需求: 绕过一款app的越狱检测.
现状: 打开app以后,页面空白,然后跳到safari页面,上面写了越狱设备不支持使用,重回app界面又会打开此页面. 我的思路有俩个但是行不通:
- 找出带有jailbreak字眼的函数进行hook. 但是没有进入我hook的函数
- 打开页面用的应该是 open函数, 用fishhook 进行hook,然后打印调用栈. 但是我不知道入口函数是哪个, 现在注入的这个也是没有生效的.
代码如下
// See http://iphonedevwiki.net/index.php/Logos
#import <UIKit/UIKit.h>
#include "fishhook.h"
#import <dlfcn.h>
%hook AppsFlyerUtils
- (bool) isJailBreakon
{
%log;
NSLog(@"Hey, appsflyer jailbreak ");
return NO;
}
%end
%hook SmartBeatUtil
- (bool) isJailbroken
{
%log;
NSLog(@"Hey, smartbeatutil jailbreak ");
return NO;
}
%end
static int (*orig_close)(int);
static int (*orig_open)(const char *, int, ...);
int my_close(int fd) {
NSLog(@"Calling real close(%d)\n", fd);
return orig_close(fd);
}
int my_open(const char *path, int oflag, ...) {
va_list ap = {0};
mode_t mode = 0;
if ((oflag & O_CREAT) != 0) {
// mode only applies to O_CREAT
va_start(ap, oflag);
mode = va_arg(ap, int);
va_end(ap);
NSLog(@"Calling real open('%s', %d, %d)\n", path, oflag, mode);
return orig_open(path, oflag, mode);
} else {
NSLog(@"Calling real open('%s', %d)\n", path, oflag);
return orig_open(path, oflag, mode);
}
}
%hook UIApplicationDelegate
- (_Bool)application:(UIApplication *)arg1 willFinishLaunchingWithOptions:(NSDictionary *)arg2 {
NSLog(@" inHook now");
// fishfook use
struct rebinding binds[2];
// orig_close是一个函数指针,(void *)&orig_close 是一个返回参数,所以用取地址,(void *)&orig_open也是类似的
struct rebinding bind1 = {"close", (void *)my_close, (void **)&orig_close};
binds[0] = bind1;
binds[1] = (struct rebinding){"open", (void *)my_open, (void **)&orig_open};
// rebind_symbols((struct rebinding[2]){{"close", my_close, (void *)&orig_close}, {"open", my_open, (void *)&orig_open}}, 2);
// 转换为:
rebind_symbols(binds, 2);
return %orig;
}
%end
大佬们帮我看下我的思路有没有问题,以及入口函数怎么找(来自萌新的提问)
2019-12-30-19:30 更新
印象里的open应该是swift调用的 UIApplication.shared.open(link)
…犯傻了.但是用 openURL也没生效
%hook UIApplication
+(void)load {
NSLog(@" inHook now");
return %orig;
}
-(BOOL)openURL:(NSURL *)url{
NSLog(@"openURL-url0:%@",url);
return %orig;
}
%end