首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. iOS安全
    3. 发新帖
[原创]【iOS逆向与安全】系统推送服务(APNS)拦截
发表于: 2023-1-16 13:14 16082

[原创]【iOS逆向与安全】系统推送服务(APNS)拦截

witchan 活跃值
2023-1-16 13:14
16082

前言

经过之前的分享,相信大家已经掌握了用户级的插件开发。勤奋好学的你是否对系统级的插件也有着浓厚的性趣,本篇文章将和大家一起学习如何分析并编写一款系统级的插件。

一、目标

一步步分析并编写一个拦截系统推送的deb插件

二、工具

  • mac系统
  • 已越狱iOS设备:脱壳及frida调试
  • IDA Pro:静态分析

三、步骤

1、守护进程

​ 守护进程(daemon)是一类在后台运行的特殊进程,用于执行特定的系统任务。例如:推送服务、人脸解锁、iCloud、查找我的iPhone、iMessage等。

 

相应的配置目录:

  • /Library/LaunchAgents:管理员控制特定用户的代理

  • /Library/LaunchDaemons:管理员提供的系统级守护进程(cydia、filza、frida等就在这)

  • /System/Library/LaunchDaemons:iOS提供的默认守护进程

常见的进程配置文件有:

名称 描述
com.apple.apsd 推送服务
com.apple.biometrickitd.pearl 人脸解锁
com.apple.cloudd iCloud
com.apple.icloud.findmydeviced 查找我的iPhone
com.apple.imagent 即时消息代理 (iMessage)
 

更多服务请参考https://www.theiphonewiki.com/wiki/Services

2、定位关键函数

使用命令frida-trace -U -m "*[UILabel setText:]" SpringBoard后,收到通知后的日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
66907 ms  -[UILabel setText:移动端小陈]
 66907 ms  UILabel setText called from:
0x1e54aa12c UserNotificationsUIKit!-[NCNotificationContentView setSecondaryText:]
0x1e5475474 UserNotificationsUIKit!-[NCNotificationShortLookView setSecondaryText:]
0x1e543bd1c UserNotificationsUIKit!-[NCNotificationViewController _updateWithProvidedStaticContent]
0x1e54b68b4 UserNotificationsUIKit!-[NCNotificationShortLookViewController _updateWithProvidedStaticContent]
0x1e543b6ec UserNotificationsUIKit!-[NCNotificationViewController setHasUpdatedContent]
0x1e543c450 UserNotificationsUIKit!-[NCNotificationViewController viewDidLoad]
0x1ea9fe224 UIKitCore!-[UIViewController loadViewIfRequired]
0x1ea9fe628 UIKitCore!-[UIViewController view]
0x1eaa15dd4 UIKitCore!-[UIViewController _setPresentationController:]
0x1eaa0e1f4 UIKitCore!-[UIViewController _presentViewController:modalSourceViewController:presentationController:animationController:interactionController:completion:]
0x1eaa0fccc UIKitCore!-[UIViewController _presentViewController:withAnimationController:completion:]
0x1eaa123a8 UIKitCore!__63-[UIViewController _presentViewController:animated:completion:]_block_invoke
0x1eaa128a4 UIKitCore!-[UIViewController _performCoordinatedPresentOrDismiss:animated:]
0x1eaa12300 UIKitCore!-[UIViewController _presentViewController:animated:completion:]
0x1eaa12560 UIKitCore!-[UIViewController presentViewController:animated:completion:]
0x1010d78e0 /System/Library/CoreServices/SpringBoard.app/SpringBoard!-[SBNotificationBannerDestination _presentNotificationViewController:modal:forRequest:sourceAction:completion:]

继续使用命令frida-trace -U -m "*[SBNotificationBannerDestination _presentNotificationViewController:modal:forRequest:sourceAction:completion:]" SpringBoard后,收到通知后的日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
13037 ms  -[SBNotificationBannerDestination _presentNotificationViewController:0x10286f400 modal:0x0 forRequest:0x2825bb2c0 sourceAction:0x0 completion:0x0]
 13037 ms  SBNotificationBannerDestination called from:
0x1013ba3e8 SpringBoard!0x4363e8 (0x1004363e8)
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfbb008 libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$mp
0x1be560b20 CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__
0x1be55ba58 CoreFoundation!__CFRunLoopRun
0x1be55afb4 CoreFoundation!CFRunLoopRunSpecific
0x1c075d79c GraphicsServices!GSEventRunModal
0x1eafa7c38 UIKitCore!UIApplicationMain
0x1d4219a70 FrontBoard!FBSystemAppMain
0x10116db98 SpringBoard!0x1e9b98 (0x1001e9b98)
0x1be01e8e0 libdyld.dylib!start

根据以上日志,只能看到上一层级的函数是一个地址。咱们先把/System/Library/CoreServices/目录的SpringBoard.app文件导出到电脑(可使用爱思或其他工具),再使用IDA Pro工具打开,搜索_presentNotificationViewController后,找到该函数:

 

image-20230112194357180

 

image-20230112194452281

 

image-20230112194537298

 

一层层往上找,直到

 

image-20230112194751390

 

继续使用命令frida-trace -U -m "*[SBNotificationBannerDestination *]" SpringBoard -o a.log后,获取到日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
-[SBNotificationBannerDestination canReceiveNotificationRequest:<NCNotificationRequest: 0x2825a0e00; timestamp: 2023-01-12 11:55:55 +0000; sectionId: com.laiwang.DingTalk; threadId: 263527137:2653514294; notificationId: IM_2653514294_14628640765618; categoryId: category.message.reply.v2>]
-[SBNotificationBannerDestination _isPresentingStickyBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isPresentingBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isPresentedBannerBeingDragged]
-[SBNotificationBannerDestination _isPresentingBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isInSetupMode]
-[SBNotificationBannerDestination setupManager]
-[SBNotificationBannerDestination _isPendingBannerPresentation]
-[SBNotificationBannerDestination bannerPresentationSemaphore]
-[SBNotificationBannerDestination _canReceiveNotificationRequestIfLocked:0x2825a0e00]
-[SBNotificationBannerDestination _isUILocked]
-[SBNotificationBannerDestination lockScreenManager]
-[SBNotificationBannerDestination identifier]
-[SBNotificationBannerDestination _isPresentingStickyBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isPresentingBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isPresentedBannerBeingDragged]
-[SBNotificationBannerDestination _isPresentingBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination _isInSetupMode]
-[SBNotificationBannerDestination setupManager]
-[SBNotificationBannerDestination _isPendingBannerPresentation]
-[SBNotificationBannerDestination bannerPresentationSemaphore]
-[SBNotificationBannerDestination identifier]
-[SBNotificationBannerDestination postNotificationRequest:0x2825a0e00 forCoalescedNotification:0x281166e20]
-[SBNotificationBannerDestination _postNotificationRequest:0x2825a0e00 forCoalescedNotification:0x281166e20 modal:0x0 sourceAction:0x0 completion:0x0]
-[SBNotificationBannerDestination dndEventBehaviorResolutionService]
-[SBNotificationBannerDestination _isBundleIdentifierBlockedForScreenTimeExpiration:0x28118dc80]
-[SBNotificationBannerDestination _isPresentingBannerInLongLook]
-[SBNotificationBannerDestination _isPresentingBanner]
-[SBNotificationBannerDestination presentedBanner]
-[SBNotificationBannerDestination setBannerPresentationSemaphore:0x283fc5450]
-[SBNotificationBannerDestination _notificationViewControllerForRequest:0x2825a0e00]
-[SBNotificationBannerDestination notificationViewController:0x11683d000 staticContentProviderForNotificationRequest:0x2825a0e00]
-[SBNotificationBannerDestination _isContentSuppressedForNotificationRequest:0x2825a0e00]
-[SBNotificationBannerDestination _isDeviceAuthenticated]
-[SBNotificationBannerDestination notificationViewController:0x11683d000 auxiliaryOptionsContentProviderForNotificationRequest:0x2825a0e00 withLongLook:0x0]
-[SBNotificationBannerDestination _notificationSectionSettingsForSectionIdentifier:0x28118dc80]
-[SBNotificationBannerDestination delegate]
-[SBNotificationBannerDestination shouldLoadAudioAccessoryViewForNotificationViewController:0x11683d000]
-[SBNotificationBannerDestination notificationViewControllerIsReadyToBePresented:0x11683d000]
-[SBNotificationBannerDestination bannerPresentationSemaphore]
-[SBNotificationBannerDestination bannerPresentationSemaphore]
-[SBNotificationBannerDestination _scheduleNotificationViewControllerPresentationBlock:0x16ee7a4b8]
-[SBNotificationBannerDestination bannerPresentationSemaphore]
-[SBNotificationBannerDestination setBannerPresentationSemaphore:0x0]
-[SBNotificationBannerDestination _topPresentedViewController]
-[SBNotificationBannerDestination _rootViewController]
-[SBNotificationBannerDestination bannerWindow]

根据日志可确定函数为-[SBNotificationBannerDestination _postNotificationRequest:0x2825a64c0 forCoalescedNotification:0x281166e20 modal:0x0 sourceAction:0x0 completion:0x0]

 

继续trace该函数后获取到日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
-[SBNotificationBannerDestination _postNotificationRequest:0x2825a5ce0 forCoalescedNotification:0x281166e20 modal:0x0 sourceAction:0x0 completion:0x0]
_postNotificationRequest called from:
0x1010d681c /System/Library/CoreServices/SpringBoard.app/SpringBoard!-[SBNotificationBannerDestination postNotificationRequest:forCoalescedNotification:]
0x1dae97d10 UserNotificationsKit!__78-[NCNotificationAlertQueue _postNotificationRequest:forCoalescedNotification:]_block_invoke
0x1dae97fd0 UserNotificationsKit!-[NCNotificationAlertQueue _performDestinationOperationForRequest:block:]
0x1dae97a4c UserNotificationsKit!-[NCNotificationAlertQueue _postNotificationRequest:forCoalescedNotification:]
0x1dae95ed4 UserNotificationsKit!-[NCNotificationAlertQueue postNotificationRequest:forCoalescedNotification:]
0x1daea36bc UserNotificationsKit!-[NCNotificationDispatcher postNotificationWithRequest:]
0x1e54b0bcc UserNotificationsUIKit!-[NCBulletinNotificationSource observer:addBulletin:forFeed:playLightsAndSirens:withReply:]
0x1cdffd760 BulletinBoard!__49-[BBObserver _queue_updateAddBulletin:withReply:]_block_invoke
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfbb008 libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$mp
0x1be560b20 CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__
0x1be55ba58 CoreFoundation!__CFRunLoopRun
0x1be55afb4 CoreFoundation!CFRunLoopRunSpecific
0x1c075d79c GraphicsServices!GSEventRunModal
0x1eafa7c38 UIKitCore!UIApplicationMain

继续跟踪-[BBObserver _queue_updateAddBulletin:withReply:]方法后,获取到日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
-[BBObserver _queue_updateAddBulletin:<BBBulletinAddUpdate: 0x281d2a440; Should Play Lights And Sirens: YES> withReply:<__NSMallocBlock__: 0x281290ed0>]
-[BBObserver _queue_updateAddBulletin:<BBBulletinAddUpdate: 0x281d78ce0; Should Play Lights And Sirens: YES> withReply:<__NSMallocBlock__: 0x281397150>]
 BBObserver_queue_updateAddBulletin called from:
0x1cdffd260 BulletinBoard!-[BBObserver _queue_updateBulletin:withReply:]
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfb6324 libdispatch.dylib!_dispatch_lane_serial_drain$VARIANT$mp
0x1bdfb6e74 libdispatch.dylib!_dispatch_lane_invoke$VARIANT$mp
0x1bdfbf4ac libdispatch.dylib!_dispatch_workloop_worker_thread
0x1be1ee114 libsystem_pthread.dylib!_pthread_wqthread
 
 BBObserver_queue_updateAddBulletin called from:
0x1cdffd260 BulletinBoard!-[BBObserver _queue_updateBulletin:withReply:]
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfbb008 libdispatch.dylib!_dispatch_main_queue_callback_4CF$VARIANT$mp
0x1be560b20 CoreFoundation!__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__
0x1be55ba58 CoreFoundation!__CFRunLoopRun
0x1be55afb4 CoreFoundation!CFRunLoopRunSpecific
0x1c075d79c GraphicsServices!GSEventRunModal
0x1eafa7c38 UIKitCore!UIApplicationMain
0x1d4219a70 FrontBoard!FBSystemAppMain
0x10116db98 SpringBoard!0x1e9b98 (0x1001e9b98)
0x1be01e8e0 libdyld.dylib!start

最终,拿到关键函数-[BBObserver _queue_updateBulletin:withReply:],我们发现关键类BBObserver在BulletinBoard动态库里,根据iphonedevwiki(原文地址:https://iphonedevwiki.net/index.php/BulletinBoard.framework),我们继续使用命令frida-trace -U -m "*[BBBulletin init]" SpringBoard -o a.log,收到通知后,获取到的日志如下:

1
2
3
4
5
6
7
8
9
10
11
-[BBBulletin init]
BBBulletin  init called from:
0x1e53f4748 UserNotificationsServer!-[UNSDefaultDataProvider _queue_bulletinForNotification:]
0x1e53f7e70 UserNotificationsServer!-[UNSDefaultDataProvider _queue_addBulletinForNotification:]
0x1e53f78cc UserNotificationsServer!-[UNSDefaultDataProvider _queue_notificationRepositoryDidPerformUpdates:]
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfb6324 libdispatch.dylib!_dispatch_lane_serial_drain$VARIANT$mp
0x1bdfb6e74 libdispatch.dylib!_dispatch_lane_invoke$VARIANT$mp
0x1bdfbf4ac libdispatch.dylib!_dispatch_workloop_worker_thread
0x1be1ee114 libsystem_pthread.dylib!_pthread_wqthread

继续使用命令frida-trace -U -m "*[UNSDefaultDataProvider *]" SpringBoard -o a.log跟踪后,获取到日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
-[UNSDefaultDataProvider notificationRepository:0x2833118f0 didPerformUpdates:0x283303840 forBundleIdentifier:0x2831142a0]
UNSDefaultDataProvider  notificationRepository called from:
0x1e53c52c0 UserNotificationsServer!-[UNSKeyedObservable _callOutQueue_notifyObserversKey:usingBlock:]
0x1e53c5158 UserNotificationsServer!__52-[UNSKeyedObservable notifyObserversKey:usingBlock:]_block_invoke
0x1be00ca38 libdispatch.dylib!_dispatch_call_block_and_release
0x1be00d7d4 libdispatch.dylib!_dispatch_client_callout
0x1bdfb6324 libdispatch.dylib!_dispatch_lane_serial_drain$VARIANT$mp
0x1bdfb6e74 libdispatch.dylib!_dispatch_lane_invoke$VARIANT$mp
0x1bdfbf4ac libdispatch.dylib!_dispatch_workloop_worker_thread
0x1be1ee114 libsystem_pthread.dylib!_pthread_wqthread
 
-[UNSDefaultDataProvider _queue_notificationRepositoryDidPerformUpdates:0x283303840]
-[UNSDefaultDataProvider _queue_addBulletinForNotification:0x13152f9f0]
-[UNSDefaultDataProvider _categoryForIdentifier:0x283367ba0]
-[UNSDefaultDataProvider sectionIdentifier]
-[UNSDefaultDataProvider sectionIdentifier]
-[UNSDefaultDataProvider _queue_bulletinForNotification:0x13152f9f0]
-[UNSDefaultDataProvider sectionIdentifier]
-[UNSDefaultDataProvider _defaultActionWithNotification:0x13152f9f0]
-[UNSDefaultDataProvider _categoryForIdentifier:0x283367ba0]
-[UNSDefaultDataProvider sectionIdentifier]
-[UNSDefaultDataProvider _dismissActionForCategory:0x281ba68e0]
-[UNSDefaultDataProvider _silenceActionForCategory:0x281ba68e0]
-[UNSDefaultDataProvider _supplementaryActionsForForCategoryRecord:0x281ba68e0]
-[UNSDefaultDataProvider _actionsFromActionRecords:0x283d74230]
-[UNSDefaultDataProvider _actionFromActionRecord:0x2814d3d40]
-[UNSDefaultDataProvider _pathForSoundName:0x98df68cf59d4b573]
-[UNSDefaultDataProvider _isResourceValidForPath:0x280636140 withContainerPath:0x28042acb0]
-[UNSDefaultDataProvider _isResourceValidForPath:0x280429790 withContainerPath:0x280a97300]
-[UNSDefaultDataProvider _addAttachments:0x283d180f0 toBulletinRequest:0x131156390]

根据日志,继续使用命令-[UNSDefaultDataProvider notificationRepository:didPerformUpdates:forBundleIdentifier:]

 

js代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
{
  onEnter(log, args, state) {
    var arg2 = new ObjC.Object(args[2]);
    var arg3 = new ObjC.Object(args[3]);
    var arg4 = new ObjC.Object(args[4]);
    log(`-[UNSDefaultDataProvider notificationRepository:${arg2} didPerformUpdates:${arg3} forBundleIdentifier:${arg4}]`);
 
    var array = arg3;
    var count = array.count().valueOf();
    for (var i = 0; i !== count; i++) {
      var element = array.objectAtIndex_(i);
      var vs =element.$ivars
      for (var key in vs) {
        log("k:" + key + " v:" + vs[key]);
      }
    }
  },
  onLeave(log, retval, state) {
  }
}

收到通知后,获取到的日志如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
-[UNSDefaultDataProvider notificationRepository:<UNSNotificationRepository: 0x2833118f0> didPerformUpdates:(
    "<UNSNotificationRecordAddUpdate: 0x283d703a0>"
) forBundleIdentifier:com.laiwang.DingTalk]
k:isa v:UNSNotificationRecordAddUpdate
k:_notificationRecord v:<UNSNotificationRecord: 0x131265a20> {
    Date = 2023-01-15 05:14:42 +0000;
    Identifier = IM_2653514294_14665184200561;
    ThreadIdentifier = 263527137:2653514294;
    CategoryIdentifier = category.message.reply.v2;
    Badge = 7;
    Body = 移动端小陈;
    SummaryArgument = 0x0;
    SummaryArgumentCount = 0;
    ContentAvailable = 0;
    MutableContent = 1;
    Title = 小陈;
    ToneAlertType = TLAlertTypeAppNotification;
    ToneFileName = general.mp3;
    DefaultDestinations = YES;
    LockScreenDestination = YES;
    NotificationCenterDestination = YES;
    AlertDestination = YES;
    CarPlayDestination = YES;
    TriggerType = Push;
    UserInfo = {
        feedbackInfo = {
            feedbackParam = kICibP7dH0S6Hh4A3zFVFg==&1673759682344&/gBKUiN/54;
            feedbackUrl = https://pnsfeedback.dingtalk.com/apple;
        }
        ctag = 0;
        content_type = 1;
        nick_name = 小陈;
        type = 1;
        cid = 263527137:2653514294;
        avatar = @lADPDhmOva64dWrNAtDNAtA;
        orgId = 0;
        aps = {
            interruption-level = time-sensitive;
            mutable-content = 1;
            alert = {
                title = 小陈;
                body = 移动端小陈;
            }
            badge = 7;
            category = category.message.reply;
            sound = general.mp3;
        }
        openId = 2653514294;
        msgId = 14665184200561;
        sender_id = 263527137;
    }
}

至此,方法-[UNSDefaultDataProvider notificationRepository:didPerformUpdates:forBundleIdentifier:]就是我们的目标函数,该方法位于UserNotificationsServer.framework私有库里,查了一圈资料,也没找着该库的相关说明。但从库名可以看出,该库是处理用户通知的服务。

3、编写deb插件

接下来,我们就编写deb插件,关键代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#if TARGET_OS_SIMULATOR
#error Do not support the simulator, please use the real iPhone Device.
#endif
 
#import "NSObject+YYModel.h"
#import <Foundation/Foundation.h>
#import "CaptainHook/CaptainHook.h"
#include <notify.h> // not required; for examples only
 
@interface UNSDefaultDataProvider : NSObject
 
- (void)notificationRepository:(id)arg1 didPerformUpdates:(NSArray *)arg2 forBundleIdentifier:(NSString *)arg3;
 
@end
 
 
@class UNSDefaultDataProvider;
 
CHDeclareClass(UNSDefaultDataProvider); // declare class
 
CHOptimizedMethod3(self, void, UNSDefaultDataProvider, notificationRepository, id, arg1, didPerformUpdates, NSArray *, arg2, forBundleIdentifier, NSString *, arg3) {
 
    @try {
 
          for (id record in arg2) {
              NSLog(@"witchan =obj0=%@=", record);
 
              if ([record isKindOfClass:NSClassFromString(@"UNSNotificationRecord")] || [record isKindOfClass:NSClassFromString(@"UNSNotificationRecordAddUpdate")]) {
                  UNSNotificationRecord *obj = [record valueForKey:@"_notificationRecord"];
                  obj.body = @"我是移动端的小陈";    // 修改推送内容
                  NSLog(@"witchan =obj=%@=", obj);
                  NSDictionary *content = [obj modelToJSONObject];
                  NSMutableDictionary *params = [NSMutableDictionary dictionary];
                  params[@"bundleid"] = arg3;
                  params[@"content"] = content;
                  NSLog(@"witchan =message=%@=", params);
              }
          }
    } @catch (NSException *exception) {
        NSLog(@"witchan =exception=%@=", exception);
    } @finally {
        CHSuper3(UNSDefaultDataProvider, notificationRepository, arg1, didPerformUpdates, arg2, forBundleIdentifier, arg3);                // 如果不需要显示通知,注释此此行代码即可
    }
}
 
CHConstructor // code block that runs immediately upon load
{
    @autoreleasepool
    {
        CHLoadLateClass(UNSDefaultDataProvider);
        NSLog(@"witchan =load success=");
                CHHook3(UNSDefaultDataProvider, notificationRepository, didPerformUpdates, forBundleIdentifier);
    }
}

需要hook的应用为springboard:

 

image-20230115235018421

总结

以上就是如何一步步查找到推送的关键函数,并对该函数进行操作,实现一个系统级的deb插件的示例。希望能对你有所启发。在iOS系统中,SpringBoard就是用户和iOS底层系统的桥梁,你可以在SpringBoard中,安装,卸载,使用其他App,也可以系统进行人性化的可配置等,SpringBoard之下,还有许多支撑整个系统私有库,这些库,有很多都是正向开发无法使用的,却一直在后台默默的运行着(LaunchDaemon)。如果你注意看守护进程那,是否有注意到一个com.apple.apsd的守护进程,这个进程也是处理推送的,你也可以用类似frida-trace -U -m "*[APS* *]" apsd的命令尝试去trace试一下。

提示:阅读此文档的过程中遇到任何问题,请关住工众好【移动端Android和iOS开发技术分享】或+99 君羊【812546729

 

image-20230115235018421


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//