1. Find the application executable
Use port forwarding to improve responsiveness; if your network is good, you can skip this.
sudo tcprelay.py -t 22:22
SSH into the jailbroken phone, open Notes, and look for the process
ps -e | grep /Applications/
The most likely candidate is /Applications/MobileNotes.app/MobileNotes
Run killall MobileNotes. If Notes closes, that is the one.
2. Debug with cycript
Attach to the application with cycript
cycript -p MobileNotes
Inspect the view hierarchy
cy# [UIApp.keyWindow recursiveDescription].toString()
Found:
cy# #0x100597670.nextResponder
#"
cy# #0x10103f800.title = "123"
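The title changes to 123, so the title can be controlled; this is where we will display the count.
Locate the owning ViewController. Because NotesBackgroundView is the background, it is an easy place to start the search from.
3. Find the method in the dumped headers
Look through the dumped ICNoteEditorViewController header file
It contains this method, the familiar delegate method, which can be used to monitor text changes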
-(void)textViewDidChange:(id)arg1;
4. Debug with lldb
Use lldb to check whether this method is actually called
Use IDA to look up the method's address
0000000100033738
Run debugserver *:1234 -a 1220 on the device to serve lldb, then start lldb and connect
/Applications/Xcode.app/Contents/Developer/usr/bin/lldb
process connect connect://192.168.1.10:1234
image list -o -f
[ 0]0x00000000000c4000 /Applications/MobileNotes.app/MobileNotes(0x00000001000c4000)
br s -a 0x1000F7738
With the breakpoint set, we can get the text content, and from the content the updated length
(lldb)po $x0
(lldb)po(char*)$x1
"textViewDidChange:"
(lldb)po $x2
clipsToBounds = YES;gestureRecognizers = ;layer = ;contentOffset: {0,-84};contentSize: {375,61}>
We have confirmed that this method can be used
5. Build the tweak
Next, create the tweak
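The breakpoint address 0x1000F7738 used above is the IDA address 0000000100033738 plus the offset 0x00000000000c4000 printed by image list -o -f. The following added example (not part of the original post) parses that output line and rebases the address; the function names are hypothetical, and it assumes the value in parentheses is the image's load address, as in the line above.

```python
import re

# Line copied from the `image list -o -f` output in the session above.
IMAGE_LIST = "[ 0]0x00000000000c4000 /Applications/MobileNotes.app/MobileNotes(0x00000001000c4000)"

# Layout: [index] <slide> <path>(<load address>)
LINE_RE = re.compile(
    r"^\[\s*\d+\]\s*(?P<slide>0x[0-9a-fA-F]+)\s+(?P<path>.+?)\s*"
    r"\((?P<load>0x[0-9a-fA-F]+)\)\s*$"
)

def parse_image_list(text):
    """Return {path: (slide, load_address)} for each line that parses."""
    images = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            images[m.group("path")] = (int(m.group("slide"), 16),
                                       int(m.group("load"), 16))
    return images

def runtime_address(static_addr, image_list_text, image_suffix):
    """Rebase an address read from the disassembler to its address in the process."""
    hits = [v for p, v in parse_image_list(image_list_text).items()
            if p.endswith(image_suffix)]
    if len(hits) != 1:
        raise LookupError(f"expected one image ending in {image_suffix!r}, found {len(hits)}")
    slide, load = hits[0]
    preferred_base = load - slide  # base address the file on disk was linked at
    if static_addr < preferred_base:
        # Catches a file offset or an already-truncated address being passed in.
        raise ValueError(f"{static_addr:#x} is below the image base {preferred_base:#x}")
    return static_addr + slide

def breakpoint_command(static_addr, image_list_text, image_suffix):
    """Build the lldb command for the rebased address."""
    return f"br s -a {runtime_address(static_addr, image_list_text, image_suffix):#x}"

if __name__ == "__main__":
    print(breakpoint_command(0x100033738, IMAGE_LIST, "/MobileNotes"))
```

The offset changes on every launch because of ASLR, so the image list output has to be read again after each restart of the app.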
nic.pl
NIC 2.0 - New Instance Creator
------------------------------
[1.]iphone/activator_event
[2.]iphone/application_modern
[3.]iphone/application_swift
[4.]iphone/flipswitch_switch
[5.]iphone/framework
[6.]iphone/library
[7.]iphone/preference_bundle_modern
[8.]iphone/tool
[9.]iphone/tool_swift
[10.]iphone/tweak
[11.]iphone/xpc_service
Choose a Template(required): 10
Project Name(required): Characcount
Package Name[com.yourcompany.characcount]: com.lemon.characcount
Author/Maintainer Name[zj]: zj
[iphone/tweak]MobileSubstrate Bundle filter[com.apple.springboard]: com.apple.mobilenotes
[iphone/tweak]List of applications to terminate upon installation(space-separated,'-' for none) [SpringBoard]: MobileNotes
The contents of Tweak.xm are:
#import <UIKit/UIKit.h>

%hook ICNoteEditorViewController
// Show the current character count in the title when the editor appears.
- (void)viewWillAppear:(BOOL)animated {
    %orig;
    UITextView *tv = [self performSelector:@selector(textView)];
    NSString *str = [NSString stringWithFormat:@"%lu", (unsigned long)tv.text.length];
    [self performSelector:@selector(setTitle:) withObject:str];
}
// Clear the title again when leaving the editor.
- (void)viewWillDisappear:(BOOL)animated {
    %orig;
    [self performSelector:@selector(setTitle:) withObject:@""];
}
// Delegate callback: arg1 is the UITextView whose text changed.
- (void)textViewDidChange:(id)arg1 {
    %orig;
    NSString *str = [NSString stringWithFormat:@"%lu", (unsigned long)((UITextView *)arg1).text.length];
    [self performSelector:@selector(setTitle:) withObject:str];
}
%end
The contents of the Makefile are:
THEOS_DEVICE_IP=192.168.1.10
ARCHS = armv7 arm64
TARGET = iPhone:latest:8.0
include /opt/theos/makefiles/common.mk
TWEAK_NAME = Characount
Characount_FILES = Tweak.xm
Characount_FRAMEWORKS=UIKit
include /opt/theos/makefiles/Tweak.mk
after-install::
	install.exec "killall -9 MobileNotes"
With that, the tweak is ready to run
Just run make package install
Then you can see the result