iOS: Performing hook injection on a non-jailbroken phone


1. Prepare an app you wrote yourself and package it with an ad hoc certificate.

2. Once packaged, it can be installed on a test phone.

3. Unpack the .ipa to obtain the .app bundle (rename the .ipa to .zip first, then unzip it to get the .app).

4. Use "Show Package Contents" to look at the contents of the original bundle.

5. You can also inspect it from the command line (mind the current directory): $otool -L YoungTest

6. Install iOSOpenDev.

7. Write the hook. Only the Hook1 file is edited; no other file is changed.

iOSOpenDevDevice: set this to your device's IP address (for example 192.168.1.10).
iOSOpenDevInstallOnProfiling: boolean, default YES; whether a "Build for Profiling" installs the build directly onto the device over the network.
iOSOpenDevPath: do not change this; it is the iOSOpenDev installation path.
iOSOpenDevRespringOnInstall: boolean, default YES; whether to restart SpringBoard after installing.
iOSOpenDev installs to /opt/iOSOpenDev by default; the headers for the undocumented APIs can be found in there.

8. Put Hook1 and yololib into the bundle (yololib is the tool that performs the dylib injection for us).

9. Use yololib to inject the hook into the app:
$./yololib YoungTest Hook1.dylib

10. Check the result: the injection succeeded.

11. Once the injection has succeeded, delete yololib, delete _CodeSignature, and replace embedded.mobileprovision with your own provisioning profile. (You need to generate a set of app certificates in your developer account.)

12. Dump the original app's entitlements (mind the current directory):

$ codesign -d --entitlements :- /Users/iOS/Desktop/ADHoc/Payload/YoungTest.app > sss.plist

13. Sign the Hook1, YoungTest and embedded.mobileprovision files:

youngstardeMacBook-Pro:Payload iOS$ codesign -f -s "iPhone Distribution: MingXing Yang (AX6366456P)" YoungTest.app/Hook1.dylib

youngstardeMacBook-Pro:Payload iOS$ codesign -f -s "iPhone Distribution: MingXing Yang (AX6366456P)" YoungTest.app/Sengled.mobileprovision

youngstardeMacBook-Pro:Payload iOS$ codesign -f -s "iPhone Distribution: MingXing Yang (AX6366456P)" YoungTest.app/YoungTest

As shown in the figure.

14. Sign the whole .app bundle, using the entitlements file just generated:

codesign -f -s "iPhone Distribution: MingXing Yang (AX6366456P)" --entitlements sss.plist YoungTest.app/

15. The hook injection is now complete. Go back up to the parent folder and locate the app.

16. Generate the .ipa through iTunes, then install it on the phone with iTool.

I took quite a few detours along the way, mainly because of mixing up certificates; it is best to delete all the other unused certificates from Keychain and keep only the one you package with. I have tried to explain things in as much detail as possible; leave a comment if you have questions!
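The otool -L check in step 5 and the "verify the injection" check in step 10 both amount to reading the Mach-O load commands of the main executable: yololib works by appending an LC_LOAD_DYLIB command that points at the injected dylib. The Python below is an added example, not part of the original write-up and not code from yololib or iOSOpenDev. It parses the LC_LOAD_DYLIB family of commands straight from a thin or fat Mach-O image, so a reviewer (or an integrity check in a build pipeline) can compare an app's linked libraries against the list from a clean build and flag extra entries such as an @executable_path-relative dylib. The sample images are constructed in code (the builder functions, the Hook1.dylib name and the system library paths are illustrative), so it runs offline without otool or a real binary.

```python
import struct

# Mach-O / fat constants as defined in <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC = 0xFEEDFACE        # 32-bit little-endian image
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit little-endian image
FAT_MAGIC = 0xCAFEBABE       # universal binary header (big-endian fields)
LC_REQ_DYLD = 0x80000000
LC_UUID = 0x1B
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def parse_thin(data, base=0):
    """Return the dylib install names referenced by the load commands of the
    thin Mach-O image starting at offset `base` (the same list `otool -L` prints)."""
    magic, = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32          # mach_header_64 carries an extra `reserved` field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, = struct.unpack_from("<I", data, base + 16)   # after magic/cputype/cpusubtype/filetype
    off = base + header_size
    names = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, then struct dylib {name.offset, timestamp,
            # current_version, compatibility_version}; the name string follows, NUL-terminated.
            name_off, = struct.unpack_from("<I", data, off + 8)
            start = off + name_off
            end = data.index(b"\0", start, off + cmdsize)
            names.append(data[start:end].decode("utf-8", "replace"))
        off += cmdsize            # any other command (LC_UUID, LC_SEGMENT_64, ...) is skipped by size
    return names


def linked_dylibs(data):
    """Map each architecture slice to its dylib list; handles thin and fat files."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return {"thin": parse_thin(data, 0)}
    nfat, = struct.unpack_from(">I", data, 4)
    slices = {}
    for i in range(nfat):
        cputype, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices["cputype=0x%x" % cputype] = parse_thin(data, offset)
    return slices


def non_system_dylibs(names):
    """Entries outside /usr/lib and /System: embedded frameworks or injected dylibs."""
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES)]


def unexpected_dylibs(names, baseline):
    """Entries absent from the clean build's list (e.g. `otool -L` on the original binary)."""
    known = set(baseline)
    return [n for n in names if n not in known]


# --- constructed sample images (not real app binaries) -------------------------
def _dylib_cmd(cmd, name):
    payload = name.encode() + b"\0"
    payload += b"\0" * (-len(payload) % 8)            # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, 24 + len(payload), 24, 2, 0x10000, 0x10000) + payload


def build_sample_image(names, cputype=0x0100000C):    # 0x0100000C = CPU_TYPE_ARM64
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    cmds += b"".join(_dylib_cmd(LC_LOAD_DYLIB, n) for n in names)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, 1 + len(names), len(cmds), 0, 0)
    return header + cmds


def build_fat_image(images):
    """Wrap (cputype, thin_image) pairs in a fat header; alignment simplified to 8 bytes."""
    body, archs = b"", b""
    base = 8 + 20 * len(images)
    for cputype, img in images:
        archs += struct.pack(">5I", cputype, 0, base + len(body), len(img), 3)
        body += img + b"\0" * (-len(img) % 8)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    clean = ["/usr/lib/libSystem.B.dylib",
             "/System/Library/Frameworks/Foundation.framework/Foundation"]
    # Repackaged image: the clean libraries plus a yololib-style appended entry.
    patched = build_sample_image(clean + ["@executable_path/Hook1.dylib"])
    for arch, names in linked_dylibs(patched).items():
        print(arch, "non-system:", non_system_dylibs(names))
        print(arch, "not in clean build:", unexpected_dylibs(names, clean))
```

Comparing against a baseline list from the clean build is the more reliable check: legitimate apps also link @rpath-relative embedded frameworks, so "non-system" alone only narrows the list, while an entry the clean build never had is what a repackaging leaves behind.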

iOS reverse engineering: listing all apps installed on the phone and their paths

This is simply the pre-iOS 11 code for getting the app list. On iOS 11 and later this API can no longer be used for that on non-jailbroken phones, but jailbroken phones are not restricted and can still use it.

#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Enumerates installed apps through the private LSApplicationWorkspace /
// LSApplicationProxy classes; every call goes through performSelector so no
// private header is required. Class method, assumed to sit in a class of your own.
+ (void)installedApplications {
    Class lsawsc = objc_getClass("LSApplicationWorkspace");
    NSObject* workspace = [lsawsc performSelector:NSSelectorFromString(@"defaultWorkspace")];
    NSArray *apps = [workspace performSelector:NSSelectorFromString(@"allInstalledApplications")];
    Class LSApplicationProxy_class = objc_getClass("LSApplicationProxy");
    for (int i = 0; i < apps.count; i++) {
        NSObject *temp = apps[i];
        if ([temp isKindOfClass:LSApplicationProxy_class]) {
            // Each LSApplicationProxy exposes the bundle's identity, version and paths.
            NSString *appBundleId = [temp performSelector:NSSelectorFromString(@"applicationIdentifier")];
            NSString *appName = [temp performSelector:NSSelectorFromString(@"localizedName")];
            NSString * type = [temp performSelector:NSSelectorFromString(@"applicationType")];
            NSString * shortVersionString = [temp performSelector:NSSelectorFromString(@"shortVersionString")];
            NSString * containerURL = [[temp performSelector:NSSelectorFromString(@"containerURL")] path];
            NSString * resourcesDirectoryURL = [[temp performSelector:NSSelectorFromString(@"resourcesDirectoryURL")] path];
            NSString * bundleExecutable = [temp performSelector:NSSelectorFromString(@"bundleExecutable")];
            NSLog(@"应用类型: %@", type);
            NSLog(@"BundleId: %@", appBundleId);
            NSLog(@"Name: %@", appName);
            NSLog(@"Version: %@", shortVersionString);
            NSLog(@"沙盒路径: %@", containerURL);
            NSLog(@"App包路径: %@", resourcesDirectoryURL);
            NSLog(@"TargetName: %@", bundleExecutable);
            NSLog(@"=============================================");
        }
    }
}

To get more information, mainly the company name and the certificate serial number:

// Walks the installed plugins (app extensions) and collects their containing
// app bundles, then logs the extra per-bundle fields (teamID, vendorName, ...).
// Class method, assumed to sit in the same class as installedApplications.
+ (void)listApps {
    id space = [NSClassFromString(@"LSApplicationWorkspace") performSelector:@selector(defaultWorkspace)];
    NSArray *plugins = [space performSelector:@selector(installedPlugins)];
    NSMutableSet *list = [[NSMutableSet alloc] init];
    for (id plugin in plugins) {
        id bundle = [plugin performSelector:@selector(containingBundle)];
        if (bundle)
            [list addObject:bundle];   // the set de-duplicates apps that ship several plugins
    }
    int a = 1;
    for (id plugin in list) {          // each element here is the containing app bundle
        NSLog(@"================= %d =================",a);
        a++;
        NSLog(@"bundleIdentifier =%@", [plugin performSelector:@selector(bundleIdentifier)]);//bundleID

        NSLog(@"applicationDSID =%@", [plugin performSelector:@selector(applicationDSID)]);
        NSLog(@"applicationIdentifier =%@", [plugin performSelector:@selector(applicationIdentifier)]);
        NSLog(@"applicationType =%@", [plugin performSelector:@selector(applicationType)]);
        NSLog(@"dynamicDiskUsage =%@", [plugin performSelector:@selector(dynamicDiskUsage)]);

        NSLog(@"itemID =%@", [plugin performSelector:@selector(itemID)]);
        NSLog(@"itemName =%@", [plugin performSelector:@selector(itemName)]);
        NSLog(@"minimumSystemVersion =%@", [plugin performSelector:@selector(minimumSystemVersion)]);

        NSLog(@"requiredDeviceCapabilities =%@", [plugin performSelector:@selector(requiredDeviceCapabilities)]);
        NSLog(@"sdkVersion =%@", [plugin performSelector:@selector(sdkVersion)]);
        NSLog(@"shortVersionString =%@", [plugin performSelector:@selector(shortVersionString)]);

        NSLog(@"sourceAppIdentifier =%@", [plugin performSelector:@selector(sourceAppIdentifier)]);
        NSLog(@"staticDiskUsage =%@", [plugin performSelector:@selector(staticDiskUsage)]);
        NSLog(@"teamID =%@", [plugin performSelector:@selector(teamID)]);
        NSLog(@"vendorName =%@", [plugin performSelector:@selector(vendorName)]);
    }
}

