14. Anti-Hook Protection (Part 2): Monkey
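After installation, restart Xcode and you will see MonkeyDev.

Create a MonkeyApp. In its directory there is a TargetApp folder; put the ipa package or app file that needs to be re-signed into it. Change the Demo's BundleID to a usable one of your own, and run it!

We can see that this file has no syntax highlighting.

Change the type here to Objective-C++ Source, then switch to another file and back. Here we prepare to hook ViewController's actionA: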
```logos
#import <UIKit/UIKit.h>

%hook ViewController

- (void)actionA:(id)sender {
    NSLog(@"action-A-(Hooked!)");
}

%end
```
It's that simple!
```
2021-05-16 23:10:24.635341+0800 AntiHook[3859:1526960] ⚠️检测到了Hook!
2021-05-16 23:10:24.635477+0800 AntiHook[3859:1526960] ⚠️检测到了Hook!
2021-05-16 23:10:24.635519+0800 AntiHook[3859:1526960] [AntiAntiDebug Init]
🎉!!!congratulations!!!🎉
👍----------------insert dylib success----------------👍
[MethodTrace]
📚--------------------OCMethodTrace(Usage)-------------------📚
https://github.com/omxcodec/OCMethodTrace/blob/master/README.md
📚--------------------OCMethodTrace(Usage)-------------------📚
[MethodTrace] logLevel: 0: logWhen: 0 traceFlag: 2 traceObject: 0(未指定类)
[MethodTrace] Method Trace is disabled
Download cycript(https://cydia.saurik.com/api/latest/3) then run: ./cycript -r 192.168.0.102:6666
2021-05-16 23:10:24.915464+0800 AntiHook[3859:1526960] result: <UIApplication: 0x1017100d0>
2021-05-16 23:10:24.996174+0800 AntiHook[3859:1526960] INFO: Reveal Server started (Protocol Version 43).
2021-05-16 23:10:33.341774+0800 AntiHook[3859:1526960] action-A-(Hooked!)
```
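Although our protection code detected the hook (the "⚠️检测到了Hook!" lines, meaning "Hook detected!"), the hook still succeeded.

Next, we add protection for set/get to verify our idea!

Here we make a simple modification to the protection code.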
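```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import "fishhook.h"

// Pointers to the original functions; these can be exposed for your own use
void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB);
IMP _Nonnull (*sysGetPoint)(Method _Nonnull meth);
IMP _Nonnull (*sysSetPoint)(Method _Nonnull meth, IMP _Nonnull imp);

void my_exchange(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook!-method_exchangeImplementations");
}

// Same signature as method_getImplementation: log, then return the real IMP
IMP _Nonnull my_get(Method _Nonnull meth) {
    NSLog(@"⚠️检测到了Hook!-method_getImplementation");
    return sysGetPoint(meth);
}

// Same signature as method_setImplementation: log and leave the method unchanged
IMP _Nonnull my_set(Method _Nonnull meth, IMP _Nonnull imp) {
    NSLog(@"⚠️检测到了Hook!-method_setImplementation");
    return sysGetPoint(meth);
}

// In the @implementation of the class that carries the protection code
+ (void)load {
    struct rebinding exchange;
    exchange.name = "method_exchangeImplementations";
    exchange.replacement = my_exchange;
    exchange.replaced = (void *)&sysExchangePoint;

    struct rebinding get;
    get.name = "method_getImplementation";
    get.replacement = my_get;
    get.replaced = (void *)&sysGetPoint; // each rebinding needs its own slot for the original

    struct rebinding set;
    set.name = "method_setImplementation";
    set.replacement = my_set;
    set.replaced = (void *)&sysSetPoint;

    struct rebinding bds[] = { exchange, get, set };
    rebind_symbols(bds, 3);
}
```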
```
2021-05-17 23:25:17.892661+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation
2021-05-17 23:25:17.892798+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_exchangeImplementations
2021-05-17 23:25:17.892840+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation
2021-05-17 23:25:17.892874+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_exchangeImplementations
2021-05-17 23:25:17.892912+0800 AntiHook[3999:1630972] [AntiAntiDebug Init]
🎉!!!congratulations!!!🎉
👍----------------insert dylib success----------------👍
2021-05-17 23:25:17.914757+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_getImplementation
2021-05-17 23:25:17.914913+0800 AntiHook[3999:1630972] ⚠️检测到了Hook!-method_setImplementation
[MethodTrace]
...
2021-05-17 23:25:26.987849+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:27.952512+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:28.803100+0800 AntiHook[3999:1630972] action-B
2021-05-17 23:25:29.170666+0800 AntiHook[3999:1630972] action-B
```
We can see that our set/get protection code was triggered, and tapping the buttons printed the correct log. The protection succeeded! This also confirms our idea: Monkey's hooks are based on get/set.
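The protection code on this page blocks every call to the rebound functions, while its comment notes that the saved original pointer can be kept for your own use. As an added example (not code from the original page or from fishhook), here is one way a guard could forward calls that come from the app's own image and block the rest. The names `orig_set`, `guarded_set`, `address_in_own_image` and `install_set_guard` are hypothetical, and it assumes the guard is linked into the same image as the code that is allowed to swizzle.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>
#import "fishhook.h"

// Original method_setImplementation, filled in by fishhook (hypothetical name).
static IMP _Nonnull (*orig_set)(Method _Nonnull m, IMP _Nonnull imp);

// YES when addr lies in the same Mach-O image as this guard code.
// Assumption: the guard is linked into the image that is allowed to swizzle.
static BOOL address_in_own_image(const void *addr) {
    Dl_info target, own;
    if (!dladdr(addr, &target)) return NO;   // unknown image: treat as foreign
    if (!dladdr((const void *)&address_in_own_image, &own)) return NO;
    return target.dli_fbase == own.dli_fbase;
}

static IMP _Nonnull guarded_set(Method _Nonnull m, IMP _Nonnull imp) {
    // The return address identifies the code that called method_setImplementation.
    void *caller = __builtin_extract_return_addr(__builtin_return_address(0));
    if (address_in_own_image(caller)) {
        return orig_set(m, imp);             // our own code: forward to the original
    }
    Dl_info info;
    const char *image = dladdr(caller, &info) ? info.dli_fname : "unknown";
    NSLog(@"⚠️ blocked method_setImplementation(%s) from %s",
          sel_getName(method_getName(m)), image);
    return method_getImplementation(m);      // method left unchanged
}

// Call once, early (the page installs its rebindings from +load).
static void install_set_guard(void) {
    struct rebinding set = {
        .name = "method_setImplementation",
        .replacement = (void *)guarded_set,
        .replaced = (void **)&orig_set,
    };
    rebind_symbols(&set, 1);
}
```

Calls made before `install_set_guard` runs are not intercepted, so the guard has to be installed before any untrusted image gets to run its hooks.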