include theos/makefiles/common.mk

APPLICATION_NAME = iOSRETargetApp
iOSRETargetApp_FILES = main.m iOSRETargetAppApplication.mm RootViewController.mm
iOSRETargetApp_FRAMEWORKS = UIKit CoreGraphics

include $(THEOS_MAKE_PATH)/application.mk

# Runs on the device after the package is installed: refresh SpringBoard's
# icon cache as the mobile user so that the new app icon appears.
after-install::
	install.exec "su mobile -c uicache"

In the above Makefile, “su mobile -c uicache” runs uicache as the mobile user after installation to refresh SpringBoard's icon cache, so that iOSRETargetApp's icon shows up on SpringBoard. Run “make package install” in Terminal to build the package and install the app on the device. Launch iOSRETargetApp, ssh into the device after the red background shows, and check whether the functions logged what we expect:


FunMaker-5:~ root# grep iOSRE: /var/log/syslog
Nov 18 11:13:34 FunMaker-5 iOSRETargetApp[5072]: iOSRE: CPPFunction: This is a C++ function!
Nov 18 11:13:34 FunMaker-5 iOSRETargetApp[5072]: iOSRE: CFunction: This is a C function!
Nov 18 11:13:35 FunMaker-5 iOSRETargetApp[5072]: iOSRE: CPPFunction: This is a short C function!


  1. Create iOSREHookerTweak with Theos; the command and its prompts are as follows:


snakeninnys-MacBook:Code snakeninny$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/application
[2.] iphone/library
[3.] iphone/preference_bundle
[4.] iphone/tool
[5.] iphone/tweak
Choose a Template (required): 5
Project Name (required): iOSREHookerTweak
Package Name [com.yourcompany.iosrehookertweak]: com.iosre.iosrehookertweak
Author/Maintainer Name [snakeninny]: snakeninny
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.iosre.iosretargetapp
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: iOSRETargetApp
Instantiating iphone/tweak in iosrehookertweak/...
Done.


  2. Modify Tweak.xm as follows:


#import <substrate.h>
#include <string.h>   // strcmp

// Receives the original CPPClass::CPPFunction(const char *) once the hook is installed.
// The symbol carries a second leading underscore because Mach-O prefixes every
// C-level symbol with '_'.
void (*old__ZN8CPPClass11CPPFunctionEPKc)(void *, const char *);

// Replacement function. A C++ member function gets its 'this' pointer as a hidden
// first argument, so the C-style prototype has one more parameter than the source shows.
void new__ZN8CPPClass11CPPFunctionEPKc(void *hiddenThis, const char *arg0)
{
    if (strcmp(arg0, "This is a short C function!") == 0)
        old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc!");
    else
        old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, arg0);   // pass every other call through untouched
}
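The mangled symbol is what tells you how to spell the hook prototype above: the nested name gives the class and method (hence the hidden this pointer), and the trailing PKc is the parameter list (pointer to const char). The demangler below is an added example written for this page, not code from the book, Theos or MobileSubstrate. It covers the subset of the Itanium C++ ABI that plain member and free functions use (nested names, const member functions, P and K modifiers, a few builtin parameter types) and accepts the Mach-O spelling with a second leading underscore. Apart from the book's CPPFunction symbol, the sample names are constructed for illustration. Note that a non-template function's return type is not part of its mangled name, so the void in the hook prototype has to come from the source or the disassembly, not from the symbol.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append n bytes of s at out[*pos] without overflowing cap; out stays NUL-terminated. */
static void emitn(char *out, size_t cap, size_t *pos, const char *s, size_t n)
{
    if (*pos + n >= cap) n = cap - 1 - *pos;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
}
static void emit(char *out, size_t cap, size_t *pos, const char *s) { emitn(out, cap, pos, s, strlen(s)); }

/* <source-name> ::= <length><identifier>, e.g. "8CPPClass" or "11CPPFunction". */
static int parse_source_name(const char **p, char *out, size_t cap, size_t *pos)
{
    const char *s = *p;
    size_t len = 0;
    while (isdigit((unsigned char)*s)) len = len * 10 + (size_t)(*s++ - '0');
    if (len == 0 || strlen(s) < len) return 0;
    emitn(out, cap, pos, s, len);
    *p = s + len;
    return 1;
}

/* <type> ::= P <type> (pointer) | K <type> (const) | one-letter builtin | <source-name> (class). */
static int parse_type(const char **p, char *out, size_t cap, size_t *pos)
{
    const char *builtin = NULL;
    switch (**p) {
    case 'P': (*p)++; if (!parse_type(p, out, cap, pos)) return 0; emit(out, cap, pos, "*"); return 1;
    case 'K': (*p)++; if (!parse_type(p, out, cap, pos)) return 0; emit(out, cap, pos, " const"); return 1;
    case 'v': builtin = "void"; break;
    case 'c': builtin = "char"; break;
    case 'i': builtin = "int"; break;
    case 'j': builtin = "unsigned int"; break;
    case 'l': builtin = "long"; break;
    default:  return parse_source_name(p, out, cap, pos);
    }
    (*p)++;
    emit(out, cap, pos, builtin);
    return 1;
}

/* Demangle "_Z<name><params>" or the Mach-O spelling "__Z..." into e.g.
 * "CPPClass::CPPFunction(char const*)". Returns 1 on success, 0 for a plain C
 * symbol or a mangling feature outside this subset (templates, substitutions, ...). */
int demangle(const char *mangled, char *out, size_t cap)
{
    const char *p = mangled;
    size_t pos = 0;
    int const_member = 0;
    out[0] = '\0';
    if (p[0] == '_' && p[1] == '_' && p[2] == 'Z') p++;   /* Mach-O prefixes symbols with '_' */
    if (p[0] != '_' || p[1] != 'Z') return 0;             /* not Itanium-mangled at all */
    p += 2;
    if (*p == 'N') {                                      /* nested name: N [K] <name>... E */
        p++;
        if (*p == 'K') { const_member = 1; p++; }         /* const member function */
        for (int first = 1; *p != 'E'; first = 0) {
            if (!first) emit(out, cap, &pos, "::");
            if (!parse_source_name(&p, out, cap, &pos)) return 0;
        }
        p++;
    } else if (!parse_source_name(&p, out, cap, &pos)) {
        return 0;                                         /* free function: single <source-name> */
    }
    emit(out, cap, &pos, "(");
    if (strcmp(p, "v") != 0) {                            /* an empty parameter list mangles as v */
        for (int first = 1; *p; first = 0) {
            if (!first) emit(out, cap, &pos, ", ");
            if (!parse_type(&p, out, cap, &pos)) return 0;
        }
    }
    emit(out, cap, &pos, ")");
    if (const_member) emit(out, cap, &pos, " const");
    return 1;
}

/* Convenience for quick checks: returns a static buffer, or NULL when not mangled. */
const char *demangle_static(const char *mangled)
{
    static char buf[256];
    return demangle(mangled, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed samples: the book's CPPFunction symbol as the Mach-O symbol table
     * spells it, plus invented variants that exercise the other supported forms. */
    const char *samples[] = { "__ZN8CPPClass11CPPFunctionEPKc", "_ZNK8CPPClass6lengthEv",
                              "_Z9CPPHelperPKci", "_CFunction" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *d = demangle_static(samples[i]);
        printf("%-32s -> %s\n", samples[i], d ? d : "(plain C symbol: hook with its C prototype)");
    }
    return 0;
}
```

Running it prints CPPClass::CPPFunction(char const*) for the book's symbol, which is exactly the (void *hiddenThis, const char *arg0) prototype used in Tweak.xm once the hidden this pointer is prepended. A name that does not start with _Z, such as CFunction, is a plain C symbol and is hooked with its C prototype unchanged.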