【iOS逆向与安全】在iOS状态栏中实现秒表功能的插件开辟指南 ...

媒介

在需要准确把握时间的场景中，比方抢购活动或需要在整点进行操作的环境下，用户往往需要正确相识当前的秒数。然而，iOS系统默认的状态栏时间体现并不包含秒数，这给用户带来了未便。
为相识决这一标题，开辟一个在状态栏体现秒数的插件，可以资助用户及时把握准确时间，提升在特定场景下的操作效率。
本篇文章将探讨如何在iOS系统中开辟如许一个插件，旨在为用户提供更准确的时间体现。

---

一、目标

见下图的状态栏时间位置：

二、开辟环境和工具清单

• mac系统
  
• frida：动态调试
  
• 已越狱iOS设备：脱壳及frida调试
  
• IDA Pro：静态分析
  

三、步骤

1、查找设置状态栏日期的调用栈

在终端执行下令frida-trace -U -m "*[UILabel setText:]" SpringBoard
并修改setText_.js：

1. defineHandler({
2.   onEnter(log, args, state) {
3.     log(`-[UILabel setText:${ObjC.Object(args[2])}]`);
4.     log('UILabel setText called from:\n' +
5.         Thread.backtrace(this.context, Backtracer.ACCURATE)
6.         .map(DebugSymbol.fromAddress).join('\n') + '\n');
7.   },
8.   onLeave(log, retval, state) {
9.   }
10. });

复制代码

当时间有变革时，获取到的堆栈信息如下：

1. -[_UIStatusBarStringView setText:0x282967570]
2. -[UILabel setText:下午9:56]
3. UILabel setText called from:
4. 0x1afd16180 UIKitCore!-[_UIStatusBarStringView setText:]
5. 0x1afcf71fc UIKitCore!-[_UIStatusBarTimeItem applyUpdate:toDisplayItem:]
6. 0x1afcfeca4 UIKitCore!-[_UIStatusBarItem _applyUpdate:toDisplayItem:]
7. 0x1afd5381c UIKitCore!-[_UIStatusBarDisplayItemState updateWithData:styleAttributes:]
8. 0x1afd3be04 UIKitCore!__78-[_UIStatusBar _updateDisplayedItemsWithData:styleAttributes:extraAnimations:]_block_invoke_2
9. 0x1ad1b2adc CoreFoundation!__NSDICTIONARY_IS_CALLING_OUT_TO_A_BLOCK__
10. 0x1ad129280 CoreFoundation!-[__NSDictionaryM enumerateKeysAndObjectsWithOptions:usingBlock:]
11. 0x1afd3bb60 UIKitCore!-[_UIStatusBar _updateDisplayedItemsWithData:styleAttributes:extraAnimations:]
12. 0x1afd3b7d0 UIKitCore!-[_UIStatusBar _updateWithAggregatedData:]
13. 0x1afd39af4 UIKitCore!__30-[_UIStatusBar initWithStyle:]_block_invoke
14. 0x1afd4f004 UIKitCore!-[_UIStatusBarDataAggregator _updateForCoalescedKeysWithData:]
15. 0x1afd4ea98 UIKitCore!-[_UIStatusBarDataAggregator _updateForDelayedKeysWithData:]
16. 0x1afd4e9d8 UIKitCore!-[_UIStatusBarDataAggregator _updateForOverlayWithData:]
17. 0x1afd4e3b0 UIKitCore!-[_UIStatusBarDataAggregator updateWithData:]
18. 0x1afd3b4f4 UIKitCore!-[_UIStatusBar _updateWithData:completionHandler:]
19. 0x1afd7d28c UIKitCore!-[UIStatusBar_Modern _updateWithData:force:]

复制代码

获取到关键方法：[_UIStatusBarTimeItem applyUpdate:toDisplayItem:]
2、检察[_UIStatusBarTimeItem applyUpdate:toDisplayItem:]的源码

使用ida pro9反编译dyld_shared_cache源码。并定位到该方法，获取到关键的伪代码如下：

1. v38 = objc_retainAutoreleasedReturnValue(objc_msgSend(v6, "data"));
2. v39 = objc_retainAutoreleasedReturnValue(objc_msgSend(v38, "shortTimeEntry"));
3. v40 = objc_retainAutoreleasedReturnValue(objc_msgSend(v39, "stringValue"));
4. v41 = -[_UIStatusBarTimeItem pillTimeView](self, "pillTimeView");
5. v42 = objc_retainAutoreleasedReturnValue(v41);
6. objc_msgSend(v42, "setText:", v40);

复制代码

获取到关键方法stringValue
3、trace stringValue方法

在终端执行下令frida-trace -U -m "*[* stringValue]" SpringBoard,当时间有变革时，获取到的堆栈信息如下：

1. -[_UIStatusBarDataStringEntry stringValue]
2. -[_UIStatusBarDataStringEntry stringValue]
3. -[_UIStatusBarDataStringEntry stringValue]
4. -[_UIStatusBarDataStringEntry stringValue]
5. -[_UIStatusBarDataStringEntry stringValue]

复制代码

修改__handlers__/_UIStatusBarDataStringEntry/stringValue.js

1. defineHandler({
2.   onEnter(log, args, state) {
3.     log(`-[_UIStatusBarDataStringEntry stringValue]`);
4.   },
6.   onLeave(log, retval, state) {
7.         log(`-[_UIStatusBarDataStringEntry stringValue]=${ObjC.Object(retval)}=`);
9.   }
10. });

复制代码

然后再次运行frida-trace -U -m "*[* stringValue]" SpringBoard,当时间有变革时，获取到的堆栈信息如下：

1. -[_UIStatusBarDataStringEntry stringValue]
2. -[_UIStatusBarDataStringEntry stringValue]=nil=
3. -[_UIStatusBarDataStringEntry stringValue]
4. -[_UIStatusBarDataStringEntry stringValue]=3月4日周二=
5. -[_UIStatusBarDataStringEntry stringValue]
6. -[_UIStatusBarDataStringEntry stringValue]=下午10:09=
7. -[_UIStatusBarDataStringEntry stringValue]
8. -[_UIStatusBarDataStringEntry stringValue]=10:09=
9. -[_UIStatusBarDataStringEntry stringValue]
10. -[_UIStatusBarDataStringEntry stringValue]=下午10:10=
11. -[_UIStatusBarDataStringEntry stringValue]
12. -[_UIStatusBarDataStringEntry stringValue]=nil=
13. -[_UIStatusBarDataStringEntry stringValue]
14. -[_UIStatusBarDataStringEntry stringValue]=3月4日周二=
15. -[_UIStatusBarDataStringEntry stringValue]
16. -[_UIStatusBarDataStringEntry stringValue]=下午10:10=
17. -[_UIStatusBarDataStringEntry stringValue]
18. -[_UIStatusBarDataStringEntry stringValue]=10:10=

复制代码

确定_UIStatusBarDataStringEntry就是状态栏时间的来源后，继续执行frida-trace -U -m "*[_UIStatusBarDataStringEntry *]" SpringBoard,当时间有变革时，获取到的堆栈信息如下：

1. -[_UIStatusBarDataStringEntry initFromData:0x1087fc000 type:0x0 string:0x1087fc02b maxLength:0x40]
2. _UIStatusBarDataStringEntry initFromData called from:
3. 0x1afd4fe8c UIKitCore!+[_UIStatusBarDataConverter convertData:fromReferenceData:]
4. 0x1afd7c788 UIKitCore!-[UIStatusBar_Modern _dataFromLegacyData:]
5. 0x1afd7e214 UIKitCore!-[UIStatusBar_Modern statusBarServer:didReceiveStatusBarData:withActions:]
6. 0x1afd5ec1c UIKitCore!-[UIStatusBarServer _receivedStatusBarData:actions:animated:]
7. 0x1afd5ee28 UIKitCore!_UIStatusBarReceivedStatusBarDataAndActions
8. 0x1b020f130 UIKitCore!_XReceivedStatusBarDataAndActions
9. 0x1b4413ef0 AppSupport!migHelperRecievePortCallout
10. 0x1ad1c8fe8 CoreFoundation!__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__
11. 0x1ad1c8378 CoreFoundation!__CFRunLoopDoSource1
12. 0x1ad1c208c CoreFoundation!__CFRunLoopRun
13. 0x1ad1c121c CoreFoundation!CFRunLoopRunSpecific
14. 0x1c4cc5784 GraphicsServices!GSEventRunModal
15. 0x1afbfffe0 UIKitCore!-[UIApplication _run]
16. 0x1afc05854 UIKitCore!UIApplicationMain
17. 0x1d2970194 SpringBoard!SBSystemAppMain
18. 0x1ace816b0 libdyld.dylib!start

复制代码

通过堆栈信息分析，确认-[UIStatusBarServer _receivedStatusBarData:actions:animated:]为我们的目标对象
4、使用frida验证使用结果：

执行下令frida-trace -U -m "-[UIStatusBarServer _receivedStatusBarData:actions:animated:]" SpringBoard后，修改该js文件内容为：

1. defineHandler({
2.   onEnter(log, args, state) {
3.     log(`-[UIStatusBarServer _receivedStatusBarData:${args[2]} actions:${args[3]} animated:${args[4]}]`);
4.     var structPtr = args[2];
6.     log("Original timeString:", structPtr.add(43).readCString(64));
8.     const now = new Date();
9.    
10.     const hours = String(now.getHours()).padStart(2, '0'); // 补零
11.     const minutes = String(now.getMinutes()).padStart(2, '0'); // 补零
12.     const seconds = String(now.getSeconds()).padStart(2, '0'); // 补零
13.    
14.     var newTimeString =  `${hours}:${minutes}:${seconds}`;
16.     structPtr.add(43).writeUtf8String(newTimeString);
18.     log("Updated timeString:", structPtr.add(43).readCString(64));
19.   },
21.   onLeave(log, retval, state) {
22.   }
23. });

复制代码

当状态栏日期变革后。日期正常体现秒表，说明该函数可用。
5、编写tweak代码

Tweak.x源码如下：

1. #import <CoreFoundation/CoreFoundation.h>
2. #import <Foundation/Foundation.h>
3. #import <Foundation/NSUserDefaults+Private.h>
4. #import "StatusBarUpdater.h"
5. #import "Structs.h"
6. #import "headers.h"
7. #include <string.h>
8. #include <sys/time.h>
9. static NSString * nsDomainString = @"com.witchan.precise-time";
10. static NSString * nsNotificationString = @"com.witchan.precise-time/preferences.changed";
11. static BOOL enabled;
13. static void notificationCallback(CFNotificationCenterRef center, void *observer, CFStringRef name, const void *object, CFDictionaryRef userInfo) {
14.         NSNumber * enabledValue = (NSNumber *)[[NSUserDefaults standardUserDefaults] objectForKey:@"enabled" inDomain:nsDomainString];
15.         enabled = (enabledValue)? [enabledValue boolValue] : YES;
16.         NSLog(@"=witchan= 插件状态：%d", enabled);
17. }
19. %hook UIStatusBarServer
20. %property (nonatomic, strong) StatusBarUpdater *updater;
22. // SCD_Struct_UI104结构请从ida pro复制
23. -(void)_receivedStatusBarData:(SCD_Struct_UI104*)arg1 actions:(int)arg2 animated:(BOOL)arg3 {
24.    if (self.updater == nil) {
25.       self.updater = [[StatusBarUpdater alloc] init];
26.    }
28.    if (!enabled) {
29.       [self.updater stopUpdating];
30.       %orig;
31.       return;
32.    }
33.         // 获取当前时间
34.    NSDate *currentDate = [NSDate date];
35.    
36.    // 创建日期格式化器
37.    NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init];
38.    
39.    // 设置日期格式
40.    [dateFormatter setDateFormat:@"HH:mm:ss"]; // 24小时制
41.    
42.    // 将当前日期格式化为字符串
43.    NSString *formattedTime = [dateFormatter stringFromDate:currentDate];
44.    NSLog(@"=witchan= now timeString: %@", formattedTime);
45.    
46.    // _statusBarData.var1 =     strcpy(ret->personName, "12:33:22");
48.    strcpy(arg1->var1, [formattedTime UTF8String]);
50.    %orig(arg1, arg2, arg3);
51.    NSLog(@"=witchan= _receivedStatusBarData: %d %d", arg2, arg3);
53.    // 创建一个新结构体用于复制
54.    //  SCD_Struct_UI104 copy;
55.    //  memcpy(&copy, arg1, sizeof(SCD_Struct_UI104));  // 正确复制结构体数据
57.    [self.updater updateStatusBarData:*arg1 statusBarServer: self];
58.    [self.updater startUpdating];
59. }
61. %end
63. %ctor {
65.         NSLog(@"=witchan= precise time plugin load success");
66.         notificationCallback(NULL, NULL, NULL, NULL, NULL);
68.         CFNotificationCenterAddObserver(CFNotificationCenterGetDarwinNotifyCenter(), NULL, notificationCallback, (CFStringRef)nsNotificationString, NULL, CFNotificationSuspensionBehaviorCoalesce);
69. }

复制代码

完备源码下载地址：https://pan.quark.cn/s/e1152c2f7899

---

总结

通过上述方法，用户可以在状态栏或屏幕上方及时检察秒数，满足在特定场景下对准确时间的需求，提升操作效率和成功率。
   提示：阅读此文档的过程中遇到任何标题，请关住工众好【移动端Android和iOS开辟技术分享】或+99 君羊【812546729】
  

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。