iOS - Add "objects" to existing app (jailbroken)


Problem description

How do you add "objects" to an existing app?

For example, the EasyRefresh for Chrome tweak enables a new button inside the iOS Chrome app, as do many other tweaks.

How may I add a simple UIButton to, for example, the Twitter app?

Are there any GitHub projects that might help me to understand how it's done?




Thanks.

Solution

The trick involves some (very basic) reverse engineering and is made up of several steps; I'll try to explain them as clearly as possible.

Step Zero: if the app is downloaded from the AppStore, it's encrypted. You have to decrypt it using one of the scripts/applications normally used to crack apps; one command line script is poedCrack.sh (google it, you'll find it quickly on one of the paste sites), one GUI application is Crakculous (it's available in Cydia). Note that one of these is needed for easy (automatic) decryption -- the manual decryption method is way too involved to put in a StackOverflow answer, that's why I'm suggesting these tools. However, I don't in any way encourage you to crack apps! (Basically I'm asking you not to use these tools for their original purpose :) If you want to have a look at the manual decryption process, head here.

Step One: you need to know what classes the application uses/creates. For this, you need the class-dump or class-dump-z utility. This command-line application reverses the app's binary executable file and generates interface declarations for all Objective-C classes the app uses and has inside. You can find class-dump-z, the more advanced and preferred variant, here.

Step Two: after you have the class declarations, you'll have to guess which class does what and when (yep, a bit confusing). For example, in one of the files generated from the above app, Google Chrome, by class-dump-z, you may find something similar:

@interface ChromeUrlToolbar: UIToolbar {
    UISearchBar *urlBar;
}

- (id)initWithFrame:(CGRect)frame;
- (void)loadURL:(NSURL *)url;

@end

Well, that sounds good, doesn't it? You can see that its implementation has an initWithFrame: method (as all UIView subclasses) -- why not try to modify it?

Step Three: for this modification, you'll need MobileSubstrate. MobileSubstrate is a developer library created by Saurik, the creator of Cydia, in order to make code injection to apps easy. You can find some really good tutorials on the web, including this one. So, you've got a class and you wanna 'hook' it -- so you write some code like this:

#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <substrate.h>

static IMP __original_init; // A

id __modified_init(id __self, SEL __cmd, CGRect frame) // B
{
    // The stored IMP is cast to the method's real signature before it is called.
    __self = ((id (*)(id, SEL, CGRect))__original_init)(__self, __cmd, frame); // C

    // D
    UIButton *newButton = [UIButton buttonWithType:UIButtonTypeRoundedRect];
    // UIButton titles are set per control state.
    [newButton setTitle:@"Chrome Pwned" forState:UIControlStateNormal];
    newButton.frame = CGRectMake(0, 0, 100, 40);
    [__self addSubview:newButton];

    return __self;
}

// E
__attribute__((constructor))
void init()
{
    Class clazz = objc_getClass("ChromeUrlToolbar"); // F
    MSHookMessageEx(clazz, @selector(initWithFrame:), (IMP)__modified_init, &__original_init); // G
}

Explanation: let's begin from the end. The init function (E) is declared __attribute__((constructor)). That means it's automatically called when the library we'll create out of this code is loaded into Chrome. That's exactly what we want because we want to alter our application's behavior prior to having started it.

On the line marked // F, we capture the class object itself we want to modify. Objective-C is a highly dynamic language; that means we can get and modify information about the classes and objects at runtime. On the line marked // G, we use the most important function of the MobileSubstrate API: MSHookMessageEx. To understand how it works (rather what it does), you must know the following: Objective-C itself is implemented as a plain C library -- the language itself, under the hood, is just simple C. So every message send in Objective-C is actually a C function call. These C functions have two special arguments: self and cmd -- the former is the pointer to the object being messaged, the latter is the selector (a special, unique pointer to the name of the message being sent). So what MSHookMessageEx does is it takes a class and a selector, finds the implementation of the function corresponding to them, and exchanges that function with the function supplied in its 3rd argument itself (__modified_init in this case). In order not to lose data, it also returns the function in its 4th parameter (here it's __original_init).

So, now the initialization of the Chrome URL toolbar is redirected to our function, what to do next? Well, nothing special: first we just call the original initialization function (notice the first two special arguments, __self and __cmd!) which creates the toolbar as if normally (this line of code is denoted by // C). Then, we do the actual alteration: in section // D, we create a UIButton, set its title and place, and add it as a subview to our freshly created toolbar. Then, knowing this is an initialization function, we return back the original instance along with our button's code injected into it.

Well, that's basically what you'll need to know about this; if you're interested in deeper details of how Objective-C works and how you can create cool iOS tweaks, I suggest you read Apple's official documentation on the topic and you can browse through some of my open-source Cydia tweaks as well.

I hope this will help you!
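
An added example, not part of the original answer and not MobileSubstrate code: the answer explains that the hook replaces the function behind a class/selector pair, and an app can observe that from the defending side by asking which binary image the current implementation lives in. UrlToolbar is a hypothetical stand-in class, and the swap is simulated with the public Objective-C runtime call method_setImplementation instead of Substrate.

```objective-c
// Build (assumed file name): clang -fobjc-arc -framework Foundation impcheck.m
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Hypothetical stand-in for an app class whose initializer could be hooked.
@interface UrlToolbar : NSObject
- (instancetype)init;
@end
@implementation UrlToolbar
- (instancetype)init { return [super init]; }
@end

// YES when the code that will run for -[cls sel] lives in the same Mach-O
// image as this function, i.e. inside the app binary itself.
static BOOL ImplementationIsInOwnImage(Class cls, SEL sel)
{
    Dl_info impInfo, selfInfo;
    IMP imp = class_getMethodImplementation(cls, sel);
    if (imp == NULL || dladdr((const void *)imp, &impInfo) == 0) return NO;
    if (dladdr((const void *)&ImplementationIsInOwnImage, &selfInfo) == 0) return NO;
    return impInfo.dli_fbase == selfInfo.dli_fbase; // compare image base addresses
}

int main(void)
{
    @autoreleasepool {
        Class cls = [UrlToolbar class];
        SEL sel = @selector(init);
        NSLog(@"before swap: in own image = %d", ImplementationIsInOwnImage(cls, sel));

        // Simulate the effect of a hook: point the method at an implementation
        // that lives in another image (here NSObject's -init from the runtime).
        Method m = class_getInstanceMethod(cls, sel);
        IMP foreign = class_getMethodImplementation([NSObject class], sel);
        IMP original = method_setImplementation(m, foreign);
        NSLog(@"after swap:  in own image = %d", ImplementationIsInOwnImage(cls, sel));

        // Report which image now backs the method, as a log line for triage.
        Dl_info where;
        if (dladdr((const void *)foreign, &where)) NSLog(@"now implemented in %s", where.dli_fname);
        method_setImplementation(m, original); // restore the original implementation
    }
    return 0;
}
```

An implementation that resolves outside the app's own image is a signal worth logging, not proof, since code injected into the process can patch this check as well.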
