This allows you to install themes such as Auxo, which customises the application switcher bar, or Boss.ios, which alters the whole look of the interface.
How does "Winterboard" work?
The "WinterBoard" application works by "hooking" the existing internal classes using the Objective-C Runtime Library. This library is loaded by all Objective-C applications to support the dynamic features of the language which means that we can utlilise is to perform our own alterations to the OS and applications.
This allows for the alteration of icons, sounds and textures without having to touch the originals supplied with the device. This means that you can alter the device without the risk of breaking the device.
The CaptainHook framework
This is a header file created by Ryan Petrich (http://rpetri.ch/) to assist with the creation of hooking libraries using the Objective-C runtime. It provides functions to assist in setting up custom hooking code. Documentation is a little scant, so hopefully this blog can help you begin to create your own hooks.
Getting started
I've altered the sample code provided on GitHub, as the function it used has been deprecated by Apple.
hook source code and a makefile
#import <CaptainHook/CaptainHook.h>

CHDeclareClass(NSString); // declare the class we intend to hook

// replacement body: runs instead of -[NSString writeToFile:atomically:encoding:error:]
// the return type must match the original (BOOL), otherwise callers get a garbage result
CHMethod(4, BOOL, NSString, writeToFile, NSString *, path,
         atomically, BOOL, useAuxiliaryFile,
         encoding, NSStringEncoding, enc,
         error, NSError **, error)
{
    NSLog(@"Writing string to %@: %@", path, self);
    // pass the received arguments on to the original implementation and return its result
    return CHSuper(4, NSString, writeToFile, path, atomically, useAuxiliaryFile,
                   encoding, enc, error, error);
}

// runs when the dylib is loaded
CHConstructor
{
    CHLoadClass(NSString); // resolve the class at load time
    // install the hook on the chosen selector
    CHHook(4, NSString, writeToFile, atomically, encoding, error);
}
link to test program and makefile
#import <Foundation/Foundation.h>
#import <Foundation/NSString.h>

int main(void)
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSString *testString = @"Hello, I am the test string";
    // this is the call the hook intercepts
    [testString writeToFile:@"test.txt"
                 atomically:YES
                   encoding:NSASCIIStringEncoding
                      error:NULL];
    [pool release];
    return 0;
}
Compiling
Compiling works on OS X with Xcode 4.x and iOS SDK version 6.0 in the default library locations. Copy the compiled "hooktest" and "stringHook.dylib" to your device. SSH in, export DYLD_INSERT_LIBRARIES and then execute "hooktest", e.g.:
desktop$ scp ./hooktest ./stringHook.dylib \
root@<device ip>:/var/root/
desktop$ ssh root@<device ip>
device # export \
DYLD_INSERT_LIBRARIES="/var/root/stringHook.dylib"
device # /var/root/hooktest
2013-02-01 21:40:58.710 hooktest[562:707] Writing string to
test.txt: Hello, I am the test string
This only works for command-line apps, because the exported DYLD_INSERT_LIBRARIES variable is not inherited by SpringBoard.
A bit of explanation
The CHMethod declaration takes its arguments in the form:
CHMethod(number of inputs, return type, class name, name1, type1, arg1, name2, type2, arg2 ... (number of inputs));
For example, [NSString writeToFile:atomically:encoding:error:] is declared in Foundation as:
-(BOOL)writeToFile:(NSString *)path atomically:(BOOL)useAuxiliaryFile encoding:(NSStringEncoding)enc error:(NSError **)error
which becomes:
CHMethod(4, BOOL, NSString, writeToFile, NSString *, path,
         atomically, BOOL, useAuxiliaryFile,
         encoding, NSStringEncoding, enc,
         error, NSError **, error)
The declarations of CHSuper and CHHook are:
CHSuper(number of inputs, class name, name1, arg1, name2, arg2 ... (number of inputs))
CHHook(number of inputs, class name, name1, name2 ... (number of inputs))
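To show what those three macros boil down to, here is the same hook written directly against the Objective-C runtime. This is an added example, not code from the post or from CaptainHook; the names WriteToFileIMP, orig_writeToFile, hooked_writeToFile and install_hook are my own, and it is built as a dylib and loaded the same way as stringHook.dylib.

```objectivec
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Pointer to the original implementation; CHSuper calls through a saved
// pointer exactly like this one.
typedef BOOL (*WriteToFileIMP)(id, SEL, NSString *, BOOL, NSStringEncoding, NSError **);
static WriteToFileIMP orig_writeToFile;

// Replacement implementation, the equivalent of the CHMethod body. An IMP is a
// plain C function taking self and _cmd followed by the method's arguments.
static BOOL hooked_writeToFile(id self, SEL _cmd, NSString *path, BOOL useAuxiliaryFile,
                               NSStringEncoding enc, NSError **error)
{
    NSLog(@"Writing string to %@: %@", path, self);
    return orig_writeToFile(self, _cmd, path, useAuxiliaryFile, enc, error);
}

// Runs when the dylib is loaded, the equivalent of CHConstructor.
__attribute__((constructor))
static void install_hook(void)
{
    Class cls = objc_getClass("NSString");                       // what CHLoadClass resolves
    SEL sel = @selector(writeToFile:atomically:encoding:error:); // the selector CHHook builds
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) {
        NSLog(@"hook: selector not found, class left untouched");
        return;
    }
    // Swap the implementation and keep the old one for the call-through;
    // every caller of the selector now reaches hooked_writeToFile first.
    orig_writeToFile = (WriteToFileIMP)method_setImplementation(m, (IMP)hooked_writeToFile);
}
```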
Other ways of inserting the injection library
Using launchctl seems to be a great way:
launchctl setenv DYLD_INSERT_LIBRARIES "/path/to/dylib"
which can be used for individual SpringBoard apps. Alternatively, you can insert this plist key into one of the plists in "/System/Library/LaunchDaemons/", although be careful! I screwed up my SpringBoard.plist editing it, which caused SpringBoard to stop loading (i.e. no icons), so make a backup of the file just to be sure.
<key>EnvironmentVariables</key>
<dict>
    <key>DYLD_FORCE_FLAT_NAMESPACE</key>
    <string>1</string>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/path/to/dylib</string>
</dict>
Unload the plist using
launchctl unload <chosen plist>
then reload it with
launchctl load <chosen plist>
Another easy method is to install MobileSubstrate, copy the dylib to "/Library/MobileSubstrate/DynamicLibraries" and reload SpringBoard. MobileSubstrate loads all the dylibs in this folder automatically.
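Each of the loading routes above leaves a trace in the target process: either the DYLD_INSERT_LIBRARIES variable is set, or a library is mapped from a path a stock app would never load from. Here is the kind of self-check an app under test can run to notice that. This is an added example, not from the post; the prefix list and the names kSuspiciousPrefixes, pathLooksInjected and countInjectionIndicators are assumptions for illustration.

```objectivec
#import <Foundation/Foundation.h>
#import <mach-o/dyld.h>
#import <stdlib.h>
#import <string.h>

// Constructed for this example: MobileSubstrate's auto-load directory and the
// /var/root/ drop location used in the walkthrough above.
static const char *const kSuspiciousPrefixes[] = {
    "/Library/MobileSubstrate/DynamicLibraries/",
    "/var/root/",
};

static BOOL pathLooksInjected(const char *path)
{
    size_t n = sizeof(kSuspiciousPrefixes) / sizeof(kSuspiciousPrefixes[0]);
    for (size_t i = 0; i < n; i++) {
        if (strncmp(path, kSuspiciousPrefixes[i], strlen(kSuspiciousPrefixes[i])) == 0)
            return YES;
    }
    return NO;
}

// Returns the number of injection indicators found: the DYLD_INSERT_LIBRARIES
// variable being set, plus every mapped image whose path looks injected.
static NSUInteger countInjectionIndicators(void)
{
    NSUInteger hits = 0;
    const char *inserted = getenv("DYLD_INSERT_LIBRARIES");
    if (inserted != NULL) {
        NSLog(@"DYLD_INSERT_LIBRARIES is set to: %s", inserted);
        hits++;
    }
    uint32_t imageCount = _dyld_image_count();
    for (uint32_t i = 0; i < imageCount; i++) {
        const char *name = _dyld_get_image_name(i);
        if (name != NULL && pathLooksInjected(name)) {
            NSLog(@"library mapped from an unexpected path: %s", name);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSLog(@"%lu injection indicator(s)", (unsigned long)countInjectionIndicators());
    [pool release];
    return 0;
}
```

A library that loads before this code runs can hook getenv and the dyld functions just as easily as it hooked writeToFile:, so treat a clean result as a weak signal rather than proof.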
Here's another piece of sample hooking code I created while playing with this stuff: https://github.com/peterfillmore/touchHook
It changes the status bar each time a touch is detected.
A great use of this hooking technique in security testing was recently released by Jeremy Allen, who uses it to disable certificate verification: http://intrepidusgroup.com/insight/2013/01/scorched-earth-how-to-really-disable-certificate-verification-on-ios/
So play around with it and see what fun you can have.