@yuzhouheike wrote:
写在前面的话.为什么要编译这个?因为想做个模拟点击,提供给做测试岗位的未来女朋友使用,解放测试小姑娘们的双手,但是自己很菜又搞不懂苹果底层的点击是怎做的.搜索了一下发现韩国人写的这个simulatetouch可以达到要求,但是人家已经不维护了.所以需要修改他的代码.目前只发现了这一个开源代码,可以直接手机上每一个角落,所以需要在这个基础上开发自己的模拟点击,也看到了其他人的模拟点击比如PTFaketouch,ZSFaketouch但是这两个都需要注入别人的App才能点击,考虑到大多数厉害点儿的App都会做防注入,所以放弃,继续研读simulatetouch源码.期望与有共同需求的爱好者一起讨论
开发环境
- Xcode9.4.1
- iOS8
- macOS10.13.6
接下来做好不断失败的准备,因为在论坛搜了一下大多数都是求助无果的帖子
0x1 下载源代码
git clone git@github.com:iolate/SimulateTouch.git git submodule init git submodule update0x02 tree一下
0x03 编译
make0x04 在电脑找一下这个文件,发现找不到
sudo find / -name IOKit/hid/IOHIDEvent.h0x05 去github找找
- 最后在zhangkn大佬的博客看到一个IOKit文件夹https://github.com/iosaso/KNtheos/tree/master/include/IOKit
- 把上面的IOKit文件夹下载下来放到
/opt/theos/include目录下即可
- 解决方式就是注释代码STLibrary的这些代码
// typedef enum { // UIInterfaceOrientationPortrait = 1,//UIDeviceOrientationPortrait, // UIInterfaceOrientationPortraitUpsideDown = 2,//UIDeviceOrientationPortraitUpsideDown, // UIInterfaceOrientationLandscapeLeft = 4,//UIDeviceOrientationLandscapeRight, // UIInterfaceOrientationLandscapeRight = 3,//UIDeviceOrientationLandscapeLeft // } UIInterfaceOrientation; // // @interface UIScreen // +(id)mainScreen; // -(CGRect)bounds; // @end0x06 去theos的git下载他们的SDK放在
/opt/theos/sdk目录下修改Makefile 为9.3的SDKinclude ${THEOS}/makefiles/common.mk export TARGET = iphone:clang:9.3:8.0 # export SDKVERSION=5.1 # export CURRENT_VERSION = 0800 # TARGET = iphone:11.0:8.0 TWEAK_NAME = SimulateTouch SimulateTouch_FILES = SimulateTouch.mm SimulateTouch_PRIVATE_FRAMEWORKS = IOKit SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap LIBRARY_NAME = libsimulatetouch libsimulatetouch_FILES = STLibrary.mm libsimulatetouch_LDFLAGS = -lrocketbootstrap libsimulatetouch_INSTALL_PATH = /usr/lib/ libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics TOOL_NAME = stouch stouch_FILES = main.mm stouch_FRAMEWORKS = UIKit stouch_INSTALL_PATH = /usr/bin/ stouch_LDFLAGS = -lsimulatetouch include $(THEOS_MAKE_PATH)/tweak.mk include $(THEOS_MAKE_PATH)/library.mk include $(THEOS_MAKE_PATH)/tool.mk
- 这里的解决方案是把Makefile文件换成第7步的Makefile文件内容SDK版本用11.2的
0x07 修改下Makefile文件 先编译lib因为编译其他两个要用到它.编译成功后放大到
/opt/theos/lib目录下include ${THEOS}/makefiles/common.mk export TARGET = iphone:clang:11.2:8.0 # export SDKVERSION=5.1 # export CURRENT_VERSION = 0800 # TARGET = iphone:11.0:8.0 # TWEAK_NAME = SimulateTouch # SimulateTouch_FILES = SimulateTouch.mm # SimulateTouch_PRIVATE_FRAMEWORKS = IOKit # SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap LIBRARY_NAME = libsimulatetouch libsimulatetouch_FILES = STLibrary.mm libsimulatetouch_LDFLAGS = -lrocketbootstrap libsimulatetouch_INSTALL_PATH = /usr/lib/ libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics # TOOL_NAME = stouch # stouch_FILES = main.mm # stouch_FRAMEWORKS = UIKit # stouch_INSTALL_PATH = /usr/bin/ # stouch_LDFLAGS = -lsimulatetouch include $(THEOS_MAKE_PATH)/tweak.mk include $(THEOS_MAKE_PATH)/library.mk include $(THEOS_MAKE_PATH)/tool.mk0x08 这样不就成功了.此刻觉得大佬们不分享可能因为觉得太简单了
0x09 接下来继续编译完整的项目
include ${THEOS}/makefiles/common.mk export TARGET = iphone:clang:11.2:8.0 # export SDKVERSION=5.1 # export CURRENT_VERSION = 0800 # TARGET = iphone:11.0:8.0 TWEAK_NAME = SimulateTouch SimulateTouch_FILES = SimulateTouch.mm SimulateTouch_PRIVATE_FRAMEWORKS = IOKit SimulateTouch_LDFLAGS = -lsubstrate -lrocketbootstrap LIBRARY_NAME = libsimulatetouch libsimulatetouch_FILES = STLibrary.mm libsimulatetouch_LDFLAGS = -lrocketbootstrap libsimulatetouch_INSTALL_PATH = /usr/lib/ libsimulatetouch_FRAMEWORKS = UIKit CoreGraphics TOOL_NAME = stouch stouch_FILES = main.mm stouch_FRAMEWORKS = UIKit stouch_INSTALL_PATH = /usr/bin/ stouch_LDFLAGS = -lsimulatetouch include $(THEOS_MAKE_PATH)/tweak.mk include $(THEOS_MAKE_PATH)/library.mk include $(THEOS_MAKE_PATH)/tool.mk0x10 重启手机 然后执行stouch 就可以了
由与SDK版本等各种环境问题你可能会遇到以下问题
- 估计不会遇到问题。但是遇到的话评论区评论就好了
虽然说是手把手,但是好多细节我也忘记了,因为编译这个花费了两三天时间了,如果您在编译的过程中遇到什么其他问题,可以在评论里面问我,
从这里开始讲iOS11遇到问题的解决办法
iOS11的解决办法
- killed:9问题,参考我的其他帖子http://iosre.com/t/ios11-iphone-tool-killed-9-killed/12819/3
yuzhouheike1haoji:~ root# stouch
Killed: 90x01 首先解决killed:9问题
yuzhouheike1haoji:~ root# exit logout Connection to 192.168.31.149 closed. ✘ hacker_hades@HadesdeMacBook-Pro ~/Desktop/SimulateTouch/SimulateTouch master ● cd ~/Desktop hacker_hades@HadesdeMacBook-Pro ~/Desktop !code hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f stouch stouch: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp stouch root@192.168.31.149:/var stouch 100% 165KB 4.9MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !ssh hacker_hades@HadesdeMacBook-Pro ~/Desktop ssh root@192.168.31.149 Last login: Sat Sep 22 13:32:21 2018 from 192.168.31.217 yuzhouheike1haoji:~ root# mv /var/stouch /usr/bin/ yuzhouheike1haoji:~ root# stouch dyld: Library not loaded: /usr/lib//libsimulatetouch.dylib Referenced from: /usr/bin/stouch Reason: no suitable image found. Did find: /usr/lib//libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib//libsimulatetouch.dylib' /usr/lib/libsimulatetouch.dylib: code signing blocked mmap() of '/usr/lib/libsimulatetouch.dylib' Abort trap: 6
- 0x02 根据提示这个
/usr/lib//libsimulatetouch.dylib动态库没有签名yuzhouheike1haoji:~ root# exit logout Connection to 192.168.31.149 closed. hacker_hades@HadesdeMacBook-Pro ~/Desktop scp root@192.168.31.149:/usr/bin/stouch ./ stouch 100% 130KB 4.7MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !code hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f stouch stouch: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp stouch root@192.168.31.149:/var stouch 100% 165KB 4.8MB/s 00:000x02 解决
libsimulatetouch.dylib签名✘ hacker_hades@HadesdeMacBook-Pro ~/Desktop scp root@192.168.31.149:/usr/lib//libsimulatetouch.dylib ./ libsimulatetouch.dylib 100% 134KB 4.3MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsimulatetouch.dylib libsimulatetouch.dylib: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp libsimulatetouch.dylib root@192.168.31.149:/var libsimulatetouch.dylib 100% 169KB 4.5MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !ssh hacker_hades@HadesdeMacBook-Pro ~/Desktop ssh root@192.168.31.149 Last login: Sat Sep 22 14:22:28 2018 from 192.168.31.217 yuzhouheike1haoji:~ root# mv /var/lib lib/ libsimulatetouch.dylib yuzhouheike1haoji:~ root# mv /var/libsimulatetouch.dylib /usr/lib// yuzhouheike1haoji:~ root# stouch dyld: Library not loaded: /usr/lib/librocketbootstrap.dylib Referenced from: /usr/lib//libsimulatetouch.dylib Reason: no suitable image found. Did find: /usr/lib/librocketbootstrap.dylib: code signing blocked mmap() of '/usr/lib/librocketbootstrap.dylib' /usr/lib/librocketbootstrap.dylib: code signing blocked mmap() of '/usr/lib/librocketbootstrap.dylib' Abort trap: 60x03 解决
librocketbootstrap.dylib签名✘ hacker_hades@HadesdeMacBook-Pro ~/Desktop scp root@192.168.31.149:/usr/lib/librocketbootstrap.dylib ./ librocketbootstrap.dylib 100% 217KB 6.1MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f librocketbootstrap.dylib librocketbootstrap.dylib: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp librocketbootstrap.dylib root@192.168.31.149:/var librocketbootstrap.dylib 100% 284KB 6.5MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !ssh hacker_hades@HadesdeMacBook-Pro ~/Desktop ssh root@192.168.31.149 Last login: Sat Sep 22 14:24:01 2018 from 192.168.31.217 yuzhouheike1haoji:~ root# mv /var/librocketbootstrap.dylib /usr/lib/librocketbootstrap.dylib yuzhouheike1haoji:~ root# stouch dyld: Library not loaded: /usr/lib/libsubstrate.dylib Referenced from: /usr/lib/librocketbootstrap.dylib Reason: no suitable image found. Did find: /usr/lib/libsubstrate.dylib: code signing blocked mmap() of '/usr/lib/libsubstrate.dylib' /usr/lib/libsubstrate.dylib: code signing blocked mmap() of '/usr/lib/libsubstrate.dylib' Abort trap: 60x04 解决
/usr/lib/libsubstrate.dylib签名yuzhouheike1haoji:~ root# exit logout Connection to 192.168.31.149 closed. ✘ hacker_hades@HadesdeMacBook-Pro ~/Desktop scp root@192.168.31.149:/usr/lib/libsubstrate.dylib ./ libsubstrate.dylib 100% 66KB 2.8MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsubstrate.dylib libsubstrate.dylib: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp libsubstrate.dylib root@192.168.31.149:/var libsubstrate.dylib 100% 85KB 3.3MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !ssh hacker_hades@HadesdeMacBook-Pro ~/Desktop ssh root@192.168.31.149 Last login: Sat Sep 22 14:26:20 2018 from 192.168.31.217 yuzhouheike1haoji:~ root# mv /var/libsubstrate.dylib /usr/lib/libsubstrate.dylib yuzhouheike1haoji:~ root# stouch dyld: Library not loaded: /usr/lib/libsubstitute.0.dylib Referenced from: /usr/lib/libsubstrate.dylib Reason: no suitable image found. Did find: /usr/lib/libsubstitute.0.dylib: code signing blocked mmap() of '/usr/lib/libsubstitute.0.dylib' /usr/lib/libsubstitute.0.dylib: code signing blocked mmap() of '/usr/lib/libsubstitute.0.dylib' Abort trap: 60x05 解决
/usr/lib/libsubstitute.0.dylib签名问题yuzhouheike1haoji:~ root# exit logout Connection to 192.168.31.149 closed. ✘ hacker_hades@HadesdeMacBook-Pro ~/Desktop scp root@192.168.31.149:/usr/lib/libsubstitute.0.dylib ./ libsubstitute.0.dylib 100% 104KB 4.1MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop codesign -s "A2F872A1D9483EA7E16E6836CDF73B7917010A20" --entitlements demo.entitlements -f libsubstitute.0.dylib libsubstitute.0.dylib: replacing existing signature hacker_hades@HadesdeMacBook-Pro ~/Desktop scp libsubstitute.0.dylib root@192.168.31.149:/var libsubstitute.0.dylib 100% 124KB 1.9MB/s 00:00 hacker_hades@HadesdeMacBook-Pro ~/Desktop !ssh hacker_hades@HadesdeMacBook-Pro ~/Desktop ssh root@192.168.31.149 Last login: Sat Sep 22 14:29:17 2018 from 192.168.31.217 yuzhouheike1haoji:~ root# mv /var/libsubstitute.0.dylib /usr/lib/libsubstitute.0.dylib yuzhouheike1haoji:~ root# stouch [Usage] 1. Touch: stouch touch x y [orientation] 2. Swipe: stouch swipe fromX fromY toX toY [duration(0.3)] [orientation] 3. Button: stouch button Type State [Example] # stouch touch 50 100 # stouch swipe 50 100 100 200 0.5 # stouch button 0 1 # stouch button 1 0 [Orientation] Portrait:1 UpsideDown:2 Right:3 Left:4 [Button] Power:0 Home:1 [State] Up/Raise:0 Down/Press:1 yuzhouheike1haoji:~ root#0x06 问题解决了那么问题来了就没有简单点儿的解决办法吗。。
0x07 然而事情还是没有完
0x08 使用YZHK提权:
YZHK stouch touch 50 100
- 那么YZHK 是啥?http://iosre.com/t/ios-11-debugserver-lldb/12197 参考这个链接编译出一个命令行工具
#include <spawn.h> int main(int argc, char *argv[], char *envp[]) { if (argc < 2) { fprintf(stderr, "usage: %s program args...\n", argv[0]); return EXIT_FAILURE; } int ret, status; pid_t pid; posix_spawnattr_t attr; posix_spawnattr_init(&attr); posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED); ret = posix_spawnp(&pid, argv[1], NULL, &attr, &argv[1], envp); posix_spawnattr_destroy(&attr); if (ret != 0) { printf("posix_spawnp failed with %d: %s\n", ret, strerror(ret)); return ret; } char buf[200]; snprintf(buf, sizeof(buf), "/electra/jailbreakd_client %d 1", pid); system(buf); kill(pid, SIGCONT); waitpid(pid, &status, 0); return 0; }0x09 解决
MessagePort is invalid问题
- reboot即可
0x10 好了做完上面的,发现手机并没有被点击…
0x11 查看日志,
Posts: 44
Participants: 12