iOS非越狱注入插件

准备工作

这里我们以QQ App来举例,这里需要注入的是我自己写的一个QQPlus这个插件; 首先我们需要准备以下文件:

.
├── CydiaSubstrate
├── QQ.ipa
├── QQPlus.dylib
├── QQPlusSetting.bundle
│   ├── Root.plist
│   ├── en.lproj
│   │   └── Root.strings
│   └── interface.json
├── blank.caf
├── cy.csv
└── libsubstitute.0.dylib
  • CydiaSubstrate: 从越狱手机目录/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate拷贝出来
  • libsubstitute.0.dylib: CydiaSubstrate依赖文件, 从越狱手机目录/usr/lib/libsubstitute.0.dylib拷贝出来
  • QQ.ipa: 一个砸壳后的ipa文件, 如果没有砸壳则无法进行以下操作, 可以使用otool验证是否加壳
  • QQPlus.dylib: 需要注入的插件(确保可用)
  • QQPlusSetting.bundle: QQPlus.dylib插件需要依赖文件
  • blank.caf: QQPlus.dylib插件需要依赖文件
  • cy.csv: QQPlus.dylib插件需要依赖文件

开始注入

  1. 首先我们把QQ.ipa包解压(ipa就是个压缩包, 直接解压或者使用命令解压都可)
unzip QQ.ipa

解压完成后我们先确认包是否加密, 使用otool命令

cd Payload/QQ.app/
otool -l QQ | grep crypt

输入以上命令后输出

cryptoff 28672
cryptsize 4096
cryptid 0

这里cryptid0则为未加密, 确认了未加密后我们就可以开始注入了;

  1. CydiaSubstrate改名为libsubstrate.dylib然后将以下文件拷贝至/Payload/QQ.app/Frameworks目录
libsubstrate.dylib
libsubstitute.0.dylib
QQPlus.dylib
  1. 修改libsubstrate.dylib依赖文件
    因为libsubstrate.dylib是从越狱手机上拷贝出来的, 他的一个依赖文件ibsubstitute.0.dylib的路径是/usr/lib/libsubstitute.0.dylib, 我们需要将他修改到Frameworks目录下, 否则会闪退, 使用otool命令查看:
aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ  otool -L libSubstrate.dylib
libSubstrate.dylib (architecture arm64):
    /usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
CydiaSubstrate (architecture arm64e):
    /usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

可以看到倒数第三个依赖, 我们需要使用install_name_tool命令修改他

install_name_tool -change "/usr/lib/libsubstitute.0.dylib" "@executable_path/Frameworks/libsubstitute.0.dylib" libSubstrate.dylib

然后再次使用otool命令查看是否修改成功

aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ  otool -L libSubstrate.dylib
libSubstrate.dylib (architecture arm64):
    /usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
    @executable_path/Frameworks/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
libSubstrate.dylib (architecture arm64e):
    /usr/lib/libsubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
    @executable_path/Frameworks/libsubstitute.0.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

这里可以看到已经把/usr/lib/libsubstitute.0.dylib已经被修改为@executable_path/Frameworks/libsubstitute.0.dylib

  1. 修改QQPlus.dylib插件依赖
    因为是越狱插件, 所以他的依赖是/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate, 但是在非越狱手机上是肯定没有这个依赖的, 所以我们一样需要对他进行修改, 用otool命令查看依赖
aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ  otool -L QQPlus.dylib
QQPlus.dylib:
    /Library/MobileSubstrate/DynamicLibraries/QQPlus.dylib (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
    /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1677.104.0)
    /System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices (compatibility version 1.0.0, current version 1069.25.0)
    /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
    /System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 59306.142.1)
    /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 1061.140.1)
    /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 61000.0.0)
    /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
    /System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
    /System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 0.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0)
    /System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)

这里可以很清楚的看到一个依赖/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate, 同样我们需要使用install_name_tool命令修改他把他修改到Frameworks目录下的libSubstrate.dylib

install_name_tool -change "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate" "@executable_path/Frameworks/libSubstrate.dylib" QQPlus.dylib

再使用otool命令查看是否成功修改依赖

aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ  otool -L QQPlus.dylib
QQPlus.dylib:
    /Library/MobileSubstrate/DynamicLibraries/QQPlus.dylib (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
    /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1677.104.0)
    /System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices (compatibility version 1.0.0, current version 1069.25.0)
    /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
    /System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 59306.142.1)
    /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 1061.140.1)
    /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 61000.0.0)
    @executable_path/Frameworks/libSubstrate.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
    /System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
    /System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 0.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0)
    /System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)

这里可以看到依赖已经被修改为@executable_path/Frameworks/libSubstrate.dylib

  1. 拷贝QQPlus.dylib依赖文件到QQ.app根目录下(如果插件没有依赖文件则不需要此步骤, 由于我自己写的QQPlus.dylib需要依赖blank.cafcy.csvQQPlusSetting.bundle这三个文件, 所以需要一起拷贝进去)

  2. 修改QQ主程序, 插入Load Commands, 使用optool或者insert_dylib都行, 这里以optool进行操作:

aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ/Payload/QQ.app  optool install -c load -p "@executable_path/Frameworks/QQPlus.dylib" -t QQ
Found thin header...
Inserting a LC_LOAD_DYLIB command for architecture: arm64
Successfully inserted a LC_LOAD_DYLIB command for arm64
Writing executable to QQ...

再次使用otool命令查看是否注入成功

aria@shenqiHyaliyadeMacBook-Pro  ~/Desktop/remake/QQ/Payload/QQ.app  otool -L QQ
QQ:
    @rpath/QQMainProject.framework/QQMainProject (compatibility version 1.0.0, current version 1.0.0)
    ...
    @executable_path/Frameworks/QQPlus.dylib (compatibility version 0.0.0, current version 0.0.0)

这里可以看到我们已经插入了@executable_path/Frameworks/QQPlus.dylib

  1. 打包QQ.ipa, 使用zip命令
zip -ry target.ipa Payload

  1. 重新签名安装
    由于修改了包内容, 所以需要重新签名, 签名可以参考其他文章或者使用第三方软件;
    安装成功后插件成功被加载, 效果如下:


    IMG_3364.PNG

Support

个人Cydia源: https://moxcomic.github.io
QQ交流群: 821196802

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
【社区内容提示】社区部分内容疑似由AI辅助生成,浏览时请结合常识与多方信息审慎甄别。
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

友情链接更多精彩内容