iOS Reverse Engineering: Removing the Ads from OPlayer Lite

Posted by weixin_33968104 on 2018-08-06


I. Environment requirements:

1. iPod touch 6 running iOS 10.3.1 (already jailbroken)

2. Xcode with MonkeyDev installed

3. OPlayer Lite.ipa (obtained with PP Assistant on Windows) [optional]

II. Locating the ad with lldb

1. Install OPlayer Lite directly from the App Store. To make debugging easier, set the device language to English; the English label text is what we search for later.

2. Connect to the jailbroken device over ssh:

ssh root@172.20.134.8

3. Close the other apps on the device, ideally leaving only OPlayer Lite running. The following command lists the processes running on the device, filtered to the target:

iPod:~ root# ps aux | grep OPlayer
mobile    6593   3.6  6.5  1384832  66024   ??  Ss    5:27PM   0:20.84 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite
root      6607   0.0  0.0   624224      8 s000  R+    5:29PM   0:00.00 grep OPlayer

4. Decrypt ("dump") the app using either of the two methods from the tutorial "iOS10.3.1 砸殼之路" (decrypting apps on iOS 10.3.1); I won't repeat the details here.

Using the first (static) method, I got the following:

iPod:~ root# Clutch -i
Installed apps:
1:   快拍 - Snapchat <com.toyopagroup.picaboo>
2:   優酷視訊-世界盃賽事全程高清直播 <com.youku.YouKu>
3:   央視影音 <cn.vuclip.mobiletv>
4:   A4 Player <com.pd.A4Player>
5:   可可英語-英語聽力口語訓練神器 <com.kekenet.kkyy>
6:   VPN Plus Privacy Protector <vpn.free.proxy.FreeVPN-Plus>
7:   搜狐視訊-法醫秦明1、2兩季獨家連播 <com.sohu.iPhoneVideo>
8:   微博 <com.sina.weibo>
9:   騰訊視訊 <com.tencent.live4iphone>
10:  Shazam 音樂神搜 <com.shazam.Shazam>
11:  OPlayer Lite - media player <com.olimsoft.oplayer.lite>
12:  VPN - Super Unlimited Proxy <mobi.mobilejump.freevpn>
13:  天天快報 - 騰訊興趣閱讀平臺 <com.tencent.reading>
iPod:~ root# Clutch -d 11
Zipping OPlayer Lite.app
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <OPlayer WatchKit Extension> with arch arm64

2018-08-06 17:36:20.796 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.796 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
Error: Failed to dump <OPlayer WatchKit Extension>

2018-08-06 17:36:20.797 Clutch[6610:278690] failed operation :(
2018-08-06 17:36:20.797 Clutch[6610:278690] application <NSOperationQueue: 0x1004be080>{name = 'NSOperationQueue 0x1004be080'}
ASLR slide: 0x100020000
Dumping <OPlayer Lite> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping OPlayer WatchKit Extension.appex
FAILED: <OPlayer Lite bundleID: com.olimsoft.oplayer.lite>
Finished dumping com.olimsoft.oplayer.lite in 20.9 seconds

Unfortunately it failed (Clutch could not dump the WatchKit extension, as the log shows); look up the cause yourself...

So it is best to fall back to dynamic dumping. If any expert manages to get it working with Clutch, please message me!!!

5. Find where the ad view lives

iPod:~ root# cycript -p 6593          
cy# [[UIApp keyWindow] recursiveDescription].toString()

<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; autoresize = RM+BM; gestureRecognizers = <NSArray: 0x17024f540>; layer = <UIWindowLayer: 0x170229900>>
   | <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
   |    | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; autoresizesSubviews = NO; layer = <CALayer: 0x17042f420>>
   |    |    | <UIView: 0x10d405740; frame = (0 0; 320 568); layer = <CALayer: 0x17042f620>>
   |    |    |    | <PlayerView: 0x10d43d560; frame = (0 0; 320 568); layer = <CAEAGLLayer: 0x17042f680>>
   |    |    |    | <AVPlayerDemoPlaybackView: 0x10d400320; frame = (0 0; 320 568); layer = <AVPlayerLayer: 0x170633d20>>
   |    |    |    |    | <AVPlayerLayerIntermediateLayer: 0x1706344e0> (layer)
   |    |    |    |    |    | <FigVideoContainerLayer: 0x1704578b0> (layer)
   |    |    |    |    |    |    | <FigVideoLayer: 0x17065cf80> (layer)
   |    |    |    |    |    | <FigSubtitleCALayer: 0x170457c40> (layer)
   |    |    |    |    |    | <AVPlayerLayerIntermediateLayer: 0x170628300> (layer)
   |    |    | <SubtitleLabel: 0x1026f95d0; baseClass = UILabel; frame = (0 0; 320 40); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170291120>>
   |    |    | <UILabel: 0x10d4025d0; frame = (0 62; 320 20); text = 'IMG_4758.MOV'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170290360>>
   |    |    | <UILabel: 0x10d410650; frame = (0 52; 320 50); text = ''; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17029e6e0>>
   |    |    | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
   |    |    |    | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
   |    |    |    |    | <UIImageView: 0x10d435250; frame = (0 0; 320 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635e80>>
   |    |    |    | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
   |    |    | <RoundedRectView: 0x10265a540; frame = (0 0; 320 64); layer = <CALayer: 0x170429de0>>
   |    |    |    | <PlaySeekView: 0x10d40c050; frame = (39 22; 242 32); layer = <CALayer: 0x170427700>>
   |    |    |    |    | <UILabel: 0x10d452980; frame = (0 3; 60 25); text = '00:00:03'; userInteractionEnabled = NO; tag = 10000; layer = <_UILabelLayer: 0x170292110>>
   |    |    |    |    | <OBSlider: 0x10267c790; baseClass = UISlider; frame = (60 5; 118 22); opaque = NO; tag = 10002; layer = <CALayer: 0x170427000>; value: 3.000000>
   |    |    |    |    |    | <UIView: 0x10d42e1e0; frame = (39 7; 77 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c80>>
   |    |    |    |    |    |    | <UIImageView: 0x10d421cd0; frame = (-37 0; 114 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635cc0>>
   |    |    |    |    |    | <UIImageView: 0x10d429350; frame = (2 7; 37 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d20>>
   |    |    |    |    |    | <UIImageView: 0x102692290; frame = (24 -4; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635d80>>
   |    |    |    |    | <UILabel: 0x10d425830; frame = (178 3; 64 25); text = '-00:00:07'; userInteractionEnabled = NO; tag = 10001; layer = <_UILabelLayer: 0x17028d9d0>>
   |    |    |    | <UIButton: 0x10d404790; frame = (258 6; 58 50); opaque = NO; layer = <CALayer: 0x1704351c0>>
   |    |    |    | <UIButton: 0x10d4192a0; frame = (0 6; 58 54); opaque = NO; layer = <CALayer: 0x1704298a0>>
   |    |    |    | <UIButton: 0x10d420dc0; frame = (268 16; 48 44); opaque = NO; layer = <CALayer: 0x170426760>>
   |    |    |    |    | <UIImageView: 0x102770f80; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422c700>>
   |    |    |    | <UIButton: 0x10d424e50; frame = (4 16; 48 44); opaque = NO; layer = <CALayer: 0x170429c20>>
   |    |    |    |    | <UIImageView: 0x10d4b9eb0; frame = (2 7; 44 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635c40>>
   |    |    | <NewRoundedRectView: 0x10d4a96a0; frame = (-5 480; 330 90); layer = <CALayer: 0x17062cce0>>
   |    |    |    | <UIButton: 0x1026a2c40; frame = (34 4; 44 44); opaque = NO; layer = <CALayer: 0x170429780>>
   |    |    |    |    | <UIImageView: 0x10d4e0240; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635bc0>>
   |    |    |    | <UIButton: 0x10d42f130; frame = (86 4; 44 44); opaque = NO; layer = <CALayer: 0x170424520>>
   |    |    |    |    | <UIImageView: 0x10d4de1b0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635ae0>>
   |    |    |    | <UIButton: 0x10d404a60; frame = (138 4; 44 44); opaque = NO; layer = <CALayer: 0x170426040>>
   |    |    |    |    | <UIImageView: 0x10d4dc1d0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635a20>>
   |    |    |    | <UIButton: 0x10d416000; frame = (190 4; 44 44); opaque = NO; layer = <CALayer: 0x170427220>>
   |    |    |    |    | <UIImageView: 0x10d4d3830; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706359e0>>
   |    |    |    | <UIButton: 0x10d434c00; frame = (242 4; 44 44); opaque = NO; layer = <CALayer: 0x1704291c0>>
   |    |    |    |    | <UIImageView: 0x10d4d58c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635980>>
   |    |    |    | <MPVolumeView: 0x10d4c7520; frame = (20 56; 240 30); opaque = NO; layer = <CALayer: 0x170632ea0>>
   |    |    |    |    | <MPButton: 0x10d4c80b0; baseClass = UIButton; frame = (218.5 2; 21.5 18); opaque = NO; autoresize = LM+BM; layer = <CALayer: 0x170428480>>
   |    |    |    |    |    | <UIImageView: 0x10d4c83e0; frame = (-39.25 -41; 100 100); alpha = 0; opaque = NO; userInteractionEnabled = NO; tag = 1886548836; layer = <CALayer: 0x170631b00>>
   |    |    |    |    |    | <UIImageView: 0x10d4d1850; frame = (0 0; 21.5 18); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706358e0>>
   |    |    |    |    | <MPVolumeSlider: 0x10d4c7920; baseClass = UISlider; frame = (0 -5; 211.5 28); opaque = NO; autoresize = W+BM; layer = <CALayer: 0x17062b6c0>; value: 0.000000>
   |    |    |    |    |    | <UIView: 0x10d498720; frame = (2 10; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635460>>
   |    |    |    |    |    |    | <UIImageView: 0x10d425ac0; frame = (0 0; 207.5 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635560>>
   |    |    |    |    |    | <UIImageView: 0x10d4bc0f0; frame = (2 10; 0 8); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706355c0>>
   |    |    |    |    |    | <UIImageView: 0x10d4be180; frame = (-3 -1; 30 30); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170635620>>
   |    |    |    | <UIButton: 0x10d4a3210; frame = (276 40; 44 44); opaque = NO; layer = <CALayer: 0x170428180>>
   |    |    |    |    | <UIImageView: 0x1027764c0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422a9e0>>
   |    |    |    | <UIButton: 0x10d4a4cb0; frame = (276 40; 44 44); hidden = YES; opaque = NO; layer = <CALayer: 0x17042b500>>
   |    |    | <FloatingView: 0x10d4add90; frame = (45 124; 230 160); hidden = YES; layer = <CALayer: 0x170429300>>
   |    |    |    | <UIButton: 0x10d41c3a0; frame = (21 4; 50 50); opaque = NO; layer = <CALayer: 0x1704330c0>>
   |    |    |    |    | <UIImageView: 0x102700650; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17422aa80>>
   |    |    |    | <UIButton: 0x10d498e60; frame = (91 4; 50 50); opaque = NO; layer = <CALayer: 0x1704249a0>>
   |    |    |    |    | <UIImageView: 0x102779690; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17423cb20>>
   |    |    |    | <UIButton: 0x10d4ae9f0; frame = (91 56; 50 50); opaque = NO; layer = <CALayer: 0x170432e00>>
   |    |    |    |    | <UIImageView: 0x1027b2f20; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229f00>>
   |    |    |    | <UIButton: 0x10d4b0900; frame = (21 106; 50 50); opaque = NO; layer = <CALayer: 0x1704328e0>>
   |    |    |    |    | <UIImageView: 0x1026656e0; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634d20>>
   |    |    |    | <UIButton: 0x102738580; frame = (91 106; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x174223f40>>
   |    |    |    |    | <UIImageView: 0x10d497630; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634ba0>>
   |    |    |    | <UIButton: 0x10d4b2960; frame = (161 4; 50 50); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170425a80>>
   |    |    |    |    | <UIImageView: 0x10d43f260; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170429160>>
   |    |    |    | <UIButton: 0x10d4b49a0; frame = (161 106; 50 50); opaque = NO; layer = <CALayer: 0x170627b20>>
   |    |    |    |    | <UIImageView: 0x10d4b5500; frame = (0 0; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f880>>
   |    |    | <FloatingView: 0x10d4b67e0; frame = (-5 188; 62 192); layer = <CALayer: 0x170630ae0>>
   |    |    |    | <UIButton: 0x10d4b6d20; frame = (11 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170633160>>
   |    |    |    |    | <UIImageView: 0x10d436ff0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170633ce0>>
   |    |    |    | <UIButton: 0x10d4b7db0; frame = (11 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x17062e040>>
   |    |    |    |    | <UIImageView: 0x1026a9ad0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706337a0>>
   |    |    |    | <UIButton: 0x10d4ba170; frame = (11 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632760>>
   |    |    |    |    | <UIImageView: 0x10d402990; frame = (7 7; 30 30); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706344c0>>
   |    |    |    | <UIButton: 0x10d4bc3b0; frame = (11 144.8; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632c20>>
   |    |    |    |    | <UIImageView: 0x102797f20; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x174229de0>>
   |    |    | <FloatingView: 0x10d4b69a0; frame = (263 188; 62 192); layer = <CALayer: 0x170632880>>
   |    |    |    | <UIButton: 0x10d4be440; frame = (6 3.2; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170632be0>>
   |    |    |    |    | <UIImageView: 0x10d44d340; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062a280>>
   |    |    |    | <UIButton: 0x10d4c04b0; frame = (6 50.4; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x170629c00>>
   |    |    |    |    | <UIImageView: 0x10d434ed0; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632940>>
   |    |    |    | <UIButton: 0x10d4c2490; frame = (6 97.6; 44 44); opaque = NO; tintColor = UIExtendedGrayColorSpace 1 1; layer = <CALayer: 0x1702377c0>>
   |    |    |    |    | <UIImageView: 0x10264f740; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170634b00>>
   |    |    |    | <UIButton: 0x10d4c4090; frame = (6 144.8; 44 44); opaque = NO; tintColor = UIExtendedSRGBColorSpace 0.192157 0.760784 0.486275 1; layer = <CALayer: 0x17062e5a0>>
   |    |    |    |    | <UIImageView: 0x1026d5810; frame = (6.5 6.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f7c0>>
   |    |    | <UILabel: 0x10d4c6020; frame = (0 448; 320 30); text = ''; alpha = 0; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048ae10>>
   |    |    | <UILabel: 0x10d4c6b50; frame = (0 284; 320 100); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17048a780>>
   |    |    |    | <_UILabelContentLayer: 0x1706337c0> (layer)
   |    |    | <SingleHandRoundedRectView: 0x10d4d9d10; frame = (0 341; 227 227); hidden = YES; layer = <CALayer: 0x170432e80>>
   |    |    |    | <UIImageView: 0x10d4da0e0; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432de0>>
   |    |    |    | <UIButton: 0x10d4d5b80; frame = (80 165; 52 52); opaque = NO; layer = <CALayer: 0x170632dc0>>
   |    |    |    |    | <UIImageView: 0x10268c4f0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426d00>>
   |    |    |    | <UIButton: 0x10d4d1b10; frame = (150 160; 52 52); opaque = NO; layer = <CALayer: 0x17062c6a0>>
   |    |    |    |    | <UIImageView: 0x10d40f400; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062abc0>>
   |    |    |    | <UIButton: 0x10d4cfa80; frame = (105 75; 52 52); opaque = NO; layer = <CALayer: 0x17062b9a0>>
   |    |    |    |    | <UIImageView: 0x1026c59a0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432940>>
   |    |    |    | <UIButton: 0x10d4d3af0; frame = (20 25; 52 52); opaque = NO; layer = <CALayer: 0x170630e20>>
   |    |    |    |    | <UIImageView: 0x10d416a20; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706315a0>>
   |    |    |    | <UIButton: 0x10d4d7870; frame = (10 95; 52 52); opaque = NO; layer = <CALayer: 0x170433720>>
   |    |    |    |    | <UIImageView: 0x10d4a5d50; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170629d00>>
   |    |    |    | <UIButton: 0x10d4d9910; frame = (10 170; 52 52); opaque = NO; layer = <CALayer: 0x170633c00>>
   |    |    |    |    | <UIImageView: 0x10d403130; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706265c0>>
   |    |    | <SingleHandRoundedRectView: 0x10d4e4690; frame = (93 341; 227 227); hidden = YES; layer = <CALayer: 0x170630000>>
   |    |    |    | <UIImageView: 0x10d4e4860; frame = (0 0; 227 227); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1706273c0>>
   |    |    |    | <UIButton: 0x10d4e0500; frame = (100 165; 52 52); opaque = NO; layer = <CALayer: 0x170424ba0>>
   |    |    |    |    | <UIImageView: 0x10d4006c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632d60>>
   |    |    |    | <UIButton: 0x10d4dc490; frame = (25 160; 52 52); opaque = NO; layer = <CALayer: 0x170633100>>
   |    |    |    |    | <UIImageView: 0x102655f40; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170632360>>
   |    |    |    | <UIButton: 0x10d4da2d0; frame = (75 75; 52 52); opaque = NO; layer = <CALayer: 0x170633180>>
   |    |    |    |    | <UIImageView: 0x1026894c0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17062f220>>
   |    |    |    | <UIButton: 0x10d4de470; frame = (165 25; 52 52); opaque = NO; layer = <CALayer: 0x170433580>>
   |    |    |    |    | <UIImageView: 0x10266a930; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17042f800>>
   |    |    |    | <UIButton: 0x10d4e21f0; frame = (165 95; 52 52); opaque = NO; layer = <CALayer: 0x170433920>>
   |    |    |    |    | <UIImageView: 0x10d42adc0; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426c40>>
   |    |    |    | <UIButton: 0x10d4e4290; frame = (170 170; 52 52); opaque = NO; layer = <CALayer: 0x1704293e0>>
   |    |    |    |    | <UIImageView: 0x102663010; frame = (10.5 10.5; 31 31); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170426700>>
   |    |    | <UIButton: 0x10d4e4a50; frame = (260 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062eb20>>
   |    |    |    | <UIImageView: 0x10d41df50; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x170432820>>
   |    |    | <UIButton: 0x10d4e4d20; frame = (10 258; 52 52); hidden = YES; opaque = NO; layer = <CALayer: 0x17062cf60>>
   |    |    |    | <UIImageView: 0x1026f92a0; frame = (1 1; 50 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x1704270e0>>

Note that [[UIApp keyWindow] recursiveDescription].toString() prints every view on the current screen. The more attentive reader will have noticed that every time the playback screen appears there is a banner across the top reading "Buy the full version to remove ads?". So the simple approach is to search the dump for that text as a keyword to find the control, which gives:

<UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO;

Later, during lldb debugging, we can use this label as the reference point for our search.
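Searching a several-hundred-line recursiveDescription dump by eye is error-prone, so here is a small parser for that format which locates the label and reports its enclosing views. This is an added example written for this edit, not code from the original post; the sample input is a handful of lines copied from the dump above and trimmed to the ancestors of the ad label, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the recursiveDescription dump above,
# trimmed to the chain of views around the ad label so the example runs offline.
SAMPLE_DUMP = """\
<UIWindow: 0x102661a40; frame = (0 0; 320 568); opaque = NO; layer = <UIWindowLayer: 0x170229900>>
   | <UITransitionView: 0x10d4e6eb0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170634b40>>
   |    | <UIView: 0x10d43e5f0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x17042f420>>
   |    |    | <UILabel: 0x10d4025d0; frame = (0 62; 320 20); text = 'IMG_4758.MOV'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x170290360>>
   |    |    | <UIView: 0x1027b8070; frame = (0 0; 320 50); layer = <CALayer: 0x174229e20>>
   |    |    |    | <UIButton: 0x102734a50; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x174229dc0>>
   |    |    |    | <UILabel: 0x10271ed60; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x174283fc0>>
"""

# One dump line: optional "|" indentation, then "<Class: 0xaddr; attr = value; ...>".
LINE_RE = re.compile(r"^(?P<indent>[\s|]*)<(?P<cls>\w+): (?P<addr>0x[0-9a-fA-F]+)(?P<rest>.*)$")
FRAME_RE = re.compile(r"frame = \((-?[\d.]+) (-?[\d.]+); (-?[\d.]+) (-?[\d.]+)\)")
TEXT_RE = re.compile(r"text = '([^']*)'")


@dataclass
class View:
    depth: int                 # nesting level = number of "|" before the "<"
    cls: str
    addr: int
    frame: Optional[Tuple[float, float, float, float]]  # (x, y, width, height)
    text: Optional[str]        # only labels/buttons carry a text attribute
    hidden: bool


def parse_dump(dump: str) -> List[View]:
    """Parse recursiveDescription output into a flat, pre-order list of views."""
    views: List[View] = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a view line
        rest = m.group("rest")
        fm = FRAME_RE.search(rest)
        tm = TEXT_RE.search(rest)
        views.append(View(
            depth=m.group("indent").count("|"),
            cls=m.group("cls"),
            addr=int(m.group("addr"), 16),
            frame=tuple(float(v) for v in fm.groups()) if fm else None,
            text=tm.group(1) if tm else None,
            hidden="hidden = YES" in rest,
        ))
    return views


def find_views(views: List[View], text_contains: Optional[str] = None,
               cls: Optional[str] = None) -> List[View]:
    """Filter by class name and/or a substring of the view's text."""
    out = []
    for v in views:
        if cls is not None and v.cls != cls:
            continue
        if text_contains is not None and (v.text is None or text_contains not in v.text):
            continue
        out.append(v)
    return out


def ancestors(views: List[View], target: View) -> List[View]:
    """Enclosing views of `target`, nearest parent first, found by walking back
    through the pre-order list to each strictly shallower depth."""
    idx = next(i for i, v in enumerate(views) if v is target)
    chain, depth = [], target.depth
    for v in reversed(views[:idx]):
        if v.depth < depth:
            chain.append(v)
            depth = v.depth
            if depth == 0:
                break
    return chain


def locate_ad_label(dump: str, keyword: str = "Buy the full version"):
    """Return (address, class, frame, ancestor classes) for every view whose text
    contains the keyword; this is the search the post performs by hand."""
    views = parse_dump(dump)
    return [(hex(v.addr), v.cls, v.frame, [a.cls for a in ancestors(views, v)])
            for v in find_views(views, text_contains=keyword)]


if __name__ == "__main__":
    for hit in locate_ad_label(SAMPLE_DUMP):
        print(hit)
```

Run it against the full dump pasted from cycript and the ancestor chain tells you which container view (here the UIView at 0x1027b8070 holding a UIButton and the label) is the banner, which is more useful than the label alone when you later set breakpoints on addSubview:.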

6. Debug the app with debugserver and LLDB

debugserver *:1234 -a "OPlayer Lite"

7. Open a new terminal and connect LLDB to the app

lldb
process connect connect://172.20.128.176:1234

8. Next, look at the load offsets (ASLR slides) of the loaded images

image list -o -f
[  0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)

......

[  7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit

Using Hopper v4, find the (unslid) address of addSubview: inside the UIKit framework:
addSubview:0x0000000187775d24

From image list -o -f, read the load offset (slide) at which the UIKit module was mapped:
UIKit: 0x0000000000350000

Set the breakpoint at slide plus unslid address:

br s -a 0x0000000000350000+0x0000000187775d24
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<PlayerView: 0x1027f27d0; frame = (0 0; 568 320); layer = <CAEAGLLayer: 0x1704298c0>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIView: 0x1027f32a0; frame = (0 0; 568 320); layer = <CALayer: 0x17042dc40>>

......
......
......

(lldb) po $x2
<UILayoutContainerView: 0x1027700d0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x1702374e0>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UIButton: 0x10f23eb00; frame = (0 0; 320 50); opaque = NO; layer = <CALayer: 0x17042e180>>

(lldb) c
Process 432 resuming
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000187ac5d24 UIKit`-[UIView(Hierarchy) addSubview:]
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d24 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb) po $x2
<UILabel: 0x10f2009b0; frame = (60 0; 260 50); text = 'Buy the full version to r...'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x17028bc70>>

At this point we have found the relevant control. Next, use the ni command to single-step until execution returns from addSubview: to the call site in the target module.

(lldb) ni
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d28 UIKit`-[UIView(Hierarchy) addSubview:] + 4
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d28 <+4>:  stp    x22, x21, [sp, #0x10]
    0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d2c UIKit`-[UIView(Hierarchy) addSubview:] + 8
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d2c <+8>:  stp    x20, x19, [sp, #0x20]
    0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
    0x187ac5d38 <+20>: mov    x20, x0
Target 0: (OPlayer Lite) stopped.
(lldb)  
(lldb) 
error: invalid thread
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac5d30 UIKit`-[UIView(Hierarchy) addSubview:] + 12
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac5d30 <+12>: stp    x29, x30, [sp, #0x30]
    0x187ac5d34 <+16>: add    x29, sp, #0x30            ; =0x30 
    0x187ac5d38 <+20>: mov    x20, x0
    0x187ac5d3c <+24>: mov    x0, x2
Target 0: (OPlayer Lite) stopped.
(lldb)  
 
 ........
 
 
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0000000187ac6074 UIKit`-[UIView(Hierarchy) addSubview:] + 848
UIKit`-[UIView(Hierarchy) addSubview:]:
->  0x187ac6074 <+848>: b      0x180414250               ; objc_release

UIKit`-[UIView(Internal) _addSubview:positioned:relativeTo:]:
    0x187ac6078 <+0>:   stp    x28, x27, [sp, #-0x60]!
    0x187ac607c <+4>:   stp    x26, x25, [sp, #0x10]
    0x187ac6080 <+8>:   stp    x24, x23, [sp, #0x20]
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x00000001003d01f8 OPlayer Lite`_mh_execute_header + 3621368
OPlayer Lite`_mh_execute_header:
->  0x1003d01f8 <+3621368>: adrp   x8, 5089
    0x1003d01fc <+3621372>: ldr    x20, [x8, #0x630]
    0x1003d0200 <+3621376>: mov    x0, x19
    0x1003d0204 <+3621380>: mov    x1, x20
Target 0: (OPlayer Lite) stopped.
(lldb)  
Process 432 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x00000001003d01fc OPlayer Lite`_mh_execute_header + 3621372
OPlayer Lite`_mh_execute_header:
->  0x1003d01fc <+3621372>: ldr    x20, [x8, #0x630]
    0x1003d0200 <+3621376>: mov    x0, x19
    0x1003d0204 <+3621380>: mov    x1, x20
    0x1003d0208 <+3621384>: bl     0x10106f28c               ; symbol stub for: objc_msgSend
Target 0: (OPlayer Lite) stopped.

From the output, the address we land on in the OPlayer Lite module is 0x1003d01f8.
Subtracting the OPlayer Lite slide 0x000000000005c000 gives:

(lldb) p/x 0x1003d01f8-0x000000000005c000
(long) $74 = 0x00000001003741f8

Then enter 0x00000001003741f8 in the already-open Hopper Disassembler v4 and jump to it with the G shortcut. The result:

[image: 01.png]

From this we make a guess: addAds_OnLocalAds is very likely the method we are looking for. Next we set a breakpoint on it; first find the address of addAds_OnLocalAds:

[image: 02.png]

The address is 0x000000010037c518. Adding the slide again gives the runtime address:

(lldb) p/x 0x000000010037c518+0x000000000005c000
(long) $76 = 0x00000001003d8518

The device may appear frozen at this point; resume execution and delete all breakpoints:

(lldb) c
Process 432 resuming
(lldb) br del
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (1 breakpoint)

Set a new breakpoint, this time at addAds_OnLocalAds:

br s -a 0x00000001003d8518

Then go back to the previous screen and play the video again; the command line now shows:

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x00000001003d8518 OPlayer Lite`_mh_execute_header + 3654936
OPlayer Lite`_mh_execute_header:
->  0x1003d8518 <+3654936>: stp    d9, d8, [sp, #-0x50]!
    0x1003d851c <+3654940>: stp    x24, x23, [sp, #0x10]
    0x1003d8520 <+3654944>: stp    x22, x21, [sp, #0x20]
    0x1003d8524 <+3654948>: stp    x20, x19, [sp, #0x30]
Target 0: (OPlayer Lite) stopped.
(lldb)  

Next, confirm the selector name (x1 holds the selector on arm64) and get the address:

(lldb) p (char*)$x1
(char *) $78 = 0x0000000101454c97 "addAds_OnLocalAds"

The address the method will return to when it finishes (the link register):

(lldb) p/x $lr
(unsigned long) $83 = 0x00000001003d01f8
(lldb) p/x 0x00000001003d01f8-0x000000000005c000
(long) $84 = 0x00000001003741f8
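Every address conversion in steps 8 onward is the same arithmetic: Hopper shows unslid addresses, lldb shows slid ones, and `image list -o -f` gives the slide per module. The script below, an added example that is not part of the original post, parses those two image-list lines and reproduces the three conversions used above (the UIKit breakpoint, the return site after addSubview:, and the addAds_OnLocalAds breakpoint); the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the two `image list -o -f` lines quoted above. For the main
# executable lldb appends the slid load address in parentheses.
IMAGE_LIST = """\
[  0] 0x000000000005c000 /var/containers/Bundle/Application/AAAB1B0F-A9A6-455C-BE5B-8E0230A75252/OPlayer Lite.app/OPlayer Lite(0x000000010005c000)
[  7] 0x0000000000350000 /Users/weihua/Library/Developer/Xcode/iOS DeviceSupport/10.3.1 (14E304)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
"""

# "[ idx] 0xslide /path/to/image" with an optional trailing "(0xload)".
IMAGE_RE = re.compile(
    r"^\[\s*(?P<idx>\d+)\]\s+(?P<slide>0x[0-9a-fA-F]+)\s+(?P<path>.*?)"
    r"(?:\((?P<load>0x[0-9a-fA-F]+)\))?$"
)


@dataclass
class Image:
    index: int
    slide: int                 # ASLR slide reported by `image list -o`
    path: str
    load_addr: Optional[int]   # slid address of the Mach-O header, when printed


def parse_image_list(text: str) -> Dict[str, Image]:
    """Map each module's basename (e.g. 'UIKit', 'OPlayer Lite') to its Image."""
    images: Dict[str, Image] = {}
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if not m:
            continue
        path = m.group("path").rstrip()
        load = m.group("load")
        images[path.rsplit("/", 1)[-1]] = Image(
            index=int(m.group("idx")),
            slide=int(m.group("slide"), 16),
            path=path,
            load_addr=int(load, 16) if load else None,
        )
    return images


def static_to_runtime(static_addr: int, slide: int) -> int:
    """Hopper (unslid) address -> address in the running process."""
    return static_addr + slide


def runtime_to_static(runtime_addr: int, slide: int) -> int:
    """Address seen in lldb (e.g. $pc or $lr) -> address to look up in Hopper."""
    return runtime_addr - slide


def preferred_base(image: Image) -> Optional[int]:
    """The Mach-O's link-time base; Hopper's addresses are relative to this."""
    return None if image.load_addr is None else image.load_addr - image.slide


def breakpoint_command(images: Dict[str, Image], module: str, static_addr: int) -> str:
    """lldb command that breaks at an unslid address inside `module`."""
    return f"br s -a {static_to_runtime(static_addr, images[module].slide):#x}"


def return_site_in_hopper(images: Dict[str, Image], module: str, lr: int) -> int:
    """Given $lr captured inside a callee, the caller's address as Hopper shows it."""
    return runtime_to_static(lr, images[module].slide)


if __name__ == "__main__":
    imgs = parse_image_list(IMAGE_LIST)
    print(breakpoint_command(imgs, "UIKit", 0x187775d24))          # addSubview:
    print(hex(return_site_in_hopper(imgs, "OPlayer Lite", 0x1003d01f8)))
    print(breakpoint_command(imgs, "OPlayer Lite", 0x10037c518))   # addAds_OnLocalAds
```

The preferred_base check is the one worth remembering: the main executable's load address minus its slide is 0x100000000, which is why the Hopper addresses in this post all start with 0x1003..., while UIKit lives in the shared cache and has a very different base.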

0x00000001003741f8 is the address we need; jump to it in Hopper v4:

[image: 03.png]

In the figure above we land inside the addAds_OnLocalAds method, which confirms the location is right. The cbnz instruction shows that this spot is a conditional check.

The key piece of information: we also see that a "PlayViewController" controller has a 'localAdView' instance variable.

Continuing to trace upward, we find that this method is called from [PlayViewController viewWillAppear:], as shown below:

[image: 04.png]

Next, let's confirm this.

Dump the header files with class-dump (I won't go into the details here); the command is:

class-dump OPlayer_Lite.decrypted -H -o header

Then confirm the class, ivar and method names in the header folder.

OK, at this point we have found the interface that loads the ad. Now we need a project to implement the final step.

III. Locating with MonkeyDev

For simplicity I used MonkeyDev here; Theos works too, and I have verified it myself!!!

For how to install MonkeyDev, see the MonkeyDev installation tutorial and introduction.

Note that MonkeyDev's advantage is that it lets you debug the app's UI and locate controls; with Reveal installed, the best UI debugging tool on iOS, it is easier still. MonkeyDev does, however, need an already-decrypted ipa, which can be obtained with PP Assistant on Windows.

First create a new project named Oplayerlite. There isn't much else to say, so here is the key code directly.

[image: 07.png]

Then run the project. The UIView for 'Buy the full version to remove ads?' is gone, but a new ad appears. The screenshot below is from Reveal; Xcode's view debugger works too.

[image: 08.png]

Then in PlayViewController I found the related member GADBannerView *gAdView;, and searching the headers for GADBannerView turned up the following method:

[image: 09.png]
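The "confirm in the header folder" step above and the GADBannerView search here are both greps over class-dump output; a tiny parser of that output answers both questions at once (which classes hold a member of a given type, which class declares localAdView, and whether the selector seen in lldb exists). This is an added example, not code from the original post or from OPlayer Lite: the two header texts are constructed in the shape class-dump emits, using only the names that appear in this post (PlayViewController, localAdView, gAdView, viewWillAppear:, addAds_OnLocalAds, GADBannerView, setFrame:); the real headers contain far more.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout class-dump -H produces (ivars in braces, then
# properties and method declarations). Only names from the post are used.
HEADERS: Dict[str, str] = {
    "PlayViewController.h": """\
#import "UIViewController.h"

@interface PlayViewController : UIViewController <UIGestureRecognizerDelegate>
{
    UIView *localAdView;
    GADBannerView *gAdView;
    _Bool _isPlaying;
}

@property(retain, nonatomic) UIView *localAdView; // @synthesize localAdView;
- (void)addAds_OnLocalAds;
- (void)viewWillAppear:(_Bool)arg1;

@end
""",
    "GADBannerView.h": """\
@interface GADBannerView : UIView
- (void)setFrame:(struct CGRect)arg1;
@end
""",
}

INTERFACE_RE = re.compile(r"^@interface\s+(\w+)\s*:\s*(\w+)")
IVAR_RE = re.compile(r"^\s*(?:struct\s+)?(\w+)\s*(\*?)\s*(\w+);")
PROP_RE = re.compile(r"^@property\s*\([^)]*\)\s*(?:struct\s+)?(\w+)\s*(\*?)\s*(\w+);")
METHOD_RE = re.compile(r"^([-+])\s*\(([^)]*)\)\s*([^;]+);")


@dataclass
class ClassInfo:
    name: str
    superclass: str
    ivars: Dict[str, str] = field(default_factory=dict)       # name -> type
    properties: Dict[str, str] = field(default_factory=dict)  # name -> type
    methods: List[str] = field(default_factory=list)          # "-selector:" / "+selector:"


def parse_headers(headers: Dict[str, str]) -> Dict[str, ClassInfo]:
    """Parse every @interface block in the given header texts."""
    classes: Dict[str, ClassInfo] = {}
    for text in headers.values():
        current, in_ivars = None, False
        for line in text.splitlines():
            m = INTERFACE_RE.match(line)
            if m:
                current = ClassInfo(m.group(1), m.group(2))
                classes[current.name] = current
                continue
            if current is None:
                continue
            stripped = line.strip()
            if stripped == "{":
                in_ivars = True
                continue
            if stripped == "}":
                in_ivars = False
                continue
            if stripped.startswith("@end"):
                current = None
                continue
            if in_ivars:
                m = IVAR_RE.match(line)
                if m:
                    current.ivars[m.group(3)] = m.group(1) + m.group(2)
                continue
            m = PROP_RE.match(line)
            if m:
                current.properties[m.group(3)] = m.group(1) + m.group(2)
                continue
            m = METHOD_RE.match(line)
            if m:
                # Drop "(type)argN" pieces so only the selector keywords remain.
                selector = re.sub(r"\([^)]*\)\s*\w+\s*", "", m.group(3)).strip()
                current.methods.append(m.group(1) + selector)
    return classes


def classes_referencing(classes: Dict[str, ClassInfo], type_name: str) -> List[str]:
    """Classes with an ivar or property whose type is `type_name` (or a pointer to it)."""
    return sorted(c.name for c in classes.values()
                  if any(t.rstrip("*") == type_name
                         for t in {**c.ivars, **c.properties}.values()))


def find_member(classes: Dict[str, ClassInfo], member: str) -> List[Tuple[str, str, str]]:
    """(class, 'ivar'|'property', type) for every declaration of `member`."""
    out = []
    for c in classes.values():
        if member in c.ivars:
            out.append((c.name, "ivar", c.ivars[member]))
        if member in c.properties:
            out.append((c.name, "property", c.properties[member]))
    return out


def has_method(classes: Dict[str, ClassInfo], cls: str, selector: str) -> bool:
    return cls in classes and selector in classes[cls].methods


if __name__ == "__main__":
    info = parse_headers(HEADERS)
    print(classes_referencing(info, "GADBannerView"), find_member(info, "localAdView"))
    print(has_method(info, "PlayViewController", "-addAds_OnLocalAds"))
```

To use it on real output, read every file in the class-dump `header` directory into the HEADERS dict; the selector strings it produces ("-addAds_OnLocalAds", "-viewWillAppear:") match the form lldb showed in `p (char*)$x1`, so a name seen in the debugger can be checked against the dump directly.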

Not expecting much, I tried changing the project's OplayerliteDylib.xm to the following:

// See http://iphonedevwiki.net/index.php/Logos

#import <UIKit/UIKit.h>

// Forward declaration of the app's own class so the property is visible to the hook.
@interface PlayViewController

@property(strong, nonatomic) UIView *localAdView;

@end

%hook PlayViewController

- (void)viewWillAppear:(BOOL)arg1
{
    // Replace the local ad view with an empty zero-sized view before the original runs.
    self.localAdView = [[UIView alloc] initWithFrame:CGRectZero];
    %orig;
}

%end


%hook GADBannerView

// Swallow setFrame: so the banner is never laid out (deliberately no %orig).
- (void)setFrame:(struct CGRect)arg1
{
    NSLog(@"__%s__", __func__);
}

%end

Then I ran it, and to my surprise it worked.

OK, congratulations: at this point OPlayer Lite really does play without ads.

IV. Packaging and installing the app on a non-jailbroken device

Afterwards I looked into how to install this app on a non-jailbroken device.

[image: 10.png]

Export the app, place it in a Payload folder, zip that folder and rename the archive to .ipa. At this point it may still refuse to install; one last step is needed: re-signing the ipa.
For details see iOS re-signing.
