Xiao Gu's bald collection
- Today we'll talk a little about jailbreak plugin (tweak) development. We usually use WeChat as the example; today we'll use Kuaishou instead (hook Kuaishou's login and grab the password, the same as before, but this time as a jailbreak plugin).
1. The train of thought
- Before we do something, we need to get the train of thought straight (we may not follow it exactly, but in reverse engineering we think before we act).
Step 1: Find the process name or binary file name
Step 2: Analyze the login interface and class-dump the headers
Step 3: Find the class name and method name, and associate them with the password box
Step 4: Write the plug-in with Theos and hook the method
Step 5: Install the plug-in and test it
2. Locate the login method
- Start playing ~
- Let's see what the process name is
- Unpack the IPA (dump the decrypted binary)
- Look at the binary file name. In general this name and the binary are the same; you can unpack the package to see ~
- So let's dump the headers:
class-dump -H com_kwai_gif -o kuaishouHeader
Oh, they did a security check
- Is there nothing to be done? At this point we can use several methods; I will mention one here: attach to the process with LLDB. Of course, that way we can hook into it.
3. Plugins
Let's first write a plugin and then figure out whether this is the right approach
- Obtain Kuaishou's APPID
- Create the plug-in with Theos
- Get the method's address with LLDB commands
- Start coding. In the Makefile you still need to configure:
Then go into the plug-in directory and run make; make package; make install. It will be installed on the phone and the desktop (SpringBoard) restarts.
- When we click login, we see it on the console. We also saw a weird message, user Default. I took a look (and didn't see much).
4. Locate the password
At this point we have found the method it calls (of course, this class may be called by other methods; to be more careful, brothers can write a check in the hook for the login interface. I'm not going to write that check here.)
- Let's see how we found it: the password, the login, and the click handler ~ that seems a long way off. Heh heh, of course there is a way.
- The first thing we know is that you can get the password 😜 by clicking the login button
- I then analyzed the interface structure using Cycript
- Finally, through LLDB commands, get the methods, properties, and member variables. The specific operations Xiao Gu won't write out, for fear of creating a bad impression; this blog is mainly about plug-in development
- Look at an example
- After installing the plug-in, the console outputs
5. To summarize
- First of all, this blog is purely for learning technology, without any other intent
- Brothers, please do not repost this blog. Xiao Gu feels bad (after all, someone did the security work)
- If there is any bad influence, Xiao Gu can delete the blog immediately. (Guys, don't play with one hand.)
- This blog post is a little thin, maybe not very detailed; Xiao Gu is nervous ~ 😆
- Finally, I hope to work together with my brothers and make progress together (after all, I was born in an era of involution).