Preface
iosre:http://bbs.iosre.com/t/run-a-...
chinapyg:http://www.chinapyg.com/forum...
dllhook:http://www.dllhook.com/catego...
Requirements
- Device Tools
1、otool
otool: lists the dynamic libraries a binary links against and disassembles its code sections
Installing iNalyzer pulls it in
nm: prints the symbol table
ldid: code-signing tool
gdb: debugger
patch: applies patches
SSH: remote access to the device
class-dump and otool are included in the Cydia package BigBoss Recommended Tools
2、gdb, lldb
3、class-dump
https://speakerdeck.com/tgrf/...
- Install LLVM so that class-dump-swift can be built with make
cd llvm-3.9.0.src/
mkdir build
cd build
cmake ..
make && sudo make install
Then you can successfully compile this project with just make.
- Tear down the virtual network interface (rvictl -x <UDID> removes the Remote Virtual Interface that rvictl -s <UDID> created for capturing the device's traffic on the Mac)
devzkndeMacBook-Pro:~ devzkn$ rvictl -x 07cf5424d3844522c3396fc55f419a11633cb54c
Listing the running app processes
iPhone:~ root# ps aux|grep /var/mobile/Containers/Bundle/
mobile 15771 36.1 14.7 981872 152828 ?? Ss 3:01PM 4:20.37 /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
mobile 15493 0.0 7.7 862412 79568 ?? Ss 5:58PM 13:11.90 /var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/WeChat
mobile 11974 0.0 2.3 821156 24204 ?? Ss Wed09AM 3:18.29 /var/mobile/Containers/Bundle/Application/472F4813-5586-49C7-BE0E-0A860C5001AC/Moon.app/Moon
root 15793 0.0 0.0 536236 384 s001 R+ 3:14PM 0:00.01 grep /var/mobile/Containers/Bundle/
Preparation
Attach cycript to the running app to find its Data container (the Documents directory). This is a different container from the Bundle directory shown by ps, and it is where the dump will be written.
http://blog.csdn.net/z9291189...
iPhone:~ root# cycript -p Taobao4iPhone
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents/"
Press Control+D to exit.
Injecting the dynamic library
Run the app's executable with dumpdecrypted.dylib injected through DYLD_INSERT_LIBRARIES. dumpdecrypted writes <executable>.decrypted into the current working directory, which is why the command is run from the Documents directory found above:
iPhone:/var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents root# DYLD_INSERT_LIBRARIES=./dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
Copy the .decrypted file to the Mac and generate headers with class-dump (--arch selects the slice of a fat binary):
devzkndeMacBook-Pro:bin devzkn$ class-dump --arch armv7 /Users/devzkn/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhone.decrypted -H -o ~/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhoneHead
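The steps above (find the running app with ps, dump it with dumpdecrypted from its Documents directory, then class-dump the result) glued together as shell functions. This is an added example, not code from the original post. It assumes a jailbroken device where the functions run as root over SSH, dumpdecrypted.dylib at the path in DUMPDECRYPTED, and class-dump installed on the Mac; the ps sample is constructed from the listing above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). The text helpers are exercised
# on the constructed ps sample below; the device step (dump_app) and the Mac
# step (dump_headers) assume a jailbroken device and class-dump respectively.

# Constructed sample of `ps aux` output on the device (same layout as above).
SAMPLE_PS='mobile 15771 36.1 14.7 981872 152828 ?? Ss 3:01PM 4:20.37 /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
mobile 15493 0.0 7.7 862412 79568 ?? Ss 5:58PM 13:11.90 /var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/WeChat
root 15793 0.0 0.0 536236 384 s001 R+ 3:14PM 0:00.01 grep /var/mobile/Containers/Bundle/'

# ps_field <app> pid|path <ps output>: print the PID ($2) or command path
# ($NF) of the line whose command ends in <app>.app/<app>. Anchoring on that
# suffix skips the grep line that ps aux | grep always returns.
ps_field() {
    printf '%s\n' "$3" | awk -v app="$1" -v fld="$2" \
        '$NF ~ ("/" app "\\.app/" app "$") { print ((fld == "pid") ? $2 : $NF); exit }'
}

# binary_path <app> [ps output]: full path of the running app's executable.
binary_path() { ps_field "$1" path "${2:-$(ps aux)}"; }
# binary_pid <app> [ps output]: its PID, usable with cycript -p or gdb.
binary_pid()  { ps_field "$1" pid  "${2:-$(ps aux)}"; }

# dumpdecrypted writes <executable name>.decrypted into the working directory.
decrypted_name() { printf '%s.decrypted\n' "${1##*/}"; }

DUMPDECRYPTED=${DUMPDECRYPTED:-./dumpdecrypted.dylib}   # assumed location

# dump_app <app> <documents dir>: run the app with dumpdecrypted injected.
# <documents dir> is the Data container path obtained with cycript above; it
# becomes the working directory so the dump lands somewhere writable. Runs in
# a subshell so the cd does not leak into the caller's shell.
dump_app() (
    bin=$(binary_path "$1")
    [ -n "$bin" ] || { echo "$1 is not running" >&2; exit 1; }
    cd "$2" || exit 1
    DYLD_INSERT_LIBRARIES="$DUMPDECRYPTED" "$bin"
    ls -l "$(decrypted_name "$bin")"
)

# dump_headers <decrypted binary> <output dir>: on the Mac, after copying the
# .decrypted file over. ARCH selects the slice of a fat binary (armv7 as in
# the command above; arm64 for a 64-bit slice).
dump_headers() {
    class-dump --arch "${ARCH:-armv7}" "$1" -H -o "$2"
}
```

On the device: `dump_app Taobao4iPhone /var/mobile/Containers/Data/Application/<UUID>/Documents`; on the Mac, after scp: `dump_headers Taobao4iPhone.decrypted ./Taobao4iPhoneHead`. Because binary_path and binary_pid accept the ps text as an argument, they can be checked against a captured listing without touching the device.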
Supplement
Installing LLVM
https://github.com/Maximus-/c...
Recent LLVM releases can only be built with CMake, so install cmake first.
brew install cmake
Build (run cmake from inside the empty build directory):
mkdir build
cd build
cmake /path/to/llvm/source
cmake --build .
The build takes a long time and its output is roughly 20 GB.
When it finishes, the built tools are under build/bin/.
bundleIdentifier
iPhone:~ root# cycript -p Taobao4iPhone
cy# [[NSBundle mainBundle] bundleIdentifier]
@"com.taobao.taobao4iphone"
cy#
tweakTool
- plutil prints a property list in readable form. Integer values are shown in decimal: SockPathMode = 384 below is 0600 in octal, i.e. the control socket is accessible only by its owner.
iPhone:/System/Library/LaunchDaemons root# plutil com.apple.racoon.plist
{
EnableTransactions = 1;
Label = "com.apple.racoon";
MachServices = {
"com.apple.SecureNetworking.IPSec" = 1;
};
ProgramArguments = (
"/usr/sbin/racoon",
"-D"
);
RunAtLoad = 0;
Sockets = {
Listeners = {
SockFamily = Unix;
SockPathMode = 384;
SockPathName = "/var/run/control.sock";
};
};
}
Controlling daemons with launchctl
- Stop the xxx daemon (launchctl stop takes the job label, not the plist file name; to unload the job from its plist use launchctl unload /System/Library/LaunchDaemons/xxx.plist)
launchctl stop xxx
- launchctl list shows the loaded daemons
iPhone:/System/Library/LaunchDaemons root# launchctl list
PID Status Label
- 0 com.apple.mediastream.mstreamd
- -44 com.apple.icloud.findmydeviced
Column 1: the daemon's PID; a dash means it is not running at the moment
Column 2: the status of its last exit (0 is a clean exit; a negative number is the negated signal that killed it, per launchctl(1))
- 停止进程
launchctl stop com.apple.DumpPanic
- 移除
launchctl remove com.apple.DumpPanic
Run a daemon (as root) on iOS
Because daemons are loaded by launchd, which is owned by root:wheel,
iPhone:/sbin root# ls -l /sbin/launchd
-rwxr-xr-x 1 root wheel 239536 Nov 19 2014 /sbin/launchd
so both a daemon and its config file must be owned by root:wheel too; it is born and runs as root. Keep it in mind and we'll get back to this later.
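An added example, not from the iosre post or from this page: a minimal LaunchDaemon plist built with the same keys seen in com.apple.racoon.plist (Label, ProgramArguments, RunAtLoad), plus a check of the root:wheel ownership rule described above, applied to the daemon binary and its plist before loading them. The label com.example.hello, the program path and the /Library/LaunchDaemons install directory are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post). daemon_plist and check_owner
# work on text and are exercised offline; install_daemon runs as root on the
# device and assumes /Library/LaunchDaemons is where the plist should go.

# daemon_plist <label> <program> [arg...]: print a plist with Label,
# ProgramArguments and RunAtLoad, the structure plutil showed above.
daemon_plist() {
    label=$1; shift
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '\t<key>Label</key>\n\t<string>%s</string>\n' "$label"
    printf '\t<key>ProgramArguments</key>\n\t<array>\n'
    for a in "$@"; do printf '\t\t<string>%s</string>\n' "$a"; done
    printf '\t</array>\n'
    printf '\t<key>RunAtLoad</key>\n\t<true/>\n'
    printf '</dict>\n</plist>\n'
}

# check_owner <ls -l line>: returns 0 if the file is owned by root:wheel and
# is neither group- nor world-writable, 1 otherwise. It takes the ls line as
# text so it can be tested without root; on the device pass "$(ls -l path)".
check_owner() {
    set -- $1                       # split the ls -l line into fields
    mode=$1; owner=$3; group=$4
    [ "$owner" = root ] && [ "$group" = wheel ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group (pos 6) or other (pos 9) write bit
    esac
    return 0
}

# install_daemon <label> <program> [arg...]: write the plist, set ownership
# and modes as launchd expects, verify, then load. Run as root on the device.
install_daemon() {
    label=$1; shift
    plist=/Library/LaunchDaemons/$label.plist       # assumed install location
    daemon_plist "$label" "$@" > "$plist"
    chown root:wheel "$plist" "$1"
    chmod 644 "$plist"
    chmod 755 "$1"
    check_owner "$(ls -l "$plist")" && check_owner "$(ls -l "$1")" || {
        echo "ownership/permissions still wrong, not loading" >&2; return 1; }
    launchctl load "$plist"
}
```

Usage on the device: `install_daemon com.example.hello /usr/bin/hello -D`, then `launchctl list | grep com.example.hello` to confirm it loaded. The ownership check is done on text deliberately: a daemon that is writable by mobile is a root privilege escalation for anything running as mobile, so it is worth refusing to load rather than relying on launchd's own rejection.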