準(zhǔn)備工作
這里我們以QQ App來舉例近她,這里需要注入的是我自己寫的一個(gè)QQPlus這個(gè)插件; 首先我們需要準(zhǔn)備以下文件:
.
├── CydiaSubstrate
├── QQ.ipa
├── QQPlus.dylib
├── QQPlusSetting.bundle
│ ├── Root.plist
│ ├── en.lproj
│ │ └── Root.strings
│ └── interface.json
├── blank.caf
├── cy.csv
└── libsubstitute.0.dylib
- CydiaSubstrate: 從越獄手機(jī)目錄
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate拷貝出來 - libsubstitute.0.dylib:
CydiaSubstrate依賴文件, 從越獄手機(jī)目錄/usr/lib/libsubstitute.0.dylib拷貝出來 - QQ.ipa: 一個(gè)砸殼后的ipa文件, 如果沒有砸殼則無法進(jìn)行以下操作, 可以使用
otool驗(yàn)證是否加殼 - QQPlus.dylib: 需要注入的插件
(確保可用) - QQPlusSetting.bundle:
QQPlus.dylib插件需要依賴文件 - blank.caf:
QQPlus.dylib插件需要依賴文件 - cy.csv:
QQPlus.dylib插件需要依賴文件
開始注入
- 首先我們把
QQ.ipa包解壓(ipa就是個(gè)壓縮包, 直接解壓或者使用命令解壓都可)
unzip QQ.ipa
解壓完成后我們先確認(rèn)包是否加密, 使用otool命令
cd Payload/QQ.app/
otool -l QQ | grep crypt
輸入以上命令后輸出
cryptoff 28672
cryptsize 4096
cryptid 0
這里cryptid為0則為未加密, 確認(rèn)了未加密后我們就可以開始注入了;
- 把
CydiaSubstrate改名為libsubstrate.dylib然后將以下文件拷貝至/Payload/QQ.app/Frameworks目錄
libsubstrate.dylib
libsubstitute.0.dylib
QQPlus.dylib
- 修改
libsubstrate.dylib依賴文件
因?yàn)?code>libsubstrate.dylib是從越獄手機(jī)上拷貝出來的, 他的一個(gè)依賴文件ibsubstitute.0.dylib的路徑是/usr/lib/libsubstitute.0.dylib, 我們需要將他修改到Frameworks目錄下, 否則會(huì)閃退, 使用otool命令查看:
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ otool -L libSubstrate.dylib
libSubstrate.dylib (architecture arm64):
/usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
CydiaSubstrate (architecture arm64e):
/usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
可以看到倒數(shù)第三個(gè)依賴, 我們需要使用install_name_tool命令修改他
install_name_tool -change "/usr/lib/libsubstitute.0.dylib" "@executable_path/Frameworks/libsubstitute.0.dylib" libSubstrate.dylib
然后再次使用otool命令查看是否修改成功
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ otool -L libSubstrate.dylib
libSubstrate.dylib (architecture arm64):
/usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
@executable_path/Frameworks/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
libSubstrate.dylib (architecture arm64e):
/usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
@executable_path/Frameworks/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
這里可以看到已經(jīng)把/usr/lib/libsubstitute.0.dylib已經(jīng)被修改為@executable_path/Frameworks/libsubstitute.0.dylib
- 修改
QQPlus.dylib插件依賴
因?yàn)槭窃姜z插件, 所以他的依賴是/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate, 但是在非越獄手機(jī)上是肯定沒有這個(gè)依賴的, 所以我們一樣需要對(duì)他進(jìn)行修改, 用otool命令查看依賴
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ otool -L QQPlus.dylib
QQPlus.dylib:
/Library/MobileSubstrate/DynamicLibraries/QQPlus.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1677.104.0)
/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices (compatibility version 1.0.0, current version 1069.25.0)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 59306.142.1)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 1061.140.1)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 61000.0.0)
/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 0.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
這里可以很清楚的看到一個(gè)依賴/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate, 同樣我們需要使用install_name_tool命令修改他把他修改到Frameworks目錄下的libSubstrate.dylib
install_name_tool -change "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate" "@executable_path/Frameworks/libSubstrate.dylib" QQPlus.dylib
再使用otool命令查看是否成功修改依賴
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ otool -L QQPlus.dylib
QQPlus.dylib:
/Library/MobileSubstrate/DynamicLibraries/QQPlus.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1677.104.0)
/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices (compatibility version 1.0.0, current version 1069.25.0)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 59306.142.1)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 1061.140.1)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 61000.0.0)
@executable_path/Frameworks/libSubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 0.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
這里可以看到依賴已經(jīng)被修改為@executable_path/Frameworks/libSubstrate.dylib
拷貝
QQPlus.dylib依賴文件到QQ.app根目錄下(如果插件沒有依賴文件則不需要此步驟, 由于我自己寫的QQPlus.dylib需要依賴blank.caf戚嗅、cy.csv、QQPlusSetting.bundle這三個(gè)文件, 所以需要一起拷貝進(jìn)去)修改
QQ主程序, 插入Load Commands, 使用optool或者insert_dylib都行, 這里以optool進(jìn)行操作:
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ/Payload/QQ.app optool install -c load -p "@executable_path/Frameworks/QQPlus.dylib" -t QQ
Found thin header...
Inserting a LC_LOAD_DYLIB command for architecture: arm64
Successfully inserted a LC_LOAD_DYLIB command for arm64
Writing executable to QQ...
再次使用otool命令查看是否注入成功
aria@shenqiHyaliyadeMacBook-Pro ~/Desktop/remake/QQ/Payload/QQ.app otool -L QQ
QQ:
@rpath/QQMainProject.framework/QQMainProject (compatibility version 1.0.0, current version 1.0.0)
...
@executable_path/Frameworks/QQPlus.dylib (compatibility version 0.0.0, current version 0.0.0)
這里可以看到我們已經(jīng)插入了@executable_path/Frameworks/QQPlus.dylib
- 打包
QQ.ipa, 使用zip命令
zip -ry target.ipa Payload
-
重新簽名安裝
由于修改了包內(nèi)容, 所以需要重新簽名, 簽名可以參考其他文章或者使用第三方軟件;
安裝成功后插件成功被加載, 效果如下:
IMG_3364.PNG
Support
個(gè)人Cydia源: https://moxcomic.github.io
QQ交流群: 821196802
