This series is a compilation of notes from my early study of MJ's class. Some references are cited, and some I may have forgotten to add. If a reference is missing, please contact me.

  • iOS Reverse (1) Environment setup
  • iOS Reverse (2) Cycript
  • iOS Reverse (3) Reverse tools
  • iOS Reverse (4) Unshell audit
  • iOS Reverse (5) Theos
  • iOS Reverse (6) Dynamic debugging
  • iOS Reverse (7) Re-signing

I. Project preparation

1.1 Installing the Signature Tool

Theos uses ldid to pseudo-sign the compiled dylib and the packaged binaries so that a jailbroken device will load them:

```bash
$ brew install ldid
```

1.2 Modifying Environment Variables

  • Edit the user's shell configuration file:

```bash
$ vim ~/.bash_profile
```

  • Append the following variables to .bash_profile (on configuring variables, see [macOS environment variable configuration](https://wenghengcong.com/posts/349bdc7c/)). There must be no spaces around `=`:

```bash
# THEOS
export THEOS=~/theos
export PATH=$PATH:$THEOS/bin
```

  • Reload .bash_profile so the variables take effect immediately, or restart the terminal:

```bash
$ source ~/.bash_profile
```

1.3 Downloading Theos

Clone Theos into the `$THEOS` directory configured above:

```bash
$ git clone --recursive https://github.com/theos/theos.git $THEOS
```

II. Project development: removing ads from Ximalaya FM

The process for developing a tweak project is as follows:

  • Confirm the requirement: ad removal, membership unlocking, feature unlocking, etc.
  • Decide what to modify based on the requirement.
    • For ad removal, determine and analyze the view hierarchy.
    • For membership or feature unlocking, analyze function calls and logic, guess at the implementation, and then try to hook it.
  • Project development:
    1. Unshell (Clutch or dumpdecrypted);
    2. class-dump to export the header files;
    3. Analyze the interface with Reveal and Cycript;
    4. Analyze class relationships and function-call logic, and try hooks;
    5. Debug, compile, package, install;
    6. Re-sign and publish.

This article covers the first five steps; re-signing is described later in the series.

2.1 Creating Tweak Project

The target today is the Ximalaya FM app.

The requirement: remove ads.

cd to the directory where the project code will be stored, here:

```bash
$ cd ~/Desktop/crackApp/ting/
```

Run `nic.pl` (Theos's project generator, in `$THEOS/bin`) and choose the `iphone/tweak` template; it then prompts for the following:

  • Project Name
    • Required; here the project is named tingtweak.
  • Package Name
    • The package identifier, usually reverse-DNS; fairly arbitrary.
    • Here: com.luci.tingtweak.
  • Author/Maintainer Name
    • Here: Wenghengcong; pressing Enter accepts the default (the Mac user name).
  • [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]
    • The bundle identifier of the app the tweak is injected into: com.gemd.iting.
    • An app's bundle identifier can be read with Cycript or MJAppTool.
  • [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]
    • Press Enter to accept the default.

2.2 Project file structure

2.2.1 MakeFile

The Makefile specifies the files, frameworks, libraries and so on used by the project and automates the whole build. Let's look at the generated Makefile (comments added):

```makefile
include $(THEOS)/makefiles/common.mk

# TWEAK_NAME is the Project Name given when the project was created by Theos;
# it must match the Name field in the control file, so do not change it.
TWEAK_NAME = tingtweak

# Source files of the tweak (excluding headers), separated by spaces
tingtweak_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

# Kill SpringBoard after installation so that Cydia Substrate loads the new dylib
# into the processes that match the filter when they restart
after-install::
	install.exec "killall -9 SpringBoard"
```

Add the device variables at the top so it is clear which IP and port are used to reach the phone:

```makefile
export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010

include $(THEOS)/makefiles/common.mk
...
```

Here the phone is reached through the local address on port 10010, i.e. a port forwarded over USB; see the section on connecting the phone over USB in iOS Reverse (1) Environment setup.

If you don't want to repeat the IP and port in every project's Makefile, add them to the shell configuration file, like the $THEOS variable above, and run source again:

```bash
# THEOS
export THEOS=~/theos
export PATH=$PATH:$THEOS/bin
export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=10010
```

  • Tweak code is compiled as MRC by default. If ARC is required, add the following to the Makefile (for other projects, replace tingtweak with the project's TWEAK_NAME):

```makefile
tingtweak_CFLAGS = -fobjc-arc
```

2.2.2 control

This holds the package metadata: package identifier, name, version, maintainer and so on.

```
Package: com.luci.tingtweak
Name: tingtweak
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: Wenghengcong
Author: Wenghengcong
Section: Tweaks
```

2.2.3 tingtweak.plist

This is the Substrate filter: it lists the bundle identifier of the app to inject into. To target several apps, add their bundle identifiers to the Bundles array (Substrate also accepts `Executables` and `Classes` arrays for matching by executable name or by a loaded class):

```
{
    Filter = {
        Bundles = (
            "com.gemd.iting"
        );
    };
}
```

2.2.4 The .xm file

Tweak.xm holds the hook code, written in Logos syntax (Objective-C plus `%hook`, `%orig` and similar directives; see section 5.2).

2.3 Unshell and export the header file

  • If Clutch (`Clutch -d`) fails to decrypt the app, use dumpdecrypted instead.

  • First, list the installed applications with MJAppTool and obtain the path of the Ximalaya app:

```
/private/var/mobile/Containers/Bundle/Application/77CC1D65-FAD8-4E87-AA39-88756270F899/ting.app/
```

  • Unshelling with dumpdecrypted:

    • Run the app executable with the library injected; it writes the decrypted binary into the current directory:

```bash
5s:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/77CC1D65-FAD8-4E87-AA39-88756270F899/ting.app/ting
```

    • In /var/root, find the decrypted file (`ting.decrypted`) and copy it to the Mac.

  • Export the headers with class-dump (the option is an upper-case `-H`; lower-case `-h` only prints the help). Pass whatever name you gave the decrypted binary:

```bash
$ class-dump -H ting.decrypted -o Headers
```

2.4 Analysis Interface

The playback screen shows an advertisement.

Using Reveal, the ad view class can be identified with reasonable confidence as XMSoundPatchImageView.

The guess can be verified with Cycript:

```
// attach Cycript to the app process (pid 893 here)
5s:~ root# cycript -p 893
cy# @import mjcript
cy# MJFrontVc()
#"<XMPlayingViewController: 0x12eca0a00>"
// 1. Take the address of the suspected ad view from Reveal and print its subview tree
cy# #0x130524080.recursiveDescription().toString()
`<XMSoundPatchImageView: 0x130524080; frame = (0 105; 320 223); layer = <CALayer: 0x12ff8c8b0>>
   | <UIView: 0x130524a60; frame = (0 0; 320 223); layer = <CALayer: 0x1302a6fe0>>
   |    | <UIImageView: 0x130524220; frame = (56 15; 208 208); clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x1301c7950>; layer = <CALayer: 0x130524050>>
   |    |    | <XMAdMarkView: 0x130524880; baseClass = UIImageView; frame = (0 196; 21.6 12); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x13026faf0>>
   | <UIButton: 0x1305245f0; frame = (249 0; 30 30); opaque = NO; layer = <CALayer: 0x13027e6e0>>
   |    | <UIImageView: 0x1300e0eb0; frame = (0 0; 30 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1303f17c0>>`
// 2. The actual ad image is presumably the UIImageView; remove it from its superview
cy# #0x130524220.removeFromSuperview()
```

After it is removed, the ad disappears on the phone, which confirms the guess.

2.5 Writing Code

Now, we’re going to do something about XMSoundPatchImageView.

Take a look at the XMSoundPatchImageView class from the exported header:

```objectivec
#import <UIKit/UIView.h>

#import "CAAnimationDelegate-Protocol.h"
#import "XMSoundPatchImageViewProtocol-Protocol.h"

@class NSString, UIButton, UIImageView, XMADAudioItem, XMAdMarkView;

@interface XMSoundPatchImageView : UIView <CAAnimationDelegate, XMSoundPatchImageViewProtocol>
{
    _Bool _hideToTop;
    _Bool _onShow;
    unsigned long long _animationType;
    CDUnknownBlockType _soundPatchImageViewWillClose;
    UIButton *_adHidButton;
    UIImageView *_adImageView;
    UIView *_shadow;
    XMAdMarkView *_adMark;
}

@property(retain, nonatomic) XMAdMarkView *adMark; // @synthesize adMark=_adMark;
@property(nonatomic) _Bool onShow; // @synthesize onShow=_onShow;
@property(retain, nonatomic) UIView *shadow; // @synthesize shadow=_shadow;
@property(retain, nonatomic) UIImageView *adImageView; // @synthesize adImageView=_adImageView;
@property(retain, nonatomic) UIButton *adHidButton; // @synthesize adHidButton=_adHidButton;
@property(copy, nonatomic) CDUnknownBlockType soundPatchImageViewWillClose; // @synthesize soundPatchImageViewWillClose=_soundPatchImageViewWillClose;
@property(nonatomic) _Bool hideToTop; // @synthesize hideToTop=_hideToTop;
@property(nonatomic) unsigned long long animationType; // @synthesize animationType=_animationType;
- (void).cxx_destruct;
- (void)onHidButtonClicked:(id)arg1;
- (void)onAdImageViewTapped:(id)arg1;
@property(readonly, nonatomic) XMADAudioItem *audioItem;
- (void)initUI;
- (void)cleanWithAnimation:(_Bool)arg1;
- (void)clean;
- (id)initWithFrame:(struct CGRect)arg1;

// Remaining properties
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;

@end
```

The header doesn't reveal much by itself, but the simplest approach is to hook the view's initializer and always return nil, so the ad view is never created.

In Tweak.xm:

```logos
%hook XMSoundPatchImageView

// Never construct the ad view: the app receives nil instead of a view
- (id)initWithFrame:(struct CGRect)arg1
{
	return nil;
}

%end
```
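The hook above works, but it has two rough edges worth knowing about. It returns nil without calling `%orig`, so under MRC (the Theos default) the object that `+alloc` already created is never released and every ad slot leaks one view; and every caller that expected a view now receives nil. As an added example (written for this article, not the project's code), the Tweak.xm below shows two alternatives and uses `%group`/`%init` to choose between them when the dylib loads: one keeps the view but hides it, the other refuses construction and releases the object correctly. Class and selector names come from the class-dump header above; the preference key `tt_refuse_ad_view` is an assumption.

```logos
// Added example, not the article's own Tweak.xm.
// Class and selector names come from the class-dump header above.
#import <UIKit/UIKit.h>
#import <Foundation/Foundation.h>

// Logos only forward-declares hooked classes; declare the interface so that
// messages sent to self (e.g. release) type-check.
@interface XMSoundPatchImageView : UIView
@end

// Variant 1: let the view be built, then keep it invisible and untouchable.
// Safe under both MRC and ARC; callers that expect a view still get one.
%group HideAd
%hook XMSoundPatchImageView
- (id)initWithFrame:(CGRect)frame {
    UIView *view = %orig;   // run the original initializer
    if (view) {
        view.hidden = YES;
        view.userInteractionEnabled = NO;
    }
    return view;
}
%end
%end

// Variant 2: refuse to construct the view at all. Under MRC (the Theos
// default) self arrives at +1 from +alloc, so it must be released before
// returning nil, otherwise every ad slot leaks one view. When building with
// -fobjc-arc, remove the [self release] line: ARC releases the consumed self.
%group NoAd
%hook XMSoundPatchImageView
- (id)initWithFrame:(CGRect)frame {
    [self release];
    return nil;
}
%end
%end

// Choose the variant when the dylib is loaded. %init(Group) activates only
// that group's hooks; a group that is never initialized has no effect.
// Assumption: the key tt_refuse_ad_view is read from the app's own defaults.
%ctor {
    @autoreleasepool {
        BOOL refuse = [[NSUserDefaults standardUserDefaults] boolForKey:@"tt_refuse_ad_view"];
        if (refuse) {
            %init(NoAd);
        } else {
            %init(HideAd);
        }
    }
}
```

Hiding is the conservative choice: the app's own code keeps a real object to talk to, and nothing in the dumped header is bypassed. Refusing construction saves the allocation but relies on the app tolerating nil where it expected a view, which is exactly what the original hook relies on too.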

2.6 Compiling, Packaging, Installing, and Uninstalling

In the tweak project directory on the Mac:

2.6.1 Compilation

```bash
make
```

2.6.2 packaging

Package as a deb:

```bash
make package
```

By default make package builds a debug version; to build a release version (the variable name is upper-case DEBUG):

```bash
make package DEBUG=0
```

  • The version number is the one specified in the control file.
  • The debug package is larger than the release one because it contains debugging information.
  • make package already runs the make step.

2.6.3 installation

SpringBoard is restarted by default (the after-install rule in the Makefile):

```bash
make install
```

After installation SpringBoard respawns; open Ximalaya again and, surprise, no ads!

2.6.4 uninstall

  • Delete the tweak's dylib and plist directly from the Substrate directory:

```
/Library/MobileSubstrate/DynamicLibraries
```

  • Or uninstall the package from Cydia (equivalently, `dpkg -r com.luci.tingtweak` over SSH).

2.7 Errors

2.7.1 make package

```
$ make package
Can't locate IO/Compress/Lzma.pm in @INC (you may need to install the IO::Compress::Lzma module) (@INC contains: /Library/Perl/5.18/darwin-thread-multi-2level /Library/Perl/5.18 /Network/Library/Perl/5.18/darwin-thread-multi-2level /Network/Library/Perl/5.18 /Library/Perl/Updates/5.18.2 /System/Library/Perl/5.18/darwin-thread-multi-2level /System/Library/Perl/5.18 /System/Library/Perl/Extras/5.18/darwin-thread-multi-2level /System/Library/Perl/Extras/5.18 .) at /Users/mj/theos/bin/dm.pl line 12.
BEGIN failed--compilation aborted at /Users/mj/theos/bin/dm.pl line 12.
make: *** [internal-package] Error 2
```

The packager (dm.pl) wants to compress the deb with LZMA/XZ, but the Perl module IO::Compress::Lzma is not installed. Either install the module (`sudo cpan IO::Compress::Lzma`) or switch packaging to gzip compression:

  • Edit dm.pl and comment out the following two lines with `#`:

```bash
$ vim $THEOS/vendor/dm.pl/dm.pl
```

```perl
#use IO::Compress::Lzma;
#use IO::Compress::Xz;
```

  • Edit deb.mk and set the compression to gzip:

```bash
$ vim $THEOS/makefiles/package/deb.mk
```

```makefile
_THEOS_PLATFORM_DPKG_DEB_COMPRESSION ?= gzip
```

2.7.2 make errors

1) No SDK found

```
$ make
Error: You do not have an SDK in
/Library/Developer/CommandLineTools/Platforms/iPhoneOS.platform/Developer/SDKs
```

The active developer directory is the Command Line Tools, which ships no iOS SDK (this happens when several Xcodes are installed); point xcode-select at the Xcode to use:

```bash
$ sudo xcode-select -s /Applications/Xcode.app/Contents/Developer/
```

2) Nothing to be done

```
$ make
> Making all for tweak xxx...
make[2]: Nothing to be done for `internal-library-compile'.
```

I had compiled before and there is a cached build, so it needs cleaning:

```bash
$ make clean
$ make
```

III. One step further: adding features to WeChat

Unshell WeChat the same way as before:

```bash
5s:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /private/var/mobile/Containers/Bundle/Application/4E7CFE17-8B9E-4B55-84B1-14E70653EFC3/WeChat.app/WeChat
```

3.1 Multiple tweak files

Create a Cell folder to hold the corresponding hook code, then list that file in the Makefile:

```makefile
tweakwechat_FILES = Tweak.xm Cell/MMTableViewCell.xm
```

Note that:

  • Files are separated by spaces.
  • A shell-style wildcard does not work here, because make does not expand globs inside a variable assignment (only in rule targets and prerequisites). With the following configuration:

```makefile
tweakwechat_FILES = Tweak.xm Cell/*.xm
```

the build fails with:

```
clang: error: no such file or directory: '/Users/wenghengcong/Desktop/crackApp/wechat/tweakwechat/.theos/obj/debug/armv7/Cell/MMTableViewCell.xm.mm'
clang: error: no input files
make[3]: *** [/Users/wenghengcong/Desktop/crackApp/wechat/tweakwechat/.theos/obj/debug/armv7/Cell/*.xm.298cc4f9.o] Error 1
rm /Users/wenghengcong/Desktop/crackApp/wechat/tweakwechat/.theos/obj/debug/armv7/Tweak.xm.mm /Users/wenghengcong/Desktop/crackApp/wechat/tweakwechat/.theos/obj/debug/armv7/Cell/*.xm.mm
make[2]: *** [/Users/wenghengcong/Desktop/crackApp/wechat/tweakwechat/.theos/obj/debug/armv7/tweakwechat.dylib] Error 2
make[1]: *** [internal-library-all_] Error 2
make: *** [tweakwechat.all.tweak.variables] Error 2
```

The unexpanded `Cell/*.xm.298cc4f9.o` object name in the output is the giveaway.
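Putting sections 2.2.1 and 3.1 together, here is a complete Makefile written for this article as an added example (it is not the project's own Makefile). The device address, project name, the `Cell` directory and the executable name `WeChat` (from the dump command above) are taken from the page; that UIKit has to be linked explicitly for the UIImage calls in 3.2 is my assumption about Theos's default frameworks.

```makefile
# Added example for this article, not the tweakwechat project's own Makefile.
# Device address and port as configured in section 2.2.1.
export THEOS_DEVICE_IP = 127.0.0.1
export THEOS_DEVICE_PORT = 10010

include $(THEOS)/makefiles/common.mk

# Must match the Name field in control.
TWEAK_NAME = tweakwechat

# make does not expand shell globs inside a variable assignment, so "Cell/*.xm"
# would be passed to the compiler literally. $(wildcard ...) expands it when the
# Makefile is parsed; $(sort ...) keeps the link order stable between builds.
tweakwechat_FILES = Tweak.xm $(sort $(wildcard Cell/*.xm))

# Compile with ARC instead of the Theos default (MRC).
tweakwechat_CFLAGS = -fobjc-arc

# Assumption: UIKit is not linked by default; the cell code in 3.2 uses UIImage.
tweakwechat_FRAMEWORKS = UIKit

include $(THEOS_MAKE_PATH)/tweak.mk

# Substrate injects the dylib when a matching process starts, so only the
# hooked app needs to be restarted; respringing (the template default) is
# unnecessary unless the filter includes com.apple.springboard.
# "WeChat" is the executable name from the dump command in section III;
# "|| true" keeps make install from failing when WeChat is not running.
after-install::
	install.exec "killall -9 WeChat || true"
```

With this Makefile, dropping a new `.xm` into `Cell/` is enough for it to be picked up on the next `make`, and `make install` restarts only WeChat rather than the whole home screen.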

3.2 Resource Files

Resource files go in a layout folder created in the tweak project.

3.2.1 layout

The layout directory mirrors the device's root filesystem: any path created under layout/ is packed into the deb and installed at the same path on iOS. For example, `layout/Library/PreferenceLoader/Preferences/BFWeChat/exit.png` ends up on the device as `/Library/PreferenceLoader/Preferences/BFWeChat/exit.png`.

So, if you need to store resources, plan the storage path accordingly.

3.2.2 Reading resources

```objectivec
// Define a macro at the top of the file. `#path` stringizes the argument and the
// adjacent string literals are concatenated, so BFFile(exit.png) becomes
// @"/Library/PreferenceLoader/Preferences/BFWeChat/exit.png"
#define BFFile(path) @"/Library/PreferenceLoader/Preferences/BFWeChat/" #path

cell.imageView.image = [UIImage imageWithContentsOfFile:BFFile(exit.png)];
```

3.3 Macros

Macro definitions use the usual C syntax:

```objectivec
#define BFUserDefaults [NSUserDefaults standardUserDefaults]
#define BFAutoKey @"bf_auto_get_key"
```

3.4 Installation Script

Script the packaging and installation steps above (the shebang has to be the first line):

```bash
#!/bin/bash
# bftweak-make.sh
# no separate make: make package already includes the make step
make clean && make package && make install
```

After a successful installation the tweak is loaded into WeChat.

V. Theos

Directory structure: github.com/theos/theos…

The environment variable: iphonedevwiki.net/index.php/T…

5.1 How a Theos tweak works

  • Write the Tweak code.
  • make: compile the Tweak code into a dynamic library (*.dylib).
  • make package: package the dylib into a deb file.
  • make install: transfer the deb to the phone and install it via Cydia (dpkg).
  • The tweak is installed into the /Library/MobileSubstrate/DynamicLibraries folder:
    • *.dylib: the compiled Tweak code
    • *.plist: the bundle identifiers of the apps to hook
  • When the app is launched:
    • Cydia Substrate (installed automatically by Cydia) makes the app load the matching dylib.
    • The dylib patches the method implementations in the app's memory so that the code in the dylib runs.

5.2 Logos syntax

Iphonedevwiki.net/index.php/L…

  • %hook / %end: begin and end hooking a class
  • %log: prints the details of the method call (receiver, selector, arguments)
    • View the log in Xcode -> Window -> Devices and Simulators
  • HBLogDebug: similar to NSLog
  • %new: adds a new method to the class
  • %c(className): yields a Class object, e.g. %c(NSObject); similar to NSClassFromString() / objc_getClass()
  • %orig: the original implementation of the hooked method
  • %ctor: called when the dynamic library is loaded
  • %dtor: called when the dynamic library is unloaded, i.e. when the program exits
  • logify.pl: quickly converts a header file into an .xm file that logs every method call (see 5.3)

5.3 logify.pl

```bash
logify.pl xx.h > xx.xm
```

The .xm generated by logify.pl often does not compile as-is and needs some cleanup:

  • Delete `__weak`
  • Delete `inout`
  • Delete the protocol conformance (`<XXDelegate>`)
    • Or declare the protocol: `@protocol XXDelegate;`
  • Delete `- (void).cxx_destruct { %log; %orig; }`
  • Delete lines such as `HBLogDebug(@" = 0x%x", (unsigned int)r);`
  • Replace all unknown types with id
    • For example, replace instancetype with id
  • Replace unknown class pointer types with void *, e.g. `XXPerson *` with `void *`
    • Or declare the class: `@class XXPerson;`

VI. Other tips

  • SpringBoard (the home screen) lives at /System/Library/CoreServices/SpringBoard.app
  • Tweaks also work on apps that have not been decrypted, because a tweak is a dynamic library loaded into memory; it does not modify the executable inside the .app bundle.
  • A tweak keeps working as long as the code it hooks does not change. If the app is updated and that code changes, the tweak stops working.
  • Tweaks are not supported on non-jailbroken phones.
  • Swift projects are gradually being supported.
  • Tweaking a game is difficult, mainly because most games are written in C/C++/C# and code obfuscation is common.