├── .gitignore
├── ARM汇编相关的iOS逆向理论.md
├── CydiaSubstrate.md
├── Demo
│   ├── AssetsImage
│   │   └── MailShot
│   │       ├── end.png
│   │       ├── findLabel.png
│   │       ├── findSuperView.png
│   │       ├── finish.png
│   │       ├── frame.gif
│   │       ├── hiddenAll.png
│   │       ├── hiddenNothing.png
│   │       ├── hiddenText.png
│   │       ├── middle.png
│   │       ├── start.png
│   │       ├── tata.png
│   │       └── useAnotherAddr.png
│   └── MobileHooker
│       ├── Demo说明.md
│       ├── hhlydemoioshookertweak
│       │   ├── .theos
│       │   │   ├── _
│       │   │   │   ├── DEBIAN
│       │   │   │   │   └── control
│       │   │   │   └── Library
│       │   │   │       └── MobileSubstrate
│       │   │   │           └── DynamicLibraries
│       │   │   │               ├── HHLYDemoiOSHookerTweak.dylib
│       │   │   │               └── HHLYDemoiOSHookerTweak.plist
│       │   │   ├── build_session
│       │   │   ├── fakeroot
│       │   │   ├── last_package
│       │   │   ├── obj
│       │   │   │   └── debug
│       │   │   │       ├── .stamp
│       │   │   │       ├── HHLYDemoiOSHookerTweak.dylib
│       │   │   │       ├── arm64
│       │   │   │       │   ├── HHLYDemoiOSHookerTweak.dylib
│       │   │   │       │   └── Tweak.xm.e5b61511.o
│       │   │   │       └── armv7
│       │   │   │           ├── HHLYDemoiOSHookerTweak.dylib
│       │   │   │           └── Tweak.xm.ea6ec70c.o
│       │   │   └── packages
│       │   │       └── com.hhly.hhlydemoioshookertweak-1.0
│       │   ├── HHLYDemoiOSHookerTweak.plist
│       │   ├── Makefile
│       │   ├── Tweak.xm
│       │   ├── control
│       │   └── debs
│       │       ├── com.hhly.hhlydemoioshookertweak_1.0-5+debug_iphoneos-arm.deb
│       │       └── com.hhly.hhlydemoioshookertweak_1.0-6+debug_iphoneos-arm.deb
│       └── iostargetapphhly
│           ├── .theos
│           │   ├── _
│           │   │   ├── Applications
│           │   │   │   └── iostargetapphhly.app
│           │   │   │       ├── Info.plist
│           │   │   │       └── iostargetapphhly
│           │   │   └── DEBIAN
│           │   │       └── control
│           │   ├── build_session
│           │   ├── fakeroot
│           │   ├── last_package
│           │   ├── obj
│           │   │   └── debug
│           │   │       ├── .stamp
│           │   │       ├── arm64
│           │   │       │   ├── RootViewController.mm.5d93aba5.o
│           │   │       │   ├── iostargetapphhly.app
│           │   │       │   │   └── iostargetapphhly
│           │   │       │   ├── iostargetapphhlyApplication.mm.5d93aba5.o
│           │   │       │   └── main.m.5d93aba5.o
│           │   │       ├── armv7
│           │   │       │   ├── RootViewController.mm.738b1fed.o
│           │   │       │   ├── iostargetapphhly.app
│           │   │       │   │   └── iostargetapphhly
│           │   │       │   ├── iostargetapphhlyApplication.mm.738b1fed.o
│           │   │       │   └── main.m.738b1fed.o
│           │   │       └── iostargetapphhly.app
│           │   │           ├── Info.plist
│           │   │           └── iostargetapphhly
│           │   └── packages
│           │       └── com.hhly.iostargetapphhly-0.0.1
│           ├── Makefile
│           ├── Resources
│           │   └── Info.plist
│           ├── RootViewController.h
│           ├── RootViewController.mm
│           ├── control
│           ├── debs
│           │   └── com.hhly.iostargetapphhly_0.0.1-9+debug_iphoneos-arm.deb
│           ├── iostargetapphhlyApplication.mm
│           └── main.m
├── LICENSE
├── LLDB+debugserver.md
├── Logos Grammar Analysis.md
├── README.md
└── 逆向过程思考(1).md

/.gitignore:
--------------------------------------------------------------------------------
# Xcode
#
# gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore

## Build generated
build/
DerivedData

## Various settings
*.pbxuser
!default.pbxuser
*.mode1v3
!default.mode1v3
*.mode2v3
!default.mode2v3
*.perspectivev3
!default.perspectivev3
xcuserdata

## Other
*.xccheckout
*.moved-aside
*.xcuserstate
*.xcscmblueprint

## Obj-C/Swift specific
*.hmap
*.ipa

# CocoaPods
#
# We recommend against adding the Pods directory to your .gitignore. However
# you should judge for yourself, the pros and cons are mentioned at:
# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
#
# Pods/

# Carthage
#
# Add this line if you want to avoid checking in source code from Carthage dependencies.
# Carthage/Checkouts

Carthage/Build

# fastlane
#
# It is recommended to not store the screenshots in the git repo. Instead, use fastlane to re-generate the
# screenshots whenever they are needed.
# For more information about the recommended setup visit:
# https://github.com/fastlane/fastlane/blob/master/docs/Gitignore.md

fastlane/report.xml
fastlane/screenshots

--------------------------------------------------------------------------------
/ARM汇编相关的iOS逆向理论.md:
--------------------------------------------------------------------------------
## 1. ARM assembly basics
When reversing a feature you usually have to read through a lot of assembly, and in iOS reversing ARM assembly is the language you must know. This note summarizes the basics of ARM assembly. If you want to go deeper, see 狗神's (snakeninny's) "little yellow book" 《iOS逆向工程》 or the [official ARM manuals](http://infocenter.arm.com).

##### 1.1 Registers, memory and the stack
In ARM assembly the things you operate on are registers, memory and the stack.
The ARM stack is last-in-first-out and full-descending: it grows downward, so the stack is open at the bottom and a new variable is stored at the bottom of the stack; the closer to the bottom of the stack, the lower the memory address.
A register called the stack pointer holds the address of the bottom of the stack, which is referred to as the stack address.
A variable can be pushed onto the stack to save its value and popped off the stack to restore the original value. In practice the stack address changes constantly, but before and after a block of code executes the stack address should be the same; otherwise the program will run into trouble.

##### 1.2 Special-purpose registers
Some registers of an ARM processor have special uses, as shown below:

Register | Purpose
--- | -----
R0-R3 | Passing arguments and return values
R7 | Frame pointer; points to the boundary in the stack between the calling function and the called function
R9 | Reserved by the system before iOS 3.0
R12 | Intra-procedure-call scratch register; used by the dynamic linker
R13 | SP register
R14 | LR register, holds the function return address
R15 | PC register

##### 1.3 Branches and conditions

The processor register called the "Program Counter" (PC) holds the address of the next instruction. Normally the computer executes instructions one after another: after finishing an instruction the processor adds 1 to PC so that it points to the next instruction, e.g. it executes instruction 1 through instruction 5 in order. But if the value of PC is changed, the order in which instructions execute becomes completely different.

The execution order is disrupted and becomes instruction 1, 5, 4, 2, 3, 6. The technical name for this out-of-order execution is a "branch" or "jump"; it is what makes loops and subroutines possible. For example:

```
// the endless() function
endless:
    operation  operand1, operand2
    branch     endless
    return     // dead loop, never reached!
```
In practice the most useful branch is one that is taken only when some condition holds; this is called a conditional branch. if/else and while are both implemented with conditional branches. In ARM assembly there are generally four kinds of branch condition:

* the result of the operation is 0 (or not 0);
* the result of the operation is negative;
* the operation produced a carry;
* the operation overflowed (e.g. two positive numbers added together exceed the register width).

The flags that these conditions are judged against live in the Program Status Register (PSR). Data-processing instructions change these flags, and branch instructions then decide whether to jump based on them. The pseudo-code below shows a for loop:

```
for:
    add      A, #1
    compare  A, #16
    branch to for if not zero
    /* The loop compares A with #16; if they differ, A is incremented and
       compared again. Once they are equal the loop ends and execution
       continues with the following code. */
```

## 2. Reading ARM/THUMB instructions

The instruction sets used by ARM processors are ARM and THUMB: ARM instructions are all 32 bits long, THUMB instructions 16 bits. All instructions fall roughly into three classes: data operation instructions, memory operation instructions and branch instructions.

##### 2.1 Data operation instructions
Data operation instructions follow two rules:

>* all operands are 32 bits;
>* all results are 32 bits and can only be stored in registers.

In general, the basic format of a data operation instruction is:

```
op{cond}{s} Rd,Rn,Op2
```

Here "cond" and "s" are two optional suffixes. "cond" specifies under what condition the instruction "op" is executed; there are 17 conditions in all:

Suffix | Condition
--- | ---
EQ | result is 0 (EQual to 0)
NE | result is not 0 (Not Equal to 0)
CS | carry or borrow occurred (Carry Set)
HS | same as CS (unsigned Higher or Same)
CC | no carry or borrow (Carry Clear)
LO | same as CC (unsigned LOwer)
MI | result is less than 0 (MInus)
PL | result is greater than or equal to 0 (PLus)
VS | overflow (oVerflow Set)
VC | no overflow (oVerflow Clear)
HI | unsigned greater than (unsigned HIgher)
LS | unsigned less than or equal (unsigned Lower or Same)
GE | signed greater than or equal (signed Greater than or Equal)
LT | signed less than (signed Less Than)
GT | signed greater than (signed Greater Than)
LE | signed less than or equal (signed Less than or Equal)
AL | unconditional (ALways, the default)

"cond" is simple to use, for example:

```
compare  R0, R1
move GE  R2, R0
move LT  R2, R1
```

This compares R0 with R1; if R0 is greater than or equal to R1 then R2 = R0, otherwise R2 = R1.
"s" specifies whether the instruction "op" sets the flags. There are the following **4 flags**:

* ***N (Negative)*** set to 1 if the result is less than 0, otherwise 0;

* ***Z (Zero)*** set to 1 if the result is 0, otherwise 0;

* ***C (Carry)*** for additions (including CMN), set to 1 if a carry is produced, otherwise 0; for subtractions (including CMP), Carry means Not-Borrow: set to 0 if a borrow is produced, otherwise 1; for non-add/sub operations that include a shift, C is set to the last bit shifted out; for other non-add/sub operations C is generally unchanged;

* ***V (oVerflow)*** set to 1 if the operation overflowed, otherwise 0.

>Note that the **C flag** indicates whether an **unsigned** result **overflowed**, while the **V flag** indicates whether a **signed** result **overflowed**.
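The flag rules and the 17 condition suffixes above are easiest to understand by computing them. The C program below is an added example, not code from these notes: it models the N, Z, C and V flags as CMP/CMN (and ADD/SUB with the "s" suffix) set them on 32-bit values, decodes every condition suffix from those flags using the cond/flag correspondence that section 2.3 lists, and replays the MOVGE/MOVLT idiom shown above. The function names and the sample register values are the example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: a small model of the PSR flags N, Z, C, V and of the
 * condition suffixes decoded from them. Values are 32-bit, as all data
 * operation results are. */

typedef struct { bool n, z, c, v; } flags_t;

/* Flags of Rn + Op2 (ADDS, CMN). C is the unsigned carry out of bit 31;
 * V is signed overflow: both inputs have the same sign and the result
 * has the other one. */
static flags_t flags_add(uint32_t a, uint32_t b) {
    uint32_t r = a + b;
    flags_t f;
    f.n = (r >> 31) & 1;
    f.z = (r == 0);
    f.c = (r < a);                              /* wrapped past 2^32 */
    f.v = (((a ^ r) & (b ^ r)) >> 31) & 1;
    return f;
}

/* Flags of Rn - Op2 (SUBS, CMP). C is Not-Borrow: set when a >= b as
 * unsigned values; V is signed overflow: inputs of different sign and
 * the result's sign differs from a's. */
static flags_t flags_sub(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    flags_t f;
    f.n = (r >> 31) & 1;
    f.z = (r == 0);
    f.c = (a >= b);
    f.v = (((a ^ b) & (a ^ r)) >> 31) & 1;
    return f;
}

/* Condition suffix -> taken or not, following the cond/flag table. */
static bool cond_passes(const char *cond, flags_t f) {
    if (!strcmp(cond, "EQ")) return f.z;
    if (!strcmp(cond, "NE")) return !f.z;
    if (!strcmp(cond, "CS") || !strcmp(cond, "HS")) return f.c;
    if (!strcmp(cond, "CC") || !strcmp(cond, "LO")) return !f.c;
    if (!strcmp(cond, "MI")) return f.n;
    if (!strcmp(cond, "PL")) return !f.n;
    if (!strcmp(cond, "VS")) return f.v;
    if (!strcmp(cond, "VC")) return !f.v;
    if (!strcmp(cond, "HI")) return f.c && !f.z;
    if (!strcmp(cond, "LS")) return !f.c || f.z;
    if (!strcmp(cond, "GE")) return f.n == f.v;
    if (!strcmp(cond, "LT")) return f.n != f.v;
    if (!strcmp(cond, "GT")) return !f.z && (f.n == f.v);
    if (!strcmp(cond, "LE")) return f.z || (f.n != f.v);
    return true;                                /* AL: always */
}

/* The "CMP R0,R1 / MOVGE R2,R0 / MOVLT R2,R1" idiom: R2 = signed max. */
static uint32_t signed_max_via_cmp(uint32_t r0, uint32_t r1) {
    flags_t f = flags_sub(r0, r1);              /* CMP R0, R1 */
    uint32_t r2 = 0;
    if (cond_passes("GE", f)) r2 = r0;          /* MOVGE R2, R0 */
    if (cond_passes("LT", f)) r2 = r1;          /* MOVLT R2, R1 */
    return r2;
}

int main(void) {
    /* CMP of INT_MIN against 1: unsigned it is "higher" (C=1, Z=0),
     * signed it is "less than" because the subtraction overflows (V=1). */
    flags_t f = flags_sub(0x80000000u, 1);
    printf("CMP 0x80000000,#1 -> N=%d Z=%d C=%d V=%d HI=%d LT=%d\n",
           f.n, f.z, f.c, f.v, cond_passes("HI", f), cond_passes("LT", f));
    printf("signed max(-1, 1) = %d\n", (int32_t)signed_max_via_cmp(0xFFFFFFFFu, 1));
    return 0;
}
```

The CMP of 0x80000000 against 1 is the case the note at the end of the section warns about: the same operation is "unsigned higher" (C set, Z clear) and "signed less than" (N != V) at once, so which suffix the branch uses decides the outcome.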

Data operation instructions can be roughly divided into 4 classes:

* 1. Arithmetic operations

> ADD R0,R1,R2; ------------------> R0 = R1 + R2

> ADC R0,R1,R2; ------------------> R0 = R1 + R2 + C (carry)

> SUB R0,R1,R2; ------------------> R0 = R1 - R2

> SBC R0,R1,R2; ------------------> R0 = R1 - R2 - !C

> RSB R0,R1,R2; ------------------> R0 = R2 - R1

> RSC R0,R1,R2; ------------------> R0 = R2 - R1 - !C

> Among the arithmetic operations, ADD and SUB are the basic ones; the others are variants of those two. RSB is short for "Reverse SuBtract" and merely swaps SUB's two operands. The variants ending in "C" are add and subtract with carry or borrow: when a carry or borrow is produced, the Carry flag is set to 1.

* 2. Logical operations


> AND R0,R1,R2; ------------------> R0 = R1 & R2

> ORR R0,R1,R2; ------------------> R0 = R1 | R2

> EOR R0,R1,R2; ------------------> R0 = R1 ^ R2

> BIC R0,R1,R2; ------------------> R0 = R1 &~ R2

> MOV R0,R2; ------------------> R0 = R2

> MVN R0,R2; ------------------> R0 = ~R2

> Each logical instruction has been described with its C operator above, but the shift operators of C have no dedicated logical instruction of their own; ARM uses a barrel shifter instead, with four kinds of shift:

>LSL logical shift left ![逻辑左移](http://o7pqb42yk.bkt.clouddn.com/LSL.jpg)

>LSR logical shift right ![逻辑右移](http://o7pqb42yk.bkt.clouddn.com/lsr.jpg)

>ASR arithmetic shift right ![算术右移](http://o7pqb42yk.bkt.clouddn.com/asr.jpg)

>ROR rotate right ![循环右移](http://o7pqb42yk.bkt.clouddn.com/ROR.jpg)

* 3. Compare operations
>CMP R1,R2; ------------------> perform R1 - R2 and set the flags from the result

>CMN R1,R2; ------------------> perform R1 + R2 and set the flags from the result

>TST R1,R2; ------------------> perform R1 & R2 and set the flags from the result

>TEQ R1,R2; ------------------> perform R1 ^ R2 and set the flags from the result

> A compare operation is really just an arithmetic or logical operation that changes the flags; the only difference is that the result is not kept in a register.

* 4. Multiply operations

> MUL R4,R3,R2 ------------------> R4 = R3 * R2

> MLA R4,R3,R2,R1 ------------------> R4 = R3 * R2 + R1

> The operands of a multiply instruction must come from registers.


##### 2.2 Memory operation instructions
The basic format of a memory operation instruction is:

```
op{cond}{type} Rd,[Rn,Op2]
```

Here Rn is the base register, which holds the base address; "cond" has the same role as in data operation instructions; "type" specifies the data type that "op" works on, of which there are four:

```
B (unsigned Byte)
unsigned byte (zero-extended to 32 bits when executed);

SB (Signed Byte)
signed byte (LDR only; sign-extended to 32 bits when executed);

H (unsigned Halfword)
unsigned halfword (zero-extended to 32 bits when executed);

SH (Signed Halfword)
signed halfword (LDR only; sign-extended to 32 bits when executed).
```

>If no "type" is given, the default is word.
There are only two basic ARM memory instructions: LDR (LoaD Register) reads data from memory into a register; STR (STore Register) reads data from a register and writes it to memory. They are used as follows:

* LDR

```
LDR Rt,[Rn {,#offset}] ; Rt = *(Rn {+ offset}), where {} marks an optional part
LDR Rt,[Rn, #offset]!  ; Rt = *(Rn + offset); Rn = Rn + offset
LDR Rt,[Rn], #offset   ; Rt = *Rn; Rn = Rn + offset
```

* STR

```
STR Rt,[Rn {,#offset}] ; *(Rn {+ offset}) = Rt
STR Rt,[Rn, #offset]!  ; *(Rn + offset) = Rt; Rn = Rn + offset
STR Rt,[Rn], #offset   ; *Rn = Rt; Rn = Rn + offset
```

In addition, the LDR and STR variants LDRD and STRD operate on a double word (DoubleWord), i.e. on two registers at once. Their basic format is:

```
op{cond} Rt,Rt2, [Rn {, #offset}]
```

They are used much like the originals:

* STRD

```
STRD R4,R5, [R9,#offset] ; *(R9 + offset) = R4; *(R9 + offset + 4) = R5
```

* LDRD

```
LDRD R4,R5,[R9,#offset] ; R4 = *(R9 + offset); R5 = *(R9 + offset + 4)
```

Besides LDR and STR, LDM (LoaD Multiple) and STM (STore Multiple) perform block transfers, operating on several registers at once. The basic format of a block transfer instruction is

```
op{cond}{mode} Rd{!},reglist
```

Here Rd is the base register; the optional "!" specifies whether the changed value of Rd is written back to Rd; reglist is a list of registers enclosed in braces, separated by "," or given as a range with "-". For example {R4-R6,R8} denotes the registers R4, R5, R6 and R8. The registers are always ordered by their own number from low to high, regardless of the order in which they are written inside the braces.
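The addressing modes of LDR/STR, the double-word forms, and the LDM/STM block transfers with the IA/IB/DA/DB modes that section 2.2 goes on to define are easy to get wrong from the prose alone. The C program below is an added example, not code from these notes: it models memory as a constructed array of 32-bit words and implements each addressing mode over it, so the register values each instruction produces can be checked. The memory contents, register numbers and function names are the example's own, and the LDM results it prints come from that constructed memory rather than from the figure in the notes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: a word-granular model of memory and of the section 2.2
 * addressing modes. "Addresses" are byte addresses into a small array of
 * words, so every offset used here is a multiple of 4. */

#define MEM_WORDS 16
static uint32_t mem[MEM_WORDS];

/* Constructed contents: the word at byte address 4*i holds the value i. */
static void init_mem(void) {
    for (uint32_t i = 0; i < MEM_WORDS; i++) mem[i] = i;
}

static uint32_t ld(uint32_t addr) { return mem[(addr / 4) % MEM_WORDS]; }
static void     st(uint32_t addr, uint32_t v) { mem[(addr / 4) % MEM_WORDS] = v; }

/* LDR Rt,[Rn, #off]   : offset addressing, Rn is left unchanged        */
static uint32_t ldr_offset(uint32_t rn, int32_t off) { return ld(rn + off); }
/* LDR Rt,[Rn, #off]!  : pre-indexed, Rn is updated first and then used   */
static uint32_t ldr_pre(uint32_t *rn, int32_t off) { *rn += off; return ld(*rn); }
/* LDR Rt,[Rn], #off   : post-indexed, Rn is used first and then updated  */
static uint32_t ldr_post(uint32_t *rn, int32_t off) { uint32_t v = ld(*rn); *rn += off; return v; }
/* STRD Rt,Rt2,[Rn,#off]: two consecutive words, Rt at the lower address  */
static void strd(uint32_t rn, int32_t off, uint32_t rt, uint32_t rt2) { st(rn + off, rt); st(rn + off + 4, rt2); }

enum bt_mode { IA, IB, DA, DB };

/* Lowest address touched by an n-register block transfer. The lowest
 * numbered register always goes with the lowest address; the mode only
 * decides where the block lies relative to Rd. */
static uint32_t block_start(enum bt_mode mode, uint32_t base, int n) {
    switch (mode) {
        case IA: return base;                /* Rd, Rd+4, ...        */
        case IB: return base + 4;            /* Rd+4, Rd+8, ...      */
        case DA: return base - 4 * (n - 1);  /* ..., Rd-4, Rd        */
        default: return base - 4 * n;        /* DB: ..., Rd-8, Rd-4  */
    }
}

/* LDM<mode> Rd{!}, reglist : consecutive memory -> registers */
static void ldm(enum bt_mode mode, uint32_t *rd, bool writeback, uint32_t *regs, int n) {
    uint32_t addr = block_start(mode, *rd, n);
    for (int i = 0; i < n; i++) regs[i] = ld(addr + 4 * i);
    if (writeback) *rd += (mode == IA || mode == IB) ? 4 * n : -4 * n;
}

/* STM<mode> Rd{!}, reglist : registers -> consecutive memory (the
 * opposite direction, which the notes warn is easy to confuse) */
static void stm(enum bt_mode mode, uint32_t *rd, bool writeback, const uint32_t *regs, int n) {
    uint32_t addr = block_start(mode, *rd, n);
    for (int i = 0; i < n; i++) st(addr + 4 * i, regs[i]);
    if (writeback) *rd += (mode == IA || mode == IB) ? 4 * n : -4 * n;
}

/* "LDM<mode> R0, {R4-R6}" with R0 = 16 on the constructed memory; returns
 * the i-th loaded register (0 -> R4, 1 -> R5, 2 -> R6). */
static uint32_t demo_ldm(enum bt_mode mode, int i) {
    uint32_t r0 = 16, regs[3];
    init_mem();
    ldm(mode, &r0, false, regs, 3);
    return regs[i];
}

/* "LDR R0,[R1],#4" twice: returns the second value read (walks forward). */
static uint32_t demo_post_index(void) {
    uint32_t r1 = 16;
    init_mem();
    ldr_post(&r1, 4);                        /* reads word 4, R1 = 20 */
    return ldr_post(&r1, 4);                 /* reads word 5, R1 = 24 */
}

/* "STRD R4,R5,[R9,#8]" then "LDR R0,[R9,#12]!": R9 ends up pointing at the
 * second stored word. Returns that word if R9 and the first word check out. */
static uint32_t demo_strd_pre_index(void) {
    uint32_t r9 = 0;
    init_mem();
    strd(r9, 8, 0xAA, 0xBB);                 /* words at 8 and 12 */
    uint32_t v = ldr_pre(&r9, 12);           /* R9 = 12, v = 0xBB */
    return (r9 == 12 && ldr_offset(r9, -4) == 0xAA) ? v : 0;
}

/* "STMIA R0!, {R4-R6}" followed by "LDMDB R0, {R4-R6}" reads back the
 * same three values, because IA-with-writeback leaves R0 just past the
 * block and DB starts just below R0. */
static bool demo_stm_roundtrip(void) {
    uint32_t r0 = 32, in[3] = {11, 22, 33}, out[3];
    init_mem();
    stm(IA, &r0, true, in, 3);               /* R0 advances to 44 */
    ldm(DB, &r0, false, out, 3);             /* reads 32, 36, 40 */
    return r0 == 44 && out[0] == 11 && out[1] == 22 && out[2] == 33;
}

int main(void) {
    const char *names[] = {"IA", "IB", "DA", "DB"};
    for (int m = IA; m <= DB; m++)
        printf("LDM%s R0,{R4-R6}: R4=%u R5=%u R6=%u\n", names[m],
               demo_ldm((enum bt_mode)m, 0), demo_ldm((enum bt_mode)m, 1), demo_ldm((enum bt_mode)m, 2));
    printf("STMIA!/LDMDB round trip: %s\n", demo_stm_roundtrip() ? "ok" : "mismatch");
    return 0;
}
```

With word i stored at address 4i and R0 = 16, LDMIA yields 4,5,6, LDMIB 5,6,7, LDMDA 2,3,4 and LDMDB 1,2,3: the register order is the same in every mode, only the window into memory moves.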

Note in particular that **the direction of LDM and STM is exactly the opposite of LDR and STR: LDM loads the consecutive memory starting at Rd into reglist, and STM stores the values in reglist into consecutive memory starting at Rd. This is very easy to confuse.**

"cond" has the same role as in data operation instructions. "mode" specifies one of 4 rules for how the value of Rd changes, as follows:

```
IA (Increment After)  increase Rd after each transfer;

IB (Increment Before) increase Rd before each transfer;

DA (Decrement After)  decrease Rd after each transfer;

DB (Decrement Before) decrease Rd before each transfer.

```

>What does this mean? Below is a simple example using LDM; it should be clear at a glance. In the figure below (block transfer simulation environment), the value that R0 points to is 5.

![块传输指令模拟环境](http://o7pqb42yk.bkt.clouddn.com/%E5%9D%97%E4%BC%A0%E8%BE%93%E6%8C%87%E4%BB%A4%E6%A8%A1%E6%8B%9F%E7%8E%AF%E5%A2%83.png)

>After executing each of the following instructions, R4, R5 and R6 become:

```
foo():
LDMIA R0, {R4 - R6}; R4 = 5, R5 = 6, R6 = 7
LDMIB R0, {R4 - R6}; R4 = 6, R5 = 7, R6 = 8
LDMDA R0, {R4 - R6}; R4 = 5, R5 = 4, R6 = 2
LDMDB R0, {R4 - R6}; R4 = 4, R5 = 3, R6 = 3
```
>STM works the same way and is not repeated here. **LDM and STM operate in the opposite direction from LDR and STR.**

##### 2.3 Branch instructions
Branch instructions come in two kinds: unconditional branches and conditional branches.

* Unconditional branches

```
B  Label ; PC = Label
BL Label ; LR = PC - 4; PC = Label
BX Rd    ; PC = Rd and switch instruction set
eg:
foo():
    B Label ; jump to Label and continue from there
    ......  ; never executed
Label:
    ......
```

* Conditional branches

The cond of a conditional branch is judged from the flags described earlier; the correspondence is:

cond | flag
--- | ---
EQ | Z = 1
NE | Z = 0
CS | C = 1
HS | C = 1
CC | C = 0
LO | C = 0
MI | N = 1
PL | N = 0
VS | V = 1
VC | V = 0
HI | C = 1 & Z = 0
LS | C = 0 \| Z = 1
GE | N = V
LT | N != V
GT | Z = 0 & N = V
LE | Z = 1 \| N != V

Before a conditional branch there is a data operation instruction that sets the flags; the branch instruction then decides the code path from the flag values. For example:

```
Label:
Label1:
    LDR R0, [R1], #4
    CMP R0, #0 ; if R0 == 0 then Z = 1, otherwise Z = 0
    BNE Label  ; jump if Z == 0
```

##### 2.4 THUMB instructions
The THUMB instruction set is a subset of the ARM instruction set; every THUMB instruction is 16 bits, so THUMB code takes less space than ARM code and transfers more efficiently over a 16-bit data bus. There is a price: apart from "b", no THUMB instruction can be executed conditionally; the barrel shifter cannot be combined with other instructions; most THUMB instructions can only use the 8 registers R0-R7; and so on. Compared with ARM instructions, THUMB instructions have these characteristics:

* fewer instructions
* no conditional execution
* all instructions set the flags by default (an implicit "s")
* the barrel shifter cannot be combined with other instructions
* restricted register usage
* limited use of immediates and of the second operand
* no write-back of data

--------------------------------------------------------------------------------
/CydiaSubstrate.md:
--------------------------------------------------------------------------------
## CydiaSubstrate

*CydiaSubstrate is the foundation that most tweaks need in order to work. It has three main parts: MobileHooker, MobileLoader and Safe mode.*

##### *MobileHooker*

>MobileHooker's job is to replace system functions (i.e. to hook them).

```
// Works on Objective-C methods; replaces the method directly
void MSHookMessageEx(Class class, SEL selector, IMP replacement, IMP *result);
```
>(Logos syntax wraps this function, but the underlying implementation is based entirely on MSHookMessageEx.)

```
// Works on C and C++ functions
void MSHookFunction(void* function, void* replacement, void** original);
```
>(By writing assembly instructions it makes the process execute replacement when it reaches function, while saving function's original instructions and handing back their address, so that function can optionally still be called and the process carries on normally after replacement finishes.)
ps: hooking used to require a jailbreak; now it can be done directly with assembly.


>replace flow ---> in the table below the process runs from top to bottom

>Process 1, normal execution | Process 2, function A hooked and replaced by function B
>------------- | -------------
>☟Instructions | ☟Instructions
>☟FunctionA | ☟FunctionB (FunctionA saved)
>☟Instructions | ☟Instructions

>The process first executes some instructions; at the point where function A would have run, it jumps to function B and executes it, while function A's code is kept aside by MobileHooker. Inside function B you can choose whether or not to call function A; when function B finishes, the remaining instructions continue to run. (ps: MSHookFunction has a limit on the instruction length of the target, at least 8 bytes. What about short functions? ----> One workaround is to hook the other functions that the short function calls internally ---- a short function is short because it usually just calls other functions that do the real work. So take another function of sufficient length as the target of MSHookFunction, add some logic in the replacement to tie it back to the caller, and put the modification intended for the short function there.)

##### *MobileLoader*
>MobileLoader's job is to load third-party dylibs. When iOS boots, launchd loads MobileLoader into memory; MobileLoader then, according to the scope given in the plist file that shares each dylib's name, selectively opens every dylib under /Library/MobileSubstrate/DynamicLibraries/ in the appropriate processes with dlopen.

##### *Safe mode*
>App quality varies and crashes are unavoidable. A tweak is by nature a dylib that lives inside another process, so a bug in it can crash that whole process, and if the crashed process is a system process such as SpringBoard, iOS becomes unusable. CydiaSubstrate therefore introduced Safe mode: it catches the six signals SIGTRAP, SIGABRT, SIGILL, SIGBUS, SIGSEGV and SIGSYS and then enters safe mode.
(ps: in safe mode all third-party dylibs based on CydiaSubstrate are disabled, which makes finding and fixing the problem easier. If a dylib prevents the device from booting, e.g. it hangs on the white Apple logo or the spinner keeps turning ---> home + lock, then the volume-up key, disables CydiaSubstrate; once the system has restarted, find and fix the fault, then reboot iOS and CydiaSubstrate comes back automatically.)

--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/end.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/end.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/findLabel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/findLabel.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/findSuperView.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/findSuperView.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/finish.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/finish.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/frame.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/frame.gif
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/hiddenAll.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/hiddenAll.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/hiddenNothing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/hiddenNothing.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/hiddenText.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/hiddenText.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/middle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/middle.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/start.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/tata.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/tata.png
--------------------------------------------------------------------------------
/Demo/AssetsImage/MailShot/useAnotherAddr.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/AssetsImage/MailShot/useAnotherAddr.png
--------------------------------------------------------------------------------
/Demo/MobileHooker/Demo说明.md:
--------------------------------------------------------------------------------
## Demo notes
#### Demo ---> iostargetapphhly. Purpose: verify that MSHookFunction limits the total instruction length of the target function
* Explanation: to exercise MobileHooker, CPPClass::CPPFunction, a CFunction and a ShortCFunction serve as the hook targets. CPPClass::CPPFunction and CFunction are padded to increase their length so that MSHookFunction on them takes effect, while ShortCFunction is too short, so MSHookFunction on it fails.

#### Demo ---> hhlydemoioshookertweak. Purpose: hook a short function indirectly
* Hooking the function (ShortCFunction) directly failed, but hooking another function that the short function calls internally works. By checking the arguments, the replacement can detect that the caller is ShortCFunction, which hooks the short function indirectly.

* MSHookFunction has a limit on the instruction length of the target, at least 8 bytes. What about short functions? ----> One workaround is to hook the other functions that the short function calls internally ---- a short function is short because it usually just calls other functions that do the real work. So take another function of sufficient length as the target of MSHookFunction, add some logic in the replacement to tie it back to the caller, and put the modification intended for the short function there.

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/_/DEBIAN/control:
--------------------------------------------------------------------------------
Package: com.hhly.hhlydemoioshookertweak
Name: hhlydemoioshookertweak
Depends: mobilesubstrate
Architecture: iphoneos-arm
Description: ByCXF160524!
Maintainer: esirnus
Author: esirnus
Section: Tweaks
Version: 1.0-6+debug
Installed-Size: 136

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/_/Library/MobileSubstrate/DynamicLibraries/HHLYDemoiOSHookerTweak.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/_/Library/MobileSubstrate/DynamicLibraries/HHLYDemoiOSHookerTweak.dylib
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/_/Library/MobileSubstrate/DynamicLibraries/HHLYDemoiOSHookerTweak.plist:
--------------------------------------------------------------------------------
{ Filter = { Bundles = ( "com.hhly.iostargetapphhly" ); }; }

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/build_session:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/build_session
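The two demo notes above (direct hooks fail on a too-short target; hooking the callee and telling the callers apart by argument works) describe a flow that can be modelled without touching any real process. The C program below is an added example and is not code from this repository or from CydiaSubstrate: a table of function pointers stands in for the patched prologue, a constructed "instruction bytes" count per symbol models the page's rule that MSHookFunction needs at least 8 bytes of instructions, and the replacement reuses the argument check from the repo's Tweak.xm. All names (long_function, short_function, hook_function, the sizes 24 and 4) are the example's own.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Added example: MobileHooker's replace flow in plain C. Nothing is
 * patched in memory; the dispatch table below plays the role of the
 * rewritten function prologue, and MIN_HOOKABLE_BYTES the minimum
 * length the notes state for MSHookFunction. */
#define MIN_HOOKABLE_BYTES 8

typedef void (*fn_t)(const char *);

/* Where the "target app" writes its output so results can be checked. */
static char last_output[160];

static fn_t resolve(const char *name);   /* lookup through the table */

/* Stand-in for CFunction / CPPFunction in the demo: long enough to hook. */
static void long_function(const char *msg) {
    snprintf(last_output, sizeof last_output, "long_function: %s", msg);
}

/* Stand-in for ShortCFunction: too short to hook, only forwards to
 * long_function with a fixed string. It calls through resolve() so that a
 * hook installed on long_function is seen, as it would be in the binary. */
static void short_function(const char *msg) {
    (void)msg;
    resolve("long_function")("this is a short C function!");
}

/* The "symbol table", current implementation and constructed size. */
struct slot { const char *name; fn_t impl; unsigned insn_bytes; };
static struct slot table[] = {
    { "long_function",  long_function,  24 },
    { "short_function", short_function,  4 },
};
#define NSLOTS (sizeof table / sizeof table[0])

static struct slot *find_slot(const char *name) {
    for (unsigned i = 0; i < NSLOTS; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

static fn_t resolve(const char *name) {
    struct slot *s = find_slot(name);
    return s ? s->impl : NULL;
}

/* Model of MSHookFunction(function, replacement, &original): refuse a
 * target shorter than the minimum; otherwise save the original and
 * install the replacement. */
static bool hook_function(const char *name, fn_t replacement, fn_t *original) {
    struct slot *s = find_slot(name);
    if (!s || s->insn_bytes < MIN_HOOKABLE_BYTES) return false;
    *original = s->impl;
    s->impl = replacement;
    return true;
}

static fn_t original_long;

/* Replacement for long_function. As in the repo's Tweak.xm, the argument
 * reveals whether the caller was the short function. */
static void replacement_long(const char *msg) {
    if (strcmp(msg, "this is a short C function!") == 0)
        original_long("hijacked via short_function");
    else
        original_long("hijacked long_function");
}

static void reset(void) {
    table[0].impl = long_function;
    table[1].impl = short_function;
    last_output[0] = '\0';
}

/* Direct hook of the short function: refused, as the demo observed. */
static bool demo_hook_short(void) {
    fn_t saved = NULL;
    reset();
    return hook_function("short_function", replacement_long, &saved);
}

/* Hook the long function, then call the short one; returns what ran. */
static const char *demo_indirect_hook(void) {
    reset();
    hook_function("long_function", replacement_long, &original_long);
    resolve("short_function")("ignored");
    return last_output;
}

/* Calling the long function directly after the same hook. */
static const char *demo_direct_hook(void) {
    reset();
    hook_function("long_function", replacement_long, &original_long);
    resolve("long_function")("hello");
    return last_output;
}

int main(void) {
    printf("hook short_function directly: %s\n", demo_hook_short() ? "ok" : "refused");
    printf("%s\n", demo_indirect_hook());
    printf("%s\n", demo_direct_hook());
    return 0;
}
```

The model also shows what an integrity check would have to look at: after the hook, the symbol still resolves, but the code reached through it is no longer the original, and the only record of the original is the pointer the hook handed back.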
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/fakeroot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/fakeroot
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/last_package:
--------------------------------------------------------------------------------
./debs/com.hhly.hhlydemoioshookertweak_1.0-6+debug_iphoneos-arm.deb

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/.stamp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/.stamp
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/HHLYDemoiOSHookerTweak.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/HHLYDemoiOSHookerTweak.dylib
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/arm64/HHLYDemoiOSHookerTweak.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/arm64/HHLYDemoiOSHookerTweak.dylib
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/arm64/Tweak.xm.e5b61511.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/arm64/Tweak.xm.e5b61511.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/armv7/HHLYDemoiOSHookerTweak.dylib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/armv7/HHLYDemoiOSHookerTweak.dylib
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/armv7/Tweak.xm.ea6ec70c.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/.theos/obj/debug/armv7/Tweak.xm.ea6ec70c.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/.theos/packages/com.hhly.hhlydemoioshookertweak-1.0:
--------------------------------------------------------------------------------
6
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/HHLYDemoiOSHookerTweak.plist:
--------------------------------------------------------------------------------
{ Filter = { Bundles = ( "com.hhly.iostargetapphhly" ); }; }

--------------------------------------------------------------------------------
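The plist just shown is the filter that MobileLoader (described in CydiaSubstrate.md above) consults before opening the tweak's dylib in a process. The C program below is an added example, not code from this repository or from CydiaSubstrate: it parses the small subset of the OpenStep plist syntax that such filter files use, extracts the Bundles array, and answers the question MobileLoader asks for each process, namely whether that process's bundle identifier is listed. Only the Bundles key is handled; a plist with no Bundles array is treated as matching nothing, which is this example's own simplification and not a statement about how MobileLoader treats such files. The second plist and the bundle identifiers other than com.hhly.iostargetapphhly are constructed for the example.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Added example: extract "Bundles = ( ... )" from a MobileSubstrate
 * filter plist and decide whether a given process is targeted. */

#define MAX_BUNDLES 16
#define ID_LEN 128

/* Collect the entries of the Bundles array. Entries may be quoted or bare
 * words, separated by commas. Returns the number of entries found (which
 * may exceed max; only the first max are stored), or -1 if the array is
 * missing or unterminated. out may be NULL when max is 0. */
static int filter_bundles(const char *plist, char out[][ID_LEN], int max) {
    const char *p = strstr(plist, "Bundles");
    if (!p) return -1;
    p = strchr(p, '(');
    if (!p) return -1;
    p++;
    int n = 0;
    for (;;) {
        while (*p && (isspace((unsigned char)*p) || *p == ',')) p++;
        if (*p == '\0') return -1;              /* ran off the end */
        if (*p == ')') return n;
        char *dst = (n < max) ? out[n] : NULL;
        size_t len = 0;
        if (*p == '"') {                        /* quoted string */
            p++;
            while (*p && *p != '"') {
                if (dst && len < ID_LEN - 1) dst[len++] = *p;
                p++;
            }
            if (*p != '"') return -1;           /* unterminated string */
            p++;
        } else {                                /* bare word */
            while (*p && !isspace((unsigned char)*p) && *p != ',' && *p != ')') {
                if (dst && len < ID_LEN - 1) dst[len++] = *p;
                p++;
            }
        }
        if (dst) dst[len] = '\0';
        n++;
    }
}

/* MobileLoader's decision for one process: does this filter name it? */
static bool filter_matches_bundle(const char *plist, const char *bundle_id) {
    char ids[MAX_BUNDLES][ID_LEN];
    int n = filter_bundles(plist, ids, MAX_BUNDLES);
    if (n < 0) return false;
    if (n > MAX_BUNDLES) n = MAX_BUNDLES;
    for (int i = 0; i < n; i++)
        if (strcmp(ids[i], bundle_id) == 0) return true;
    return false;
}

/* The filter shipped in this repo as HHLYDemoiOSHookerTweak.plist. */
static const char DEMO_PLIST[] =
    "{ Filter = { Bundles = ( \"com.hhly.iostargetapphhly\" ); }; }";

/* A constructed filter with two entries, one quoted and one bare, laid
 * out across several lines as a hand-written plist often is. */
static const char TWO_TARGET_PLIST[] =
    "{\n"
    "  Filter = {\n"
    "    Bundles = (\n"
    "      \"com.example.alpha\",\n"
    "      com.example.beta\n"
    "    );\n"
    "  };\n"
    "}\n";

int main(void) {
    const char *procs[] = { "com.hhly.iostargetapphhly", "com.apple.springboard", "com.example.beta" };
    for (int i = 0; i < 3; i++)
        printf("%-28s demo:%d two-target:%d\n", procs[i],
               filter_matches_bundle(DEMO_PLIST, procs[i]),
               filter_matches_bundle(TWO_TARGET_PLIST, procs[i]));
    return 0;
}
```

Run over every plist in /Library/MobileSubstrate/DynamicLibraries/, the same routine gives an inventory of which processes each installed dylib is loaded into, which is the first thing to check when a process behaves unexpectedly on a device with Substrate present.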
/Demo/MobileHooker/hhlydemoioshookertweak/Makefile:
--------------------------------------------------------------------------------
export THEOS=/opt/theos
export THEOS_DEVICE_IP = 192.168.35.252
ARCHS = armv7 arm64
TARGET = iphone:8.1:8.0

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = HHLYDemoiOSHookerTweak
HHLYDemoiOSHookerTweak_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 iostargetapphhly"

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/Tweak.xm:
--------------------------------------------------------------------------------
#import <substrate.h> // CydiaSubstrate API: MSGetImageByName, MSFindSymbol, MSHookFunction


void (*old_ZN8CPPClass11CPPFuctionEPKc)(void *, const char *);

// Replacement for CPPClass::CPPFunction(const char *). ShortCFunction calls
// CPPFunction with a fixed string, so the argument identifies the caller and
// the short function is hooked indirectly through it.
void new__ZN8CPPClass11CPPFunctionEPKc(void *hiddenThis, const char *arg0)
{
	if (strcmp(arg0, "this is a short C function!") == 0)
		old_ZN8CPPClass11CPPFuctionEPKc(hiddenThis, "this is a hijacked short C function form new__ZN8CPPClass11CPPFunctionEPKc!");
	else
		old_ZN8CPPClass11CPPFuctionEPKc(hiddenThis, "this is a hijacked c++ function");
}

void (*old_CFunction)(const char *);

void new_CFunction(const char *arg0)
{
	old_CFunction("this is a hijacked C function!"); // call the original CFunction
}

void (*old_ShortCFuntion)(const char *);

void new_ShortCFunction(const char *arg0)
{
	old_ShortCFuntion("this is a hijacked short C function form new_ShortCFunction!"); // call the original ShortCFunction
}

%ctor
{
	@autoreleasepool
	{
		// The target app is packaged under /Applications (see .theos/_/Applications in this repo)
		MSImageRef image = MSGetImageByName("/Applications/iostargetapphhly.app/iostargetapphhly");

		// Only hook a symbol that was actually found; MSHookFunction on NULL would crash the process
		void *__ZN8CPPClass11CPPFunctionEPKc = MSFindSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc");
		if (__ZN8CPPClass11CPPFunctionEPKc) {
			NSLog(@"iosre : found cppfunction!");
			MSHookFunction((void *)__ZN8CPPClass11CPPFunctionEPKc, (void *)&new__ZN8CPPClass11CPPFunctionEPKc, (void **)&old_ZN8CPPClass11CPPFuctionEPKc);
		}

		void *_CFunction = MSFindSymbol(image, "_CFunction");
		if (_CFunction) {
			NSLog(@"iosre:found CFunction");
			MSHookFunction((void *)_CFunction, (void *)&new_CFunction, (void **)&old_CFunction);
		}

		void *_ShortCFunction = MSFindSymbol(image, "_ShortCFunction");
		if (_ShortCFunction) {
			NSLog(@"iosre: found ShortCFunction");
			MSHookFunction((void *)_ShortCFunction, (void *)&new_ShortCFunction, (void **)&old_ShortCFuntion); // This MSHookFunction will fail because ShortCFunction is too short to be hooked
		}
	}
}

// What MSFindSymbol does ---> it looks up the symbol to be hooked. A function's instructions live in memory; when the process
// needs to execute the function it must know where in memory to find it before it can run its instructions. In other words
// the process maps the function name to its address in memory, and that mapping is stored in the "symbol table": the symbol
// in the symbol table is the function's name, and the process uses it to find the address and then jumps there to execute.



--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/control:
--------------------------------------------------------------------------------
Package: com.hhly.hhlydemoioshookertweak
Name: hhlydemoioshookertweak
Depends: mobilesubstrate
Version: 1.0
Architecture: iphoneos-arm
Description: ByCXF160524!
Maintainer: esirnus
Author: esirnus
Section: Tweaks

--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/debs/com.hhly.hhlydemoioshookertweak_1.0-5+debug_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/debs/com.hhly.hhlydemoioshookertweak_1.0-5+debug_iphoneos-arm.deb
--------------------------------------------------------------------------------
/Demo/MobileHooker/hhlydemoioshookertweak/debs/com.hhly.hhlydemoioshookertweak_1.0-6+debug_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/hhlydemoioshookertweak/debs/com.hhly.hhlydemoioshookertweak_1.0-6+debug_iphoneos-arm.deb
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/_/Applications/iostargetapphhly.app/Info.plist:
--------------------------------------------------------------------------------
{
	CFBundleExecutable = "iostargetapphhly";
	CFBundleIconFile = icon.png;
	CFBundleIdentifier = "com.hhly.iostargetapphhly";
	CFBundleInfoDictionaryVersion = 6.0;
	CFBundlePackageType = APPL;
	CFBundleSignature = "????";
	CFBundleSupportedPlatforms = (
		iPhoneOS
	);
	CFBundleVersion = 1.0;
	DTPlatformName = iphoneos;
	DTSDKName = iphoneos3.0;
	LSRequiresIPhoneOS = 1;
	MinimumOSVersion = 3.0;
}

--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/_/Applications/iostargetapphhly.app/iostargetapphhly:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/_/Applications/iostargetapphhly.app/iostargetapphhly
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/_/DEBIAN/control:
--------------------------------------------------------------------------------
Package: com.hhly.iostargetapphhly
Name: iostargetapphhly
Depends:
Architecture: iphoneos-arm
Description: ByCXF160523!xinsaisai!
Maintainer: esirnus
Author: esirnus
Section: Utilities
Version: 0.0.1-9+debug
Installed-Size: 140

--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/build_session:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/build_session
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/fakeroot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/fakeroot
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/last_package:
--------------------------------------------------------------------------------
./debs/com.hhly.iostargetapphhly_0.0.1-9+debug_iphoneos-arm.deb

--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/.stamp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/.stamp
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/RootViewController.mm.5d93aba5.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/RootViewController.mm.5d93aba5.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/iostargetapphhly.app/iostargetapphhly:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/iostargetapphhly.app/iostargetapphhly
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/iostargetapphhlyApplication.mm.5d93aba5.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/iostargetapphhlyApplication.mm.5d93aba5.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/main.m.5d93aba5.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/arm64/main.m.5d93aba5.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/RootViewController.mm.738b1fed.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/RootViewController.mm.738b1fed.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/iostargetapphhly.app/iostargetapphhly:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/iostargetapphhly.app/iostargetapphhly
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/iostargetapphhlyApplication.mm.738b1fed.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/iostargetapphhlyApplication.mm.738b1fed.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/main.m.738b1fed.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/armv7/main.m.738b1fed.o
--------------------------------------------------------------------------------
/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/iostargetapphhly.app/Info.plist:
-------------------------------------------------------------------------------- 1 | { 2 | CFBundleExecutable = "iostargetapphhly"; 3 | CFBundleIconFile = icon.png; 4 | CFBundleIdentifier = "com.hhly.iostargetapphhly"; 5 | CFBundleInfoDictionaryVersion = 6.0; 6 | CFBundlePackageType = APPL; 7 | CFBundleSignature = "????"; 8 | CFBundleSupportedPlatforms = ( 9 | iPhoneOS 10 | ); 11 | CFBundleVersion = 1.0; 12 | DTPlatformName = iphoneos; 13 | DTSDKName = iphoneos3.0; 14 | LSRequiresIPhoneOS = 1; 15 | MinimumOSVersion = 3.0; 16 | } 17 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/iostargetapphhly.app/iostargetapphhly: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/.theos/obj/debug/iostargetapphhly.app/iostargetapphhly -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/.theos/packages/com.hhly.iostargetapphhly-0.0.1: -------------------------------------------------------------------------------- 1 | 9 -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/Makefile: -------------------------------------------------------------------------------- 1 | export THEOS=/opt/theos 2 | export THEOS_DEVICE_IP = 192.168.34.41 3 | ARCHS = armv7 arm64 4 | TARGET = iphone:8.1:8.0 5 | include $(THEOS)/makefiles/common.mk 6 | 7 | APPLICATION_NAME = iostargetapphhly 8 | iostargetapphhly_FILES = main.m iostargetapphhlyApplication.mm RootViewController.mm 9 | iostargetapphhly_FRAMEWORKS = UIKit CoreGraphics 10 | 11 | include $(THEOS_MAKE_PATH)/application.mk 12 | after-install:: 13 | install.exec "su mobile -c uicache" 14 | -------------------------------------------------------------------------------- 
/Demo/MobileHooker/iostargetapphhly/Resources/Info.plist: -------------------------------------------------------------------------------- 1 | { 2 | CFBundleExecutable = "iostargetapphhly"; 3 | CFBundleIconFile = icon.png; 4 | CFBundleIdentifier = "com.hhly.iostargetapphhly"; 5 | CFBundleInfoDictionaryVersion = 6.0; 6 | CFBundlePackageType = APPL; 7 | CFBundleSignature = "????"; 8 | CFBundleSupportedPlatforms = ( 9 | iPhoneOS 10 | ); 11 | CFBundleVersion = 1.0; 12 | DTPlatformName = iphoneos; 13 | DTSDKName = iphoneos3.0; 14 | LSRequiresIPhoneOS = 1; 15 | MinimumOSVersion = 3.0; 16 | } 17 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/RootViewController.h: -------------------------------------------------------------------------------- 1 | @interface RootViewController: UIViewController { 2 | } 3 | @end 4 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/RootViewController.mm: -------------------------------------------------------------------------------- 1 | // 2 | // RootViewController.cpp 3 | // ssd 4 | // 5 | // Created by esirnus on 16/5/23. 6 | // Copyright © 2016 esirnus. All rights reserved. 
7 | // 8 | 9 | #import "RootViewController.h" 10 | 11 | 12 | class CPPClass 13 | { 14 | public: 15 | void CPPFunction(const char *); 16 | }; 17 | 18 | void CPPClass::CPPFunction(const char *args0) 19 | { 20 | for (int i = 0; i < 66; i++) // padding loop: runs long enough to verify that MSHookFunction took effect 21 | { 22 | u_int32_t randomNumber; 23 | if (i % 3 == 0) randomNumber = arc4random_uniform(i); 24 | NSProcessInfo *processInfo = [NSProcessInfo processInfo]; 25 | NSString *hostName = processInfo.hostName; 26 | int pid = processInfo.processIdentifier; 27 | NSString *globallyUniqueString = processInfo.globallyUniqueString; 28 | NSString *processName = processInfo.processName; 29 | NSArray *junks = @[hostName,globallyUniqueString,processName]; 30 | NSString *junk = @""; 31 | for (int j = 0; j < pid; j++) 32 | { 33 | if (pid % 6 == 0) junk = junks[j % 3]; 34 | } 35 | if (i % 68 == 1) NSLog(@"Junk: %@",junk); 36 | } 37 | NSLog(@"HHLY: CPPFunction:%s",args0); 38 | } 39 | 40 | extern "C" void CFunction(const char *args0) 41 | { 42 | for (int i = 0; i < 66; i++) // same padding loop as CPPFunction 43 | { 44 | u_int32_t randomNumber; 45 | if (i % 3 == 0) randomNumber = arc4random_uniform(i); 46 | NSProcessInfo *processInfo = [NSProcessInfo processInfo]; 47 | NSString *hostName = processInfo.hostName; 48 | int pid = processInfo.processIdentifier; 49 | NSString *globallyUniqueString = processInfo.globallyUniqueString; 50 | NSString *processName = processInfo.processName; 51 | NSArray *junks = @[hostName,globallyUniqueString,processName]; 52 | NSString *junk = @""; 53 | for (int j = 0; j < pid; j++) 54 | { 55 | if (pid % 6 == 0) junk = junks[j % 3]; 56 | } 57 | if (i % 68 == 1) NSLog(@"Junk: %@",junk); 58 | } 59 | NSLog(@"HHLY: CFunction:%s",args0); 60 | } 61 | 62 | extern "C" void shortCFunction(const char *args0) // shortCFunction is too short to be hooked: MSHookFunction has to overwrite its first few instructions with a jump to the replacement 63 | { 64 | CPPClass cppclass; 65 | cppclass.CPPFunction(args0); 66 | } 67 | 68 | 69 | @implementation RootViewController 70 | 71 | 72 | - (void)loadView { 73 | self.view = [[[UIView 
alloc] initWithFrame:[[UIScreen mainScreen] applicationFrame]] autorelease]; 74 | // self.view = [[UIView alloc] initWithFrame:[UIScreen mainScreen].bounds]; 75 | self.view.backgroundColor = [UIColor redColor]; 76 | } 77 | 78 | - (void)viewDidLoad 79 | { 80 | [super viewDidLoad]; 81 | CPPClass cppclass; 82 | cppclass.CPPFunction("this is cpp function"); 83 | CFunction("this is c function"); 84 | shortCFunction("this is a short C function"); 85 | } 86 | 87 | 88 | @end 89 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/control: -------------------------------------------------------------------------------- 1 | Package: com.hhly.iostargetapphhly 2 | Name: iostargetapphhly 3 | Depends: 4 | Version: 0.0.1 5 | Architecture: iphoneos-arm 6 | Description: ByCXF160523!xinsaisai! 7 | Maintainer: esirnus 8 | Author: esirnus 9 | Section: Utilities 10 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/debs/com.hhly.iostargetapphhly_0.0.1-9+debug_iphoneos-arm.deb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cyhe/iOSSecurity-Attack/b1898014c052f278c242868a841aa6fe2a083144/Demo/MobileHooker/iostargetapphhly/debs/com.hhly.iostargetapphhly_0.0.1-9+debug_iphoneos-arm.deb -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/iostargetapphhlyApplication.mm: -------------------------------------------------------------------------------- 1 | #import "RootViewController.h" 2 | 3 | @interface iostargetapphhlyApplication: UIApplication { 4 | UIWindow *_window; 5 | RootViewController *_viewController; 6 | } 7 | @property (nonatomic, retain) UIWindow *window; 8 | @end 9 | 10 | @implementation iostargetapphhlyApplication 11 | @synthesize window = _window; 12 | - (void)applicationDidFinishLaunching:(UIApplication 
*)application { 13 | _window = [[UIWindow alloc] initWithFrame:[[UIScreen mainScreen] bounds]]; 14 | _viewController = [[RootViewController alloc] init]; 15 | [_window addSubview:_viewController.view]; 16 | [_window makeKeyAndVisible]; 17 | } 18 | 19 | - (void)dealloc { 20 | [_viewController release]; 21 | [_window release]; 22 | [super dealloc]; 23 | } 24 | @end 25 | 26 | // vim:ft=objc 27 | -------------------------------------------------------------------------------- /Demo/MobileHooker/iostargetapphhly/main.m: -------------------------------------------------------------------------------- 1 | int main(int argc, char **argv) { 2 | NSAutoreleasePool *p = [[NSAutoreleasePool alloc] init]; 3 | int ret = UIApplicationMain(argc, argv, @"iostargetapphhlyApplication", @"iostargetapphhlyApplication"); 4 | [p drain]; 5 | return ret; 6 | } 7 | 8 | // vim:ft=objc 9 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /LLDB+debugserver.md: -------------------------------------------------------------------------------- 1 | ## Dynamic debugging with LLDB + debugserver 2 | 3 | ## LLDB (Low Level Debugger) 4 | * The dynamic debugger built into Xcode; it handles C, C++ and Objective-C and fully supports OS X, iOS and the iOS Simulator 5 | * Launch a program under specified conditions; 6 | * Stop a program under specified conditions; 7 | * Inspect what is happening inside the program while it is stopped; 8 | * Modify the program while it is stopped and observe how its execution changes 9 | 10 | >LLDB runs on OS X; to debug iOS it has to work together with debugserver. 11 | debugserver runs on the iOS device as the server side: it executes the commands LLDB sends over, returns the results to LLDB, and LLDB shows them to the user. This is remote debugging. A stock iOS device does not ship with debugserver; only after the device has been connected to Xcode once and added in the Window --> Devices menu does Xcode install debugserver into the device's "/Developer/usr/bin/" directory. 
12 | 13 | 14 | --> The above is the setup used for normal (forward) development debugging 15 | ## For reversing you set up debugserver + LLDB yourself 16 | 17 | ![steps](http://o7pqb42yk.bkt.clouddn.com/%E6%AD%A5%E9%AA%A4.jpg) 18 | 19 | * 1. Copy the untouched debugserver from the device to /User/esirnus 20 | * 2. Thin it, i.e. strip the fat binary down to the device's architecture (ps: I could use some thinning myself) 21 | * 3. Download ent.xml, copy it to /User/esirnus, and re-sign debugserver with it to add the task_for_pid entitlement (ldid -Sent.xml debugserver); note there is no space between -S and ent.xml 22 | * 4. Copy the processed debugserver back to /usr/bin on the iOS device 23 | * 5. ssh into the iOS device 24 | * 6. Give the copied-back debugserver execute permission 25 | * debugserver is not copied back to its original folder for two reasons: the original debugserver under /Developer/usr/bin is not writable, and commands in /usr/bin are on the PATH, so the patched debugserver can be started from any directory without typing its full path. 26 | 27 | 28 | ## debugserver is used mostly to launch or attach to a process 29 | 30 | * debugserver launches executable, opens port and waits for an LLDB connection from IP 31 | 32 | ~~~ 33 | debugserver -x backboard IP:port /path/to/executable 34 | ~~~ 35 | 36 | * debugserver attaches to ProcessName, opens port and waits for an LLDB connection from IP 37 | 38 | ~~~ 39 | debugserver IP:port -a "ProcessName" 40 | ~~~ 41 | 42 | *e.g.*: 43 | *launch AppStore, open port 1234 and wait for LLDB to connect from 192.168.35.252 (use *:1234 to accept any host)* 44 | 45 | ~~~ 46 | debugserver -x backboard 192.168.35.252:1234 /Applications/AppStore.app/AppStore 47 | ~~~ 48 | 49 | *e.g.:* 50 | *attach to the running AppStore, open port 1234 and wait for LLDB to connect from 192.168.35.252* 51 | 52 | ~~~ 53 | debugserver 192.168.35.252:1234 -a "AppStore" 54 | ~~~ 55 | 56 | **ps: two things to watch: 1. you must give a port (:1234); 1234 is a number you choose yourself; 2. if the "/Developer/" directory on the device lacks the necessary debugging data, it usually means the device has not been added in Xcode; add it in Xcode --> Window --> Devices (remember this! it cost me a whole day 😢);** 57 | 58 | *Once debugserver is configured, start Xcode's LLDB and you can debug (note: the lldb shipped with Xcode 6 has a bug: on armv7 and armv7s devices it sometimes confuses ARM and THUMB instructions and debugging becomes impossible; Xcode 7 fixed it)* 59 | 60 | ![launch and connect command](http://o7pqb42yk.bkt.clouddn.com/1DBBE39E-D211-4B7F-86FD-5E246E6CBFB2.png) 61 | After launching with this command it takes a while; once the process has stopped you can start debugging 62 | 63 | ## LLDB commands 64 | #### 1. *image list* 65 | * **image list is the counterpart of GDB's "info shared": it lists every module (image) in the current process. Because of ASLR, every time a process starts, the start address of each of its modules in virtual memory is shifted by a random offset** 66 | 67 | >**E.g.**: *process A contains a module B of 100 bytes. The first time A starts, B may be loaded at virtual addresses 0x00 to 0x64; the second time at 0x10 to 0x74; the third time at 0x60 to 0xC4. Its size does not change, but its start address changes every run (real slides are page-aligned; these tiny numbers only illustrate the idea). That address is a key piece of data you will use constantly ----> how to get it: after LLDB starts, enter "image list -o -f"* 68 | 69 | >*a module's start address in memory --->* **module base address (image base address)** 70 | 71 | 72 | 73 | 
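Worked example for the slide arithmetic in this section, added here and not part of the original notes. The Python script below takes a constructed `image list -o -f` listing (paths, slides and the NSLog offset 0x2a1f1a10 are made up for illustration), extracts each module's ASLR slide, turns an unslid address copied from IDA into the address to give `br s -a`, and maps a run-time address from `bt` back to what IDA shows:

```python
import re

# Constructed sample of LLDB `image list -o -f` output (made up for this example,
# not captured from a device).  Each row is "[index] <ASLR slide> <path>"; the main
# executable may carry a trailing "(load address)" that we ignore.  System frameworks
# live in the dyld shared cache and therefore all carry the same slide.
SAMPLE_IMAGE_LIST = """\
[  0] 0x0000000000044000 /var/mobile/Containers/Bundle/Application/ABCD/AppStore.app/AppStore(0x0000000000048000)
[  1] 0x000000000da30000 /System/Library/Frameworks/Foundation.framework/Foundation
[  2] 0x000000000da30000 /System/Library/Frameworks/UIKit.framework/UIKit
"""

IMAGE_LINE = re.compile(
    r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(\S+?)(?:\(0x[0-9a-fA-F]+\))?$"
)


def parse_image_list(text):
    """Map module name (last path component) -> ASLR slide, from `image list -o -f`."""
    slides = {}
    for line in text.splitlines():
        match = IMAGE_LINE.match(line.strip())
        if not match:
            continue  # prompts, blank lines, anything that is not an image row
        _index, slide_hex, path = match.groups()
        slides[path.rsplit("/", 1)[-1]] = int(slide_hex, 16)
    return slides


def slid_address(unslid, slide):
    """slid address = unslid address (as shown in IDA) + the module's ASLR slide."""
    return unslid + slide


def unslid_address(slid, slide):
    """Inverse: an address seen at run time (bt, crash log) back to what IDA shows."""
    return slid - slide


def breakpoint_command(module, unslid, slides):
    """Build the `br s -a` command for an unslid address inside `module`."""
    if module not in slides:
        raise KeyError("module %s is not loaded (not in image list)" % module)
    return "br s -a 0x%x" % slid_address(unslid, slides[module])


if __name__ == "__main__":
    slides = parse_image_list(SAMPLE_IMAGE_LIST)
    nslog_unslid = 0x2A1F1A10  # made-up unslid address of NSLog inside Foundation
    print(breakpoint_command("Foundation", nslog_unslid, slides))
    print(hex(unslid_address(0x37C21A10, slides["Foundation"])))
```

The same slide applies to every symbol and instruction inside a module, which is why one `image list -o -f` per debugging session is enough; only the main executable and dylibs outside the shared cache get slides of their own.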
>**NSLog's address = NSLog's offset within Foundation + Foundation's base address** 74 | 75 | * Derivation: 76 | 77 | >**slid module base address = unslid module base address + ASLR slide** 78 | 79 | >**slid symbol address = unslid symbol address + ASLR slide of the module containing the symbol** 80 | 81 | >**slid instruction address = unslid instruction address + ASLR slide of the module containing the instruction** 82 | 83 | #### 2. *breakpoint* 84 | * "breakpoint" is the counterpart of GDB's "break" and sets breakpoints. In reverse engineering the forms you mostly use are 85 | 86 | >b function 87 | >>sets a breakpoint at the start of a function, e.g. *(lldb) b NSLog* 88 | 89 | >or 90 | 91 | >br s -a address **and** br s -a ASLROffset+address 92 | >>both set a breakpoint at an address, e.g. *(lldb) br s -a 0xCCCCC*; the second form lets LLDB do the slide addition for you 93 | 94 | #### 3. *print* 95 | > The introduction said one of LLDB's main jobs is "inspecting what is happening inside the program while it is stopped"; that is done with the print command, which prints the value of an expression, e.g. a register: *(lldb) p $r0* 96 | 97 | #### 4. *nexti && stepi* 98 | >nexti and stepi both execute the next machine instruction; the difference is that nexti steps over a call without entering the callee, while stepi steps into it. They abbreviate to ni and si; 99 | 100 | #### 5. *register write* 101 | >register write assigns a value to the named register, e.g. *(lldb) register write r0 0*, which is how you "modify the program while it is stopped and observe how its execution changes". 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | -------------------------------------------------------------------------------- /Logos Grammar Analysis.md: -------------------------------------------------------------------------------- 1 | Logos syntax explained 2 | 3 | * 1.%hook 4 | > Names the class to hook; the block must be closed with %end. 5 | 6 | ~~~ 7 | // hook SpringBoard's _menuButtonDown: method: log a line first, then run the method's original behaviour 8 | %hook SpringBoard 9 | - (void)_menuButtonDown:(id)down 10 | { 11 | NSLog(@"111111"); 12 | %orig; // call the original _menuButtonDown: 13 | } 14 | %end 15 | ~~~ 16 | 17 | * 2.%log 18 | > Used inside %hook; writes the method's class name, selector and arguments to syslog. Extra values can be appended in the form %log((type)expr, ...). 19 | 20 | ~~~ 21 | %hook SpringBoard 22 | - (void)_menuButtonDown:(id)down 23 | { 24 | %log((NSString *)@"iosre",(NSString *)@"Debug"); 25 | %orig; // call the original _menuButtonDown: 26 | } 27 | %end 28 | ~~~ 29 | 30 | * 3.%orig 31 | > Used inside %hook; runs the original implementation of the hooked method. %orig(...) can also call the original with changed arguments. 32 | 33 | ~~~ 34 | %hook SpringBoard 35 | - (void)setCustomSubtitleText:(id)arg1 withColor: (id)arg2 36 | { 37 | %orig(@"change arg2",arg2); // calls the original with its first argument replaced by "change arg2"; arg2 passes through unchanged 38 | } 39 | %end 40 | ~~~ 41 | 42 | 
* 4.%group 43 | > Groups %hook blocks so they can be managed together and initialised conditionally; must be closed with %end. 44 | > One %group may contain several %hook blocks; every %hook that does not belong to a named group is implicitly placed in %group _ungrouped. 45 | 46 | ~~~ 47 | /* 48 | In %group iOS7Hook hook ios7Method of iOS7Class, in %group iOS8Hook hook ios8Method of iOS8Class, and in the implicit %group _ungrouped hook powerDown of SpringBoard. 49 | */ 50 | %group iOS7Hook 51 | %hook iOS7Class 52 | - (id)ios7Method 53 | { 54 | id result = %orig; 55 | NSLog(@"this method only applies on iOS 7"); 56 | return result; 57 | } 58 | %end 59 | %end // iOS7Hook 60 | 61 | %group iOS8Hook 62 | %hook iOS8Class 63 | - (id)ios8Method 64 | { 65 | id result = %orig; 66 | NSLog(@"this method only applies on iOS 8"); 67 | return result; 68 | } 69 | %end 70 | %end // iOS8Hook 71 | 72 | %hook SpringBoard 73 | - (void)powerDown 74 | { 75 | %orig; 76 | } 77 | %end 78 | ~~~ 79 | 80 | 81 | * 5.%init 82 | > Initialises a %group; must be called inside %hook or %ctor. With an argument it initialises the named group; without one it initialises _ungrouped. 83 | Note: 84 | Remember, a %group only takes effect after %init has been called for it! 85 | 86 | ~~~ 87 | #ifndef KCFCoreFoundationVersionNumber_iOS_8_0 88 | #define KCFCoreFoundationVersionNumber_iOS_8_0 1140.10 // own macro for SDKs that predate iOS 8; CoreFoundation's own constants are spelled kCF... 89 | #endif 90 | %hook SpringBoard // enclosing class assumed for this fragment 91 | - (void)applicationDidFinishLaunching:(UIApplication *)application 92 | { 93 | %orig; 94 | 95 | %init; // Equals to %init(_ungrouped) 96 | 97 | if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_7_0 && kCFCoreFoundationVersionNumber < KCFCoreFoundationVersionNumber_iOS_8_0) 98 | %init(iOS7Hook); 99 | if (kCFCoreFoundationVersionNumber >= KCFCoreFoundationVersionNumber_iOS_8_0) 100 | %init(iOS8Hook); 101 | } 102 | %end 103 | ~~~ 104 | 105 | 106 | * 6.%ctor 107 | > The tweak's constructor, where initialisation is done. If you do not define one explicitly, Theos generates a %ctor that calls %init(_ungrouped). %ctor is usually the place to initialise %groups and to do things such as MSHookFunction, as below: 108 | 109 | ~~~ 110 | #ifndef KCFCoreFoundationVersionNumber_iOS_8_0 111 | #define KCFCoreFoundationVersionNumber_iOS_8_0 1140.10 112 | #endif 113 | 114 | %ctor 115 | { 116 | %init; 117 | 118 | if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_7_0 && kCFCoreFoundationVersionNumber < 
KCFCoreFoundationVersionNumber_iOS_8_0) 119 | %init(iOS7Hook); 120 | if (kCFCoreFoundationVersionNumber >= KCFCoreFoundationVersionNumber_iOS_8_0) 121 | %init(iOS8Hook); 122 | MSHookFunction((void *)&AudioServicesPlaySystemSound, (void *)&replaced_AudioServicesPlaySystemSound, (void **)&original_AudioServicesPlaySystemSound); // replacement function and original-pointer are declared elsewhere in the tweak 123 | } 124 | ~~~ 125 | 126 | * 7.%new 127 | > Used inside %hook; adds a new method to an existing class, equivalent to class_addMethod. 128 | 129 | > Note: 130 | The difference between an Objective-C category and class_addMethod: 131 | the former is static, the latter dynamic. A method added with %new needs no declaration in a .h file, whereas a category may run into assorted errors. 132 | 133 | ~~~ 134 | %hook SpringBoard 135 | %new 136 | - (void)addNewMethod 137 | { 138 | NSLog(@"a method added to SpringBoard at run time"); 139 | } 140 | %end 141 | ~~~ 142 | 143 | * 8.%c 144 | > Equivalent to objc_getClass or NSClassFromString: looks up a class definition dynamically at run time; used inside %hook or %ctor. 145 | 146 | ##### [Logos syntax reference](http://iphonedevwiki.net/index.php/Logos) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # iOSSecurity-Attack 2 | ### iOS security: the attack side 3 | Everything here is purely for my own study; the techniques are for learning and exchange only, must not be used for illegal purposes, and no commercial use of any kind is permitted!!! For much more, I strongly recommend snakeninny's (狗神) book "iOS App Reverse Engineering" and the [iOSRE forum](http://iosre.com/) 4 | #### Preface: 5 | I have recently been looking into **app security** and did not know where to start; the more material I read, the more confused I got, so I decided to start from the most basic reverse engineering. iOS attack and defence: only by knowing how to attack can you know how to protect your own app effectively, so after much deliberation I am starting with the attack side. This document collects my notes and the pitfalls I hit while reversing, as a record of what I learned. 6 | #### What reversing is for: 7 | * Security: analyse the target program and extract the key information; 8 | * Development: borrow features from other people's programs; 9 | 10 | 11 | 12 | #### Small talk 13 | The material and the software are out of sync: software updates too fast and the material is written for old versions. Seeing something new while researching is exciting, but hitting a build failure leaves you stumped. Most of the problems I hit this week came from carelessness. I had no clue at the start and am getting more and more into it; after a while it is finally making sense. Great!! 
14 | 15 | *ps: if reading .md files on GitHub is inconvenient, you can continue on [my blog](http://blog.csdn.net/mercuryvenus)* 16 | 17 | -------------------------------------------------------------------------------- /逆向过程思考(1).md: -------------------------------------------------------------------------------- 1 | ## Thoughts on the reversing process: hiding the compose button at the bottom of the built-in iOS Mail app 2 | 3 | What interests us in an app usually shows up in its UI; the UI displays the execution and results of functions. Functions and UI are tightly linked: if we can get hold of a UI object of interest, we can find the function behind it, which we call the UI function. This is usually done with Cycript together with UIView's wonderful private method recursiveDescription and UIResponder's nextResponder. We will try to find the UI function we ultimately want by hiding the compose button at the bottom of the built-in Mail app (device: iPhone 4S, jailbroken iOS 8.1). 4 | 5 | ## Start from what you see in the app and find the UI function 6 | 7 | Goal: hide the "compose" button in the lower-right corner of the screenshot below, and on the way find the UI function we want 8 | 9 | ![original screen](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/hiddenNothing.png) 10 | 11 | 1. Use cycript to locate Mail's process and inject into it (see below) 12 | 13 | ![locating the Mail process](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/start.png) 14 | 15 | 2. Look at the UI hierarchy of the current screen and locate the "compose" button 16 | 17 | UIView's private method recursiveDescription returns the view hierarchy beneath that view. The current screen consists of at least one UIWindow, and UIWindow inherits from UIView, so this private method can be used to dump the hierarchy of the current screen: ```cy# [[UIApp keyWindow] recursiveDescription]``` 18 | 19 | **UIApp** is shorthand for **[UIApplication sharedApplication]**; they are equivalent. Calling the method above prints the keyWindow's view hierarchy, producing output like this: 20 | 21 | ![UIApp in action](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/middle.png) 22 | 23 | The description of every subview of the keyWindow, and of their subviews in turn, is printed in full inside <······>, including each view object's memory address, frame, bounds, size and so on. Indentation expresses the hierarchy: views with the same indentation are siblings, e.g. UIScrollView_TabGradientView and UIView at the bottom; a view with less indentation is the superview of the more indented views beneath it, e.g. UIScrollView_TabGradientView and UIView are both subviews of MFTiltedTabView. The animated gif below scrolls through the output step by step and shows the indentation and the printed information; look at it carefully (see below). 
24 | 
25 | ![Hierarchy gif](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/frame.gif)
26 | 
27 | With Cycript's "#" operator we can get hold of any view in this window, e.g. tabview = #0x0xxx, and from there subviews and superview give the children and the parent. With these few calls we can reach any view in the UI, ready for the next step (see below):
28 | 
29 | ![findSuperview&Subviews](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/tata.png)
30 | 
31 | To locate the "Compose" button we look for controls related to it. We guess that the label at the bottom and the button might share a superview, so we look for the UILabel whose text reads "Updated 3 minutes ago" (that is what my mailbox screen showed at the time; it refreshes dynamically, so the text changes).
32 | 
33 | ![Text on the UILabel](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/findLabel.png)
34 | 
35 | As shown above, we found a UILabel containing "Updated 3 minutes ago". Now try to hide it: UILabel inherits from UIView, and for any view printed as ***<···UIView : viewAddress···>*** we can call [#viewAddress setHidden:YES]. From the screenshot the UILabel's parent is MailStatusUpdateView, so we setHidden MailStatusUpdateView; if the "Compose" button is a subview of MailStatusUpdateView, it will disappear too.
36 | 
37 | ![](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/useAnotherAddr.png)
38 | 
39 | In the first grey box of the screenshot above we hide MailStatusUpdateView by its memory address, but unfortunately the result is the screenshot below: the "Compose" button is not under MailStatusUpdateView, i.e. it is not one of its subviews. We restore the UILabel text and keep looking one level up: the superview of MailStatusUpdateView is MailStatusBarView. Hiding that via the second grey box above unfortunately gives the same result below.
40 | 
41 | ![hiddenText](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/hiddenText.png)
42 | 
43 | Hiding it leaves the button untouched, so MailStatusBarView is still not high enough in the hierarchy. We go one more level up to the superview of MailStatusBarView, which is UIToolbar, as shown below
44 | 
45 | ![UIToolbar hierarchy](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/findSuperView.png)
46 | 
47 | This time we hide the UIToolbar (mind the memory address of the corresponding control; the screenshot order is a bit jumbled, as I did not capture every step)
48 | 
49 | ![end](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/end.png)
50 | 
51 | This time the button and the text are all hidden. Oops, we only wanted to hide one button ~.~
52 | 
53 | ![hiddenAll](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/hiddenAll.png)
54 | 
55 | Hiding everything is fine too: we now know the "Compose" button lives under the UIToolbar, so instead of hunting one by one (too much work ~.~) we call [#UIToolbar_Address subviews] and look at its children directly. We find a UIToolbarButton and guess that this is the button. Hiding the UIToolbarButton succeeds, and with that the "Compose" button at the bottom right is hidden. That is the thinking behind one pass of reversing (for this step refer to the screenshot two above).
56 | 
57 | ![hiddenfinish](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/finish.png)
58 | 
59 | 3. Find the UI function of the "Compose" button
60 | 
61 | A button's UI function is the handler that runs when it is tapped. Handlers are attached to a UIView object through [UIControl addTarget:action:forControlEvents:], and UIControl provides actionsForTarget:forControlEvent: to read back the handlers registered on it. So as long as the view we located is a UIControl subclass, we can find its handler this way.
62 | 
63 | ![end](https://github.com/Esirnus/iOSSecurity-Attack/blob/master/Demo/AssetsImage/MailShot/end.png)
64 | 
65 | So when the "Compose" button is pressed, Mail calls [ComposeButoonItem _sendAction:withEvent:], and we have found its handler. Note that _sendAction:withEvent: is the private forwarding method of a UIBarButtonItem; the item's own target and action name the handler it forwards to. This completes the cycle: inject with Cycript, locate the UI control, find the UI function.
66 | 
67 | 
68 | 
--------------------------------------------------------------------------------
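The three steps above, carried out as a Cycript script rather than by reading recursiveDescription by eye. This is an added example, not code from the original post or from the repository, and it generalizes the Mail case: it walks the whole view tree, finds labels by text, prints the superview chain the post climbed by hand, and lists every UIControl with its target/action pairs, following UIBarButtonItem forwarding to the real handler. Assumptions: Cycript is attached to Mail (`cycript -p MobileMail`), UIKit classes and the Foundation function NSStringFromSelector resolve in the console, and the device runs iOS 8 or later (containsString:). All function names and the address 0x17d3b0c0 in the usage lines are placeholders chosen for this example.

```cycript
// Added example (not from the post): Cycript helpers for the procedure above.
// Assumed: attached with `cycript -p MobileMail`; UIKit classes and
// NSStringFromSelector resolve; iOS 8+ for -[NSString containsString:].

// UIControlEventTouchUpInside from UIControlEvents, given numerically in case
// the enum symbol does not resolve inside the Cycript console.
var UIControlEventTouchUpInside = 1 << 6;

// Depth-first walk from `root`, collecting every view for which pred(view) holds.
function findViews(root, pred, out) {
    out = out || [];
    if (pred(root))
        out.push(root);
    var subs = [root subviews];
    for (var i = 0; i < [subs count]; i++)
        findViews([subs objectAtIndex:i], pred, out);
    return out;
}

// Step 2 without reading recursiveDescription by eye: labels whose text
// contains `needle`, e.g. "Updated".
function findLabelsContaining(root, needle) {
    return findViews(root, function (v) {
        return [v isKindOfClass:[UILabel class]] &&
               [v text] != null && [[v text] containsString:needle];
    });
}

// The superview chain the post climbed by hand
// (MailStatusUpdateView < MailStatusBarView < UIToolbar < ...), innermost first.
function superviewChain(view) {
    var names = [];
    for (var v = view; v != null; v = [v superview])
        names.push([[v class] description]);
    return names.join(" < ");
}

// Step 3: handlers registered on one UIControl for touch-up-inside.
// Toolbar and navigation buttons usually target their UIBarButtonItem with
// _sendAction:withEvent:, so the item's own target/action is reported too;
// that is the handler a hook should actually go after.
function describeActions(control) {
    var lines = [];
    var targets = [[control allTargets] allObjects];
    for (var i = 0; i < [targets count]; i++) {
        var target = [targets objectAtIndex:i];
        var actions = [control actionsForTarget:target forControlEvent:UIControlEventTouchUpInside];
        for (var j = 0; j < [actions count]; j++) {
            var line = "[" + [[target class] description] + " " + [actions objectAtIndex:j] + "]";
            if ([target isKindOfClass:[UIBarButtonItem class]] && [target target] != null)
                line += " -> [" + [[[target target] class] description] + " " +
                        NSStringFromSelector([target action]) + "]";
            lines.push(line);
        }
    }
    return lines;
}

// Steps 2 and 3 for every control under `root` at once: one line with the
// control's chain and hidden state, followed by its handlers.
function auditControls(root) {
    var controls = findViews(root, function (v) { return [v isKindOfClass:[UIControl class]]; });
    var report = [];
    for (var i = 0; i < controls.length; i++) {
        var c = controls[i];
        report.push(superviewChain(c) + " hidden=" + [c isHidden]);
        report = report.concat(describeActions(c));
    }
    return report;
}

// The post's [#0x... setHidden:YES], made reversible: flips the flag and
// returns the previous value so the view can be restored afterwards.
function toggleHidden(view) {
    var was = [view isHidden];
    [view setHidden:!was];
    return was;
}

// Usage in the Cycript console (0x17d3b0c0 is a placeholder address; take the
// real one from recursiveDescription or from the auditControls output):
//   auditControls([UIApp keyWindow])
//   findLabelsContaining([UIApp keyWindow], "Updated")
//   toggleHidden(#0x17d3b0c0)
```

auditControls prints the toolbar button as a UIToolbarButton whose only action is _sendAction:withEvent: on a UIBarButtonItem, and then the item's own target and action; that second pair is the method to hook with Logos, since hooking the forwarder would also catch every other bar button in the process. actionsForTarget:forControlEvent: only returns actions for the event mask you ask about, so change the constant if a control reacts to a different event.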