Iosshook mode under non-jailbreak
Pay attention to the difference between each tool's name and its purpose:

theos and iosOpenDev: generate the dylib.

insert_dylib (or yololib, optool): insert the dylib into the binary file.

install_name_tool: modify the dylib reference path.

iResign, sigh resign, codesign: re-sign. Every binary modified by the steps above has to be re-signed.

Second: the process

Step 1: generate the dylib

The dylib can be generated with theos or with iosOpenDev.

theos is a tool developed specifically for jailbreak development, and the dylib it produces can be used directly on a jailbroken device.

However, theos is not a tool supported by Apple. It compiles a deb package on the Mac side, the package is installed into the iOS system with dpkg as a tweak, and that yields the dylib. theos needs to call the iOS SDK on the Mac side; at present SDKs above 9.3 cannot be used, and the theos tool has not been updated.

iosOpenDev is a tweak generation tool that works with Apple's official Xcode, so the dylib can be generated directly in Xcode.

This kind of dylib comes in two types: CaptainHookTweak and Logos Tweak.

There is no essential difference between the two: the syntax of Logos Tweak is relatively simple and consistent with the syntax of theos, while CaptainHookTweak is more complicated.

Step 2: insert the dylib

All three tools can insert a dylib into a binary file, but each has its own strengths.

yololib can only insert into 64-bit binary files, as the comparison table in section three shows.

insert_dylib handles both 64-bit and 32-bit binaries, and also lets you choose whether to delete the binary's original signature, that is, the LC_CODE_SIGNATURE load command.

optool is more powerful: you can choose which load command (LC) to insert the library with. It is not used in this example.

Step 3: modify the dylib reference

After inserting the dylib, you need to add a reference to it. This is done with the tool install_name_tool.

It was this step that was left out before, which caused the signed app to crash on launch and the dylib never to be called.

Because there is no jailbroken phone at hand at present, the CydiaSubstrate dylib has not been transferred over, so this step is temporarily suspended (mainly because the CydiaSubstrate dylib differs between jailbroken system versions; with no jailbroken system at present there is no matching dylib).

If you think about it carefully, though: since the CydiaSubstrate dylib itself already exists on a jailbroken phone, a theos tweak does not need to bundle this dylib at all, it only needs a reference to it.

On a non-jailbroken phone, however, you need to put the CydiaSubstrate dylib into the app package and add its reference path.

In that case, why does iosOpenDev, which comes from Apple, offer tools for developing a dylib?

Because Apple introduced iosOpenDev to generate dylibs, and not at all for playing around like this. Apple wants you to add the dylib to the iOS project and add a reference to it in the project; if the app later needs a few updates, you only have to update this dylib instead of the whole app. This is called an incremental update in iOS development.

You can use the hook interface provided by iosOpenDev without using the hook interface provided by Cydia at all.

The operation is as follows:

A: add the dylib to the app package (if you need to call the MSHook functions of Cydia Substrate, you also need to add the Cydia Substrate dylib);

B: insert it with the insertion tool. Note a pitfall here: for every dylib copied into the package, besides adding a reference to it with install_name_tool and inserting the Mach-O LOAD command, the reference has to use the executable path, @executable_path.

First, cd into the application package.

Then run:

/Users/ChenDan/Desktop/diff_hook/insert_dylib @executable_path/ios_hook.dylib hook_demo hook_demo

C: sign afterwards.

Sign each modified or added file in the application package:

codesign -f -s "iPhone Developer: 694708086@qq.com (T4M3JZDL2)" hook_demo

codesign -f -s "iPhone Developer: 694708086@qq.com (T4M3JZDL2)" ios_hook.dylib

Then sign the entire app package with its entitlements:

codesign -f -s "iPhone Developer: 694708086@qq.com (T4M3JZDL2)" --entitlements entitlements.plist hook_demo.app

You can install the app package directly, or use xcrun to package it into an ipa for installation.
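The step that was missed above, the load command that references the injected dylib, and the LC_CODE_SIGNATURE that insert_dylib may strip, are both visible in the Mach-O load commands (otool -L shows the former on a Mac). The following script is an added example, not code from the original post: it walks the load commands of a little-endian 64-bit Mach-O, lists every LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB entry, flags the ones whose path starts with @executable_path, @loader_path or @rpath (the injected references), and reports whether an LC_CODE_SIGNATURE is still present. The sample binary it runs on by default is constructed inline; the dylib name ios_hook.dylib is taken from the commands above, while the system library paths, version numbers and offsets in the sample are assumptions. Pass a real binary as the first argument to inspect it instead.

```python
#!/usr/bin/env python3
"""Added example: walk the load commands of a 64-bit Mach-O and report the
dylib references and whether LC_CODE_SIGNATURE is still present.
Not part of the original post; the sample binary below is constructed."""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
MH_MAGIC = 0xFEEDFACE             # 32-bit, not handled here
FAT_MAGIC = 0xCAFEBABE            # universal (fat) binary, not handled here
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_CODE_SIGNATURE = 0x1D
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)
INJECTED_PREFIXES = ("@executable_path/", "@loader_path/", "@rpath/")


def load_commands(data):
    """Yield (cmd, raw_bytes) for each load command following the header."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        kind = {MH_MAGIC: "32-bit", FAT_MAGIC: "fat/universal"}.get(magic, "unknown")
        raise ValueError(f"unsupported Mach-O ({kind}); only LE 64-bit is handled")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_SIZE + sizeofcmds:
            raise ValueError(f"malformed load command at offset {off}")
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def dylib_name(raw):
    """A dylib_command stores the path as an lc_str: its offset sits at byte 8."""
    name_off, = struct.unpack_from("<I", raw, 8)
    return raw[name_off:].split(b"\0", 1)[0].decode()


def inspect(data):
    """Return the dylib references, the injected ones, and the signature state."""
    report = {"dylibs": [], "injected": [], "code_signature": False}
    for cmd, raw in load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name = dylib_name(raw)
            report["dylibs"].append(name)
            if name.startswith(INJECTED_PREFIXES):
                report["injected"].append(name)
        elif cmd == LC_CODE_SIGNATURE:
            report["code_signature"] = True
    return report


# --- constructed sample so the script runs offline (assumed values) --------
def _dylib_cmd(cmd, name):
    """Build a dylib_command: 24-byte header + NUL-terminated path, 8-byte aligned."""
    name_bytes = name.encode() + b"\0"
    size = 24 + len(name_bytes)
    size += (-size) % 8
    head = struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000)
    return head + name_bytes.ljust(size - 24, b"\0")


def build_sample(injected=True, with_signature=True):
    """An arm64 MH_EXECUTE header with two system dylibs, optionally the injected
    hook dylib and an LC_CODE_SIGNATURE (data offset/size are made up)."""
    cmds = [_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
            _dylib_cmd(LC_LOAD_DYLIB, "/System/Library/Frameworks/UIKit.framework/UIKit")]
    if injected:
        cmds.append(_dylib_cmd(LC_LOAD_DYLIB, "@executable_path/ios_hook.dylib"))
    if with_signature:
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x200))
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = inspect(blob)
    for path in result["dylibs"]:
        print(("injected  " if path in result["injected"] else "          ") + path)
    print("LC_CODE_SIGNATURE present:", result["code_signature"])
```

If the injected reference is missing from the list, install_name_tool / insert_dylib did not record it and the app will behave exactly as described above: the dylib is never loaded. If LC_CODE_SIGNATURE is absent after insert_dylib stripped it, the codesign -f step restores it.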

Figure: contents of the dylib

Step 4: re-sign

After completing the steps above, first re-sign the modified binary, the hook dylib and the CydiaSubstrate dylib, that is, sign them with the identity iPhone Developer: 694708086@qq.com (T4M3JZDL2).

Then use xcrun to package the .app into an ipa, and re-sign the ipa with a tool such as iResign or sigh resign before installing it on the device.

Re-signing needs the entitlements file entitlements.plist.

You can use ldid -e <binary> to dump the entitlements of a binary and generate the entitlements file from them.
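Before the final codesign with --entitlements, it is worth checking that the entitlements file actually matches the identity you sign with: the application-identifier is normally the team ID followed by the bundle identifier, the team-identifier must be that same team, and keychain-access-groups must carry the same prefix, otherwise the re-signed app fails to install or launch. The script below is an added example and not part of the original post. It parses an entitlements plist of the shape ldid -e and Xcode produce and returns the mismatches. The sample plist is constructed: the team ID T4M3JZDL2 is the one from the signing identity above, while the bundle identifier com.example.hookdemo is made up.

```python
#!/usr/bin/env python3
"""Added example: sanity-check entitlements.plist against the team ID of the
signing identity before re-signing. Not part of the original post; the sample
plist and bundle identifier are constructed."""
import plistlib
import sys

# Constructed sample. Team ID from the post's signing identity; bundle ID made up.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>T4M3JZDL2.com.example.hookdemo</string>
  <key>com.apple.developer.team-identifier</key>
  <string>T4M3JZDL2</string>
  <key>get-task-allow</key>
  <true/>
  <key>keychain-access-groups</key>
  <array>
    <string>T4M3JZDL2.com.example.hookdemo</string>
  </array>
</dict>
</plist>
"""


def check_entitlements(plist_bytes, team_id, bundle_id):
    """Return a list of problems; an empty list means the entitlements are
    consistent with signing as `team_id` for the app `bundle_id`."""
    ent = plistlib.loads(plist_bytes)
    problems = []

    # application-identifier = <team prefix>.<bundle id>
    expected_app_id = f"{team_id}.{bundle_id}"
    app_id = ent.get("application-identifier")
    if app_id != expected_app_id:
        problems.append(f"application-identifier is {app_id!r}, expected {expected_app_id!r}")

    # the team-identifier must be the team of the signing certificate
    if ent.get("com.apple.developer.team-identifier") != team_id:
        problems.append("com.apple.developer.team-identifier does not match the signing team")

    # keychain groups are also team-prefixed; a foreign prefix means a copied plist
    for group in ent.get("keychain-access-groups", []):
        if not group.startswith(team_id + "."):
            problems.append(f"keychain-access-group {group!r} belongs to another team")
    return problems


def is_development_build(plist_bytes):
    """get-task-allow is what makes a development-signed app debuggable."""
    return bool(plistlib.loads(plist_bytes).get("get-task-allow", False))


if __name__ == "__main__":
    # usage: check_entitlements.py [entitlements.plist] TEAMID BUNDLEID
    if len(sys.argv) == 4:
        data = open(sys.argv[1], "rb").read()
        team, bundle = sys.argv[2], sys.argv[3]
    else:
        data, team, bundle = SAMPLE_ENTITLEMENTS, "T4M3JZDL2", "com.example.hookdemo"
    for problem in check_entitlements(data, team, bundle) or ["entitlements OK"]:
        print(problem)
    print("development build (get-task-allow):", is_development_build(data))
```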

Third: the differences

theos vs. iosOpenDev

Aspect           theos                     iosOpenDev                     Remarks
Origin           jailbreak developers      Apple                          theos was developed by third parties; iosOpenDev is supported by Apple's official Xcode
UI               none                      Xcode                          theos has no UI and is not developed in a graphical interface; iosOpenDev's development interface is Xcode
Version support  SDKs below iOS 9.3 only   all                            both can call SDKs below iOS 9.3; theos only supports SDKs below 9.3, and its author has not updated the tool
Hook language    Logos Tweak               Logos Tweak, CaptainHookTweak

insert_dylib vs. optool vs. yololib

Aspect                    insert_dylib     optool           yololib       Remarks
Supported architectures   64 and 32 bit    64 and 32 bit    64 bit only

Fourth: summary

This method can only hook the app's own process; it cannot hook system-level processes.

Because of the sandbox mechanism on a non-jailbroken device, an app can only access its own data and cannot access other apps' data; access to system data (photo album, location, etc.) also requires the user's permission, let alone hooking a system-level process.

There is, of course, one technique that bypasses the sandbox mechanism without a jailbreak: http://chuansong.me/n/2248208.

For example, that person uninstalls another app from one app without jailbreaking, and one app obtains the file contents of another app. However, this vulnerability technique has not been made public and exists only within a jailbreak team. Moreover, even this technique failed to hook system-level processes.

In theory, system-level hooking could be done without a jailbreak, but it is quite difficult (put another way, if such vulnerabilities and techniques usable without a jailbreak existed, why would jailbreak teams bother to jailbreak at all?).