Logos explained - reverse engineering

Foreword

Logos is a set of macro definitions provided on top of the CydiaSubstrate framework. It lets developers write hooks with macros; the syntax is simple, and the result is powerful and stable.

For details of the Logos syntax, see http://iphonedevwiki.net/index.php/Logos

 

Syntax

1. Overview

Logos directives fall into three categories:

  • Block level: these directives open a block of code that is closed with %end. %group, %hook, %subclass, %end
  • Top level: these directives cannot be placed inside a block-level directive. %config, %hookf, %ctor, %dtor
  • Function level: these directives are used inside a method body. %init, %class, %c, %orig, %log

2. Details

2.1 %hook

Specifies the class to hook; it must be closed with %end.

%hook SpringBoard
- (void)_menuButtonDown:(id)down {
    NSLog(@"你好");
    %orig; // call the original _menuButtonDown:
}
%end

This hooks the _menuButtonDown: method of the SpringBoard class: it prints a message first, then runs the original implementation.

2.2 %log

Used inside %hook; writes the class name, the method's arguments and other information about the call to syslog.

%hook SpringBoard
- (void)_menuButtonDown:(id)down
{
    %log((NSString *)@"iOSRE",(NSString *)@"Debug");
    %orig;//call the original _menuButtonDown;
}
%end

2.3 %orig

Used inside %hook; it runs the original code of the hooked method.

%hook SpringBoard
- (void)_menuButtonDown:(id)down
{
    NSLog(@"你好");
    %orig; // call the original implementation
}
%end

If you remove %orig, the original method is not executed:

%hook SpringBoard
- (void)_menuButtonDown:(id)down
{
    NSLog(@"你好");
}
%end

You can also use %orig to change the arguments passed to the original method.

%hook SBLockScreenDateViewController
- (void)setCustomSubtitleText:(id)arg1 withColor:(id)arg2
{
    %orig(@"Red",arg2);
}
%end

2.4 %group

Groups %hook directives, which makes conditional initialization and code management easier; it must be closed with %end. A %group may contain several %hook blocks, and any %hook that does not belong to a custom group is implicitly placed in %group _ungrouped.

%group iOS11Hook
%hook iOS11Class
- (id)iOS11Method {
    id result = %orig;
    NSLog(@"This class & method only exist in iOS 11.");
    return result;
}
%end
%end // iOS11Hook

%group iOS12Hook
%hook iOS12Class
- (id)iOS12Method {
    id result = %orig;
    NSLog(@"This class & method only exist in iOS 12.");
    return result;
}
%end
%end // iOS12Hook

2.5 %init

Initializes a %group; it must be called from within a %hook or a %ctor. With an argument it initializes the named group; with no argument it initializes _ungrouped. A %group only takes effect once the corresponding %init has been called.

#ifndef kCFCoreFoundationVersionNumber_iOS_11_0
#define kCFCoreFoundationVersionNumber_iOS_11_0 1140.10
#endif

%hook SpringBoard
- (void)applicationDidFinishLaunching:(id)application {
    %orig;
    %init; // Equals to %init(_ungrouped)
    // iOS 11.x only
    if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_11_0 && kCFCoreFoundationVersionNumber < kCFCoreFoundationVersionNumber_iOS_12_0)
        %init(iOS11Hook);
    // iOS 12.0 and later
    if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0)
        %init(iOS12Hook);
}
%end

2.6 %ctor

The constructor in which initialization is done. If you do not define one explicitly, Theos automatically generates a %ctor that calls %init.

%hook SpringBoard 
- (void)reboot {
    NSLog(@"If rebooting doesn't work then I'm screwed.");
    %orig;
}
%end

This hook takes effect because Theos implicitly generates the following:

%ctor
{
    %init(_ungrouped);
}

By contrast, in the following:

%hook SpringBoard
- (void)reboot{
     NSLog(@"If rebooting doesn't work then I'm screwed.");
     %orig;
}
%end

%ctor
{
    // Need to call %init explicitly!
}

the %hook does not take effect, because a %ctor is defined explicitly but does not call %init. A %ctor does not need to be closed with %end. It is generally used to initialize a %group.

2.7 %new

Used inside %hook to add a new method to an existing class; it has the same effect as class_addMethod.

%hook SpringBoard 
%new 
- (void)namespaceNewMethod {
     NSLog(@"We've added a new method to SpringBoard."); 
}
%end

2.8 %c

Works like objc_getClass or NSClassFromString: it looks up a class definition dynamically. It is used inside %hook and %ctor.
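What the directives above amount to at the Objective-C runtime level, as an added example (not from the original post, and a hand-written approximation rather than the exact code Logos generates). It rewrites the 2.1 hook and the 2.7 %new method with CydiaSubstrate's MSHookMessageEx, objc_getClass and class_addMethod; the names orig_menuButtonDown, hook_menuButtonDown, added_namespaceNewMethod and tweak_init are assumptions chosen for illustration.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <substrate.h>   // CydiaSubstrate: declares MSHookMessageEx

// Storage for the original IMP; this is what %orig ends up calling.
static void (*orig_menuButtonDown)(id self, SEL _cmd, id down);

// Replacement body, equivalent to the method inside %hook in 2.1.
static void hook_menuButtonDown(id self, SEL _cmd, id down) {
    NSLog(@"hooked -[%@ %@]", [self class], NSStringFromSelector(_cmd));
    if (orig_menuButtonDown) {
        orig_menuButtonDown(self, _cmd, down);   // %orig
    }
}

// Body of the method that %new adds in 2.7.
static void added_namespaceNewMethod(id self, SEL _cmd) {
    NSLog(@"We've added a new method to %@.", [self class]);
}

// %ctor: runs when the dylib is loaded. The body is the work %init does.
__attribute__((constructor)) static void tweak_init(void) {
    Class cls = objc_getClass("SpringBoard");    // %c(SpringBoard)
    if (cls == Nil) {
        return;                                  // class not loaded in this process
    }

    // Swap the method's IMP and keep the old one for %orig.
    MSHookMessageEx(cls, @selector(_menuButtonDown:),
                    (IMP)hook_menuButtonDown, (IMP *)&orig_menuButtonDown);

    // "v@:" is the type encoding: returns void, takes self and _cmd.
    // class_addMethod returns NO if the class already implements the selector.
    if (!class_addMethod(cls, @selector(namespaceNewMethod),
                         (IMP)added_namespaceNewMethod, "v@:")) {
        NSLog(@"namespaceNewMethod is already implemented by %@", cls);
    }
}
```

If the constructor never installs the hook, the replacement body is never reached, which is why the explicit %ctor without %init in 2.6 leaves the %hook inactive.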

Summarized as follows

 

Demo

3.1 Create a new Logos demo project

 

 

3.2 Export the header files with class-dump

$ class-dump -H 001-LogosDemo -o /Users/yaoqi/Desktop/LogosHeaders

 

 

3.3 Create a new MonkeyDev project and re-sign LogosDemo

 

At this point the MonkeyDev project adds libsubstrate.dylib and RevealServer.framework to the project; with libsubstrate.dylib in place, Logos syntax can be used.

 

 

3.4 Write the Logos code in the .xm file in the MonkeyDev project's Logos folder

 

 

 _02_loginHookDemoDylib.xm

// See http://iphonedevwiki.net/index.php/Logos

#import <UIKit/UIKit.h>

@interface ViewController: UIViewController

- (void)presentViewController:(UIViewController *)viewControllerToPresent animated: (BOOL)flag completion:(void (^ __nullable)(void))completion NS_AVAILABLE_IOS(5_0);
+ (void)CL_classMethod;

@end

%hook ViewController

- (void)loginBtnClicked:(id)arg1 {
    %log;
    UIAlertController *alertVC = [UIAlertController alertControllerWithTitle:@"Hook成功了!!!" message:nil preferredStyle:(UIAlertControllerStyleAlert)];
    [alertVC addAction:[UIAlertAction actionWithTitle:@"确定" style:(UIAlertActionStyleCancel) handler:nil]];
    [self presentViewController:alertVC animated:YES completion:nil];
}

%new
- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
    [self.view endEditing:YES];
    [self.class CL_classMethod];
}

%new
+ (void)CL_classMethod {
    NSLog(@"这是一个类方法!!!");
}

%end

3.5 Run it: the MonkeyDev project hooks LogosDemo's loginBtnClicked

 

 

 

The FLEX library

4.1 Inject the FLEX library into MonkeyDev's dylib

Add a Podfile to the root directory of the MonkeyDev project; its target is the Monkey dynamic library's target.

platform :ios, '9.0'

target '002-loginHookDemoDylib' do
  use_frameworks!
  pod 'FLEX'
end

4.2 What the interface shows

FLEX can inspect the app's files, databases, view hierarchy and sandbox.

 

 

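Practice example

Requirement: add a "+" button on the left of the WeChat home screen that behaves the same as the button on the right.

5.1 Create a new MonkeyDev project, re-sign 韦小宝, and add FLEX to the dynamic library

5.2 Using Xcode's view debugger and class-dump, locate the NewMainFrameViewController controller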

 

5.3 Using Xcode's view debugger, find the right-hand button's showRightTopMenuBtn method

Target <NewMainFrameRightTopMenuBtn: 0x104dd99d0>
Action showRightTopMenuBtn

 

 

5.4 Find the view of the navigation bar's right-hand button in memory

5.5 Implement the requirement in code

#import <UIKit/UIKit.h>

@interface NewMainFrameViewController :UIViewController
@end

@interface NewMainFrameRightTopMenuBtn: UIView
- (void)showRightTopMenuBtn;
@end

@interface MMBarButtonItem: UIBarButtonItem
@property(nonatomic,weak)NewMainFrameRightTopMenuBtn *view;
@end

%hook NewMainFrameViewController

-(UINavigationItem *)navigationItem{
    //    NSLog(@"\n\n\n-------------navigationItem-----");
    // Method swizzling! This calls itself!
    return %orig;
}

- (void)viewDidAppear:(_Bool)arg1{
    %orig;
    UIButton * leftBtn = [UIButton buttonWithType:(UIButtonTypeContactAdd)];
    [leftBtn addTarget:self action:@selector(CL_leftClick) forControlEvents:(UIControlEventTouchUpInside)];
    [self.navigationItem setLeftBarButtonItem: [[UIBarButtonItem alloc] initWithCustomView:leftBtn]];
}

- (void)viewDidLoad{
    %orig;
    //    NSLog(@"\n\n\n-----viewDidLoad-----------");
}

%new
-(void)CL_leftClick
{
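    /**
     Inspecting memory shows the method is invoked as: [self.navigationItem.rightBarButtonItem.view showRightTopMenuBtn]
     self: the NewMainFrameViewController controller

     */
    // The property is typed UIBarButtonItem; cast to the subclass declared above.
    MMBarButtonItem *btn = (MMBarButtonItem *)self.navigationItem.rightBarButtonItem;
    [btn.view showRightTopMenuBtn];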
}

%end

5.6 Result

 

 

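Summary

That covers the Logos syntax and its explanation. If it helped, please follow, and feel free to give it a like. The next article will cover jailbreaking, so please have a jailbroken phone and PP Assistant ready!!!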


Origin www.cnblogs.com/guohai-stronger/p/11985402.html