp keyWindow] _autolayoutTrace].toString()

# 获取地址的内容: #0x13491fb90
# 打印成员变量: *#0x13491fb90
# 查询当前页面的某个类 choose(UIButton)

debugserver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

# debugserver 路径: 找到对应的 DeveloperDiskImage.dmg 里面的 /usr/bin/debugserver
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport

# debugserver 手机路径
/Developer/usr/bin/debugserver

# 拷贝到电脑,重新赋权,然后拷贝到手机 /usr/bin/ 目录下
codesign -s - --entitlements en.plist -f debugserver

# 开启手机端调试
debugserver localhost:12345 –a WeChat

# 手机端口映射 mac端口 手机端口
iproxy 1234 12345

# Mac端 lldb 连接 debugserver
process connect connect://127.0.0.1:1234

文件 en.plist

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.frontboard.debugapplications</key>
    <true/>
    <key>com.apple.frontboard.launchapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>com.apple.system-task-ports</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

dylib

微信步数修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
CHDeclareClass(WCDeviceStepObject); // declare class  

CHOptimizedMethod(0, self,  unsigned int, WCDeviceStepObject, m7StepCount) // hook method (with no arguments and no return value)  
{  
    // write code here ...  

    return 98888; //随意改数 
}  

CHConstructor // code block that runs immediately upon load  
{  
    @autoreleasepool  
    {  
        CHLoadLateClass(WCDeviceStepObject);  
        CHHook(0, WCDeviceStepObject,m7StepCount);  
    }
}

runtime

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@selector()
-(bool)respondsToSelector:(SEL)
- (IMP)methodForSelector:(SEL)aSelector
+ (IMP)instanceMethodForSelector:(SEL)aSelector

 //获取Ivar的名称
 const char *ivar_getName(Ivar v);
 //获取Ivar的类型编码,
 const char *ivar_getTypeEncoding(Ivar v)
 //通过变量名称获取类中的实例成员变量
 Ivar class_getInstanceVariable(Class cls, const char *name)
 //通过变量名称获取类中的类成员变量
 Ivar class_getClassVariable(Class cls, const char *name)
 //获取指定类的Ivar列表及Ivar个数
 Ivar *class_copyIvarList(Class cls, unsigned int *outCount)
 //获取实例对象中Ivar的值
 id object_getIvar(id obj, Ivar ivar)
 //设置实例对象中Ivar的值
 void object_setIvar(id obj, Ivar ivar, id value)

breakpoint

1
2
3
br list | delete | 
br set -a 地址
br set -n 方法名称

lldb

1
2
3
4
5
frame info

image lookup -rn sendDidClick

expression -l objc -O -- 🙂

汇编 assembly

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# isa 的指向
x86: isa & 0x00007ffffffffff8ULL
arm: isa & 0x0000000ffffffff8ULL

# 查看 寄存器
register read

# 打印 objc_msgSend(id, SEL) 的参数
po $arg1 # 接收消息的对象
po (SEL)$arg2 # 执行消息的方法
po $arg3 # 方法的参数

# arm64
x0 返回值
fp x29 高地址 栈顶
lr x30 函数最后一条指令的下一条指令
sp x31 底地址 栈底
pc x32 当前要执行的指令


# 指令

# 入栈指令: x29, x30 存到 sp-0x10, sp=sp-0x10
stp  x29, x30, [sp, #-0x10]!
# x0 的数据传递到 [SP, #0x8] 地址指向的存储空间
str  x0, [SP, #0x8] 

# 出栈指令: 
ldp  x29, x30, [sp, #-0x10]!
# [x6, #0x80] 的地址值指向的值赋给 x5
ldr  x5, [x6, #0x80]

# x2 的值赋给 x1
mov  x1, x2

# add 加, sub 减, and 与, orr 或, eor 异或


# ?寻找 x8 内 22464 的
adrp  x8, 22464

# 
bl

参考链接

https://www.jianshu.com/p/24c6cb55fb0d

https://www.jianshu.com/p/9487e194fdc9

https://www.jianshu.com/p/64cf03a79caa

https://www.jianshu.com/p/bdbac933c1be