利用Cycript調(diào)試App
一胎许、Cycript是什么?
-
Cycript是一種腳本語(yǔ)言,是Objective-C辜窑、JavaScript钩述、Java等語(yǔ)法的混合物,這就意味著我們可以在一條命令中使用這些語(yǔ)言的語(yǔ)法穆碎,甚至可以混合使用切距。(作者是Jay Freeman,沒(méi)錯(cuò)惨远,就是Cydia的作者,Jay Freeman出品必屬精品话肖,放心使用吧)
-
-
Cycript可以用來(lái)調(diào)試北秽、探索、修改正在運(yùn)行的Mac/iOS App最筒,只需要通過(guò)Cydia就可以安裝Cycript了贺氓,然后就可以盡情的在iPhone上調(diào)試運(yùn)行中的App了。
-
二床蜘、Cycript的用法
- 使用Cycript的前提是:Mac通過(guò)SSH遠(yuǎn)程登錄到了iPhone辙培,并且iPhone安裝了
Cycript腳本 (iPhone越獄后通過(guò)Cydia搜索安裝)
- 使用Cycript的前提是:Mac通過(guò)SSH遠(yuǎn)程登錄到了iPhone辙培,并且iPhone安裝了
- 想要調(diào)試某個(gè)App就需要知道此App的進(jìn)程名稱,在手機(jī)上打開想要調(diào)試的App邢锯,使用
ps -A命令扬蕊,列出來(lái)所有進(jìn)程后,找到想要調(diào)試的APP的進(jìn)程名即可丹擎。(例如:我們要調(diào)試皮皮蝦App尾抑,在手機(jī)上打開皮皮蝦,輸入ps -A命令蒂培,找到皮皮蝦的進(jìn)程名稱是Super再愈,如下圖所示)
利用ps -A命令,列出來(lái)當(dāng)前手機(jī)所有進(jìn)程
- 想要調(diào)試某個(gè)App就需要知道此App的進(jìn)程名稱,在手機(jī)上打開想要調(diào)試的App邢锯,使用
-
- 選擇某個(gè)進(jìn)程進(jìn)行掛載护戳,掛載某個(gè)進(jìn)程:
cycript -p 進(jìn)程名稱或者進(jìn)程ID
- 特別 特別 特別 要注意翎冲,這種掛載進(jìn)程的方法只適用于iOS12之前的系統(tǒng),iOS12及其以后的系統(tǒng)媳荒,要用另一種方法掛載抗悍,詳情請(qǐng)看下面的第五章
- 選擇某個(gè)進(jìn)程進(jìn)行掛載护戳,掛載某個(gè)進(jìn)程:
例如:想掛載皮皮蝦App,先讓皮皮蝦App在手機(jī)里跑起來(lái)肺樟,找到進(jìn)程名后檐春,輸入以下命令
cycript -p Super
- 利用以上三步就可以掛載某個(gè)進(jìn)程了,掛載之后么伯,出現(xiàn)
cy#疟暖,如下圖所示,就意味著進(jìn)入了Cycript腳本環(huán)境了,就可以輸入Cycript語(yǔ)法來(lái)調(diào)試這個(gè)進(jìn)程了
cy#
- 利用以上三步就可以掛載某個(gè)進(jìn)程了,掛載之后么伯,出現(xiàn)
-
- cycript環(huán)境下的快捷鍵:
- 退出:Ctrl + D
- 清屏:Command + R
- 取消輸入:Ctrl + C
- 總結(jié)一下俐巴,其實(shí)非常簡(jiǎn)單
1>.使用前提:MacSSH登錄了iPhone骨望,iPhone安裝了Cycript
2>.ps -A , 找出所有進(jìn)程
3>.cycript -p Super,掛載皮皮蝦欣舵,出現(xiàn)cy#擎鸠,說(shuō)明進(jìn)入到了Cycript環(huán)境
三、Cycript的常用語(yǔ)法
-
UIApp缘圈,就相當(dāng)于OC中的[UIApplication sharedApplication]
UIApp
-
-
定義變量:
var 變量名 = 變量值
定義變量
-
定義變量:
-
用變量地址獲取對(duì)象:
#內(nèi)存地址劣光,例如:#0x109703340,就拿到了這個(gè)地址的對(duì)象
#內(nèi)存地址
-
用變量地址獲取對(duì)象:
-
查看對(duì)象的所有成員變量:
*對(duì)象糟把,例如:*UIApp绢涡,就是拿到了UIApplication對(duì)象的所有變量
查看成員變量
-
查看對(duì)象的所有成員變量:
- 查看已經(jīng)加載的所有OC類,
ObjectiveC.classes
- 查看已經(jīng)加載的所有OC類,
- 遞歸打印所有View的子控件遣疯,
view.recursiveDescription().toString()
- 遞歸打印所有View的子控件遣疯,
-
篩選出某種類型的對(duì)象:
choose(類型名稱)雄可,例如choose(UIButton),找出所有UIButton類型的對(duì)象
篩選出某種類型的對(duì)象.png
-
篩選出某種類型的對(duì)象:
四缠犀、封裝并導(dǎo)入Cycript庫(kù)
- 大家是不是覺(jué)得上面的語(yǔ)法比較繁瑣数苫,用起來(lái)很不方便,我們可以把常用的語(yǔ)法封裝進(jìn)一個(gè)
.cy文件中辨液,以后直接用就可以了
- 大家是不是覺(jué)得上面的語(yǔ)法比較繁瑣数苫,用起來(lái)很不方便,我們可以把常用的語(yǔ)法封裝進(jìn)一個(gè)
- 例如把下面的代碼虐急,放到common.cy文件中 (大家仿照下面的代碼寫就可以了,exports參數(shù)是固定的室梅,不需要改)
(function(exports){
// app id
AppId = [NSBundle mainBundle].bundleIdentifier;
// mainBundlePath
BundlePath = [NSBundle mainBundle].bundlePath;
// keyWindow
KeyWin = function() {
return UIApp.keyWindow;
};
// rootView
RootVc = function() {
return UIApp.keyWindow.rootViewController;
};
})(exports);
- 然后把封裝好的
.cy文件放到手機(jī)的/usr/lib/cycript0.9目錄下
- 然后把封裝好的
- 以后進(jìn)入
cycript環(huán)境后戏仓,首先導(dǎo)入封裝好的cy文件,就可以使用封裝好的方法了亡鼠,命令是:@import xxx.cy
- 以后進(jìn)入
- MJ大佬封裝好了一個(gè).cy文件mjcript赏殃,大家可以去下載,放到手機(jī)的
/usr/lib/cycript0.9目錄下间涵,以后再進(jìn)入cycript環(huán)境后仁热,只需要@import mjcript,就可以使用里面的方法了勾哩。如下圖所示:
image.png
- MJ大佬封裝好了一個(gè).cy文件mjcript赏殃,大家可以去下載,放到手機(jī)的
五抗蠢、在iOS12及以后的系統(tǒng),掛載進(jìn)程的方法
- 在iOS12以后思劳,使用
cycript -p 進(jìn)程名的方法掛載進(jìn)程迅矛,就會(huì)報(bào)下面的錯(cuò)誤:
- 在iOS12以后思劳,使用
assert($mach_task_self != NULL)
*** _assert(status == 0):../Inject.cpp(143):InjectLibrary
- iOS12以后要使用cyrun掛載進(jìn)程,進(jìn)入cycript環(huán)境后潜叛,所有操作還跟以前一樣
-
-
cyrun安裝方法:
- (1). 通過(guò)Cydia安裝
New Curses秽褒、readline壶硅、adv-cmds、wget(wget主要為了在iPhone上可以下載deb文件) - (2). 以root賬戶登錄到iPhone上销斟,輸入以下命令庐椒,下載以下
deb文件
wget http://apt.saurik.com/debs/cycript_0.9.594_iphoneos-arm.deb wget http://www.tateu.net/repo/files/net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb wget http://www.tateu.net/repo/files/net.tateu.cyrun_1.0.5_iphoneos-arm.deb- (3). 輸入以下命令,安裝下載好的deb
dpkg -i cycript_0.9.594_iphoneos-arm.deb dpkg -i net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb net.tateu.cyrun_1.0.5_iphoneos-arm.deb -
- 安裝成功之后蚂踊,以后想進(jìn)入
cycript環(huán)境约谈,直接輸入cyrun -n 進(jìn)程名 -e -d -f或者cyrun -b bundleID -e命令就可以了,此命令會(huì)重啟相應(yīng)的進(jìn)程犁钟,然后自動(dòng)進(jìn)入cycript環(huán)境
- 安裝成功之后蚂踊,以后想進(jìn)入
- 想退出的時(shí)候棱诱,按
Control+D就可以退出cycript環(huán)境時(shí),退出后會(huì)自動(dòng)殺掉該進(jìn)程
- 想退出的時(shí)候棱诱,按
- 以皮皮蝦APP為例涝动,使用
cyrun命令進(jìn)入cycript環(huán)境军俊,導(dǎo)入寫好的mjcript庫(kù),查看皮皮蝦APP的當(dāng)前控制器和根控制器捧存,如下圖所示:
image.png
- 以皮皮蝦APP為例涝动,使用
六、知識(shí)點(diǎn)總結(jié)
1>.使用Cycript調(diào)試APP的前提:用Mac以SSH的方式登錄了iPhone担败,iPhone安裝了Cycript
2>.ps -A , 找出所有進(jìn)程昔穴,找到要調(diào)試的APP
3>.以皮皮蝦APP為例,掛載皮皮蝦APP的進(jìn)程:
- iOS12系統(tǒng)以前的掛載 :cycript -p Super
- iOS12系統(tǒng)以后的掛載 :cyrun -n Super -e -d -f 或者 cyrun -b bundleID -e
4>. 掛載后提前,會(huì)進(jìn)入cycript環(huán)境吗货,導(dǎo)入封裝好的庫(kù),使用其中的方法進(jìn)行調(diào)試: @import mjcript
5>. 找到皮皮蝦APP的當(dāng)前控制器: MJFrontVc()
6>. 退出cycript環(huán)境:Control + D
七狈网、修改皮皮蝦APP界面
- 利用上述所學(xué)宙搬,來(lái)實(shí)際改一下皮皮蝦APP的界面,將登錄界面中的"登錄"拓哺,改成"逆向調(diào)試"
-
- 流程如下:
- 首先勇垛,SSH到iPhone:
sh login.sh - 然后,掛載皮皮蝦APP:
cyrun -n Super -e -d -f - 然后士鸥,導(dǎo)入mjcipt庫(kù):
@import mjcript - 然后闲孤,用手機(jī)打開皮皮蝦的登錄界面
- 然后,查看登錄界面的控制器:
MJFrontVc() - 然后烤礁,查看登錄界面的View的層級(jí)結(jié)構(gòu):
MJVcSubviews(#0x107b0f400) - 然后讼积,輸入"登錄",查看”登錄“的unicode編碼
- 然后脚仔,搜索”登錄“的unicode編碼勤众,找到登錄所屬的
UILabel對(duì)象 - 然后,修改此UILabel的text屬性:
#0x117917e10.text = '逆向調(diào)試' - 然后鲤脏, 修改此UILabel的size屬性:
#0x117917e10.size = MJSizeMake(200,30) - 最后们颜,Control+D退出cycript環(huán)境
- 所有代碼如下:
songpengdeMBP:~ songpeng$ sh login.sh
iPhone7ceshiji:~ root# cyrun -n Super -e -d -f
applicationName: Super is not running (-1)
executableName: Super
bundleIdentifier: com.bd.iphone.super
Cycript is inactive:
Device is not passcode locked
Tweak Mode
Waiting for Cycript to become active...
Successfully enabled, you may now run
cycript -r 127.0.0.1:8556
cy# @import mjcript
{}
cy# MJFrontVc()
#"<BDSLoginViewController: 0x107b0f400>"
cy# MJVcSubviews(#0x107b0f400)
`<UIView: 0x11719b2b0; frame = (0 0; 375 667); autoresize = W+H; gestureRecognizers = <NSArray: 0x2836757d0>; layer = <CALayer: 0x283b2dea0>>
| <BDSNavigationBar: 0x117194a60; baseClass = UIControl; frame = (0 0; 375 64); layer = <CALayer: 0x283b2e060>>
| | <UIView: 0x106dc3600; frame = (0 20; 375 44); layer = <CALayer: 0x283b2aec0>>
| | | <BDSNavigationBarItem: 0x1179baa00; baseClass = UIControl; frame = (0 0; 48 44); layer = <CALayer: 0x283b29d80>>
| | | | <UIImageView: 0x1179b2870; frame = (12 10; 24 24); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x283b2ac60>>
| | | <BDSNavigationBarItem: 0x1179babf0; baseClass = UIControl; frame = (314 8; 48 36); hidden = YES; layer = <CALayer: 0x283b2ae40>>
| | | | <UILabel: 0x1179b2bc0; frame = (0 0; 48 36); text = '\u8df3\u8fc7'; clipsToBounds = YES; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a15e00>>
| | | <UILabel: 0x117196d00; frame = (187.5 0; 0 44); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a137f0>>
| | | | <_UILabelContentLayer: 0x283b34c60> (layer)
| <UILabel: 0x117917e10; frame = (24 81.4815; 80 56); text = '\u767b\u5f55'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a15a40>>
| | <_UILabelContentLayer: 0x283b34b60> (layer)
| <UITextField: 0x117136290; frame = (26 186.37; 336 42); text = ''; opaque = NO; gestureRecognizers = <NSArray: 0x28349c5a0>; layer = <CALayer: 0x283b2dce0>>
| | <UITextFieldLabel: 0x11719a4c0; frame = (0 0; 309 42); text = '\u8f93\u5165\u624b\u673a\u53f7'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a11590>>
| | | <_UILabelContentLayer: 0x283b34a80> (layer)
| | <UIFieldEditor: 0x1073b4c00; frame = (0 0; 309 42); text = ''; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x283652c70>; layer = <CALayer: 0x283b2dd00>; contentOffset: {0, 0}; contentSize: {309, 42}; adjustedContentInset: {0, 0, 0, 0}>
| | | <_UITextFieldCanvasView: 0x117169530; frame = (0 0; 309 42); opaque = NO; userInteractionEnabled = NO; layer = <_UITextTiledLayer: 0x28085d8c0>>
| | | | <UITextSelectionView: 0x1171a6d20; frame = (0 0; 0 0); userInteractionEnabled = NO; layer = <CALayer: 0x283b3a260>>
| | | | | <UIView: 0x1179a4810; frame = (0 0; 2 42); userInteractionEnabled = NO; layer = <CALayer: 0x283b3d9c0>>
| <UIView: 0x11712f6f0; frame = (24 233.556; 327 1); layer = <CALayer: 0x283b2e7e0>>
| <UIButton: 0x1171bbd80; frame = (0 401; 375 50); opaque = NO; layer = <CALayer: 0x283b2e880>>
| | <UIImageView: 0x117194e00; frame = (0 0; 375 50); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x283b34f20>>
| | <UIButtonLabel: 0x106cd0180; frame = (145 13; 85 24); text = '\u83b7\u53d6\u9a8c\u8bc1\u7801'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a1f840>>
| | | <_UILabelContentLayer: 0x283b35200> (layer)
| <UILabel: 0x1171b5b40; frame = (24 246.5; 327 20); text = '\u4e3a\u4e86\u60a8\u7684\u8d26\u53f7\u5b89\u5168\uff0c\u8bf7\u7ed1\u5b9a\u624b\u673a\u53f7'; hidden = YES; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a1f7f0>>
| | <_UILabelContentLayer: 0x283b34ec0> (layer)
| <UILabel: 0x11717c3d0; frame = (24 372.5; 327 18); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a1dc70>>
| | <_UILabelContentLayer: 0x283b35140> (layer)
| <BDSVerifyCodeInputView: 0x117147b90; frame = (24 168.889; 327 54); hidden = YES; layer = <CALayer: 0x283b2eb00>>
| | <UITextField: 0x11718d1b0; frame = (0 8; 2 38); text = ''; opaque = NO; tintColor = UIExtendedGrayColorSpace 0.25098 1; gestureRecognizers = <NSArray: 0x283648720>; layer = <CALayer: 0x283b2eb20>>
| | | <_UITextFieldCanvasView: 0x1171bd3d0; frame = (0 0; 2 38); opaque = NO; userInteractionEnabled = NO; layer = <_UITextTiledLayer: 0x28085da70>>
| | <BDSVerifyCodeInputLabel: 0x1179b3330; baseClass = UILabel; frame = (0 0; 327 54); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a15860>>
| | | <_UILabelContentLayer: 0x283b35820> (layer)
| <UILabel: 0x11792be30; frame = (0 231.778; 375 20); text = '\u9a8c\u8bc1\u7801\u9519\u8bef'; hidden = YES; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a15770>>
| | <_UILabelContentLayer: 0x283b35080> (layer)
| <BDSRegisterProtocolView: 0x117958e20; frame = (39 361; 297 38); layer = <CALayer: 0x283b32c20>>
| | <UIButton: 0x1179f8ec0; frame = (10 10; 18 18); opaque = NO; layer = <CALayer: 0x283b32b60>>
| | | <UIImageView: 0x11717e320; frame = (0 0; 18 18); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x283b359e0>>
| | <TTTAttributedLabel: 0x117920400; baseClass = UILabel; frame = (32 9; 255 20); text = '\u6211\u5df2\u9605\u8bfb\u5e76\u540c\u610f\u201c\u7528\u6237\u534f\u8bae\u201d\u548c\u201c\u9690\u79c1\u653f\u7b56\u201d'; gestureRecognizers = <NSArray: 0x28366c2a0>; layer = <_UILabelLayer: 0x281a145a0>>
| | | <_UILabelContentLayer: 0x283b35300> (layer)
| <UIButton: 0x1179dfa80; frame = (145 140.481; 17 17); hidden = YES; opaque = NO; layer = <CALayer: 0x283b32b20>>
| | <UIImageView: 0x11715ed00; frame = (0 0; 17 17); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x283b35a00>>
| <UIView: 0x1179bf5e0; frame = (24 249.5; 128 24); layer = <CALayer: 0x283b32500>>
| | <ArticlePlatformLoginView: 0x11791bb60; frame = (0 0; 128 24); layer = <CALayer: 0x283b32f60>>
| | | <BDSAlphaThemedButton: 0x117159ab0; baseClass = UIButton; frame = (104 0; 24 24); opaque = NO; layer = <CALayer: 0x283b2f300>>
| | | | <UIImageView: 0x11717a9b0; frame = (0 0; 24 24); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x283b35860>>
| | | <UILabel: 0x11710ec00; frame = (0 2; 84 20); text = '\u5176\u5b83\u65b9\u5f0f\u767b\u5f55'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x281a1f570>>
| | | | <_UILabelContentLayer: 0x283b357a0> (layer)`
cy# 登錄
throw new ReferenceError("Can't find variable: \u767b\u5f55")
cy# #0x117917e10.text = '逆向調(diào)試'
"\u9006\u5411\u8c03\u8bd5"
cy# #0x117917e10.size = MJSizeMake(200,30)
{0:200,1:30}
-
效果圖如下:
皮皮蝦APP吕朵,逆向調(diào)試
-
