最近在看《iOS逆向工程》，本篇是对Theos安装以及部署deb安装包到手机上的记录以及安装过程中遇到的坑。

安装Theos

书中有些步骤已经失效，所以我们按照官方安装Wiki来

• 安装ldid

brew install ldid dpkg-deb
sudo cpan IO::Compress::Lzma

• 安装Theos

把THEOS路径写进~/.bash_profile末尾

THEOS=/opt/theos
PATH=${PATH}:${THEOS}/bin

官方默认是放在~/theos下，但安装过程发现，在这个目录下会报错

<built-in>:1:10: error: non-portable path to file
      '"/UUsersGgkkttheosPPrefix.pch"'; specified path differs in case from file
      name on disk [-Werror,-Wnonportable-include-path]
#include "/Users/GKK/theos/Prefix.pch"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         "/UUsersGgkkttheosPPrefix.pch"
1 error generated.
make[3]: *** [/Users/GKK/Desktop/test/.theos/obj/debug/armv7/Tweak.xm.7a3a1d98.o] Error 1
make[2]: *** [/Users/GKK/Desktop/test/.theos/obj/debug/armv7/Test.dylib] Error 2
make[1]: *** [internal-library-all_] Error 2
make: *** [Test.all.tweak.variables] Error 2

下载Theos到$THEOS位置，依次执行以下命令

git clone --recursive https://github.com/theos/theos.git $THEOS
sudo chown -R $(id -u):$(id -g) $THEOS
curl https://ghostbin.com/ghost.sh -o $THEOS/bin/ghost
chmod +x $THEOS/bin/ghost

生成tweak模板

通过nic.pl命令生成tweak项目

GKK:test $ nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/cydget
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/ios7_notification_center_widget
  [7.] iphone/library
  [8.] iphone/notification_center_widget
  [9.] iphone/preference_bundle_modern
  [10.] iphone/tool
  [11.] iphone/tweak
  [12.] iphone/xpc_service
Choose a Template (required):

输入11生成tweak模板

NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/cydget
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/ios7_notification_center_widget
  [7.] iphone/library
  [8.] iphone/notification_center_widget
  [9.] iphone/preference_bundle_modern
  [10.] iphone/tool
  [11.] iphone/tweak
  [12.] iphone/xpc_service
Choose a Template (required): 11
Project Name (required):

项目名字，我们这里输入Hello，接下来全部按回车即可。

NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/activator_event
  [2.] iphone/application_modern
  [3.] iphone/cydget
  [4.] iphone/flipswitch_switch
  [5.] iphone/framework
  [6.] iphone/ios7_notification_center_widget
  [7.] iphone/library
  [8.] iphone/notification_center_widget
  [9.] iphone/preference_bundle_modern
  [10.] iphone/tool
  [11.] iphone/tweak
  [12.] iphone/xpc_service
Choose a Template (required): 11
Project Name (required): HelloTweak
Package Name [com.yourcompany.hellotweak]:
Author/Maintainer Name [GKK]:
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]:
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]:
Instantiating iphone/tweak in hellotweak/...
Adding 'HelloTweak' as an aggregate subproject in Theos makefile 'Makefile'.
Done.

编写Tweak

在生成的hellotweak目录下的Tweak.xm写入

%hook SpringBoard
- (void)applicationDidFinishLaunching:(id)applicaton
{
    %orig;
    
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle: @"Hello Tweak" message: nil delegate: self cancelButtonTitle:@"Cool" otherButtonTitles: nil];
    [alert show];
    [alert release];
}
%end

大概就是在SpringBoard这个系统APP上hookapplicationDidFinishLaunching方法，也就是Method swizzling，通过%orig调用原先的方法。

安装到已越狱设备上

• 安装SSH

  通过设备上的Cydia安装OpenSSH，在设置-WIFI中找到当前WIFI的IP地址。
  在电脑上通过ssh root@这里填设备的IP来连接，默认的密码是alpine

• 安装tweak

  首先在Tweak项目目录下的Makefile中最上面加入THEOS_DEVICE_IP = 这里填设备的IP

  最后一步，在命令行输入make package install，在输入两次SSH root密码后，SpringBoard重启将看到Alter。

  如果安装这里提示substrate相关报错，建议在Cydia中重新安装下Substrate就好了