抖音App動態調試

一、准備工作

　　1）接上一篇，下載砸過殼的抖音IPA

　　2）MonkeyDev環境

　　3）class_dump

 

二、使用MonkeyDev建立空的工程，拖入IPA到目標文件夾中

　　1）啟動Xcode進行編譯執行

　　一起動就crash，說明簽名校驗已經通過。

LLVM Profile Error: Failed to write file "default.profraw": Operation not permitted

　　遇到上面的錯誤，經過查詢說是，抖音App內部通過ptrace判斷是否有調試器掛載，判斷反調試的功能。

　　通過打開下面的代碼進行修改，可以避免crash

　　

　　2）啟動起來之后，可以調試，如下圖

　　

　　3）通過class dump dump出來可執行文件，得到頭文件列表

./class-dump Aweme -H ./Headers/

　　

　　4）Hook測試

　　追加代碼：

　　

 

　　

　　通過提示框證明代碼已經成功注入，下一步就是進行實質分析

 

三、路徑Shader提取

　　通過dump出的代碼，發現文件

　　

@interface HTSGLProgram : NSObject
{
    NSMutableArray *attributes;
    NSMutableArray *uniforms;
    unsigned int program;
    unsigned int vertShader;
    unsigned int fragShader;
    _Bool _initialized;
    NSString *_vertexShaderLog;
    NSString *_fragmentShaderLog;
    NSString *_programLog;
}

@property(copy, nonatomic) NSString *programLog; // @synthesize programLog=_programLog;
@property(copy, nonatomic) NSString *fragmentShaderLog; // @synthesize fragmentShaderLog=_fragmentShaderLog;
@property(copy, nonatomic) NSString *vertexShaderLog; // @synthesize vertexShaderLog=_vertexShaderLog;
@property(nonatomic) _Bool initialized; // @synthesize initialized=_initialized;
- (void).cxx_destruct;
- (void)dealloc;
- (void)validate;
- (void)use;
- (_Bool)link;
- (unsigned int)uniformIndex:(id)arg1;
- (unsigned int)attributeIndex:(id)arg1;
- (void)addAttribute:(id)arg1;
- (_Bool)compileShader:(unsigned int *)arg1 type:(unsigned int)arg2 string:(id)arg3;
- (id)initWithVertexShaderString:(id)arg1 fragmentShaderString:(id)arg2;

@end

　　

可以看到初始化方法中傳入頂點着色器

編寫hook方法：

CHDeclareClass(HTSGLProgram)
CHOptimizedMethod2(self,
                   id,
                   HTSGLProgram,
                   initWithVertexShaderString,
                   NSString *,
                   VertexShaderString,
                   fragmentShaderString,
                   NSString *, fragmentShaderString)
{
    
    NSLog(@"filter initWithVertexShaderString arg1 = %@ fragmentShaderString arg2 = %@",
          VertexShaderString, fragmentShaderString);

    return CHSuper2(HTSGLProgram, initWithVertexShaderString, VertexShaderString, fragmentShaderString, fragmentShaderString);
}

CHOptimizedMethod3(self, BOOL, HTSGLProgram, compileShader, unsigned int *, arg1, type, unsigned int, arg2, string, NSString *, arg3)
{
    NSLog(@"HTSGLProgram compileShader arg3 = %@",arg3);
    return CHSuper3(HTSGLProgram, compileShader, arg1, type, arg2, string, arg3);
}

CHConstructor{
    CHLoadLateClass(HTSGLProgram);
    CHHook2(HTSGLProgram, initWithVertexShaderString, fragmentShaderString);
    CHHook3(HTSGLProgram, compileShader, type, string);
}

　　得到log

2018-09-18 16:24:00.025744+0800 Aweme[446:72758] HTSGLProgram compileShader arg3 = attribute vec4 position; attribute vec4 inputTextureCoordinate; varying vec2 textureCoordinate; void main() { gl_Position = position; textureCoordinate = inputTextureCoordinate.xy; }
2018-09-18 16:24:00.025772+0800 Aweme[446:72758] HTSGLProgram compileShader arg3 = varying highp vec2 textureCoordinate; uniform sampler2D luminanceTexture; uniform sampler2D chrominanceTexture; uniform mediump mat3 colorConversionMatrix; void main() { mediump vec3 yuv; mediump vec3 rgb; yuv.x = texture2D(luminanceTexture, textureCoordinate).r; yuv.yz = texture2D(chrominanceTexture, textureCoordinate).ra - vec2(0.5, 0.5); rgb = colorConversionMatrix * yuv; gl_FragColor = vec4(rgb, 1); }

　　這里貌似處理的算法不在shader中，而是一個通用的腳本，具體參數在.m文件中

 

四、聲明

　　以上內容僅供學習，請不要用於非法目的