关于sbutils中的sblaunch插件的疑惑

时间:2021-05-04 15:58:48

一、sbutils介绍

  sbutils是一个开源的越狱手机基础功能的插件包,其中包含sblaunch这个启动插件,该插件可以实现命令行下面打开app并传递一个url。

  sbutils下载地址:http://cydia.ppios.com/2013/06/sbutils-v1-0-2-1.html

  sbutils的开源代码:https://github.com/innoying/iOS-sbutils

二、sblaunch的开源代码

  

 #include <CoreFoundation/CoreFoundation.h>

 #include <stdbool.h>

 #define SBSApplicationLaunchUnlockDevice 4

 #define SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger 0x402

 bool SBSProcessIDForDisplayIdentifier(CFStringRef id, pid_t *pid);

 int SBSLaunchApplicationWithIdentifier(CFStringRef id, char flags);

 int SBSLaunchApplicationForDebugging(CFStringRef bundleID, CFURLRef openURL, CFArrayRef arguments, CFDictionaryRef environment, CFStringRef stdout, CFStringRef stderr, char flags);

 int main(int argc, char **argv) {

     bool p = false;

     const char *url = NULL;

     const char *bundle;

     int flags = SBSApplicationLaunchUnlockDevice;

     int c;

     while((c = getopt(argc, argv, "pdbu:")) != -)

     switch(c) {

         case 'p': p = true; break;

         case 'd': flags |= SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger; break;

         case 'b': flags |= ; break;

         case 'u': url = optarg; break;

         default: goto usage;

     }

     if(optind == argc) goto usage;

     bundle = argv[optind];

     CFMutableArrayRef arguments = CFArrayCreateMutable(NULL, , &kCFTypeArrayCallBacks);

     while(++optind != argc) CFArrayAppendValue(arguments, CFStringCreateWithCString(NULL, argv[optind], kCFStringEncodingUTF8));

     CFStringRef cs = CFStringCreateWithCString(NULL, bundle, kCFStringEncodingUTF8);

     CFURLRef cu = url ? CFURLCreateWithBytes(NULL, (UInt8*)url, strlen(url), kCFStringEncodingUTF8, NULL) : NULL;

     if(url && !cu) {

         fprintf(stderr, "invalid URL\n");

         return ;

     }

     int err;

     if((err = SBSLaunchApplicationForDebugging(cs, cu, arguments, NULL, NULL, NULL, flags))) {

         fprintf(stderr, "SBSLaunchApplicationWithIdentifier failed: %d\n", err);

         return ;

     }

     if(p) {

         pid_t pid;

         while(!SBSProcessIDForDisplayIdentifier(cs, &pid)) {

             usleep();

         }

         printf("%d\n", (int) pid);

     }

     return ;

     usage:

     fprintf(stderr, "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...]\n"

                     "  -p: print pid\n"

                     "  -d: launch for debugging\n"

                     "  -b: launch in background\n"

                     );

     return ;

 }

其中着色的函数是关键函数,找了好多资料没有发现这个函数的出处,没有资料显示这里的标准参数是什么。

仿照这个函数的用法,自己写了一段代码,发现同样调用中是可以打开一个app的,但是传递的url无论怎么传递都没有效果。

添加签名:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.launchapplications</key> <true/> </dict> </plist>

遂怀疑是参数的问题,用IDA反编译sblaunch,得到以下的C代码

 int __cdecl main(int argc, const char **argv, const char **envp)

 {

   const char **v3; // r5@1

   signed int v4; // r4@1

   int v5; // r6@1

   int v6; // r0@11

   int v7; // r8@14

   int i; // r2@14

   int v9; // r0@15

   int v10; // r5@16

   size_t v11; // r2@18

   FILE **v12; // r4@18

   const void *v13; // r0@18

   int v14; // r4@19

   int v15; // r0@19

   FILE *v16; // r3@26

   const char *v18; // [sp+Ch] [bp-2Ch]@14

   int v19; // [sp+10h] [bp-28h]@14

   char v20; // [sp+14h] [bp-24h]@1

   const char *v21; // [sp+18h] [bp-20h]@1

   int v22; // [sp+1Ch] [bp-1Ch]@22

   v3 = argv;

   v4 = ;

   v20 = ;

   v21 = ;

   v5 = argc;

   while (  )

   {

     v6 = getopt(v5, (char *const *)v3, "pdbu:");

     if ( v6 <=  )

       break;

     if ( v6 >  )

     {

       if ( v6 ==  )

       {

         v20 = ;

       }

       else

       {

         if ( v6 !=  )

           goto LABEL_25;

         v21 = optarg;

       }

     }

     else if ( v6 ==  )

     {

       v4 |= 1u;

     }

     else

     {

       if ( v6 !=  )

         goto LABEL_25;

       v4 |= 0x402u;

     }

   }

   if ( v6 != - || optind == v5 )

   {

 LABEL_25:

     v11 = ;

     v12 = (FILE **)&__stderrp;

     v13 = "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...]\n  -p: print pid\n  -d: launch for debugging\n  -b: launch in background\n";

     goto LABEL_26;

   }

   v18 = v3[optind];

   v19 = ;

   v7 = CFArrayCreateMutable();

   ++optind;

   for ( i = optind; i != v5; optind = i )

   {

     v9 = CFStringCreateWithCString(, v3[i], );

     CFArrayAppendValue(v7, v9);

     i = optind + ;

   }

   v10 = CFStringCreateWithCString(, v18, );

   if ( v21 )

   {

     strlen(v21);

     v19 = CFURLCreateWithBytes();

     if ( !v19 )

     {

       v11 = ;

       v12 = (FILE **)&__stderrp;

       v13 = "invalid URL\n";

 LABEL_26:

       v16 = *v12;

       v14 = ;

       fwrite(v13, 1u, v11, v16);

       return v14;

     }

   }

   v14 = ;

   v15 = SBSLaunchApplicationForDebugging(v10, v19, v7, );

   if ( v15 )

   {

     fprintf(__stderrp, "SBSLaunchApplicationWithIdentifier failed: %d\n", v15);

     v14 = ;

   }

   else if ( v20 )

   {

     while ( !SBSProcessIDForDisplayIdentifier(v10, &v22) )

       usleep(0xC350u);

     v14 = ;

     printf("%d\n", v22);

   }

   return v14;

 }

显示是4个参数,这个函数是位于以下目录中文件中

关于sbutils中的sblaunch插件的疑惑

可是在越狱的手机中找了很久也找不到这个文件,不知道这个库的文件在哪里?

相关文章