前言

iosre：

chinapyg：dllhook：

Requirements

• Device Tools

1、otool

otool  ——查看程序依赖哪些动态库信息，反编代码段安装iNalyzer 即可

nm ② ——显示符号表ldid ③ ——签名工具gdb ——调试工具 patch ——补丁工具SSH ——远程控制

class-dump、otool is included in the package called: BigBoss Recommended Tools

2、 gdb 、lldb

3、 class-dump

• 安装LLVM ，以便make class-dump-swift

cd llvm-3.9.0.src/mkdir buildcd buildcmake ..make && sudo make installThen you can successfully compile this project with just make.

• 停止建立虚拟网络接口

devzkndeMacBook-Pro:~ devzkn$ rvictl -x 07cf5424d3844522c3396fc55f419a11633cb54c

查看进程

iPhone:~ root# ps aux|grep /var/mobile/Containers/Bundle/mobile   15771  36.1 14.7   981872 152828   ??  Ss    3:01PM   4:20.37 /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhonemobile   15493   0.0  7.7   862412  79568   ??  Ss    5:58PM  13:11.90 /var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/WeChatmobile   11974   0.0  2.3   821156  24204   ??  Ss   Wed09AM   3:18.29 /var/mobile/Containers/Bundle/Application/472F4813-5586-49C7-BE0E-0A860C5001AC/Moon.app/Moonroot     15793   0.0  0.0   536236    384 s001  R+    3:14PM   0:00.01 grep /var/mobile/Containers/Bundle/

准备工作

iPhone:~ root# cycript -p Taobao4iPhonecy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]#"file:///var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents/"

control+d 进行退出。

插入动态库

iPhone:/var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents root# DYLD_INSERT_LIBRARIES=./dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone

devzkndeMacBook-Pro:bin devzkn$ class-dump --arch armv7 /Users/devzkn/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhone.decrypted -H -o ~/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhoneHead

补充

最新的 LLVM 只支持 cmake 来编译了，首先安装 cmake 。brew install cmake编译：mkdir buildcmake /path/to/llvm/sourcecmake --build .编译时间比较长，而且编译结果会生成20G左右的文件。编译完成后，就能在build/bin/目录下面找到生成的工具了。

bundleIdentifier

iPhone:~ root# cycript -p Taobao4iPhonecy# [[NSBundle mainBundle] bundleIdentifier]@"com.taobao.taobao4iphone"cy#

tweakTool

• plutil

iPhone:/System/Library/LaunchDaemons root# plutil com.apple.racoon.plist{    EnableTransactions = 1;    Label = "com.apple.racoon";    MachServices =     {        "com.apple.SecureNetworking.IPSec" = 1;    };    ProgramArguments =     (        "/usr/sbin/racoon",        "-D"    );    RunAtLoad = 0;    Sockets =     {        Listeners =         {            SockFamily = Unix;            SockPathMode = 384;            SockPathName = "/var/run/vpncontrol.sock";        };    };}

• 停止xxx后台程序

lauchctl stop xxx.plist

• launchctl list 查看启动的后台程序

Phone:/System/Library/LaunchDaemons root# launchctl list PID    Status    Label-    0    com.apple.mediastream.mstreamd-    -44    com.apple.icloud.findmydeviced

第1栏 后台进程的PID

第2栏 最后一次退出的状态

• 停止进程

launchctl stop com.apple.DumpPanic

• 移除

launchctl remove com.apple.DumpPanic

Because daemons are loaded by launchd, which is owned by root:wheel,

iPhone:/sbin root# ls -l /sbin/launchd-rwxr-xr-x 1 root wheel 239536 Nov 19  2014 /sbin/launchd

so both a daemon and its config file must be owned by root:wheel too, it borns and runs as root. Take it in mind and we'll get back to this later.