I tried to inject my own library into an iOS binary (ipa) file, but I was not able to do it. This question may have suggestions on this site, but there is no proper solution. I already tried implementing some of the solutions or suggestions mentioned in the links below,
-load : the variable we have to give to insert LC_LOAD_DYLIB
-payload : should always be in the format "@executable_path/name of Library.dylib", since we will be copying the .dylib file into the myapp.app directory
-target : here we need to mention the full path of the executable binary, which is contained in the myapp.app directory
If I inject the library into the ipa, the ipa works as long as my Swift function is not called. When it is called, the app freezes. (It does not print the log that would be printed as soon as the function starts.)
I have been trying to insert a dylib for an 8 ball pool cheat that the developers of the cheat are no longer updating. I tried azule, theos-jailed and similar tools but the app always crashes instantly. I then used optool to make the MachO binary have the same exact load commands as the old version with the cheat. The app still crashes immediately. I know that other people have done this because I have encountered them in the game using the cheat. It seems to be possible but I must be missing something.
First, compile the following code (e.g. clang -framework AppKit -framework Foundation -o ProxyFix.dylib -dynamiclib /path/to/code.m) to create a library we can inject. This was also mostly written by 1110101001; I tweaked it to work with apps that use two-level namespaces.
We now need to insert this library into the Dictionary application. Luckily, macOS comes with a built-in mechanism for injecting code in the form of DYLD_INSERT_LIBRARIES. If you, like me, are running an ancient and lovably-hackable version of macOS such as 10.9, all you need to do is run your app after setting this environment variable. For example, run in Terminal:
The jtool utility started as a companion utility to the 1st edition of MacOS Internals, because I wanted to demonstrate Mach-O format intrinsics and was annoyed with Xcode's otool(1). Along the way, jtool absorbed additional Mach-O commands such as atos(1), dyldinfo(1), nm(1), segedit(1), pagestuff(1), strings(1), and even codesign(1) and the informal ldid. Most importantly, it can be run on a variety of platforms - OS X, iOS, and even Linux, where Apple's tools don't exist. But that's not all. jtool provides many novel features:
Apple prelinks most dylibs and plugins into a "Shared Library Cache". The SLC is located in /var/db/dyld (OS X) and /System/Library/Caches/com.apple.dyld (iOS). The OS X cache also has a "map", but the iOS one doesn't.
But why extract? A key feature of jtool that other decachers do not have is its ability to work on a dylib while it is still in the cache. This not only saves you disk space, but also allows you to see how cached dylibs interact with each other (e.g. cross-dylib calls). To use this feature, simply specify ":" as a delimiter between the cache and the dylib name. All the standard features (e.g. -l, -S, etc.) work, but the really useful feature is -d. For example:
Of course, tampering with an app invalidates the main executable's code signature, so this won't run on a non-jailbroken device. You'll need to replace the provisioning profile and sign both the main executable and the files you've added (e.g. FridaGadget.dylib) with the certificate listed in the profile.
It is convenient to create a sandbox application for the framework as well, so you can see your framework working in a sandbox environment before injecting it directly into the Unity OSX player. Create an Application target called Override_OSX_Sandbox.
All default (private and public) libraries on iOS are combined into a big cache file to improve performance in /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX (see dyld_shared_cache for more details). If you want to class-dump private frameworks, you can either install Xcode and class-dump the frameworks on your Mac using the above tools, or you can use classdump-dyld, which works right on your device (classdump-dyld can also be installed via its package hosted on BigBoss). Remember that the resulting files are not the original headers, so use them with caution.
InspectiveC allows you to log message hierarchies of certain objects, classes, and selectors. It is very useful if you're trying to figure out how a certain method or class works without having to go into the assembly. You can temporarily use InspectiveC in your tweak to log objects as needed.
Code injection is the process of introducing external code into an existing software system. I recently gave a talk on iOS Dynamic Library Code Injection and subsequently wrote a Medium post presenting a proof of concept to inject a simple log message into an app using Xcode and into an .ipa file using optool (a command-line tool for interacting with Mach-O binaries on OSX/iOS).
Here's the Medium post that explains and gives a step-by-step guide on how to perform code injection into your favourite apps. The best of it: you can then install your modified apps onto your non-jailbroken device. The scripts and tools are available at my repository
2. Method Swizzling: swapping method and function pointers after they are loaded into memory, so that the existing binary executes injected implementations instead of what it was bound to at compile time.
Socket filters are an interesting and powerful OS X feature. If you are interested in playing with them you should start with tcplognke source code because it implements packet reinjection. The code is old but it is still the best reference to date.
The easiest way to achieve this is to inject the library using the DYLD_INSERT_LIBRARIES environment variable. Remember that code injection by attaching to a process is protected by the kernel. Little Snitch developers are obviously aware of this and block DYLD_INSERT_LIBRARIES injection using a dyld (the dynamic linker) feature: if a __RESTRICT segment and a __restrict section exist, dyld will not load any library specified by the aforementioned environment variable, which effectively blocks an easy injection vector into Little Snitch processes. For a good description of the dyld __RESTRICT feature, please refer to this blog post.
The only argument wakeup() receives is the channel, in this case a pointer to address 0x196E4. This means the function will wake up some kernel thread that was sleeping with msleep().
If we look at the references to the channel we get a data reference to the function responsible for sending that thread into sleep.