一、sbutils介绍
sbutils是一个开源的越狱手机基础功能的插件包,其中包含sblaunch这个启动插件,该插件可以实现命令行下面打开app并传递一个url。
sbutils下载地址:http://cydia.ppios.com/2013/06/sbutils-v1-0-2-1.html
sbutils的开源代码:https://github.com/innoying/iOS-sbutils
二、sblaunch的开源代码
#include <CoreFoundation/CoreFoundation.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
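/*
 * sblaunch: launch an app by bundle identifier from the command line,
 * optionally handing it a URL and extra arguments.
 *
 * The listing on this page lost its decimal literals and several line breaks
 * during extraction. They are restored here as follows:
 *   - getopt() end marker -1 (the documented getopt return value);
 *   - the -b flag value 1 and the 50000 us poll delay, which match the
 *     decompiled listing on this page (`v4 |= 1u`, `usleep(0xC350u)`);
 *   - array capacity 0 and exit statuses 1/0 follow convention -- confirm
 *     against the upstream repository.
 */
#define SBSApplicationLaunchUnlockDevice 4
#define SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger 0x402

/*
 * Hand-written prototypes. The page's author reports finding no documentation
 * for these functions, so the parameter lists are assumptions, not a
 * published contract.
 *
 * NOTE(review): `flags` is declared `char`, but the debug constant above is
 * 0x402, which does not fit in 8 bits. Whether the 0x400 bit reaches the
 * callee depends on the real parameter width -- confirm before relying on -d.
 */
bool SBSProcessIDForDisplayIdentifier(CFStringRef id, pid_t *pid);
int SBSLaunchApplicationWithIdentifier(CFStringRef id, char flags);
int SBSLaunchApplicationForDebugging(CFStringRef bundleID, CFURLRef openURL, CFArrayRef arguments, CFDictionaryRef environment, CFStringRef stdout, CFStringRef stderr, char flags);

/*
 * Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...]
 *
 * Returns 0 on success and 1 on a usage error, an invalid URL or argument,
 * or a non-zero result from SBSLaunchApplicationForDebugging.
 *
 * The page signs the binary with the
 * com.apple.springboard.launchapplications entitlement; the launch call is
 * presumably refused without it.
 */
int main(int argc, char **argv) {
    bool p = false;
    const char *url = NULL;
    const char *bundle;
    int flags = SBSApplicationLaunchUnlockDevice;

    int c;
    while ((c = getopt(argc, argv, "pdbu:")) != -1) {
        switch (c) {
        case 'p': p = true; break;
        case 'd': flags |= SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger; break;
        case 'b': flags |= 1; break;   /* launch in background */
        case 'u': url = optarg; break;
        default: goto usage;
        }
    }
    if (optind == argc) goto usage;   /* the bundle identifier is mandatory */
    bundle = argv[optind];

    /* Everything after the bundle identifier is forwarded to the app. */
    CFMutableArrayRef arguments = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (!arguments) {
        fprintf(stderr, "out of memory\n");
        return 1;
    }
    while (++optind != argc) {
        /* Returns NULL when argv[optind] is not valid UTF-8; appending NULL
         * to a kCFTypeArrayCallBacks array would crash in the retain
         * callback, so reject the argument instead. */
        CFStringRef arg = CFStringCreateWithCString(NULL, argv[optind], kCFStringEncodingUTF8);
        if (!arg) {
            fprintf(stderr, "invalid argument encoding\n");
            return 1;
        }
        CFArrayAppendValue(arguments, arg);
        CFRelease(arg);   /* the array holds its own reference */
    }

    CFStringRef cs = CFStringCreateWithCString(NULL, bundle, kCFStringEncodingUTF8);
    if (!cs) {
        fprintf(stderr, "invalid bundle identifier\n");
        return 1;
    }

    /* The URL is only checked for being parseable; it is otherwise passed to
     * the target app unchanged, so the receiving app's URL handler must do
     * its own validation. */
    CFURLRef cu = url ? CFURLCreateWithBytes(NULL, (const UInt8 *)url, strlen(url), kCFStringEncodingUTF8, NULL) : NULL;
    if (url && !cu) {
        fprintf(stderr, "invalid URL\n");
        return 1;
    }

    /* NOTE(review): the message below names SBSLaunchApplicationWithIdentifier
     * although the call is SBSLaunchApplicationForDebugging; the text is kept
     * because the shipped binary prints the same string. */
    int err = SBSLaunchApplicationForDebugging(cs, cu, arguments, NULL, NULL, NULL, flags);
    if (err) {
        fprintf(stderr, "SBSLaunchApplicationWithIdentifier failed: %d\n", err);
        return 1;
    }

    if (p) {
        pid_t pid;
        /* Poll every 50 ms until a pid is reported for the bundle.
         * NOTE(review): there is no timeout, so this never returns if the
         * app exits before a pid can be read. */
        while (!SBSProcessIDForDisplayIdentifier(cs, &pid)) {
            usleep(50000);
        }
        printf("%d\n", (int) pid);
    }
    /* cs, cu and arguments are not released: the process exits here. */
    return 0;

usage:
    fprintf(stderr, "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...]\n"
                    " -p: print pid\n"
                    " -d: launch for debugging\n"
                    " -b: launch in background\n"
    );
    return 1;
}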
其中着色的函数(应为 SBSLaunchApplicationForDebugging)是关键函数。找了好多资料,没有发现这个函数的出处,也没有资料说明它的标准参数是什么。
仿照这个函数的用法,自己写了一段代码,发现用同样的调用方式可以打开一个app,但是url无论怎么传递都没有效果。
添加签名(签名时使用的 entitlements 如下):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.launchapplications</key> <true/> </dict> </plist>
遂怀疑是参数的问题,用IDA反编译sblaunch,得到以下的C代码
// Decompiler pseudo-C for sblaunch's main(), as posted on the page.
// Most numeric literals were lost when the page was extracted (e.g. "v4 = ;",
// "while ( )"), so the listing does not compile as shown. Only the hex
// constants that survived (1u, 0x402u, 0xC350u) can be read from it directly.
// The "// rN@M" notes are the decompiler's register annotations (ARM r0-r8).
int __cdecl main(int argc, const char **argv, const char **envp)
{
const char **v3; // r5@1   copy of argv
signed int v4; // r4@1   launch flags accumulated by the option loop
int v5; // r6@1   copy of argc
int v6; // r0@11   getopt() result
int v7; // r8@14   mutable CFArray holding the forwarded arguments
int i; // r2@14
int v9; // r0@15   CFString made from one argv entry
int v10; // r5@16   CFString made from the bundle identifier
size_t v11; // r2@18   length passed to fwrite (value lost)
FILE **v12; // r4@18
const void *v13; // r0@18   message text for the error/usage path
int v14; // r4@19   exit status (values lost)
int v15; // r0@19   result of the launch call
FILE *v16; // r3@26
const char *v18; // [sp+Ch] [bp-2Ch]@14   argv[optind], the bundle identifier
int v19; // [sp+10h] [bp-28h]@14   URL object, or its initial value when no URL is given
char v20; // [sp+14h] [bp-24h]@1   tested before the pid polling loop below
const char *v21; // [sp+18h] [bp-20h]@1   optarg of the URL option
// NOTE: on the page the statement "v3 = argv;" was fused into the trailing
// comment of the next line; it is left where the page has it.
int v22; // [sp+1Ch] [bp-1Ch]@22 v3 = argv;
v4 = ;
v20 = ;
v21 = ;
v5 = argc;
// Option loop over "pdbu:". The comparison constants are missing, so which
// branch belongs to which letter can only be inferred from what each branch
// does (compare with the source listing on this page).
while ( )
{
v6 = getopt(v5, (char *const *)v3, "pdbu:");
if ( v6 <= )
break;
if ( v6 > )
{
if ( v6 == )
{
v20 = ;
}
else
{
if ( v6 != )
goto LABEL_25;
// Option carrying an argument: remember it as the URL string.
v21 = optarg;
}
}
else if ( v6 == )
{
// Same value the source ORs in for -b (presumably; the literal there was lost).
v4 |= 1u;
}
else
{
if ( v6 != )
goto LABEL_25;
// 0x402 equals the source's
// SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger.
v4 |= 0x402u;
}
}
// Unknown option, or no bundle identifier left on the command line: usage.
if ( v6 != - || optind == v5 )
{
LABEL_25:
v11 = ;
v12 = (FILE **)&__stderrp;
v13 = "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...]\n -p: print pid\n -d: launch for debugging\n -b: launch in background\n";
goto LABEL_26;
}
v18 = v3[optind];
v19 = ;
// Arguments of the CoreFoundation calls below were dropped or stripped in
// this listing; the source listing on the page shows the full calls.
v7 = CFArrayCreateMutable();
++optind;
// Wrap every remaining argv entry in a CFString and append it to v7.
for ( i = optind; i != v5; optind = i )
{
v9 = CFStringCreateWithCString(, v3[i], );
CFArrayAppendValue(v7, v9);
i = optind + ;
}
v10 = CFStringCreateWithCString(, v18, );
if ( v21 )
{
// The strlen() result appears unused only because the decompiler shows
// CFURLCreateWithBytes() without its arguments.
strlen(v21);
v19 = CFURLCreateWithBytes();
if ( !v19 )
{
v11 = ;
v12 = (FILE **)&__stderrp;
v13 = "invalid URL\n";
// Shared exit path: write the selected message to stderr and return v14.
LABEL_26:
v16 = *v12;
v14 = ;
fwrite(v13, 1u, v11, v16);
return v14;
}
}
v14 = ;
// Only four arguments are shown here, while the source passes seven.
// NOTE(review): on 32-bit ARM the first four word-sized arguments travel in
// r0-r3 and the rest on the stack; without a prototype for this imported
// function the decompiler has probably recovered the register arguments only.
// v4 (the flags) is never read again in this listing, which is consistent
// with it being stored to the stack for the call -- confirm in the
// disassembly by looking at the stores to [sp] just before the call.
v15 = SBSLaunchApplicationForDebugging(v10, v19, v7, );
if ( v15 )
{
fprintf(__stderrp, "SBSLaunchApplicationWithIdentifier failed: %d\n", v15);
v14 = ;
}
else if ( v20 )
{
// Poll until a pid is reported; 0xC350 is 50000 microseconds per wait.
// There is no upper bound on the number of iterations.
while ( !SBSProcessIDForDisplayIdentifier(v10, &v22) )
usleep(0xC350u);
v14 = ;
printf("%d\n", v22);
}
return v14;
}
反编译结果显示这个函数只有4个参数。这个函数位于以下目录的文件中:
、
可是在越狱的手机中找了很久也找不到这个文件,不知道这个库的文件在哪里?