iOS Reverse Engineering: Runtime Analysis with Cycript

iOS Reverse Engineering: Runtime Analysis with Cycript (the WeChat app)

Live modification with Cycript. In this article we use the WeChat app for all of the tests. Once WeChat is installed, make sure it is running in the foreground: if the app is in the background it is suspended, and you cannot do anything with it.

1) Connect to the phone with ssh (look up how to use SSH yourself!)

wanggangdeMacBook-Pro:~ wanggang$ ssh [email protected]
// enter the ssh password
[email protected]'s password:

2) Hook the process. Once the app is running, first find its process id, then attach to it with cycript -p.

// connect to the phone
wanggangdeMacBook-Pro:~ wanggang$ ssh [email protected]
// enter the password
[email protected]'s password:
shujinokinakenkou:~ root# ps aux | grep "weather"
mobile 15312 0.0 2.2 897008 21904 ?? Us 6:50PM 0:07.76 /var/mobile/Containers/Bundle/Application/A402E082-7FA0-40DC-9423-ADA502E06CE2/com.yahoo.weather-35524-distribution.app/yweather
root 15352 0.0 0.0 538432 496 s000 R+ 7:04PM 0:00.02 grep weather
shujinokinakenkou:~ root# cy#
-sh: cy#: command not found
// hook WeChat: list the process ids owned by mobile
shujinokinakenkou:~ root# ps aux | grep WeChat
root 15361 7.1 0.1 538432 536 s000 S+ 7:08PM 0:00.05 grep WeChat
mobile 15323 1.1 4.5 1041712 45096 ?? Ss 6:50PM 0:12.23 /var/mobile/Containers/Bundle/Application/B02EC742-D61A-4F7B-B5DC-9598FF2DD165/WeChat.app/WeChat
shujinokinakenkou:~ root# cycript 15312
*** _assert(!stream->fail()):../Console.cpp(1098):Main
// hook the process id: WeChat's process id is 15323, the number right after "mobile"
shujinokinakenkou:~ root# cycript -p 15323
// from here on we debug in the cy language
cy# var delegate = UIApp.delegate
#""
cy# var window = delegate.window
#"; layer =>"

cy# var rootVC = windown.rootViewController

throw new ReferenceError("Can't find variable: windown")

If you see output like the following, the process has been hooked successfully:

root    15361  7.1  0.1  538432    536 s000  S+    7:08PM  0:00.05 grep WeChat

mobile  15323  1.1  4.5  1041712  45096  ??  Ss    6:50PM  0:12.23 /var/mobile/Containers/Bundle/Application/B02EC742-D61A-4F7B-B5DC-9598FF2DD165/WeChat.app/WeChat

Once the hook succeeds you get a Cycript interpreter. You can obtain instances with Objective-C syntax, for example [UIApplication sharedApplication].
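Steps 1 and 2 as a small script, added here as an example that is not from the original post. It assumes the process name WeChat, the app running as user mobile, and cycript on the PATH; it picks the PID the way the post does by hand and refuses to attach when it finds none, so the wrong PID (the weather app's 15312 above) never reaches cycript.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the WeChat
# process runs as user "mobile", its binary path ends in /WeChat.app/WeChat,
# and cycript is installed on the device. Run this over ssh on the phone.

# wechat_pid: read ps(1) output on stdin and print the PID of the WeChat
# process. The "grep WeChat" line (owned by root, no app path) and any
# other mobile app (e.g. the weather app) are skipped.
wechat_pid() {
    while read -r user pid rest; do
        case "$user:$rest" in
            mobile:*/WeChat.app/WeChat*) echo "$pid"; return 0 ;;
        esac
    done
    return 1
}

# attach: hook the running WeChat process, or explain why not.
attach() {
    pid=$(ps aux | wechat_pid)
    if [ -z "$pid" ]; then
        echo "WeChat is not running; bring it to the foreground first" >&2
        return 1
    fi
    echo "attaching to WeChat pid $pid" >&2
    cycript -p "$pid"
}

# Constructed sample of the ps output shown in the post, for offline checking.
SAMPLE_PS='root 15361 7.1 0.1 538432 536 s000 S+ 7:08PM 0:00.05 grep WeChat
mobile 15312 0.0 2.2 897008 21904 ?? Us 6:50PM 0:07.76 /var/mobile/Containers/Bundle/Application/A402E082-7FA0-40DC-9423-ADA502E06CE2/com.yahoo.weather-35524-distribution.app/yweather
mobile 15323 1.1 4.5 1041712 45096 ?? Ss 6:50PM 0:12.23 /var/mobile/Containers/Bundle/Application/B02EC742-D61A-4F7B-B5DC-9598FF2DD165/WeChat.app/WeChat'

# On the device, call: attach
```

Feeding SAMPLE_PS through wechat_pid yields 15323, the same PID the post reads off the ps line by hand.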

3) Hands-on

Run the commands to hide and show the status bar:

cy# var delegate

cy# [[UIApplication sharedApplication] setStatusBarHidden:YES]

cy# [[UIApplication sharedApplication] setStatusBarHidden:NO]

cy# [[UIApplication sharedApplication] setStatusBarHidden:YES]


cy# [[UIApplication sharedApplication] setStatusBarHidden:NO]

cy# [[UIApplication sharedApplication] setStatusBarHidden:YES]

cy# [[UIApplication sharedApplication] setStatusBarHidden:NO]


Result: as the commands run you can see the status bar disappear and reappear.

[GIF 导航栏显示和隐藏.gif: status bar shown and hidden]

Run the following command to pop up an alert inside the WeChat app:

cy# [[[UIAlertView alloc] initWithTitle:@"cy" message:@"guanzhuwo" delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil] show]


Result:

[GIF 弹框提示.gif: alert shown]

Run the following commands to change the badge value:

cy# [[UIApplication sharedApplication] setApplicationIconBadgeNumber:1000]


cy# [[UIApplication sharedApplication] setApplicationIconBadgeNumber:100]

cy# [[UIApplication sharedApplication] setApplicationIconBadgeNumber:1]

Result (watch the small red dot at the top right of the WeChat icon change):

[GIF badge更改.gif: badge changed]

With the header files, IDA decompilation and Cycript together, we can verify all sorts of guesses about WeChat's code, but stringing those guesses together into a working Tweak takes a lot of repeated experimentation.
