My own attempt at the recently popular Mach-O LC_LOAD_DYLIB hook


#16

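Same OS version as the OP. In a jailbroken environment it worked with no crash, but in a non-jailbroken environment installation failed: mobiledevice install_app reports the error !AMDeviceSecureInstallApplication, and iTunes can't install it either.
I checked, and it does not depend on mobilesubstrate.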


#17

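I tried on a non-jailbroken device with an enterprise certificate. After signing, it installed successfully, but it crashes on launch, and I don't know why...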


#18

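When creating an App ID with a personal certificate, I am told that “com.tencent.xin” cannot be created.
So there is no way to modify embedded.mobileprovision. How can this be solved?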
There were errors in the data supplied. Please correct and re-submit.
An App ID with Identifier ‘com.tencent.xin’ is not available. Please enter a different string.


#19

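Following 狗神's method of injecting a dylib into a root app, I injected into the 8.1.1 version of NZT. The dylib just prints the log ========run_cmd begin: …===========, and that log does get printed, but NZT crashed. Does anyone know what is going on?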

May 20 11:12:35 iPhone SpringBoard[56] : Can’t find any path
May 20 11:12:35 iPhone SpringBoard[56] : themedPath:/var/mobile/Media/PandaHome/res/ShortcutIcon.bundle/res/icon/ghost_green_48@2x.png
May 20 11:12:35 iPhone SpringBoard[56] : END
May 20 11:12:35 iPhone SpringBoard[56] : CGImageSourceCreateWithFile [end]:<CGImageSource 0x17036a740 [0x195106c80]>
May 20 11:12:35 iPhone NZT[605] : ========run_cmd begin: …===========
May 20 11:12:35 iPhone NZT[605] : NZT(605,0x331649dc) malloc: *** error for object 0x6c83e1: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
May 20 11:12:35 iPhone ReportCrash[607] : MS:Notice: Injecting: (null) [ReportCrash] (1141.16)
May 20 11:12:35 iPhone ReportCrash[607] : MS:Error: binary does not support this cpu type
May 20 11:12:35 iPhone ReportCrash[607] : MS:Error: failure to check PHNetWorkOpt.dylib
May 20 11:12:35 iPhone ReportCrash[607] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SBPandaHome.dylib
May 20 11:12:35 iPhone ReportCrash[607] : PandaHomeInitialize
May 20 11:12:35 iPhone ReportCrash[607] : MS:Warning: message not found [_UIAssetManager imageNamed:scale:idiom:subtype:cachingOptions:]
May 20 11:12:35 iPhone ReportCrash[607] : identifier (null)
May 20 11:12:35 iPhone ReportCrash[607] : folderBackground: (null)
May 20 11:12:35 iPhone ReportCrash[607] : reload
May 20 11:12:35 iPhone ReportCrash[607] : newversion
May 20 11:12:35 iPhone ReportCrash[607] : themes:(
)
May 20 11:12:35 iPhone ReportCrash[607] : themeInfoPlist: {
}
May 20 11:12:35 iPhone ReportCrash[607] : isIOS5
May 20 11:12:35 iPhone ReportCrash[607] : InitSafariWeb
May 20 11:12:35 iPhone ReportCrash[607] : UIKit had loaded.
May 20 11:12:35 iPhone ReportCrash[607] : _UIImageWithName:0x1884f9064
May 20 11:12:35 iPhone ReportCrash[607] : UIKit has end Load
May 20 11:12:35 iPhone ReportCrash[607] : _Z24GetFileNameForThisActionmPcRb: 0x0
May 20 11:12:35 iPhone ReportCrash[607] : _Z24GetFileNameForThisActionmPcmRb: 0x0
May 20 11:12:35 iPhone ReportCrash[607] : _Z24GetFileNameForThisActionjPcjRb: 0x1833162e4
May 20 11:12:35 iPhone ReportCrash[607] : ImageIO end
May 20 11:12:35 iPhone ReportCrash[607] : CPBitmapCreateImagesFromPath: 0x189c18a34
May 20 11:12:35 iPhone ReportCrash[607] : open sound library end
May 20 11:12:35 iPhone ReportCrash[607] : MS:Warning: nil class argument for selector imageNamed:
May 20 11:12:35 iPhone ReportCrash[607] : MS:Warning: nil class argument for selector initWithName:inBundle:
May 20 11:12:35 iPhone ReportCrash[607] : getTheme,FILE:(
“SMSBackground.png”,
“SMSBackground.jpg”,
“SMSBackground@2x.png”,
“SMSBackground@2x.jpg”,
“SMSBackground-568h@2x.png”,
“SMSBackground-375w-667h@2x.png”,
“SMSBackground-414w-736h@3x.png”
)
May 20 11:12:35 iPhone ReportCrash[607] : path: (null)
May 20 11:12:35 iPhone ReportCrash[607] : init finish
May 20 11:12:35 iPhone ReportCrash[607] : initWith
May 20 11:12:35 iPhone ReportCrash[607] : services
May 20 11:12:35 iPhone ReportCrash[607] : task_set_exception_ports(B07, 400, 1503, 0, 0) failed with error (4: (os/kern) invalid argument)
May 20 11:12:35 iPhone ReportCrash[607] : ReportCrash acting against PID 605
May 20 11:12:36 iPhone ReportCrash[607] : Formulating crash report for process NZT[605]
May 20 11:12:36 iPhone com.apple.xpc.launchd[1] (UIKitApplication:NZT[0xf60b][605]) : Service exited due to signal: Abort trap: 6
May 20 11:12:36 iPhone ReportCrash[607] : Saved report to /Library/Logs/CrashReporter/NZT_2016-05-20-111235_iPhone.ips
May 20 11:12:36 iPhone SpringBoard[56] : Application ‘UIKitApplication:NZT[0xf60b]’ crashed.
May 20 11:12:36 iPhone SpringBoard[56] : NSBundle$localizedStringForKey$value$table
May 20 11:12:36 iPhone SpringBoard[56] : WB:Debug:[NSBundle(com.apple.springboard) localizedStringForKey:“SEARCH_BAR_PLACEHOLDER_LOCAL_ONLY” value:"" table:“SpringBoard”] (zh)


#20

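It looks like a wild pointer, but if I put its original NZT executable back in, it runs normally again. Can someone help analyze what is going on?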
NZT(605,0x331649dc) malloc: *** error for object 0x6c83e1: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug


#21

I followed the method in this post:
http://bbs.iosre.com/t/■■■■■■■■-hook-root-app/440


#22

Did you find a solution? I recently ran into the same problem.


#23

No... nobody is paying attention or answering.


#24

@zoumadeng Can you tell me how you wrote your dylib? I am debugging too, but mine does not produce any log.


#25

Hi, with theos I only got a deb file; there is no dylib under the obj folder. Why is that?


#26

The new version does not have one. You can extract it with the command dpkg -X *.deb ./


#27

Yeah, I just found that out. I am looking for a way to extract it.


#28

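This thread is about to sink... I see quite a few people running into this problem, but hardly anyone answers. Did I not explain it clearly, or does nobody like to talk?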


#29

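I am on iOS 9.0.2. After decrypting the binary, I used the same injection method and it works. WeChat can also be debugged with lldb, so there should be no self-check!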


#30

Could you help try this app of mine?
Dylib for injecting into a root app


#31

I tried it on an 8.x system.


#32

It is a root app, mind you.


#33

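I am not sure what a root app is. This is just a deb file; once it is extracted and installed, it is a dynamic library file. And then you inject a dynamic library file into it?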


#34

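That SpringBoard is a root app I can understand; it already has an armv7 or armv64 executable. But what you gave me is a dylib. Injecting a dynamic library into a dynamic library, as I will call it for now, is something I have never tried. You could ask the other experts.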


#35

I cracked ALS; nzt is hard to crack.