Recommendation
This article introduces a set of reverse engineering tools that can add plugins to any application on a non-jailbroken phone. In the example at the end of the article, the author uses WeChat to demonstrate printing the messages WeChat receives. This set of tools can speed up reverse-engineering development, and its re-signing concept can also be used for secondary distribution of other people's applications. In fact, this also shows that Apple's application security protection needs to be strengthened. I hope "Ms. Dong" can see this article (snickering).

About the author: Liu Peiqing, currently working in the information security department of NetEase. Personal blog: http://www.alonemonkey.com/. Thanks to the author for authorizing the repost.

Background
I am an iOS reverse engineering enthusiast. When I was using iOSOpenDev to develop jailbreak plug-ins in Xcode, the tool had not been updated for several years and there were many problems with installing and using it. So at first I only wanted to fix iOSOpenDev's compatibility issues. Later, new ideas kept emerging during development and were implemented in the tool. The result is MonkeyDev, the tool I strongly recommend to you in this article.

Use
Before using it, everyone wants to know what it can do. So what can MonkeyDev do? In summary, it can do the following:
After having a general understanding, let's experience its power through specific practical applications.

Environment Preparation
Before using it, you must first configure the environment. If the configuration is incorrect, some strange problems may occur. You can also follow the project Wiki for this step.
If it is used for jailbreak development, you need to configure password-free login to the jailbroken device. If you do not have a jailbroken device, you can skip this step.
Install
You can install into a specific Xcode using the following command, or install into the default Xcode.
Module Introduction
After the installation is complete, open Xcode, click File - New - Project..., select iOS and scroll to the bottom to see the modules provided by MonkeyDev. Here are the uses of these modules:

Jailbreak modules
CaptainHook Tweak: use the header file provided by CaptainHook to hook Objective-C methods and access their properties.
Logos Tweak: use the logify.pl tool provided by theos to convert the .xm file into a .mm file for compilation. CydiaSubstrate is integrated by default, so you can use MSHookMessageEx and MSHookFunction to hook Objective-C methods and C functions at specified addresses.
Command-line Tool: directly create command-line tools that run on jailbroken devices.

Non-jailbreak module
MonkeyApp: a module that automatically integrates Reveal, Cycript and dylib injection into third-party applications. It supports debugging both the dylib and the third-party application, and supports using Pods to integrate SDKs into third-party applications. You only need to prepare a decrypted ("shelled") ipa or app file.

Function Introduction
The use of CaptainHook Tweak, Logos Tweak and Command-line Tool will not be introduced here. If you have any questions, please check the project Wiki. The following mainly introduces the use of MonkeyApp, starting your journey of non-jailbreak plug-in development~

Prepare
Before you start, you need to prepare a decrypted application. You can use a jailbroken phone to dump the decrypted binary and then obtain the ipa or app. If you don't have a jailbroken phone, you can directly download the decrypted (jailbreak) version of the application from an app assistant.

Create a project
Click File - New - Project... to create an iOS project and select MonkeyApp. After the creation is complete, you will get a project like this: The name of the project I created here is MonkeyApp, so the following corresponds to MonkeyApp. The name of the project you create depends on your project name! In addition, Xcode 8 needs to add the dynamic library dependency to the App, as follows:

MonkeyAppDylib is the dynamic library that will be injected into the target App. You can write the code you want to hook in the MonkeyAppDylib.m file. I have written some demo code in it; you can run it directly to see the effect. It supports Objective-C runtime hooks and C function hooks via fishhook. AntiAntiDebug contains anti-anti-debugging code. fishhook is the automatically integrated fishhook module. Below, Frameworks already contains Reveal.framework and Cycript.framework.

Drag and drop the decrypted application to compile
Open an app assistant and pick the jailbreak version of the app in its game/app section; apps downloaded this way are already decrypted. Then open the TargetApp directory and copy the ipa file into it, as shown below: Then click Run.
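The MonkeyAppDylib described above is loaded into the re-signed target app and rebinds Objective-C methods (and, via fishhook, C symbols) from inside the process. The following is an added example, not code from MonkeyDev or from the original article, showing the mirror image from the target app's point of view: a startup check that lists Mach-O images dyld has loaded which are neither system libraries nor on the app's own framework allowlist, and that verifies a method's IMP still resolves into the app binary via dladdr. MessageReceiver, didReceiveMessage:, Example.framework and the allowlist contents are hypothetical placeholders.

```objective-c
// Added example (not part of MonkeyDev or the original article): a minimal
// runtime integrity check that notices the two tampering signals the article's
// tooling produces: an injected dylib in the process, and an Objective-C method
// whose implementation no longer lives in the app's own Mach-O image.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <mach-o/dyld.h>
#import <dlfcn.h>
#import <string.h>

// Relative paths (under the .app bundle) of libraries the app is known to ship.
// Hypothetical allowlist; in a real project generate it from the build output.
static NSSet<NSString *> *ExpectedBundledLibraries(void) {
    return [NSSet setWithArray:@[
        @"Frameworks/libswiftCore.dylib",
        @"Frameworks/Example.framework/Example",   // hypothetical vendored SDK
    ]];
}

// Walks every image dyld has loaded and returns those that come neither from a
// system location nor from the app's known framework list. A dylib added by
// re-signing (copied into Frameworks/ and referenced with a load command) shows
// up here because its relative path is not on the allowlist. Paths are compared
// exactly as dyld reports them; normalize both sides if your bundle path differs
// from the dyld spelling (e.g. /private/var vs /var).
NSArray<NSString *> *UnexpectedLoadedImages(void) {
    NSString *bundlePath = [[NSBundle mainBundle] bundlePath];
    NSString *executablePath = [[NSBundle mainBundle] executablePath];
    NSSet<NSString *> *allowed = ExpectedBundledLibraries();
    NSMutableArray<NSString *> *suspicious = [NSMutableArray array];

    uint32_t count = _dyld_image_count();
    for (uint32_t i = 0; i < count; i++) {
        const char *cname = _dyld_get_image_name(i);
        if (cname == NULL) continue;
        NSString *path = [NSString stringWithUTF8String:cname];

        if ([path isEqualToString:executablePath]) continue;                      // the app itself
        if ([path hasPrefix:@"/System/"] || [path hasPrefix:@"/usr/lib/"]) continue; // OS libraries
        if ([path hasPrefix:@"/Developer/"]) continue;                           // Xcode debug support

        if ([path hasPrefix:bundlePath]) {
            NSString *relative = [path substringFromIndex:bundlePath.length + 1];
            if ([allowed containsObject:relative]) continue;                     // shipped by us
        }
        [suspicious addObject:path];   // injected, sideloaded, or simply missing from the list
    }
    return suspicious;
}

// Reports whether the IMP currently bound to cls/sel lives in the same image as
// this function, i.e. in the app's own binary. A hook installed from an injected
// dylib (CaptainHook, MSHookMessageEx, method_setImplementation) replaces the IMP
// with a function inside that dylib, and dladdr reports that dylib's path.
BOOL MethodIsImplementedInAppBinary(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return NO;
    Dl_info impInfo = {0};
    Dl_info selfInfo = {0};
    if (dladdr((const void *)method_getImplementation(m), &impInfo) == 0) return NO;
    if (dladdr((const void *)&MethodIsImplementedInAppBinary, &selfInfo) == 0) return NO;
    return strcmp(impInfo.dli_fname, selfInfo.dli_fname) == 0;
}

// Hypothetical app class whose message handler is worth watching.
@interface MessageReceiver : NSObject
- (void)didReceiveMessage:(NSString *)text;
@end
@implementation MessageReceiver
- (void)didReceiveMessage:(NSString *)text { NSLog(@"received: %@", text); }
@end

// Call early in main(). Injected dylibs run their constructors before main, so
// their hooks are already in place by then. Treat the result as a signal to log
// or report to your backend, not as a local verdict.
void RunIntegrityChecks(void) {
    NSArray<NSString *> *images = UnexpectedLoadedImages();
    if (images.count > 0) NSLog(@"unexpected images loaded: %@", images);
    if (!MethodIsImplementedInAppBinary([MessageReceiver class], @selector(didReceiveMessage:)))
        NSLog(@"-[MessageReceiver didReceiveMessage:] is bound outside the app binary");
}
```

Two caveats a practitioner should keep in mind. fishhook rebinds lazy symbol pointers rather than Objective-C IMPs, so the dladdr check above does not see C function hooks; comparing the resolved address of an imported symbol against `dlsym` on its defining library covers that case. And because the check runs in the same process as the injected code, it can itself be hooked, which is exactly what the AntiAntiDebug module mentioned above demonstrates for anti-debugging checks; its value is as telemetry fed to a server-side decision, not as a client-side gate.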
After running, you can see from the console that the dynamic library has been injected successfully and Reveal has loaded. Of course, it also runs on the phone. Open Reveal on the Mac to view the interface structure of the application, as shown below. Cycript is also integrated by default: download the SDK from the Cycript official website, then go into the SDK directory and run the following command:
Get WeChat messages
Let's take a simple example of getting the messages received by WeChat to further introduce its use. First, open the MonkeyAppDylib.m file and write the following code at the bottom:
Then re-run to see the effect: Now you can happily develop non-jailbreak plugins and debug them directly!

Integrate the SDK using CocoaPods
Here, the Target should be set to the dynamic library rather than the App; then run pod install. Then change the following option back to Yes. Add the SDK initialization code to the MonkeyAppDylib.m file:
The result looks like this:

Non-jailbreak add-on store
Now that CocoaPods is supported, you can upload your own non-jailbreak plugins to CocoaPods and install them with one click through pod! Next, put the WeChat message plug-in written above into CocoaPods: create a new Cocoa Touch Framework project, add the header file CaptainHook.h and your own source file PrintWXMessage.m, and copy the above code, as shown in the following figure: Then package the framework into a zip (the zip must contain both the simulator and device architectures to pass local verification), and edit the PrintWXMessage.podspec file as follows:
Here, source points directly at the URL of the zip package, which contains the framework dynamic library generated above. Add the private CocoaPods repo:
Publish the PrintWXMessage package to a private Pod:
Modify the Podfile content as follows, then run pod install, and delete the WeChat message-printing code originally written in MonkeyAppDylib.m.
Run and you can see that the plug-in has been perfectly integrated!!! Please click here to view the MonkeyDev project address.