paradiseduo / ipapatch Goto Github PK

IPAPatch provide a simple way to patch iOS Apps, without needing to jailbreak.

[ 说明 • Features • Instructions • Example • FAQ • License ]

• 本项目改编于Naituw IPAPatch，站在巨人的肩膀上学习
• 本工程已集成Reavel 20的framework，直接运行即可添加
• 本工程集成了FLEX.framework，运行后即可动态调试
• 本工程集成了Dobby框架，使用方法见下方（Dobby默认不启用，需自行开启）
• 本工程集成了frida-gadget，基于frida 15.0.15版本重新编译，解决了线程阻塞问题，可以在非越狱手机上使用frida调试APP
• 本工程集成了常见的反调试方法的绕过，如ptrace，syscall，sysctl，isatty等（IPAPatchBypassAntiDebugging.m）
• 修复恢复符号表功能， 目前只能恢复arm64的machO文件，如果是Fat格式machO需要自己先瘦身
• 本工程集成了svc 0x80的反调试方法的绕过（IPAPatchBypassAntiDebugging.m），代码来自于xia0LLDB，未经完全测试，可能会有页边界问题
• 本工程利用OC的runtime机制，添加了替换任意方法(包括代理方法)的函数（Tools.m）
• 使用方法：将砸壳后的ipa包重命名为app.ipa，然后放入Assets文件夹下，打开IPAPatch工程直接运行即可，运行前请选好证书，改好bundleID
• 代替class-dump的新方案dsdump
• 在装有M1芯片的Mac上脱壳的方案appdecrypt

首先在option.plist中将Dobby的选项打开：

以hook sum方法为例，sum为写在app.ipa中的一个C语言函数：

int sum(int a,int b){
    return a + b;
}

在IPAPatchEntry.m内

#import <objc/message.h> //为了使用objc_msgSend

int (*originSum)(int a, int b); // 保留原始的方法实现的指针地址

//新函数
int hookSum(int a,int b){
    return a * b;
}

+ (void)load {
    static uintptr_t sumOffset = 0x100005724; // sum函数的偏移地址可以通过IDA去查看
    uintptr_t mainASLR = _dyld_get_image_vmaddr_slide(0); // 获取主程序的ASLR，因为sum函数在主程序的image中，因此这里的参数是0
    uintptr_t sumAddress = mainASLR + sumOffset;
    
    // 构造SEL，dobbyHookWith:replace:origin:是OC封装过得DobbyHook(void *address, void *replace_call, void **origin_call)
    SEL sel = NSSelectorFromString(@"dobbyHookWith:replace:origin:");
    // 通过反射寻找DobbyOC类，并调用SEL
    ((void (*) (id, SEL, void *, void *, void **)) objc_msgSend) (NSClassFromString(@"DobbyOC"), sel, (void *)sumAddress, hookSum, (void *)&originSum);
}

IPAPatch includes an template Xcode project, that provides following features:

• Build & Run third-party ipa with your code injected

  You can run your own code inside ipa file as a dynamic library. So you can change behavior of that app by utilizing Objective-C runtime.

  Presented an custom alert in Youtube app

  

• Step-by-step Debugging with lldb

  You can debug third-party apps like your own. For example:

  • Step-by-Step debug your code inside other app
  • Set Breakpoints
  • Print objects in Xcode console with lldb
  
  

  Debugging Youtube with Xcode

  

• Link external frameworks

  By linking existing frameworks, you can integrate third-party services to apps very easily, such as Reveal.

  Inspect Youtube by linking RevealServer.framework

  

• Generate distributable .ipa files

  You can distribute your patch/work to your friends very easily, with IPAPatch generated modified version of .ipa files

  Modified version of Facebook.ipa created by IPAPatch

  

1. Clone or Download This Project

   Download this project to your local disk

2. Prepare Decrypted IPA File

   The IPA file you use need to be decrypted, you can get a decrypted ipa from a jailbroken device or download it directly from an ipa download site, such as http://www.iphonecake.com

3. Replace Placeholder IPA

   Replace the IPA file located at IPAPatch/Assets/app.ipa with yours, this is a placeholder file. The filename should remain app.ipa after replacing.

4. Place External Resources/Frameworks (Optional)

   Follow types of external file are supported:

   • Frameworks:
     • External frameworks can be placed at IPAPatch/Assets/Frameworks folder.
     • Frameworks will be linked automatically.
     • For example IPAPatch/Assets/Frameworks/RevealServer.framework
   • Dynamic Libraries:
     • External dynamic libraries can be placed at IPAPatch/Assets/Dylibs folder.
     • Libraries will be linked automatically
   • Resources/Bundles:
     • Other resources or bundles can be placed at IPAPatch/Assets/Resources
     • Resources will be copied directly to the main bundle of original app

5. Configure Build Settings

   • Open IPAPatch.xcodeproj
   • In the Project Editor, Select Target IPAPatch-DummyApp
   • Display Name defaults to "💊", this is used as prefix of the final display name.
   • Change Bundle Identifier to match your provisioning profiles
   • Fix signing issues if any.

6. Configure IPPatch Options

   • You can config IPAPatch's behavior with Tools/options.plist

     Name	Description	Default
     RESTORE_SYMBOLS	When YES, IPAPatch will try to restore symbol table from Mach-O for debugging propose (with tools from https://github.com/tobefuturer/restore-symbol, also thanks to @henrayluo and @dannion)	NO
     CREATE_IPA_FILE	When YES, IPAPatch will generate a ipa file on each build. Genrated file is located at SRCROOT/Product	NO
     IGNORE_UI_SUPPORTED_DEVICES	When YES, IPAPatch will delete UISupportedDevices from source app's Info.plist	NO
     REMOVE_WATCHPLACEHOLDER	When YES, IPAPatch will remove com.apple.WatchPlaceholder folder from source app's bundle	YES
     USE_ORIGINAL_ENTITLEMENTS	When YES, IPAPatch will use source app's entitlements to resign, you need to make sure your Provisioning Profile matches the entitlements, or you need to disable AMFI on target device	NO

7. Code Your Patch

   The entry is at +[IPAPatchEntry load], you can write code start from here. To change apps' behavior, You may need to use some method swizzling library, such as steipete/Aspects.

8. Build and Run

   Select a real device, and hit the "Run" button at the top-left corner of Xcode. The code your wrote and external frameworks you placed will inject to the ipa file automatically.

I created some demo project, which shows you how to use IPAPatch:

• Reveal + Youtube:
  • https://github.com/Naituw/IPAPatch/releases/tag/1.0
• Cycript + Youtube (Idea from @phpmaple):
  • https://github.com/Naituw/IPAPatch/releases/tag/1.0.1

• Q: Library not loaded with reason: mach-o, but wrong architecture ?

  • A: Try set IPAPatch target's Valid Architectures to match your ipa binary's architecture.

• Q: process launch failed: Unspecified (Disabled) ?

  • A: The ipa file use with IPAPatch must be decrypted, See step.2 of Instructions.

• Q: dyld: Symbol not found: XXX, Referenced from: XXX, Expected in: XXX/libswiftXXX.dylib

  • The swift version the framework you injecting use, is incompatible with the version of your Xcode

   IPAPatch is licensed under the MIT license.

Copyright (c) 2017-present Wu Tian <[email protected]>.
  
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
  
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
  
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Copyright (c) 2014, Alex Zielenski
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 2013, Facebook, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
  * Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.
  * Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.
  * Neither the name Facebook nor the names of its contributors may be used to
    endorse or promote products derived from this software without specific
    prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

https://github.com/jmpews/Dobby

https://github.com/4ch12dy/xia0LLDB