# 14. Anti-Hook Protection (Part 2): Monkey

## 1. Installation: MonkeyDev

> [GitHub-MonkeyDev](https://github.com/AloneMonkey/MonkeyDev)

After installation, restart Xcode and you will see a `MonkeyDev` entry.

![1](/files/-M_uxpa44QbKvH-Dx71a)

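## 2. Re-signing

Create a `MonkeyApp` project. Its directory contains a `TargetApp` folder; put the `ipa` package or `app` file you want to re-sign into it. Then change the demo's BundleID to a usable one of your own and run it!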

![2](/files/-M_uxpa5f1kn_l1gyh9G)

## 3. Hook: Logos syntax

> [Logos](http://iphonedevwiki.net/index.php/Logos)

![1](/files/-M_uxpa6_u-Z8MnqXBWy)

As we can see, this file has no syntax highlighting.

![1](/files/-M_uxpa7IaOY1_Zwe8VO)

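Change the type here to `ObjectiveC++Source`, then switch to another file and back, and highlighting works.

### 3.1 Try hooking the project we protected in the previous article

> Here we are going to hook `actionA` of `ViewController`

#### a. Put the compiled app file into the TargetApp directory

#### b. Write the hook code in Logos syntax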

```cpp
#import <UIKit/UIKit.h>

%hook ViewController

- (void)actionA:(id)sender {
    NSLog(@"action-A-(Hooked!)");
}

%end
```

It's that simple!

#### c. Run and check the log

```
2021-05-16 23:10:24.635341+0800 AntiHook[3859:1526960] ⚠️检测到了Hook！
2021-05-16 23:10:24.635477+0800 AntiHook[3859:1526960] ⚠️检测到了Hook！
2021-05-16 23:10:24.635519+0800 AntiHook[3859:1526960] [AntiAntiDebug Init]
               🎉!!！congratulations!!！🎉
👍----------------insert dylib success----------------👍
[MethodTrace] 
📚--------------------OCMethodTrace(Usage)-------------------📚
https://github.com/omxcodec/OCMethodTrace/blob/master/README.md
📚--------------------OCMethodTrace(Usage)-------------------📚
[MethodTrace] logLevel: 0: logWhen: 0 traceFlag: 2 traceObject: 0(未指定类)
[MethodTrace] Method Trace is disabled

Download cycript(https://cydia.saurik.com/api/latest/3) then run: ./cycript -r 192.168.0.102:6666

2021-05-16 23:10:24.915464+0800 AntiHook[3859:1526960] result: <UIApplication: 0x1017100d0>
2021-05-16 23:10:24.996174+0800 AntiHook[3859:1526960]  INFO: Reveal Server started (Protocol Version 43).
2021-05-16 23:10:33.341774+0800 AntiHook[3859:1526960] action-A-(Hooked!)
```

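Although our protection code detected the hook, the hook still succeeded.

#### d. Reflection

Here we used the technique from [Anti-Hook Protection (Part 1)](/wiki/ni-xiang/13.-fan-hook-fang-hu-yi-ji-yu-fishhook.md) for protection, and it failed to stop `Monkey`'s hook. We can roughly infer that it hooks using Set and Get!

Next, let's add protection for Set/Get to verify this idea!

## 4. Set/Get Hook protection

Here we make a small change to the protection code.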

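```cpp
#import <objc/runtime.h>
#import "fishhook.h"

// Saved pointers to the original functions; these can be exposed for our own use.
// Each rebinding needs its own slot, otherwise the last one overwrites the others.
void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB);
IMP (*sysGetPoint)(Method _Nonnull m);
IMP (*sysSetPoint)(Method _Nonnull m, IMP _Nonnull imp);

void my_exchange(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️检测到了Hook！-method_exchangeImplementations");
}

// Same signature as method_getImplementation: log, then return the real IMP
IMP my_get(Method _Nonnull m) {
    NSLog(@"⚠️检测到了Hook！-method_getImplementation");
    return sysGetPoint ? sysGetPoint(m) : NULL;
}

// Same signature as method_setImplementation: log, leave the method unchanged,
// and return the current IMP
IMP my_set(Method _Nonnull m, IMP _Nonnull imp) {
    NSLog(@"⚠️检测到了Hook！-method_setImplementation");
    return sysGetPoint ? sysGetPoint(m) : NULL;
}

+ (void)load {
    struct rebinding exchange;
    exchange.name = "method_exchangeImplementations";
    exchange.replacement = my_exchange;
    exchange.replaced = (void *)&sysExchangePoint;

    struct rebinding get;
    get.name = "method_getImplementation";
    get.replacement = my_get;
    get.replaced = (void *)&sysGetPoint;

    struct rebinding set;
    set.name = "method_setImplementation";
    set.replacement = my_set;
    set.replaced = (void *)&sysSetPoint;

    struct rebinding bds[] = { exchange, get, set };

    rebind_symbols(bds, 3);
}
```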

### 4.1 Protection result

```
2021-05-17 23:25:17.892661+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.892798+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_exchangeImplementations
2021-05-17 23:25:17.892840+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.892874+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_exchangeImplementations
2021-05-17 23:25:17.892912+0800 AntiHook[3999:1630972] [AntiAntiDebug Init]
               🎉!!！congratulations!!！🎉
👍----------------insert dylib success----------------👍
2021-05-17 23:25:17.914757+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_getImplementation
2021-05-17 23:25:17.914913+0800 AntiHook[3999:1630972] ⚠️检测到了Hook！-method_setImplementation
[MethodTrace] 
...
2021-05-17 23:25:26.987849+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:27.952512+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:28.803100+0800 AntiHook[3999:1630972] action-B
2021-05-17 23:25:29.170666+0800 AntiHook[3999:1630972] action-B
```

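We can see that our `set`/`get` protection code was triggered, and tapping the buttons printed the correct log! The protection succeeded, and it also confirms our idea: ***Monkey's Hook is based on Get/Set***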
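
A complementary check for the situation in section 3.1, where the hook was detected but still took effect: verify at call time that the method's implementation still lives in the app's own image. This is an added example, not code from the original page; `RKImpIsInOwnImage` and `RKCheckActionA` are hypothetical names, and it assumes the helper is compiled into the same executable as `ViewController`.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Hypothetical helper (not from the original page): returns YES when the current
// implementation of -[cls sel] is code inside the same Mach-O image as this
// function. Assumption: this file is linked into the app's main executable.
static BOOL RKImpIsInOwnImage(Class cls, SEL sel) {
    if (cls == Nil || sel == NULL || class_getInstanceMethod(cls, sel) == NULL) {
        return NO;  // unknown class or method: treat as untrusted
    }
    // class_getMethodImplementation is not one of the functions rebound in
    // section 4, so this lookup does not pass through my_get.
    IMP imp = class_getMethodImplementation(cls, sel);
    if (imp == NULL) {
        return NO;
    }

    Dl_info impInfo;
    Dl_info selfInfo;
    // dladdr returns 0 when the address is not inside any loaded image.
    if (dladdr((const void *)imp, &impInfo) == 0) {
        return NO;
    }
    if (dladdr((const void *)&RKImpIsInOwnImage, &selfInfo) == 0) {
        return NO;
    }
    // Compare image base addresses rather than paths, so /var vs /private/var
    // differences cannot cause a mismatch. An implementation replaced by an
    // injected dylib resolves to that dylib's base address instead.
    return impInfo.dli_fbase == selfInfo.dli_fbase;
}

// Constructed usage: check the method hooked in section 3.1.
static void RKCheckActionA(void) {
    Class cls = NSClassFromString(@"ViewController");
    SEL sel = NSSelectorFromString(@"actionA:");
    if (!RKImpIsInOwnImage(cls, sel)) {
        NSLog(@"actionA: implementation is outside the app's own image");
    }
}
```

Unlike the rebinding approach, this check does not depend on running before the injected dylib, so it can be repeated at any point, for example right before a sensitive action.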

