Skip to main content

注入闪退相关

快手相关#

问题描述#

将ipa脱壳后放入monkeydev中运行会crash,请问各位大佬这种错误是app做了什么检测,之前别的app没遇到过。。。
com_kwai_gif[728:296491] *** Terminating app due to uncaught exception ‘NSInvalidArgumentException’, reason:*** -[__NSSetM addObject:]: object cannot be nil’**
***** First throw call stack:**
(0x18bd7c86c 0x1a0cebc50 0x18bdece1c 0x18bdf44e0 0x18bc5e140 0x10c1bed4c 0x10c1bec9c 0x10c1bec34 0x10c1beb98 0x10619c810 0x18e72c290 0x18e72e388 0x18e733de4 0x18dd89f20 0x18e2f8054 0x18dd8aab8 0x18dd8a578 0x18dd8a8c8 0x18dd8a104 0x18dd92650 0x18e2046c4 0x18e31077c 0x18dd92348 0x18dbb984c 0x18dbb81c0 0x18dbb9474 0x18e731f84 0x18e22def0 0x19ba3d3bc 0x19ba68d04 0x19ba4c4a0 0x19ba689c8 0x10d2416c0 0x10d245000 0x19ba91250 0x19ba90ee0 0x19ba91434 0x18bcf876c 0x18bcf8668 0x18bcf7960 0x18bcf1a8c 0x18bcf121c 0x1a37f5784 0x18e72ffe0 0x18e735854 0x10235ff20 0x18b9b16b0)
libc++abi.dylib: terminating with uncaught exception of type NSException
*** Terminating app due to uncaught exception ‘NSInvalidArgumentException’, reason:*** -[__NSSetM addObject:]: object cannot be nil’
terminating with uncaught exception of type NSException

原因#

*** Terminating app due to uncaught exception ‘NSInvalidArgumentException’, reason:*** -[__NSSetM addObject:]: object cannot be nil’
答案就在这里,然后跟一跟发现原来这是快手的检测自身加载动态库耗时方面的性能检测

解决办法#

因为乱重签搞别人的App才会触发

/com_kwai_gif.app/ 换成 kuaishou [自己的项目名称]
MSHook(char *,strstr,const char *__big, const char *__little){
    char * ret;    if (!strcmp(__little, "/com_kwai_gif.app/") ) {
        const char * __newlittle = [@"/kuaishou.app/" UTF8String];
        ret  = _strstr(__big,__newlittle);
    } else {        ret = _strstr(__big,__little);    }
    return ret;}
%ctor{       MSHookFunction(strstr,MSHake(strstr));
}

Bundle Id 绕过问题#

%hook NSBundle
%new
(BOOL)isCallFromTaker{NSArray *address = [NSThread callStackReturnAddresses];Dl_info info = {0};if(dladdr((void *)[address[2] longLongValue], &info) == 0){return NO;}NSString *path = [NSString stringWithUTF8String:info.dli_fname];if ([path hasPrefix:NSBundle.mainBundle.bundlePath]) {// 二进制来自 ipa 包内if ([path.lastPathComponent isEqualToString:@“libTakerDylib.dylib”]) {// 二进制是插件本身return NO;} else {// 二进制是appreturn YES;}} else {// 二进制是系统或者越狱插件return NO;}}
(id)bundleIdentifier{
if([self isCallFromTaker]){return @“your bundleIdentifier”;}return %orig;}
%end

砸壳自签闪退,用了AppGroup,找不到AppGroup 路径#

%hook NSFileManager
- (NSURL *)containerURLForSecurityApplicationGroupIdentifier:(NSString *)groupIdentifier {    NSString *sandboxDocumentsPath =    [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES) objectAtIndex:0];    NSFileManager *fileManager = [NSFileManager defaultManager];    [fileManager createDirectoryAtPath:[sandboxDocumentsPath    stringByAppendingPathComponent:@“OrigAppGroupFiles”]    withIntermediateDirectories:YES attributes:nil error:nil];    NSURL *path = [NSURL fileURLWithPath:[NSString stringWithFormat:@"%@/OrigAppGroupFiles", sandboxDocumentsPath]];return path;}%end

不是有验证,是因为它用了AppGroup,砸壳后找不到AppGroup的路径 在应用沙盒Documents文件夹里新建一个文件夹用于储存原本存储在AppGroup中的文件