Channel: 睿论坛 - Latest posts
The recently popular Mach-O LC_LOAD_DYLIB hook: my own attempt

I won't go over decrypting the app binary and so on; let's use WeChat for the experiment.

Device: iPhone6 9.0.2

1. Write the dylib

I created it with the library template in theos.

The code after creation:

#import <Foundation/Foundation.h>

// Constructor: runs automatically when dyld loads this library
__attribute__((constructor)) static void entry() {
	NSLog(@"hook success");
}

Then I ran make to build it as hook1.dylib.

2. Modify WeChat's binary to add an LC_LOAD_DYLIB command

I used the tool https://github.com/KJCracks/yololib to inject it in one step.

ScholardeMacBook-Pro:WeChat.app scholar$ yololib WeChat hook1.dylib
2016-02-24 15:16:02.766 yololib[19207:715790] dylib path @executable_path/hook1.dylib
2016-02-24 15:16:02.767 yololib[19207:715790] dylib path @executable_path/hook1.dylib
Reading binary: WeChat

2016-02-24 15:16:02.768 yololib[19207:715790] FAT binary!
2016-02-24 15:16:02.768 yololib[19207:715790] Injecting to arch 9
2016-02-24 15:16:02.768 yololib[19207:715790] Patching mach_header..
2016-02-24 15:16:02.768 yololib[19207:715790] Attaching dylib..

2016-02-24 15:16:02.768 yololib[19207:715790] Injecting to arch 0
2016-02-24 15:16:02.768 yololib[19207:715790] 64bit arch wow
2016-02-24 15:16:02.768 yololib[19207:715790] dylib size wow 56
2016-02-24 15:16:02.768 yololib[19207:715790] mach.ncmds 73
2016-02-24 15:16:02.768 yololib[19207:715790] mach.ncmds 74
2016-02-24 15:16:02.768 yololib[19207:715790] Patching mach_header..
2016-02-24 15:16:02.768 yololib[19207:715790] Attaching dylib..

2016-02-24 15:16:02.768 yololib[19207:715790] size 52
2016-02-24 15:16:02.768 yololib[19207:715790] complete!

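The injection is done; let's check it with MachOView.

You can see that it was written successfully. Then I put hook1.dylib in the same directory.

3. Repackage and install

Since I'm only testing, and the test device is already jailbroken with appsync installed, I skipped the signing step and packaged and installed directly.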

xcrun -sdk iphoneos PackageApplication -v /Users/scholar/Downloads/微信-6.3.13/Payload/WeChat.app /Users/scholar/Downloads/mywechat.ipa

Packaging completed, but after installing it on the device the app crashes on launch. Error:


Feb 24 15:25:39 -iPhone com.apple.xpc.launchd[1] (UIKitApplication:com.tencent.xin[0xc6c8][1141]): Service exited due to signal: Killed: 9
Feb 24 15:25:39 -iPhone assertiond[113]: Unable to obtain a task name port right for pid 1141: (os/kern) failure (5)
Feb 24 15:25:39 -iPhone SpringBoard[95]: Unable to register for exec notifications: No such process
Feb 24 15:25:39 -iPhone SpringBoard[95]: Unable to obtain a task name port right for pid 1141: (os/kern) failure (5)
Feb 24 15:25:39 -iPhone SpringBoard[95]: Unable to obtain a task name port right for <FBApplicationProcess: 0x1247438d0; com.tencent.xin; pid: 1141>
Feb 24 15:25:39 -iPhone SpringBoard[95]: Application 'UIKitApplication:com.tencent.xin[0xc6c8]' exited abnormally via signal.
Feb 24 15:25:39 -iPhone SpringBoard[95]: Application '(null)' exited for an unknown reason.

Could anyone tell me what went wrong?
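
Added example, not part of the original post: a read-only Python check that lists the dylib load commands of a thin or FAT Mach-O file and reports paths that a known-good copy of the binary does not load, which is how an added LC_LOAD_DYLIB entry such as @executable_path/hook1.dylib can be detected. It goes slightly beyond the post by also covering the weak, re-export and upward dylib commands. The function names and the sample binaries built by make_sample are constructed for illustration; big-endian slices and 64-bit FAT headers are not handled.

```python
import struct
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
DYLIB_CMDS = {0xC: "LC_LOAD_DYLIB", 0x80000018: "LC_LOAD_WEAK_DYLIB",
              0x8000001F: "LC_REEXPORT_DYLIB", 0x80000023: "LC_LOAD_UPWARD_DYLIB"}

def thin_dylibs(data, base=0):
    """Return [(command, path)] for one little-endian Mach-O slice at `base`."""
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # sizeof(mach_header[_64])
    end, found = min(off + sizeofcmds, len(data)), []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off) if off + 8 <= end else (0, 0)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed or truncated load command")
        if cmd in DYLIB_CMDS:
            (name_off,) = struct.unpack_from("<I", data, off + 8)  # dylib.name.offset
            if not 24 <= name_off < cmdsize:
                raise ValueError("bad dylib name offset")
            raw = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            found.append((DYLIB_CMDS[cmd], raw.decode("utf-8", "replace")))
        off += cmdsize
    return found

def all_dylibs(data):
    """Thin file, or every slice of a FAT file (big-endian fat_header, fat_arch[])."""
    magic, nfat = struct.unpack_from(">2I", data)
    if magic != FAT_MAGIC:
        return thin_dylibs(data)
    offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    return [d for o in offsets for d in thin_dylibs(data, o)]

def added_dylibs(baseline, candidate):
    """Dylib paths in `candidate` that a known-good `baseline` build does not load."""
    known = {p for _, p in all_dylibs(baseline)}
    return sorted({p for _, p in all_dylibs(candidate)} - known)

def make_sample(paths):  # constructed arm64 Mach-O: header plus dylib commands only
    cmds = b""
    for p in paths:
        size = (24 + len(p) + 1 + 7) & ~7  # dylib_command + path + NUL, 8-byte aligned
        cmds += struct.pack("<6I", 0xC, size, 24, 0, 0, 0) + p.encode().ljust(size - 24, b"\0")
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0) + cmds

CLEAN = make_sample(["/usr/lib/libSystem.B.dylib"])
PATCHED = make_sample(["/usr/lib/libSystem.B.dylib", "@executable_path/hook1.dylib"])
PATCHED_FAT = struct.pack(">7I", FAT_MAGIC, 1, 0x0100000C, 0, 28, len(PATCHED), 0) + PATCHED
print(added_dylibs(CLEAN, PATCHED_FAT))
```

On real files, pass the bytes of the vendor's original executable as the baseline and the bytes of the copy under inspection as the candidate.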

