
Common cycript commands (Powerful private methods)

Hegel_Gu / 2079 reads


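Preface

Cycript is a JavaScript interpreter that understands Objective-C syntax. It can hook into a running process and modify many things at runtime, and we generally use it for dynamic debugging of applications. If the code to be debugged is written in Objective-C, debugging with cycript is very convenient; if it is written in C, debug it with lldb.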

Installing Cycript

Official site:
GitHub:

@import Substrate, so we can use MS.hookFunction

cy# @import com.saurik.substrate.MS
iPhone:/usr/lib/cycript0.9/com/saurik/substrate root# ls -lrt
total 4
-rw-r--r-- 1 root staff 1968 Jan 11  2016 MS.cy

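When starting a reverse-engineering analysis, cycript is often used to locate the view controller class. A tool that provides similar functionality is AFlexLoader.

Injection methods

cycript injection

The way cycript injects a dynamic library only works in a jailbroken environment.

cycript works by dynamic library injection, but its mechanism differs from the common approach of injecting a dynamic library into the executable through LC_LOAD_DYLIB. What cycript does is: it attaches to the target application; because it has the necessary privileges on a jailbroken device, it creates a suspended thread directly in the target process, allocates a region of memory in that thread for loading the dynamic library, and then resumes the thread, at which point the dynamic library is injected.

Injecting a dynamic library by repackaging

Injecting a dynamic library by repackaging is done by modifying the executable's Load Commands. An LC_LOAD_DYLIB command carrying the dylib path is added to the Load Commands, so that when the program runs, the loader processes this LC_LOAD_DYLIB, finds the dylib to inject, and loads it.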

Powerful private methods

_ivarDescription

_shortMethodDescription

nextResponder

_autolayoutTrace

recursiveDescription

_methodDescription

Common cycript commands

Formatting

.toString()

Get an object from its address.

#address
cy# [#0x1031f9b0]
[#">"]

bundleIdentifier

 [[NSBundle mainBundle] bundleIdentifier]

Executable file

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]

First, find the process name

iPhone:~ root# ps -e |grep  /var/mobile*

Inject Into Processes

iPhone:~ root# cycript -p Moon

Objective-C Messages

cy# [UIApp description]
@""
cy# [#0x4870560 _ivarDescription].toString()
`:
in DFApplication:
in UIApplication:
	_delegate (*): 

JavaScript Extensions

cy# [for (x of [1,2,3]) x+1]
[2,3,4]

Bridged Object Model

cy# choose(CALayer) instanceof Array
true

Foreign Function Calls

cy# var a = malloc(128)
(typedef void*)(0x8b00b90)

Magical Tab-Complete

cy# a = ({m: 4, b: 5})
{m:4,b:5}
cy# a["m"]
4

C++11 Lambda Syntax

cy#  [&](int a)->int{return a}
(extern "C" int 80904192(int))

Print the view hierarchy of the current screen

cy# UIApp.keyWindow.recursiveDescription().toString()
`; layer = >
   | >
   |    | >
   |    |    | >
   |    |    |    | ; layer = >
   |    |    |    |    | >
   |    |    |    |    |    | >
   |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    |    |    |    | >
   |    |    |    |    |    |    |    |    |    |    |    | 

Using a view's nextResponder method, you can find the view controller (ViewController) it belongs to

cy# [#0x181009f0 nextResponder]
#""

Next, MoonWXParentViewController can be hooked and analyzed

Powerful private methods for debugging in Cycript & LLDB

_shortMethodDescription is used for setting breakpoints in LLDB

_printHierarchy

Shortcut to find the ViewController’s class name on the keyWindow

A quick way to get the ViewController.

cy# [[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
`, state: appeared, view: 
   | , state: disappeared, view:  not in the window
   |    | , state: disappeared, view:  not in the window
   |    |    | , state: disappeared, view:  not in the window
   |    | , state: disappeared, view:  not in the window
   |    | , state: disappeared, view:  not in the window
   |    | , state: disappeared, view:  not in the window
   | , state: disappeared, view:  not in the window
   | , state: disappeared, view:  not in the window
   | , state: appeared, view: `

Supported on iOS 8 and later

_ivarDescription

Prints all names and values of instance variables of a specified object

Much more convenient than printing the properties one by one

cy# [#0x5822600 _ivarDescription].toString()
`:
in H5WebViewController:
	_fontScale (NSString*): @"100%"<__NSCFConstantString: 0x338132c>
	_is3DTouchPeek (BOOL): 0
	_is3DTouchPop (BOOL): 0
	_gestureBack (BOOL): 0
	_isFromNavigationBarHidden (BOOL): 0
	_webPageLoadSuccess (BOOL): 1
	_isBackProcessing (BOOL): 0
	_isBackProcessed (BOOL): 0
	_hideLeftButtonsByJs (BOOL): 0
	_isDefaultOptionMenu (BOOL): 0
	_isWebViewBackgroundColorSetted (BOOL): 1
	_pullRefreshing (BOOL): 1
	_isFromStatusBarHidden (BOOL): 0
	_isInitAsSubView (BOOL): 0
	_isDissmissProcess (BOOL): 0
	_isAphaOverLimit (BOOL): 0
	_isWebLoading (BOOL): 0
	_isWebFinishLoad (BOOL): 1
	_isViewAppeared (BOOL): 1
	_isViewAppearAgain (BOOL): 0
	_isViewWillDisAppear (BOOL): 0
	_isViewDidDisAppear (BOOL): 0
	_isAlipaySchemeWillRedirect (BOOL): 0
	_isAlipaySchemeDidRedirect (BOOL): 0
	_isAddObserver (BOOL): 0
	_isFromStartApp (BOOL): 0
	name (NSString*): nil
	_serviceDelegate (*): nil
	_contentView (PSDView*): nil
	_delegate (*): 
	_statesView (UIView*): 
	_customPreviewActionItems (NSArray*): nil
	_interceptUrl (NSString*): nil
	_appConfig (NSDictionary*): nil
	_url (NSURL*): https://render.alipay.com/p/f/fd-j6lzqrgm/addressbook.html
	_lastPageId (NSString*): nil
	_refreshHeaderView (AUPullLoadingView*): nil
	_stickyBouncer (H5StickyBouncer*): nil
	_backDate (NSDate*): nil
	_backBtnPressCount (int): 0
	_serverErrorView (APExceptionView*): nil
	_fontBar (H5AdjustFontControl*): nil
	_statusBarStyle (int): 0
	_htmlZoomValue (NSString*): @"1"<__NSCFString: 0x11130b50>
	_lastMainRequest (NSURLRequest*): 
	_failureNumber (int): 0
	_webviewDomainLabel (UILabel*): 
	_delayExecList (NSMutableArray*): <__NSArrayM: 0x110794a0>
	_paddingBottom (float): 0
	_externNativeApiManager (H5ExternNativeApiManager*): 
	_startLoadTime (NSDate*): <__NSDate: 0x11102510>
	_co
cy# [#0x5822600 url]
#"https://render.alipay.com/p/f/fd-j6lzqrgm/addressbook.html"

_autolayoutTrace

The hierarchy shown is based on layout

cy# [[UIApp keyWindow] _autolayoutTrace].toString()
`
UIWindow:0x46c54d0
|   UILayoutContainerView:0x8c1aa10
|   |   UINavigationTransitionView:0x8757090
|   |   |   UIViewControllerWrapperView:0xb68c2d0
|   |   |   |   DTBaseView:0xd8e9180
|   |   |   |   |   H5WebView:0x46ba350
|   |   |   |   |   |   UILabel:0xfb63630"\u7f51\u9875\u7531 render.alipay.com \u63d0\u4f9b"
|   |   |   |   |   |   _UIWebViewScrollView:0xfaaacf0
|   |   |   |   |   |   |   UIWebBrowserView:0x5984a00
|   |   |   |   |   |   |   UIImageView:0xfaa4850
|   |   |   |   |   |   |   UIImageView:0xfaaa940
|   |   |   |   |   UIView:0xd9fa5d0
|   |   |   |   |   NBProgressView:0x1108ae60
|   |   |   |   |   |   UIView:0x1108c790
|   |   APNavigationBar:0x8734d50
|   |   |   _UINavigationBarBackground:0x8735800
|   |   |   |   _UIBackdropView:0x11106fd0
|   |   |   |   |   _UIBackdropEffectView:0x111018d0
|   |   |   |   |   UIView:0x11111bb0
|   |   |   |   UIImageView:0x8735c20
|   |   |   H5NavigationTitleView:0x1114f680
|   |   |   |   UIControl_mainTitleConten...:0xfbf7f70
|   |   |   |   |   UILabel:0x11100e30"\u901a\u8baf\u5f55\u670b\u53cb"
|   |   |   |   UIControl_subtitleContent...:0xfbf7a90
|   |   |   |   |   UILabel:0xb6f4050
|   |   |   |   UIControl_rightIconConten...:0xb681ca0
|   |   |   |   |   UIImageView:0xfbfa810
|   |   |   UIView:0x46a0090
|   |   |   AUBarButtonItemButton_bac...:0x11146fb0
|   |   |   |   UIImageView:0x1112ffe0
|   |   |   |   UILabel:0xfb8a8c0"\u8fd4\u56de"
|   |   |   _UINavigationBarBackIndicatorView:0x8c0a660`

List the processes of installed apps

iPhone:~ root# ps -e |grep  /var/mobile*
  333 ??         0:13.39 /var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/WeChat
  552 ??         0:34.13 /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
  635 ??         5:42.15 /var/mobile/Containers/Bundle/Application/3FDB82B6-8D3A-47BF-A27C-184D1E052854/AlipayWallet.app/AlipayWallet
  923 ??         0:01.37 /var/mobile/Containers/Bundle/Application/3A5795F5-1E2B-42B6-A904-D7BF2178D5EB/KillOneMosquito.app/KillOneMosquito
  928 ttys000    0:00.01 grep /var/mobile

cycript @import

MS

/usr/lib/cycript0.9/com

MS.cy is located in /usr/lib/cycript0.9/com/saurik/substrate, so it can be imported with `cy# @import com.saurik.substrate.MS`.

To import Cycript utils, use it as follows:

Install utils.cy to /usr/lib/cycript0.9/com/tyilo:

mkdir -p /usr/lib/cycript0.9/com
git clone https://github.com/Tyilo/cycript-utils.git /usr/lib/cycript0.9/com/tyilo
Then in cycript:

cy# @import com.tyilo.utils; 0

At this point, git can be installed with apt

iPhone:~ root# apt-get install git
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  curl expat
The following NEW packages will be installed:
  curl expat git
0 upgraded, 3 newly installed, 0 to remove and 16 not upgraded.
Need to get 3065kB of archives.
After this operation, 21.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  curl expat git
Install these packages without verification [y/N]? y
Get:1 http://apt.saurik.com ios/1141.14/main curl 7.33.0-9 [276kB]
Get:2 http://apt.saurik.com ios/1141.14/main expat 2.0.1-3 [69.3kB]
Get:3 http://apt.saurik.com ios/1141.14/main git 2.8.1-5 [2720kB]
Fetched 3065kB in 25s (120kB/s)                                                                                                                                           
Selecting previously unselected package curl.
(Reading database ... 1926 files and directories currently installed.)
Preparing to unpack .../curl_7.33.0-9_iphoneos-arm.deb ...
Unpacking curl (7.33.0-9) ...
Selecting previously unselected package expat.
Preparing to unpack .../expat_2.0.1-3_iphoneos-arm.deb ...
Unpacking expat (2.0.1-3) ...
Selecting previously unselected package git.
Preparing to unpack .../git_2.8.1-5_iphoneos-arm.deb ...
Unpacking git (2.8.1-5) ...
Setting up curl (7.33.0-9) ...
Setting up expat (2.0.1-3) ...
Setting up git (2.8.1-5) ...

After installing "APT 0.6 Transitional" through Cydia for the first time, you can run apt-get update first

iPhone:~ root#  git -c http.sslVerify=false clone https://github.com/zhangkn/cycript-utils.git /usr/lib/cycript0.9/com/tyilo
Cloning into "/usr/lib/cycript0.9/com/tyilo"...
remote: Counting objects: 46, done.
remote: Total 46 (delta 0), reused 0 (delta 0), pack-reused 46
Unpacking objects: 100% (46/46), done.
Checking connectivity... done.

choose: a = choose(MyClass) finds the objects of a given class currently on the heap (Effortless Exploration)

The return value is an array containing all objects of class MyClass found on the heap.

Effortless Exploration

cy# a = choose(UILabel).toString()
">,; layer = <_UILabelLayer: 0x10321d30>>,>,>,>,>,>,>,>,>,>,>,

Hooking Objective-C methods

MS.HookMessage: this function is implemented by calling MSHookMessageEx. Usage:

osx cycript image not found
devzkndeMacBook-Pro:lib devzkn$ /Users/devzkn/Downloads/cycript_0.9.594/cycript 
dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
  Referenced from: /Users/devzkn/Downloads/cycript_0.9.594/Cycript.lib/cycript-apl
  Reason: image not found
Abort trap: 6

Disabling SIP and creating a symbolic link is enough to fix this

devzkndeMacBook-Pro:.ssh devzkn$ sudo mkdir -p /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/
Password:
mkdir: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/: Operation not permitted

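First disable the system's SIP, then run the following commands to create a symbolic link from the originally referenced location to the location of the current newer version: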

sudo mkdir -p /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/
sudo ln -s /System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/libruby.2.3.0.dylib /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib

The fix is also simple: just make a copy of the 2.3 library and rename it to 2.0

/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/lib
