逆向工程一：逆向iOS桌面

当iPhone启动的时候，我们所看到的界面以及进行交互的界面是系统的springboard进程，bundle id为com.apple.springboard。通过ssh登录iPhonessh root@192.168.2.24, 查看进程信息ps -e | grep SpringBoard。

创建theos工程

创建tweak工程:/opt/theos/bin/nic.pl

NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/activator_event
[2.] iphone/application_modern
[3.] iphone/cydget
[4.] iphone/flipswitch_switch
[5.] iphone/framework
[6.] iphone/ios7_notification_center_widget
[7.] iphone/library
[8.] iphone/notification_center_widget
[9.] iphone/preference_bundle_modern
[10.] iphone/tool
[11.] iphone/tweak
[12.] iphone/xpc_service
Choose a Template (required):

选择11创建tweak工程

//项目名称    
Project Name (required): demo 
//项目的包名，即bundle id
Package Name [com.yourcompany.demo]: cc.onezen.demo
//开发者名称
Author/Maintainer Name [wz]: wz 
//需要注入的进程的 bundle id
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard
//deb包安装完成后需要重启的进程名字
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard    
Instantiating iphone/tweak in demo/...
Done.

theos工程文件

Makefile 默认生成信息如下

#theos通用头文件
include $(THEOS)/makefiles/common.mk
#项目名 -> Project Name
TWEAK_NAME = demo
#tweak包含的源文件，指定多个文件时用空格隔开
demo_FILES = Tweak.xm

#tweak工程的头文件，一般有application.mk、tweak.mk和tool.mk几类
include $(THEOS_MAKE_PATH)/tweak.mk

#安装之后，需要做的事情，这里是杀掉SpringBoard进程，SpringBoard是系统进程杀掉会重启
after-install::
install.exec "killall -9 com.apple.springboard"

tweak.xm文件：xm中的x代表这个文件支持Logos语法，如果后缀名是单独一个x，说明源文件支持Logos和C语法；如果后缀名是xm，说明源文件支持Logos和C/C++语法。

%hook 指定需要hook的class，必须以%end结尾
%log 该指令在%hook内部使用，将函数的类名、参数等信息写入syslog
%orig该指令在%hook内部使用，执行被hook的函数的原始代码

/* How to Hook with Logos
Hooks are written with syntax similar to that of an Objective-C @implementation.
You don't need to #include <substrate.h>, it will be done automatically, as will
the generation of a class list and an automatic constructor.

%hook ClassName

// Hooking a class method
+ (id)sharedInstance {
return %orig;
}

// Hooking an instance method with an argument.
- (void)messageName:(int)argument {
%log; // Write a message about this call, including its class, name and arguments, to the system log.

%orig; // Call through to the original function with its original arguments.
%orig(nil); // Call through to the original function with a custom argument.

// If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
}

// Hooking an instance method with no arguments.
- (id)noArguments {
%log;
id awesome = %orig;
[awesome doSomethingElse];

return awesome;
}

// Always make sure you clean up after yourself; Not doing so could have grave consequences!
%end
*/

control 文件记录了deb包所需的基本信息，会被打包进deb包里

Package: cc.onezen.demo
Name: demo
Depends: mobilesubstrate
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: wz
Author: wz
Section: Tweaks

手动安装包

根据上面介绍的默认生成的Makefile，是手动安装deb包的配置。

修改Tweak里的代码

%hook SpringBoard

- (void)_menuButtonDown:(struct __IOHIDEvent *)arg1 {
%orig;
 UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Hello" message:@"wz hook the iphone test" delegate:nil cancelButtonTitle:@"owesome" otherButtonTitles:nil, nil];
 [alert show];
 [alert release];
}
%end

编译：make

打包：make package

拷贝到iPhone scp packages/cc.onezen.demo_0.0.1-1+debug_iphoneos-arm.deb root@192.168.2.24:/tmp

切换到iphone上安装： dpkg -i /tmp/cc.onezen.demo_0.0.1-1+debug_iphoneos-arm.deb

重启springboard killall -9 SpringBoard。这时候会出现白苹果，几秒后会重新到桌面

点击home键，效果图

自动安装包

修改Makefile文件

#debug=0是release包
DEBUG = 0
#iphone的ip地址
THEOS_DEVICE_IP = 192.168.2.24
#当前包支持的cpu架构
ARCHS = armv7 arm64 
#支持的ios版本
TARGET = iphone:latest:8.0  
include $(THEOS)/makefiles/common.mk

TWEAK_NAME = demo
demo_FILES = Tweak.xm
#需要导入的库
demo_FRAMEWORKS = UIKit 
demo_PRIVATE_FRAMEWORKS = AppSupport
include $(THEOS_MAKE_PATH)/Tweak.mk

#clean 是指调用make clean的时执行的操作
after-install::
install.exec "killall -9 SpringBoard"
clean::
rm -rf ./packages/*
rm -rf ./.theos/*

编译make

安装make package install

输入两次密码后到桌面

➜  demo make package install
> Making all for tweak demo…
make[2]: Nothing to be done for `internal-library-compile'.
> Making stage for tweak demo…
dpkg-deb: warning: deprecated compression type 'lzma'; use xz instead
dpkg-deb: warning: ignoring 1 warning about the control file(s)
dpkg-deb: building package 'cc.onezen.demo' in './packages/cc.onezen.demo_0.0.1-2_iphoneos-arm.deb'.
==> Installing…
root@192.168.2.24's password: 
(Reading database ... 4547 files and directories currently installed.)
Preparing to unpack /tmp/_theos_install.deb ...
Unpacking cc.onezen.demo (0.0.1-2) over (0.0.1-1+debug) ...
Setting up cc.onezen.demo (0.0.1-2) ...
install.exec "killall -9 SpringBoard"
root@192.168.2.24's password:

deb包

删除原先的包 dpkg -r cc.onezen.demo 然后手动重启 killall -9 SpringBoard

查看包的结构：dpkg -c cc.onezen.demo_0.0.1-1+debug_iphoneos-arm.deb

drwxr-xr-x wz/staff          0 2017-09-21 18:19 ./
drwxr-xr-x wz/staff          0 2017-09-21 18:19 ./Library/
drwxr-xr-x wz/staff          0 2017-09-21 18:19 ./Library/MobileSubstrate/
drwxr-xr-x wz/staff          0 2017-09-21 18:19 ./Library/MobileSubstrate/DynamicLibraries/
-rwxr-xr-x wz/staff     116368 2017-09-21 18:19 ./Library/MobileSubstrate/DynamicLibraries/demo.dylib
-rw-r--r-- wz/staff         57 2017-09-21 18:19 ./Library/MobileSubstrate/DynamicLibraries/demo.plist

dpkg 打包的时候会把theos根目录下的layout文件夹，映射到安装的设备的根目录下。

脚本文件

 preinst
 在Deb包文件解包之前，运行的脚本。许多“preinst”脚本的任务是停止作用于待升级软件包的服务，直到软件包安装或升级完成。

 postinst
 该脚本的主要任务是完成安装包时的配置工作。许多“postinst”脚本负责执行有关命令为新安装或升级的软件重启服务。

 prerm
该脚本负责停止与软件包相关联的daemon服务。它在删除软件包关联文件之前执行。

 postrm
 该脚本负责修改软件包链接或文件关联，或删除由它创建的文件。

LeavesLife`s blog & note