marlkiller / dylib_dobby_hook Goto Github PK

这是一个集成了 Dobby Hook 框架的 macOS dylib 项目，通过使用 Dobby Hook 框架来对软件进行辅助增强的操作。Dobby Hook 框架可以帮助实现钩子函数，从而在软件中注入自定义代码，拓展软件功能和提升用户体验。

License: MIT License

C 2.23% Objective-C 79.96% Shell 4.44% Python 9.84% CMake 2.93% DTrace 0.60%

dylib_dobby_hook's Introduction

About

该项目是一个 macOS dylib 项目，集成了 Dobby Hook 框架，旨在通过使用 Dobby Hook 框架对软件进行辅助增强。

开发环境:

MacOS (关闭 SIP & 允许任何来源)
xcode 15.2 | clion
dobby
insert_dylib
hopper | ida

目录结构 :

dylib_dobby_hook: 源码
libs: 项目依赖的开源 dobby 库
release: build 后的成品
script:
- hack.sh 自定义注入脚本 sudo sh hack.sh
- auto_hack.sh 妹妹全自动注入脚本 sudo sh auto_hack.sh
tools: insert_dylib 开源注入工具

Feat

跨平台 HOOK
Xcode|Clion 集成开发调试环境
特征码搜索

点击这里展开/收起

App	version	x86	arm	Download	remark	Author
TablePlus	6.*	✔	✔	https://tableplus.com/	inject_bin="/Applications/TablePlus.app/Contents/Frameworks/Sparkle.framework/Versions/B/Sparkle"
DevUtils	1.*	✔	✔	https://devutils.com/
AirBuddy	2.*	✔	✔	https://v2.airbuddy.app/download	inject_bin="/Applications/AirBuddy.app/Contents/Frameworks/LetsMove.framework/Versions/A/LetsMove"
Navicat Premium	17.*	✔	✔	App Store	inject_bin="/Applications/Navicat Premium.app/Contents/Frameworks/EE.framework/Versions/A/EE"	QiuChenlyOpenSource
Paste	4.1.3	✘	✔	App Store		LeeeMooo
Transmit	5.*	✔	✔	https://panic.com/transmit/#download
AnyGo	7.*	✔	✔	https://itoolab.com/gps-location-changer/	DMCA
Downie	4.*	✔	✔	https://software.charliemonroe.net/downie/	inject_bin="/Applications/Permute 3.app/Contents/Frameworks/Licensing.framework/Versions/A/Licensing"
Permute	3.*	✔	✔	https://software.charliemonroe.net/permute/	inject_bin="/Applications/Downie 4.app/Contents/Frameworks/Licensing.framework/Versions/A/Licensing"
ProxyMan	5.2	✔	✔	https://proxyman.io/	inject_bin="/Applications/Proxyman.app/Contents/Frameworks/HexFiend.framework/Versions/A/HexFiend"
Movist Pro	2.*	✔	✔	https://movistprime.com/	inject_bin="/Applications/Movist Pro.app/Contents/Frameworks/MediaKeyTap.framework/Versions/A/MediaKeyTap"
Surge	5.7.*	✔	✔	https://nssurge.com/	DMCA
Infuse	7.7.*	✔	✔	App Store	inject_bin="/Applications/Infuse.app/Contents/Frameworks/Differentiator.framework/Versions/A/Differentiator"
MacUpdater	3.	✔	✔	https://www.corecode.io/macupdater/#download	inject_bin="/Applications/MacUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Sparkle"
CleanShotX	4.	✔	✘	https://updates.getcleanshot.com/v3/	DMCA
ForkLift	4.	✔	✔	https://binarynights.com/	inject_bin="/Applications/ForkLift.app/Contents/Frameworks/UniversalDetector.framework/Versions/A/UniversalDetector"

Usage

download latest release

tar -xzvf dylib_dobby_hook.tar.gz
cd script 
sudo sh auto_hack.sh

Develop

0x0

基础代码已经完成, 为了兼容更多的 app 补丁, 使用了适配器模式来进行扩展

0x1 定义实现类(以当前 XXX 为例)

#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import "HackProtocol.h"


@interface XXXHack : NSObject <HackProtocol>

@end

@implementation XXXHack

- (NSString *)getAppName {
return @"com.dev.xxx";
}

- (NSString *)getSupportAppVersion {
return @"1.0";
}


- (BOOL)hack {

#if
defined(__arm64__) || defined(__aarch64__)
// do arm something..
#elif
defined(__x86_64__)
// do x86 something..
#endif
return YES;
}
@end

0x2 Build & 注入

编译后, 会得到一个我们的 dylib 补丁
然后编写 shell 脚本,来注入

current_path=$PWD
echo "当前路径：$current_path"

app_name="DevUtils"
# The default is injected into the main program, if you need to customize, please edit the variable inject_bin, otherwise do not touch it
# inject_bin="/Applications/Navicat Premium.app/Contents/Frameworks/EE.framework/Versions/A/EE"
# inject_bin="/Applications/${app_name}.app/Contents/MacOS//${app_name}"

dylib_name="dylib_dobby_hook"
prefix="lib"
insert_dylib="${current_path}/../tools/insert_dylib"
chmod a+x ${insert_dylib}

BUILT_PRODUCTS_DIR="${current_path}/../release"

app_bundle_path="/Applications/${app_name}.app/Contents/MacOS"
app_bundle_framework="/Applications/${app_name}.app/Contents/Frameworks/"

if [ ! -d "$app_bundle_framework" ]; then
  mkdir -p "$app_bundle_framework"
fi

if [ -n "$inject_bin" ]; then
    app_executable_path="$inject_bin"
else
    app_executable_path="${app_bundle_path}/${app_name}"
fi
app_executable_backup_path="${app_executable_path}_Backup"

# 备份注入程序
if [ ! -f "$app_executable_backup_path" ];
then
    cp "$app_executable_path" "$app_executable_backup_path"
fi


# copy dylib
cp -f "${BUILT_PRODUCTS_DIR}/${prefix}${dylib_name}.dylib" "${app_bundle_framework}"

# dylib 注入
"${insert_dylib}" --weak --all-yes "@rpath/${prefix}${dylib_name}.dylib" "$app_executable_backup_path" "$app_executable_path"

Sponsor

Ref

[MacOS逆向] MacOS TablePlus dylib注入 HOOK x86/arm 双插完美破解 https://www.52pojie.cn/thread-1739112-1-1.html
[C&C++ 原创] C++ 跨平台内联汇编集成 (MacOS,Linux,Windows) https://www.52pojie.cn/thread-1653689-1-1.html
jmpews/Dobby https://github.com/jmpews/Dobby

WARN

仅供研究学习使用，请勿用于非法用途
注：若转载请注明来源（本贴地址）与作者信息。

dylib_dobby_hook's People

Contributors

Stargazers

Watchers

dylib_dobby_hook's Issues

请教一个libdobby.a 的编译问题

大佬，我在M2的机器，你这个demo可以正常编译。自己Xcode15.3新建了一个动态库工程，为什么总是编译失败，不管是用你的libdobby.a，还是dobby官方的github的release产物的arm64 arm64e universal 的.a或者libdobby.dylib 都报错。用你的libdobby.a是下边的错误，是你的工程设置了什么编译参数吗？

TablePlus 6.0.6后x86架构hook失败,m系列正常

>>>>>> Constant initialize
>>>>>> DobbyGetVersion: Dobby-2024.05.21-b0176de
>>>>>> AppName is [com.tinyapp.TablePlus],Version is [6.0.6], myAppCFBundleVersion is [558].
>>>>>> App Architecture is: x86_64
>>>>>> App DebuggerAttached is: 1
>>>>>> plistPath is (null)
>>>>>> NSUserDefaultsPath is /Users/jerry/Library/Preferences/com.tinyapp.TablePlus.plist
>>>>>> License file path: /Users/jerry/Library/Application Support/com.tinyapp.TablePlus/.licensemac
>>>>>> License file: 1
>>>>>> Constant init
>>>>>> called - ret1
>>>>>> [hk_dataTaskWithHTTPMethod] Intercept url: https://events.tableplus.com/v1/events, req params: {
    action = Startup;
    build = 558;
    category = interaction;
    client = 1;
    "client_key" = VEMOjpX94ho6ws5Gr4wIZ9K7WjZfHZdUhPaNvoNsJsG4A2lrQkQkmJR0tscKOE0v;
    "cpu_arch" = "x86_64";
    "device_id" = d843f4b6e0d2390fb520c8af2144e176;
    "device_model" = "Macmini8,1";
    locale = "zh_CN";
    os = macos;
    "os_version" = "14.5.0";
    sig = "AwFZIZ1Xp0l5SZt1hc7tLyFWq1xXLSUp3kOTbh6UiO2CNSjBxTxrRJgSbvhB4u+pLoXVJFEZIkSOGx28AiKol6M/QnUmsKT+9T/alWECD3F9JQ==";
    type = session;
}
>>>>>> DummyURLSessionDataTask.resume
>>>>>> [hk_dataTaskWithHTTPMethod] Intercept url: https://tableplus.com/v1/apps/osx/tableplus, req params: (null)
>>>>>> DummyURLSessionDataTask.resume
>>>>>> [hk_dataTaskWithHTTPMethod] Intercept url: https://events.tableplus.com/v1/events, req params: {
    action = "Become active";
    build = 558;
    category = interaction;
    client = 1;
    "client_key" = VEMOjpX94ho6ws5Gr4wIZ9K7WjZfHZdUhPaNvoNsJsG4A2lrQkQkmJR0tscKOE0v;
    "cpu_arch" = "x86_64";
    "device_id" = d843f4b6e0d2390fb520c8af2144e176;
    "device_model" = "Macmini8,1";
    locale = "zh_CN";
    os = macos;
    "os_version" = "14.5.0";
    sig = "AwG8Dqb+74Kwi3msJRnzBXaBDDRR0sRUf0QWEJ1u3O5t3FhvkLPlNSy1HbkyzLTIGfu+dCYTVFh8FNIh1GT9e2xieqH2czSMAf1OA1LKmckkEw==";
    type = session;
}
>>>>>> DummyURLSessionDataTask.resume
nw_path_necp_check_for_updates Failed to copy updated result (22)
BOOL _NSPersistentUIDeleteItemAtFileURL(NSURL *const __strong) Failed to stat item: file:///Users/xxx/Library/Saved%20Application%20State/com.tinyapp.TablePlus.savedState/restorecount.plist

附上日志和截图，不知道为什么x86就是不可以，可能我用的是黑苹果？？？

自从6.0.6之后，hook后有个小BUG，导入链接配置不可用了，望大佬修复一下

编译出来的lib能否用于ios注入？

不熟悉ios开发，请问可以注入ios吗？

还是说需要重新编译dobbyhook再新建一个xcode for ios library?

贡献一个 Paste 4.1.3，arm可用

paste.zip

注入脚本要改一下，有些app没有Frameworks文件夹

请问大佬，这个脚本支持M系列处理器吗？我在的m1pro本上执行后tableplus无法打开...

tableplus Version 6.0.6 (558) 破解不能用了

返回好像不是LicenseModel了

TablePlus Version 6.0.8 (562) auto_hack后无法打开->奔溃

Intel芯片 MBP
系统10.15.7 (19H2026)
TablePlus Version 6.0.8 (562)

auto_hack：

奔溃日志（超出comment长度了，转为附件）：
TablePlus_2024-06-28-151553_Macintosh.txt

TablePlus无法在原生状态打开

机型M2 MacBook Air
下载安装官网版TablePlus后执行build
原生Arm版无法运行，提示应用程序“TablePlus”无法打开。
打开转译可以完美运行，请问这个是什么原因导致的
不仅是TablePlus，注入到其他程序，也是只有开启rosetta后才能打开，arm下无法打开

關於libdobby.dylib編譯

想請教一個問題，請問如何將libdobby項目編譯成dylib？
我通過官方編譯得出的是.a文件，但我想編譯成dylib。目前平台為macOS

您能否詳細告知如何編譯出dylib的詳細過程？萬分感恩！

git clone https://github.com/wangyinz/Dobby.git --depth=1
python3 scripts/platform_builder.py --platform=macos --arch=all

Build以后没有release产物

原样DEMO下载后Build,release文件下无更新的产物生成
请问一下如何得到产物呢?
另外run script会失败，permission denied

我编译出libdobby.dylib然后
gcc main.c -L. -I. -ldobby -o main
执行的时候就报错了
./main
dyld[43158]: Symbol not found: _DobbyHook
Referenced from: <9874E7BB-10B6-3E9D-BBCE-DBE1379425A1> /Users/xu/Desktop/run/main
Expected in: unknown
zsh: abort ./main
我使用dobby最新的release也会这样，这是啥问题啊

TablePlus 6.0支持

6.0版本会有不支持提醒

可以改进的地方

TablePlus


static int64_t* (*original_sub2)();
static int64_t* replaced_sub2() {
	int64_t* ret = original_sub2();
	NSObject* obj = (NSObject*)*(ret+5);
	g_licenseModel.deviceID = [obj description];
	return ret;
}

这样就不用hook_device_id了。这个函数是crash的根源。

app crash when launch

My environment
Processor: M2 Pro
OS: Sonoma 14.5
App name: tableplus
Xcode install: No

sudo sh auto_hack.sh

Script executed successfully but when launch app it crashed instantly. Did i miss anything?

Bad CPU type in executable

系统 macos14。m1 pro

fail crack

无法破解，显示如下错误

MacOS上另一款比Table Plus更好用的Mysql client - Querious, 大佬得空试试看

Querious
https://www.araelium.com/querious

使用writeMachineCodeString修改内存中的机器码奔溃问题

大佬，请教个问题，我想把000000010011970e je loc_10011972c 修改为----->> jne loc_10011972c 对应机器码是74改成75，用的大佬的项目中的writeMachineCodeString方法，为啥注入后程序奔溃呢，奔溃日志如图，代码拉取的最新main分支

Support for more Apps

Nektony App Cleaner & Uninstaller : https://download.nektony.com/download/app-cleaner-uninstaller/app-cleaner-uninstaller.dmg
Cleanshot X : https://cleanshot.com

Both of these are widely used and static patching of these apps are so tiresome as they have helper module which not works well unless we patch the sig in all files. I hope you can try dynamic patching these 2 apps. It would be really great.

Thank you so much.