In this post we will continue to enhance the Medium tweak. We will learn how to create a preference bundle and hook into Settings.app to configure the default number of claps. If you have not read part 1 yet, I suggest having a look at it first before continuing.

This post is for educational purposes only. How you use this information is your responsibility. I will not be held accountable for any illegal activities, so please use it at your discretion and contact the app's author if you find issues.

We will fix the problems encountered in the previous post. Here are the things we will cover today:

- What are clapButtonPressed: and clapButtonReleased: doing?
- Are there any alternative methods to hook?
- How to create a preference bundle that allows changing the number of claps instead of hard-coding it.
- Spoiler alert: another thing we can tweak in Medium.

Clapping function behind the scenes

Static analysis using Hopper Disassembler

As promised in the previous post, we will reveal what's going on in the clapButtonPressed: and clapButtonReleased: methods. I bet it will be more hands-on than the previous post, so let's get our hands dirty!!

We need to do some analysis on the Medium binary file. With the help of Frida iOS Dump or CrackerXI, we can easily pull out the .ipa file of the Medium app on a jailbroken device, unzip the .ipa and navigate to the Payload/hangtag.app folder.

Drag and drop the hangtag binary (MachO) file into Hopper Disassembler and wait a while for it to disassemble. When it finishes, make sure the Labels tab is selected in the left panel, search for clapButtonPressed and click on - result; you will be navigated to the method implementation on the right. Assembly instructions again!!! But don't worry, this time we don't need to read every instruction, we only need to understand what the method is doing in general. To do that, switch to the Pseudo-code mode tab; you will be impressed with how great it is:

/* ClapButton */

As you can see, it invokes the timer when the button is pressed or tapped ( ). Just hover your mouse over startTimer and double-click on it; it should navigate you to the method implementation of this selector. In this case, the startTimer selector is referenced by multiple classes, so select the - option when the popup appears to proceed, and this is the implementation:

/* LongPressClapController */

I put some inline comments; let's focus on those and ignore the rest:

1. It invokes the method tryToPerformClap. By the name we can guess it performs a clap, so it should count as 1 clap.
2. It tries to invoke the method invalidate on an unknown object at address *(self + 0x8). This is the common syntax for accessing ivars; in this case it's the _clapTimer ivar (NSTimer). According to the Apple documentation, invoking invalidate stops the timer from ever firing again and requests its removal from its run loop.
3. It creates a new NSTimer instance, but it seems the decompiler is taking the wrong arguments, i.e. r22 is supposed to be a number but it's WeakProxy… We have no choice, and we will find out soon.

Switch to assembly mode and focus on these instructions.

mov x2, x22 ; target = self = LongPressClapController
movz w5, #0x1 ; repeats, argument "instance" for method imp_stubs_objc_msgSend
bl imp_stubs_objc_msgSend ; objc_msgSend

These are the instructions of the NSTimer creation, with my inline comments for each one. As you can see, register d0 holds address 0x10060fae8; double-click on this address and it holds the value 0.2 (000000010060fae8 dq 0.2), so it should be the timer interval (200 milliseconds). All of this can be rewritten like this:

r0 = [NSTimer // 3.

Based on this, we know that the timer will be fired every 200 milliseconds to invoke

Checking the references to clapButtonPressed: and clapButtonReleased: shows this:

/* ClapButton */

self is a subclass of UIButton, so it inherits the addTarget:action:forControlEvents: method. This is the place to register actions for events of type UIControl.Event. Let's figure out which events (0x1 and 0x1c0 are in hexadecimal) belong to each action. Let's have a look inside the UIControl.Event declaration (I stripped the public static modifiers for brevity) and put inline comments with the raw value of each event in decimal and binary.

extension UIControl // 256 = 0001 0000 0000

As you can see from the pattern of the raw values, they are all bitmask constants. With this kind of bitmask representation, multiple events can be represented in one number. The control event registered for clapButtonPressed: is easy to guess 0x1 = 1 =. But for clapButtonReleased: it is a bit tricky. 0x1c0 = 448 does not match any defined event; is the Hopper Disassembler decompiler wrong? Converting 0x1c0 to binary gives 0001 1100 0000. There are 3 bits set; checking against the constants above, it is this combination: 0001 0000 0000 | 0000 1000 0000 | 0000 0100 0000 or human-readable would be.
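The mask decoding worked through above, as an added example that is not part of the original post: it splits a forControlEvents: value into the single-bit UIControl.Event constants published in Apple's UIKit headers and reports any bits that have no public name. The function names are chosen here for illustration.

```python
# Single-bit UIControl.Event raw values as published in Apple's UIKit headers.
UICONTROL_EVENTS = {
    1 << 0: "touchDown",
    1 << 1: "touchDownRepeat",
    1 << 2: "touchDragInside",
    1 << 3: "touchDragOutside",
    1 << 4: "touchDragEnter",
    1 << 5: "touchDragExit",
    1 << 6: "touchUpInside",
    1 << 7: "touchUpOutside",
    1 << 8: "touchCancel",
    1 << 12: "valueChanged",
    1 << 13: "primaryActionTriggered",
    1 << 14: "menuActionTriggered",
    1 << 16: "editingDidBegin",
    1 << 17: "editingChanged",
    1 << 18: "editingDidEnd",
    1 << 19: "editingDidEndOnExit",
}

def decode_control_events(mask):
    """Return (event names, leftover bits with no named event) for a mask."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("UIControl.Event raw values are 32-bit unsigned")
    names, leftover = [], 0
    for shift in range(32):
        bit = 1 << shift
        if mask & bit:
            if bit in UICONTROL_EVENTS:
                names.append(UICONTROL_EVENTS[bit])
            else:
                leftover |= bit  # reserved or unnamed bit: report it, don't guess
    return names, leftover

def nibbles(mask):
    """Format a mask as space-separated 4-bit groups, as the post writes them."""
    width = max(12, (mask.bit_length() + 3) // 4 * 4)
    bits = format(mask, "0{}b".format(width))
    return " ".join(bits[i:i + 4] for i in range(0, len(bits), 4))

def describe(mask):
    names, leftover = decode_control_events(mask)
    if leftover:
        names.append("unnamed bits 0x{:x}".format(leftover))
    return "0x{:x} = {} = {} = {}".format(mask, mask, nibbles(mask), " | ".join(names))

if __name__ == "__main__":
    for raw in (0x1, 0x1C0):  # the two masks seen in the decompiled ClapButton
        print(describe(raw))
```

A direct table lookup of 448 fails because the value is an OR of three events, which is why the decompiler output looked wrong at first glance.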