1.定位目标文件

• ps方法

  ps -e | grep WeChat

• find方法

  find -name sshd
  

• 固定目录中查找

  AppStore App全部位于“/var/mobile/Containers/Bundle/Application/”下，
  系统App全部位于“/Applications/”下
  
  daemon的配置文件均位于
  “/System/Library/LaunchDaemons/”
  “/Library/LaunchDaemons”
  “/Library/LaunchAgents/”
  
  是一个plist格式的文件。其中的“ProgramArguments”字段，即是daemon可执行文件的绝对路径
    luz-iphone:/Library/LaunchDaemons root# cat com.openssh.sshd.plist 
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  
  <dict>
      <key>Label</key>
      <string>com.openssh.sshd</string>
  
      <key>Program</key>
      <string>/usr/libexec/sshd-keygen-wrapper</string>
  
      <key>ProgramArguments</key>
      <array>
          <string>/usr/sbin/sshd</string>
          <string>-i</string>
      </array>
  
      <key>SessionCreate</key>
      <true/>
  
      <key>Sockets</key>
      <dict>
          <key>Listeners</key>
          <dict>
              <key>SockServiceName</key>
              <string>ssh</string>
          </dict>
      </dict>
  
      <key>StandardErrorPath</key>
      <string>/dev/null</string>
  
      <key>inetdCompatibility</key>
      <dict>
          <key>Wait</key>
          <false/>
      </dict>
  </dict>
  
  </plist>
  

2.获取头文件信息和bundleid

• 砸壳
• 通过class-dump获取头文件
• 获取bundleid

  codesign -dvvv WeChat
  

3.分析头文件编写tweak代码

• Makefile文件

  THEOS_DEVICE_IP = 192.168.1.113
  DEBUG = 1
  ARCHS = armv7 arm64 
  TARGET = iphone:latest:8.0  
  include $(THEOS)/makefiles/common.mk
  
  TWEAK_NAME = WeChatReProject
  WeChatReProject_FILES = Tweak.xm
  WeChatReProject_FRAMEWORKS = UIKit 
  include $(THEOS_MAKE_PATH)/tweak.mk
  
  after-install::
      install.exec "killall -9 WeChat"
  
  clean::
      rm -rf ./packages/* 
  

• control文件

  Package: com.iosre.wechatreproject
  Name: WeChatReProject
  Depends: mobilesubstrate
  Version: 0.0.1
  Architecture: iphoneos-arm
  Description: WeChat Tweak
  Maintainer: luz
  Author: luz
  Section: Tweaks
  Homepage: https://www.baidu.com
  

• plist文件

{ Filter = { Bundles = ( "com.tencent.xin" ); }; }

• tweak.xm文件

  #import<UIKit/UIKit.h>
  #import <CoreLocation/CoreLocation.h>
  #import <CoreLocation/CLLocation.h>
  
  @interface SeePeopleNearByLogicController
  - (void)onRetrieveLocationOK:(id)arg1;
  @end
  
  %hook SeePeopleNearByLogicController
  - (void)onRetrieveLocationOK:(id)arg1
  {
      CLLocation *location = [[CLLocation alloc] initWithLatitude:31.154352 longitude:121.42562];
      %orig(location);
  
      UIAlertView *alertView = [[UIAlertView alloc] 
      initWithTitle:[@"onRetrieveLocationOK" 
      stringByAppendingString:[[NSString alloc] 
      initWithFormat:@"location is %@", location]] 
      message:nil 
      delegate:self 
      cancelButtonTitle:@"ok" 
      otherButtonTitles:nil];
  
      [alertView show];
  }
  %end