Updated 2025-03-17. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/02 report.
This article describes how to inject code into a target function on iOS. The content is detailed; interested readers can use it as a reference.
An example of dynamic binding
(1) Locate the injection point
Pick any app and run class-dump on it to get the structure information of all its classes.
For example, one class in "WeChat" is declared like this:
[Image: Inheritance of viewcontroller]
This class inherits from UIViewController, so it has a message handler named viewDidLoad. The demonstration below replaces MMUIViewController::viewDidLoad so that execution goes to a new function instead.
(2) Write the injection code
Open an editor you are familiar with, create a file named hookwx.m, and add code like this:
[Image: The code for hookwx]
Next comes compilation. You can compile the .o file directly with Xcode, or with clang. Xiao Cheng uses an iPhone 4 for the demonstration, which uses the armv7 instruction set, so the object file can be compiled like this:
clang -c hookwx.m -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk
Then use ld to link to a dynamic library (dylib):
ld -dylib -lsystem -lobjc -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/ -o hookwx.dylib hookwx.o -framework Foundation -framework UIKit -ios_version_min 6.0
The parameters of the compile and link commands above depend on the SDK version Xiao Cheng uses; if you try this yourself, choose the parameters that match your own SDK.
(3) Copy the dylib to DynamicLibraries
scp hookwx.dylib root@192.168.1.100:/Library/MobileSubstrate/DynamicLibraries/
You also need to create a plist that specifies which app the dylib is loaded into (on iOS 8.0 and later the app must be specified). For details, see the previous article, where a plist was created when introducing the use of Reveal. The bundle ID of "WeChat" is "com.tencent.xin" or "com.tencent.xin1". List these in the plist so that the dylib is loaded (several bundle IDs can be specified).
Remember to copy the plist file to the DynamicLibraries directory as well.
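Seen from the examiner's side, the dylib-plus-plist pairing in this step is also what shows which apps a library in DynamicLibraries is configured to load into. The script below is an added example, not code from the original article: it assumes XML or binary filter plists with the usual Filter/Bundles layout, and its function names and sample files are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Directory named in the article; on a device image, prefix the mount point.
SUBSTRATE_DIR = "/Library/MobileSubstrate/DynamicLibraries"

def audit_dylib_filters(directory):
    """Map each .dylib to the bundle IDs named in the plist beside it.

    None means no readable Filter/Bundles plist was found for that dylib.
    """
    report = {}
    for dylib in sorted(Path(directory).glob("*.dylib")):
        try:
            data = plistlib.loads(dylib.with_suffix(".plist").read_bytes())
            report[dylib.name] = sorted(data["Filter"]["Bundles"])
        except (OSError, ValueError, ExpatError, KeyError, TypeError):
            # Missing plist, old-style text plist, or no Filter/Bundles key.
            report[dylib.name] = None
    return report

def dylibs_targeting(report, bundle_id):
    """Return the names of dylibs whose filter lists `bundle_id`."""
    return sorted(name for name, ids in report.items() if ids and bundle_id in ids)

def build_sample_dir():
    """Constructed sample data: one dylib with a filter plist, one without."""
    root = Path(tempfile.mkdtemp())
    (root / "hookwx.dylib").write_bytes(b"")
    flt = {"Filter": {"Bundles": ["com.tencent.xin", "com.tencent.xin1"]}}
    (root / "hookwx.plist").write_bytes(plistlib.dumps(flt))
    (root / "orphan.dylib").write_bytes(b"")  # no plist beside it
    return root

if __name__ == "__main__":
    rep = audit_dylib_filters(build_sample_dir())
    for name, ids in rep.items():
        print(name, "->", ids if ids is not None else "no readable filter plist")
    print("configured for com.tencent.xin:",
          dylibs_targeting(rep, "com.tencent.xin"))
```

A dylib reported as None deserves a manual look, since its plist may be in the old-style text format that plistlib does not parse.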
(4) Verify the effect
Start "WeChat" and use socat to observe the log output. You can see:
Dec 2 11:22:05 810 MicroMessenger: = in initialize=
...
Dec 2 11:24:48 810 MicroMessenger:-in new_viewDidLoad-
That is, "WeChat" loads the dylib written by Xiao Cheng, and execution goes into the new function.
The example above only gives an intuitive feel for how injection works. In real use, you should rely on a mature framework that can do the injection.
Xiao Cheng commonly uses two frameworks: one is fishhook and the other is MobileSubstrate.
fishhook, an open-source tool from Facebook, can change the address of a target function at run time so that control passes to your own code. Because you need to know the name of the target function, it is suitable for C runtime library functions, or for cases where the function name can be located, but not for cases where you cannot even get the name (for example, when only the code address can be located). If you only have the address of the function, consider using MobileSubstrate's MSHookFunction for injection.
One of the most important capabilities of MobileSubstrate (also known as CydiaSubstrate, hereinafter MS) is that it can dynamically bind new execution functions, which already meets most needs. For example, the function MSHookMessageEx provided by MS can be used to hook Objective-C code; in principle it relies on the Objective-C runtime's ability to replace a method's implementation at run time.
The function MSHookFunction provided by MS can be used to hook C code. For example, many apps use the write or fwrite functions when writing files. By hooking these two functions, you can see the data written to the file. The code can be written as follows:
[Image: MSHookFunction example]
However, direct use of the MS functions is not the focus of this article. From a practical point of view, what Xiao Cheng wants to introduce is the use of iOSOpenDev.