OPlayer Lite problems

Problems
1) I can't hook viewDidLoad of the PlayViewController class; the code is the same as in the book, but it still can't be hooked.
**But _menuButtonDown of the SpringBoard class can be hooked.**
**2) I don't quite understand when** install.exec “killall -9 xxx” **should be executed.**
The idea of hooking is to change xxx's execution flow, so it must be running at that moment; then why kill it?
When the dylib is loaded, is that after xxx has started running, before it runs, or right as it starts?

Tweak.xm:

~~~objc
#import <iAd/ADBannerView.h>
#import <UIKit/UIViewController.h>
@class ADBannerView;

@interface PlayViewController : UIViewController
@property(retain, nonatomic) ADBannerView *iAdView; // @synthesize iAdView;
@end

%hook PlayViewController
- (void)viewDidLoad
{
    %orig;
    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"OPlayerviewDidLoad was called %@", iAdView);
}
%end

%hook SpringBoard
- (void)_menuButtonDown:(struct __IOHIDEvent *)arg1
{
    // fixed: the post was missing the outer brackets around [UIAlertView alloc]
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Hello2,welcome panda' tweak!" message:nil delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil];
    [alert show];
    %orig;
    %log((NSString *)@"test", (NSString *)@"debug2");
    NSLog(@"NSLog2~_~");
}
%end
~~~

Filter plist:

~~~
{
    Filter = {
        Bundles = (
            "com.apple.springboard",
            "com.olimsoft.oplayer.lite",
        );
    };
}
~~~

Makefile:

~~~makefile
THEOS_DEVICE_IP = 127.0.0.1
THEOS_DEVICE_PORT = 2222
ARCHS = arm64
TARGET = iPhone:8.1

include theos/makefiles/common.mk

TWEAK_NAME = OPlayer
OPlayer_FILES = Tweak.xm
OPlayer_FRAMEWORKS = UIKit iAd
include $(THEOS_MAKE_PATH)/tweak.mk

# NB: the quotes on the recipe line below are curly quotes (U+201C / U+201D) exactly as posted, not ASCII "
after-install::
	install.exec “killall -9 SpringBoard”
~~~

OPlayer Lite has been updated N versions since the book came out; the functions may have changed, but the reversing approach hasn't. Walk through the book's approach again, find the new function, and you can hook it.

The reason you kill the target process is that CydiaSubstrate only tries to inject all tweaks into a process when that process starts. Kill the process, then launch it again by hand, and CydiaSubstrate takes effect.

The class-dump output is:

~~~objc
__attribute__((visibility("hidden")))
@interface PlayViewController : UIViewController <ADBannerViewDelegate, GADBannerViewDelegate, UIAlertViewDelegate, WBEngineDelegate, WBLogInAlertViewDelegate, WBSendViewDelegate, RNGridMenuDelegate>
{
    ADBannerView *iAdView;
    GADBannerView *gAdView;
}
@property(retain, nonatomic) ADBannerView *iAdView; // @synthesize iAdView;
~~~

It just can't be hooked~~~~

If the class hasn't changed, then the function has.

But it looks like the function hasn't changed either~~~~
???

The function is indeed still there, but the ad-loading logic may no longer live in that function; you have to go find it again.

Another problem I found:
install.exec “killall -9 OPlayer\ Lite” can't kill the process.
Even install.exec “kill -9 SpringBoard” gets stuck at make package install, or rather it can't find SpringBoard.

~~~
➜ oplayer make package install
Making all for tweak OPlayer…
Preprocessing Tweak.xm…
Compiling Tweak.xm…
Linking tweak OPlayer…
Stripping OPlayer…
Signing OPlayer…
Making stage for tweak OPlayer…
dm.pl: building package `com.taihe.oplayer:iphoneos-arm' in `./com.taihe.oplayer_0.0.1-43_iphoneos-arm.deb'
install.exec “cat > /tmp/_theos_install.deb; dpkg -i /tmp/_theos_install.deb && rm /tmp/_theos_install.deb” < “./com.taihe.oplayer_0.0.1-43_iphoneos-arm.deb”
Selecting previously deselected package com.taihe.oplayer.
(Reading database … 4884 files and directories currently installed.)
Unpacking com.taihe.oplayer (from /tmp/_theos_install.deb) …
Setting up com.taihe.oplayer (0.0.1-43) …
install.exec “killall -9 OPlayer\ Lite”
make: install.exec: No such file or directory
make: *** [after-install] Error 1
~~~

~~~
:~ root# ps ax | grep .app
743 ?? Ss 0:02.07 /var/mobile/Containers/Bundle/Application/EA468FAA-CC33-4BF7-B6B1-4F933CA4D7A2/OPlayer Lite.app/OPlayer Lite
~~~

The reason it couldn't be killed was a problem with TextEdit on the Mac, which caused the characters it wrote to be GBK or something like that; switching to a different editor fixed it.

But hooking the functions of the PlayViewController class still doesn't work.
I've hooked a lot of functions, but still no success. It's fine if there is no iAdView to print, but not even the NSLog output appears. Could it be that the app never calls any of these functions of PlayViewController?
Or is there something wrong with my hook code?????

~~~objc
#import <iAd/ADBannerView.h>
#import <UIKit/UIViewController.h>

@interface PlayViewController : UIViewController
@property(retain, nonatomic) ADBannerView *iAdView; // @synthesize iAdView;
@end

%hook PlayViewController
- (void)viewDidLoad
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"123321viewDidLoad was called %@", iAdView);
}

- (void)loadView
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"123321loadView was called %@", iAdView);
}

- (void)viewWillDisappear:(BOOL)animated
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"112332viewWillDisappear was called %@", iAdView);
}

// the post had this mistyped as viewviewWillDisappear:, a selector UIViewController
// does not have, so Substrate had nothing to hook there
- (void)viewDidDisappear:(BOOL)animated
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"123321viewDidDisappear was called %@", iAdView);
}

- (void)viewDidAppear:(BOOL)animated
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"123321viewDidAppear was called %@", iAdView);
}

- (void)viewWillAppear:(BOOL)animated
{
    %orig;

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;
    NSLog(@"123321viewWillAppear was called %@", iAdView);
}
%end
~~~

At first I thought the class simply never called this function,
but planAds is definitely called, and the message still isn't printed.

~~~objc
#import <substrate.h>   // MSHookIvar is declared in CydiaSubstrate's substrate.h
#import <iAd/ADBannerView.h>
#import <UIKit/UIViewController.h>

@interface PlayViewController : UIViewController
@property(retain, nonatomic) ADBannerView *iAdView; // @synthesize iAdView;
@end

@interface GADBannerView : UIView
@end

%hook PlayViewController
- (void)planAds
{
    %orig;
    NSLog(@"123321planAds");

    // read the private ivar directly, since there is no property for it
    GADBannerView *gAdView = MSHookIvar<GADBannerView *>(self, "gAdView");
    NSLog(@"123321planAds was called %@", gAdView);

    ADBannerView *iAdView = self.iAdView;
    iAdView.hidden = YES;

    NSLog(@"123321planAds was called %@", iAdView);
}
%end
~~~

Then it's probably a problem with your project? How did you write the filter and the makefile?

I've already rebuilt it many times; master, could you take another look? Is no reboot needed, just open the app directly? Or does the device have to reboot before CydiaSubstrate loads the dylib???
makefile:

~~~makefile
THEOS_DEVICE_IP = 127.0.0.1
THEOS_DEVICE_PORT = 2222
ARCHS = arm64
TARGET = iPhone:8.1

include theos/makefiles/common.mk

TWEAK_NAME = OPlayer
OPlayer_FILES = Tweak.xm
OPlayer_FRAMEWORKS = UIKit iAd

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 OPlayer\ Lite"
~~~

filter:

~~~
{ Filter = { Bundles = ( "com.olimsoft.oplayer.lite" ); }; }
~~~

What device are you on? ssh in and run

~~~
grep OPlayer.dylib /var/log/syslog
~~~

and see what it prints.

5s, 8.12. The SDK is 8.1; I couldn't find an 8.12 SDK. But the earlier examples in the book all worked~~~ only this one doesn't.
Also, I checked the dylib, and the makefile I set really is arm64:

~~~
➜ DynamicLibraries lipo -info OPlayer.dylib
Non-fat file: OPlayer.dylib is architecture: arm64

➜ DynamicLibraries file OPlayer.dylib
OPlayer.dylib: Mach-O 64-bit dynamically linked shared library

➜ DynamicLibraries otool -h OPlayer.dylib
OPlayer.dylib:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedfacf 16777228 0 0x00 6 23 2296 0x00100085
~~~

~~~
iphone:~ root# grep OPlayer.dylib /var/log/syslog
Jan 12 18:20:15 Panda-iphone OPlayer Lite[5050]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/OPlayer.dylib
Jan 12 18:20:15 Panda-iphone OPlayer Lite[5050]: MS:Error: dlopen(/Library/MobileSubstrate/DynamicLibraries/OPlayer.dylib, 9): no suitable image found. Did find:
/Library/MobileSubstrate/DynamicLibraries/OPlayer.dylib: mach-o, but wrong architecture
Jan 18 21:24:34 Panda-iphone OPlayer Lite[4246]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/OPlayer.dylib
~~~

That line means your dylib's instruction set is wrong. This should be because OPlayer Lite's instruction set is armv7/7s while your dylib is arm64, and the instruction sets can't be mixed. Add armv7 to ARCHS and try again; it should work then.

I see, it really worked~~~~~ I didn't know you could just run grep xxx.dylib /var/log/syslog, and didn't know there were error messages to look at. Master, how do you check which instruction set a given app uses?
I thought every app on an arm64 device used the arm64 instruction set.
Also, can you explain what specifying arm64 versus armv7 actually means?

armv7 and armv7s both have 32-bit instruction lengths and can be mixed, but arm64 instructions are 64 bits long and can't be mixed with 32-bit ones; otherwise, should the iPhone parse instructions at 32-bit or 64-bit length? It would be chaos.
An app's instruction set can be checked with the command

~~~
otool -h AppExecutable
~~~

for example:

~~~
snakeninnys-MacBook:~ snakeninny$ otool -h /Users/snakeninny/Code/SMSNinja(bigboss)/SMSNinjaNow/layout/Library/MobileSubstrate/DynamicLibraries/libsmsninja.dylib
/Users/snakeninny/Code/SMSNinja(bigboss)/SMSNinjaNow/layout/Library/MobileSubstrate/DynamicLibraries/libsmsninja.dylib (architecture armv7):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedface      12          9  0x00          6    27       3336 0x00100085
/Users/snakeninny/Code/SMSNinja(bigboss)/SMSNinjaNow/layout/Library/MobileSubstrate/DynamicLibraries/libsmsninja.dylib (architecture arm64):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00          6    29       3920 0x00100085
~~~
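As an added example (not from this thread, the book, or Theos), here is a small Python checker that reads the same mach_header / fat_header fields that otool -h prints and reports whether a tweak dylib offers a slice that the app's process can load, i.e. the "mach-o, but wrong architecture" mismatch from the syslog above. The header bytes are constructed from the otool values quoted in the thread; the file names are placeholders.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE        # fat (universal) header, always big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit mach_header (armv7/armv7s slices)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit mach_header_64 (arm64 slices)
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C   # otool -h prints this as 16777228
ARM_SUBTYPES = {9: "armv7", 11: "armv7s"}

def _slice_name(cputype, cpusubtype):
    cpusubtype &= 0x00FFFFFF  # drop the capability bits in the top byte
    if cputype == CPU_TYPE_ARM64:
        return "arm64"
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(cpusubtype, "arm(subtype %d)" % cpusubtype)
    return "cpu(%d)" % cputype

def archs_of(blob):
    """List the architecture slices in a thin or fat Mach-O file (the header bytes suffice)."""
    if struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        names = []
        for i in range(nfat):  # fat_arch entries are 20 bytes each, big-endian
            cputype, cpusubtype = struct.unpack(">II", blob[8 + 20 * i:16 + 20 * i])
            names.append(_slice_name(cputype, cpusubtype))
        return names
    magic, cputype, cpusubtype = struct.unpack("<III", blob[:12])  # thin ARM images are little-endian
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image")
    return [_slice_name(cputype, cpusubtype)]

def dylib_loadable(app_blob, dylib_blob):
    """A 32-bit (armv7/armv7s) process can only load 32-bit slices and an arm64 process only arm64;
    this is the check that fails with 'wrong architecture' when Substrate dlopen()s the tweak."""
    app_is_64 = archs_of(app_blob)[0] == "arm64"
    return any((a == "arm64") == app_is_64 for a in archs_of(dylib_blob))

# Constructed sample headers; the field values mirror the otool -h output quoted in the thread.
ARMV7_APP = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 6, 27, 3336, 0x00100085)
ARM64_ONLY_DYLIB = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 6, 23, 2296, 0x00100085, 0)
FAT_DYLIB = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", CPU_TYPE_ARM, 9, 0x4000, 0x1000, 14)
             + struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))

if __name__ == "__main__":
    # for a real file: archs_of(open("/path/to/OPlayer.dylib", "rb").read(4096))
    print(archs_of(ARM64_ONLY_DYLIB), dylib_loadable(ARMV7_APP, ARM64_ONLY_DYLIB))  # ['arm64'] False
    print(archs_of(FAT_DYLIB), dylib_loadable(ARMV7_APP, FAT_DYLIB))                # ['armv7', 'arm64'] True
```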

I see, thank you master :loveliness: closing the thread

Ran into another problem~~~~~~ the oplayer app still won't stop at a breakpoint~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now it's an lldb debugger problem.

~~~
__text:000F0BE0 ; id __cdecl -[GADBannerView delegate](struct GADBannerView *self, SEL)
__text:000F0BE0 __GADBannerView_delegate_               ; DATA XREF: __objc_const:017A0054o
__text:000F0BE0                 STMFD           SP!, {R4-R7,LR}
__text:000F0BE4                 MOV             R1, #(:lower16:(selRef_slot - 0xF0BF8))
__text:000F0BE8                 ADD             R7, SP, #0xC
__text:000F0BEC                 MOVT            R1, #(:upper16:(selRef_slot - 0xF0BF8))
__text:000F0BF0                 LDR             R1, [PC,R1] ; selRef_slot ; "slot"
__text:000F0BF4                 BL              _objc_msgSend
__text:000F0BF8                 MOV             R7, R7
__text:000F0BFC                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0C00                 MOV             R1, #(:lower16:(selRef_delegateManager - 0xF0C14))
__text:000F0C04                 MOV             R4, R0
__text:000F0C08                 MOVT            R1, #(:upper16:(selRef_delegateManager - 0xF0C14))
__text:000F0C0C                 LDR             R1, [PC,R1] ; selRef_delegateManager ; "delegateManager"
__text:000F0C10                 BL              _objc_msgSend
__text:000F0C14                 MOV             R7, R7
__text:000F0C18                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0C1C                 MOV             R1, #(:lower16:(selRef_bannerDelegate - 0xF0C30))
__text:000F0C20                 MOV             R5, R0
__text:000F0C24                 MOVT            R1, #(:upper16:(selRef_bannerDelegate - 0xF0C30))
__text:000F0C28                 LDR             R1, [PC,R1] ; selRef_bannerDelegate ; "bannerDelegate"
__text:000F0C2C                 BL              _objc_msgSend
__text:000F0C30                 MOV             R7, R7
__text:000F0C34                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0C38                 MOV             R6, R0
__text:000F0C3C                 MOV             R0, R5
__text:000F0C40                 BL              _objc_release
__text:000F0C44                 MOV             R0, R4
__text:000F0C48                 BL              _objc_release
__text:000F0C4C                 MOV             R0, R6
__text:000F0C50                 LDMFD           SP!, {R4-R7,LR}
__text:000F0C54                 B               _objc_autoreleaseReturnValue
__text:000F0C54 ; End of function -[GADBannerView delegate]
~~~

~~~
Panda-iphone:~ root# debugserver *:1234 -a 1657
~~~

~~~
➜ panda lldb
(lldb) process connect connect://localhost:1234

error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 34
error: unable to find section for section 33
~~~

(this takes a very long time~~~~~ I heard it doesn't affect debugging)

~~~
(lldb)
error: Process 1783 is currently being debugged, kill the process before connecting.
(lldb)
error: Process 1783 is currently being debugged, kill the process before connecting.
(lldb)
error: Process 1783 is currently being debugged, kill the process before connecting.
(lldb)
error: Process 1783 is currently being debugged, kill the process before connecting.
Process 1783 stopped
* thread #1: tid = 0x6ade, 0x39ed14f0 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x39ed14f0 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap + 20:
-> 0x39ed14f0:  pop    {r4, r5, r6, r8}
   0x39ed14f4:  bx     lr
~~~

I don't know whether the debugger is already hung at this point?~~~~~~~~~~~~~~~~~

~~~
(lldb) image list -o -f
 0] 0x00000000 /private/var/mobile/Containers/Bundle/Application/EA468FAA-CC33-4BF7-B6B1-4F933CA4D7A2/OPlayer Lite.app/OPlayer Lite(0x0000000000004000)
 1] 0x02540000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000002540000)
 2] 0x0a788000 /usr/lib/libbz2.1.0.dylib(0x000000003916b000)
 3] 0x0a788000 /usr/lib/libSystem.B.dylib(0x0000000038f46000)
~~~

000F0C54 + 0x00000000 = 000F0C54

~~~
(lldb) breakpoint l
Current breakpoints:
1: address = 0x000f0c54, locations = 1, resolved = 1, hit count = 0
  1.1: where = OPlayer Lite`� + 2915, address = 0x000f0c54, resolved, hit count = 0
~~~

I set a breakpoint at 000F0C54, but it still doesn't hit~~~~
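Added example, not from this thread: a Python helper that parses lldb's `image list -o -f` output and turns the unslid address IDA shows into the address lldb needs, for the main executable or for any loaded dylib (the arithmetic in the post is the single-image case of this). The listing embedded below is a constructed copy of the one above, with the leading `[` that the page lost made optional.

```python
import re

# Constructed copy of the `image list -o -f` listing from the thread (the leading '[' was lost on the page).
IMAGE_LIST = """\
 0] 0x00000000 /private/var/mobile/Containers/Bundle/Application/EA468FAA-CC33-4BF7-B6B1-4F933CA4D7A2/OPlayer Lite.app/OPlayer Lite(0x0000000000004000)
 1] 0x02540000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000002540000)
 2] 0x0a788000 /usr/lib/libbz2.1.0.dylib(0x000000003916b000)
 3] 0x0a788000 /usr/lib/libSystem.B.dylib(0x0000000038f46000)
"""

# "[ n] <slide> <path>(<load address>)": -o prints the ASLR slide, -f the full path
LINE_RE = re.compile(r"^\[?\s*(\d+)\]\s+(0x[0-9a-f]+)\s+(.+)\((0x[0-9a-f]+)\)\s*$", re.I)

def parse_image_list(text):
    """Map each image's file name to (ASLR slide, load address)."""
    images = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lldb's own error/noise lines
        _idx, slide, path, load_addr = m.groups()
        images[path.rsplit("/", 1)[-1]] = (int(slide, 16), int(load_addr, 16))
    return images

def slid_address(static_addr, image_name, images):
    """IDA shows unslid file addresses; the running process sees file address + that image's slide."""
    slide, _load = images[image_name]
    return static_addr + slide

def breakpoint_command(static_addr, image_name, images):
    """The lldb command for an address breakpoint at the slid location."""
    return "breakpoint set -a 0x%08x" % slid_address(static_addr, image_name, images)

if __name__ == "__main__":
    imgs = parse_image_list(IMAGE_LIST)
    # the app's slide is 0 here, so 0xF0C54 in IDA is 0xF0C54 in the process, as the post computed
    print(breakpoint_command(0xF0C54, "OPlayer Lite", imgs))           # breakpoint set -a 0x000f0c54
    print(breakpoint_command(0x1000, "MobileSubstrate.dylib", imgs))   # breakpoint set -a 0x02541000
```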