[iOS]使用MonkeyDev完成Hook

一、确定目标

先定个小目标，使用七猫举个例，去移除小说阅读页底部广告和章节之间的广告。

二、HOOK

1. 创建MonkeyApp项目导入砸壳包

2. 使用Reveal工具确定“底部广告”和“章末广告”的视图名称

底部广告

View Controller:
Class: QMReader.YYReaderContainer
Memory Address: 0x107b1d200

NSObject:
Class: QMReader.YYReaderBottomBannerView
Memory Address: 0x11af3f700

 章末广告

View Controller:
Class: QMAd.YYReaderInsertAdVC
Memory Address: 0x108e81600

3. 使用Hopper Disassembler工具分析Mach-O确定类名

YYReaderContainer对应的类名为_TtC8QMReader17YYReaderContainer
YYReaderBottomBannerView对应的类名为_TtC8QMReader24YYReaderBottomBannerView

 YYReaderInsertAdVC对应的类名为_TtC4QMAd18YYReaderInsertAdVC

4. 项目中使用CaptainHook

（1）CaptainHook 使用方法

hook函数

/// hook类
CHDeclareClass(<#name#>)
 
/// hook类方法
CHOptimizedClassMethod0(<#optimization#>, <#return_type#>, <#class_type#>, <#name#>)
 
/// hook对象方法
/// optimization 当前self或者其他
/// return_type 需要传入什么类型
/// class_type 传入哪一个类
/// name 属性名称
CHOptimizedMethod0(<#optimization#>, <#return_type#>, <#class_type#>, <#name#>)

新增函数

/// 新增属性
CHPropertyRetainNonatomic(<#class#>, <#type#>, <#getter#>, <#setter#>)
 
/// 新增类方法
CHDeclareClassMethod0(<#return_type#>, <#class_type#>, <#name#>)
 
/// 新增对象方法
CHDeclareMethod0(<#return_type#>, <#class_type#>, <#name#>)

构造函数

/// 构造函数
CHConstructor{
	// hook类
	CHLoadLateClass(<#name#>);  
 
	// hook方法 (CHClassHook0、CHClassHook1... 数字表示有几个参数)     
	CHClassHook0(<#class#>, <#name#>)     
 
	// 添加属性时，需要这样写对应的set，get
	CHHook0(<#class#>, <#name#>)          
}

（2）完成hook

#import "MonkeyDevTestDemoDylib.h"
#import 
#import 
 
#pragma mark ----申明类可以调用属性和方法----
 
CHDeclareClass(_TtC8QMReader17YYReaderContainer)
CHDeclareClass(_TtC8QMReader24YYReaderBottomBannerView)
CHDeclareClass(_TtC4QMAd18YYReaderInsertAdVC)
 
#pragma mark ----实现方法----
 
/// 隐藏底部广告后，改变阅读区frame。
CHOptimizedMethod1(self, void, _TtC8QMReader17YYReaderContainer, viewDidAppear, BOOL, arg1) {
    CHSuper1(_TtC8QMReader17YYReaderContainer, viewDidAppear, arg1);
    UIView *view = [(UIViewController *)self view];
    NSArray *iArr = view.subviews;
    for (int i = 0 ; i < iArr.count ; i ++) {
        UIView *iView = iArr[i];
        if ([NSStringFromClass([iView class]) isEqualToString:@"UIView"]) {
            UIView *tempView = iView;
            do {
                NSArray *tempArr = tempView.subviews;
                for (int j = 0 ; j < tempArr.count ; j ++) {
                    UIView *subView = tempArr[j];
                    tempView = subView;
                }
            } while ([NSStringFromClass([tempView class]) isEqualToString:@"UIView"]);
 
            if ([NSStringFromClass([tempView class]) isEqualToString:@"UIScrollView"]) {
                UIScrollView *tempSV = (UIScrollView *)tempView;
                NSArray *jArr = tempSV.subviews;
                for (int j = 0 ; j < jArr.count ; j ++) {
                    UIView *jView = jArr[j];
                    if ([NSStringFromClass([jView class]) isEqualToString:@"UIView"]) {
                        NSArray *jArr = jView.subviews;
                        for (int k = 0 ; k < jArr.count ; k ++) {
                            UIView *kView = jArr[k];
                            if ([NSStringFromClass([kView class]) isEqualToString:@"UIView"]) {
                                kView.frame = CGRectMake(0, UIScreen.mainScreen.bounds.size.height, UIScreen.mainScreen.bounds.size.width, 0);
                            } else if ([NSStringFromClass([kView class]) isEqualToString:@"QMReader.QMContentView"]) {
                                kView.frame = CGRectMake(0, 0, UIScreen.mainScreen.bounds.size.width, UIScreen.mainScreen.bounds.size.height);
                            }
                        }
                    }
                }
            }
        }
    }
        
}
 
/// 例：hook包含多个参数的方法
CHOptimizedMethod3(self, void, _TtC8QMReader17YYReaderContainer, observeValueForKeyPath, id, arg1, ofObject, id, arg2, change, id, arg3) {
    
}
 
/// 例：hook类方法
CHOptimizedClassMethod0(self, void, _TtC8QMReader24YYReaderBottomBannerView, load) {
    NSObject *obj = (NSObject *)self;
}
 
/// 隐藏底部广告
CHOptimizedMethod1(self, void, _TtC8QMReader24YYReaderBottomBannerView, initWithFrame, CGRect, arg1) {
    CHSuper1(_TtC8QMReader24YYReaderBottomBannerView, initWithFrame, arg1);
    printf("nadd3");
    UIView *view = (UIView *)self;
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(0.1 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
        view.alpha = 0;
        view.hidden = YES;
        view.frame = CGRectMake(0, 0, 0, 0);
        [view removeFromSuperview];
    });
}
 
/// 隐藏章末广告
CHOptimizedMethod1(self, void, _TtC4QMAd18YYReaderInsertAdVC, viewDidAppear, BOOL, arg1) {
    UIView *view = [(UIViewController *)self view];
    view.alpha = 0;
    view.hidden = YES;
}
 
#pragma mark ----构造函数----
 
CHConstructor{
    // hook类
    CHLoadLateClass(_TtC8QMReader17YYReaderContainer);
    CHLoadLateClass(_TtC8QMReader24YYReaderBottomBannerView);
    CHLoadLateClass(_TtC4QMAd18YYReaderInsertAdVC);
    // hook方法
    CHClassHook3(_TtC8QMReader17YYReaderContainer, observeValueForKeyPath, ofObject, change);
    CHClassHook1(_TtC8QMReader17YYReaderContainer, viewDidAppear);
    CHClassHook0(_TtC8QMReader24YYReaderBottomBannerView, load);
    CHClassHook1(_TtC8QMReader24YYReaderBottomBannerView, initWithFrame);
    CHClassHook1(_TtC4QMAd18YYReaderInsertAdVC, viewDidAppear);
}

最终效果如下：
demo:https://download.csdn.net/download/u012881779/87148657

（3）顺便了解一下添加属性和方法

//  MonkeyDevTestDemoDylib.h
//  MonkeyDevTestDemoDylib
//
//  Created by Gamin on 2022/11/19.
//  Copyright (c) 2022 ___ORGANIZATIONNAME___. All rights reserved.
//
 
#import 
#import 
 
@interface _TtC8QMReader17YYReaderContainer
 
@property (nonatomic, strong) UIButton * alertButton;
 
- (void)tapAlertButton:(UIButton *)sender;
 
@end

//  weibo: http://weibo.com/xiaoqing28
//  blog:  http://www.alonemonkey.com
//
//  MonkeyDevTestDemoDylib.m
//  MonkeyDevTestDemoDylib
//
//  Created by Gamin on 2022/11/19.
//  Copyright (c) 2022 ___ORGANIZATIONNAME___. All rights reserved.
//
 
#import "MonkeyDevTestDemoDylib.h"
#import 
#import 
 
#pragma mark ----申明类可以调用属性和方法----
 
CHDeclareClass(_TtC8QMReader17YYReaderContainer)
 
#pragma mark ----实现方法----
 
/// 隐藏底部广告后，改变阅读区frame。
CHOptimizedMethod1(self, void, _TtC8QMReader17YYReaderContainer, viewDidAppear, BOOL, arg1) {
    CHSuper1(_TtC8QMReader17YYReaderContainer, viewDidAppear, arg1);
    UIView *view = [(UIViewController *)self view];
 
    // 提示
    self.alertButton = [[UIButton alloc] initWithFrame:CGRectMake(100, 100, 100, 40)];
    self.alertButton.backgroundColor = UIColor.redColor;
    [self.alertButton setTitle:@"提示" forState:UIControlStateNormal];
    [self.alertButton addTarget:self action:@selector(tapAlertButton:) forControlEvents:UIControlEventTouchUpInside];
    [view addSubview:self.alertButton];
        
}
 
/// 添加新属性
CHPropertyRetainNonatomic(_TtC8QMReader17YYReaderContainer, UIButton *, alertButton, setAlertButton);
 
/// 添加新方法
CHDeclareMethod1(void, _TtC8QMReader17YYReaderContainer, tapAlertButton, UIButton *, sender){
    NSLog(@"This is a new method : tapAlertButton");
}
 
 
#pragma mark ----构造函数----
 
CHConstructor{
    // hook类
    CHLoadLateClass(_TtC8QMReader17YYReaderContainer);
    // hook方法
    CHClassHook1(_TtC8QMReader17YYReaderContainer, viewDidAppear);
    // 新增提示按钮属性
    CHHook0(_TtC8QMReader17YYReaderContainer, alertButton);
    CHHook1(_TtC8QMReader17YYReaderContainer, setAlertButton);
    CHClassHook1(_TtC8QMReader17YYReaderContainer, tapAlertButton);
}
 

点击自定义的按钮，控制台输出打印内容。