用theos完成一个简单的越狱程序hook：
参考了以下链接
b6bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3A6G2k6i4W2A6L8#2)9J5k6h3y4G2L8g2)9J5c8X3W2G2M7#2)9J5c8U0t1H3x3e0c8Q4x3V1j5H3x3g2)9J5c8U0l9I4i4K6u0r3L8h3q4C8k6g2)9J5k6r3q4Q4x3X3c8E0L8$3u0A6L8r3g2Q4x3X3c8K6N6h3u0K6N6s2u0S2N6r3g2Q4x3X3c8@1N6$3g2S2K9#2)9J5k6s2g2K6K9h3&6Y4i4K6u0V1N6r3S2W2L8%4y4Q4x3V1j5`.

1bfK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6#2k6X3q4%4k6h3W2Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5K6i4K6u0r3x3o6S2Q4x3V1k6A6e0#2y4Q4x3X3c8B7j5h3W2D9j5Y4u0G2K9$3g2F1i4K6u0V1M7s2u0G2k6%4u0S2L8h3#2A6L8X3N6Q4x3X3b7I4i4K6u0r3
524K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6#2k6X3q4%4k6h3W2Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5K6i4K6u0r3x3o6S2Q4x3V1k6A6e0#2y4Q4x3X3c8B7j5h3W2D9j5Y4u0G2K9$3g2F1i4K6u0V1M7s2u0G2k6%4u0S2L8h3#2A6L8X3N6Q4x3X3b7J5i4K6u0r3
a34K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6#2k6X3q4%4k6h3W2Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5K6i4K6u0r3x3o6S2Q4x3V1k6A6e0#2y4Q4x3X3c8B7j5h3W2D9j5Y4u0G2K9$3g2F1i4K6u0V1M7s2u0G2k6%4u0S2L8h3#2A6L8X3N6Q4x3X3b7K6i4K6u0r3
cf5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6#2k6X3q4%4k6h3W2Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6p5K6i4K6u0r3x3o6S2Q4x3V1k6A6e0#2y4Q4x3X3c8B7j5h3W2D9j5Y4u0G2K9$3g2F1i4K6u0V1M7s2u0G2k6%4u0S2L8h3#2A6L8X3N6Q4x3X3b7@1i4K6u0r3

问题处理：
1.安装软件包除了macport ，brew也是个不错的选择，用macport往Lion安装dpkg
比macport更轻量级
f69K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4A6L8X3k6S2L8W2)9J5k6h3W2F1k6X3!0Q4x3V1k6T1L8r3!0Y4i4K6u0r3x3U0l9I4x3W2)9J5c8U0l9J5i4K6u0r3x3U0g2Q4x3V1k6Z5L8$3#2W2j5Y4u0W2N6#2)9J5k6r3W2F1M7%4c8S2L8r3I4S2N6r3W2G2L8W2)9J5k6r3q4F1k6q4)9J5k6s2g2K6j5h3N6W2i4K6u0r3
安装源：
b64K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0J5k6i4N6Q4x3X3g2K6K9q4)9J5c8R3`.`.

2.make package install时报错遇到的问题：
dpkg-deb: file `/tmp/_theos_install.deb' contains ununderstood data member data.tar.xz , giving up

修改     /opt/theos/makefiles/package/deb.mk
-    $(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

+    $(ECHO_NOTHING)COPYFILE_DISABLE=1 $(FAKEROOT) -r dpkg-deb -Zgzip -b "$(THEOS_STAGING_DIR)" "$(_THEOS_DEB_PACKAGE_FILENAME)" $(STDERR_NULL_REDIRECT)$(ECHO_END)

3.编译弹出对话框时的hook程序报错：
Undefined symbols for architecture armv7:
  "_OBJC_CLASS_$_UIAlertView", referenced from:
      objc-class-ref in Tweak.xm.30520078.o
ld: symbol(s) not found for architecture armv7

修改Makefile，增加如下条目解决：
XXX_FRAMEWORKS = UIKit

4.在Xcode 4.5环境下 编译两种hook程序成功，其中遇到一些问题基本可以解决，ios6版本上均正常显示，在ios7中未能显示
   在Xcode5.0.2环境下，编译两种hook程序失败

5.关于lipo的介绍：
ios开发中使用lipo用来合并模拟器和真机通用静态库
通常在项目中静态库都有两个版本，一个用于模拟器，一个用于真机，mac和iphone的CPU不同造成的
为了方便模拟器和真机间切换调试方便，制作通用版非常有必要
现在有两个版本的静态库libSQLite_i386.a（模拟器）与libSQLite_arm.a（真机）
执行：lipo -create libSQLite_i386.a libSQLite_arm.a -output libSQLite.a
我们可以lipo -info libSQLite.a命令，查看是否是通用的

6.关于在ios7及arm64上跑hook程序，跟进中···

跟进链接在ios7上编译没有问题，但是在真机上不起效果

a60K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3W2H3K9r3!0F1k6h3c8W2N6Y4N6A6K9$3W2Q4x3X3g2F1k6i4c8Q4x3V1k6A6L8X3c8W2P5q4)9J5k6i4m8Z5M7q4)9J5c8W2g2H3k6r3q4@1K9h3&6Y4i4K6g2X3k6i4S2@1k6h3&6K6K9h3!0F1M7#2)9#2k6X3k6G2M7W2)9#2k6X3W2a6f1#2)9#2k6U0M7`.

Xcode5还不支持工具链···，所以还要在Xcode4上搞···

[培训]科锐逆向工程师培训第53期2025年7月8日开班！