Several problems encountered while reverse engineering TouchSprite (触动精灵) on iOS 11.3.1, and solutions

Problems

  • Two problems on the 11.3.1 system

1. Does TouchSprite have root privileges?

  • lldb prints getuid() = 501; going by that clue, it seems it does not have root privileges

2. TouchSprite can reboot the phone from inside the app; does that in turn mean TouchSprite has root privileges? Below is the log from triggering a reboot inside the TouchSprite app:

默认	13:43:53.592514 +0800	assertiond	[SpringBoard:60931] Attempting to acquire assertion for TouchSprite:61313: <BKProcessAssertion: 0x12de4f500; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…E3DAC93566D5>
默认	13:43:53.592900 +0800	assertiond	[TouchSprite:61313] Add assertion: <BKProcessAssertion: 0x12de4f500; id: 60931-6436B306-6942-4C84-974B-E3DAC93566D5; name: com.apple.UIKit.KeyboardManagement.message; state: active; reason: finishTask; duration: 180.0s> {
    owner = <BSProcessHandle: 0x12de0c370; SpringBoard:60931; valid: YES>;
    flags = preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep;
}
默认	13:43:53.593034 +0800	assertiond	[TouchSprite:61313] Activate assertion: <BKProcessAssertion: 0x12de4f500; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…E3DAC93566D5>
默认	13:43:53.593163 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]
默认	13:43:53.651176 +0800	assertiond	[TouchSprite:61313] Deactivate assertion: <BKProcessAssertion: 0x12de4f500; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…E3DAC93566D5>
默认	13:43:53.651854 +0800	assertiond	[TouchSprite:61313] dump all assertions HWM:3 (deactivateAssertion): {
    <BKProcessAssertion: 0x12dd0e2e0; "Resume" (activation:inf); id:…0C396E8DA5E0> [active]
}
默认	13:43:53.656818 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10100]
默认	13:43:53.660128 +0800	assertiond	[TouchSprite:61313] Remove assertion: <BKProcessAssertion: 0x12de4f500; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…E3DAC93566D5>
默认	13:43:55.405061 +0800	assertiond	[SpringBoard:60931] Attempting to acquire assertion for TouchSprite:61313: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…5844AD57B20C>
默认	13:43:55.406227 +0800	assertiond	[TouchSprite:61313] Add assertion: <BKProcessAssertion: 0x12dd67280; id: 60931-C5715F9D-F614-42F1-9F62-5844AD57B20C; name: com.apple.UIKit.KeyboardManagement.message; state: active; reason: finishTask; duration: 180.0s> {
    owner = <BSProcessHandle: 0x12de0c370; SpringBoard:60931; valid: YES>;
    flags = preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep;
}
默认	13:43:55.408729 +0800	assertiond	[TouchSprite:61313] Activate assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…5844AD57B20C>
默认	13:43:55.408878 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]
默认	13:43:55.443365 +0800	assertiond	[TouchSprite:61313] Deactivate assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…5844AD57B20C>
默认	13:43:55.443552 +0800	assertiond	[TouchSprite:61313] dump all assertions HWM:3 (deactivateAssertion): {
    <BKProcessAssertion: 0x12dd0e2e0; "Resume" (activation:inf); id:…0C396E8DA5E0> [active]
}
默认	13:43:55.445079 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10100]
默认	13:43:55.445243 +0800	assertiond	[TouchSprite:61313] Remove assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…5844AD57B20C>
错误	13:43:55.811777 +0800	TouchSprite	Function boringssl_session_errorlog: line 2881 [boringssl_session_read] SSL_ERROR_ZERO_RETURN(6): operation failed because the connection was cleanly shut down with a close_notify alert
错误	13:43:55.811885 +0800	TouchSprite	Function boringssl_session_errorlog: line 2881 [boringssl_session_read] SSL_ERROR_ZERO_RETURN(6): operation failed because the connection was cleanly shut down with a close_notify alert
默认	13:43:55.811988 +0800	TouchSprite	TIC TCP Conn Event [5:0x1c416ca80]: 2
默认	13:43:55.812037 +0800	TouchSprite	TIC TCP Conn Cancel [5:0x1c416ca80]
默认	13:43:55.813345 +0800	TouchSprite	[5 <private> stream, pid: 61313, url: https://storeauth.touchsprite.com/api/auth?encrypt=true, tls] cancelled
	[5.1 F219E465-A921-493A-B268-E1A4AE18195F <private>.50806<-><private>]
	Connected Path: satisfied (Path is satisfied), interface: en0, ipv4, dns
	Duration: 15.393s, DNS @0.000s took 0.018s, TCP @0.025s took 0.036s, TLS took 0.166s
	bytes in/out: 7026/1388, packets in/out: 12/6, rtt: 0.033s, retransmitted packets: 0, out-of-order packets: 0
默认	13:43:56.784538 +0800	assertiond	[SpringBoard:60931] Attempting to acquire assertion for TouchSprite:61313: <BKProcessAssertion: 0x12dd70340; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…F69B3566EB12>
默认	13:43:56.785599 +0800	assertiond	[TouchSprite:61313] Add assertion: <BKProcessAssertion: 0x12dd70340; id: 60931-C6240876-0593-4FE2-9F68-F69B3566EB12; name: com.apple.UIKit.KeyboardManagement.message; state: active; reason: finishTask; duration: 180.0s> {
    owner = <BSProcessHandle: 0x12de0c370; SpringBoard:60931; valid: YES>;
    flags = preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep;
}
默认	13:43:56.791219 +0800	assertiond	[TouchSprite:61313] Activate assertion: <BKProcessAssertion: 0x12dd70340; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…F69B3566EB12>
默认	13:43:56.791337 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]
默认	13:43:56.795744 +0800	assertiond	[TouchSprite:61313] Deactivate assertion: <BKProcessAssertion: 0x12dd70340; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…F69B3566EB12>
默认	13:43:56.795897 +0800	assertiond	[TouchSprite:61313] dump all assertions HWM:3 (deactivateAssertion): {
    <BKProcessAssertion: 0x12dd0e2e0; "Resume" (activation:inf); id:…0C396E8DA5E0> [active]
}
默认	13:43:56.796070 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10100]
默认	13:43:56.796224 +0800	assertiond	[TouchSprite:61313] Remove assertion: <BKProcessAssertion: 0x12dd70340; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…F69B3566EB12>
错误	13:44:00.061369 +0800	TouchSprite	Status bar could not find cached time string image. Rendering in-process.
默认	13:44:07.293196 +0800	TouchSprite	Could not signal service com.apple.WebKit.WebContent: 113: Could not find specified service
默认	13:44:07.293413 +0800	TouchSprite	0x1c4273b40 - ~ProcessAssertion() Releasing process assertion
默认	13:44:07.302701 +0800	TouchSprite	Could not signal service com.apple.WebKit.Networking: 113: Could not find specified service
默认	13:44:07.302931 +0800	TouchSprite	0x1c4270300 - ~ProcessAssertion() Releasing process assertion
默认	13:44:12.147451 +0800	assertiond	[SpringBoard:60931] Attempting to acquire assertion for TouchSprite:61313: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…77C20E2B934B>
默认	13:44:12.147730 +0800	assertiond	[TouchSprite:61313] Add assertion: <BKProcessAssertion: 0x12dd67280; id: 60931-846D7E13-165F-4B6F-A45A-77C20E2B934B; name: com.apple.UIKit.KeyboardManagement.message; state: active; reason: finishTask; duration: 180.0s> {
    owner = <BSProcessHandle: 0x12de0c370; SpringBoard:60931; valid: YES>;
    flags = preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep;
}
默认	13:44:12.147901 +0800	assertiond	[TouchSprite:61313] Activate assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…77C20E2B934B>
默认	13:44:12.148033 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]
默认	13:44:12.162290 +0800	assertiond	[TouchSprite:61313] Deactivate assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…77C20E2B934B>
默认	13:44:12.176561 +0800	assertiond	[TouchSprite:61313] dump all assertions HWM:3 (deactivateAssertion): {
    <BKProcessAssertion: 0x12dd0e2e0; "Resume" (activation:inf); id:…0C396E8DA5E0> [active]
}
默认	13:44:12.178633 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10100]
默认	13:44:12.180611 +0800	assertiond	[TouchSprite:61313] Remove assertion: <BKProcessAssertion: 0x12dd67280; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…77C20E2B934B>
默认	13:44:12.553293 +0800	TouchSprite	[CLIoHidInterface] Adding new Device with usage pair {11, 1}
默认	13:44:12.560056 +0800	TouchSprite	[CLIoHidInterface] invalidating hid service refs
默认	13:44:12.560631 +0800	TouchSprite	[CLIoHidInterface] Refreshing service refs
默认	13:44:12.600519 +0800	TouchSprite	[CLIoHidInterface] Event system client initialized successfully
默认	13:44:12.602750 +0800	TouchSprite	[CLIoHidInterface] invalidating hid service refs
默认	13:44:12.603037 +0800	TouchSprite	[CLIoHidInterface] Refreshing service refs
默认	13:44:12.640785 +0800	TouchSprite	{"msg":"Manufacturing service", "event":"activity", "RequestedServiceName":"CLGeomagneticModelProvider", "EffectiveServiceName":"CLGeomagneticModelProvider"}
默认	13:44:12.643684 +0800	TouchSprite	Starting device motion, mode=0x22,useAccelerometer=0,useGyro=1,useCompass=0,fUseNorthRef=0,buildingGYTT=0
默认	13:44:12.644569 +0800	TouchSprite	[CLIoHidInterface] Adding new Device with usage pair {65280, 9}
默认	13:44:12.646563 +0800	TouchSprite	[CLIoHidInterface] invalidating hid service refs
默认	13:44:12.646888 +0800	TouchSprite	[CLIoHidInterface] Refreshing service refs
默认	13:44:12.649513 +0800	TouchSprite	{"msg":"CLGyroBiasEstimatorClientRemote::registerWithGyroBiasEstimatorPrivate", "event":"activity", "isBuildingGYTT":0, "client":"0x1c0232cc0", "info":"0x102f77c50"}
默认	13:44:12.649618 +0800	TouchSprite	[CLIoHidInterface] Adding new Device with usage pair {65280, 3}
默认	13:44:12.653962 +0800	TouchSprite	{"msg":"Sending cached messages to daemon", "event":"activity"}
默认	13:44:12.654595 +0800	TouchSprite	#Warning No cached registration message
默认	13:44:12.655087 +0800	locationd	{"msg":"state transition", "event":"state_transition", "state":"DaemonClient", "id":"0x105033800", "property":"clientName", "old":"", "new":"com.touchsprite.ios"}
默认	13:44:12.657337 +0800	TouchSprite	[CLIoHidInterface] invalidating hid service refs
默认	13:44:12.658029 +0800	TouchSprite	[CLIoHidInterface] Refreshing service refs
默认	13:44:12.660446 +0800	TouchSprite	{"msg":"CLGyroBiasEstimatorClientRemote::onWatchdogTimerExpiry", "event":"activity", "client":"0x1c0232cc0"}
默认	13:44:12.660534 +0800	locationd	{"msg":"Client visibility changed", "client":"com.touchsprite.ios", "is visible":1}
默认	13:44:12.660613 +0800	locationd	{"msg":"#CLIUA Marking change", "clientKey":"com.touchsprite.ios", "reason":"In-use halo-effect", "assertionLevel":3, "coming":1}
默认	13:44:12.660795 +0800	locationd	{"msg":"#CLIUA Marking change", "clientKey":"com.touchsprite.ios", "reason":"In-use halo-effect", "assertionLevel":4, "coming":1}
默认	13:44:12.660854 +0800	locationd	{"msg":"#CLIUA Marking change", "clientKey":"com.touchsprite.ios", "reason":"In-use halo-effect", "assertionLevel":3, "coming":0}
默认	13:44:12.661331 +0800	locationd	Client com.touchsprite.ios connected
默认	13:44:12.662539 +0800	locationd	{"msg":"#CLIUA Client CLIUA level changed", "name":"com.touchsprite.ios", "assertedInUseLevel":4}
默认	13:44:12.663140 +0800	locationd	Client com.touchsprite.ios (0x105033800) is subscribing to notification kCLConnectionMessageGyroBiasEstimation
默认	13:44:13.509083 +0800	TouchSprite	{"msg":"CLGyroBiasEstimatorClientRemote::unregisterWithGyroBiasEstimatorPrivate", "event":"activity", "client":"0x1c0232cc0"}
默认	13:44:13.514200 +0800	locationd	Client com.touchsprite.ios disconnected
默认	13:44:13.515223 +0800	locationd	{"msg":"#CLIUA Marking change", "clientKey":"com.touchsprite.ios", "reason":"In-use halo-effect", "assertionLevel":4, "coming":0}
默认	13:44:19.295467 +0800	assertiond	[SpringBoard:60931] Attempting to acquire assertion for TouchSprite:61313: <BKProcessAssertion: 0x12de15fb0; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…B62828ABF7CF>
默认	13:44:19.295672 +0800	assertiond	[TouchSprite:61313] Add assertion: <BKProcessAssertion: 0x12de15fb0; id: 60931-A14AC0A3-9C4F-4D78-8EA0-B62828ABF7CF; name: com.apple.UIKit.KeyboardManagement.message; state: active; reason: finishTask; duration: 180.0s> {
    owner = <BSProcessHandle: 0x12de0c370; SpringBoard:60931; valid: YES>;
    flags = preventSuspend, preventThrottleDownUI, preventThrottleDownCPU, preventSuspendOnSleep;
}
默认	13:44:19.295932 +0800	assertiond	[TouchSprite:61313] Activate assertion: <BKProcessAssertion: 0x12de15fb0; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…B62828ABF7CF>
默认	13:44:19.297081 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]
默认	13:44:19.300663 +0800	assertiond	[TouchSprite:61313] Deactivate assertion: <BKProcessAssertion: 0x12de15fb0; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…B62828ABF7CF>
默认	13:44:19.301046 +0800	assertiond	[TouchSprite:61313] dump all assertions HWM:3 (deactivateAssertion): {
    <BKProcessAssertion: 0x12dd0e2e0; "Resume" (activation:inf); id:…0C396E8DA5E0> [active]
}
默认	13:44:19.302020 +0800	assertiond	[TouchSprite:61313] Setting jetsam priority to 10 [0x10100]
默认	13:44:19.302466 +0800	assertiond	[TouchSprite:61313] Remove assertion: <BKProcessAssertion: 0x12de15fb0; "com.apple.UIKit.KeyboardManagement.message" (finishTask:180s); id:…B62828ABF7CF>
默认	13:44:19.444005 +0800	TouchSprite	Stopping device motion, mode=0x22
错误	13:44:19.445133 +0800	TSDaemon	nw_path_close_fd Failed to close guarded necp fd 3 [9: Bad file descriptor]
默认	13:44:20.155892 +0800	TSDaemon	Connection interrupted for call observer <private>
默认	13:44:20.155988 +0800	TSDaemon	self.callUUIDToCallMap: <private>
默认	13:44:20.156043 +0800	TSDaemon	got event: Connection interrupted
默认	13:44:20.157034 +0800	TouchSprite	XPC connection interrupted
错误	13:44:20.157087 +0800	TouchSprite	LaunchServices: disconnect event (interruption) received for service com.apple.lsd.advertisingidentifiers
默认	13:44:20.157140 +0800	TouchSprite	got event: Connection interrupted
错误	13:44:20.157195 +0800	TouchSprite	LaunchServices: disconnect event (invalidation) received for service com.apple.lsd.advertisingidentifiers
错误	13:44:20.163759 +0800	TouchSprite	Exiting because the workspace server has disconnected.
默认	13:44:20.164022 +0800	TouchSprite	XPC connection interrupted (daemon probably exited)
错误	13:44:20.164259 +0800	TouchSprite	Terminating since there is no system app.

lldb is complicated… recording bits and pieces as I learn

lldb-related

br s -n "-[Class method]"

br s -a <address>  (address taken from po [Class _shortMethodDescription]) http://iosre.com/t/lldb-objective-c/6711

Step over: n

Continue: c

Print the current view controller (with navigation bar):

po [[[UIWindow keyWindow] rootViewController] topViewController]

Print this class's methods:

  • po [SysOptionViewController _shortMethodDescription]

  • Result:

in SysOptionViewController:
	Properties:
		@property (readonly) unsigned long hash;
		@property (readonly) Class superclass;
		@property (readonly, copy) NSString* description;
		@property (readonly, copy) NSString* debugDescription;
	Instance Methods:
		- (void) sysLogout; (0x10299ae34)
		- (void) sysRestart; (0x10299b004)
		- (void) sysClose; (0x10299b1d4)
		- (void) sysGPS; (0x10299b3a4)
		- (void) sysClearAPP; (0x10299b62c)
		- (void) didReceiveMemoryWarning; (0x10299ae00)
		- (void) viewDidLoad; (0x102999530)
		- (void) viewWillAppear:(BOOL)arg1; (0x102999448)
		- (void) viewWillDisappear:(BOOL)arg1; (0x1029994bc)
in FBaseViewController:
	Properties:
		@property (retain, nonatomic) FNavigationView* navBar;  (@synthesize navBar = _navBar;)
		@property (retain, nonatomic) FTabBarItem* tabItem;  (@synthesize tabItem = _tabItem;)
		@property (retain, nonatomic) UIView* contentView;  (@synthesize contentView = _contentView;)
		@property (retain, nonatomic) UIImageView* bgView;  (@synthesize bgView = _bgView;)
		@property (retain, nonatomic) FNoContentView* noContentView;  (@synthesize noContentView = _noContentView;)
		@property (retain, nonatomic) UIViewController* navViewController;  (@synthesize navViewController = _navViewController;)
		@property (retain, nonatomic, setter=setNavTitle:) NSString* navTitle;  (@synthesize navTitle = _navTitle;)
		@property (retain, nonatomic, setter=setNavTitleColor:) UIColor* navTitleColor;  (@synthesize navTitleColor = _navTitleColor;)
		@property (retain, nonatomic, setter=setBtnTitleColor:) UIColor* btnTitleColor;  (@synthesize btnTitleColor = _btnTitleColor;)
		@property (retain, nonatomic, setter=setLeftBtnTitle:) NSString* leftBtnTitle;  (@synthesize leftBtnTitle = _leftBtnTitle;)
		@property (retain, nonatomic, setter=setRightBtnTitle:) NSString* rightBtnTitle;  (@synthesize rightBtnTitle = _rightBtnTitle;)
		@property (nonatomic, setter=setIsShowNavBar:) BOOL isShowNavBar;  (@synthesize isShowNavBar = _isShowNavBar;)
		@property (nonatomic, setter=setIsNoContent:) BOOL isNoContent;  (@synthesize isNoContent = _isNoContent;)
		@property (readonly, nonatomic) BOOL isLoading;  (@synthesize isLoading = _isLoading;)
		@property (nonatomic, setter=setNavDelegate:) <FNavBarDelegate>* navDelegate;  (@synthesize navDelegate = _navDelegate;)
		@property (retain, nonatomic) LoadingView* webLoadingView;  (@synthesize webLoadingView = _webLoadingView;)
		@property (readonly) unsigned long hash;
		@property (readonly) Class superclass;
		@property (readonly, copy) NSString* description;
		@property (readonly, copy) NSString* debugDescription;
	Instance Methods:
		- (void) setNavTitleColor:(id)arg1; (0x1028608cc)
		- (void) setBtnTitleColor:(id)arg1; (0x10286095c)
		- (id) tabItem; (0x102860fdc)
		- (BOOL) isNoContent; (0x1028610f0)
		- (void) setBgView:(id)arg1; (0x102861034)
		- (id) bgView; (0x102861024)
		- (void) initView; (0x10285fbf8)
		- (void) setWebLoadingView:(id)arg1; (0x102861140)
		- (id) webLoadingView; (0x102861130)
		- (id) btnTitleColor; (0x1028610b0)
		- (id) navViewController; (0x10286106c)
		- (void) setIsShowNavBar:(BOOL)arg1; (0x10286072c)
		- (void) navBarToFront; (0x102860754)
		- (void) setNavDelegate:(id)arg1; (0x1028607c4)
		- (void) setLeftBtnTitle:(id)arg1; (0x102860a60)
		- (void) setRightBtnTitle:(id)arg1; (0x102860b0c)
		- (void) showTabRedPoint:(BOOL)arg1; (0x102860bb8)
		- (void) popViewControllerAnimatedOfNumber:(id)arg1; (0x102860f7c)
		- (void) setTabItem:(id)arg1; (0x102860fec)
		- (void) setNavViewController:(id)arg1; (0x10286107c)
		- (id) navTitleColor; (0x1028610a0)
		- (id) leftBtnTitle; (0x1028610c0)
		- (id) rightBtnTitle; (0x1028610d0)
		- (BOOL) isShowNavBar; (0x1028610e0)
		- (void) setIsNoContent:(BOOL)arg1; (0x102861100)
		- (id) navDelegate; (0x102861120)
		- (id) init; (0x10285fb08)
		- (void) setContentView:(id)arg1; (0x102861010)
		- (id) contentView; (0x102861000)
		- (void) .cxx_destruct; (0x102861154)
		- (void) popViewControllerAnimated:(BOOL)arg1; (0x102860dc0)
		- (void) viewDidLoad; (0x102860438)
		- (void) pushViewController:(id)arg1 animated:(BOOL)arg2; (0x102860c60)
		- (void) popToViewController:(id)arg1 animated:(BOOL)arg2; (0x102860e88)
		- (void) setNoContentView:(id)arg1; (0x102861058)
		- (id) noContentView; (0x102861048)
		- (BOOL) isLoading; (0x102861110)
		- (id) navTitle; (0x102861090)
		- (void) setNavBar:(id)arg1; (0x102860fc8)
		- (id) navBar; (0x102860fb8)
		- (void) setNavTitle:(id)arg1; (0x10286083c)
(UIViewController ...)

Found the restart method I wanted: - (void) sysRestart; at address 0x10299b004

Set a breakpoint on that address: (lldb) br s -a 0x10299b004

Breakpoint 2: where = TouchSprite`-[SysOptionViewController sysRestart], address = 0x000000010299b004

Trigger the restart:

expression -- [(SysOptionViewController*)0x103193f90 sysRestart]

  • However, the device did not reboot

Continuing execution / process interrupt:

(lldb) expression [(SysOptionViewController*)0x103193f90 sysLogout]
error: Process is running.  Use 'process interrupt' to pause execution.
(lldb) process interrupt

Solution

  • No solution so far
1 like
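One way to answer the "is there more than one process involved?" question directly from a log like the one quoted above, as an added example that is not part of the original post: a small C parser for the Console export format (tab-separated level, timestamp, sender, message) that tallies lines per sender and, for assertiond lines, also records the [Process:pid] target named at the start of the message. The sample lines are constructed to follow the shape of the log above; only the line format is taken from the page.

```c
#include <stdio.h>
#include <string.h>

/* Added example: tally which processes appear in a Console.app export.
 * Line shape (from the log above): level \t timestamp \t sender \t message.
 * The lines below are constructed samples in that shape, not the original log. */
static const char *const SAMPLE_LOG[] = {
    "默认\t13:43:53.592900 +0800\tassertiond\t[TouchSprite:61313] Add assertion: <BKProcessAssertion ...>",
    "默认\t13:43:53.593163 +0800\tassertiond\t[TouchSprite:61313] Setting jetsam priority to 10 [0x10108]",
    "默认\t13:44:12.655087 +0800\tlocationd\t{\"msg\":\"state transition\", \"new\":\"com.touchsprite.ios\"}",
    "错误\t13:44:19.445133 +0800\tTSDaemon\tnw_path_close_fd Failed to close guarded necp fd 3 [9: Bad file descriptor]",
    "默认\t13:44:20.155892 +0800\tTSDaemon\tConnection interrupted for call observer <private>",
    "默认\t13:44:20.157034 +0800\tTouchSprite\tXPC connection interrupted",
    "错误\t13:44:20.164259 +0800\tTouchSprite\tTerminating since there is no system app.",
    NULL
};

#define MAX_SENDERS 16
#define NAME_LEN 64

typedef struct { char name[NAME_LEN]; int lines; } SenderCount;
typedef struct { SenderCount senders[MAX_SENDERS]; int n; } SenderTable;

/* Copy the k-th tab-separated field (0-based) of line into out. Returns 1 on success. */
static int field(const char *line, int k, char *out, size_t outlen) {
    const char *p = line;
    for (int i = 0; i < k; i++) {
        p = strchr(p, '\t');
        if (!p) return 0;
        p++;
    }
    const char *end = strchr(p, '\t');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outlen) len = outlen - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

static void tally(SenderTable *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->senders[i].name, name) == 0) { t->senders[i].lines++; return; }
    if (t->n < MAX_SENDERS) {
        snprintf(t->senders[t->n].name, NAME_LEN, "%s", name);
        t->senders[t->n].lines = 1;
        t->n++;
    }
}

/* Count lines per sender. For assertiond, the message begins with "[Process:pid]";
 * that target is tallied as "Process:pid" so the app's pid is visible as well. */
void tally_senders(const char *const *lines, SenderTable *t) {
    char sender[NAME_LEN], msg[512];
    t->n = 0;
    for (int i = 0; lines[i]; i++) {
        if (!field(lines[i], 2, sender, sizeof sender)) continue;
        tally(t, sender);
        if (strcmp(sender, "assertiond") == 0 &&
            field(lines[i], 3, msg, sizeof msg) && msg[0] == '[') {
            char *close = strchr(msg, ']');
            if (close) { *close = '\0'; tally(t, msg + 1); }
        }
    }
}

int sender_lines(const SenderTable *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->senders[i].name, name) == 0) return t->senders[i].lines;
    return 0;
}

/* Convenience wrappers over the constructed sample. */
int count_sample(const char *name) {
    SenderTable t;
    tally_senders(SAMPLE_LOG, &t);
    return sender_lines(&t, name);
}

int distinct_sample(void) {
    SenderTable t;
    tally_senders(SAMPLE_LOG, &t);
    return t.n;
}

int main(void) {
    SenderTable t;
    tally_senders(SAMPLE_LOG, &t);
    for (int i = 0; i < t.n; i++)
        printf("%-20s %d line(s)\n", t.senders[i].name, t.senders[i].lines);
    return 0;
}
```

Run against the real export, the table makes the second process (TSDaemon) and the app's own pid stand out immediately, which is the first thing to check before concluding that the app itself performed the reboot.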

Can't TouchSprite be hooked? Has anyone hooked it successfully?

  • Below is my code for hooking TouchSprite 3.0 on the 11.3 system, but the hook doesn't take effect
#import <Foundation/Foundation.h>
#include <unistd.h>   // getuid / geteuid

// Log the real and effective uid at several points to see whether the app ever runs as root.
%hook AppDelegate

+ (void)load {
    %log;
    NSLog(@"iOSRE: %d, %d", getuid(), geteuid());
    %orig;
}

- (void)setWindow:(id)window {
    %log;
    %orig;
    NSLog(@"iOSRE: %d, %d", getuid(), geteuid());
}

%end

// Runs when the tweak dylib is loaded, before any hooked method fires.
%ctor {
    NSLog(@"iOSRE: %d, %d", getuid(), geteuid());
}

%hook SettingViewController

+ (void)goAuth:(id)arg1 {
    %log;
    NSLog(@"iOSRE: %d, %d", getuid(), geteuid());
    %orig;   // void method: call the original without returning a value
}

%end

  • Found a similar thread, http://iosre.com/t/tweak/5784; it may have some kind of protection in place

  • lldb prints getuid() = 501; does that mean the app does not have root privileges?

A hint: the way root privileges are obtained on iOS 11 is rather special; it may only acquire them at the moment an operation that needs root is performed.

So do you know what's special about it? How does one obtain root privileges on iOS 11?

There might be several processes. It sends a message to another process to have it reboot the device; have you checked for that?

1 like

How do the processes send messages to each other?

You're looking at the wrong target; it can execute shell commands from Lua, so of course it must have root privileges.

Of course it has root privileges; the OP is asking whether root is obtained through the app. The answer is no. TouchSprite gets root through TSDaemon.

2 likes

TouchSprite has a background daemon process; the foreground app communicates with the daemon to implement the corresponding functionality.
TouchSprite on iOS has a very obvious bug: network requests can hang (when calling Mr. Su's .so).
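The design the last replies describe, an unprivileged foreground app (uid 501) asking a separate root daemon to do privileged work, is also where request validation on the daemon side matters most. As an added example, not TouchSprite's or TSDaemon's code (the thread does not describe their protocol), here is a minimal C model of that split: the client sends a short command name over a Unix socketpair, and the daemon performs only operations on a fixed allowlist, answering "OK" or "DENIED" to everything else. The command names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Added example of the app <-> root-daemon split. Command names are
 * assumptions; the real TSDaemon protocol is not described in the thread. */

#define MSG_MAX 64

static const char *const ALLOWED[] = { "restart", "logout", "close", NULL };

/* Daemon-side policy: 1 only on an exact allowlist match, otherwise 0.
 * Whole-string matching (not a prefix) is what keeps "restart; sh" out. */
int daemon_is_allowed(const char *cmd) {
    for (int i = 0; ALLOWED[i]; i++)
        if (strcmp(cmd, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Daemon side: read one request, decide, reply. Returns 1 allowed, 0 denied,
 * -1 on EOF/error. The daemon never executes the client's bytes; it only
 * selects a fixed operation by name. */
int daemon_serve_one(int fd) {
    char buf[MSG_MAX];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n <= 0) return -1;
    buf[n] = '\0';
    int ok = daemon_is_allowed(buf);
    const char *reply = ok ? "OK" : "DENIED";
    if (write(fd, reply, strlen(reply)) < 0) return -1;
    return ok;
}

/* Client side (the unprivileged app): send cmd, wait for the reply. */
int client_request(int fd, const char *cmd, char *out, size_t outlen) {
    if (write(fd, cmd, strlen(cmd)) < 0) return -1;
    ssize_t n = read(fd, out, outlen - 1);
    if (n <= 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Drive one request through both ends inside this process so the policy can be
 * checked deterministically: 1 if the daemon answered OK, 0 if DENIED, -1 error. */
int verdict_for(const char *cmd) {
    int sv[2];
    char reply[MSG_MAX];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    ssize_t w = write(sv[0], cmd, strlen(cmd));        /* request is buffered */
    int served = (w < 0) ? -1 : daemon_serve_one(sv[1]);
    ssize_t n = (served < 0) ? -1 : read(sv[0], reply, sizeof reply - 1);
    close(sv[0]);
    close(sv[1]);
    if (n <= 0) return -1;
    reply[n] = '\0';
    if (strcmp(reply, "OK") == 0) return 1;
    if (strcmp(reply, "DENIED") == 0) return 0;
    return -1;
}

/* Stand-alone demo: the child plays the app, the parent plays the daemon. */
int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[1]);
        const char *cmds[] = { "restart", "exec /bin/sh", NULL };
        char reply[MSG_MAX];
        for (int i = 0; cmds[i]; i++)
            if (client_request(sv[0], cmds[i], reply, sizeof reply) == 0)
                printf("app: %-14s -> %s\n", cmds[i], reply);
        close(sv[0]);
        _exit(0);
    }
    close(sv[0]);
    while (daemon_serve_one(sv[1]) >= 0) { }   /* serve until the app hangs up */
    close(sv[1]);
    waitpid(pid, NULL, 0);
    return 0;
}
```

In a real deployment the two ends are separate processes with different uids, talking over a Unix-domain socket or XPC, and the daemon should additionally check the peer's credentials (SO_PEERCRED on Linux, LOCAL_PEERCRED on macOS-derived systems) before honouring even an allowlisted request; a root daemon that relays arbitrary shell strings from the app is the same as giving the app root.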