What is jailbreak?
Jailbreaking refers to the process of obtaining the root permission of the iOS system by analyzing the iOS code to find out the vulnerabilities and bypass the security permission check of the system.
Without jailbreaking, all operations are limited to sandbox, the directory level of the system is not clear, all learning is superficial, can not know the truth behind. After jailbreaking, we can access the entire file system of the device, change some Settings, write some tools to inject specific apps, and so on. Device jailbreak can help us to have a deeper understanding of the structure of iOS system, analyze the behavior of the system, and lay a solid foundation for future learning and use!
The preparatory work
To get started, we need to do some preparatory work:
- A perfectly jailbroken cell phone (installed
) - Install on cydia on phone
To view the current process (ps -A
) - Installed on MAC
, used to view the file directory on the phone
The directory structure
Applications hosts apps from all systems and from Cydia, excluding apps downloaded from the App Store
Library System resources, user Settings. System logs and ringtones. The important directory is Library/MobileSubstrate, where all the plug-ins based on Cydia Substrate are stored, and the plug-ins developed by ourselves are also stored in this directory
The User directory actually points to var/mobile
Store photo albums, etc/Users/Library
Store text messages, emails, etc
Bin Stores user-level binary files, such as MV and LS
Etc stores system scripts, hosts configuration files, and SSH configuration files. It actually points to private/etc
Sbin Stores system-level binary files, such as reboot and mount
Usr user tools and programs, /usr/include store standard C header files. /usr/lib is where the library files are stored
Var files that change frequently, including Keychains, temporary files, and apps downloaded from the App Store
… .
Reverse thinking
Interface analysis
- Cycript memory analysis debugging
- Reveal UI hierarchy analysis
- .
The code analysis
- Class-dump exports header files
- Hopper disassembly analysis
- .
Dynamic debugging
- LLDB breakpoint debugging analysis
- .
Write the code
- Tweak to write
- CaptainHook
- .
Re-sign app, pack and install
IOS and MacOS are both based on Darwin (apple’s Open Unix kernel), so iOS also supports terminal operations. SSH is a network protocol used for encrypted login between computers.
OpenSSH is a free open source implementation of THE SSH protocol. We use openSSH to log in to iPhone
Search To install OpenSSH on iPhone Cydia, and after successful installation, you can view the instructions through OpenSSH Access how-to
Make sure that the MAC and iPhone are on the same wifi. Log in to the iPhone from the MAC with the account name root@ip and the password is alpine by default
SSH root@ the code
➜ ~ ssh root@ iPhone:~ root# Copy the code
After the login succeeds, change the login password
iPhone:~ root# passwd Copy the code
In the case of unstable wifi, you may encounter a delay when entering commands through SSH (SSH uses TCP and MAC is connected to wifi through network connection). So to speed up the transmission, you can also use USB
Connect the way to connect to iPhone.
There is a service on the MAC, USBMUxD, that transfers MAC data to the iPhone via USB
Download the toolkit…
python python-client/ -t 22:10010 Copy the code
Map port 22 on the iPhone to port 10010 on the MAC
Open a new terminal window, access the local port 10010, also connected to the iPhone
➜ ~ ssh root@localhost -p 10010 iPhone:~ root# Copy the code
Cycript is a tool that allows developers to view and modify runtime App memory information using a combination of Objective-C++ and JavaScript syntax. The official website provides some classic usage methods
Search for Cycript in iPhone Cydia and install it
The basic use
iPhone:~ root# cycript cy# var a = 3 3 cy# var b = 4 4 cy# a + b 7 cy# iPhone:~ root# cycript -p SpringBoard cy# UIApp #"<SpringBoard: 0x15481c200>" cy# NSHomeDirectory() @"/var/mobile" ... Copy the code
Analyze applications through Cycript
iPhone:~ root# cycript -p WeChat cy# [NSBundle mainBundle].bundleIdentifier @"" cy# [NSBundle mainBundle].bundlePath @"/var/mobile/Containers/Bundle/Application/C2F6EDC4-2B37-4A1E-B974-D9DE607CF2A8/" cy# NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0] @"/var/mobile/Containers/Data/Application/36F8BF2B-D67D-4072-8B0F-FCCD21FBA31F/Documents" cy# UIApp.keyWindow.rootViewController #"<MMUINavigationController: 0x1400a9800>" cy# Copy the code
Cycript advanced applications, custom scripts
Cycript itself supports loading your own scripts, which can be found at…
iPhone:~ root# cycript -p WeChat cy# @import mjcript {} cy# MJAppId @"" cy# MJAppPath @"/var/mobile/Containers/Bundle/Application/C2F6EDC4-2B37-4A1E-B974-D9DE607CF2A8/" cy# MJDocPath @"/var/mobile/Containers/Data/Application/36F8BF2B-D67D-4072-8B0F-FCCD21FBA31F/Documents" cy# MJFrontVc() #"<WCAccountMainLoginViewController: 0x13faaf600>" Copy the code
After an App is uploaded to the App Store, Apple encrypts it and dynamically decrypts it when the App is running. In this case, some tools cannot be used to analyze and crack the App. Therefore, we need to decrypt the encrypted APP first, that is, unshell the app. There are two main types of decrypted tools in iOS called Clutch Dumpted
How to check whether shelled
View Load Commands in MachOView -> LC_ENCRYPTION_INFO -> Crypt ID, 0 for unencrypted and 1 for encrypted
Run the otool command to query information
➜ Desktop otool -l iQiYiPhoneVideo. Decrypted | grep crypt iQiYiPhoneVideo. The decrypted: Crypff 16384 cryptsize 97370112 cryptid 0 ➜ DesktopCopy the code
Clutch… Download the latest release, remove the version number, copy the Clutch file to the /usr/bin directory of the iPhone, give the execution permission and use it
Clutch -i
Lists the apps and bundle ids installed on the device
IPhone :~ root# Clutch - I Installed apps: 1: iQiyi - Breaking the ice full network broadcast <com.qiyi. IPhone > 2: Himalayan FM "Listen to the book community" talktalk storytelling <com.gemd.iting>Copy the code
Clutch -d 1
Clutch -d com.qiyi.iphone
Enter the serial number or bundleId to unshell the file. After the unshell operation succeeds, a new IPA file will be generated
iPhone:~ root# Clutch -d 1 Zipping ... . DONE: / private/var/mobile/Documents/Dumped/com. Qiyi. The iphone - iOS9.0 - (Clutch - 2.0.4). Ipa Finished dumping com. Qiyi. The iphone in 65.5 seconds iPhone:~ root#Copy the code
-…, download the source code, then switch to the directory and execute
Compile, and when it’s done, it generates onedumpdecrypted.dylib
Dynamic library file
Copy dylib to the /var/root directory on the iPhone, connect to the iPhone, go to the directory where dylib resides, and use the environment variable DYLD_INSERT_LIBRARIES to inject dylib into the executable file that needs to be shinning
DYLD_INSERT_LIBRARIES=dumpdecrypted. Dylib Executable file path
Xx.decrypted is a decrypted IPA file
Class-dump is a tool for retrieving class, method, and attribute information from executable files. Download it at… Directory for global access. Class-dump parses the Mach-o file to get the class information.
Class-dump -h -o generates a directory for storing header filesCopy the code
➜ Desktop class - dump - H iQiYiPhoneVideo. Decrypted - o iqiyiHeaders 18:21:53 2019-07-07. 488 class - dump (10899-565880) Warning: Parsing instance variable type failed, marker 2019-07-07 18:21:56.056 class-dump[10899:565880] Warning: Parsing instance variable type failed, marker 2019-07-07 18:21:56.056 Parsing instance variable type failed, _pendingCount 2019-07-07 18:21:59.021 Class-dump [10899:565880] Warning: Parsing instance variable type failed. Parsing instance variable type failed, _cameraTextureUploaded 2019-07-07 18:21:59.024 class-dump[10899:565880] Warning: Parsing instance variable type failed, _cameraTextureUploaded 2019-07-07 18:21:59.024 Parsing instance variable type failed, _needUpdateEffect 2019-07-08 [10899:565880] Warning: Parsing instance variable type failed. Parsing method types failed, SetNofityTarget: 2019-07-07 18:21:59.254 Class-dump [10899:565880] Warning: Parsing method types failed, SetNofityTarget: 2019-07-07 18:21:59.254 Parsing method types failed, wrapper 2019-07-07 18:21:51.99 Warning: Parsing method types failed, wrapper 2019-07-07 18:21:51.99 Parsing instance variable type failed, wrapper 2019-07-07 18:22:21.651 Parsing method types failed, SetNofityTarget:Copy the code
Reveal is an iOS tool for viewing the structure of an application’s interface and debugging it. It is similar to xcode UI debugging. The website is Reveal can be found in…
MAC installation pass Reveal
Search for the Reveal Loader installation in iPhone Cydia. After the installation is successful, the Reveal option will be directly displayed in system Settings. Click to enter the app to be debugs
Find MAC pass Reveal the RevealServer file, cover the iPhone/Library/RHRevealLoader/RevealServer file, restart the iPhone
After the installation is complete, you can open the process on your iPhone and select Debug in Reveal
Hopper is a disassembly tool available for Mac and Linux. Hopper can display disassembly code, flowcharts, and pseudocode for files being analyzed. It can also directly modify assembly instructions to create new executable files
Dynamic debugging
Dynamic debugging and static analysis complement each other. Static analysis can only analyze the internal execution of static functions, while dynamic debugging can obtain the information of parameter transfer, execution process and register memory at run time.
LLDB is the debugging tools, xcode when using xcode debugging app, xcode automatically install debugserver to iPhone/Developer/usr/bin/debugserver directory, iPhone launch services, Wait for Xcode to connect to remote debugging.
The permission of the debugserver is incorrect
The DebugServer can only debug self-developed apps, but does not have permission to debug third-party apps
If you want the DebugServer to debug other apps, grant certain permissions to the DebugServer and re-sign the debugServer
- get-task-allow
- task_for_pid-allow
Re-sign debugserver
Copy the DEBUgServer to the MAC and export the original signing permission of the DEBUgServer
➜ Desktop LDD-e DebugServer > DebugServer. EntitlementsCopy the code
Entitlements add GET-task-allow, task_for_pID-allow permissions to the debugServer. entitlements add get-task-allow, task_for_pID-allow permissions to the debugServer
Run the lDID command to re-sign
➜ Desktop ldid - Sdebugserver. Entitlements debugserverCopy the code
Put the re-signed debugServer in the iPhone /usr/bin directory
Debugserver use
IPhone, the DebugServer is attached to a running process on iPhone
Debugserver *: port number -a process
Port number: Start debugServer service with a port on iPhone (except reserved port)
Process: App process information, process ID or process name, recommended process name
iPhone:~ root# debugserver *:10011 -a iQiYiPhoneVideo Copy the code
The LLDB service is enabled on the MAC and the DEBUgServer service is connected
➜ Desktop LLDB (LLDB) process the connect connect: / / localhost: 10011Copy the code
After successful connection, the attached APP will be in a breakpoint state, and you can press C to continue running the program
The LLDB command is commonly used
(LLDB) expression a (int) $0 = 10 (LLDB) p a (int) $1 = 10 (LLDB) Po a 10 Thread #1, queue = '', stop reason = breakpoint 2.1 * frame #0: 0x0000000100000edf Test`test at main.m:15:17 frame #1: 0x0000000100000f35 Test`main(argc=1, argv=0x00007ffeefbff570) at main.m:23:9 frame #2: Breakpoint set -f Person. M -n test (LLDB) breakpoint set -f Person. M -n test (LLDB) Breakpoint set -n "-[Person test]" // Person. M 12 line Breakpoint list // delete a breakpoint (LLDB) breakpoint delete 3 // frame // Frame is the current program stack, we enter bt command, print out the current thread frame. // In debugging, we usually care about the variable values of the current stack. We can use frame variable to get all variable values. // It is also possible to enter a specific variable name to get a separate variable value, such as frame v a to get the value of a. (lldb) frame variable (int) argc = 1 (const char **) argv = 0x00007ffeefbff570 (lldb) frame variable (int) a = 10 (int) b = 20 (int) c = 30 (lldb) frame variable a (int) a = 10 (lldb) frame info frame #0: 0x0000000100000EDF Test 'Test at main.m:15:17 // Check confidence or file location based on address or name (LLDB) image lookup -n Test (LLDB) image lookup -a 0x000000010A1C3e36 LLDB image lookup -t PersonCopy the code
Restores the restore-symbol of the symbol table
Restore – symbol addresses. For example, breakpoint set -n “-[Person test]”, but you will find that the breakpoint is not hit because the compiler removes the symbol when the app is packaged and published to AppStroe. So the [Person test] is not found at this point.
Once you restore the symbol table, you can break points for the Person test, just as we did when we developed with Xcode.
- Download source code and compile.
git clone --recursive
cd restore-symbol && make
Copy the code
- Restore symbol using this command. It will output a new mach-o file with symbol.
./restore-symbol /pathto/origin_mach_o_file -o /pathto/mach_o_with_symbol
Copy the code
Override the new mach-O, restart it, and test it.
In the reverse process, we basically confirm that we need to modify a certain function after the analysis, and the only thing left is to write code to hook. Fortunately, a tool called Theos for injecting interceptor functions has been written for us
The official wiki
The installation
Install the following prerequisites:
- Homebrew
- Xcode1 is mandatory. The Command Line Tools package isn’t sufficient for Theos to work. Xcode includes toolchains for all Apple platforms.
Newer Xcode 4.4 Supported, but only when building for ARMv6 (1st/2nd Generation iPhone/iPod Touch)
brew install ldid xz Copy the code
Set up the
environment variable:echo "export THEOS=~/theos" >> ~/.bash_profile echo "export PATH=$THEOS/bin:$PATH" >> ~/.bash_profile source ~/.bash_profile Copy the code
For this change to take effect, you must restart your shell. Open a new tab and do
echo $THEOS
on your shell to check if this is working. -
Clone Theos to your device:
git clone --recursive $THEOS Copy the code
Create a project
Theos provides many modules to create different types of projects. Here we select Tweak.
Open terminal and select any directory. Enter ‘’, select 10 Tweak project and press Enter to generate some configuration to fill in. When this is done, a project will be generated in the current directory where we will code our tweak project.
Description of configuration options:
Project Name (Required) : Indicates the Project Name
Package Name [com yourcompany. Testtweak] : create a unique ID, return can, have default values
Author/Maintainer Name: Creator Name, default MAC user Name
MobileSubstrate Bundle filter: indicates the Bundle ID of the target application that needs to be injected
List of applications to terminate upon installation: After the installation is successful, kill the specified process and press Enter
Project Structure:
Makefile: Makefile file
INSTALL_TARGET_PROCESSES = SpringBoard include $(THEOS)/makefiles/ TWEAK_NAME = testTweak testTweak_FILES = Tweak.x testTweak_CFLAGS = -fobjc-arc include $(THEOS_MAKE_PATH)/ Copy the code
You need to add the environment variable to connect to phone at the top of the file
exportTHEOS_DEVICE_IP = THEOS_DEVICE_PORT=10010 Copy the code
You can also set global environment variables so that you don’t need to write each file individually
Echo "export THEOS_DEVICE_IP=" >> ~/. Bash_profile echo "export THEOS_DEVICE_PORT=10010" >> ~/. Bash_profile source ~/.bash_profileCopy the code
Tweak. X: file to write code to
Control: Specifies information about the deb package, including name, description, etc
Package: com. Yourcompany. Testtweak Name: testtweak Depends: mobilesubstrate Version: 0.0.1 Architecture: iphoneos-arm Description: An awesome MobileSubstrate tweak! Maintainer: gyh Author: gyh Section: TweaksCopy the code
TestTweak. Plist: specifies the Bundle ID of the target file to be injected
{ Filter = { Bundles = ( "com.qiyi.iphone" ); }; } Copy the code
Introduction to Basic Syntax
% hook class name % end
Hook class and write the methods that need to hook, such as the viewDidLoad method of the Hook ViewController
%hook ViewController - (void)viewDidLoad { } %end Copy the code
So we’ve hooked viewDidLoad, and when our app calls viewDidLoad, it’s going to come to our place first. So there’s something you can do at this point. Note that %hook and %end are paired, and %end represents the end of a hook class
Print the method call details, which print out all the arguments passed in. You can view the logs generated by the phone through the MAC console application
%hook ViewController - (void)viewDidLoad { %log; } - (void)messageName:(int)arg1 arg2:(int)arg2 { %log; } %end Copy the code
Call the original method, so that the program go back to the original method, does not affect the normal flow
%hook ViewController - (void)viewDidLoad { %log; %orig; } - (void)messageName:(int)arg1 arg2:(int)arg2 { %log; %orig; } %end Copy the code
If you need to add a new method to the current class, use %new to do so
%new - (void)newMethod { } Copy the code
The object method used to generate a class, % C (ClassName), essentially calls oc’s objc_getClass() method
SettingController *svc = [[%c(SettingController) alloc] init]; SVC = [[SettingController alloc] init];Copy the code
%ctor %dtor
- % cTOR program to start loading dynamic library called, do some initialization action
- %dtor is called when the program exits, handling some tails
- %ctor %dtor corresponds to constructors and destructors
%ctor {printf(" start \n"); } %dtor {printf(" end \n"); }Copy the code
Logify. pl allows you to quickly log all methods in a header file and see each method call from the console during debugging
➜ DouYuHeaders logify. Pl DYPendantContainarView. H > DYPendantContainarView. Mm ➜ DouYuHeaders ls -l | grep DYPendantContainarView -rw-r--r-- 1 gyh staff 3375 7 11 00:18 DYPendantContainarView.h -rw-r--r-- 1 gyh staff 4618 7 14 11:45 DYPendantContainarView. Mm ➜ DouYuHeadersCopy the code
As you can see, file is generated in the current directory, and %log is added to each method by default, greatly improving the efficiency of analysis
%hook DYPendantContainarView + (void)initialize { %log; %orig; } - (void)setKvoController:(FBKVOController *)kvoController { %log; %orig; } - (FBKVOController *)kvoController { %log; FBKVOController * r = %orig; HBLogDebug(@" = %@", r); return r; } - (void)setPendantConfig:(NSDictionary *)pendantConfig { %log; %orig; } - (NSDictionary *)pendantConfig { %log; NSDictionary * r = %orig; HBLogDebug(@" = %@", r); return r; } - (void)setDisplayType:(long long )displayType { %log; %orig; } - (long long )displayType { %log; long long r = %orig; HBLogDebug(@" = %lld", r); return r; } - (void)setTipViews:(NSMutableArray *)tipViews { %log; %orig; } - (NSMutableArray *)tipViews { %log; NSMutableArray * r = %orig; HBLogDebug(@" = %@", r); return r; } - (void)setMoreButton:(UIButton *)moreButton { %log; %orig; } - (UIButton *)moreButton { %log; UIButton * r = %orig; HBLogDebug(@" = %@", r); return r; } - (void)setScrollView:(UIScrollView *)scrollView { %log; %orig; } - (UIScrollView *)scrollView { %log; UIScrollView * r = %orig; HBLogDebug(@" = %@", r); return r; }... . . %endCopy the code
More grammar Logos for reference document…
Write the code
Now that we know the basics of grammar, let’s do a little exercise based on what we’ve just learned. Here, douyu app is taken as an example to remove small advertisements on the live broadcast page, as shown in the picture below
Open the App, open the Reveal UI tool on MAC, and check the hierarchy. After layer upon layer analysis, we found that the advertisement view was DYPendantContainarView. The unexpected result was that all three small advertisements were placed on one view. So what we’re going to do is we’re going to go through the header file and look at the actual code
We copied the shucked Mateo Mach-o file from the phone to the computer, exported the header file through class-dump, and after that, dragged the header file to sublime and found the DYPendantContainarView class.
Write simple code. The simplest way to initialize a hook is to return nil if the view is attached to the top layer.
%hook DYPendantContainarView - (id)initWithFrame:(struct CGRect)arg1 { NSLog(@"-------- initWithFrame ------ "); return nil; } %end %ctor {NSLog(@"---- douyu hook ------"); NSLog(@"---- Douyu hook ------"); NSLog(@"---- Douyu hook ------"); NSLog(@"---- Douyu hook ------"); NSLog(@"---- Douyu hook ------"); }Copy the code
Compile package install
In the last step we have done the analysis, the code has been written, this step we do is how to add the code just written to the phone and work.
Once the code is written, we do three steps
The make command performs makefile compilation
➜ douyutweak make > Making all forTweak douyuTweak...= = > Preprocessing Tweak. X... = = > the Compiling Tweak. X (armv7)... Linking tweak douyuTweak (armv7)... Ld: warning: OS version (6.0.0) too small, changing to 7.0.0 ld: warning: building for iOS, but linking in .tbd file (/Users/gyh/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator ==> Generating debug symbols for douyuTweak... Rm/Users/gyh/Desktop/douyutweak /. Theos/obj/debug/armv7 / Tweak x.m = = > Preprocessing Tweak. X... = = > the Compiling Tweak. X (arm64)... ==> Linking tweak douyuTweak (arm64)... Ld: warning: OS version (6.0.0) too small, changing to 7.0.0 ld: warning: building for iOS, but linking in .tbd file (/Users/gyh/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator ==> Generating debug symbols for douyuTweak... Rm/Users/gyh/Desktop/douyutweak /. Theos/obj/debug/arm64 / Tweak x.m = = > Preprocessing Tweak. X... = = > the Compiling Tweak. X (arm64e)... Linking tweak douyuTweak (arm64e)... Ld: warning: OS version (6.0.0) too small, changing to 7.0.0 ld: warning: building for iOS, but linking in .tbd file (/Users/gyh/theos/vendor/lib/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator ==> Generating debug symbols for douyuTweak... Rm/Users/gyh/Desktop/douyutweak /. Theos/obj/debug/arm64e/Tweak x.m = = > Merging Tweak douyutweak... = = > Signing douyuTweak... ➜ douyutweakCopy the code
Once compiled and packaged into a deb, a deb package is generated in the Packages folder
➜ douyutweak make package > Making all forTweak douyuTweak... make[2]: Nothing to be done for `internal-library-compile'. > Making stage forTweak building package `com.yourcompany.douyutweak:iphoneos-arm' in `. / packages/com. Yourcompany. Douyutweak_0. 0.1-7 + debug_iphoneos - arm. Deb '➜ douyutweakCopy the code
The installation
➜ douyutweak make install ==> Installing... (Reading database ... 4267 files and directories currently installed) Preparing to replace com. Yourcompany. Douyutweak 0.0.1-6 + debug (using /tmp/_theos_install.deb) ... Unpacking replacement com.yourcompany.douyutweak ... Setting up com. Yourcompany. Douyutweak (0.0.1-7 + debug)... = = > Unloading SpringBoard... ➜ douyutweakCopy the code
Execution is completed will restart SpringBoard, the plug-in will be installed under/Library/MobileSubstrate/DynamicLibraries this position
The above three steps will write the code into a package installed on the phone, the next is to verify the code just written.
Note that the above three steps can also be combined into one step
➜ make package install
Copy the code
Launch the APP, at which point Cydia Substrate will insert our dynamic library into the corresponding APP based on the Bundle ID in the PList.
Open the system console and view the logs of the mobile phone. We can see that our dynamic library is loaded first, and then our constructor is called, which means we have successfully hooked.
Let’s go to the live screen and see if we can do initWihitFrame of the DYPendantContainarView
It can be seen that our own log has been typed out, indicating that our previous conjecture is correct. If there is no problem, the view of the advertisement is not created successfully, then the advertisement will not be displayed. See the picture below
When we make, theos converts our logos tweak code into c++ code and files into the dynamic library dylib. You can use to actively view the transformation
➜ douyutweak Tweak. X > Tweak. MmCopy the code
Take the douyu example, redirecting the code to tweak. Mm
#line 1 "Tweak.x"
#include <substrate.h>
#if defined(__clang__)
#if __has_feature(objc_arc)
#define _LOGOS_SELF_TYPE_NORMAL __unsafe_unretained
#define _LOGOS_SELF_TYPE_INIT __attribute__((ns_consumed))
#define _LOGOS_SELF_CONST const
#define _LOGOS_RETURN_RETAINED __attribute__((ns_returns_retained))
@class DYPendantContainarView;
static DYPendantContainarView* (*_logos_orig$_ungrouped$DYPendantContainarView$initWithFrame$)(_LOGOS_SELF_TYPE_INIT DYPendantContainarView*, SEL, struct CGRect) _LOGOS_RETURN_RETAINED; static DYPendantContainarView* _logos_method$_ungrouped$DYPendantContainarView$initWithFrame$(_LOGOS_SELF_TYPE_INIT DYPendantContainarView*, SEL, struct CGRect) _LOGOS_RETURN_RETAINED;
#line 3 "Tweak.x"
static DYPendantContainarView* _logos_method$_ungrouped$DYPendantContainarView$initWithFrame$(_LOGOS_SELF_TYPE_INIT DYPendantContainarView* __unused self, SEL __unused _cmd, struct CGRect arg1) _LOGOS_RETURN_RETAINED {
NSLog(@"-------- initWithFrame ------ ");
return nil;
static __attribute__((constructor)) void _logosLocalCtor_ce8e2604(int __unused argc, char __unused **argv, char __unused **envp) {
NSLog(@"---- Douyu Hook ------");
NSLog(@"---- Douyu Hook ------");
NSLog(@"---- Douyu Hook ------");
NSLog(@"---- Douyu Hook ------");
NSLog(@"---- Douyu Hook ------");
static __attribute__((constructor)) void _logosLocalInit() {
{Class _logos_class$_ungrouped$DYPendantContainarView = objc_getClass("DYPendantContainarView"); MSHookMessageEx(_logos_class$_ungrouped$DYPendantContainarView, @selector(initWithFrame:), (IMP)&_logos_method$_ungrouped$DYPendantContainarView$initWithFrame$, (IMP*)&_logos_orig$_ungrouped$DYPendantContainarView$initWithFrame$);} }
#line 19 "Tweak.x"
Copy the code
Make Package will package the dynamic library into a deb. Make install will upload the deb to the phone. Cydia will take over and install the deb to the specified folder.
Upon opening the app, Cydia Substrate will check whether the plist file is the process to hook, and if the BundleID is consistent, it will insert its own dynamic library upon startup, thus reaching the purpose of hook.
Theos tweak doesn’t make changes to the executable file, just changes the logic in memory
Only the jailbroken machine has the permission to insert the dynamic library at startup. You can see this logic in the dyLD source code.
Heavy signature
To ensure that the apps you install on your phone are authenticated and legitimate, Apple has a signature system that requires all apps installed on the device to be legally signed. Apps downloaded from AppStroe and debugged on real machines are trusted.
All of our previous steps worked well because jailbreak machines did not verify the signature certificates and other information. But what if we wanted to reverse engineer for a non-jailbroken machine? As mentioned earlier, we don’t have access to dynamic libraries or phone folders on non-jailbroken machines. The only way to do this was to modify the Mach-O file and insert our dynamic library into the Mach-O file, but the problem was that once you modified the Mach-O file, the original signature information of the app would be destroyed and the installation would not be verified. All we need to do is modify the signature information after mach-O to a signature that the phone can trust, and then we can install. This leads to the re-signature mechanism
The principle of
In normal development, we want to carry out real machine debugging, need to carry out complex operations step by step, so what are these operations respectively, why do it?
. We take a look at first CertificateSigningRequest certSigningRequest ios_development. Cer entitlements *. Mobileprovision this several files all represent what
CertificateSigningRequest. CertSigningRequest (equivalent to MAC public key), the applicant’s public key information contains the application to fill in the mailbox, name information, etc. A private key is also generated, and there is a one-to-one correspondence between the public and private keys
Ios_development. cer Adds the account information through the MAC public key, generates a summary of the information through the hash algorithm, and generates a CER certificate through the apple private key encryption. The CER certificate contains a digital signature encrypted with the MAC public key and apple private key
Apple’s private key exists in the Apple background, and the public key exists on every iPhone for decryption and authentication
Entitlements file, which lists app actions that are allowed and actions that are rejected. After Capabilities is set in Xcode, an entry is added to the license file.
➜ Desktop codesign -d --entitlements - DYZB Executable=/Users/gyh/Desktop/DYZB?? qq<? The XML version = "1.0" encoding = "utf-8"? > <! DOCTYPE plist PUBLIC "- / / / / DTD plist Apple / 1.0 / EN" "" > < plist Version = "1.0" > < dict > < key > working. The wifi - info < / key > < true / >, < the key > keychain access - groups < / key > <array> <string></string> <string></string> </array> <key></key> <string>xxx</string> <key></key> <true/> <key>application-identifier</key> <string></string> <key>aps-environment</key> <string>production</string> <key></key> <array> <string></string> </array> </dict> </plist>% ➜ DesktopCopy the code
*. Mobileprovision description file, Contains the preceding certificate information, appId, devices, Entitlements APP during packaging will copy the configuration file (embedded. Mobileprovision) encrypted through the Apple private key to the. App directory.
// View the Mobileprovision description file Security CMS -d -I Embedded. MobileprovisionCopy the code
Now how do you verify the signature and decrypt it
App at the start, first through the apple public key to solve the description file, one verify configuration devices, APPID, Entitlements information, any same does not conform to cannot be installed.
Then verify the cer certificate information, decrypt the digital signature of the certificate through the Apple public key, and get a summary of the information and the MAC public key and account information. The MAC public key and account information through the hash algorithm to generate a summary of information, take this summary of information and we get the summary of information corresponding to, if consistent, it proves that it has not been tampered, we get the information is trusted
Take out the MAC public key just obtained to decrypt and verify the executable file, so complete the verification, successful installation and operation
Given the signing mechanism above, we know that if you modify the Mach-O file, the signature information will be corrupted and the installation will not be completed. Therefore, we need to re-sign the modified Mach-O file with our own public key and certificate so that it can be installed on our phone.
Take douyu as an example. Install dylib and APP on a non-jailbreak machine.
Go to apple developer background to generate a set of certificates, appId to select a wildcard, Device contains the machine to install, and finally generate a description file, download and rename it as Embedded. Mobileprovision (developer account that needs to be paid)
Copy the app package, douyuTweak. Dylib dynamic library, CydiaSubstrate dynamic library to MAC
Copy embedded. Mobileprovision, douyuTweak. Dylib, CydiaSubstrate to. App package directory, at the same level as Mach-o.
Associate dynamic libraries to Mach – O so that we can execute our dynamic library files at runtime. Insert_dylib is used for dynamic library injection
/* Usage: insert_dylib dylib_path binary_path [new_binary_path] Option flags: --inplace --weak --overwrite --strip-codesig --no-strip-codesig --all-yes */ / Run the command in the. App directory // @executable_path Represents the directory where the executables reside // insert_dylib@executable_path/Dynamic library executables New generated executables ➜ dyzb. app insert_dylib @executable_path/douyuTweak.dylib DYZB DYZB DYZB already exists. Overwrite it? [y/n] y Binary is a fat binary with 2 archs. LC_CODE_SIGNATURE load command found. Remove it? [y/n] y LC_CODE_SIGNATURE load command found. Remove it? [y/ N] y Added LC_LOAD_DYLIB to all archs in DYZB ➜ dyzb.appCopy the code
Modify the loading path of the dynamic library. We use otool to view dynamic libraries that executable files depend on
➜ Dyzb. app otool -L DYZB DYZB (Architecture ARM64): The/usr/lib/libobjc. A. d. ylib (compatibility version 1.0.0, Current version 228.0.0) /usr/lib/libc++.1.dylib (Compatibility version 1.0.0, /usr/lib/libc++abi. Dylib (compatibility version 1.0.0, The current version 400.17.0)/usr/lib/libiconv. 2. The dylib (compatibility version 7.0.0, current version 7.0.0)... . . Executable_path /douyuTweak. Dylib (Compatibility version 0.0.0, current version 0.0.0)Copy the code
At this point we can see that our dynamic library has been associated successfully. Then look at the dynamic libraries that Douyutweak.dylib depends on
➜ otool -L douyuTweak.dylib douyuTweak.dylib (architecture arm64): /Library/MobileSubstrate/DynamicLibraries/douyuTweak.dylib (compatibility version 0.0.0, current version 0.0.0) /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0) /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1652.20.0) /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1652.20.0) /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate (compatibility version 0.0.0, current version 0.0.0) Copy the code
Can see/Library/Frameworks/CydiaSubstrate framework/CydiaSubstrate this path is in prison break machine, the path is not escape the machine can’t find this file. In step 3 we’ve already copied CydiaSubstrate to the same directory, so we need to modify the loading path here
// Use the install_name_tool tool to change the path. // Install_name_tool -change the original path. // @loader_path indicates the directory where the dynamic library resides: ➜ install_name_tool -change /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate @loader_path/CydiaSubstrate douyuTweak.dylibCopy the code
After the modification is successful, we use otool to check again
➜ dyzb. app otool -l douyutweak.dylib... . @loader_path/CydiaSubstrate (compatibility version 0.0.0, current version 0.0.0)Copy the code
You can see that the dynamic library dependency path has been modified successfully.
The next step is to re-sign the dynamic library. . All dynamic libraries, extensions and Watch in the app package need to be re-signed
To see which certificates are currently available on the computer, we select the first one and use the preceding string of ids
➜ DYZB. App security find - identity - v - p codesigning 1) 6 adff1fe0c8af2745f58972d564e0ac95cb7927b "iPhone Developer: (xxx)" 2) 5F2052946CD744E13F98DE5FAEB3DB4483F56FFF "iPhone Distribution: xxx (xxx)" 3) 978F840CF7E4BBFBCD9E32953722CBBF7BB018B5 "Mac Developer: (xxx)" 4) B832B6F319CB6710441E9436A8AB8D62A0F79057 "Apple Development: (xxx)" 4 valid identities foundCopy the code
Resending the dynamic library
➜ DYZB. App codesign - fs 6 adff1fe0c8af2745f58972d564e0ac95cb7927b douyuTweak. Dylib douyuTweak. Dylib: Replacing existing signature ➜ DYZB. App codesign - fs 6 adff1fe0c8af2745f58972d564e0ac95cb7927b CydiaSubstrate Colony strate: Replacing Existing Signature ➜ dyzb. appCopy the code
Since there are other Frameworks in the Frameworks folder, re-sign all Frameworks under Frameworks. If there is no Frameworks folder, ignore it
➜ DYZB. App codesign - fs 6 adff1fe0c8af2745f58972d564e0ac95cb7927b Frameworks/AdLibrary framework Frameworks/AdLibrary.framework: Replacing existing signature ➜ DYZB. App codesign - 6 adff1fe0c8af2745f58972d564e0ac95cb7927b fs Frameworks/P2PiOS.framework Frameworks/P2PiOS.framework: Replacing existing signature ➜ DYZB. App codesign - 6 adff1fe0c8af2745f58972d564e0ac95cb7927b fs Frameworks/TencentXP2P.framework Frameworks/TencentXP2P.framework: Replacing existing signature ➜ DYZB. App codesign - 6 adff1fe0c8af2745f58972d564e0ac95cb7927b fs Frameworks/XADLibrary framework Frameworks/XADLibrary framework: replacing existing signature ➜ DYZB. The appCopy the code
Finally, re-sign the app. So I’m going to modify this file
Extract Entitlements. Plist file from Embedded. Mobileprovision file
security cms -D -i embedded.mobileprovision > temp.plist /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' temp.plist > entitlements. Plist ➜ Downloads the ls -l | grep entitlement - rw - r - r - @ 1 gyh staff 453 7 15 "entitlements. Plist ➜ DownloadsCopy the code
Sign the APP package
codesign -fs 6ADFF1FE0C8AF2745F58972D564E0AC95CB7927B --entitlements entitlements.plist Copy the code
You can also use the ios-app-signer re-signature tool to re-sign. After the configuration is complete, click Start to automatically re-sign and generate ipA packets
The installation. Create the “Payload” folder, drag the. App package, compress the “Payload” folder, and change the “zip” folder to “ipA”. Install it on your phone through iFunBox or other third-party tools. The installation is successful
MonkeyDev iS iOS application reverse and security author developed a set of reverse tools, using Xcode to complete all operations, powerful, easy to use. Making the address
- You can use Xcode to develop CaptainHook Tweak, Logos Tweak, and Command line tools to develop plug-ins on jailbroken machines, which is a migration and improvement of the original iOSOpenDev feature.
- Simply drag in a shell-smashing application and automatically integrate class-dump, restored-Symbol, Reveal, Cycript, and injected dynamic libraries and re-sign them to install on a non-jailbroken machine.
- Support debugging of their own dynamic library and third-party App
- Support for SDK integration through CocoaPods third-party applications and non-jailbroken plug-ins. In short, build a non-jailbroken plug-in store through CocoaPods.
The following is a brief introduction to the use process. Please refer to the wiki for detailed installation and configuration instructions.
After the installation is complete, when creating a New Xcode project, you will find a row of function buttons below to choose from
Drag the unshelled app package into the specified TargetApp directory and write it using Tainhook in testaiqiyidylib. m or using Logos syntax in testaiqiyidylib. xm in the Logos file. (Select Objective-C++ Source as type)
Here we use logos syntax, which we learned earlier
Build Setting allows you to export headers by default when class_dump is enabled, and restore symbol information when retore_symbol is enabled
After setting up, connect to the real machine and select certificate debugging. After running, you can see the output information, just like our debug environment debugging. MonkeyDev is briefly introduced here, a word, a strong stroke!