05-Theos

在前面的例子中,利用Cycript可以对某个App进行调试,But its effect is only temporary,Because once killedApp进程,will be restored to its original state.So how to modify itAPP后,It can keep the effect permanently？

Next you need to use itTheos,Theosis a collection of tools,可以通过Theos创建tweak项目,Hook目标App的一些方法,然后对tweak项目进行编译、打包,生成deb插件（In fact, it is a dynamic library file）,安装到iPhone上,The principle will be discussed next

Install the signing toolldid

ldidis a command line signing tool,Signature file that can be used for export、Re-sign files and other operations

• 首先安装homebrew（类似于iOS中的CocoaPods）

  $ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

• 利用brew安装ldid

brew install ldid

修改环境变量

• 编辑用户的配置文件

vim ~/.bash_profile

• 在 .bash_profie Add two lines after the file

# THEOS represents the path ~/theos
export THEOS=~/theos
# 让~/theos/binThe configuration file of the directory can take effect globally, $PATH Represents some other global configuration files
export PATH=$THEOS/bin:$PATH

• 让 .bash_profie The configured environment variables take effect immediately

source ~/.bash_profile

配置好环境变量,可以打印查看

下载Theos

• It is recommended to download the code to $THEOS目录（也就是~/theos目录）

git clone --recursive https://github.com/theos/theos.git $THEOS

创建tweak项目

• cdto a storagetweak项目代码的地方（例如桌面）,创建项目

cd ~/Desktop
# 开始创建项目
nic.pl

• 选择 iphone/tweak项目
  

编写Tweak项目

After performing the previous steps,会在桌面生成一个tweaktest文件夹,里面有四个文件

编写Makefile文件

Add environment variables in front,That is, through whatIPand port to connect the phone（因为iPhone和Mac通过USB绑定,直接输入Mac的本地IPand bind the port）

export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=2222

include $(THEOS)/makefiles/common.mk
TWEAK_NAME = ting_tweak
ting_tweak_FILES = Tweak.xm
include $(THEOS_MAKE_PATH)/tweak.mk
after-install::
    install.exec "killall -9 SpringBoard"

If you don't want each item'sMakefileThe file needs to write the above environment variables,Can be added directly to the user profile（.bash_profile）中即可,$ source ~/.bash_profile 让配置文件生效

$ vim ~/.bash_profile
export THEOS=~/theos
export PATH=$THEOS/bin:$PATH
export THEOS_DEVICE_IP=127.0.0.1
export THEOS_DEVICE_PORT=2222

$ source ~/.bash_profile

编写代码

打开Tweak.xm文件,Enter the code that needs to be modified,例如hook某个方法：

#import <UIKit/UIKit.h>
%hook ViewController
// 对ViewController的声明,可识别self关键字
@interface ViewController
// Recognized at compile time[self view]代码
- (id)view;
@end

- (void)touchesBegan:(id)touches withEvent:(id)event
{
    
	UIView *v = [[UIView alloc] initWithFrame:CGRectMake(200, 200, 100, 100)];
 	v.backgroundColor = [UIColor greenColor];
   	[[self view] addSubview:v];
}

%end

编译、打包、安装

执行以下命令之前,Make sure to let it goMac和iPhone进行端口绑定

• 编译,执行 $ make
  
• 打包,执行 $ make package
  
• 安装, 执行 $ make install
  

make package时可能会出现如下错误：

错误1

package name has characters that aren't lowercase alphanums or '-+.'

• is because of the project name,bundleID有大写的,needs to be changed to lowercase

错误2

open2: exec of lzma -c1 failed at /Users/wushiguang/theos/bin/dm.pl line 116

• Packaging and compression problems,将deb.mk 文件第6行改成 _THEOS_PLATFORM_DPKG_DEB_COMPRESSION ?= gzip

vim $THEOS/makefiles/package/deb.mk
_THEOS_PLATFORM_DPKG_DEB_COMPRESSION ?= gzip

错误3

Error: You do not have an SDK in
/Library/Developer/CommandLineTools/Platforms/iPhoneOS.platform/Developer/S
DKs

• 多个Xcode问题,需要指定Xcode路径

sudo xcode-select --switch
/Applications/Xcode.app/Contents/Developer/

错误4

make
> Making all for tweak xxx...
make[2]: Nothing to be done for `internal-library-compile'.

• 之前编译过,有缓存导致的,clean一下即可

make clean

Logos常用语法

Logos的语法可以在这里看到,The following only introduces some commonly used syntax

• %hook、%end ,hook一个类的开始和结束
• %log,打印方法调用详情,可以通过Xcode -> Window -> Devices and Simulators 查看日志
• HBDebugLog,跟NSLog类似
• %new,添加一个新的方法（区别于hook的方法）
• %c(className) ,生成一个Class对象,例如%c（NSObject）,类似于NSStringFromClass()、objc_getClass
• %orig,Call the original code logic of the function
• %ctor,Loading dynamic libraries（That is, the code written）的时候调用
• %dtor,在App退出时调用
• logify.pl,Can be a needHookAll methods in the header file of the class are markedlog,and save to generate onexm文件,Convenient function call tracing

# testfor the target header file,xx为生成的xm文件
logify.pl test.h > xx.xm

logify.pl生成的xm文件 ,Many times the compilation fails,需要一些处理
1、删掉_weak
2、删掉inout
3、Delete the agreement,Or declare the agreement [email protected] xxxDelegate
4、删掉- (void).cxx_destruct { %log; %orig; }
5、删掉HBLogDebug(@" = 0x%x", (unsigned int)r);
6、替换类名为Void,比如将 XXPerson * 替换为 void *,Or declare class [email protected] XXPerson

TweakProject image management and multi-file development

图片资源的管理

如果有额外的资源文件,例如图片等,就新建一个layout文件夹（This folder corresponds to the root directory of the phone）,Then create the following directories in sequence /Library/PreferenceLoader/preferences/ 或/Library/Caches 文件夹,WechatIt is the project folder that needs to be reversed,WechatBelow is the resource file,Reference these resource files when writing code,Full path is required

• 路径1

• 路径2
  
  A closer look will reveal the path1的preferences目录下,有着reveal的图片资源,It means that the resource files in this path are partial to the whole system,So it is more recommended to put it in the path2目录下

多文件开发

在tweak项目开发中,There may be multiple files,例如增加 Dog.h 和 Dog.m,Several situations are described below

情况1

If executed directly at this timemake指令,就会报DogClass not found error message,所以需要指定Dog的路径,打开Makefile文件,tweaktest_FILESIt means the files that need to be involved in compilation,在Tweak.x后加上空格,然后写上Dog.m,就表示Tweak.x和Dog.m参与编译

tweaktest_FILES = Tweak.x Dog.m

情况2

创建一个src文件夹管理

In this case, add the corresponding folder in front of it,但是后面的Dog.mchanged to wildcards*.m,意思src目录下的.mfiles are involved in the compilation

tweaktest_FILES = src/Tweak.x src/*.m

情况3

移除插件

If no longer reverse aApp,在iPhone目录~/Library/MobileSubstrate/DynamicLibraries/下找到我们的deb插件生成的.dylib和.plist文件,删除这两个文件,然后重启SpringBoardThe plugin can be removed

还有一种办法就是在Cydia中找到该插件,然后卸载,This way is a bit cleaner,推荐使用

TweakThe realization principle process

• $ make,编译TweakThe code is a dynamic library（*.dylib）
  
• $ make package,将dylib打包为deb文件
• $ make install,将debThe file is transferred to the mobile phone,通过Cydia安装deb
• The plugin will be installed in /Library/MobileSubstrate/DynamicLibraries 文件夹中
  • *.dylib：编译后的Tweak代码
  • *.plist：stored as neededhook的AppID
• 当打开App时,Cydia Substrate（CydiaPlugins that are automatically installed）会让App去加载对应的dylib,修改AppCode logic in memory,去执行dylib中的函数代码
• theos的tweak并不会对AppThe original executable file is modified,Just modified the code logic in memory

Tweak的一些疑问点

• unshelledApp也是支持tweak的,因为tweakis implemented in memory,没有修改App的可执行文件
• tweakWhether the effect is permanent or not dependsApp代码是否被修改过
• Unjailbroken phones are not supportedtweak
• 可以对Swift/C函数进行tweak,But the way followsOC不一样
• Can also be played on the gametweak,But since the game is mostly passedC++/C#编写,而且类名、Function names are obfuscated