The document value
- Master the essence of coding and write efficient code
- Modify the functions of an existing App
- Learn the design of excellent apps
- Enhance client security
- Strong versatility (the lower level, the stronger the versatility)
Jailbreak Environment Setup
Knowledge reserves
- UI
- multithreading
- Data is stored
equipment
- Debug device iPhone
- At least iphone5s is recommended, as arm64 architecture is supported from 5s onwards
- Or at least iPad Air, iPad mini2 and other devices that support arm64 architecture
- IOS9.1 jailbreak perfect
- Perfect jailbreak is recommended for at least iOS8
- The version can not be too high, to ensure that the perfect jailbreak
- To check whether the phone can be jailbroken: jailbreak.25pp.com/ios
IOS Jailbreak
- Take advantage of the vulnerability of iOS system, obtain the highest permissions of iOS system (Root), unlock the previous restrictions (legal behavior)
advantages
- Create a personalized, different iPhone
- Free to install a variety of useful plug-ins, themes, apps
- Modify some default behaviors of the system App
- Free to install apps that are not from the AppStore
- Paid apps become free apps in seconds
- Flexible file system management allows the iPhone to be as flexible as a USB stick
- It provides a reverse engineering environment for developers
disadvantages
- No warranty
- Power consumption. After jailbreak, the system will stay in some processes, and the power consumption speed will increase about 10%~20%
- A new iOS firmware version cannot be updated in time
- With each new version of the firmware, the jailbreak vulnerability of the previous version will be fixed to disable jailbreak
- If you want to maintain jailbreak status, you must wait for the release of a new jailbreak program, the corresponding firmware version can be upgraded
- No longer protected by the default security of the iOS system, it is vulnerable to malicious software attacks, and personal privacy may be stolen
- If unstable plug-ins are installed, the system may become unstable, slow down, or even have “white apple” problems
Perfect jailbreak and imperfect jailbreak
- Perfect jailbreak: Jailbroken iphones can be shut down and restarted normally
- Imperfect prison break
- Once the iPhone is turned off and turned on again, the screen stays in the splash screen, a “white Apple” state
- Or the device can be started normally, but the cracked software installed cannot be used normally. You need to connect the device to the PC and use the software to boot
- Typically, after Apple releases a new iOS firmware, an imperfect jailbreak for that firmware will be released first, followed by a perfect jailbreak
- Generally, new system versions are not perfect jailbreak
- Recommended Jailbreak methods
- Pp jailbreak.25pp.com/
How to determine whether jailbreak is successful
- Is there a Cydia program on your desktop
- Tool judgment (e.g. Pp assistant) – Jailbreak or not: Yes
Cydia
- App Store after jailbreak
- You can install all kinds of third-party software (plug-ins, patches, apps) in Cydia
- By Jay Freeman (Saurik)
Cydia steps for installing software
- Add software sources (Different software sources may vary) Software Source – Edit – Add – Add a source
- Access the software source to find the corresponding software and start the installation
SpringBoard
- In some cases, after installing the plug-in through Cydia, the “Restart SpringBoard” screen may appear
- SpringBoard is the desktop of iOS
Patches to be installed
Apple File Conduit “2”
- You need to install this patch
- You can access the entire iOS device file system
- Similar patches include afC2 and AFC2Add
- Software sources:
- apt.saurik.com
- apt.25pp.com
AppSync Unified
- You can bypass system verification and install and run cracked IPA installation packages at will
- Software source: apt.25pp.com/
iFile
- Free access to the iOS file system on the iPhone
- Similar examples include Filza File Mnaager and File Browser
- Software sources (BigBoss) : apt.thebigboss.org/repofiles/c…
PP assistant
- You can use pp assistant to install massive APP freely
- Software source: apt.25pp.com/
You need to install it on your Mac
- IFunBox: manages file systems
- PP assistant: free to install massive APP, uninstall app, backup APP for IPA installation package (ios9 no longer support backup app)
Recommended Installation Sequence
IPhone: Cydia->{Apple File Conduit”2″, AppSync Unified}-{iFile, PP assistant} Mac:{iFunBox, PP Assistant}
The installation package
- In general
- Installation packages installed through Cydia are in DEB format (combined with the package management tool APT)
- The installation package installed through the PP assistant is in IPA format
- If installing deb from Cydia source fails
- You can start by downloading the installation package in deb format from the web: enter XXX deb in your browser
- Then open the iFunBox – file system, the software install deb package into/var/root/media/Cydia/AutoInstall, and then restart the mobile phone, Cydia will automatically install the deb
How to determine whether jailbreak is successful
- Is there Cydia on the desktop
- Tool judgment (e.g. PP assistant) – shows jailbreak
- Code judgment, but the situation of each system is not the same, you can search on the Internet as follows:
if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {
NSLog(@"This device has been jailbroken.");
}else{
NSLog(@"This device is not jailbroken.");
}
Copy the code
Tools to improve productivity
- Alfred: Easy search, workflow (shortcut key Option + space)
- XtraFinder: Enhanced Finder
- ITerm2: command line tool to complete Terminal
- Go2Shell: Quick location from Finder to command line tool
Mac remote login to iPhone
- We often use the command line to perform operations on Mac terminals. IOS and Mac OS X are both based on Darwin, so iOS also supports terminal command line operations
- In reverse engineering, iPhone is often manipulated by command line. In order for the command line in Mac terminal to work on iPhone, we have to connect Mac and iPhone, and establish a connection by remotely logging in from Mac to iPhone
SSH, OpenSSH
- SSH: Secure Shell stands for “Secure Shell protocol,” a protocol that provides security for remote logins. It prevents sniffers from tampering — using SSH, you can encrypt all transmitted data. Man-in-the-middle attacks are impossible to implement, preventing DNS spoofing and IP spoofing
- OpenSSH: a free open source implementation of the SSH protocol, which allows Mac users to remotely log in to iPhone using OpenSSH
Use OpenSSH for remote login
- Install the OphoneSSH tool on iPhone using Cydia (http://apt.saurik.com)
- For details about how to use OpenSSH, see Description
Remote Login using OpenSSH – Procedure
- SSH communicates over TCP, so make sure your Mac and iPhone are on the same LOCAL area network, such as WiFi
- SSH root@mobile IP address (SSH account name @server host address), password: OpenSSH Descripthon to find the default password (alpine); Verify whether to log in to the mobile phone: 1. CD / 2
- Exit Login: Exit
Root, mobile
- There are two common iOS accounts: root and Mobile
- Root: the account with the highest permission
- mobile: Common permission account, can only operate some common files, not operating system level files (login: SSH mobile@iphone IP address to connect to the network, default password is alpine) (ps: command line root path if the # sign, represents the highest user rights, if the $, represents the common user rights)
- Change the passwords of user root and mobile. After logging in to user root, run passwd and passwd mobile respectively.
- Log in to the root user, and run passwd to change the password of the highest permission user. Run passwd mobile to change the password of mobile user (exit: exit).
SSL, OpenSSL
- SSL: Short for Secure Sockets Layer, a security protocol that provides security and data integrity for network communication and encrypts network connections at the transport Layer
- OpenSSL: The open source implementation of SSL. Most HTTPS requests are equivalent to HTTP+OpenSSL.
- OpenSSH encryption is done through OpenSSL (OpenSSH encryption depends on OpenSSL).
The version of SSH
- There are two VERSIONS of the SSH protocol (SSH-1 and SSH-2). Ssh-2 is commonly used nowadays. The client and server versions must be the same to communicate with each other.
- View the SSH version (view the Protocol field in the configuration file)
- Check version on MAC: Command line
- cd /etc/ssh
- ls -l
- Cat ssh_config looks for the number following the Protocol field
- View version on iPhone: Command line
- Login iPhone: IP address of root@iphone network
- cd/etc/ssh
- ls -l
- cat sshd_config
Client: /etc/ssh/ssh_config
Server: /etc/ssh/sshd_config
SSH communication process
- SSH communication can be divided into three main stages
- Establishing a Secure Connection
- Client Authentication
- The data transfer
Establishing a Secure Connection
- During the establishment of a secure connection, the server provides its own proof of identity
The server identity information is changed
- When establishing a secure connection, you may encounter the following error message: Notifies the server that the identity information has been changed. If you still want to connect, do the following:
- vim known_hosts
- (dd:vim command delete) Delete line 9, save and exit
- Re-enter the login server instruction
Or open the “known_hosts” file to delete (update) the public key information of the server. Enter: ssh-keygen -r Server IP address
SSH client authentication mode
- Ssh-2 provides two common client authentication modes
- Password-based client authentication (authentication using account and password)
- Key based client authentication (password-free authentication, the most secure type of authentication)
- By default, sSH-2 attempts key authentication first. If the authentication fails, sSH-2 attempts password authentication only.
SSH- Client authentication based on the secret key
- Ssh-keygen Press Enter (client generates public and private keys)
- cd ~/.ssh
- ls -l
- Ssh-copy-id root@MOBILE PHONE IP address (append the public key to the end of XXX)
- Try logging in to root without entering a password (the clear command clears the command line)
- Compare the authorized_keys file with the cat id_rsa.pub command: cat ~/.ssh/authorized_keys (the authorized_keys file does not exist at first, it is automatically generated)
- Generate a Pair of associated Key pairs on the client: a Public Key and a Private Key ssh-keygen
- Press Enter all the way
- OpenSSH generates an RSA key by default. You can specify the key type by using the -t parameter
- The generated public key is ~/.ssh/id_rsa.pub
- The generated secret key is ~/ SSH /id_rsa
- Add the public key content of the client to the end of the authorization file (~/.ssh/authorized_keys) of the server. Ssh-copy-id root@host ADDRESS of the server
- You need to enter the login password of user root
- Ssh-copy-id automatically appends the contents of ~/.ssh/id_rsa.pud to the ~/.ssh/authorized_keys tail of the server
- Note: since the operation is in the ~ folder, the above operation only solves the root user login problem (will not affect mobile users).
Public key >> Authorization file
- You can use the ssh-copy-id command to automatically add the public key content of the client to the end of the authorization file of the server or manually add the public key content of the client to the end of the authorization file of the server. Copy the public key of the client to a path on the server
- SCP ~/. SSH /id_rsa.pud root@ Server host ADDRESS: ~
- SCP is short for Secure Copy. It is a secure remote file copy command based on SSH login to copy a file to another remote host
- The command line is as follows:
- SSH root@SERVER IP address
- cd .ssh
- ls -l
- rm authorized_keys
- Exit (Delete previously created authorization files first)
- cd .ssh
- ls -l
- Pud root@ Server IP address :~/. SSH (Copy the public key from the client to the server)
- SSH root@SERVER IP address
- cd .ssh
- ls -l
- Cat id_rsa.pud >> authorized_keys(append id_rsa.pub to the end of authorized_keys, or recreate the authorized_keys file if it does not exist)
- rm id_rsa.pub
- Chmod 755 ~(If password-free login is configured, but you still need to enter the password, grant server file permission)
- chmod 755 ~/.ssh
- chmod 644 ~/.ssh/authorized.keys
22 port
- A port is a window for the device to provide external services. Each port has a port number (2^16 in the range of 0 to 65535).
- Some port numbers are reserved and have specified uses, for example
- Port 21 Provides the FTP service
- Port 80 provides the HTTP service
- 32 Port SSH service (you can check the Port field in /etc/ssh/sshd_config)
- More reserved port number: Baidu bar
- By default, the iPhone uses port 22 for SSH communication and uses TCP (MAC is logged in to port 22 of the iPhone through wifi(SSH login)).
Log in over SSH using a USB device
- By default, the Mac uses SSH to log in to the iPhone over a network connection because SSH uses TCP, requiring the iPhone to connect to WiFi
- In order to speed up the transfer, you can also log in using SSH over A USB connection (there is a service program usbmuxd on Mac, it will start automatically after boot, it can transfer Mac data to iPhone via USB) (PATH of USBMUxD: /System/Library/PrivateFrameworks/MobileDevice.framework/Resources/usbmuxd)
Use of USBMUXD 1
- Download usbmuxd toolkit (version download v1.0.8, mainly used inside of a python script: tcprelay. Py) cgit.sukimashita.com/usbmuxd.git… After downloading it, only two.py files are left, and the rest are useless and should be deleted
- Map iPhone port 22 (SSH port) to Mac local port 10010
- CD ~ / Documents/usbmuxd – 1.0.8 / python – client
- Py -t 22:10010 the -t argument is added to support multiple SSH connections at the same time
- Note: Do not terminate this command line to preserve the port mapping state (open a new terminal interface if you want to execute another terminal line)
- It doesn’t have to be port 10010, as long as it’s not reserved
Use of USBMUXD 2
- After the port mapping is complete, if you want to communicate with port 22 on the iPhone, you can directly communicate with port 10010 on the Mac. Open a terminal interface and log in to port 10010 on the Mac using SSH (choose 1 of the following two methods).
- ssh root@localhost -p 10010
- SSH [email protected] -p 10010 (IP address of the local virtual nic) Localhost is a domain name pointing to the IP address 127.0.0.1, the IP address of the local virtual NIC
- The USBMUxD forwards TCP data from port 10010 on the Mac to port 22 on the iPhone over a USB connection
- Copy the public key file to local port 10010.
- scp -P 10010 ~/.ssh/id_rsa.pub root@loaclhost:~
- SSH -p 10010 root@localhost (Log in to local port 10010)
- ls -l
- rm id_rsa.pub
Sh script file
- We can put a series of frequently executed terminal commands into an sh script file (shell) and execute the script file
- Open the path to the
- vim usb.sh
- As I enter the edit mode, copy (python ~ / Documents/iOS/usbmuxd/tcprelay py – t no 010), save the exit
- Cat usb.sh View the usb.sh file
- sh usb.sh
- Control +c Exits the command line 11
- You can run the sh script file using the sh, bash, and source commands
- Sh, bash: the current shell environment starts a subprocess to execute the script file and returns to the shell environment of the parent process. When CD is executed, the child goes to the CD’s directory, but the environment does not change in the parent, that is, the directory does not change
- Source: Run the script file in the current shell environment, and the CD will be redirected to the CD directory. You can use a dot “.” instead, for example, “.test. sh” ps: You can also create login.sh
Chinese garbled characters on iOS terminals are abnormal
- By default, iOS terminals do not support Chinese input and display
- Solution: Create a ~/. Inputrc file with the following contents:
- Instead of converting Chinese characters to escape sequences, set convert-meta off
- Set output-meta on to allow Chinese output to the terminal
- Set meta-flag on, set input-meta on
-
If you want to edit the file content from your terminal, you can install a vim via Cydia (http://apt.saurik.com)
-
The terminal operations are as follows: PS: Enable the mobile phone to support VIM first, download and install the software source, and then operate
- vim .inputrc
- Copy the following: set convert-meta off set output-meta on set meta-flag on set input-meta on
- Login to the mobile terminal at this time, you can support Chinese
Cycript
- Cycript is a mashup of Objective-C++, ES6(JavaScript), Java, and more
- It can be used to explore, modify, and debug running Mac\iOS apps
- Website: www.cycript.org/
- Documents: www.cycript.org/manual/
- Install Cycript on Cydia to upgrade the APP in trial run on iPhone
The ps command
- Install the adv – CMDS
- The ps command is short for process status. You can use the ps command to list the current processes in the system
- List all processes (Ps-A)
- Search keyword (ps – A | grep keywords)
Turning Cycript on and off
steps
- Log in to your iPhone first
- ps -A
- Cycript-p 7661 or Cycript-p neteasemusic for example (Cycript enabled) Control + D (Exit) Cycript-p process ID/ process name)
Common Grammar 1
- UIApp: equivalent to [UIApplication sharedApplication]
- Define variables: var Variable name = variable value
- Column: var app = uiapp.keywindow
- Get the object with the memory address.
- Objectivec.classes (All OC classes loaded in this app)
- View all member variables of an object (directive: *UIApp or *# memory address)
- Print all view child controls recursively (LLDB) Po window recursiveDescription] [self. View. Print all child controls) columns: UIApp. KeyWindow. RecursiveDescription (). The toString ()
Common Grammar 2
- Choose (UIViewController) Choose (UITableViewCell) (If it crashes, re-enter the process and continue)
Dynamically debug the netease cloud
Column:
- To connect to the server, the SCP – 10010 – P/Documents/iOS/LFTool js root @ localhost: / usr/lib/cycript0.9 / LFTool cy (will LFTool. Copy js to LFTool. Cy file)
- Cycript – P Neteasemusic (netease Cloud Music)
- @import LFTool
- LFTopVc() (this method can get the current display of the top VC, packaged oh ~)
- LFInstanceMethodNames(# controller memory address) (print all object methods of the controller)
- [# controller memory address loginButtonClicked:nil]
- LFSubviews(# controller memory address.view) (Print all subviews)
- # textFiled Memory address. Text = “777”
- LFClassMethodNames(# controller memory addresses) control+c: Delete all methods
- LFInstanceMethodNames(# Controller memory address) (object method)
- “, locate the button view and delete the button idea: identify the view with the word “login”
- Python (Enter the Python environment and view the Unicode encoding for “Login”)
- Unicode (‘ login ‘, ‘UTF-8 ‘)
- Remove the login button
- LFAppId
- var view = [[UIView alloc] init]
- The frame = MJRectMake (0,0,100,100)
- view.backgorundColor = [UIColor redColor]
- You can also use the regular LFInstanceMethodNames(# controller memory address, /login/), LFInstanceMethodNames(# controller memory address, /View$/) ending with View
Attached: lftool. cy file
Author’s brief introduction
Worked in the Information Technology Department of Sweet Orange Finance (Wing Payment), responsible for iOS client development