8. 第一个逆向程序

创建tweak工程

➜  iOS /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/activator_event
[2.] iphone/application_modern
[3.] iphone/cydget
[4.] iphone/flipswitch_switch
[5.] iphone/framework
[6.] iphone/ios7_notification_center_widget
[7.] iphone/library
[8.] iphone/notification_center_widget
[9.] iphone/preference_bundle_modern
[10.] iphone/tool
[11.] iphone/tweak
[12.] iphone/xpc_service
//选择tweak工程
Choose a Template (required): 11

//工程名称
Project Name (required): MyFirstReProject

//deb包的名字（类似于bundle identifier)
Package Name [com.yourcompany.myfirstreproject]: com.iosre.myfirstreproject

//tweak作者
Author/Maintainer Name [System Administrator]: luz

//tweak作用对象的bundle identifier
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard

//tweak安装完成后需要重启的应用
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
Instantiating iphone/tweak in myfirstreproject/...
Done.

工程文件结构

Makefile

//工程包含的通用头文件
include $(THEOS)/makefiles/common.mk

//创建工程时指定的“Project Name，指定好之后一般不要再更改
TWEAK_NAME = MyFirstReProject

//tweak包含的源文件，指定多个文件时用空格隔开
MyFirstReProject_FILES = Tweak.xm

//tweak工程的头文件，一般有application.mk、tweak.mk和tool.mk几类
include $(THEOS_MAKE_PATH)/tweak.mk

//指定tweak安装之后，需要做的事情，这里是杀掉SpringBoard进程
after-install::
install.exec "killall -9 SpringBoard"

补充:
//编译debug或者release
DEBUG = 0

//越狱iPhone的ip地址
THEOS_DEVICE_IP = 192.168.1.113

//指定支持的处理器架构
ARCHS = armv7 arm64

//指定需要的SDK版本iphone:Base SDK:Deployment Target
TARGET = iphone:latest:8.0  //最新的SDK，程序发布在iOS8.0以上

//导入框架，多个框架时用空格隔开
MyFirstReProject_FRAMEWORKS = UIKit
MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport

//链接libsqlite3.0.dylib、libz.dylib和dylib1.o
MyFirstReProject_LDFLAGS = -lz –lsqlite3.0 –dylib1.o

//make clean
clean::
rm -rf ./packages/*

tweak文件

“xm”中的“x”代表这个文件支持Logos语法，如果后缀名是单独一个“x”，说明源文件支持Logos和C语法；如果后缀名是“xm”，说明源文件支持Logos和C/C++语法。

/* How to Hook with Logos
 Hooks are written with syntax similar to that of an Objective-C @implementation.
 You don't need to #include , it will be done automatically, as will
 the generation of a class list and an automatic constructor.
 
 %hook ClassName
 
 // Hooking a class method
 + (id)sharedInstance {
 return %orig;
 }
 
 // Hooking an instance method with an argument.
 - (void)messageName:(int)argument {
 %log; // Write a message about this call, including its class, name and arguments, to the system log.
 
 %orig; // Call through to the original function with its original arguments.
 %orig(nil); // Call through to the original function with a custom argument.
 
 // If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
 }
 
 // Hooking an instance method with no arguments.
 - (id)noArguments {
 %log;
 id awesome = %orig;
 [awesome doSomethingElse];
 
 return awesome;
 }
 
 // Always make sure you clean up after yourself; Not doing so could have grave consequences!
 %end
 */

参数说明

- %hook 指定需要hook的class，必须以%end结尾

- %log 该指令在%hook内部使用，将函数的类名、参数等信息写入syslog
Cydia内搜索安装syslogd

- %orig该指令在%hook内部使用，执行被钩住（hook）的函数的原始代码。

control

control文件记录了deb包管理系统所需的基本信息，会被打包进deb包里。

编译工程

tweakxm 文件

%hook SpringBoard
-  (void)applicationDidFinishLaunching:(id)application
{
    %orig;
    UIAlertView *alert = [[UIAlertView alloc]
                          initWithTitle:@"Hello，Tanzhou!"
                          message:nil
                          delegate:self cancelButtonTitle:@"OK"
                          otherButtonTitles:nil];
    [alert show];
}

- (void)_menuButtonDown:(id)down
{
    NSLog(@"x=%d, y=%d", 10, 20);
    %log((NSString *)@"iOSRE", (NSString *)@"Debug");
    %orig; // call the original _menuButtonDown:
}
%end

%hook SBLockScreenDateViewController
- (void)setCustomSubtitleText:(id)arg1 withColor:(id)arg2
{
    /*
     NSDate *date=[NSDate date];
     NSDateFormatter *format1=[[NSDateFormatter alloc]init];
     [format1 setDateFormat:@"yyyy/MM/dd HH:mm:ss"];
     NSString *str1=[format1 stringFromDate:date];
     */
    struct tm *loctime;
    char timeBuf[1024] = {0};
    time_t now = time(NULL);
    loctime = localtime(&now);
    strftime(timeBuf, 30, "[%Y/%m/%d %H:%M:%S]", loctime);
    %orig([NSString stringWithUTF8String:timeBuf],arg2);
}
%end

MakeFile文件

DEBUG = 0
THEOS_DEVICE_IP = 10.171.4.22
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0
include $(THEOS)/makefiles/common.mk

TWEAK_NAME = MyFirstReProject
MyFirstReProject_FILES = Tweak.xm
MyFirstReProject_FRAMEWORKS = UIKit
include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
install.exec "killall -9 SpringBoard"
clean::
rm -rf ./packages/*

control文件

Package: com.iosre.myfirstreproject
Name: MyFirstReProject
Depends: mobilesubstrate
Version: 1.0.1
Architecture: iphoneos-arm
Description: My first reproject!
Maintainer: luz
Author: luz
Section: Tweaks
Homepage: https://www.baidu.com

编译命令

make  //编译

make package  //打包

make install  //安装

验证结果