WeChat recently came down hard on a red-envelope cheating plug-in and the penalty was 50 million dollars, which scared everyone; never mind 50 million, I could not bear a fine of 5,000. So I decided not to use WeChat as the example and switched to Youku 😈.

This article adds a cell (UI only) to the Settings page of Youku that enables/disables ad blocking. The result is shown in the picture below.

Several previous articles introduced app re-signing, code injection and the Hook principle. As you can see, once the project is built and the scripts are written, analyzing a third-party app costs very little. Is there a tool that bundles re-signing, code injection, hooking, class-dump, Cydia Substrate and even symbol-table restoration into one project, so that even someone who is not a reverse engineer can enjoy the fun of reversing? The answer is yes: Monkey is exactly such an all-in-one non-jailbreak plug-in toolkit!

As usual, the goodies first: click to download the demo. The tools used in this article are:

  • MonkeyDev
  • Youku ipa package, extraction code: XTUA
  • SimpleAppDemo.ipa, extraction code: AFNC

I. Monkey

What is Monkey? An upgrade of the original iOSOpenDev: an all-in-one toolkit for non-jailbreak plug-in development!

You can use Xcode to develop CaptainHook Tweaks, Logos Tweaks and command-line tools as plug-ins for jailbroken devices; this is a migration and improvement of the original iOSOpenDev features.

  • Simply drag in a decrypted (shell-smashed) app and Monkey automatically integrates class-dump, restore-symbol, Reveal and Cycript, injects the dynamic library, re-signs the app and installs it on a non-jailbroken device.
  • Supports debugging of both your own dynamic library and the third-party app.
  • Supports integrating SDKs into third-party apps and non-jailbreak plug-ins through CocoaPods; in short, you can build a non-jailbreak plug-in store with CocoaPods.
Environment requirements

Before using the tool, make sure that:

  • The latest Theos is installed:

sudo git clone --recursive https://github.com/theos/theos.git /opt/theos

  • ldid is installed (skip this if ldid was already installed together with Theos):

brew install ldid
Installation

If you have more than one Xcode, first select the one to install against:

sudo xcode-select -s /Applications/Xcode-beta.app

The currently selected Xcode is shown by:

xcode-select -p

Execute the installation command:

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-install)"

These commands download a script and run it as root, so fetch and read it first if you want to know exactly what it changes on your machine.

Uninstall

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-uninstall)"

Update

Unless otherwise noted, run the following command to update:

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-update)"

After installing or updating, restart Xcode before creating a new project. If the following options are displayed, the installation succeeded; if not, repeat the steps above.

Detailed usage is on the official website; some practical usage is introduced below.

II. Logos

Logos is a set of components developed by Theos that makes hooking Objective-C code very convenient.

Next we take a quick look at Logos, and finally use Monkey and Logos to add a bit of UI to Youku.

1. Create a simple project

Create a project SimpleAppDemo with just one button; tapping the button shows an alert (download link above). The SimpleAppDemo button action is:

- (IBAction)tapAction:(id)sender {
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Come" message:@"Bro 😁 😁 😁" delegate:nil cancelButtonTitle:@"I know." otherButtonTitles:nil, nil];
    [alert show];
}

2. Smashing the shell (decrypting the app)

Decrypted ipa: SimpleAppDemo.ipa, extraction code: AFNC

3. Create a new Monkey project

Create a new Monkey project and drop the decrypted SimpleAppDemo.ipa into the project's TargetApp directory:

Select a certificate (any one that works on your phone) and Run. It runs successfully ~

4. Play with Logos

In the Monkey project built in the previous step, there is a Logos directory:

By default it contains two files, LogosDemoDylib.xm and LogosDemoDylib.mm. Logos statements are written in LogosDemoDylib.xm, and LogosDemoDylib.mm is generated automatically from it. Next we introduce some common uses of Logos through several requirements.

  • Change the content of the alert shown when the button is tapped (hook). Because we modify the alert, first import the UIKit framework:

#import <UIKit/UIKit.h>

Since we have the source code at hand, we can skip dynamic analysis and already know that the button's page is called ViewController and that the button's action is:

- (IBAction)tapAction:(id)sender

Using the %hook directive:

#import <UIKit/UIKit.h>

// %hook + class name
%hook ViewController

// IBAction == void
- (void)tapAction:(id)sender {
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"What are you doing?" message:@"😡 😡 😡" delegate:nil cancelButtonTitle:@"I know." otherButtonTitles:nil, nil];
    [alert show];
}

%end

Run the project and find that the button has been successfully hooked.

  • Calling the original method (%orig)

#import <UIKit/UIKit.h>

%hook ViewController

- (void)tapAction:(id)sender {
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"What are you doing?" message:@"😡 😡 😡" delegate:nil cancelButtonTitle:@"I know." otherButtonTitles:nil, nil];
    [alert show];
    // Call the original method
    %orig;
}

%end
  • The Monkey project does not compile the app's source code, so neither a new method nor the original methods you call are known to the compiler; declare each of them in an @interface:

#import <UIKit/UIKit.h>

// Declaration only, so the compiler knows the method
@interface ViewController
- (void)newFunC;
@end

%hook ViewController

// %new adds a method the class did not have before
%new
- (void)newFunC {
    NSLog(@"newFunC");
}

// IBAction == void
- (void)tapAction:(id)sender {
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"What are you doing?" message:@"😡 😡 😡" delegate:nil cancelButtonTitle:@"I know." otherButtonTitles:nil, nil];
    [alert show];
    [self newFunC];
    // %orig calls the original implementation
    %orig;
}

%end

All the demos in this article can be downloaded here: Demo

Besides the %hook, %end, %orig and %new directives above, Logos also has:
  • %subclass: add a new class
  • %log: print, similar to NSLog
  • %group: group code so that different groups can be loaded in different environments, e.g. group1 on iOS 8 and group2 on iOS 9; code that is not in any group belongs to a hidden group called "_ungrouped" by default.

All Logos syntax is available in the official documentation.
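As an added illustration of the %group, %log and %subclass directives listed above (my own example, not code from the article or the demo project; the iOS 9 version split and the FYTaggedAlert class name are assumptions), here is a LogosDemoDylib.xm for the SimpleAppDemo ViewController that activates a different hook group depending on the iOS version:

```objectivec
#import <UIKit/UIKit.h>

// Declaration only: the Monkey project does not compile the app's own sources.
@interface ViewController : UIViewController
- (void)tapAction:(id)sender;
@end

// Hooks inside a %group are inert until %init(GroupName) activates them.
%group LegacyAlert
%hook ViewController
- (void)tapAction:(id)sender {
    %log;   // prints class, selector and arguments, like an automatic NSLog
    %orig;  // keep the original UIAlertView behaviour on old systems
}
%end
%end

%group ModernAlert
%hook ViewController
- (void)tapAction:(id)sender {
    %log;
    UIAlertController *ac = [UIAlertController alertControllerWithTitle:@"Hooked"
                                                                message:@"ModernAlert group is active"
                                                         preferredStyle:UIAlertControllerStyleAlert];
    [ac addAction:[UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:nil]];
    [self presentViewController:ac animated:YES completion:nil];
}
%end
%end

// %subclass registers a new class at runtime; its methods must be marked %new.
// It is outside any %group, so it lives in "_ungrouped" and needs a bare %init.
// Instantiate it with [%c(FYTaggedAlert) alloc], since the compiler never saw it.
%subclass FYTaggedAlert : UIAlertView
%new
- (void)fy_tag {
    NSLog(@"FYTaggedAlert instance: %@", self);
}
%end

// %ctor runs when the dylib is loaded, before the app's main(); choose the group here.
%ctor {
    %init;  // activate _ungrouped (the %subclass above)
    if ([[[UIDevice currentDevice] systemVersion] floatValue] < 9.0) {
        %init(LegacyAlert);   // assumed cut-off: UIAlertController needs iOS 8+
    } else {
        %init(ModernAlert);
    }
}
```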

5. Add UI to Youku

First download my Youku ipa package (arm64 architecture, already decrypted): Youku (shell-smashed).ipa, extraction code: XTUA

Step 1. New project YouKu

Similarly, create a new Monkey project named YouKu and put the downloaded ipa into the project's TargetApp directory. Run; the re-signing succeeds as well.

In the demo above we hooked our own project, and since we had the source code we skipped the hardest step: dynamic analysis. Now we want to hook Youku, but we have no Youku source, so this time we need to analyze it dynamically. Below I combine Xcode and class-dump to briefly analyze the Settings page of Youku.

Step 2. class-dump

class-dump is a command-line utility for examining the Objective-C segment of Mach-O files. It generates declarations for the classes, categories and protocols. This is the same information provided by 'otool -ov', but presented as normal Objective-C declarations. In short, it can export all the header information of a Mach-O file (including extensions).

Monkey integrates class-dump as well as re-signing, so all you need to do is turn it on:

Run! After success, a folder Youkui4Phone_Headers appears under the project directory, containing all the header files of Youku.

Step 3. Analyze the Settings page of Youku

After the project runs successfully, tap through to the Settings page (no login required), as shown below:

What we need to do is add a cell on the last row of this page's TableView, containing a switch that enables/disables ad blocking (UI only; this article does not implement the ad blocking itself. If you need it, be patient and keep following me 😀😀😀).

With the great Xcode we can see clearly that the DataSource and Delegate of the Settings page's table view are set in SettingViewController,

so SettingViewController is the class to hook: the DataSource and Delegate methods of the TableView.

One more point: as mentioned at the beginning of this article, Monkey already integrates Cydia Substrate, so we can use Cydia Substrate's functions directly.

In this case we need the TableView variable of this page, and that is where Cydia Substrate comes in. Open the dumped headers, look at SettingViewController, and find that there is only one TableView ivar: _tabview. No doubt about it, that's the one! The way to get it is:

MSHookIvar<UITableView *>(self, "_tabview")

Pass the ivar name exactly as it appears in the dumped header (names are case-sensitive); if MSHookIvar cannot find the ivar it returns a reference through a null pointer and the app crashes on first use.

A simple use, calling reloadData:

[MSHookIvar<UITableView *>(self, "_tabview") reloadData];

The rest of the UI code needs no explanation. The entire code follows (also in the demo), including simple persistence of the switch state:

#import <UIKit/UIKit.h>
#define FYDefaults [NSUserDefaults standardUserDefaults]
#define FYSwitchUserDefaultsKey @"FYSwitchUserDefaultsKey"

// Declaration only, so that the hooked data source method can be called on self
@interface SettingViewController
- (long long)numberOfSectionsInTableView:(id)arg1;
@end

%hook SettingViewController

// New method: persist the switch state and redraw the table
%new
- (void)switchChangeAction:(UISwitch *)switchView {
    [FYDefaults setBool:switchView.isOn forKey:FYSwitchUserDefaultsKey];
    [FYDefaults synchronize];
    [MSHookIvar<UITableView *>(self, "_tabview") reloadData];
}

// Number of sections: add one extra section at the end
- (long long)numberOfSectionsInTableView:(id)arg1 {
    UITableView *tableView = MSHookIvar<UITableView *>(self, "_tabview"); // unused, kept from the original
    NSLog(@"fy_numberOfSectionsInTableView:");
    return %orig + 1;
}

// Number of rows per section: the extra (last) section has a single row
- (long long)tableView:(UITableView *)tableView numberOfRowsInSection:(long long)section {
    NSLog(@"fy_numberOfRowsInSection:");
    // Settings screen, and this is the last section
    if (section == [self numberOfSectionsInTableView:tableView] - 1) {
        return 1;
    } else {
        return %orig;
    }
}

// Row height: fixed 44pt for our cell, original height for everything else
- (double)tableView:(UITableView *)tableView heightForRowAtIndexPath:(id)indexPath {
    NSLog(@"fy_heightForRowAtIndexPath:");
    // Settings screen, and this is the last section
    if ([indexPath section] == [self numberOfSectionsInTableView:tableView] - 1) {
        return 44;
    } else {
        return %orig;
    }
}

// Cell for each row: build the switch cell for the last section
- (id)tableView:(UITableView *)tableView cellForRowAtIndexPath:(id)indexPath {
    NSLog(@"fy_cellForRowAtIndexPath:");
    // Settings screen, and this is the last section
    if ([indexPath section] == [self numberOfSectionsInTableView:tableView] - 1) {
        UITableViewCell *cell = nil;
        if ([indexPath row] == 0) {
            static NSString *swCell = @"SwCellIdentifier";
            cell = [tableView dequeueReusableCellWithIdentifier:swCell];
            if (!cell) {
                cell = [[UITableViewCell alloc] initWithStyle:UITableViewCellStyleDefault reuseIdentifier:nil];
            }
            cell.textLabel.text = @"Ad-free";
            UISwitch *switchView = [[UISwitch alloc] init];
            switchView.on = [FYDefaults boolForKey:FYSwitchUserDefaultsKey];
            [switchView addTarget:self action:@selector(switchChangeAction:) forControlEvents:UIControlEventValueChanged];
            cell.accessoryView = switchView;
            cell.imageView.image = [UIImage imageNamed:([FYDefaults boolForKey:FYSwitchUserDefaultsKey] == 1) ? @"unlocked" : @"locked"];
        }
        cell.backgroundColor = [UIColor whiteColor];
        return cell;
    } else {
        return %orig;
    }
}

%end

Final effect

6. Why is Monkey so awesome

Looking at the re-signed app bundle, you can see that there are many things in the Frameworks directory:
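From the app owner's side, the same injected components are visible at runtime. As an added defender-side check (my own code, not from the article or from MonkeyDev), this walks the Mach-O images dyld has loaded into the process and reports the ones matching the components this article says Monkey links in; the marker list is constructed here, and the assumption that the tweak dylib's name ends in "Dylib" follows the LogosDemoDylib naming above:

```objectivec
#import <Foundation/Foundation.h>
#include <mach-o/dyld.h>

// Constructed watch list: Cydia Substrate, Reveal, Cycript and the injected tweak
// dylib (assumed to be named <Project>Dylib.framework, as in LogosDemoDylib).
static NSArray<NSString *> *FYInjectionMarkers(void) {
    return @[@"libsubstrate", @"CydiaSubstrate", @"RevealServer", @"libcycript", @"Dylib.framework"];
}

// Return the paths of every loaded image whose path contains a marker.
// An empty array means no known injected component is currently loaded.
NSArray<NSString *> *FYFindInjectedImages(void) {
    NSMutableArray<NSString *> *hits = [NSMutableArray array];
    uint32_t count = _dyld_image_count();
    for (uint32_t i = 0; i < count; i++) {
        const char *cpath = _dyld_get_image_name(i);
        if (cpath == NULL) continue;
        NSString *path = [NSString stringWithUTF8String:cpath];
        for (NSString *marker in FYInjectionMarkers()) {
            if ([path rangeOfString:marker options:NSCaseInsensitiveSearch].location != NSNotFound) {
                [hits addObject:path];
                break;
            }
        }
    }
    return hits;
}

// Call early (e.g. from main) and log or report the result rather than exiting:
// a hard exit here can itself be hooked out by the same injection machinery.
void FYReportInjectedImages(void) {
    NSArray<NSString *> *hits = FYFindInjectedImages();
    if (hits.count == 0) {
        NSLog(@"No known injected frameworks loaded");
        return;
    }
    NSLog(@"Injected frameworks detected: %@", hits);
}
```

Because the check runs inside the same process as the injected dylib, treat a clean result as a signal rather than a guarantee.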

III. Summary

This article focused on using Monkey and the basic syntax of Logos. In the next article I will focus on installing Cycript and its basic and advanced usage. I put it in the next post because Cycript combined with Monkey gets twice the result with half the effort.