一、sbutils介绍
sbutils是一个开源的越狱手机基础功能的插件包,其中包含sblaunch这个启动插件,该插件可以实现命令行下面打开app并传递一个url。
sbutils下载地址:http://cydia.ppios.com/2013/06/sbutils-v1-0-2-1.html
sbutils的开源代码:https://github.com/innoying/iOS-sbutils
二、sblaunch的开源代码
1 #include <CoreFoundation/CoreFoundation.h> 2 #include <stdbool.h> 3 #define SBSApplicationLaunchUnlockDevice 4 4 #define SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger 0x402 5 6 bool SBSProcessIDForDisplayIdentifier(CFStringRef id, pid_t *pid); 7 int SBSLaunchApplicationWithIdentifier(CFStringRef id, char flags); 8 int SBSLaunchApplicationForDebugging(CFStringRef bundleID, CFURLRef openURL, CFArrayRef arguments, CFDictionaryRef environment, CFStringRef stdout, CFStringRef stderr, char flags); 9 10 int main(int argc, char **argv) { 11 bool p = false; 12 const char *url = NULL; 13 const char *bundle; 14 int flags = SBSApplicationLaunchUnlockDevice; 15 16 int c; 17 while((c = getopt(argc, argv, "pdbu:")) != -1) 18 switch(c) { 19 case 'p': p = true; break; 20 case 'd': flags |= SBSApplicationDebugOnNextLaunch_plus_SBSApplicationLaunchWaitForDebugger; break; 21 case 'b': flags |= 1; break; 22 case 'u': url = optarg; break; 23 default: goto usage; 24 } 25 if(optind == argc) goto usage; 26 bundle = argv[optind]; 27 28 CFMutableArrayRef arguments = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); 29 while(++optind != argc) CFArrayAppendValue(arguments, CFStringCreateWithCString(NULL, argv[optind], kCFStringEncodingUTF8)); 30 31 32 CFStringRef cs = CFStringCreateWithCString(NULL, bundle, kCFStringEncodingUTF8); 33 CFURLRef cu = url ? CFURLCreateWithBytes(NULL, (UInt8*)url, strlen(url), kCFStringEncodingUTF8, NULL) : NULL; 34 if(url && !cu) { 35 fprintf(stderr, "invalid URL "); 36 return 1; 37 } 38 int err; 39 if((err = SBSLaunchApplicationForDebugging(cs, cu, arguments, NULL, NULL, NULL, flags))) { 40 fprintf(stderr, "SBSLaunchApplicationWithIdentifier failed: %d ", err); 41 return 1; 42 } 43 if(p) { 44 pid_t pid; 45 while(!SBSProcessIDForDisplayIdentifier(cs, &pid)) { 46 usleep(50000); 47 } 48 printf("%d ", (int) pid); 49 } 50 return 0; 51 52 usage: 53 fprintf(stderr, "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...] " 54 " -p: print pid " 55 " -d: launch for debugging " 56 " -b: launch in background " 57 ); 58 return 1; 59 }
其中着色的函数是关键函数,找了好多资料没有发现这个函数的出处,没有资料显示这里的标准参数是什么。
仿照这个函数的用法,自己写了一段代码,发现同样调用中是可以打开一个app的,但是传递的url无论怎么传递都没有效果。
添加签名:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.springboard.launchapplications</key> <true/> </dict> </plist>
遂怀疑是参数的问题,用IDA反编译sblaunch,得到以下的C代码
1 int __cdecl main(int argc, const char **argv, const char **envp) 2 { 3 const char **v3; // r5@1 4 signed int v4; // r4@1 5 int v5; // r6@1 6 int v6; // r0@11 7 int v7; // r8@14 8 int i; // r2@14 9 int v9; // r0@15 10 int v10; // r5@16 11 size_t v11; // r2@18 12 FILE **v12; // r4@18 13 const void *v13; // r0@18 14 int v14; // r4@19 15 int v15; // r0@19 16 FILE *v16; // r3@26 17 const char *v18; // [sp+Ch] [bp-2Ch]@14 18 int v19; // [sp+10h] [bp-28h]@14 19 char v20; // [sp+14h] [bp-24h]@1 20 const char *v21; // [sp+18h] [bp-20h]@1 21 int v22; // [sp+1Ch] [bp-1Ch]@22 22 23 v3 = argv; 24 v4 = 4; 25 v20 = 0; 26 v21 = 0; 27 v5 = argc; 28 while ( 1 ) 29 { 30 v6 = getopt(v5, (char *const *)v3, "pdbu:"); 31 if ( v6 <= 97 ) 32 break; 33 if ( v6 > 111 ) 34 { 35 if ( v6 == 112 ) 36 { 37 v20 = 1; 38 } 39 else 40 { 41 if ( v6 != 117 ) 42 goto LABEL_25; 43 v21 = optarg; 44 } 45 } 46 else if ( v6 == 98 ) 47 { 48 v4 |= 1u; 49 } 50 else 51 { 52 if ( v6 != 100 ) 53 goto LABEL_25; 54 v4 |= 0x402u; 55 } 56 } 57 if ( v6 != -1 || optind == v5 ) 58 { 59 LABEL_25: 60 v11 = 134; 61 v12 = (FILE **)&__stderrp; 62 v13 = "Usage: sblaunch [-p] [-d] [-b] [-u url] <bundle> [arguments...] -p: print pid -d: launch for debugging -b: launch in background "; 63 goto LABEL_26; 64 } 65 v18 = v3[optind]; 66 v19 = 0; 67 v7 = CFArrayCreateMutable(0); 68 ++optind; 69 for ( i = optind; i != v5; optind = i ) 70 { 71 v9 = CFStringCreateWithCString(0, v3[i], 134217984); 72 CFArrayAppendValue(v7, v9); 73 i = optind + 1; 74 } 75 v10 = CFStringCreateWithCString(0, v18, 134217984); 76 if ( v21 ) 77 { 78 strlen(v21); 79 v19 = CFURLCreateWithBytes(0); 80 if ( !v19 ) 81 { 82 v11 = 12; 83 v12 = (FILE **)&__stderrp; 84 v13 = "invalid URL "; 85 LABEL_26: 86 v16 = *v12; 87 v14 = 1; 88 fwrite(v13, 1u, v11, v16); 89 return v14; 90 } 91 } 92 v14 = 0; 93 v15 = SBSLaunchApplicationForDebugging(v10, v19, v7, 0); 94 if ( v15 ) 95 { 96 fprintf(__stderrp, "SBSLaunchApplicationWithIdentifier failed: %d ", v15); 97 v14 = 1; 98 } 99 else if ( v20 ) 100 { 101 while ( !SBSProcessIDForDisplayIdentifier(v10, &v22) ) 102 usleep(0xC350u); 103 v14 = 0; 104 printf("%d ", v22); 105 } 106 return v14; 107 }
显示是4个参数,这个函数是位于以下目录中文件中
、
可是在越狱的手机中找了很久也找不到这个文件,不知道这个库的文件在哪里?