Using cycript on a non-jailbroken iPhone

kabiroberai/theos-jailed

1). Install Theos - Installation · theos/theos Wiki

sudo git clone --recursive https://github.com/theos/theos.git /opt/theos

# append these two exports to ~/.zshrc, then reload the shell config
export THEOS=/opt/theos
export PATH=$PATH:$THEOS/bin

source ~/.zshrc
➜  ~ cd /opt
➜  /opt ls -l
total 0
drwxr-xr-x  12 root  wheel  408 Nov  1 17:19 MonkeyDev
drwxr-xr-x  12 root  wheel  408 Dec 20  2016 chefdk
drwxr-xr-x  22 root  wheel  748 Nov  6 11:29 theos
drwxr-xr-x   4 root  wheel  136 Dec 20  2016 vagrant
➜  /opt sudo chown -R $(id -u):$(id -g) theos
➜  /opt ls -l
total 0
drwxr-xr-x  12 root  wheel  408 Nov  1 17:19 MonkeyDev
drwxr-xr-x  12 root  wheel  408 Dec 20  2016 chefdk
drwxr-xr-x  22 its   staff  748 Nov  6 11:29 theos
drwxr-xr-x   4 root  wheel  136 Dec 20  2016 vagrant

NIN: You need to change the permissions, otherwise installing kabiroberai/theos-jailed will fail with an error.

2). Install kabiroberai/theos-jailed - Installation · kabiroberai/theos-jailed Wiki

Usage

$ mkdir nino-demo
$ cd nino-demo
$ nic.pl -t iphone/jailed   # or run nic.pl and choose [7.] iphone/jailed

It will then print instructions similar to the ones below. Follow them and the app should be installed for you.

=================
= Prerequisites =
=================
1. Patience and luck
2. Xcode and the iOS SDK
3. A .ipa file that's already been decrypted using Clutch
   Note: Encrypted apps WILL NOT work. Don't bother trying. Use Clutch.

=====================================
= Creating the provisioning profile =
=====================================
Note: This only needs to be done once per app. You can skip this step
      if you have a wildcard profile.
1. Open up Xcode, and create a new project
2. Select iOS, followed by Single View Application, and then Next
3. For Product Name use kab-theos
4. For Organization Identifier use ID-32BDA28E.com.yourcompany
5. Click Next, and then choose a location to save the project. Uncheck
   Create Git repository before clicking Create
6. Plug in your device, and change Generic iOS Device in the toolbar to your
   device's name. Ignore any warnings, we'll fix them later
7. Set Deployment Target in Deployment Info to your device's version
8. Under Signing, change Team to your Apple ID
    Note: Select Add an Account if you don't see your Apple ID.
9. Click Fix Issue if it says No matching provisioning profiles found

====================================
= Install the provisioning profile =
====================================
1. Press the Run button in Xcode's toolbar to install the temporary app
   onto your device.
2. Delete the temporary app from your device once it loads.
3. Quit Xcode.
Note: This only needs to be done once per app.

=========================================
= Installing the tweak using ios-deploy =
=========================================
1. Run make package install PROFILE=ID-32BDA28E.com.yourcompany.kab-theos
   Note: If you omit the PROFILE=… part, the script will try to use
         Xcode's iOS Wildcard App ID. This will only work if you are enrolled
         in the Apple Developer Program.
2. If you get an error during installation, use the following method:

====================================
= Installing the tweak using Xcode =
====================================
1. In Xcode goto Window / Devices
2. Under Installed Apps click the + button
3. Choose the patched .ipa file and cross your fingers
4. The patched app should appear on your device
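The prerequisite that the .ipa must already be decrypted can be checked before running make: the app binary's LC_ENCRYPTION_INFO load command carries a cryptid that is 1 while FairPlay encryption is still in place and 0 once the app has been dumped. The parser below is an added example, not code from this post or from theos-jailed; it unwraps the FAT arm/arm64 container that theos-jailed reports in its output and runs on a constructed sample binary instead of a real app.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE                        # FAT header and fat_arch table are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C


def cryptid_of_thin(img: bytes):
    """cryptid of one thin image: 1 = FairPlay-encrypted, 0 = decrypted, None = no LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", img, 0)[0]   # iOS ARM images are little-endian
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image: %#x" % magic)
    ncmds = struct.unpack_from("<I", img, 16)[0]
    off = 32 if magic == MH_MAGIC_64 else 28      # sizeof(mach_header_64) / sizeof(mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", img, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<I", img, off + 16)[0]  # cmd, cmdsize, cryptoff, cryptsize, cryptid
        off += cmdsize
    return None


def cryptids(blob: bytes) -> dict:
    """{cputype: cryptid} for every architecture slice, unwrapping a FAT container if present."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return {struct.unpack_from("<i", blob, 4)[0]: cryptid_of_thin(blob)}
    nfat = struct.unpack_from(">I", blob, 4)[0]
    result = {}
    for i in range(nfat):                         # 20-byte fat_arch entries follow the 8-byte header
        cputype, _, off, size, _ = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
        result[cputype] = cryptid_of_thin(blob[off:off + size])
    return result


def is_decrypted(blob: bytes) -> bool:
    """True only if no slice is still FairPlay-encrypted; theos-jailed needs this."""
    return all(c in (0, None) for c in cryptids(blob).values())


def _thin(cputype: int, cryptid: int) -> bytes:
    """Constructed, non-loadable Mach-O whose single load command is LC_ENCRYPTION_INFO(_64)."""
    if cputype == CPU_TYPE_ARM64:
        lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        return struct.pack("<Ii6I", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0) + lc
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    return struct.pack("<Ii5I", MH_MAGIC, cputype, 0, 2, 1, len(lc), 0) + lc


_ARM, _ARM64 = _thin(CPU_TYPE_ARM, 1), _thin(CPU_TYPE_ARM64, 0)   # constructed sample slices
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)                      # FAT: encrypted arm + decrypted arm64
              + struct.pack(">iiIII", CPU_TYPE_ARM, 0, 48, len(_ARM), 0)
              + struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 48 + len(_ARM), len(_ARM64), 0) + _ARM + _ARM64)
```

For a real app, pass it the bytes of the main executable unzipped from Payload/<App>.app; on macOS `otool -l <binary> | grep -A4 LC_ENCRYPTION_INFO` shows the same cryptid field.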

cycript port

Now it is time to play with cycript.

$ ./cycript -r 192.168.1.103:31337

AloneMonkey

Ref: No jailbreak required, automatic integration, only a decrypted app needed - MonkeyDev | AloneMonkey

Troubleshooting

If you run into the following error, see Ref: Q&A - Two

NIN: Both of them need to be added.

packing...
Print: Entry, "CFBundleDisplayName", Does Not Exist
Print: Entry, "CFBundleURLTypes", Does Not Exist
cp: /Users/its/Library/Developer/Xcode/DerivedData/MonkeyApp-bgafwwmapknrprbeuryrgvngmwdi/Build/Products/Debug-iphoneos/libMonkeyAppDylib.dylib: No such file or directory
Found FAT Header
Found thin header...
Found thin header...
Inserting a LC_LOAD_DYLIB command for architecture: arm
Successfully inserted a LC_LOAD_DYLIB command for arm
Inserting a LC_LOAD_DYLIB command for architecture: arm64
Successfully inserted a LC_LOAD_DYLIB command for arm64
Writing executable to /Users/its/Library/Developer/Xcode/DerivedData/MonkeyApp-bgafwwmapknrprbeuryrgvngmwdi/Build/Products/Debug-iphoneos/MonkeyApp.app/TargetApp...
Found FAT Header
Found thin header...
Found thin header...
unrestricting for architecture arm...
Found no restrict section to remove
Command /bin/sh emitted errors but did not return a nonzero exit code to indicate failure
dyld: Library not loaded: @executable_path/Frameworks/libMonkeyAppDylib.dylib
  Referenced from: /var/mobile/Containers/Bundle/Application/16F87852-C381-4D63-A1C1-8CC5E65CCFA8/MonkeyApp.app/TargetApp
  Reason: image not found
(lldb) 

If the build still fails after adding them, it is most likely a problem with the THEOS install path.

Ref: Issue #18

cycript port

$ ./cycript -r 192.168.1.103:31337

The project below can also inject frida, cycript and reveal.framework, but I was unable to inject them successfully; a ticket has been raised and is pending.

BishopFox/theos-jailed

BishopFox/theos-jailed: A version of Theos/CydiaSubstrate for non-jailbroken iOS devices

NIN: No 64-bit support.

git clone https://github.com/BishopFox/theos-jailed.git bishopfox-theos-jailed

➜  bishop /Users/its/Project/tools/iOS/bishopfox-theos-jailed/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/application
  [2.] iphone/library
  [3.] iphone/preference_bundle
  [4.] iphone/tool
  [5.] iphone/tweak
Choose a Template (required): 5
Project Name (required): bishop-test
Package Name [com.yourcompany.bishop-test]: com.its.bishop
Author/Maintainer Name [its]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in bishoptest/...
Done.

clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7
ld: library not found for -ldylib1.o
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [obj/bishoptest.dylib.268bdb65.unsigned] Error 1
make[1]: *** [internal-library-all_] Error 2
make: *** [bishoptest.all.tweak.variables] Error 2

Ref: Rethinking & Repackaging iOS Apps: Part 2 - Bishop Fox
