iOS逆向研究02

1.第一个逆向程序

• 创建tweak工程

  ➜  iOS /opt/theos/bin/nic.pl NIC 2.0 - New Instance Creator------------------------------  [1.] iphone/activator_event  [2.] iphone/application_modern  [3.] iphone/cydget  [4.] iphone/flipswitch_switch  [5.] iphone/framework  [6.] iphone/ios7_notification_center_widget  [7.] iphone/library  [8.] iphone/notification_center_widget  [9.] iphone/preference_bundle_modern  [10.] iphone/tool  [11.] iphone/tweak  [12.] iphone/xpc_service //选择tweak工程  Choose a Template (required): 11   //工程名称Project Name (required): MyFirstReProject  //deb包的名字（类似于bundle identifier)Package Name [com.yourcompany.myfirstreproject]: com.iosre.myfirstreproject  //tweak作者Author/Maintainer Name [System Administrator]: luz //tweak作用对象的bundle identifier[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard //tweak安装完成后需要重启的应用[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoardInstantiating iphone/tweak in myfirstreproject/...Done.

• 工程文件结构介绍

  • Makefile

    //工程包含的通用头文件include $(THEOS)/makefiles/common.mk//创建工程时指定的“Project Name，指定好之后一般不要再更改TWEAK_NAME = MyFirstReProject//tweak包含的源文件，指定多个文件时用空格隔开MyFirstReProject_FILES = Tweak.xm//tweak工程的头文件，一般有application.mk、tweak.mk和tool.mk几类include $(THEOS_MAKE_PATH)/tweak.mk//指定tweak安装之后，需要做的事情，这里是杀掉SpringBoard进程 after-install::    install.exec "killall -9 SpringBoard"补充://编译debug或者releaseDEBUG = 0//越狱iPhone的ip地址THEOS_DEVICE_IP = 192.168.1.113//指定支持的处理器架构ARCHS = armv7 arm64 //指定需要的SDK版本iphone:Base SDK:Deployment TargetTARGET = iphone:latest:8.0  //最新的SDK，程序发布在iOS8.0以上//导入框架，多个框架时用空格隔开MyFirstReProject_FRAMEWORKS = UIKit MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport//链接libsqlite3.0.dylib、libz.dylib和dylib1.oMyFirstReProject_LDFLAGS = -lz –lsqlite3.0 –dylib1.o//make cleanclean::    rm -rf ./packages/* 

  • tweak文件
    “xm”中的“x”代表这个文件支持Logos语法，如果后缀名是单独一个“x”，说明源文件支持Logos和C语法；如果后缀名是“xm”
    ，说明源文件支持Logos和C/C++语法。

  /* How to Hook with LogosHooks are written with syntax similar to that of an Objective-C @implementation.You don't need to #include <substrate.h>, it will be done automatically, as willthe generation of a class list and an automatic constructor.%hook ClassName// Hooking a class method+ (id)sharedInstance {    return %orig;}// Hooking an instance method with an argument.- (void)messageName:(int)argument {    %log; // Write a message about this call, including its class, name and arguments, to the system log.    %orig; // Call through to the original function with its original arguments.    %orig(nil); // Call through to the original function with a custom argument.    // If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)}// Hooking an instance method with no arguments.- (id)noArguments {    %log;    id awesome = %orig;    [awesome doSomethingElse];    return awesome;}// Always make sure you clean up after yourself; Not doing so could have grave consequences!%end*/

  • %hook 指定需要hook的class，必须以%end结尾

  • %log 该指令在%hook内部使用，将函数的类名、参数等信息写入syslog
    Cydia内搜索安装syslogd

  • %orig该指令在%hook内部使用，执行被钩住（hook）的函数的原始代码。

  • control
    control文件记录了deb包管理系统所需的基本信息，会被打包进deb包里。