iOS逆向实战_钉钉定位

一.说明

目的是破解钉钉定位的方法,在家里也可以正常上班打卡.

二.准备工作

  1. appstore下载钉钉
  2. 打开ifunbox, 找到 /var/mobile/Containers/Bundle/Application/F2A26AA8-0737-4C7D-AB0B-9CAE638E8E82/DingTalk.app下的mach-o文件,拖到桌面
  3. 手机root用户下:Clutch -i查看,Clutch -d 进行脱壳
    如果失败了:请改用dumpDecrypted
    DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/F2A26AA8-0737-4C7D-AB0B-9CAE638E8E82/DingTalk.app/DingTalk
  4. mac下:class-dump -H DingTalk -o ~/Desktop/classDump_DingTalk
  5. theos
    mac:运行nic.pl
  6. 编写Tweak.xm
    找到系统的定位方法,然后hook


%hook AMapLocationManager

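/// Hooked AMap delegate callback.  Replaces the locations the system delivered
/// (`arg2`) with a single CLLocation built from the two strings stored under the
/// "lyk_setLocation" defaults key (written by -yesAction: in the panel below), then
/// forwards to the original implementation.
/// @param arg1 The location manager that produced the update; passed through unchanged.
/// @param arg2 The system-reported locations.  Used for logging, and forwarded
///             unchanged when no coordinates have been stored yet.
- (void)locationManager:(id)arg1 didUpdateLocations:(id)arg2
{
    NSArray *stored = [[NSUserDefaults standardUserDefaults] objectForKey:@"lyk_setLocation"];

    // Nothing stored yet (first run, or the key was cleared): the original code indexed
    // nil here and reported (0,0) plus jitter.  Forward the real update instead.
    if (stored.count < 2) {
        %orig(arg1, arg2);
        return;
    }

    // Element 0 is consumed as latitude and element 1 as longitude.  The entry panel in
    // DTConversationListController labels its first field 经度 (longitude) and the second
    // 纬度 (latitude) — NOTE(review): the labels and this order disagree; confirm which the
    // author intended.  -doubleValue on a non-numeric string yields 0.
    // Each coordinate gets 0–9 µdeg of random noise added.
    double latitude  = [stored[0] doubleValue] + arc4random_uniform(10) / 1000000.0;
    double longitude = [stored[1] doubleValue] + arc4random_uniform(10) / 1000000.0;

    CLLocation *substitute = [[CLLocation alloc] initWithLatitude:latitude longitude:longitude];
    NSArray *replacement = @[substitute];

    // Writes both the system-reported locations and the substitute to the device log.
    NSLog(@"llykk_%@,%@", arg2, substitute);

    %orig(arg1, replacement);
}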

%end




%hook DTConversationListController

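/// Installs the untitled 30×30 trigger button at (0,200) on the key window each time
/// this controller's view appears.  The original code added a fresh button on every
/// appearance without removing the previous one, so buttons piled up on the window;
/// any earlier trigger (tag 667) is now removed first, so exactly one exists and it
/// targets the current controller instance.
/// @param arg1 Whether the appearance is animated; passed through to the original.
- (void)viewWillAppear:(_Bool)arg1
{
    %orig;

    UIWindow *window = [UIApplication sharedApplication].keyWindow;

    // 667 is a file-local tag; 666/661/662 are used by the coordinate panel below.
    [[window viewWithTag:667] removeFromSuperview];

    UIButton *trigger = [UIButton buttonWithType:UIButtonTypeCustom];
    trigger.frame = CGRectMake(0, 200, 30, 30);
    trigger.tag = 667;
    [trigger setTitle:@"" forState:UIControlStateNormal];
    [window addSubview:trigger];
    [trigger addTarget:self action:@selector(btnAction) forControlEvents:UIControlEventTouchUpInside];
}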

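%new
/// Trigger-button handler: shows the coordinate entry panel (tag 666) on the key
/// window, building it on first use and re-attaching the existing one otherwise,
/// then pre-fills both fields from the "lyk_setLocation" defaults entry if present.
/// Tags: 666 = panel, 661 = first field, 662 = second field.
- (void)btnAction
{
    UIWindow *window = [UIApplication sharedApplication].keyWindow;
    UIView *panel = [window viewWithTag:666];

    if (panel) {
        // Already built once; re-attach it to the window (original behaviour).
        [window addSubview:panel];
    } else {
        panel = [[UIView alloc] initWithFrame:CGRectMake(50, 200, 275, 120)];
        panel.backgroundColor = [UIColor colorWithRed:1 green:0 blue:0 alpha:1];
        panel.tag = 666;
        [window addSubview:panel];

        UILabel *title = [[UILabel alloc] initWithFrame:CGRectMake(0, 0, 275, 20)];
        title.text = @"请输入新的经纬度";
        title.font = [UIFont systemFontOfSize:14];
        title.textAlignment = NSTextAlignmentCenter;
        [panel addSubview:title];

        // NOTE(review): this field is labelled 经度 (longitude), but the hooked
        // locationManager:didUpdateLocations: reads stored element 0 as latitude.
        // Confirm the intended order before changing either side.
        UITextField *firstField = [[UITextField alloc] initWithFrame:CGRectMake(0, 30, 275, 20)];
        firstField.tag = 661;
        firstField.placeholder = @"请输入经度";
        firstField.backgroundColor = [UIColor whiteColor];
        [panel addSubview:firstField];

        UITextField *secondField = [[UITextField alloc] initWithFrame:CGRectMake(0, 60, 275, 20)];
        secondField.tag = 662;
        secondField.placeholder = @"请输入纬度";
        secondField.backgroundColor = [UIColor whiteColor];
        [panel addSubview:secondField];

        UIButton *confirm = [UIButton buttonWithType:UIButtonTypeCustom];
        confirm.frame = CGRectMake(0, 85, 275, 30);
        [confirm setTitle:@"确定" forState:UIControlStateNormal];
        [confirm addTarget:self action:@selector(yesAction:) forControlEvents:UIControlEventTouchUpInside];
        [panel addSubview:confirm];
    }

    NSArray *stored = [[NSUserDefaults standardUserDefaults] objectForKey:@"lyk_setLocation"];
    // The original indexed [0] and [1] unguarded; anything shorter than two entries is ignored.
    if (stored.count < 2) {
        return;
    }

    // Explicit casts: -viewWithTag: returns UIView *, and these tags are set on text fields above.
    UITextField *firstField = (UITextField *)[panel viewWithTag:661];
    UITextField *secondField = (UITextField *)[panel viewWithTag:662];
    firstField.text = stored[0];
    secondField.text = stored[1];
}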

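%new
/// Confirm-button handler for the coordinate panel: stores the two field values
/// (as strings, in field order) under "lyk_setLocation" and removes the panel.
/// @param btn The confirm button; its superview is the panel being dismissed.
- (void)yesAction:(UIButton *)btn
{
    UIView *panel = [[UIApplication sharedApplication].keyWindow viewWithTag:666];

    UITextField *firstField = (UITextField *)[panel viewWithTag:661];
    UITextField *secondField = (UITextField *)[panel viewWithTag:662];

    // @[...] throws on a nil element and UITextField.text is nullable, so fall back to "".
    NSString *first = firstField.text ?: @"";
    NSString *second = secondField.text ?: @"";

    // No numeric or range validation is performed here; the hook applies -doubleValue
    // to whatever strings are stored.
    NSArray *stored = @[first, second];
    [[NSUserDefaults standardUserDefaults] setObject:stored forKey:@"lyk_setLocation"];
    [[NSUserDefaults standardUserDefaults] synchronize];

    [btn.superview removeFromSuperview];
}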

%end

八.重签名

  • 通过iFunbox拿到DingTalk.app
  • codesign -vv -d WeChat.app查看签名信息
  • 将脱壳后的包重签名:
    1.拿到DingTalk.app,将脱壳的mach-o放进去替换
    2.删掉PlugIns文件夹和Watch文件夹
    3.对framework进行重签名
    4.修改DingTalk的info.plist,将 bundle id 改为自己证书里面的.
