Approach
- 1. Use scp to copy the SpringBoard binary from the device to OS X.
- 2. Use class-dump to dump all of SpringBoard's headers.
- 3. Search the headers for "screenShot".
- 4. Probe the classes that mention screenShot with cycript.
Walkthrough
After going through the headers, we know the SBScreenShotter class has a method named saveScreenshot:. It looks promising, so test it with cycript:
```
toufangde-iPod:~ root# cycript -p SpringBoard
cy# [[SBScreenShotter sharedInstance] saveScreenshot:YES]
cy# [[SBScreenShotter sharedInstance] saveScreenshot:NO]
cy#
```
Both calls take a screenshot; the only difference is that the call with YES makes the screen flash. Speaking of the flash, searching the headers further turns up an SBScreenFlash class with the method `- (void)flashColor:(id)arg1 withCompletion:(CDUnknownBlockType)arg2;`, which appears to set the colour of the flash. Let's write a tweak to test that.
Create a new theos project:
```
$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/application
  [2.] iphone/library
  [3.] iphone/preference_bundle
  [4.] iphone/tool
  [5.] iphone/tweak
Choose a Template (required): 5
Project Name (required): screenShotter
Package Name [com.yourcompany.screenshotter]: com.iosre.screenshotter
Author/Maintainer Name [陈建峰]: chenjianfeng
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.springboard
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: SpringBoard
Instantiating iphone/tweak in screenshotter/...
Done.
```
Write Tweak.xm:
```objc
%hook SBScreenFlash

- (void)flashColor:(id)arg1 withCompletion:(id)arg2
{
    %orig;
    // %@ with arg1 is equivalent to passing [arg1 description]
    NSLog(@"iOSRE: flashColor: %s, %@", object_getClassName(arg1), arg1);
}

%end
```
Edit the Makefile:
```makefile
THEOS_DEVICE_IP = localhost -p 2222
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0

include theos/makefiles/common.mk

TWEAK_NAME = screenShotter
screenShotter_FILES = Tweak.xm

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 SpringBoard"
```
Note:
`THEOS_DEVICE_IP = localhost -p 2222` is used because the device is connected over USB, with ssh forwarded to local port 2222. This works because theos passes the value straight through to ssh/scp; newer theos releases also provide a dedicated `THEOS_DEVICE_PORT` variable for the same purpose.
Build, package and install (`make package install`).
Then check /var/log/syslog:
```
toufangde-iPod:~ root# grep iOSRE: /var/log/syslog
Apr 17 12:13:47 toufangde-iPod SpringBoard[78928]: iOSRE: flashColor: UICachedDeviceWhiteColor, UIDeviceWhiteColorSpace 1 1
toufangde-iPod:~ root#
```
So when a screenshot is taken, SpringBoard passes a UICachedDeviceWhiteColor object as the colour. The second field in the log is that object's description, "UIDeviceWhiteColorSpace 1 1": the name of the colour space followed by the white component (1) and the alpha component (1), i.e. an opaque white flash. It is not a superclass name. To see what kind of object this is, look at the class-dump header for the related UIDeviceWhiteColor class.
UIDeviceWhiteColor.h (class-dump output)
```objc
//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import <UIKit/UIColor.h>

@interface UIDeviceWhiteColor : UIColor
{
    float whiteComponent;
    float alphaComponent;
    struct CGColor *cachedColor;
    long cachedColorOnceToken;
}

- (BOOL)getHue:(float *)arg1 saturation:(float *)arg2 brightness:(float *)arg3 alpha:(float *)arg4;
- (struct CGColor *)_createCGColorWithAlpha:(float)arg1;
- (id)colorSpaceName;
- (id)initWithCGColor:(struct CGColor *)arg1;
- (void)setStroke;
- (float)alphaComponent;
- (id)initWithWhite:(float)arg1 alpha:(float)arg2;
- (void)setFill;
- (BOOL)getRed:(float *)arg1 green:(float *)arg2 blue:(float *)arg3 alpha:(float *)arg4;
- (id)copyWithZone:(struct _NSZone *)arg1;
- (void)set;
- (BOOL)getWhite:(float *)arg1 alpha:(float *)arg2;
- (id)colorWithAlphaComponent:(float)arg1;
- (id)description;
- (unsigned int)hash;
- (BOOL)isEqual:(id)arg1;
- (struct CGColor *)CGColor;
- (void)dealloc;

@end
```
UIDeviceWhiteColor inherits from UIColor, so the method presumably accepts any UIColor. Let's test it with a different colour:
```
# cycript -p SpringBoard
cy# [[SBScreenFlash mainScreenFlasher] flashColor:[[UIColor magentaColor] colorWithAlphaComponent:0.8] withCompletion:nil]
```
The screen flashes magenta.
At this point we can hook this method so that taking a screenshot produces a magenta flash instead of the white one.
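As an added example (this is not code from the original post), here is a Tweak.xm that does exactly that, building on the logging hook above. It assumes the `-[SBScreenFlash flashColor:withCompletion:]` signature seen in the class-dump output and that substituting a different UIColor through `%orig` is all that is required, which the cycript test above suggests. The guard for a non-UIColor argument is defensive: class-dump only tells us the parameter is an `id`.

```objc
// Added example, not the original post's code: Tweak.xm that turns the
// screenshot flash magenta. Assumes the -[SBScreenFlash flashColor:withCompletion:]
// signature from the class-dump output and an iOS 8-era SpringBoard.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>

%hook SBScreenFlash

- (void)flashColor:(id)color withCompletion:(id)completion
{
    // SpringBoard passes a UICachedDeviceWhiteColor (opaque white), but the
    // header only promises an `id`, so pass anything else through untouched
    // rather than risk crashing SpringBoard.
    if (![color isKindOfClass:[UIColor class]]) {
        NSLog(@"iOSRE: flashColor: unexpected argument %s, passing through",
              object_getClassName(color));
        %orig;
        return;
    }

    NSLog(@"iOSRE: flashColor: replacing %@ with magenta", color);

    // The same colour that was verified interactively with cycript.
    UIColor *magenta = [[UIColor magentaColor] colorWithAlphaComponent:0.8];

    // Always forward the completion block unchanged so the rest of
    // SpringBoard's screenshot sequence runs as it normally would.
    %orig(magenta, completion);
}

%end
```

The Makefile from earlier needs no changes; `make package install` rebuilds the tweak and the `after-install` rule restarts SpringBoard so the new hook is loaded.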
(Figure: the screen flashes magenta when a screenshot is taken.)
Then take a screenshot and you will see the magenta flash.