Approach

  • 1. Use scp to copy the SpringBoard binary from the device to the desktop OS.
  • 2. Use class-dump to dump all of SpringBoard's header files.
  • 3. Search the headers for files that mention screenShot.
  • 4. Debug the classes in those files with cycript.
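
Steps 2 and 3 in one script, as an added example that is not part of the original post: it takes a directory of class-dump output, lists the headers whose contents mention "screenshot" (case-insensitive), and prints the method declarations whose selectors mention it, so you know which methods to try in cycript. The function names, the header directory and the three sample headers are constructed for illustration; on a real dump you would point the functions at the directory written by class-dump instead.

```shell
# Added example, not from the original post. On a real dump the headers come from
#   class-dump -H SpringBoard -o headers
# and you would pass that "headers" directory to the functions below.

find_screenshot_headers() {
    # $1: directory of class-dump headers.
    # Prints the names of headers whose text mentions "screenshot" (any case).
    grep -ril --include='*.h' 'screenshot' "$1" | sort
}

list_screenshot_methods() {
    # $1: directory of class-dump headers.
    # Prints "file:line:declaration" for every Objective-C method declaration
    # whose selector mentions screenshot, so each one can be tried in cycript.
    grep -rin --include='*.h' -E '^[-+] .*[Ss]creen[Ss]hot' "$1" | sort
}

count_screenshot_headers() {
    # Helper returning the number of matching headers as a plain integer.
    find_screenshot_headers "$1" | wc -l | tr -d ' '
}

# Constructed sample headers standing in for real class-dump output (hypothetical).
demo_dir=$(mktemp -d)
cat > "$demo_dir/SBScreenShotter.h" <<'EOF'
@interface SBScreenShotter : NSObject
+ (id)sharedInstance;
- (void)saveScreenshot:(BOOL)arg1;
@end
EOF
cat > "$demo_dir/SBScreenFlash.h" <<'EOF'
@interface SBScreenFlash : NSObject
+ (id)mainScreenFlasher;
- (void)flashColor:(id)arg1 withCompletion:(id)arg2;
@end
EOF
cat > "$demo_dir/SBIconView.h" <<'EOF'
@interface SBIconView : UIView
- (void)setHighlighted:(BOOL)arg1;
@end
EOF

echo "Headers mentioning screenshot:"
find_screenshot_headers "$demo_dir"
echo "Candidate methods:"
list_screenshot_methods "$demo_dir"
```

Only SBScreenShotter.h matches here; SBScreenFlash.h does not, which is exactly why the original post only finds the flash class by following the log output rather than by the initial search.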

In practice

After analysis, we know that the SBScreenShotter class has a method called saveScreenshot. This method looks promising, so let's test it with cycript.

toufangde-iPod:~ root# cycript -p SpringBoard
cy# [[SBScreenShotter sharedInstance] saveScreenshot:YES]
cy# [[SBScreenShotter sharedInstance] saveScreenshot:NO]
cy#

Both calls produce a screenshot; the only difference is that with the argument YES the screen flashes once. Speaking of the flash, searching further through the headers turns up an SBScreenFlash class. It has a - (void)flashColor:(id)arg1 withCompletion:(CDUnknownBlockType)arg2; method, which appears to change the colour of the flash. Write a tweak to test it.

Create a new theos project.

$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.] iphone/application
[2.] iphone/library
[3.] iphone/preference_bundle
[4.] iphone/tool
[5.] iphone/tweak
Choose a Template (required): 5
Project Name (required): screenShotter
Package Name [com.yourcompany.screenshotter]: com.iosre.screenshotter
Author/Maintainer Name [陈建峰]: chenjianfeng
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
Instantiating iphone/tweak in screenshotter/...
Done.

Write Tweak.xm

#import <Foundation/Foundation.h>
#import <objc/runtime.h>   // object_getClassName

%hook SBScreenFlash
- (void)flashColor:(id)arg1 withCompletion:(id)arg2
{
    %orig;
    // Log the class and description of the colour object passed in.
    // %@ calls [arg1 description], so arg1 can be passed directly.
    NSLog(@"iOSRE: flashColor: %s, %@", object_getClassName(arg1), arg1);
}
%end

Edit the Makefile

THEOS_DEVICE_IP = localhost -p 2222
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0

include theos/makefiles/common.mk

TWEAK_NAME = screenShotter
screenShotter_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
install.exec "killall -9 SpringBoard"

Note: THEOS_DEVICE_IP = localhost -p 2222 is used because the device is connected over USB.

Build, package and install

make package install

Check /var/log/syslog

toufangde-iPod:~ root# grep iOSRE: /var/log/syslog
Apr 17 12:13:47 toufangde-iPod SpringBoard[78928]: iOSRE: flashColor: UICachedDeviceWhiteColor, UIDeviceWhiteColorSpace 1 1
toufangde-iPod:~ root#

From this we can see that when a screenshot is taken, SpringBoard calls the UICachedDeviceWhiteColor class, and UICachedDeviceWhiteColor inherits from UIDeviceWhiteColorSpace. So we continue and look up the UIDeviceWhiteColorSpace class.

UIDeviceWhiteColorSpace

//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import <UIKit/UIColor.h>

@interface UIDeviceWhiteColor : UIColor
{
float whiteComponent;
float alphaComponent;
struct CGColor *cachedColor;
long cachedColorOnceToken;
}

- (BOOL)getHue:(float *)arg1 saturation:(float *)arg2 brightness:(float *)arg3 alpha:(float *)arg4;
- (struct CGColor *)_createCGColorWithAlpha:(float)arg1;
- (id)colorSpaceName;
- (id)initWithCGColor:(struct CGColor *)arg1;
- (void)setStroke;
- (float)alphaComponent;
- (id)initWithWhite:(float)arg1 alpha:(float)arg2;
- (void)setFill;
- (BOOL)getRed:(float *)arg1 green:(float *)arg2 blue:(float *)arg3 alpha:(float *)arg4;
- (id)copyWithZone:(struct _NSZone *)arg1;
- (void)set;
- (BOOL)getWhite:(float *)arg1 alpha:(float *)arg2;
- (id)colorWithAlphaComponent:(float)arg1;
- (id)description;
- (unsigned int)hash;
- (BOOL)isEqual:(id)arg1;
- (struct CGColor *)CGColor;
- (void)dealloc;
@end

UIDeviceWhiteColorSpace inherits from UIColor. So let's test this method:

# cycript -p SpringBoard
cy# [[SBScreenFlash mainScreenFlasher]flashColor:[[UIColor magentaColor] colorWithAlphaComponent:0.8] withCompletion:nil]

The screen flashes purple.
At this point we can hook this method so that the screen flashes purple whenever a screenshot is taken.

Flashing purple when a screenshot is taken

  • 1. Modify Tweak.xm

    #import <UIKit/UIKit.h>   // UIColor

    %hook SBScreenFlash
    - (void)flashColor:(id)arg1 withCompletion:(id)arg2
    {
        // Replace the colour SpringBoard passes in with translucent magenta,
        // keeping the original completion block.
        %orig([[UIColor magentaColor] colorWithAlphaComponent:0.8], arg2);
    }
    %end
  • 2. Makefile configuration; note that the UIKit framework must be linked

    THEOS_DEVICE_IP = localhost -p 2222
    ARCHS = armv7 arm64
    TARGET = iphone:latest:8.1:8.0

    include theos/makefiles/common.mk

    TWEAK_NAME = screenShotter
    screenShotter_FILES = Tweak.xm
    screenShotter_FRAMEWORKS = UIKit Foundation

    include $(THEOS_MAKE_PATH)/tweak.mk

    after-install::
    install.exec "killall -9 SpringBoard"

Then take a screenshot, and you will see the purple flash.