1). Install Theos - Installation · theos/theos Wiki

sudo git clone --recursive https://github.com/theos/theos.git /opt/theos
export THEOS=/opt/theos
export PATH=$PATH:$THEOS/bin
source ~/.zshrc

➜ ~ cd /opt
➜ /opt ls -l
total 0
drwxr-xr-x 12 root wheel 408 Nov 1 17:19 MonkeyDev
drwxr-xr-x 12 root wheel 408 Dec 20 2016 chefdk
drwxr-xr-x 22 root wheel 748 Nov 6 11:29 theos
drwxr-xr-x 4 root wheel 136 Dec 20 2016 vagrant
➜ /opt sudo chown -R $(id -u):$(id -g) theos
➜ /opt ls -l
total 0
drwxr-xr-x 12 root wheel 408 Nov 1 17:19 MonkeyDev
drwxr-xr-x 12 root wheel 408 Dec 20 2016 chefdk
drwxr-xr-x 22 its staff 748 Nov 6 11:29 theos
drwxr-xr-x 4 root wheel 136 Dec 20 2016 vagrant

NIN: The ownership change is required: /opt/theos is root-owned after the sudo clone, and installing kabiroberai/theos-jailed (which writes into $THEOS) fails otherwise.
2). Install kabiroberai/theos-jailed - Installation · kabiroberai/theos-jailed Wiki
$ mkdir nino-demo
$ cd nino-demo
$ nic.pl -t iphone/jailed    # or run nic.pl interactively and choose [7.] iphone/jailed

It then prints instructions similar to the ones below. Follow them through and the patched app should end up installed on your device.

=================
= Prerequisites =
=================
1. Patience and luck
2. Xcode and the iOS SDK
3. A .ipa file that's already been decrypted using Clutch
Note: Encrypted apps WILL NOT work. Don't bother trying. Use Clutch.

=====================================
= Creating the provisioning profile =
=====================================
Note: This only needs to be done once per app. You can skip this step if you have a wildcard profile.
1. Open up Xcode, and create a new project
2. Select iOS, followed by Single View Application, and then Next
3. For Product Name use kab-theos
4. For Organization Identifier use ID-32BDA28E.com.yourcompany
5. Click Next, and then choose a location to save the project. Uncheck Create Git repository before clicking Create
6. Plug in your device, and change Generic iOS Device in the toolbar to your device's name. Ignore any warnings, we'll fix them later
7. Set Deployment Target in Deployment Info to your device's version
8. Under Signing, change Team to your Apple ID
Note: Select Add an Account if you don't see your Apple ID.
9. Click Fix Issue if it says No matching provisioning profiles found

====================================
= Install the provisioning profile =
====================================
1. Press the Run button in Xcode's toolbar to install the temporary app onto your device.
2. Delete the temporary app from your device once it loads.
3. Quit Xcode.
Note: This only needs to be done once per app.

=========================================
= Installing the tweak using ios-deploy =
=========================================
1. Run make package install PROFILE=ID-32BDA28E.com.yourcompany.kab-theos
Note: If you omit the PROFILE=… part, the script will try to use Xcode's iOS Wildcard App ID. This will only work if you are enrolled in the Apple Developer Program.
2. If you get an error during installation, use the following method:

====================================
= Installing the tweak using Xcode =
====================================
1. In Xcode go to Window / Devices
2. Under Installed Apps click the + button
3. Choose the patched .ipa file and cross your fingers
4. The patched app should appear on your device
Now it is time to play with cycript. The -r flag attaches to the cycript server injected into the app, which is listening on the device's address and port (here 192.168.1.103:31337):
$ ./cycript -r 192.168.1.103:31337
If you run into the following error, see Ref: Q&A - Two.
packing...
Print: Entry, "CFBundleDisplayName", Does Not Exist
Print: Entry, "CFBundleURLTypes", Does Not Exist
cp: /Users/its/Library/Developer/Xcode/DerivedData/MonkeyApp-bgafwwmapknrprbeuryrgvngmwdi/Build/Products/Debug-iphoneos/libMonkeyAppDylib.dylib: No such file or directory
Found FAT Header
Found thin header...
Found thin header...
Inserting a LC_LOAD_DYLIB command for architecture: arm
Successfully inserted a LC_LOAD_DYLIB command for arm
Inserting a LC_LOAD_DYLIB command for architecture: arm64
Successfully inserted a LC_LOAD_DYLIB command for arm64
Writing executable to /Users/its/Library/Developer/Xcode/DerivedData/MonkeyApp-bgafwwmapknrprbeuryrgvngmwdi/Build/Products/Debug-iphoneos/MonkeyApp.app/TargetApp...
Found FAT Header
Found thin header...
Found thin header...
unrestricting for architecture arm...
Found no restrict section to remove
Command /bin/sh emitted errors but did not return a nonzero exit code to indicate failure

dyld: Library not loaded: @executable_path/Frameworks/libMonkeyAppDylib.dylib
  Referenced from: /var/mobile/Containers/Bundle/Application/16F87852-C381-4D63-A1C1-8CC5E65CCFA8/MonkeyApp.app/TargetApp
  Reason: image not found
(lldb)
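The two log excerpts above describe exactly what can be checked offline before blaming the toolchain: the packer says it inserted an LC_LOAD_DYLIB into both the arm and arm64 slices, while dyld says the referenced file is not present under @executable_path/Frameworks/. The prerequisite from the theos-jailed instructions (the IPA must be decrypted) is visible in the same headers, as the cryptid field of LC_ENCRYPTION_INFO. The script below is an added example, not code from this post, MonkeyDev or theos-jailed; it walks fat and thin Mach-O headers with struct so it needs no otool, and it runs on constructed synthetic binaries that stand in for TargetApp. The dylib name, the UIKit path and the simulated bundle contents are assumptions.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE            # fat header, always stored big-endian
MH_MAGIC = 0xFEEDFACE             # 32-bit thin header, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0x0C
CPU_TYPE_ARM64 = 0x0100000C
ARCH_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def _slices(data):
    """Yield (offset, size) of every thin slice; a thin file yields itself."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            entry = data[8 + 20 * i:28 + 20 * i]        # struct fat_arch
            _cputype, _sub, offset, size, _align = struct.unpack(">iiIII", entry)
            yield offset, size
    else:
        yield 0, len(data)


def inspect_slice(data):
    """Walk one slice's load commands: report arch, cryptid and LC_LOAD_DYLIB names."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC_64:
        hdr_fmt = "<IiiIIIII"      # mach_header_64: trailing reserved field
    elif magic == MH_MAGIC:
        hdr_fmt = "<IiiIIII"       # mach_header
    else:
        raise ValueError("unexpected magic 0x%08x" % magic)
    hdr_size = struct.calcsize(hdr_fmt)
    fields = struct.unpack(hdr_fmt, data[:hdr_size])
    cputype, ncmds = fields[1], fields[4]
    info = {"arch": ARCH_NAMES.get(cputype, hex(cputype)), "cryptid": None, "dylibs": []}
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptid 0 means __TEXT is not FairPlay-encrypted, i.e. the IPA was decrypted
            info["cryptid"] = struct.unpack("<III", data[off + 8:off + 20])[2]
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack("<I", data[off + 8:off + 12])[0]
            raw = data[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(raw.decode())
        off += cmdsize
    return info


def audit_app(executable, bundle_files):
    """Per arch: was the slice decrypted, and does every @executable_path dylib exist?

    bundle_files simulates the .app contents as paths relative to the main executable
    (e.g. {"Frameworks/libMonkeyAppDylib.dylib"}), so the check runs without a device.
    """
    report, prefix = {}, "@executable_path/"
    for offset, size in _slices(executable):
        info = inspect_slice(executable[offset:offset + size])
        missing = [d for d in info["dylibs"]
                   if d.startswith(prefix) and d[len(prefix):] not in bundle_files]
        report[info["arch"]] = {
            "decrypted": None if info["cryptid"] is None else info["cryptid"] == 0,
            "dylibs": info["dylibs"],
            "missing": missing,
        }
    return report


# ---- constructed sample binaries (synthetic stand-ins for TargetApp, not a real app) ----

def _lc_load_dylib(name):
    s = name.encode() + b"\0"
    s += b"\0" * (-len(s) % 8)                 # keep cmdsize 8-byte aligned, as ld does
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s


def _lc_encryption_info(cryptid, is64):
    if is64:
        return struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)


def _thin(cputype, cmds):
    body = b"".join(cmds)
    if cputype == CPU_TYPE_ARM64:
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, len(cmds), len(body), 0, 0) + body
    return struct.pack("<IiiIIII", MH_MAGIC, cputype, 0, 2, len(cmds), len(body), 0) + body


def _fat(slices, align=0x4000):
    """Big-endian fat header with each slice on a 16 KiB boundary, like lipo produces."""
    entries, payload, offset = b"", b"", align
    for cputype, blob in slices:
        entries += struct.pack(">iiIII", cputype, 0, offset, len(blob), 14)
        padded = blob + b"\0" * (-len(blob) % align)
        payload += padded
        offset += len(padded)
    head = struct.pack(">II", FAT_MAGIC, len(slices)) + entries
    return head + b"\0" * (align - len(head)) + payload


INJECTED = "@executable_path/Frameworks/libMonkeyAppDylib.dylib"   # assumed injected dylib
UIKIT = "/System/Library/Frameworks/UIKit.framework/UIKit"


def sample_app(cryptid):
    """Fat arm + arm64 binary carrying the injected LC_LOAD_DYLIB the packer log reports."""
    cmds = lambda is64: [_lc_encryption_info(cryptid, is64), _lc_load_dylib(UIKIT), _lc_load_dylib(INJECTED)]
    return _fat([(CPU_TYPE_ARM, _thin(CPU_TYPE_ARM, cmds(False))),
                 (CPU_TYPE_ARM64, _thin(CPU_TYPE_ARM64, cmds(True)))])


if __name__ == "__main__":
    print(audit_app(sample_app(0), set()))                                  # dylib missing: the dyld error above
    print(audit_app(sample_app(0), {"Frameworks/libMonkeyAppDylib.dylib"}))  # dylib copied into Frameworks/
    print(audit_app(sample_app(1), set()))                                  # still encrypted: Clutch prerequisite unmet
```

On a real bundle, read Payload/*.app/<executable> into `executable` and build `bundle_files` by walking the .app directory; a non-empty "missing" list for any arch means the cp failure in the packer log left the dylib out of Frameworks/, which is the condition dyld reports, and "decrypted": False means the IPA was never decrypted and no amount of re-signing will help.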
If the build fails after adding it, the cause is most likely the THEOS install path.
Ref: Issue #18
$ ./cycript -r 192.168.1.103:31337
The project below can also inject frida, cycript and reveal.framework, but the author could not inject them successfully; a ticket has been raised and is still open.
NIN: No 64-bit support.
git clone https://github.com/BishopFox/theos-jailed.git bishopfox-theos-jailed

➜ bishop /Users/its/Project/tools/iOS/bishopfox-theos-jailed/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/application
[2.] iphone/library
[3.] iphone/preference_bundle
[4.] iphone/tool
[5.] iphone/tweak
Choose a Template (required): 5
Project Name (required): bishop-test
Package Name [com.yourcompany.bishop-test]: com.its.bishop
Author/Maintainer Name [its]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in bishoptest/...
Done.

clang: warning: libstdc++ is deprecated; move to libc++ with a minimum deployment target of iOS 7
ld: library not found for -ldylib1.o
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [obj/bishoptest.dylib.268bdb65.unsigned] Error 1
make: *** [internal-library-all_] Error 2
make: *** [bishoptest.all.tweak.variables] Error 2