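A few days ago I came across a nice third-party debugging library on GitHub, DBDebugToolkit. It is meant to be used in a development environment, but as a newcomer to reverse engineering I wanted to practise by adding it to another App Store app through a tweak.
Environment:
- iPhone 6s (jailbroken)
- iOS 9.3.1
- Target app: Instagram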
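1. Building the static library
If you add a third-party open-source library to a tweak directly, every .m file has to be listed in the Makefile, which is too much trouble, so I felt it would be more convenient to package the library as a framework or a static library. At first I wanted to package it as a framework and added it following an expert's article, but for some unknown reason it would never load.
Reason: image not found
In the end I couldn't solve it and had to fall back to a static library. I generated the static library following the method here, and after adding it to the tweak it loaded normally.
Note: by default the project does not load the categories in a static library, and this library happens to use a lot of categories. For the categories to be loaded, you need to add the following to the Makefile:
tweakName_LDFLAGS += -all_load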
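2. Adding the bundle
DBDebugToolkit uses a large number of xib and storyboard files to create its views, so these files also need to be added to the tweak. The original code uses a bundle, so we package a bundle as well and add it to the tweak:
The bundle's location has changed, so the library's source code needs to be changed too: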
+ (instancetype)debugToolkitBundle {
    // NSBundle *podBundle = [NSBundle bundleForClass:[DBDebugToolkit class]];
    // NSURL *bundleURL = [podBundle URLForResource:@"DBDebugToolkit" withExtension:@"bundle"];
    // return [NSBundle bundleWithURL:bundleURL];
    NSBundle *podBundle = [NSBundle bundleWithPath:@"/InsBundle/DBDebug.bundle"];
    return podBundle;
}
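The linker setting from step 1 and the bundle path from step 2, put together in one Theos Makefile as an added example (not the author's Makefile). The tweak name InsDebug, the lib/ directory and the library file name are assumptions; using Theos's layout/ directory, whose contents are copied into the package root, is one way to get the bundle to /InsBundle/DBDebug.bundle.

```makefile
# Added example, not the author's Makefile.
# Assumed names: InsDebug (tweak), lib/libDBDebugToolkit.a (prebuilt library).
ARCHS = arm64
include $(THEOS)/makefiles/common.mk

TWEAK_NAME = InsDebug
InsDebug_FILES = Tweak.xm
# UIKit is needed for the UIView/UIWindow categories; add any other
# frameworks the library links against.
InsDebug_FRAMEWORKS = UIKit

# Link the prebuilt static library instead of listing every .m file.
InsDebug_LDFLAGS += -L./lib -lDBDebugToolkit

# A category only adds methods to an existing class and defines no class
# symbol of its own, so nothing in Tweak.xm creates an undefined symbol
# that would make the linker pull the category's object file out of the
# archive. The methods are then missing at run time. Options:
#
#   -all_load            load every member of every static archive
#                        (the setting used in this post)
#   -ObjC                load every archive member that implements an
#                        Objective-C class or category
#   -force_load <path>   load every member of that one archive only
InsDebug_LDFLAGS += -all_load

include $(THEOS_MAKE_PATH)/tweak.mk

# Bundle placement (assumed project layout):
#   layout/InsBundle/DBDebug.bundle/   ->   /InsBundle/DBDebug.bundle
# This matches the path passed to bundleWithPath: in debugToolkitBundle.
```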
3. Hooking and configuring DBDebugToolkit
Hook the app's AppDelegate method to configure DBDebugToolkit:
%hook AppDelegate
- (_Bool)application:(id)arg1 didFinishLaunchingWithOptions:(id)arg2 {
    [DBDebug setup];
    return %orig;
}
%end
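Also: for some unknown reason, calls to DBDebugToolkit's + (IMP)replaceMethodWithSelector:(SEL)originalSelector block:(id)block method never succeeded, so I changed the source code again, and Tweak.xm also needs to hook some other methods (if any expert knows the reason, please leave a comment):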
@implementation UIView (DBUserInterfaceToolkit)

#pragma mark - Method swizzling

- (void)hookInitMethod {
    [self db_refreshDebugBorders];
    [self db_registerForNotifications];
}

- (void)hookDellocMethod {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

//+ (void)load {
// static dispatch_once_t onceToken;
// dispatch_once(&onceToken, ^{
// __block IMP originalInitWithCoderIMP = [self replaceMethodWithSelector:@selector(initWithCoder:)
// block:^UIView * (UIView *blockSelf, NSCoder *aDecoder) {
// UIView *res = ((UIView * (*)(id, SEL, NSCoder *))originalInitWithCoderIMP)(blockSelf, @selector(initWithCoder:), aDecoder);
// [res db_refreshDebugBorders];
// [res db_registerForNotifications];
// return res;
// }];
// __block IMP originalInitWithFrameIMP = [self replaceMethodWithSelector:@selector(initWithFrame:)
// block:^UIView * (UIView *blockSelf, CGRect frame) {
// UIView *res = ((UIView * (*)(id, SEL, CGRect))originalInitWithFrameIMP)(blockSelf, @selector(initWithCoder:), frame);
// [res db_refreshDebugBorders];
// [res db_registerForNotifications];
// return res;
// }];
// __block IMP originalDeallocIMP = [self replaceMethodWithSelector:NSSelectorFromString(@"dealloc")
// block:^(__unsafe_unretained UIView *blockSelf) {
// [[NSNotificationCenter defaultCenter] removeObserver:blockSelf];
// ((void (*)(id, SEL))originalDeallocIMP)(blockSelf, NSSelectorFromString(@"dealloc"));
// }];
// });
//}
// ... (rest of the category omitted)
@end

@implementation UIWindow (DBShakeTrigger)
#pragma mark - Recognizing shake motion
//+ (void)load {
// static dispatch_once_t onceToken;
// dispatch_once(&onceToken, ^{
// // Adding informing delegates about shake motion to the original implementation.
// __block IMP originalIMP = [self replaceMethodWithSelector:@selector(motionEnded:withEvent:)
// block:^(UIWindow *blockSelf, UIEventSubtype motion, UIEvent *event) {
// if (motion == UIEventSubtypeMotionShake) {
// [blockSelf.shakeDelegates makeObjectsPerformSelector:@selector(windowDidEndShakeMotion:) withObject:self];
// }
// ((void (*)(id, SEL, UIEventSubtype, UIEvent *))originalIMP)(blockSelf, @selector(motionEnded:withEvent:), motion, event);
// }];
// });
//}
// ... (rest of the category omitted)
@end

@implementation UIWindow (DBUserInterfaceToolkit)
#pragma mark - Method swizzling
//+ (void)load {
// NSLog(@"load====DBUserInterfaceToolkit===========");
// static dispatch_once_t onceToken;
// dispatch_once(&onceToken, ^{
// __block IMP originalIMP = [self replaceMethodWithSelector:@selector(sendEvent:)
// block:^(UIWindow *blockSelf, UIEvent *event) {
// if (event.type == UIEventTypeTouches) {
// [blockSelf db_handleTouches:event.allTouches];
// }
// ((void (*)(id, SEL, UIEvent *))originalIMP)(blockSelf, @selector(sendEvent:), event);
// }];
// });
//}
// ... (rest of the category omitted)
@end

Tweak.xm
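%hook UIResponder
- (void)motionEnded:(UIEventSubtype)motion withEvent:(UIEvent *)event {
    UIWindow *window = [UIApplication sharedApplication].keyWindow;
    if (motion == UIEventSubtypeMotionShake) {
        // Notify the toolkit's shake delegates.
        [[window shakeDelegates] makeObjectsPerformSelector:@selector(windowDidEndShakeMotion:) withObject:self];
    }
    // Keep the app's own shake handling, as the library's swizzle did.
    %orig;
}
%end

%hook UIWindow
- (void)sendEvent:(UIEvent *)event {
    %orig;
    // Only touch events carry touches for the toolkit to draw.
    if (event.type == UIEventTypeTouches) {
        [self db_handleTouches:event.allTouches];
    }
}
%end

%hook UIView
- (id)initWithCoder:(NSCoder *)aDecoder {
    // Initialise first, then set up the returned object, which may differ from self.
    UIView *res = %orig;
    [res hookInitMethod];
    return res;
}

- (id)initWithFrame:(CGRect)frame {
    UIView *res = %orig;
    [res hookInitMethod];
    return res;
}

- (void)dealloc {
    // Remove the notification observer before the view is destroyed.
    [self hookDellocMethod];
    %orig;
}
%end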
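Compiled, packaged and installed successfully.
The network request monitoring in it is quite good and is of some help when reverse engineering an app.
End
If there are any mistakes, please leave a comment to point them out.
All the code has been uploaded to GitHub.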