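A few days ago I came across a nice third-party debugging library on GitHub, DBDebugToolkit. It is meant to be used in a development environment, but as a reverse-engineering beginner I wanted to practice by adding it to other App Store apps through a tweak.
Environment:
- iPhone 6s (jailbroken)
- iOS 9.3.1
- Target app: Instagram
1. Packaging the static library
If you add a third-party open-source library directly to a tweak, you have to list every .m file in the Makefile, which is too much trouble, so I felt it would be more convenient to package the library as a framework or a static library. At first I wanted to package it as a framework and added it following an expert's article, but for some unknown reason it would never load.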
Reason: image not found
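In the end I could not solve it and had to fall back on a static library. I generated the static library following the method here, and after adding it to the tweak it loaded normally.
Note: by default the project does not load the categories in a static library, and this library happens to use a lot of categories, so you need to add `tweakName_LDFLAGS += -all_load` to the Makefile for the categories to be loaded.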
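A minimal Theos Makefile for the static-library setup described above, as an added example rather than the author's own file. The tweak name `InsDebug`, the `include/` and `lib/` directories, the archive name `libDBDebugToolkit.a` and the framework list are assumptions; the commented `-force_load` line is a narrower alternative to `-all_load`.

```makefile
# Added example: the names and paths below are assumptions, not the original project's.
ARCHS = arm64
TARGET = iphone:latest:9.0

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = InsDebug
InsDebug_FILES = Tweak.xm

# Headers of the prebuilt library (hypothetical location inside the tweak project).
InsDebug_CFLAGS = -I./include

# Frameworks used by the tweak and the library; extend as the link step requires.
InsDebug_FRAMEWORKS = UIKit Foundation

# Search path and name of the static archive (lib/libDBDebugToolkit.a).
InsDebug_LDFLAGS += -L./lib -lDBDebugToolkit

# The linker only pulls in archive members that resolve an undefined symbol.
# An object file that contains only categories exports no symbol that anything
# refers to, so it is dropped and its methods are missing at run time.
# -all_load keeps every member of every static archive on the link line.
InsDebug_LDFLAGS += -all_load

# Narrower alternative: keep every member of this one archive only.
# InsDebug_LDFLAGS += -force_load ./lib/libDBDebugToolkit.a

include $(THEOS_MAKE_PATH)/tweak.mk
```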
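2. Adding the bundle
DBDebugToolkit uses a lot of xibs and storyboards to create its views, so these files also need to be added to the tweak. The original code uses a bundle, so we package a bundle as well and add it to the tweak:
Because the bundle's location has changed, the library's source code also needs to be changed: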
```objc
+ (instancetype)debugToolkitBundle {
    // Original lookup relative to the library's own bundle, disabled:
    // NSBundle *podBundle = [NSBundle bundleForClass:[DBDebugToolkit class]];
    // NSURL *bundleURL = [podBundle URLForResource:@"DBDebugToolkit" withExtension:@"bundle"];
    // return [NSBundle bundleWithURL:bundleURL];

    // Load the resources from the bundle's new fixed location on the device.
    NSBundle *podBundle = [NSBundle bundleWithPath:@"/InsBundle/DBDebug.bundle"];
    return podBundle;
}
```
3. Hooking and configuring DBDebugToolkit
Hook the app's AppDelegate method to configure DBDebugToolkit:
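```objc
%hook AppDelegate
// Set up the toolkit when the app finishes launching, then run the original implementation.
- (_Bool)application:(id)arg1 didFinishLaunchingWithOptions:(id)arg2 {
    [DBDebug setup];
    return %orig;
}
%end
```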
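Also: for some unknown reason, calls to DBDebugToolkit's `+ (IMP)replaceMethodWithSelector:(SEL)originalSelector block:(id)block` method never succeeded, so I modified the source code again, and Tweak.xm also needs to hook some other methods (if any expert knows the reason, feel free to leave a comment):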
```objc
@implementation UIView (DBUserInterfaceToolkit)
#pragma mark - Method swizzling

// Work the library used to do inside its swizzled initializers; now called from the Tweak.xm hooks.
- (void)hookInitMethod {
    [self db_refreshDebugBorders];
    [self db_registerForNotifications];
}

// Work the library used to do inside its swizzled dealloc; now called from the Tweak.xm hook.
- (void)hookDellocMethod {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

//+ (void)load {
//    static dispatch_once_t onceToken;
//    dispatch_once(&onceToken, ^{
//        __block IMP originalInitWithCoderIMP = [self replaceMethodWithSelector:@selector(initWithCoder:)
//                                                                           block:^UIView * (UIView *blockSelf, NSCoder *aDecoder) {
//            UIView *res = ((UIView * (*)(id, SEL, NSCoder *))originalInitWithCoderIMP)(blockSelf, @selector(initWithCoder:), aDecoder);
//            [res db_refreshDebugBorders];
//            [res db_registerForNotifications];
//            return res;
//        }];
//        __block IMP originalInitWithFrameIMP = [self replaceMethodWithSelector:@selector(initWithFrame:)
//                                                                           block:^UIView * (UIView *blockSelf, CGRect frame) {
//            UIView *res = ((UIView * (*)(id, SEL, CGRect))originalInitWithFrameIMP)(blockSelf, @selector(initWithCoder:), frame);
//            [res db_refreshDebugBorders];
//            [res db_registerForNotifications];
//            return res;
//        }];
//        __block IMP originalDeallocIMP = [self replaceMethodWithSelector:NSSelectorFromString(@"dealloc")
//                                                                     block:^(__unsafe_unretained UIView *blockSelf) {
//            [[NSNotificationCenter defaultCenter] removeObserver:blockSelf];
//            ((void (*)(id, SEL))originalDeallocIMP)(blockSelf, NSSelectorFromString(@"dealloc"));
//        }];
//    });
//}
```
```objc
@implementation UIWindow (DBShakeTrigger)
#pragma mark - Recognizing shake motion

//+ (void)load {
//    static dispatch_once_t onceToken;
//    dispatch_once(&onceToken, ^{
//        // Adding informing delegates about shake motion to the original implementation.
//        __block IMP originalIMP = [self replaceMethodWithSelector:@selector(motionEnded:withEvent:)
//                                                              block:^(UIWindow *blockSelf, UIEventSubtype motion, UIEvent *event) {
//            if (motion == UIEventSubtypeMotionShake) {
//                [blockSelf.shakeDelegates makeObjectsPerformSelector:@selector(windowDidEndShakeMotion:) withObject:self];
//            }
//            ((void (*)(id, SEL, UIEventSubtype, UIEvent *))originalIMP)(blockSelf, @selector(motionEnded:withEvent:), motion, event);
//        }];
//    });
//}
```
```objc
@implementation UIWindow (DBUserInterfaceToolkit)
#pragma mark - Method swizzling

//+ (void)load {
//    NSLog(@"load====DBUserInterfaceToolkit===========");
//    static dispatch_once_t onceToken;
//    dispatch_once(&onceToken, ^{
//        __block IMP originalIMP = [self replaceMethodWithSelector:@selector(sendEvent:)
//                                                              block:^(UIWindow *blockSelf, UIEvent *event) {
//            if (event.type == UIEventTypeTouches) {
//                [blockSelf db_handleTouches:event.allTouches];
//            }
//            ((void (*)(id, SEL, UIEvent *))originalIMP)(blockSelf, @selector(sendEvent:), event);
//        }];
//    });
//}
```
Tweak.xm
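```objc
%hook UIResponder
// Notify the toolkit's shake delegates. %orig is not called here, so the default
// forwarding of the event up the responder chain stops at this responder.
- (void)motionEnded:(UIEventSubtype)motion withEvent:(UIEvent *)event {
    UIWindow *window = [UIApplication sharedApplication].keyWindow;
    if (motion == UIEventSubtypeMotionShake) {
        [[window shakeDelegates] makeObjectsPerformSelector:@selector(windowDidEndShakeMotion:) withObject:self];
    }
}
%end

%hook UIWindow
- (void)sendEvent:(UIEvent *)event {
    %orig;
    // Same check as the library's disabled swizzle: only touch events are handled.
    if (event.type == UIEventTypeTouches) {
        [self db_handleTouches:event.allTouches];
    }
}
%end

%hook UIView
// Run the original initializer first and configure the returned view,
// as the library's disabled swizzle did.
- (id)initWithCoder:(NSCoder *)aDecoder {
    UIView *res = %orig;
    [res hookInitMethod];
    return res;
}

- (id)initWithFrame:(CGRect)frame {
    UIView *res = %orig;
    [res hookInitMethod];
    return res;
}

// Remove the notification observer before the view is destroyed.
- (void)dealloc {
    [self hookDellocMethod];
    %orig;
}
%end
```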
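Compiled, packaged and installed successfully:
The network request monitoring in it is quite good and is of some help when reverse engineering apps.
The end.
If there are any mistakes, feel free to leave a comment and point them out.
All the code has been uploaded to GitHub.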