• Dynamic Debugging of the Douyin App


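    I. Preparation

      1) Continuing from the previous post, download the decrypted (shell-removed) Douyin IPA

      2) MonkeyDev environment

      3) class_dump

    II. Create an empty project with MonkeyDev and drag the IPA into the target folder

      1) Launch Xcode, then build and run

      The app crashes as soon as it launches, which indicates that the signature check has already passed.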

    LLVM Profile Error: Failed to write file "default.profraw": Operation not permitted
    

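      After hitting the error above, a search suggested that the Douyin app internally uses ptrace to determine whether a debugger is attached, as an anti-debugging feature.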
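      For context on the ptrace check mentioned above, this is the common way an iOS app denies debugger attachment, written here as an added illustration; it is not code from the Douyin binary or from the original post. The function names are hypothetical, and PT_DENY_ATTACH is defined by hand because the iOS SDK does not ship <sys/ptrace.h>.

```objective-c
#import <Foundation/Foundation.h>
#import <dlfcn.h>
#import <string.h>
#import <sys/sysctl.h>
#import <sys/types.h>
#import <unistd.h>

// Request number from the macOS <sys/ptrace.h>; absent from the iOS SDK headers.
#ifndef PT_DENY_ATTACH
#define PT_DENY_ATTACH 31
#endif

typedef int (*ptrace_fn)(int request, pid_t pid, caddr_t addr, int data);

// Hypothetical helper: ask the kernel to refuse any later debugger attach.
// If a debugger is already attached, the kernel terminates the process instead.
static BOOL DenyDebuggerAttach(void) {
    // ptrace is resolved at runtime because no prototype is available on iOS.
    ptrace_fn fn = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    if (fn == NULL) {
        return NO;
    }
    return fn(PT_DENY_ATTACH, 0, 0, 0) == 0;
}

// Hypothetical helper: second, independent signal. The kernel sets P_TRACED
// in the process flags while a debugger is attached.
static BOOL IsBeingTraced(void) {
    struct kinfo_proc info;
    memset(&info, 0, sizeof(info));
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) {
        return NO; // Query failed; treat as "unknown" rather than "traced".
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

// Runs when the image is loaded, before main().
__attribute__((constructor)) static void HardenAgainstDebugger(void) {
    if (IsBeingTraced()) {
        NSLog(@"debugger detected via P_TRACED");
    }
    if (!DenyDebuggerAttach()) {
        NSLog(@"PT_DENY_ATTACH request failed");
    }
}
```

      An app that makes the PT_DENY_ATTACH request while Xcode's debugger is attached exits immediately, which is consistent with the crash on launch described here.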

      Enabling and modifying the code below avoids the crash

      

      2) Once the app has started, it can be debugged, as shown in the figure below

      

      3) Run class-dump on the executable to obtain the list of header files

    ./class-dump Aweme -H ./Headers/
    

      

      4) Hook test

      Add the code:

      

      

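      The alert box proves that the code has been injected successfully; the next step is the actual analysis

    III. Path shader extraction

      In the dumped code, we find this file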

      

    @interface HTSGLProgram : NSObject
    {
        NSMutableArray *attributes;
        NSMutableArray *uniforms;
        unsigned int program;
        unsigned int vertShader;
        unsigned int fragShader;
        _Bool _initialized;
        NSString *_vertexShaderLog;
        NSString *_fragmentShaderLog;
        NSString *_programLog;
    }
    
    @property(copy, nonatomic) NSString *programLog; // @synthesize programLog=_programLog;
    @property(copy, nonatomic) NSString *fragmentShaderLog; // @synthesize fragmentShaderLog=_fragmentShaderLog;
    @property(copy, nonatomic) NSString *vertexShaderLog; // @synthesize vertexShaderLog=_vertexShaderLog;
    @property(nonatomic) _Bool initialized; // @synthesize initialized=_initialized;
    - (void).cxx_destruct;
    - (void)dealloc;
    - (void)validate;
    - (void)use;
    - (_Bool)link;
    - (unsigned int)uniformIndex:(id)arg1;
    - (unsigned int)attributeIndex:(id)arg1;
    - (void)addAttribute:(id)arg1;
    - (_Bool)compileShader:(unsigned int *)arg1 type:(unsigned int)arg2 string:(id)arg3;
    - (id)initWithVertexShaderString:(id)arg1 fragmentShaderString:(id)arg2;
    
    @end
    

      

    As can be seen, the vertex shader is passed into the initializer

    Write the hook methods:

    #import <Foundation/Foundation.h>
    #import <CaptainHook/CaptainHook.h>

    // Declare the target class so the hooks below can reference it.
    CHDeclareClass(HTSGLProgram)

    // Hook -initWithVertexShaderString:fragmentShaderString: and log both shader sources.
    CHOptimizedMethod2(self,
                       id,
                       HTSGLProgram,
                       initWithVertexShaderString,
                       NSString *,
                       VertexShaderString,
                       fragmentShaderString,
                       NSString *, fragmentShaderString)
    {
        
        NSLog(@"filter initWithVertexShaderString arg1 = %@ fragmentShaderString arg2 = %@",
              VertexShaderString, fragmentShaderString);
    
        // Call through to the original implementation.
        return CHSuper2(HTSGLProgram, initWithVertexShaderString, VertexShaderString, fragmentShaderString, fragmentShaderString);
    }
    
    // Hook -compileShader:type:string: and log the shader source being compiled.
    CHOptimizedMethod3(self, BOOL, HTSGLProgram, compileShader, unsigned int *, arg1, type, unsigned int, arg2, string, NSString *, arg3)
    {
        NSLog(@"HTSGLProgram compileShader arg3 = %@",arg3);
        return CHSuper3(HTSGLProgram, compileShader, arg1, type, arg2, string, arg3);
    }
    
    // Runs when the injected library is loaded: resolve the class and install both hooks.
    CHConstructor{
        CHLoadLateClass(HTSGLProgram);
        CHHook2(HTSGLProgram, initWithVertexShaderString, fragmentShaderString);
        CHHook3(HTSGLProgram, compileShader, type, string);
    }
    

      The resulting log:

    2018-09-18 16:24:00.025744+0800 Aweme[446:72758] HTSGLProgram compileShader arg3 = attribute vec4 position; attribute vec4 inputTextureCoordinate; varying vec2 textureCoordinate; void main() { gl_Position = position; textureCoordinate = inputTextureCoordinate.xy; }
    2018-09-18 16:24:00.025772+0800 Aweme[446:72758] HTSGLProgram compileShader arg3 = varying highp vec2 textureCoordinate; uniform sampler2D luminanceTexture; uniform sampler2D chrominanceTexture; uniform mediump mat3 colorConversionMatrix; void main() { mediump vec3 yuv; mediump vec3 rgb; yuv.x = texture2D(luminanceTexture, textureCoordinate).r; yuv.yz = texture2D(chrominanceTexture, textureCoordinate).ra - vec2(0.5, 0.5); rgb = colorConversionMatrix * yuv; gl_FragColor = vec4(rgb, 1); }
    

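      It appears that the processing algorithm is not in the shader here; the shader is a generic script, and the specific parameters are in the .m file

    IV. Disclaimer

      The content above is for learning purposes only; please do not use it for illegal purposes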

  • Original article: https://www.cnblogs.com/doudouyoutang/p/9673132.html