本文主要是介绍安装theos进行CydiaSubstrate Hook,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
安装theos的流程
第一步安装 dpkg ldid
brew install dpkg ldid第二步下载theos 到 /opt/theos目录
sudo git clone --recursive https://github.com/theos/theos.git /opt/theos第三步把/opt/theos的权限改为自己所拥有
sudo chown $(id -u):$(id -g) /opt/theos第四步 vim ~/.bash_profile 加入环境变量
export THEOS=/opt/theos
export PATH=/opt/theos/bin/:$PATH第五步更新bash_profile
source ~/.bash_profile输入nic.pl 验证是否安装成功
编译tweak
➜ antiantidebug git:(master) ls -l
total 32
-rw-r--r-- 1 tesi1a staff 53 6 24 01:19 AntiAntiDebug.plist
-rw-r--r-- 1 tesi1a staff 257 6 24 01:19 Makefile
-rw-r--r-- 1 tesi1a staff 2212 6 24 01:19 Tweak.xm
-rw-r--r-- 1 tesi1a staff 217 6 24 01:19 control
➜ antiantidebug git:(master) cat Makefile
export THEOS_DEVICE_IP = 127.0.0.1
export THEOS_DEVICE_PORT = 2222include $(THEOS)/makefiles/common.mkTWEAK_NAME = AntiAntiDebug
AntiAntiDebug_FILES = Tweak.xminclude $(THEOS_MAKE_PATH)/tweak.mkafter-install::install.exec "killall -9 SpringBoard"➜ antiantidebug git:(master) make1 export THEOS_DEVICE_IP = 127.0.0.1
> Making all for tweak AntiAntiDebug…1 export THEOS_DEVICE_IP = 127.0.0.1
==> Preprocessing Tweak.xm…
==> Compiling Tweak.xm (armv7)…
==> Linking tweak AntiAntiDebug (armv7)…
==> Generating debug symbols for AntiAntiDebug…
rm /Users/tesi1a/Desktop/IOS/AntiAntiDebug/tweak/antiantidebug/.theos/obj/debug/armv7/Tweak.xm.mm
==> Preprocessing Tweak.xm…
==> Compiling Tweak.xm (arm64)…
==> Linking tweak AntiAntiDebug (arm64)…
==> Generating debug symbols for AntiAntiDebug…
rm /Users/tesi1a/Desktop/IOS/AntiAntiDebug/tweak/antiantidebug/.theos/obj/debug/arm64/Tweak.xm.mm
==> Preprocessing Tweak.xm…
==> Compiling Tweak.xm (arm64e)…
==> Linking tweak AntiAntiDebug (arm64e)…
==> Generating debug symbols for AntiAntiDebug…
rm /Users/tesi1a/Desktop/IOS/AntiAntiDebug/tweak/antiantidebug/.theos/obj/debug/arm64e/Tweak.xm.mm
==> Merging tweak AntiAntiDebug…
==> Signing AntiAntiDebug…➜ antiantidebug git:(master) ✗ make package
> Making all for tweak AntiAntiDebug…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak AntiAntiDebug…
dm.pl: building package `com.monkey.antiantidebug:iphoneos-arm' in `./packages/com.monkey.antiantidebug_0.0.1-1+debug_iphoneos-arm.deb'➜ antiantidebug git:(master) ✗ make install
==> Installing…
The authenticity of host '[127.0.0.1]:1025 ([127.0.0.1]:1025)' can't be established.
RSA key fingerprint is SHA256:vOmfbX3fg1QglwZBSc8owRA2vAe2PT6VLMuu82RzLGs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:1025' (RSA) to the list of known hosts.
Selecting previously unselected package com.monkey.antiantidebug.
(Reading database ... 2031 files and directories currently installed.)
Preparing to unpack /tmp/_theos_install.deb ...
Unpacking com.monkey.antiantidebug (0.0.1-1+debug) ...
Setting up com.monkey.antiantidebug (0.0.1-1+debug) ...
install.exec "killall -9 SpringBoard"
三部曲 make package install 安装生成deb文件到越狱后的手机
mac上使用theos
关于mac上的hook资料还是比较少的
下面以qq音乐的hook实际来演示hook代码再 https://github.com/AsTryE/QQMusicHelper
step1:下载monkeyDev
https://github.com/AloneMonkey/MonkeyDev
sudo git clone --recursive https://github.com/theos/theos.git /opt/theos
安装:
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/AloneMonkey/MonkeyDev/master/bin/md-install)"
下载用于演示的Demo项目
git clone https://github.com/AsTryE/QQMusicHelper
双击打开.xodeproj文件
可以看到代码其实关键就hook两个函数
//
// QQMusicHelper.m
// QQMusicHelper
//
// Created by tangxianhai on 2018/5/4.
// Copyright © 2018年 tangxianhai. All rights reserved.
//#import "QQMusicHelper.h"
#import "substrate.h"@class DownLoadTask;static BOOL (*origin_DownLoadTask_checkHaveRightToDownload_rate)(DownLoadTask*,SEL,id,int);
static BOOL new_DownLoadTask_checkHaveRightToDownload_rate(DownLoadTask* self,SEL _cmd,id a3, int a4) {NSLog(@"QQMusicHelper助手 ---------- hook checkHaveRightToDownload is ok");return YES;
}static int (*origin_GetFlexBOOL)(int64_t a1, int64_t a2, int64_t a3, int64_t a4, int64_t a5, int64_t a6, int64_t a7, int64_t a8);
static int new_GetFlexBOOL(int64_t a1, int64_t a2, int64_t a3, int64_t a4, int64_t a5, int64_t a6, int64_t a7, int64_t a8) {NSLog(@"QQMusicHelper助手 ---------- hook GetFlexBOOL is ok");return 1;
}static void __attribute__((constructor)) initialize(void) {
NSLog(@"QQMusicHelper助手 ---------- im in");//其中加上一句我们的打印代码MSHookMessageEx(objc_getClass("DownLoadTask"), NSSelectorFromString(@"checkHaveRightToDownload:rate:"), (IMP)&new_DownLoadTask_checkHaveRightToDownload_rate, (IMP*)&origin_DownLoadTask_checkHaveRightToDownload_rate);MSImageRef image = MSGetImageByName("/Applications/QQMusic.app/Contents/MacOS/QQMusic");void *_GetFlexBOOL = MSFindSymbol(image, "_GetFlexBOOL");MSHookFunction(_GetFlexBOOL, &new_GetFlexBOOL, (void *)&origin_GetFlexBOOL);
}之后直接编译:
首先得把signing签名改为自己的的
问题一: Showing All Messages Command PhaseScriptExecution failed with a nonzero exit code
问题二:“Command /bin/sh failed with exit code 1”
勾选即可。
最后我们把dylib注入到QQ音乐进程。
ios的hook方案:
https://www.jianshu.com/p/3479f9632a6f
MSHookMessageEx hook oc函数
MSHookFunction hook c函数
安装分析:
#!/bin/bashapp_name="QQMusic"
app_extra_name="libsubstitute"
shell_path="$(dirname "$0")"
qq_path="/Applications/QQMusic.app"
framework_name="libQQMusicHelper"
app_bundle_path="/Applications/${app_name}.app/Contents/MacOS"
app_executable_path="${app_bundle_path}/QQMusic"
app_executable_backup_path="${app_executable_path}_backup"
framework_path="${app_bundle_path}/${framework_name}.dylib"# 对 QQ 赋予权限
if [ ! -w "$qq_path" ]
then
echo -e "\n\n为了将小助手写入QQ音乐, 请输入密码 : "
sudo chown -R $(whoami) "$qq_path"
fi# 备份 QQ 原始可执行文件
if [ ! -f "$app_executable_backup_path" ]
then
cp "$app_executable_path" "$app_executable_backup_path"
result="y"
else
read -t 150 -p "已安装QQ音乐小助手,是否覆盖?[y/n]:" result
fiif [[ "$result" == 'y' ]]; thencp -r "${shell_path}/Products/Debug/${framework_name}.dylib" ${app_bundle_path}cp -r "${shell_path}/Tools/${app_extra_name}.dylib" ${app_bundle_path}${shell_path}/insert_dylib --all-yes "${framework_path}" "$app_executable_backup_path" "$app_executable_path"
fi卸载分析:
# !/bin/bashapp_name="QQMusic"
framework_name="libQQMusicHelper"
app_bundle_path="/Applications/${app_name}.app/Contents/MacOS"
app_executable_path="${app_bundle_path}/QQMusic"
app_executable_backup_path="${app_executable_path}_backup"
framework_path="${app_bundle_path}/${framework_name}.dylib"
# 备份QQ原始可执行文件
if [ -f "$app_executable_backup_path" ]
then
rm "$app_executable_path"
rm -rf "$framework_path"
mv "$app_executable_backup_path" "$app_executable_path"
echo "\n\t卸载成功"
else
echo "\n\t未发现QQ音乐小助手"
fi参考:
https://www.jianshu.com/p/d8a7e0381ff7
http://www.alonemonkey.com/2017/05/31/get-start-with-mac-reverse/
这篇关于安装theos进行CydiaSubstrate Hook的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
