1. Install iOSOpenDev (search Google for installation instructions).

2. Open Xcode and create a new project from the iOSOpenDev templates. This walkthrough builds a plugin for Alipay's Xiuxiu (咻咻) feature, so choose the CaptainHook template.

3. Change the app filter in the project's plist so the dylib is only loaded into Alipay's process (bundle ID com.alipay.iphoneclient):

<dict>
<key>Filter</key>
<dict>
<key>Bundles</key>
<array>
<string>com.alipay.iphoneclient</string>
</array>
</dict>
</dict>

4. Open the project's .mm file and start writing the hook functions. Replace every placeholder class name in the template with

MYMainController

which is the view controller class of the Xiuxiu page.

Hook this page's viewDidLoad and add a label that shows the plugin's status.

CHDeclareClass(MYMainController); // the template's placeholder declaration, renamed as above

#define kTagIndicatorLabel 0x1001 // view tag for the status label; the post does not give a value, any tag unused by the app works

CHOptimizedMethod0(self, void, MYMainController, viewDidLoad) {
    CHSuper0(MYMainController, viewDidLoad); // let the original viewDidLoad run first

    UILabel *indicatorLabel = [[UILabel alloc] initWithFrame:CGRectMake(0, 232, 320, 25)];
    indicatorLabel.backgroundColor = [UIColor colorWithWhite:1 alpha:0.3];
    indicatorLabel.textAlignment = NSTextAlignmentCenter;
    indicatorLabel.textColor = [UIColor blackColor];
    indicatorLabel.font = [UIFont boldSystemFontOfSize:13];
    indicatorLabel.tag = kTagIndicatorLabel; // so the tweak can find the label later with viewWithTag:

    UIView *view = [(UIViewController *)self view];
    [view addSubview:indicatorLabel];
}

Hook the touch-up handler of the Xiuxiu button: the first tap starts automatic Xiuxiu, the next tap pauses it.

CHOptimizedMethod0(self, void, MYMainController, action_xiuxiuButtonTouchUp) {
    CHSuper0(MYMainController, action_xiuxiuButtonTouchUp); // perform the normal single Xiuxiu first
    // AlipayTweak is the tweak's own main class (a singleton that owns the timer); its implementation is not shown in this post
    [AlipayTweak shared].targetVC = (UIViewController *)self;
    [[AlipayTweak shared] toggleXiuXiu]; // start the timer if it is stopped, stop it if it is running
}

Hook MYPopupManager's isPerformingPopup so the plugin keeps running even while a popup is being shown:

CHDeclareClass(MYPopupManager);

CHOptimizedMethod0(self, BOOL, MYPopupManager, isPerformingPopup) {
    return NO; // the original implementation is never consulted
}

Alipay's Xiuxiu enforces a minimum interval between requests, roughly 3 seconds. We get rid of it.

CHDeclareClass(MYMainSceneManager);

CHOptimizedMethod0(self, NSDate *, MYMainSceneManager, lastTriggerDate) {
    return [NSDate dateWithTimeIntervalSinceNow:-30]; // pretend the last request was sent 30 s ago
}

This always reports a time 30 seconds earlier than now as the time of the last request, so the interval check never blocks a trigger.

In CHConstructor:

CHLoadLateClass(MYMainController);   // load class (that will be "available later")
CHLoadLateClass(MYPopupManager);     // load class (that will be "available later")
CHLoadLateClass(MYMainSceneManager); // load class (that will be "available later")
CHHook(0, MYMainController, viewDidLoad);                // register hook
CHHook(0, MYMainController, action_xiuxiuButtonTouchUp); // register hook
CHHook(0, MYMainSceneManager, lastTriggerDate);          // register hook
CHHook(0, MYPopupManager, isPerformingPopup);            // register hook

Add a timer to the main class to drive automatic Xiuxiu; that part is not covered further here.

5. Crack Alipay 9.5.1

Note: Alipay now ships with a __RESTRICT segment (containing a __restrict section). dyld treats a binary that carries this segment as restricted and refuses to load injected libraries into it, so rename the segment with a binary (hex) editor, otherwise the tweak cannot be injected.
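The rename described above, done programmatically instead of by hand in a hex editor, as an added example that is not code from the original post, from Alipay or from iOSOpenDev. It assumes only the Mach-O layout from Apple's headers (mach_header, segment_command, section, fat_header) and the names dyld checks for (a __RESTRICT segment with a __restrict section). build_sample and build_fat_sample are constructed toy binaries for testing the parser, not real Alipay images.

```python
"""Rename the __RESTRICT segment of a Mach-O (thin or fat) so dyld no longer treats it as restricted.

Added example, not from the original post. dyld refuses library injection into an executable that
has a segment named __RESTRICT containing a section named __restrict. Renaming the segment to a
string of the same length defeats the check without moving any file offset; re-sign afterwards.
"""
from __future__ import annotations
import struct
import sys

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit Mach-O, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE                              # universal binary; its header is big-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
CPU_TYPE_ARM64 = 0x0100000C

OLD_SEG = b"__RESTRICT"
NEW_SEG = b"__RESTRICX"  # same length as OLD_SEG, so load commands and offsets stay valid


def _pad16(name: bytes) -> bytes:
    """Segment and section names are fixed 16-byte, NUL-padded fields."""
    return name.ljust(16, b"\0")


def _patch_thin(buf: bytearray, base: int) -> int:
    """Rename __RESTRICT in the single Mach-O image starting at buf[base]; return fields renamed."""
    magic = struct.unpack_from("<I", buf, base)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError(f"no Mach-O header at offset {base:#x}")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    ncmds = struct.unpack_from(end + "I", buf, base + 16)[0]  # mach_header.ncmds
    off = base + (32 if is64 else 28)                         # sizeof(mach_header[_64])
    seg_hdr, sect_sz, nsects_at = (72, 80, 64) if is64 else (56, 68, 48)
    renamed = 0
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", buf, off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64) and bytes(buf[off + 8:off + 24]).rstrip(b"\0") == OLD_SEG:
            buf[off + 8:off + 24] = _pad16(NEW_SEG)           # segment_command.segname
            renamed += 1
            nsects = struct.unpack_from(end + "I", buf, off + nsects_at)[0]
            for i in range(nsects):                            # section headers follow the command
                s = off + seg_hdr + i * sect_sz
                if bytes(buf[s + 16:s + 32]).rstrip(b"\0") == OLD_SEG:
                    buf[s + 16:s + 32] = _pad16(NEW_SEG)       # section.segname
                    renamed += 1
        off += cmdsize
    return renamed


def patch_restrict(data: bytes) -> tuple[bytes, int]:
    """Return (patched bytes, number of name fields renamed) for a thin or fat Mach-O."""
    buf = bytearray(data)
    total = 0
    if struct.unpack_from(">I", buf, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", buf, 4)[0]
        for i in range(nfat):  # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, offset, _, _ = struct.unpack_from(">IIIII", buf, 8 + i * 20)
            total += _patch_thin(buf, offset)
    else:
        total += _patch_thin(buf, 0)
    return bytes(buf), total


def build_sample() -> bytes:
    """Constructed input: a minimal arm64 Mach-O with __TEXT and a __RESTRICT/__restrict segment (not a real app)."""
    def seg64(name: bytes, sects: list[bytes]) -> bytes:
        cmd = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(sects), _pad16(name),
                          0, 0, 0, 0, 7, 5, len(sects), 0)
        return cmd + b"".join(struct.pack("<16s16sQQIIIIIIII", _pad16(s), _pad16(name), *([0] * 10))
                              for s in sects)
    cmds = seg64(b"__TEXT", []) + seg64(OLD_SEG, [b"__restrict"])
    return struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0) + cmds


def build_fat_sample() -> bytes:
    """Constructed universal wrapper around build_sample(); real fat files page-align their slices."""
    thin = build_sample()
    return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 28, len(thin), 0) + thin


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        out, n = patch_restrict(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    print(f"renamed {n} name field(s); re-sign {dst} before installing")
```

Run it on the decrypted Alipay binary (`python patch_restrict.py Alipay Alipay.patched`). The rename invalidates the code signature, so re-sign the result (for example with `ldid -S`) before repackaging; because the replacement name has the same length, no other bytes in the file move.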