手把手教你编译Simulatetouch

yuzhouheike · 2018 年9 月 21 日 05:39

写在前面的话.为什么要编译这个?因为想做个模拟点击,提供给做测试岗位的未来女朋友使用,解放测试小姑娘们的双手,但是自己很菜又搞不懂苹果底层的点击是怎做的.搜索了一下发现韩国人写的这个simulatetouch可以达到要求,但是人家已经不维护了.所以需要修改他的代码.目前只发现了这一个开源代码,可以直接手机上每一个角落,所以需要在这个基础上开发自己的模拟点击,也看到了其他人的模拟点击比如PTFaketouch,ZSFaketouch但是这两个都需要注入别人的App才能点击,考虑到大多数厉害点儿的App都会做防注入,所以放弃,继续研读simulatetouch源码.期望与有共同需求的爱好者一起讨论

开发环境

Xcode9.4.1
iOS8
macOS10.13.6

接下来做好不断失败的准备,因为在论坛搜了一下大多数都是求助无果的帖子

0x1 下载源代码

git clone git@github.com:iolate/SimulateTouch.git

git submodule init

git submodule update

0x02 tree一下

0x03 编译

make

0x04 在电脑找一下这个文件,发现找不到

sudo find / -name IOKit/hid/IOHIDEvent.h

0x05 去github找找

最后在zhangkn大佬的博客看到一个IOKit文件夹https://github.com/iosaso/KNtheos/tree/master/include/IOKit
把上面的IOKit文件夹下载下来放到/opt/theos/include目录下即可
解决方式就是注释代码STLibrary的这些代码

// typedef enum {
//     UIInterfaceOrientationPortrait           = 1,//UIDeviceOrientationPortrait,
//     UIInterfaceOrientationPortraitUpsideDown = 2,//UIDeviceOrientationPortraitUpsideDown,
//     UIInterfaceOrientationLandscapeLeft      = 4,//UIDeviceOrientationLandscapeRight,
//     UIInterfaceOrientationLandscapeRight     = 3,//UIDeviceOrientationLandscapeLeft
// } UIInterfaceOrientation;
//
// @interface UIScreen
// +(id)mainScreen;
// -(CGRect)bounds;
// @end

0x06 去theos的git下载他们的SDK放在`/opt/theos/sdk目录下`修改Makefile 为9.3的SDK

include ${THEOS}/makefiles/common.mk

export TARGET = iphone:clang:9.3:8.0
# export SDKVERSION=5.1
# export CURRENT_VERSION = 0800
# TARGET = iphone:11.0:8.0
TWEAK_NAME = SimulateTouch
SimulateTouch_FILES = SimulateTouch.mm
SimulateTouch_PRIVATE_FRAMEWORKS = IOKit
SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap

LIBRARY_NAME = libsimulatetouch
libsimulatetouch_FILES = STLibrary.mm
libsimulatetouch_LDFLAGS = -lrocketbootstrap
libsimulatetouch_INSTALL_PATH = /usr/lib/
libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics

TOOL_NAME = stouch
stouch_FILES = main.mm
stouch_FRAMEWORKS = UIKit
stouch_INSTALL_PATH = /usr/bin/
stouch_LDFLAGS = -lsimulatetouch

include $(THEOS_MAKE_PATH)/tweak.mk
include $(THEOS_MAKE_PATH)/library.mk
include $(THEOS_MAKE_PATH)/tool.mk

这里的解决方案是把Makefile文件换成第7步的Makefile文件内容SDK版本用11.2的

0x07 修改下Makefile文件先编译lib因为编译其他两个要用到它.编译成功后放大到`/opt/theos/lib`目录下

include ${THEOS}/makefiles/common.mk

export TARGET = iphone:clang:11.2:8.0
# export SDKVERSION=5.1
# export CURRENT_VERSION = 0800
# TARGET = iphone:11.0:8.0
# TWEAK_NAME = SimulateTouch
# SimulateTouch_FILES = SimulateTouch.mm
# SimulateTouch_PRIVATE_FRAMEWORKS = IOKit
# SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap

LIBRARY_NAME = libsimulatetouch
libsimulatetouch_FILES = STLibrary.mm
libsimulatetouch_LDFLAGS = -lrocketbootstrap
libsimulatetouch_INSTALL_PATH = /usr/lib/
libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics

# TOOL_NAME = stouch
# stouch_FILES = main.mm
# stouch_FRAMEWORKS = UIKit
# stouch_INSTALL_PATH = /usr/bin/
# stouch_LDFLAGS = -lsimulatetouch

include $(THEOS_MAKE_PATH)/tweak.mk
include $(THEOS_MAKE_PATH)/library.mk
include $(THEOS_MAKE_PATH)/tool.mk

0x08 这样不就成功了.此刻觉得大佬们不分享可能因为觉得太简单了

0x09 接下来继续编译完整的项目

include ${THEOS}/makefiles/common.mk

export TARGET = iphone:clang:11.2:8.0
# export SDKVERSION=5.1
# export CURRENT_VERSION = 0800
# TARGET = iphone:11.0:8.0
TWEAK_NAME = SimulateTouch
SimulateTouch_FILES = SimulateTouch.mm
SimulateTouch_PRIVATE_FRAMEWORKS = IOKit
SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap

LIBRARY_NAME = libsimulatetouch
libsimulatetouch_FILES = STLibrary.mm
libsimulatetouch_LDFLAGS = -lrocketbootstrap
libsimulatetouch_INSTALL_PATH = /usr/lib/
libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics

TOOL_NAME = stouch
stouch_FILES = main.mm
stouch_FRAMEWORKS = UIKit
stouch_INSTALL_PATH = /usr/bin/
stouch_LDFLAGS = -lsimulatetouch

include $(THEOS_MAKE_PATH)/tweak.mk
include $(THEOS_MAKE_PATH)/library.mk
include $(THEOS_MAKE_PATH)/tool.mk

0x10 重启手机然后执行stouch 就可以了

由与SDK版本等各种环境问题你可能会遇到以下问题

估计不会遇到问题。但是遇到的话评论区评论就好了

虽然说是手把手,但是好多细节我也忘记了,因为编译这个花费了两三天时间了,如果您在编译的过程中遇到什么其他问题,可以在评论里面问我,

从这里开始讲iOS11遇到问题的解决办法

iOS11的解决办法

killed:9问题,参考我的其他帖子http://iosre.com/t/ios11-iphone-tool-killed-9-killed/12819/3
yuzhouheike1haoji:~ root# stouch
Killed: 9

0x01 首先解决killed:9问题


yuzhouheike1haoji:~ root# exit
logout
Connection to 192.168.31.149 closed.
 ✘ hacker_hades@HadesdeMacBook-Pro  ~/Desktop/SimulateTouch/SimulateTouch   master ●  cd ~/Desktop
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !code
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f stouch
stouch: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp stouch root@192.168.31.149:/var
stouch                                                                                    100%  165KB   4.9MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !ssh
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  ssh root@192.168.31.149
Last login: Sat Sep 22 13:32:21 2018 from 192.168.31.217
yuzhouheike1haoji:~ root# mv /var/stouch /usr/bin/
yuzhouheike1haoji:~ root# stouch
dyld: Library not loaded: /usr/lib//libsimulatetouch.dylib
  Referenced from: /usr/bin/stouch
  Reason: no suitable image found.  Did find:
	/usr/lib//libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib//libsimulatetouch.dylib'
	/usr/lib/libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib/libsimulatetouch.dylib'
Abort trap: 6

0x02 根据提示这个/usr/lib//libsimulatetouch.dylib动态库没有签名

yuzhouheike1haoji:~ root# exit
logout
Connection to 192.168.31.149 closed.

 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp root@192.168.31.149:/usr/bin/stouch ./
stouch                                                                                    100%  130KB   4.7MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !code
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f stouch
stouch: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp stouch root@192.168.31.149:/var
stouch                                                                                    100%  165KB   4.8MB/s   00:00

0x02 解决`libsimulatetouch.dylib`签名

 ✘ hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp root@192.168.31.149:/usr/lib//libsimulatetouch.dylib ./
libsimulatetouch.dylib                                                                    100%  134KB   4.3MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsimulatetouch.dylib
libsimulatetouch.dylib: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp libsimulatetouch.dylib root@192.168.31.149:/var
libsimulatetouch.dylib                                                                    100%  169KB   4.5MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !ssh
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  ssh root@192.168.31.149
Last login: Sat Sep 22 14:22:28 2018 from 192.168.31.217
yuzhouheike1haoji:~ root# mv /var/lib
lib/                    libsimulatetouch.dylib
yuzhouheike1haoji:~ root# mv /var/libsimulatetouch.dylib /usr/lib//
yuzhouheike1haoji:~ root# stouch
dyld: Library not loaded: /usr/lib/librocketbootstrap.dylib
  Referenced from: /usr/lib//libsimulatetouch.dylib
  Reason: no suitable image found.  Did find:
	/usr/lib/librocketbootstrap.dylib: code signing blocked mmap() of '/usr/lib/librocketbootstrap.dylib'
	/usr/lib/librocketbootstrap.dylib: code signing blocked mmap() of '/usr/lib/librocketbootstrap.dylib'
Abort trap: 6

0x03 解决`librocketbootstrap.dylib`签名


 ✘ hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp root@192.168.31.149:/usr/lib/librocketbootstrap.dylib ./
librocketbootstrap.dylib                                                                  100%  217KB   6.1MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f librocketbootstrap.dylib
librocketbootstrap.dylib: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp librocketbootstrap.dylib root@192.168.31.149:/var
librocketbootstrap.dylib                                                                  100%  284KB   6.5MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !ssh
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  ssh root@192.168.31.149
Last login: Sat Sep 22 14:24:01 2018 from 192.168.31.217
yuzhouheike1haoji:~ root# mv /var/librocketbootstrap.dylib /usr/lib/librocketbootstrap.dylib
yuzhouheike1haoji:~ root# stouch
dyld: Library not loaded: /usr/lib/libsubstrate.dylib
  Referenced from: /usr/lib/librocketbootstrap.dylib
  Reason: no suitable image found.  Did find:
	/usr/lib/libsubstrate.dylib: code signing blocked mmap() of '/usr/lib/libsubstrate.dylib'
	/usr/lib/libsubstrate.dylib: code signing blocked mmap() of '/usr/lib/libsubstrate.dylib'
Abort trap: 6

0x04 解决`/usr/lib/libsubstrate.dylib`签名

yuzhouheike1haoji:~ root# exit
logout
Connection to 192.168.31.149 closed.
 ✘ hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp root@192.168.31.149:/usr/lib/libsubstrate.dylib ./
libsubstrate.dylib                                                                        100%   66KB   2.8MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsubstrate.dylib
libsubstrate.dylib: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp libsubstrate.dylib root@192.168.31.149:/var
libsubstrate.dylib                                                                        100%   85KB   3.3MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !ssh
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  ssh root@192.168.31.149
Last login: Sat Sep 22 14:26:20 2018 from 192.168.31.217
yuzhouheike1haoji:~ root# mv /var/libsubstrate.dylib /usr/lib/libsubstrate.dylib
yuzhouheike1haoji:~ root# stouch
dyld: Library not loaded: /usr/lib/libsubstitute.0.dylib
  Referenced from: /usr/lib/libsubstrate.dylib
  Reason: no suitable image found.  Did find:
	/usr/lib/libsubstitute.0.dylib: code signing blocked mmap() of '/usr/lib/libsubstitute.0.dylib'
	/usr/lib/libsubstitute.0.dylib: code signing blocked mmap() of '/usr/lib/libsubstitute.0.dylib'
Abort trap: 6

0x05 解决`/usr/lib/libsubstitute.0.dylib`签名问题

yuzhouheike1haoji:~ root# exit
logout
Connection to 192.168.31.149 closed.
 ✘ hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp root@192.168.31.149:/usr/lib/libsubstitute.0.dylib ./
libsubstitute.0.dylib                                                                     100%  104KB   4.1MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsubstitute.0.dylib
libsubstitute.0.dylib: replacing existing signature
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  scp libsubstitute.0.dylib root@192.168.31.149:/var
libsubstitute.0.dylib                                                                     100%  124KB   1.9MB/s   00:00
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  !ssh
 hacker_hades@HadesdeMacBook-Pro  ~/Desktop  ssh root@192.168.31.149
Last login: Sat Sep 22 14:29:17 2018 from 192.168.31.217
yuzhouheike1haoji:~ root# mv /var/libsubstitute.0.dylib /usr/lib/libsubstitute.0.dylib
yuzhouheike1haoji:~ root# stouch
[Usage]
 1. Touch:
    stouch touch x y [orientation]

 2. Swipe:
   stouch swipe fromX fromY toX toY [duration(0.3)] [orientation]

 3. Button:
    stouch button Type State

[Example]
   # stouch touch 50 100
   # stouch swipe 50 100 100 200 0.5
   # stouch button 0 1
   # stouch button 1 0

[Orientation]
    Portrait:1 UpsideDown:2 Right:3 Left:4

[Button]
    Power:0 Home:1

[State]
    Up/Raise:0 Down/Press:1

yuzhouheike1haoji:~ root#

0x06 问题解决了那么问题来了就没有简单点儿的解决办法吗。。

0x07 然而事情还是没有完

0x08 使用YZHK提权: `YZHK stouch touch 50 100`

那么YZHK 是啥?http://iosre.com/t/ios-11-debugserver-lldb/12197 参考这个链接编译出一个命令行工具

#include <spawn.h>

int  main(int argc, char *argv[], char *envp[])
{
    if (argc < 2)
    {
   fprintf(stderr, "usage: %s program args...\n", argv[0]);
       
       return EXIT_FAILURE;
    }
    
    int ret, status;
    pid_t pid;
    posix_spawnattr_t attr;
    
    posix_spawnattr_init(&attr);
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
    
    ret = posix_spawnp(&pid, argv[1], NULL, &attr, &argv[1], envp);
    
    posix_spawnattr_destroy(&attr);
    
    if (ret != 0)
    {
        printf("posix_spawnp failed with %d: %s\n", ret, strerror(ret));
        return ret;
    }
    
    char buf[200];
    
    snprintf(buf, sizeof(buf), "/electra/jailbreakd_client %d 1", pid);
    system(buf);
    
    kill(pid, SIGCONT);
    waitpid(pid, &status, 0);
    
    return 0;
}

0x09 解决 `MessagePort is invalid`问题

reboot即可

0x10 好了做完上面的,发现手机并没有被点击…

0x11 查看日志,

andyok · 2018 年9 月 21 日 05:52

厉害厉害，牛逼牛逼

sailor · 2018 年9 月 21 日 06:54

前人种树后人乘凉，真得感谢别人韩国人，我前段时候也自己捣鼓编译了一下，改动基本很小

yuzhouheike · 2018 年9 月 21 日 06:57

除了这块改动还改那块儿了?

yuzhouheike · 2018 年9 月 21 日 07:01

还有你这个最后是什么解决方式贝塞尔曲线?

sailor · 2018 年9 月 21 日 07:01

大致跟你上面说的差不多，就是差一些头文件啥的，然后，我把它的swipe函数封装改了一下，换成可以变速曲线滑动

sailor · 2018 年9 月 21 日 07:08

simulateTouch源码里封装的swipe函数是匀速的，你自己去看实现，然后改成变速的，手动滑动多条轨迹，看看里面坐标变化，这样大致就可以模拟手指滑动了

yuzhouheike · 2018 年9 月 21 日 07:14

好的非常感谢,大佬有机会多指点指点小弟

Magic_Unique · 2018 年9 月 21 日 10:10

兄弟咱们可以探讨一下，公司现在要做模拟点击自动化测试这块了。

yuzhouheike · 2018 年9 月 22 日 00:33

好的。大佬。

andyok · 2018 年9 月 22 日 00:57

深圳人民发来贺电…

wangpeng · 2018 年9 月 22 日 05:34

你好你的手机是11系统吗
我的11.3.1遇到个问题
killed:9签名以后
暴露出了新的问题

dyld: Library not loaded: /usr/lib//libsimulatetouch.dylib
  Referenced from: /usr/bin/stouch
  Reason: no suitable image found.  Did find:
	/usr/lib//libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib//libsimulatetouch.dylib'
	/usr/lib/libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib/libsimulatetouch.dylib'
Abort trap: 6

wangxiaoning · 2018 年9 月 22 日 06:38

大号回答!

DaShuai73 · 2018 年9 月 26 日 02:07

你好, 这个需要只能使用越狱手机吧, 我用fakeTouch做的虚拟点击, 后屏点击会阻断前屏的点击, 现在在想办法解决这个问题, 请问如果我如何接收外设传来的touch而不调用系统的点击, 从而达到虚拟点击的效果???

wangxiaoning · 2018 年9 月 26 日 02:19

不好意思听不懂你在说啥,…
talk is cheap
show us the code!
应该没打错

DaShuai73 · 2018 年9 月 26 日 04:14

for (int i = 0; i < mPointArr.count; i++) {
    
    CGPoint point = CGPointFromString(mPointArr[i]);
    
    HSCTouch *touch = touches[i];

    if (touch.state == hscTouchStateBegan) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [PTFakeTouch beginTouchWithPoint:point];
        });
        
    } else if (touch.state == hscTouchStateMoved) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [PTFakeTouch moveTouchWithPoint:point];
        });
        
    } else {
        dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.1 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
            [PTFakeTouch endTouchWithPoint:point];
        });

        break;
        
    }
    
    
}

接收外设传来的point, 通过fakeTouch实现虚拟点击, 在点击外设的时候, 会阻断手机屏幕的点击反应

wangxiaoning · 2018 年9 月 26 日 07:41

意思就是虚拟点击和物理点击冲突了是吗?

DaShuai73 · 2018 年9 月 26 日 07:52

是的, 现在就在苦想解决办法

mj_rocky · 2018 年10 月 18 日 07:54

大神,可否借梯子一用.不借勿喷.准备造ing

sailor · 2018 年10 月 18 日 08:21

用梯子爬啥