1. The sequence in which an iOS app starts up is:
user taps the icon -> load (the frameworks and dylibs, including the Cydia dylibs injected by MobileLoader) -> main -> UIApplicationMain -> AppDelegate -> UIWindow -> ViewControllers -> ...
2. Getting in first: hooking the detection functions before they run
From the app vendor's side, jailbreak detection can sit in main or in any stage after it, so whoever wants control of the process has to run before all of that.
Testing showed that a hook installed from +[NSObject load] runs even earlier than the dylib's own entry (constructor) function:
#include <stdio.h>

// The dylib's constructor (what Logos emits for %ctor). dyld runs it as an
// image initializer, i.e. after the Objective-C runtime has already sent
// +load to the classes and categories in the same image.
static __attribute__((constructor)) void _logosLocalInit() {
    // TODO:
    printf("DYLIB START RUNNING.\n");
}
So the working assumption is that a hook placed in +[NSObject load] gets in ahead of everything else.
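The ordering claim above can be checked directly. The following is an added example, not code from the original post: a single Objective-C file (names such as InitOrderProbe, record_step and init_order are this example's own) that records, in a static buffer, the order in which a +load method, a C constructor and main execute inside one image. Build it with clang -framework Foundation init_order.m on macOS, or paste the pieces into a test app in Xcode.

```objc
// Added example (not from the original post): records the order of
// +load, a C constructor and main within one Mach-O image.
#import <Foundation/Foundation.h>
#include <stdio.h>
#include <string.h>

// Fixed-size trace of initialization steps, filled in the order they run.
static const char *g_steps[8];
static int g_step_count = 0;

static void record_step(const char *name) {
    if (g_step_count < 8) {
        g_steps[g_step_count++] = name;
    }
}

// Returns the recorded order as a comma-separated string.
const char *init_order(void) {
    static char buf[128];
    buf[0] = '\0';
    for (int i = 0; i < g_step_count; i++) {
        if (i) strlcat(buf, ",", sizeof buf);
        strlcat(buf, g_steps[i], sizeof buf);
    }
    return buf;
}

// Step A: the Objective-C runtime sends +load to every class and category in
// an image as soon as dyld has mapped and bound that image, before dyld runs
// the image's C/C++ initializers.
@interface NSObject (InitOrderProbe)
@end

@implementation NSObject (InitOrderProbe)
+ (void)load {
    record_step("load");
}
@end

// Step B: C constructors (the mechanism behind Logos' %ctor / _logosLocalInit)
// run when dyld executes the image's initializers.
static __attribute__((constructor)) void probe_ctor(void) {
    record_step("constructor");
}

// Step C: main, the earliest point at which an app's own checks typically run.
int main(int argc, const char *argv[]) {
    @autoreleasepool {
        record_step("main");
        printf("%s\n", init_order());
    }
    return 0;
}
```

If the post's observation holds, the printed order is load, then constructor, then main. The same ordering applies per image: a dylib injected through DYLD_INSERT_LIBRARIES (which is how MobileLoader works) is initialized by dyld before the main executable, so its +load precedes not only main but also the app's own +load methods and constructors. For defenders the practical consequence is that winning the race to run first is not a reliable strategy; checks that must survive this kind of tweak need to verify the integrity of what they call rather than rely on running earlier.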
3. A simple test
Part of the code is as follows:
#import <Foundation/Foundation.h>
#import "fishhook.h"   // rebind_symbols() and struct rebinding come from Facebook's fishhook

// The replaced_* functions and original_* function pointers are defined
// elsewhere in the tweak and are not part of this excerpt.

#pragma mark - Hook before ready.
@interface NSObject (SuperHooker)
@end

@implementation NSObject (SuperHooker)
+ (void)load
{
    // Perform the rebinding exactly once, even if +load is triggered again.
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        rebind_symbols((struct rebinding[9]){
            {"fork", replaced_fork, (void *)&original_fork},
            {"stat", replaced_stat, (void *)&original_stat},
            {"access", replaced_access, (void *)&original_access},
            {"fopen", replaced_fopen, (void *)&original_fopen},
            {"dlopen", replaced_dlopen, (void *)&original_dlopen},
            {"dladdr", replaced_dladdr, (void *)&original_dladdr},
            {"dlsym", replaced_dlsym, (void *)&original_dlsym},
            {"dlopen_preflight", replaced_dlopen_preflight, (void *)&original_dlopen_preflight},
            {"dyld_get_image_name", replaced_dyld_get_image_name, (void *)&original_dyld_get_image_name}
        }, 9);
        printf("NSObject load RUNNING.\n");
    });
}
@end
You can create a new app in Xcode and debug it together with the tweak to verify the ordering.