设备信息的修改
是机刷必不可少的步骤
1、下载流程:清理进程和数据(包括keychain及修改设备信息)、切换IP、登录appID、打开App Store、在App Store搜索应用、下载并安装app(打码)、注销app ID、关闭App Store、卸载app 2、 评论流程:在下载流程的基础上进行评论
原文:https://kunnan.blog.csdn.net/article/details/114658476
MSHookFunction(&sysctlbyname, &new_sysctlbyname, &old_sysctlbyname);
MSHookFunction(&sysctlbyname, &new_sysctlbyname, &old_sysctlbyname)
使用 capstone 对二进制文件进行反汇编来定位方法的地址,以便于 MSHookFunction。libMobileGestalt is a library that can be used to get various system values such as the UDID, disk usage, device version and much more. It is comparable to liblockdown.dylib. See also lockdownd.
WTHookFunction(((void*)MSFindSymbol(NULL, "_MGCopyAnswer")),(void*)MGCopyAnswer, (void**)&old_MGCopyAnswer);
One of the most abused APIs is MGCopyAnswer in libMobileGestalt, but hooking it directly will instantly crash the process with an invalid instruction.
Fortunately, we have Capstone Engine, which is a powerful disassembler based on LLVM’s MC to save the day.
void *Symbol = MSFindSymbol(MSGetImageByName("/usr/lib/libMobileGestalt.dylib"), "_MGCopyAnswer");
MSFindSymbol
void * Symbol=MSFindSymbol(MSGetImageByName("/usr/lib/libMobileGestalt.dylib"), "_MGCopyAnswer");
if (insn[j].id == ARM64_INS_BL){
#import <substrate.h>
#import "capstone.h"
// Pointer to the original MGCopyAnswer implementation. It is filled in by
// MSHookFunction when the hook is installed and is NULL until then.
static CFStringRef (*old_MGCA)(CFStringRef Key);

// Replacement for MGCopyAnswer: forwards the query to the original
// implementation, logs the key together with the answer, and returns the
// answer unchanged.
// NOTE(review): the answer is typed CFStringRef here; %@ prints any CF
// object, and nothing in this file establishes that every answer is a string.
CFStringRef new_MGCA(CFStringRef Key){
    CFStringRef answer = old_MGCA(Key);
    NSLog(@"MGHooker:%@\nReturn Value:%@", Key, answer);
    return answer;
}
// Constructor: resolves the MGCopyAnswer symbol in libMobileGestalt,
// disassembles the bytes at that symbol with Capstone, takes the operand of
// the first `b` instruction as the real implementation address, and installs
// new_MGCA there. The indirection exists because, per the text above,
// hooking the exported symbol directly crashes with an invalid instruction.
%ctor {
// Exported symbol inside libMobileGestalt; NULL if the lookup fails.
void * Symbol=MSFindSymbol(MSGetImageByName("/usr/lib/libMobileGestalt.dylib"), "_MGCopyAnswer");
NSLog(@"MG: %p",Symbol);
csh handle;
cs_insn *insn;
cs_insn BLInstruction;
size_t count;
// Address the hook is installed at. It stays 0 unless a `b` instruction is
// found below and its operand parses.
unsigned long realMGAddress=0;
// Direct hook of the symbol, kept disabled (see the crash note above).
//MSHookFunction(Symbol,(void*)new_MGCA, (void**)&old_MGCA);
if (cs_open(CS_ARCH_ARM64, CS_MODE_ARM, &handle) == CS_ERR_OK) {
/*cs_disasm(csh handle,
const uint8_t *code, size_t code_size,
uint64_t address,
size_t count,
cs_insn **insn);*/
// Disassemble up to 0x1000 bytes starting at Symbol (count 0 = every
// instruction in the range). NOTE(review): nothing checks that Symbol is
// non-NULL, or that 0x1000 bytes past it are readable, before this call.
count=cs_disasm(handle,(const uint8_t *)Symbol,0x1000,(uint64_t)Symbol,0,&insn);
if (count > 0) {
NSLog(@"Found %lu instructions",count);
for (size_t j = 0; j < count; j++) {
NSLog(@"0x%" PRIx64 ":\t%s\t\t%s\n", insn[j].address, insn[j].mnemonic,insn[j].op_str);
// First `b` instruction (ARM64_INS_B; the snippet above uses ARM64_INS_BL,
// this code does not). Its immediate operand, "#0x...", is parsed as the
// real function address. The sscanf result is not checked.
if(insn[j].id==ARM64_INS_B){
BLInstruction=insn[j];
sscanf(BLInstruction.op_str, "#%lx", &realMGAddress);
break;
}
}
cs_free(insn, count);
} else{
NSLog(@"ERROR: Failed to disassemble given code!%i \n",cs_errno(handle));
}
cs_close(&handle);
//Now perform actual hook
// NOTE(review): if no `b` was found, or sscanf failed, realMGAddress is
// still 0 and the hook is installed at address 0; there is no guard here.
MSHookFunction((void*)realMGAddress,(void*)new_MGCA, (void**)&old_MGCA);
}
else{
// Capstone could not be initialised; no hook is installed.
NSLog(@"MGHooker: CSE Failed");
}
}