tweak插件开发

1、连接手机 usb或者wifi 通过ssh连手机

2、ps -A查看所有应用

ps -A

找到目标应用

3、导出目标应用到mac端

scp -r -p 12345 root@localhost:/System/Library/CoreServices/SpringBoard.app

拷贝成功

4.导出头文件

加载进内存中Macho文件为已解密Macho 可直接导出有文件

class-dump -H SpringBoard -o sps/

导出成功

5.cy或者lldb调试

6.Monkey写tweak插件

1. 新建logos tweak项目

新建tweak项目

2.配置注入程序
Package/Library/MobileSubstrate/DynamicLibraries/BadgeTweak.plist 文件 Filter/Bundles 字段 可多个程序注入

配置注入程序

3.配置打包信息
Build Setiings -> 搜索MONKEY

image.png

打包配置

连接信息

安装生效配置

• 免配置连接信息

1. monkey配置
   修改zshrc文件 monkey环境配置在zshrc，不在base_profile

vi ~./zshrc

在Monkey环境变量下插入 设备ip和设备端口，保存生效即可，在monkey项目中可不用再配置设备ip和设备端口

插入设备ip和设备端口

1. theos 配置
   theos 项目目录必须为英文
   加入THEOS_DEVICE_IP和THEOS_DEVICE_PORT
   修改base_profile theos 环境配置在base_profile文件中

vi ~./base_profile

配置theos设备ip和端口

tweak插件原理

tweak插件打包deb，安装到手机后
在手机Library/MobileSubstrate/DynamicLibraries目录下
有dylid文件和plist配置文件

deb包安装目录

手机控制台查看注入进程

插件注入成功

tweak插件通过环境变量插入动态库到应用从而达到改变应用的目的

DYLD_INSERT_LIBRARIES 防护 tweak插件

dyld加载应用过程，是否设置限制插入动态库，如果限制限制插入动态库，所有插入动态库被设为空。

dyld判断是否限制插入动态库

• Macho文件中__RESTRICT 字段不为空，并且值为__restrict，则设置了限制插入动态库。

  
  
  判断Macho文件"__RESTRICT"字段和值"__restrict"

判断Macho文件"__RESTRICT"字段和值"__restrict"

• 设置_RESTRICT和值__restrict，设置了限制插入动态库，做防护

项目中 Build Settings -> other Linker Flags 添加字段

Build Settings -> other Linker Flags 添加
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null

添加RESTRICT限制动态库插入

添加RESTRICT限制动态库插入 dump砸壳会失效

破解RESTRICT字段防护，破解限制动态库注入防护

• 可直接修改Macho文件中的RESTRICT来破解限制动态库注入防护。

1. Synalyze it! Pro 工具修改

   
   
   image.png

image.png

1. MachoView 工具修改

MachoView修改

修改完签名被破坏，需要重新签名。

dyld加载，限制动态库注入防护检测

RESTRICT字段限制动态库注入防护升级
防止macho文件中RESTRICT被修改，从而防护失效

注意 iOS10 以后，苹果的LYLD 不再检测 RESTRICT字段了，改方法不适应iOS10以后

防护相关的检测，bool类型！！

#import <mach-o/loader.h>
#import <mach-o/dyld.h>

#if __LP64__
#define macho_header               mach_header_64
#define LC_SEGMENT_COMMAND        LC_SEGMENT_64
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO
#define macho_segment_command    segment_command_64
#define macho_section            section_64
#else
#define macho_header               mach_header
#define LC_SEGMENT_COMMAND        LC_SEGMENT
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT_64
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO_64
#define macho_segment_command    segment_command
#define macho_section            section
#endif

+(void)load
{
    const struct mach_header_64 * header = _dyld_get_image_header(0);//我自己？？
    if (hasRestrictedSegment(header)) {
        NSLog(@"防止Tweak注入状态！！");
    }else{
        NSLog(@"被修改了！！");//做相应处理
    }
    
}


static bool hasRestrictedSegment(const struct macho_header* mh){

    const uint32_t cmd_count = mh->ncmds;
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND:
            {
                const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
                
                printf("seg name: %s\n", seg->segname);
                if (strcmp(seg->segname, "__RESTRICT") == 0) {
                    const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
                    const struct macho_section* const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strcmp(sect->sectname, "__restrict") == 0)
                            return true;
                    }
                }
            }
                break;
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    
    return false;
} 
   }

白名单检测防护

#import <mach-o/dyld.h>
#import <mach-o/loader.h>

+(void)load
{
    HKCheckWhitelist();
}


bool HKCheckWhitelist(){
    
    int count = _dyld_image_count();//原app加载了多少数量
    
    for (int i = 0; i < count; i++) {
        //遍历拿到库名称！
       const char * imageName = _dyld_get_image_name(i);
      
       // libraries(白名单)是否包含imageName库名，var/mobile/Containers/Bundle/Application目录为应用本身不检测，
        if (!strstr(libraries, imageName)&&!strstr(imageName, "/var/mobile/Containers/Bundle/Application")) {
            printf("该库非白名单之内！！\n%s",imageName);
//            return NO;
        }
    }
    return YES;
}


const char * libraries = "/var/mobile/Containers/Bundle/Application/AD8D84E6-E893-4C96-A29A-FBD13AF4B461/WhitelistDemo.app/WhitelistDemo/Library/MobileSubstrate/MobileSubstrate.dylib/Developer/usr/lib/libBacktraceRecording.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib/System/Library/Frameworks/Foundation.framework/Foundation/usr/lib/libobjc.A.dylib/usr/lib/libSystem.B.dylib/System/Library/Frameworks/UIKit.framework/UIKit/usr/lib/libextension.dylib/usr/lib/libarchive.2.dylib/usr/lib/libicucore.A.dylib/usr/lib/libxml2.2.dylib/usr/lib/libz.1.dylib/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation/System/Library/Frameworks/CFNetwork.framework/CFNetwork/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration/System/Library/Frameworks/Security.framework/Security/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit/usr/lib/libCRFSuite.dylib/usr/lib/liblangid.dylib/usr/lib/libc++abi.dylib/usr/lib/libc++.1.dylib/usr/lib/system/libcache.dylib/usr/lib/system/libcommonCrypto.dylib/usr/lib/system/libcompiler_rt.dylib/usr/lib/system/libcopyfile.dylib/usr/lib/system/libcorecrypto.dylib/usr/lib/system/introspection/libdispatch.dylib/usr/lib/system/libdyld.dylib/usr/lib/system/liblaunch.dylib/usr/lib/system/libmacho.dylib/usr/lib/system/libremovefile.dylib/usr/lib/system/libsystem_asl.dylib/usr/lib/system/libsystem_blocks.dylib/usr/lib/system/libsystem_c.dylib/usr/lib/system/libsystem_configuration.dylib/usr/lib/system/libsystem_containermanager.dylib/usr/lib/system/libsystem_coreservices.dylib/usr/lib/system/libsystem_coretls.dylib/usr/lib/system/libsystem_dnssd.dylib/usr/lib/system/libsystem_info.dylib/usr/lib/system/libsystem_kernel.dylib/usr/lib/system/libsystem_m.dylib/usr/lib/system/libsystem_malloc.dylib/usr/lib/system/libsystem_network.dylib/usr/lib/system/libsystem_networkextension.dylib/usr/lib/system/libsystem_notify.dylib/usr/lib/system/libsystem_platform.dylib/usr/lib/system/libsystem_pthread.dylib/usr/lib/system/libsystem_sandbox.dylib/usr/lib/system/libsystem_trace.dylib/usr/lib/system/libunwind.dylib/usr/lib/system/libvminterpose.dylib/usr/lib/system/libxpc.dylib/usr/lib/libbz2.1.0.dylib/usr/lib/liblzma.5.dylib/usr/lib/libMobileGestalt.dylib/usr/lib/libsqlite3.dylib/usr/lib/libenergytrace.dylib/usr/lib/libbsm.0.dylib/System/Library/PrivateFrameworks/UIFoundation.framework/UIFoundation/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface/System/Library/PrivateFrameworks/PowerLog.framework/PowerLog/System/Library/PrivateFrameworks/HangTracer.framework/HangTracer/usr/lib/liblockdown.dylib/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag/System/Library/PrivateFrameworks/UserNotificationServices.framework/UserNotificationServices/System/Library/PrivateFrameworks/FrontBoardServices.framework/FrontBoardServices/System/Library/PrivateFrameworks/BaseBoard.framework/BaseBoard/System/Library/PrivateFrameworks/CoreUI.framework/CoreUI/System/Library/Frameworks/CoreVideo.framework/CoreVideo/System/Library/Frameworks/OpenGLES.framework/OpenGLES/System/Library/Frameworks/VideoToolbox.framework/VideoToolbox/System/Library/PrivateFrameworks/MobileAsset.framework/MobileAsset/System/Library/PrivateFrameworks/BackBoardServices.framework/BackBoardServices/System/Library/Frameworks/CoreImage.framework/CoreImage/System/Library/PrivateFrameworks/DictionaryServices.framework/DictionaryServices/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics/System/Library/Frameworks/ImageIO.framework/ImageIO/System/Library/Frameworks/QuartzCore.framework/QuartzCore/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices/System/Library/PrivateFrameworks/AppSupport.framework/AppSupport/System/Library/Frameworks/CoreText.framework/CoreText/System/Library/PrivateFrameworks/TextInput.framework/TextInput/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices/System/Library/PrivateFrameworks/WebKitLegacy.framework/WebKitLegacy/System/Library/PrivateFrameworks/WebCore.framework/WebCore/System/Library/PrivateFrameworks/ProofReader.framework/ProofReader/usr/lib/libAccessibility.dylib/System/Library/Frameworks/Accelerate.framework/Accelerate/System/Library/PrivateFrameworks/PhysicsKit.framework/PhysicsKit/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator/System/Library/Frameworks/Metal.framework/Metal/System/Library/PrivateFrameworks/FontServices.framework/FontServices/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vImage.framework/vImage/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/vecLib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvDSP.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLAPACK.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libBLAS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvMisc.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLinearAlgebra.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libSparseBLAS.dylib/System/Library/PrivateFrameworks/AppleJPEG.framework/AppleJPEG/System/Library/PrivateFrameworks/GPUCompiler.framework/libmetal_timestamp.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreFSCache.dylib/System/Library/PrivateFrameworks/IOAccelerator.framework/IOAccelerator/System/Library/Frameworks/OpenGLES.framework/libGFXShared.dylib/System/Library/Frameworks/OpenGLES.framework/libGLImage.dylib/System/Library/Frameworks/OpenGLES.framework/libCVMSPluginSupport.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreVMClient.dylib/System/Library/PrivateFrameworks/MobileSystemServices.framework/MobileSystemServices/System/Library/PrivateFrameworks/AssertionServices.framework/AssertionServices/System/Library/Frameworks/MetalPerformanceShaders.framework/MetalPerformanceShaders/System/Library/PrivateFrameworks/Quagga.framework/Quagga/System/Library/PrivateFrameworks/FaceCore.framework/FaceCore/System/Library/Frameworks/CoreMedia.framework/CoreMedia/System/Library/PrivateFrameworks/ColorSync.framework/ColorSync/usr/lib/libiconv.2.dylib/System/Library/PrivateFrameworks/UserFS.framework/UserFS/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport/System/Library/Frameworks/CoreAudio.framework/CoreAudio/System/Library/PrivateFrameworks/AggregateDictionary.framework/AggregateDictionary/usr/lib/libxslt.1.dylib/usr/lib/libmarisa.dylib/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox/System/Library/PrivateFrameworks/TCC.framework/TCC/System/Library/PrivateFrameworks/LanguageModeling.framework/LanguageModeling/usr/lib/libcmph.dylib/System/Library/Frameworks/MediaAccessibility.framework/MediaAccessibility/usr/lib/libstdc++.6.dylib/Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLoader.dylib/Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate";