8.第一个逆向程序

• 创建tweak工程

  ➜  iOS /opt/theos/bin/nic.pl 
  NIC 2.0 - New Instance Creator
  ------------------------------
    [1.] iphone/activator_event
    [2.] iphone/application_modern
    [3.] iphone/cydget
    [4.] iphone/flipswitch_switch
    [5.] iphone/framework
    [6.] iphone/ios7_notification_center_widget
    [7.] iphone/library
    [8.] iphone/notification_center_widget
    [9.] iphone/preference_bundle_modern
    [10.] iphone/tool
    [11.] iphone/tweak
    [12.] iphone/xpc_service
   //选择tweak工程  
  Choose a Template (required): 11  
  
   //工程名称
  Project Name (required): MyFirstReProject  
  
  //deb包的名字（类似于bundle identifier)
  Package Name [com.yourcompany.myfirstreproject]: com.iosre.myfirstreproject  
  
  //tweak作者
  Author/Maintainer Name [System Administrator]: luz 
  
  //tweak作用对象的bundle identifier
  [iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard 
  
  //tweak安装完成后需要重启的应用
  [iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
  Instantiating iphone/tweak in myfirstreproject/...
  Done.
  

• 工程文件结构介绍

• Makefile

  //工程包含的通用头文件
  include $(THEOS)/makefiles/common.mk
  
  //创建工程时指定的“Project Name，指定好之后一般不要再更改
  TWEAK_NAME = MyFirstReProject
  
  //tweak包含的源文件，指定多个文件时用空格隔开
  MyFirstReProject_FILES = Tweak.xm
  
  //tweak工程的头文件，一般有application.mk、tweak.mk和tool.mk几类
  include $(THEOS_MAKE_PATH)/tweak.mk
  
  //指定tweak安装之后，需要做的事情，这里是杀掉SpringBoard进程 
  after-install::
      install.exec "killall -9 SpringBoard"
      
  补充:
  //编译debug或者release
  DEBUG = 0
  
  //越狱iPhone的ip地址
  THEOS_DEVICE_IP = 192.168.1.113
  
  //指定支持的处理器架构
  ARCHS = armv7 arm64 
  
  //指定需要的SDK版本iphone:Base SDK:Deployment Target
  TARGET = iphone:latest:8.0  //最新的SDK，程序发布在iOS8.0以上
  
  //导入框架，多个框架时用空格隔开
  MyFirstReProject_FRAMEWORKS = UIKit 
  MyFirstReProject_PRIVATE_FRAMEWORKS = AppSupport
  
  //链接libsqlite3.0.dylib、libz.dylib和dylib1.o
  MyFirstReProject_LDFLAGS = -lz –lsqlite3.0 –dylib1.o
  
  //make clean
  clean::
      rm -rf ./packages/* 
  
  

• tweak文件
  “xm”中的“x”代表这个文件支持Logos语法，如果后缀名是单独一个“x”，说明源文件支持Logos和C语法；如果后缀名是“xm”
  ，说明源文件支持Logos和C/C++语法。

  /* How to Hook with Logos
  Hooks are written with syntax similar to that of an Objective-C @implementation.
  You don't need to #include <substrate.h>, it will be done automatically, as will
  the generation of a class list and an automatic constructor.
  
  %hook ClassName
  
  // Hooking a class method
  + (id)sharedInstance {
      return %orig;
  }
  
  // Hooking an instance method with an argument.
  - (void)messageName:(int)argument {
      %log; // Write a message about this call, including its class, name and arguments, to the system log.
  
      %orig; // Call through to the original function with its original arguments.
      %orig(nil); // Call through to the original function with a custom argument.
  
      // If you use %orig(), you MUST supply all arguments (except for self and _cmd, the automatically generated ones.)
  }
  
  // Hooking an instance method with no arguments.
  - (id)noArguments {
      %log;
      id awesome = %orig;
      [awesome doSomethingElse];
  
      return awesome;
  }
  
  // Always make sure you clean up after yourself; Not doing so could have grave consequences!
  %end
  */
  

  • %hook 指定需要hook的class，必须以%end结尾

  • %log 该指令在%hook内部使用，将函数的类名、参数等信息写入syslog
    Cydia内搜索安装syslogd

  • %orig该指令在%hook内部使用，执行被钩住（hook）的函数的原始代码。

• control
  control文件记录了deb包管理系统所需的基本信息，会被打包进deb包里。

• 编译工程

  • tweakxm 文件

    %hook SpringBoard 
    -  (void)applicationDidFinishLaunching:(id)application 
    { 
        %orig; 
        UIAlertView *alert = [[UIAlertView alloc]  
        initWithTitle:@"Hello，Tanzhou!" 
        message:nil 
        delegate:self cancelButtonTitle:@"OK"
        otherButtonTitles:nil]; 
        [alert show]; 
    }
    
    - (void)_menuButtonDown:(id)down  
    {  
        NSLog(@"x=%d, y=%d", 10, 20);
        %log((NSString *)@"iOSRE", (NSString *)@"Debug");  
        %orig; // call the original _menuButtonDown:
    }
    %end
    
    %hook SBLockScreenDateViewController
    - (void)setCustomSubtitleText:(id)arg1 withColor:(id)arg2
    {
    /*
       NSDate *date=[NSDate date];
       NSDateFormatter *format1=[[NSDateFormatter alloc]init];
       [format1 setDateFormat:@"yyyy/MM/dd HH:mm:ss"];   
       NSString *str1=[format1 stringFromDate:date];
    */
       struct tm *loctime;
       char timeBuf[1024] = {0};
       time_t now = time(NULL);
       loctime = localtime(&now);
       strftime(timeBuf, 30, "[%Y/%m/%d %H:%M:%S]", loctime);
       %orig([NSString stringWithUTF8String:timeBuf],arg2);   
    }
    %end
    
    

  • MakeFile文件

    DEBUG = 0
    THEOS_DEVICE_IP = 10.171.4.22 
    ARCHS = armv7 arm64 
    TARGET = iphone:latest:8.0  
    include $(THEOS)/makefiles/common.mk
    
    TWEAK_NAME = MyFirstReProject
    MyFirstReProject_FILES = Tweak.xm
    MyFirstReProject_FRAMEWORKS = UIKit 
    include $(THEOS_MAKE_PATH)/tweak.mk
    
    after-install::
        install.exec "killall -9 SpringBoard"
    clean::
        rm -rf ./packages/* 
    

  • control文件

    Package: com.iosre.myfirstreproject
    Name: MyFirstReProject
    Depends: mobilesubstrate
    Version: 1.0.1
    Architecture: iphoneos-arm
    Description: My first reproject!
    Maintainer: luz
    Author: luz
    Section: Tweaks
    Homepage: https://www.baidu.com
    

• 编译命令

  make  //编译
  
  make package  //打包
  
  make install  //安装
  

• 验证结果