Channel: 睿论坛 - Latest Topics
Beginner: how do I hook the Home button on iOS 10?

@BACK123 wrote:

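Previously, on iOS 8, I could hook the Home button by hooking -(void)menuButtonDown:(id)down in SpringBoard, but on iOS 10 this no longer works. I class-dumped SpringBoard and could not find the method -(void)menuButtonDown:(id)down in the headers; it seems to have been replaced. Is there any other way on iOS 10 to hook the Home button press event? Thanks, everyone!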

Posts: 1

Participants: 1


About hands-on exercise 4: class-dumping MobileSMS.app gives only a few header files? I can't find the headers the book mentions

@hjh90 wrote:

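Why does class-dumping MobileSMS.app give me only a few header files? I can't find the header files the book mentions.
These are all I get:

Does anyone know the reason?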

Posts: 1

Participants: 1

Theos installation error: it asks me to run git submodule update --init --recursive, which then fails with error: could not lock config file .git/config: Permission denied fatal: Failed to register url for submodule path 'vendor/include'

@wylf wrote:

Pasting the output directly:

Submodule 'LightMessaging' (git://github.com/rpetrich/LightMessaging.git) registered for path 'vendor/include/rocketbootstrap/LightMessaging'
Cloning into '/Users/lee/theos/vendor/include/rocketbootstrap/LightMessaging'...
remote: Counting objects: 83, done.
remote: Total 83 (delta 0), reused 0 (delta 0), pack-reused 83
Receiving objects: 100% (83/83), 34.81 KiB | 0 bytes/s, done.
Resolving deltas: 100% (45/45), done.
Submodule path 'vendor/include/rocketbootstrap/LightMessaging': checked out '496257b11c3e906333797639355db9a43015eb50'
Submodule path 'vendor/lib': checked out '639633b40f1b3e0b9cedfad7ec1feab2e5432033'
LEEdeMacBook-Pro:~ lee$ export THEOS=/opt/theos
LEEdeMacBook-Pro:~ lee$ cd /Users/lee/Desktop/iOS逆向/MailReProject/mobilemailtestreproject
LEEdeMacBook-Pro:mobilemailtestreproject lee$ make package install
==> Error: The vendor/include and/or vendor/lib directories are missing. Please run git submodule update --init --recursive in your Theos directory. More information: https://github.com/theos/theos/wiki/Installation.
make: *** [before-all] Error 1
LEEdeMacBook-Pro:mobilemailtestreproject lee$ git submodule update --init --recursive
fatal: Not a git repository (or any of the parent directories): .git
LEEdeMacBook-Pro:mobilemailtestreproject lee$ cd /opt/theos
LEEdeMacBook-Pro:theos lee$ git submodule update --init --recursive
error: could not lock config file .git/config: Permission denied
fatal: Failed to register url for submodule path 'vendor/include'
LEEdeMacBook-Pro:theos lee$


I have tried the steps in the book many times and it still does not work. Please advise. This is on a new Mac.

Posts: 1

Participants: 1

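When providing a framework (static library) for third-party apps to call, how can I locate crashes caused by the framework in the app's crash log and symbolicate them?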

@snakeninny wrote:

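I wrote a framework (static library) that third-party apps call; I cannot get the third-party app's symbol table (dSYM file). The third-party app crashed while calling the framework, that is, the crash was caused by the framework; but when I look at the crash log, I can only see the third-party app's call stack and no trace of the framework.

I can get the framework's dSYM file, but since there is no trace of the framework in the crash stack, the framework's dSYM file is of no use; and because I do not have the third-party app's dSYM file, the call stack in the crash log is just a pile of addresses, which is hard to read.

In this situation, what should I do to locate the crash caused by the framework in the crash log and symbolicate it?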

Posts: 1

Participants: 1

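WeChat with its symbol table restored: the Reveal service does not respond, and the keyWindow obtained via cycript is incomplete

How are arguments of type basic_string passed?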

@konfkof wrote:


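As shown in the figure, for the basic_string initialization, the assembly shows the argument being passed on the stack.
1. If it is a struct, how do I construct the corresponding struct? Looking through the Xcode C++ library code, I did not find the source corresponding to libc++.1.dylib.
2. How do I find out where the contents are stored after the basic_string init? (x1 holds the pointer to the array; I don't understand why it is x1.)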

Posts: 6

Participants: 2

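How did I implement automatic WeChat red-packet grabbing, step by step?

After hooking the app, it crashes immediately on launch and cannot be opened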

@jokerding wrote:

See the crash log for details. After hooking the app, it crashes immediately. The log is below; what is the problem?
Sep 14 18:17:58: --- last message repeated 1 time ---
Sep 14 18:17:58 dingbinde-iPhone kernel[0]: xpcproxy[7749] Container: /private/var/mobile/Containers/Data/Application/6EF531C4-B2D6-4C84-A87C-43519FB0A3F8 (sandbox)
Sep 14 18:17:58 dingbinde-iPhone locationd[103]: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: MS:Notice: Injecting: vv.flagfit.ute FlagFit
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/Demo1080Tweak.dylib
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/reveal2Loader.dylib
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: ERROR: Reveal Server requires UIApplication to be available. You may be trying to start Reveal Server too early or in an incompatible process.
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: Reveal2Loader loaded /Library/Frameworks/RevealServer.framework/RevealServer
Sep 14 18:17:58 dingbinde-iPhone FlagFit[7749]: assertion failed: 12A405: libxpc.dylib + 71820 [4BC9CA3D-4DEE-314C-ADBF-53BDCEEFE45C]: 0x7d
Sep 14 18:17:58 dingbinde-iPhone Unknown[7749]:
Sep 14 18:17:59 dingbinde-iPhone FlagFit[7749]: CoreLocation: Could not get ideal gyro update interval, assuming 0.005000 s
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: MS:Notice: Injecting: (null) ReportCrash
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: task_set_exception_ports(B07, 400, F03, 0, 0) failed with error (4: (os/kern) invalid argument)
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: ReportCrash acting against PID 7749
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: Formulating crash report for process FlagFit[7749]
Sep 14 18:18:00 dingbinde-iPhone SpringBoard[7705]: BSXPCMessage received error for message: Connection invalid
Sep 14 18:18:00 dingbinde-iPhone com.apple.xpc.launchd1: Service exited due to signal: Segmentation fault: 11
Sep 14 18:18:00 dingbinde-iPhone ReportCrash[7751]: Saved report to /var/mobile/Library/Logs/CrashReporter/FlagFit_2017-09-14-181800_dingbinde-iPhone.ips
Sep 14 18:18:00 dingbinde-iPhone SpringBoard[7705]: Application 'UIKitApplication:vv.flagfit.ute[0x5273]' crashed.
Sep 14 18:18:00 dingbinde-iPhone assertiond[55]: Could not set priority of to 2, priority: No such process
Sep 14 18:18:00 dingbinde-iPhone assertiond[55]: Could not set priority of to 4096, priority: No such process
Sep 14 18:18:00 dingbinde-iPhone UserEventAgent[48]: id=vv.flagfit.ute pid=7749, state=0
Sep 14 18:18:00 dingbinde-iPhone SpringBoard[7705]: Unable to deliver -[UIRemoteApplication showTopMostMiniAlertWithSynchronizationPort:] message to port 0: (ipc/send) invalid destination port
Sep 14 18:18:00 dingbinde-iPhone locationd[103]: Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0

Posts: 3

Participants: 2


Why is dyld_insert_libraries empty on a jailbroken device?

@sysprogram wrote:

char *env = getenv("DYLD_INSERT_LIBRARIES");

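I tested on two jailbroken devices, and the DYLD_INSERT_LIBRARIES environment variable is empty on both. One is an iPhone5 on iOS 8.2, the other an iPhone5 on iOS 9.0.1. While debugging I ran image list -o -f to look at the loaded modules, and /Library/MobileSubstrate/MobileSubstrate.dylib is not there. What is going on?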

Posts: 2

Participants: 1

SBApplicationController import fails and will not compile; trying to get the executable file name

@wangdu wrote:

Goal: resolve the error message and then successfully obtain the BundleExecutable

"_OBJC_CLASS_$_SBApplicationController", referenced from:
objc-class-ref in demoApp.m.a4bf09cc.o
ld: symbol(s) not found for architecture armv7
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Environment: iOS 8.1.2

Steps:
My application is not a tweak, just a jailbreak application. I am trying to use methods from SpringBoard:

NSString *appStoreString = [[SBApplicationController.sharedInstance applicationWithBundleIdentifier:@"com.apple.AppStore"] displayName];
UIAlertView *alert = [[UIAlertView alloc] initWithTitle:appStoreString message:nil delegate:target cancelButtonTitle:@"OK" otherButtonTitles:nil];
[alert show];
[alert release];

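Several tutorial sites say to put the SpringBoard folder under the theos/include path, but no matter which headers provided by various people I import into my theos/include, I always get error messages about one file or another being missing. I have tried downloading headers from three different sources limited to iOS 8.1 and still cannot compile successfully, nor can I use the methods in SBApplicationController to get the executable id. I'd like to ask: how can I use SpringBoard's methods in an ordinary root jailbreak app that is not a tweak and does not hook?

I know I can use AppList to get "similar" information, but it is not what I want. The most I can get from the method below is /private/var/mobile/Containers/Bundle/Application/xxxxxxxxxx/TargetApp.app. But I only want the name of the executable file, TargetApp. Trying possible values for valueForKey myself, I can only get path, displayName and displayIdentifier.
Could someone tell me which valueForKey value to pass to get the executable name directly?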

NSString *testBundlePath = [ALApplicationList.sharedApplicationList valueForKey:@"path" forDisplayIdentifier:@"com.Addcn.house591"];

UIAlertView *alert = [[UIAlertView alloc] initWithTitle:testBundlePath message:nil delegate:target cancelButtonTitle:@"OK" otherButtonTitles:nil];
[alert show];
[alert release];

Thanks in advance, everyone.

Reference sites:



Posts: 1

Participants: 1

Dingxiang Technology (顶象技术) is hiring Security Development Engineers (full-time/intern) [15-35k]

@xelz wrote:

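Company information

[Website] https://www.dingxiang-inc.com/

Today, as internet technology develops in depth, social order, organizational structures and business models are changing enormously; artificial intelligence, cloud service platforms and IoT operating systems are developing in depth, and people, machines and devices will communicate, divide work and collaborate in complex ways in a "new world" where the virtual and the real merge. Technology is changing the world, cybercrime will be redefined, security will no longer have boundaries, and the security industry also needs to be rewritten. All of this calls for a brand-new protection system to defend the security of the "new world", and so Beijing Dingxiang Technology Co., Ltd. came into being.

Dingxiang Technology Co., Ltd. is a leading Chinese provider of business security products and solutions. Focused on the business security field, it has built an end-to-end, full-stage, full-link and full-dimension intelligent risk sensing and protection system across the internet, cloud computing and big data, a panoramic business security risk control system. It provides enterprise customers with internationally leading, competitive products, solutions and services, and is committed to breaking the boundaries of knowledge so that customers can share risk prevention and control experience, safeguarding the growth of customers' businesses.

Dingxiang Technology Co., Ltd. has a strong technical team made up of top internet security experts and artificial intelligence and big data scientists from China and abroad. The company is headquartered in Beijing, with R&D centers in Hangzhou, Nanjing and Guangzhou. It has already successfully served customers in industries such as aviation, electric power, telecommunications and the internet. Beijing Dingxiang Technology Co., Ltd. is customer-centric, upholds an open-ecosystem philosophy, insists on sharing security knowledge and experience to break down barriers to business growth, and, through continuous innovation and open cooperation with the industry, builds a new business security ecosystem and continues to create value for customers and society.

Position

Security Development Engineer

Responsibilities:

1. Research on code obfuscation and hardening techniques
2. Development of virtual-machine-based source code protection products

Requirements:

1. Proficient in C/C++ and shell scripting
2. Familiar with x86 and ARM assembly; skilled with reverse engineering tools such as IDA and GDB
3. Familiar with the LLVM compiler framework and compiler principles
4. Familiar with binary file formats such as Mach-O and ELF
5. Familiar with Android and iOS development
6. Experience in code obfuscation and hardening research is a plus

Compensation:

15k-35k + stock options; salary and benefits on par with BAT

Location:

Full-time: Haichuang Park (海创园), Wenyi West Road, Hangzhou
Intern: Hangzhou, Guangzhou, Nanjing, Beijing

Contact:

Please send your résumé by email to career@dingxiang-inc.com
Email subject: position applied for + name + mobile number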

Posts: 3

Participants: 3

What is this problem?

@ZH_8 wrote:

*** syscall(connect(socket, info->ai_addr, info->ai_addrlen)):../Console.cpp(306):CYSocketRemote [errno=61]

Posts: 4

Participants: 4

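Today I was reversing a classic app; I create an object of one of its classes and call its methods, but nothing is printed to the console, which puzzles me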

@wylf wrote:

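Here is the tweak code.
It is the LocationRetriever class. In the button's tap handler I create a LocationRetriever object and call its instance methods, but nothing is printed in the Xcode console, and setting breakpoints with lldb has no effect either. From the test print ("11111111111") I can confirm that the tap handler does run. I'd appreciate it if someone who understands this could give me some pointers.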

%hook LocationRetriever
+ (double)getLocationAccuracy:(id)arg1 { %log; double r = %orig; HBLogDebug(@" = %f", r); return r; }
- (void)CancelRetrieveHeading { %log; %orig; }
- (void)CancelRetrieveLocation { %log; %orig; }
- (void)CleanDelegate { %log; %orig; }
- (void)Reset { %log; %orig; }
- (void)RetrieveHeading { %log; %orig; }
- (void)RetrieveLocation { %log; %orig; }
- (void)addToRecentLocationList:(id)arg1 { %log; %orig; }
- (unsigned int)countOfRecentLocationList { %log; unsigned int r = %orig; HBLogDebug(@" = %u", r); return r; }
- (void)dealloc { %log; %orig; }
- (id)getBestResultFromLocationList { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
- (id)initWithDelegate:(id)arg1 { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
- (BOOL)isHeadingOK:(id)arg1 { %log; BOOL r = %orig; HBLogDebug(@" = %d", r); return r; }
- (BOOL)isLocationOK:(id)arg1 { %log; BOOL r = %orig; HBLogDebug(@" = %d", r); return r; }
- (void)setM_bCanRepeatReportLocation:(BOOL )m_bCanRepeatReportLocation { %log; %orig; }
- (BOOL )m_bCanRepeatReportLocation { %log; BOOL r = %orig; HBLogDebug(@" = %d", r); return r; }
- (void)setM_bShieldAccuracy:(BOOL )m_bShieldAccuracy { %log; %orig; }
- (BOOL )m_bShieldAccuracy { %log; BOOL r = %orig; HBLogDebug(@" = %d", r); return r; }
- (void)setM_delegate:(id )m_delegate { %log; %orig; }
- (id )m_delegate { %log; id r = %orig; HBLogDebug(@" = 0x%@", r ); return r; }
- (void)setM_eBusType:(unsigned int )m_eBusType { %log; %orig; }
- (unsigned int )m_eBusType { %log; unsigned int r = %orig; HBLogDebug(@" = %u", r); return r; }
- (void)setM_geoMode:(int )m_geoMode { %log; %orig; }
- (int )m_geoMode { %log; int r = %orig; HBLogDebug(@" = %d", r); return r; }
- (void)setM_recentLocationList:(NSMutableArray *)m_recentLocationList { %log; %orig; }
- (NSMutableArray *)m_recentLocationList { %log; NSMutableArray * r = %orig; HBLogDebug(@" = %@", r); return r; }
- (void)setM_requiredAccuracy:(float )m_requiredAccuracy { %log; %orig; }
- (float )m_requiredAccuracy { %log; float r = %orig; HBLogDebug(@" = %f", r); return r; }
- (void)setM_sysCacheUpdater:(id )m_sysCacheUpdater { %log; %orig; }
- (id )m_sysCacheUpdater { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
- (void)setM_timeoutCount:(int )m_timeoutCount { %log; %orig; }
- (int )m_timeoutCount { %log; int r = %orig; HBLogDebug(@" = %d", r); return r; }
- (id)objectInRecentLocationListAtIndex:(unsigned int)arg1 { %log; id r = %orig; HBLogDebug(@" = %@", r); return r; }
- (void)onGPSLocationChanged:(id)arg1 withTag:(unsigned long)arg2 { %log; %orig; }
- (void)onGPSLocationError:(int)arg1 withTag:(unsigned long)arg2 { %log; %orig; }
- (void)onGpsTimerTimeCheck { %log; %orig; }
- (void)onHeadingChanged:(id)arg1 withTag:(unsigned long)arg2 { %log; %orig; }
- (void)onHeadingTimeCheck { %log; %orig; }
- (void)onMapLocationChanged:(id)arg1 withTag:(int)arg2 { %log; %orig; }
- (void)onMapLocationError:(id)arg1 withTag:(int)arg2 { %log; %orig; }
- (void)reportRetriever:(id)arg1 retrieverSuccess:(BOOL)arg2 inCache:(BOOL)arg3 { %log; %orig; }
- (void)stopCheckTimer { %log; %orig; }
%end

@interface SeePeopleNearByLogicController : NSObject
- (void)OnUpdateCertInfo;
- (void)updateLbsContactInfo;
@end
@interface SeePeopleNearbyViewController : UIViewController
@property(retain, nonatomic) SeePeopleNearByLogicController *logicController;
@property(null_resettable, nonatomic,strong) UIView *view;
- (void)onRefreshMyFriends;
- (void)startLoading;
@end

%hook SeePeopleNearbyViewController

- (void)viewDidLoad{
    %orig;
    %log;
    UIButton * button = [[UIButton alloc]initWithFrame:CGRectMake(100, 100, 100, 100)];
    button.backgroundColor = [UIColor redColor];
    [button addTarget:self action:@selector(redButtonClick) forControlEvents:UIControlEventTouchUpInside];
    [self.view addSubview:button];

}
%new
-(void)redButtonClick{

//[self onRefreshMyFriends];
//[self startLoading];
// [self.logicController updateLbsContactInfo];

LocationRetriever * retriever = [[%c(LocationRetrieve) alloc]initWithDelegate:self.logicController];

NSLog(@"111111111111 ");
[retriever setM_eBusType:2];
[retriever Reset];
[retriever RetrieveLocation];

}

%end

Posts: 10

Participants: 2

Hooking a dylib fails

@houshuai08161 wrote:

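I have run into the following problem. I want to hook a method in a dylib, but I cannot hook the functions in this class; I added logging and it is never executed.


The screenshot above is part of my code. The plist already declares the bundle name of the dylib to inject into, with the same content as its plist. But this function simply cannot be hooked. Checking NSLog, it is not executed either. Yet these few methods in the class are executed.

I tried hooking methods of other classes and found that they can be hooked, but the functions of this class cannot. I don't know why.
Below is its header file:

This is the header file after I trimmed it down:

I'd appreciate any ideas. I cannot hook the functions in this class at all.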

Posts: 2

Participants: 1

A question about WeChat login verification

@CCbird wrote:

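I changed the first two prefixes of the bundle id, com.xxx.wechat, that is, the xxx part is completely different. I installed five or six WeChat clones, and all of them could log in directly, without verification, to a number that had previously been verified on this device.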

Posts: 5

Participants: 2


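The front end is just the front end; no matter how much you reverse it, you are still limited by the back end

make error in a Theos tweak project

How to make an iOS kernel debugging cable

How can a tweak implement cycript's choose operation

How to fix an error when calling a private API method from a tweak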

@Huayra-Dinastia wrote:

When calling a private API from a tweak using the usual Objective-C method call, I get the error: error: instance method not found (return type defaults to 'id') [-Werror,-Wobjc-method-access]. How should I call it?

Posts: 4

Participants: 2
