{"id":15127488,"url":"https://github.com/urinx/iosapphook","last_synced_at":"2025-05-15T17:05:47.448Z","repository":{"id":52241438,"uuid":"61122405","full_name":"Urinx/iOSAppHook","owner":"Urinx","description":"专注于非越狱环境下iOS应用逆向研究，从dylib注入，应用重签名到App Hook","archived":false,"fork":false,"pushed_at":"2018-12-14T02:59:42.000Z","size":16279,"stargazers_count":2423,"open_issues_count":27,"forks_count":453,"subscribers_count":107,"default_branch":"master","last_synced_at":"2025-05-15T17:05:41.973Z","etag":null,"topics":["cycript","dylib","hooks","ios"],"latest_commit_sha":null,"homepage":"","language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Urinx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-06-14T12:50:00.000Z","updated_at":"2025-05-15T15:39:37.000Z","dependencies_parsed_at":"2022-08-26T05:40:41.297Z","dependency_job_id":null,"html_url":"https://github.com/Urinx/iOSAppHook","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Urinx%2FiOSAppHook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Urinx%2FiOSAppHook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Urinx%2FiOSAppHook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Urinx%2FiOSAppHook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Urinx","download_url":"https://codeload.github.com/Urinx/iOSAppHook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254384988,"owners_count":22062422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cycript","dylib","hooks","ios"],"created_at":"2024-09-26T02:04:01.394Z","updated_at":"2025-05-15T17:05:42.439Z","avatar_url":"https://github.com/Urinx.png","language":"Swift","readme":"# iOSAppHook [![star this repo](http://github-svg-buttons.herokuapp.com/star.svg?user=Urinx\u0026repo=iOSAppHook\u0026style=flat\u0026background=1081C1)](http://github.com/Urinx/iOSAppHook) [![fork this repo](http://github-svg-buttons.herokuapp.com/fork.svg?user=Urinx\u0026repo=iOSAppHook\u0026style=flat\u0026background=1081C1)](http://github.com/Urinx/iOSAppHook/fork) ![platform](https://img.shields.io/badge/platform-Xcode%208.1%20\u0026%20iOS%2010-lightgrey.svg) [![download](https://img.shields.io/github/downloads/Urinx/iOSAppHook/total.svg)](https://github.com/Urinx/iOSAppHook/releases)\n专注于非越狱环境下iOS应用逆向研究，从dylib注入，应用重签名到App Hook。\n\n\u003e 注意！本文所有操作均在以下环境下成功进行，不同平台或环境可能存在某些问题，欢迎大家在[issue](https://github.com/Urinx/iOSAppHook/issues)中提出问题以及相互讨论。\n\u003e \n\u003e Mac OS X 10.11.6 (15G12a) - macOS Sierra 10.12.4 (16E144f)\u003cbr\u003e\n\u003e Xcode 7.3.1 (7D1014) - 8.1 (8B62) \u003cbr\u003e\n\u003e iPhone 5s, iOS 9.3.3 (13G21) - iOS 10.3 (14E5230e) \u003cbr\u003e\n\u003e 免费开发者账号 \u003cbr\u003e\n\u003e 示例App：微信 6.3.19.18 - 6.5.4\n\n## 目录\n* [前言](#前言)\n* [应用脱壳](#应用脱壳)\n* [应用重签名](#应用重签名)\n* [安装iOSOpenDev](#安装iOSOpenDev)\n* [App Hook](#App Hook)\n* [一个简单的CaptainHook载入Cycript](#一个简单的CaptainHook载入Cycript)\n* [使用Reveal调试微信的App界面](#使用Reveal调试微信的App界面)\n* [后续](#后续)\n* [常见问题](#常见问题)\n* [参考链接](#参考链接)\n\n## 前言\n提到非越狱环境下`App Hook`大家早就已经耳熟能详，已经有很多大神研究过，这方面相关的资料和文章也能搜到很多。我最早是看到乌云知识库上[蒸米](http://drops.wooyun.org/author/蒸米)的文章才对这方面有所了解，当时就想试试，整个过程看似简单（大神总是一笔带过），然而当自己真正开始动手时一路上遇到各种问题（一脸懵逼），在[iOSRE论坛](http://bbs.iosre.com)上也看到大家遇到的各种问题，其实阻扰大家的主要是一些环境的搭建以及相关配置没设置好，结果导致dylib编译过程各种错误，重签名不成功，各种闪退等。所以本文里的每一步操作都会很详细的交代，确保大家都能操作成功。\n\n## 应用脱壳\n我们知道，App Store里的应用都是加密了的，直接拿上来撸是不正确的，所以在此之前一般会有这么一个砸壳的过程，其中用到的砸壳工具就是[dumpdecrypted](https://github.com/stefanesser/dumpdecrypted)，其原理是让app预先加载一个解密的dumpdecrypted.dylib，然后在程序运行后，将代码动态解密，最后在内存中dump出来整个程序。然而砸壳是在越狱的环境下进行的，鉴于本文主要关注点在非越狱环境下，再者我手里也没有越狱设备（有就不会这么蛋疼了）。\n\n所以这里我们选择的是直接从PP助手等各种xx助手里面下载，注意的是这里下载的是越狱应用（不是正版应用），也就是所谓的脱过壳的应用。\n\n为了谨慎起见，这里我们还需要确认一下从xx助手里下载的应用是否已解密，毕竟有好多应用是只有部分架构被解密，还有就是Watch App以及一些扩展依然加密了，所以最好还是确认一下，否则的话，就算hook成功，签名成功，安装成功，app还是会闪退。\n\n首先，找到应用对应的二进制文件，查看包含哪些架构：\n```\n\u003e file WeChat.app/WeChat\nWeChat.app/WeChat: Mach-O universal binary with 2 architectures\nWeChat.app/WeChat (for architecture armv7):\tMach-O executable arm\nWeChat.app/WeChat (for architecture arm64):\tMach-O 64-bit executable\n```\n可以看到微信包含两个架构，armv7和arm64。关于架构与设备之间的对应关系可以从[iOS Support Matrix](http://iossupportmatrix.com)上查看。理论上只要把最老的架构解密就可以了，因为新的cpu会兼容老的架构。\n\n`otool`可以输出app的load commands，然后通过查看cryptid这个标志位来判断app是否被加密。1代表加密了，0代表被解密了：\n```\n\u003e otool -l WeChat.app/WeChat | grep -B 2 crypt\n          cmd LC_ENCRYPTION_INFO\n      cmdsize 20\n     cryptoff 16384\n    cryptsize 40534016\n      cryptid 0\n--\n          cmd LC_ENCRYPTION_INFO_64\n      cmdsize 24\n     cryptoff 16384\n    cryptsize 43663360\n      cryptid 0\n```\n可以看到微信已经被解密了，第一个对应的是较老的armv7架构，后者则是arm64架构。\n\n鉴于微信是一个多targets的应用，包含一个Watch App和一个分享扩展。所以同理，我们还需要依次确认以下二进制文件，这里就跳过了。\n```\nWeChat.app/Watch/WeChatWatchNative.app/WeChatWatchNative\nWeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex/WeChatWatchNativeExtension\nWeChat.app/PlugIns/WeChatShareExtensionNew.appex/WeChatShareExtensionNew\n```\n\n## 应用重签名\n在第二部分我们将要进行的是应用重签名，注意这里并不是按照整个操作流程的顺序来讲，而是跳过编译dylib，因为我觉得如果现在你没有把重签名拿下的话，写tweak写hook都是白搭。所以从这里在开始，我们不需要对App进行任何修改和处理，仅仅对其进行重签名，然后将其安装到设备上能够正常的运行。再次提醒的是重签名用的是脱壳后的App，加密的App重签名成功安到设备上也会闪退。\n\n关于iOS应用重签名的文章有很多，签名方法都是一样，个别地方会有些小出入，然后按照里面给出的步骤手动一步一步的来操作，不知道是由于免费的开发者证书的原因还是哪一步漏掉了或者是什么其它的原因，总之就是不成功。就在一筹莫展的时候，偶然发现了一个名为[iOS App Signer](https://github.com/DanTheMan827/ios-app-signer)的Mac上的应用，这款重签名工具能够用免费的开发者账号重签名应用。我试了下，用这个工具重签名了一个应用，并且成功安装到手机上，尽管打开时闪退，但至少总算能安装到设备上去了。\n\n看到签名成功心里一阵高兴，并且由于该应用开源，于是就到Github上阅读源码看其具体的实现。该应用是用Swift语音所写，代码量也不多，阅读起来没有问题。由于整个操作都是在终端下进行的，从终端到图形界面来回切换实在是麻烦，所以在其代码基础上稍作修改写了一个`Command Line Tool`工具在命令行下使用。\n\n下面就来具体交代下这个重签名工具到底做了什么。\n\n**1. 获取到本地上的开发者签名证书和所有的Provisioning文件**\n\n获取本机上的Provisioning文件主要是调用了`populateProvisioningProfiles()`方法，该方法调用了`ProvisioningProfile.getProfiles()`将结果封装到`ProvisioningProfile`结构体中以数组的形式返回，并对其结果做了一个刷选，去掉了那些过期的证书。\n\n```\nstruct ProvisioningProfile {\n    ...\n    static func getProfiles() -\u003e [ProvisioningProfile] {\n        var output: [ProvisioningProfile] = []\n        \n        let fileManager = NSFileManager()\n        if let libraryDirectory = fileManager.URLsForDirectory(.LibraryDirectory, inDomains: .UserDomainMask).first, libraryPath = libraryDirectory.path {\n            let provisioningProfilesPath = libraryPath.stringByAppendingPathComponent(\"MobileDevice/Provisioning Profiles\") as NSString\n            \n            if let provisioningProfiles = try? fileManager.contentsOfDirectoryAtPath(provisioningProfilesPath as String) {\n                for provFile in provisioningProfiles {\n                    if provFile.pathExtension == \"mobileprovision\" {\n                        let profileFilename = provisioningProfilesPath.stringByAppendingPathComponent(provFile)\n                        if let profile = ProvisioningProfile(filename: profileFilename) {\n                            output.append(profile)\n                        }\n                    }\n                }\n            }\n        }\n        return output\n    }\n    ...\n}\n```\n简单点用shell表示就是，先列出所有的`~/Library/MobileDevice/Provisioning Profiles`路径下所有的后缀为`.mobileprovision`的文件，然后依次获取文件的信息（plist格式）。\n```\nsecurity cms -D -i \"~/Library/MobileDevice/Provisioning Profiles/xxx.mobileprovision\"\n```\n\n获取开发者签名证书：\n```\nfunc populateCodesigningCerts() {\n    var output: [String] = []\n    \n    let securityResult = NSTask().execute(securityPath, workingDirectory: nil, arguments: [\"find-identity\",\"-v\",\"-p\",\"codesigning\"])\n    if securityResult.output.characters.count \u003e= 1 {\n        let rawResult = securityResult.output.componentsSeparatedByString(\"\\\"\")\n        \n        for index in 0.stride(through: rawResult.count - 2, by: 2) {\n            if !(rawResult.count - 1 \u003c index + 1) {\n                output.append(rawResult[index+1])\n            }\n        }\n    }\n    self.codesigningCerts = output\n    \n    Log(\"Found \\(output.count) Codesigning Certificates\")\n}\n```\n以上代码相当于：\n```\n\u003e security find-identity -v -p codesigning\n1) 1234567890123456789012345678901234567890 \"iPhone Developer: XXX (xxxxxxxxxx)\"\n2) 1234567890123456789012345678901234567890 \"Mac Developer: XXX (xxxxxxxxxx)\"\n```\n\n**2. 一些准备工作**\n\n创建临时目录，`makeTempFolder()`方法：\n```\n\u003e mktemp -d -t com.eular.test\n/var/folders/qr/8_n21zhd4f993khcsh_qll000000gp/T/com.eular.test.6aHPpdBZ\n```\n\n处理不同格式的输入文件，包括`deb`，`ipa`，`app`，`xcarchive`：\n```\ndeb -\u003e ar -x xxx.deb -\u003e tar -xf xxx.tar -\u003e mv Applications/ -\u003e Payload/\nipa -\u003e unzip -\u003e Payload/\napp -\u003e copy -\u003e Payload/\nxcarchive -\u003e copy .xcarchive/Products/Applications/ -\u003e Payload/\n```\n\n**3. 重签名**\n\n首先，复制provisioning文件到app目录里：\n```\ncp xxx.mobileprovision Payload/xxx.app/embedded.mobileprovision\n```\n\n根据provisioning文件导出entitlements.plist：\n```\nif provisioningFile != nil || useAppBundleProfile {\n    print(\"Parsing entitlements\")\n                    \n    if let profile = ProvisioningProfile(filename: useAppBundleProfile ? appBundleProvisioningFilePath : provisioningFile!){\n        if let entitlements = profile.getEntitlementsPlist(tempFolder) {\n            Log(\"–––––––––––––––––––––––\\n\\(entitlements)\")\n            Log(\"–––––––––––––––––––––––\")\n            do {\n                try entitlements.writeToFile(entitlementsPlist, atomically: false, encoding: NSUTF8StringEncoding)\n                Log(\"Saved entitlements to \\(entitlementsPlist)\")\n            } catch let error as NSError {\n                Log(\"Error writing entitlements.plist, \\(error.localizedDescription)\")\n            }\n        } else {\n            Log(\"Unable to read entitlements from provisioning profile\")\n            warnings += 1\n        }\n        if profile.appID != \"*\" \u0026\u0026 (newApplicationID != \"\" \u0026\u0026 newApplicationID != profile.appID) {\n            Log(\"Unable to change App ID to \\(newApplicationID), provisioning profile won't allow it\")\n            cleanup(tempFolder); return\n        }\n    } else {\n        Log(\"Unable to parse provisioning profile, it may be corrupt\")\n        warnings += 1\n    }\n    \n}\n```\n\n修复可执行文件的权限：\n```\nif let bundleExecutable = getPlistKey(appBundleInfoPlist, keyName: \"CFBundleExecutable\"){\n    NSTask().execute(chmodPath, workingDirectory: nil, arguments: [\"755\", appBundlePath.stringByAppendingPathComponent(bundleExecutable)])\n}\n```\n\n替换所有Info.plist里的`CFBundleIdentifier`：\n```\nif let oldAppID = getPlistKey(appBundleInfoPlist, keyName: \"CFBundleIdentifier\") {\n                        \n    func changeAppexID(appexFile: String){\n        \n        func shortName(file: String, payloadDirectory: String) -\u003e String {\n            return file.substringFromIndex(payloadDirectory.endIndex)\n        }\n        \n        let appexPlist = appexFile.stringByAppendingPathComponent(\"Info.plist\")\n        if let appexBundleID = getPlistKey(appexPlist, keyName: \"CFBundleIdentifier\"){\n            let newAppexID = \"\\(newApplicationID)\\(appexBundleID.substringFromIndex(oldAppID.endIndex))\"\n            print(\"Changing \\(shortName(appexFile, payloadDirectory: payloadDirectory)) id to \\(newAppexID)\")\n            \n            setPlistKey(appexPlist, keyName: \"CFBundleIdentifier\", value: newAppexID)\n        }\n        if NSTask().execute(defaultsPath, workingDirectory: nil, arguments: [\"read\", appexPlist,\"WKCompanionAppBundleIdentifier\"]).status == 0 {\n            setPlistKey(appexPlist, keyName: \"WKCompanionAppBundleIdentifier\", value: newApplicationID)\n        }\n        recursiveDirectorySearch(appexFile, extensions: [\"app\"], found: changeAppexID)\n    }\n    \n    recursiveDirectorySearch(appBundlePath, extensions: [\"appex\"], found: changeAppexID)\n}\n...\n```\n\n然后对所有的`dylib`，`so`，`0`，`vis`，`pvr`，`framework`，`appex`，`app`以及`egg`文件用`codesign`命令进行签名。代码略长，此处不写。\n\n**4. 打包**\n\n最后将上述目录用zip打包成ipa文件就可以了。\n\n**5. 安装ipa文件**\n\n这里用到的是`mobiledevice`工具，执行下列命令安装ipa文件到手机上：\n```\n./mobiledevice install_app xxx.ipa\n```\n当然，你也可以使用`ideviceinstaller`工具。\n```\n./ideviceinstaller -i xxx.ipa\n```\n\n总之，上述步骤较多，主要集中在前4个步骤上，不建议自己操作，你可以选择使用图形界面的`iOS App Signer`应用，也可以使用我提供的根据其开源代码写的命令行工具，`AppResign`，你可以直接下载编译好的[二进制文件](https://github.com/Urinx/iOSAppHook/releases)。\n\n使用方法：\n```\n./AppResign input out\n```\n\n这里以微信为例，我们一开始直接对其重签名，总是不成功，我猜问题主要在里面的Watch App上。于是乎便采取的最简单粗暴的方法，解压ipa文件，将`WeChat.app`里面的`Watch`文件夹，连同`PlugIns`文件夹一起删去。再用`AppResign`重签名，如图所示：\n\n![AppResign](Screenshot/AppResign.png)\n\n这时候将其安装到设备上，成功，并能够正常的打开。至此，这一步就大功告成了。\n\n最后一点要注意的是，由于中国的开发者利用免费的证书大量对应用进行重签名，所以目前苹果加上了许多限制，免费开发者的provisioning证书有效时间从之前的30天改为7天，过期后需要重新签名。另外就是一个星期内最多只能申请到10个证书。\n\n## 安装iOSOpenDev\n如果上面的重签名步骤你能够成功的进行，接下来便开始考虑搭建编写dylib的越狱开发环境了。这里我们选择的是iOSOpenDev这个越狱开发平台工具，该工具集成到Xcode里面，提供了编写越狱应用插件的各种模版。所以下面就讲讲如何以正确的姿势安装iOSOpenDev。\n\n一般一开始我们会去其官网上下载了一个pkg安装文件然后点击安装，结果一般会安装失败，接下来就开始尝试了各种姿势。其实那个pkg安装文件也没干啥，就是执行了一个iod-setup脚本，好吧于是就手工执行了这个脚本，发现其中下载github上的东西老是失败，然后翻了个墙，然后就好了。。。\n```\nsudo ./iod-setup base\nsudo ./iod-setup sdk -sdk iphoneos\n```\n\n执行第二步会出现一个错误就是链接iOS 9.3的private framework失败，主要是在9.3的SDK里去掉了private framework。\n```\nPrivateFramework directory not found: /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS9.3.sdk/System/Library/PrivateFrameworks\n```\n\n解决办法：\n\n    1. 在[这里](https://jbdevs.org/sdks/)下载9.2的SDK。\n    2. 解压后放到/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs。\n    3. 你可以把9.2里面的PrivateFrameworks文件夹复制到9.3对应的位置里path/to/iPhoneOS9.3.sdk/System/Library/。\n    4. 或者是修改/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Info.plist文件，将`MinimumSDKVersion`改为9.2。\n    5. 再次运行`sudo ./iod-setup sdk -sdk iphoneos`命令。\n\n![iOSOpenDev](Screenshot/iOSOpenDev.png)\n\n新建个CaptainHook连上设备编译一下，就可以发现编译成功了。\n\n## App Hook\n在这部分里，我们便开始动手编写dylib并将其注入到目标应用中。首先打开Xcode，新建一个项目，模版选择iOSOpenDev里的CaptainHook Tweak，项目名为hook。\n\n删除hook.mm文件里的模版内容，替换为以下内容：\n```\n__attribute__((constructor)) static void entry() {\n    NSLog(@\"hello, world!\");\n}\n```\n`Cmd+B`编译，打开LatestBuild文件夹，得到编译好的dylib文件。\n\n使用[yololib](https://github.com/KJCracks/yololib)工具对对二进制文件进行dylib的注入。\n```\n\u003e./yololib WeChat.app/WeChat hook.dylib\n2016-06-16 07:35:06.014 yololib[49519:642763] dylib path @executable_path/hook.dylib\n2016-06-16 07:35:06.016 yololib[49519:642763] dylib path @executable_path/hook.dylib\nReading binary: WeChat.app/WeChat\n\n2016-06-16 07:35:06.016 yololib[49519:642763] FAT binary!\n2016-06-16 07:35:06.016 yololib[49519:642763] Injecting to arch 9\n2016-06-16 07:35:06.016 yololib[49519:642763] Patching mach_header..\n2016-06-16 07:35:06.016 yololib[49519:642763] Attaching dylib..\n\n2016-06-16 07:35:06.016 yololib[49519:642763] Injecting to arch 0\n2016-06-16 07:35:06.016 yololib[49519:642763] 64bit arch wow\n2016-06-16 07:35:06.016 yololib[49519:642763] dylib size wow 56\n2016-06-16 07:35:06.017 yololib[49519:642763] mach.ncmds 75\n2016-06-16 07:35:06.017 yololib[49519:642763] mach.ncmds 76\n2016-06-16 07:35:06.017 yololib[49519:642763] Patching mach_header..\n2016-06-16 07:35:06.017 yololib[49519:642763] Attaching dylib..\n\n2016-06-16 07:35:06.017 yololib[49519:642763] size 51\n2016-06-16 07:35:06.017 yololib[49519:642763] complete!\n```\n\n注入成功后可以用MachOView程序查看整个MachO文件的结构，比如在`Load Commands`这个数据段里，可以看到`LC_LOAD_DYLIB`加载动态库。我们使用MachOView打开，可以看到已经被注入hook.dylib，如图所示。\n\n![MachOView](Screenshot/MachOView.png)\n\n别忘了，我们还需要将我们注入的dylib文件放到WeChat.app目录下。\n```\ncp hook.dylib WeChat.app/\n```\n\n接下来就是之前的老套路了，先重签名然后安装到设备上。安装完后，我们用idevicesyslog查看log信息。在命令行中输入命令：\n```\nidevicesyslog\n```\n然后打开我们修改过的微信应用，可以看到如下图的log输出信息。\n\n![Log1](Screenshot/Log1.png)\n\n可以看到`hello, world!`成功输出，表示我们的dylib的代码已经能够执行。\n\n## 一个简单的CaptainHook载入Cycript\n当然不可能一个NSLog结束了，所以接下来我们将编写一个dylib来载入Cycript工具方便我们以后调试目标应用。\n\n新建一个CaptainHook，项目名为loadCycript。首先，导入`Cycript.framework`，另外还需要导入其依赖的`JavaScriptCore.framework`，`libsqlite3.0.tbd`和`libstdc++.6.0.9.tbd`。\n\n然后，在Build Settings里面的搜索bitcode，将`Enable Bitcode`选项设为`NO`。\n\n![bitcode](Screenshot/bitcode.png)\n\n一开始编写loadCycript.mm文件的内容是这样的：\n```\n#import \u003cCycript/Cycript.h\u003e\n#import \u003cCaptainHook/CaptainHook.h\u003e\n\n#define CYCRIPT_PORT 8888\n\nCHDeclareClass(AppDelegate);\nCHDeclareClass(UIApplication);\n\nCHOptimizedMethod2(self, void, AppDelegate, application, UIApplication *, application, didFinishLaunchingWithOptions, NSDictionary *, options)\n{\n    CHSuper2(AppDelegate, application, application, didFinishLaunchingWithOptions, options);\n    \n    NSLog(@\"## Start Cycript ##\");\n    CYListenServer(CYCRIPT_PORT);\n}\n\n__attribute__((constructor)) static void entry() {\n    CHLoadLateClass(AppDelegate);\n    CHHook2(AppDelegate, application, didFinishLaunchingWithOptions);\n}\n```\n上述代码hook了AppDelegate里的`application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)`方法，在该方法里开启Cycript并绑定到8888端口。\n\n编译该项目生成dylib文件，注入到微信App中，重签名后安装到手机里，然后在idevicesyslog输出的日志里看看有没有我们输出的信息，结果找了半天，嗯哼，还真没有。。。\n\n问题出在哪了呢，难道是`application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)`这个方法没有hook成功吗？好吧，随后又试了试hook`applicationDidEnterBackground`等方法，结果没一个成功，然后就一脸懵逼了，此时第一反应就是不会没有`AppDelegate`这个类吧。\n\n没办法，只有导出微信的头文件看看了。\n```\nclass-dump -H -o header WeChat.app/WeChat\n```\n结果一看，还真没有(°_°)… 通过搜索关键字`AppDelegate`终于找到了其真身`MicroMessengerAppDelegate`，虽说穿了个马甲，但依然还是它。\n\n![MicroMessengerAppDelegate](Screenshot/MicroMessengerAppDelegate.png)\n\n该有的方法都有，这样我就放心了。于是对之前的代码稍作修改就可以了。\n```\n#import \u003cCycript/Cycript.h\u003e\n#import \u003cCaptainHook/CaptainHook.h\u003e\n\n#define CYCRIPT_PORT 8888\n\nCHDeclareClass(UIApplication);\nCHDeclareClass(MicroMessengerAppDelegate);\n\nCHOptimizedMethod2(self, void, MicroMessengerAppDelegate, application, UIApplication *, application, didFinishLaunchingWithOptions, NSDictionary *, options)\n{\n    CHSuper2(MicroMessengerAppDelegate, application, application, didFinishLaunchingWithOptions, options);\n    \n    NSLog(@\"## Start Cycript ##\");\n    CYListenServer(CYCRIPT_PORT);\n}\n\n\nCHConstructor {\n    @autoreleasepool {\n        CHLoadLateClass(MicroMessengerAppDelegate);\n        CHHook2(MicroMessengerAppDelegate, application, didFinishLaunchingWithOptions);\n    }\n}\n```\n再跑一遍，这会我们就能在log日志里能看到Cycript成功开启的消息了。\n\n![Log2](Screenshot/Log2.png)\n\n我们用Cycript远程连上去调试看看，比如说修改发现页的tableView背景颜色。\n\n![Cycript](Screenshot/Cycript.png)\n\n![wechat](Screenshot/wechat.png)\n\n注：本文中用到的AppResign重签名工具，以及编译好的loadCycript.dylib可以在[这里](https://github.com/Urinx/iOSAppHook/releases)下载。\n\n## 使用Reveal调试微信的App界面\nReveal这个调试应用UI界面的神器这里就不再介绍了，本文所有的相关资料都在参考链接里请自行查看。\n\n首先从Reveal应用中找到提供的静态库文件。\n\n![wechat](Screenshot/Reveal0.png)\n\n将`Reveal.framework`从`Build Phase`里面的`Link Binary`里面去掉，然后添加其它的相关依赖库: `UIKit.framework`，`CoreGraphics.framework`，`QuartzCore.framework`，`CFNetwork.framework`，`libz.tbd`。\n\n接着在`Build Settings`里面搜索`Other Linker Flags`，将其设置为：\n```\n-ObjC -lz -framework Reveal\n```\n\n![wechat](Screenshot/Reveal1.png)\n\n接下来编译项目就可以了，你甚至都不用写一句代码。编译好的dylib按照前面说的方法注入到微信App中，打开Reveal应用就可以连接上手机了。\n\n![wechat](Screenshot/Reveal2.png)\n\n注：编译好的Reveal.dylib以及Cycript和Reveal结合的dylib都可以在[这里](https://github.com/Urinx/iOSAppHook/releases)下载。\n\n## 后续\n至于之后该做什么，你想干嘛就干嘛。Cycript在手，天下我有，Reveal一出，谁与争锋。你可以使用Class-dump工具dump出应用的头文件，或者是将二进制文件拖到ida或hopper里面反汇编分析，写tweak插件，实现各种姿势抢红包等等，本文就不讨论这些了。\n\n## 常见问题\n\n**1. Invalid or unsupported format for signature**\n\n一般我们拿到越狱脱壳后的应用什么都不做直接重签名后时是可以成功安装的，然而一旦注入dylib之后再进行重签名时就可能遇到此错误，原因一般出在注入dylib过程中。\n\n例如，在国内某助手的越狱应用商店上下载了一个`6.5.3`版本的微信，通过`file`命令可以看到可执行文件里还包含了一个奇葩的`x86_64`指令集（你确定这不是模拟器上跑的）：\n\n```bash\n\u003e file WeChat.app/WeChat\nWeChat.app/WeChat: Mach-O universal binary with 2 architectures: [arm_v7: Mach-O executable arm_v7] [x86_64]\nWeChat.app/WeChat (for architecture armv7): Mach-O executable arm_v7\nWeChat.app/WeChat (for architecture x86_64):    Mach-O 64-bit executable x86_64\n```\n\n挂上dylib后再重签名就报错了：\n\n![problem_0](Screenshot/problem_0.png)\n\n如果用`MachOView`软件看看是否注入成功，可以发现在`x86_64`上出错了。\n\n![problem_1](Screenshot/problem_1.png)\n\n这个不能怪我咯，要怪只能怪`yololib`工具了。\n\n**2. 应用只有一个指令集**\n\n在重签名`3.4.0`版本的`Malody`应用时，通过`file`命令可以看到该执行文件只有一个`armv7`指令集：\n\n```bash\n\u003e file Malody.app/Malody\\ Mobile \nMalody.app/Malody Mobile: Mach-O universal binary with 1 architecture: [arm_v7: Mach-O executable arm_v7]\nMalody.app/Malody Mobile (for architecture armv7):  Mach-O executable arm_v7\n```\n\n如果此时对其重签名则会报如下错误：\n\n![problem_2](Screenshot/problem_2.png)\n\n解决方法是在执行`codesign`命令时需要指定选项`-a armv7`，不然默认的参数是`--all-architectures`。此bug已修复，如遇到此问题，请使用最新版的AppResign。\n\n## 参考链接\n之前看的都没记录，下列都是后来想到才记下来的。\n\n蒸米的iOS冰与火之歌系列：\n- http://drops.wooyun.org/author/蒸米\n- http://drops.wooyun.org/papers/12803\n- http://drops.wooyun.org/papers/13824\n\n微信重签名相关：\n- https://testerhome.com/topics/4558\n- http://www.jianshu.com/p/3f57d51f770a/comments/1757000\n- http://iosre.com/t/topic/2966\n- http://bbs.iosre.com/t/targets-app/2664/15\n\niOSOpenDev：\n- https://github.com/wzqcongcong/iOSOpenDev\n- http://www.aichengxu.com/view/6004431\n- http://bbs.iosre.com/t/xcode7-iosopendev-iosopendev-ios9/1963\n- http://bbs.iosre.com/t/xcode-7-3-ios-9-3-sdk-theos-private-framework/3200\n\nReveal\n- http://blog.devzeng.com/blog/ios-reveal-integrating.html\n- http://support.revealapp.com/kb/getting-started/integrating-reveal-with-your-ios-app\n- https://github.com/QQVIPTeam/practice-of-ios/issues/10\n- https://hurui.gitbooks.io/reveal-debug/content/noModify.html\n\n其它：\n- http://apple.stackexchange.com/questions/213440/remotely-distribute-an-ios-app-compiled-in-xcode-7-without-app-store-developer\n- https://gist.github.com/chaitanyagupta/9a2a13f0a3e6755192f7\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Furinx%2Fiosapphook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Furinx%2Fiosapphook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Furinx%2Fiosapphook/lists"}