How to create a root app
1. First install iOSOpenDev (see: iOS reverse engineering, installing iOSOpenDev).
2. Create a native app project.
3. Click + and choose Add User-Defined Setting to add the iOSOpenDev settings. The essential one is CODE_SIGNING_ALLOWED = NO, which turns code signing off.

4. Also clear the certificate by hand: under Targets --> Build Settings search for "sign", then (1) set Code Signing Identity to empty and (2) set Code Signing Entitlements to the local entitlements file.


The entitlements file contents (these are private Apple entitlements; they are only honoured on a jailbroken device, where the signature check that would normally reject them has been disabled):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.mobileinstall.allowedSPI</key>
    <array>
        <string>Lookup</string>
        <string>Install</string>
        <string>Browse</string>
        <string>Uninstall</string>
        <string>LookupForLaunchServices</string>
        <string>InstallForLaunchServices</string>
        <string>BrowseForLaunchServices</string>
        <string>UninstallForLaunchServices</string>
        <string>CopyDiskUsageForLaunchServices</string>
        <string>InstallLocalProvisioned</string>
    </array>
    <key>com.apple.private.security.no-container</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>com.apple.lsapplicationworkspace.rebuildappdatabases</key>
    <true/>
    <key>com.apple.private.MobileContainerManager.allowed</key>
    <true/>
    <key>com.apple.private.MobileGestalt.AllowedProtectedKeys</key>
    <true/>
    <key>com.apple.managedconfiguration.profiled-access</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>dynamic-codesigning</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
</dict>
</plist>

5. Create a Package directory under the project directory and inside it the folders Applications and DEBIAN. Under DEBIAN create five files: prerm, postinst, preinst, postrm and control.

prerm: stops the daemon or app associated with the package. It runs before the package's files are removed. Contents:

#!/bin/bash

# Stop the running app before its files are removed. killall returns non-zero
# when nothing is running, so end with exit 0 or dpkg treats the removal as failed.
killall -9 TestRootApp > /dev/null 2>&1

exit 0

postinst: finishes configuring the package once it is installed. Many postinst scripts run the commands that restart services for the newly installed or upgraded software. Contents:

#!/bin/bash

# Read ProductVersion out of SystemVersion.plist: find the line number of the
# key, then take the <string> value on the following line.
get_ios_ver()
{
    OSVERLINE=`grep -n 'ProductVersion' /System/Library/CoreServices/SystemVersion.plist | sed 's/:.*//'`
    ((OSVERLINE+=1))
    OSVER=`cat /System/Library/CoreServices/SystemVersion.plist | sed -n "${OSVERLINE}p" | sed 's/^.*<string>//' | sed 's/<\/string>.*//'`
    echo ${OSVER}
}

# Optional setuid wrapper (disabled): rename the real binary, make it a
# root-owned setuid file, and put a tiny launcher script in its place.
#cd "/Applications/TestRootApp.app/"
#
## process origin binary
#mv TestRootApp TestRootApp_
#chown root.wheel TestRootApp_
#chmod +s         TestRootApp_
#
#cont=`cat <<"EOF"
##!/bin/bash
#dir=$(dirname "$0")
#exec "${dir}"/TestRootApp_ "$@"
#EOF
#`
## create new fake binary
#echo -e "$cont" > TestRootApp
#chown root.wheel  TestRootApp
#chmod +x          TestRootApp

echo "Set permission..."

# The bundle belongs to root:wheel; only the data directory under Media stays mobile-owned.
chown -R root:wheel /Applications/TestRootApp.app
chmod -R u=rwx,go=rx /Applications/TestRootApp.app
chmod ug=rwx,o=rx /Applications/TestRootApp.app
chown root:wheel /Applications/TestRootApp.app/TestRootApp  /Applications/TestRootApp.app/libs/* /Applications/TestRootApp.app/*.png /Applications/TestRootApp.app/*.plist
chown -R mobile:mobile /private/var/mobile/Media/TestRootApp

# On iOS 11 the app binary itself is made setuid root. Compare the version
# numerically ([[ > ]] compares strings, so "9" would sort above "11").
iOSVer=`get_ios_ver`
iOSVerArray=(${iOSVer//./ })
iOSVerCount=${#iOSVerArray[*]}
if [[ ${iOSVerCount} -gt 1 ]]; then
    if [[ ${iOSVerArray[0]} -eq 11 ]]; then
        chmod u+s /Applications/TestRootApp.app/TestRootApp
    fi
fi

echo "Clean icon cache..."
su -c /usr/bin/uicache mobile > /dev/null

# Ask Cydia to restart SpringBoard after the install. The first word of $CYDIA
# is the file descriptor of Cydia's control pipe; "finish:restart" is written to it.
# dpkg runs postinst as "postinst configure <old-version>"; "install" and
# "upgrade" are preinst arguments and never reach this script.
declare -a cydia
cydia=($CYDIA)

if [[ $1 == configure ]]; then
    if [[ ${CYDIA+@} ]]; then
        eval "echo 'finish:restart' >&${cydia[0]}"
    fi
fi

exit 0

preinst: runs before the deb's files are unpacked. Many preinst scripts stop the services of the package being upgraded until the install or upgrade completes. The path removed here must be this package's own app bundle. Contents:

#!/bin/bash

#echo "Stop TestRootApp services..."
#killall -9 TestRootApp > /dev/null 2>&1

# Wipe any previous copy so the unpack never leaves stale files behind.
echo "Remove old files..."
rm -rf /Applications/TestRootApp.app > /dev/null

exit 0


postrm: adjusts package links or file associations, or removes files the package created. Contents:

#!/bin/bash

# Rebuild the icon cache as the mobile user so the removed app disappears from SpringBoard.
echo "Clean icon cache..."
su -c /usr/bin/uicache mobile > /dev/null
#rm -rf /Applications/TouchSprite.app

# Ask Cydia to respring through its control pipe (first word of $CYDIA);
# when not installed from Cydia, tell the user to do it by hand.
declare -a cydia
cydia=($CYDIA)

if [[ ${CYDIA+@} ]]; then
    eval "echo 'finish:respring' >&${cydia[0]}"
else
    echo "Please respring your device after this!"
fi

exit 0

control: sets the version, the package name and the firmware version the package depends on.

Package: com.xx.crashDemo.TestRootApp
Name: rootApp
Version: 1.0.0
Description:
Section: System
Depends: firmware (>= 5.0)
Conflicts:
Replaces:
Priority: optional
Architecture: iphoneos-arm
Author: XX
dev:
Homepage:
Depiction:
Maintainer: XX
Icon:

6. In the Run Script build phase add:
/opt/iOSOpenDev/bin/iosod --xcbp

7. Build. The package can only be produced with the Profiling build action: Xcode --> Product --> Build For --> Profiling.

8. The first build after step 7 succeeds, but after several builds a copy error appears. The fix is to delete the .app under Package/Applications in the project; a small script can do that and be run from the Run Script phase:

# Remove the previous build's .app from the package staging tree so the copy
# step does not collide with it. Paths are quoted and the cd is checked so a
# failed cd can never turn the rm -rf loose in the wrong directory.
work_path=$(dirname "$0")
cd "${work_path}" || exit 1   # jump to the script's own directory
rm -rf Package/Applications/*
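As an added example that is not part of the original post or of iOSOpenDev: a small Python linter for the Package/DEBIAN tree assembled in steps 5 to 8, run on the Mac before dpkg-deb (or iosod --xcbp) turns it into a .deb. It checks the things dpkg will refuse (missing Package, Version, Architecture or Maintainer; maintainer scripts whose mode is outside 0555..0775) and the things Cydia silently tolerates but you will regret (empty Description, a mixed-case package name, a missing .app under Applications, a script without a shebang). The sample control text and the throw-away tree built by demo() are constructed here; the iphoneos-arm64 architecture name and the "Name"/"Section" fields are assumed Cydia conventions rather than dpkg requirements.

```python
# Lint a Package/DEBIAN tree before dpkg-deb (or iosod --xcbp) turns it into a .deb.
# Added example, not part of iOSOpenDev or the post; field rules follow dpkg/Debian policy.
import os
import re
import tempfile

REQUIRED_FIELDS = ("Package", "Version", "Architecture", "Maintainer")  # dpkg will not build without these
RECOMMENDED_FIELDS = ("Description", "Name", "Section")                  # what the Cydia listing shows (assumed)
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
IOS_ARCHES = ("iphoneos-arm", "iphoneos-arm64")                          # rootful / rootless (assumed names)
VERSION_RE = re.compile(r"^(?:\d+:)?\d[A-Za-z0-9.+~-]*$")   # [epoch:]upstream[-revision], upstream starts with a digit
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")        # Debian policy 5.6.1; dpkg itself tolerates uppercase

# Constructed sample mirroring the post's control file (empty Description, mixed-case Package).
SAMPLE_CONTROL = """\
Package: com.xx.crashDemo.TestRootApp
Name: rootApp
Version: 1.0.0
Description:
Section: System
Architecture: iphoneos-arm
Maintainer: XX
"""

def parse_control(text):
    """Parse one control paragraph into {field: value}; indented lines continue the previous field."""
    fields, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and last is not None:
            fields[last] += "\n" + raw.strip()
            continue
        if ":" not in raw:
            raise ValueError("malformed control line: %r" % raw)
        key, _, value = raw.partition(":")
        last = key.strip()
        fields[last] = value.strip()
    return fields

def lint_control(fields):
    """Return 'error:'/'warning:' strings for a parsed control file."""
    issues = []
    for f in REQUIRED_FIELDS:
        if not fields.get(f):
            issues.append("error: required field %s is missing or empty" % f)
    for f in RECOMMENDED_FIELDS:
        if not fields.get(f):
            issues.append("warning: field %s is empty" % f)
    pkg, ver, arch = fields.get("Package", ""), fields.get("Version", ""), fields.get("Architecture", "")
    if pkg and not PKG_NAME_RE.match(pkg):
        issues.append("warning: Package %r is not a policy-conformant lowercase name" % pkg)
    if ver and not VERSION_RE.match(ver):
        issues.append("error: Version %r is not a valid dpkg version" % ver)
    if arch and arch not in IOS_ARCHES:
        issues.append("warning: Architecture %r is not an iOS architecture" % arch)
    return issues

def lint_maintainer_scripts(debian_dir):
    """dpkg-deb rejects scripts whose mode is outside 0555..0775; without #! dpkg cannot exec them."""
    issues = []
    for name in MAINTAINER_SCRIPTS:
        path = os.path.join(debian_dir, name)
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode & 0o7777
        if (mode & 0o7557) != 0o555:  # the exact check dpkg-deb makes
            issues.append("error: %s has bad permissions %04o (must be >=0555 and <=0775)" % (name, mode))
        with open(path, "rb") as f:
            if f.read(2) != b"#!":
                issues.append("error: %s does not start with a #! shebang" % name)
    return issues

def lint_package_tree(root):
    """Lint DEBIAN/control, the maintainer scripts and the Applications payload under root."""
    debian = os.path.join(root, "DEBIAN")
    control_path = os.path.join(debian, "control")
    if not os.path.isfile(control_path):
        return ["error: DEBIAN/control not found"]
    with open(control_path) as f:
        issues = lint_control(parse_control(f.read()))
    issues += lint_maintainer_scripts(debian)
    apps_dir = os.path.join(root, "Applications")
    bundles = os.listdir(apps_dir) if os.path.isdir(apps_dir) else []
    if not any(d.endswith(".app") for d in bundles):
        issues.append("warning: no .app bundle under Applications (the build has not copied it yet)")
    return issues

def demo():
    """Constructed tree laid out like the post's Package directory, with two deliberate
    mistakes (postinst not executable, prerm without a shebang); returns the lint findings."""
    root = tempfile.mkdtemp(prefix="rootapp-pkg-")
    debian = os.path.join(root, "DEBIAN")
    os.makedirs(os.path.join(root, "Applications", "TestRootApp.app"))
    os.makedirs(debian)
    with open(os.path.join(debian, "control"), "w") as f:
        f.write(SAMPLE_CONTROL)
    with open(os.path.join(debian, "postinst"), "w") as f:
        f.write("#!/bin/bash\nsu -c /usr/bin/uicache mobile > /dev/null\nexit 0\n")
    os.chmod(os.path.join(debian, "postinst"), 0o644)
    with open(os.path.join(debian, "prerm"), "w") as f:
        f.write("killall -9 TestRootApp > /dev/null 2>&1\nexit 0\n")
    os.chmod(os.path.join(debian, "prerm"), 0o755)
    return lint_package_tree(root)
```

Run lint_package_tree() against the project's Package directory from the same Run Script phase that deletes the stale .app, before iosod --xcbp; the mode test is the one dpkg-deb itself applies (the bits left after masking owner and group write must be exactly r-x for everyone, with no setuid), so a script committed as 0644 is caught on the Mac instead of at install time on the device.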

PS: My root app makes a network request, and after jailbreaking with unc0ver the request always failed with "the internet connection appears to be offline". The first thing to settle is whether this is a code problem or a network-permission problem: a throwaway GET request to Baidu failed with the same error, so the app simply had no network permission. The odd part is that the first launch showed no permission prompt at all. Perhaps root apps never show one, but then how would they ever get network access? I was baffled; jailbreaking is not for the faint-hearted. Figuring that the vendors who ship root apps must hit the same problem, I dug through the TouchSprite site, its FAQ and every troubleshooting page, and finally found this one: https://www.touchsprite.com/d...
Their guide removes three system network configuration files:

rm -rf /private/var/preferences/com.apple.networkextension.plist
rm -rf /private/var/preferences/com.apple.networkextensioncache.plist
rm -rf /private/var/preferences/com.apple.networkextension.necp.plist
killall -9 SpringBoard

In practice this only worked on iOS 14 (I only have iOS 13 and 14 devices); on iOS 13 it had no effect. After a long search I tried the following instead:

rm -rf /private/var/preferences/com.apple.networkextension.plist
killall -9 CommCenter

To cover both versions, combine them:

rm -rf /private/var/preferences/com.apple.networkextension.plist
rm -rf /private/var/preferences/com.apple.networkextensioncache.plist
rm -rf /private/var/preferences/com.apple.networkextension.necp.plist
killall -9 CommCenter
killall -9 SpringBoard

References: https://www.touchsprite.com/d... and https://juejin.cn/post/684490...

03-05 23:49