[iOS逆向]19、Theos
2022-02-07 本文已影响0人
史记_d5da
1、Cycript文件管理
1、在 cycript 环境下勾住某个应用
cycript -p AlipayWallet
2、查看脚本 MS.cy
cd /usr/lib/cycript0.9/com/saurik/substrate
3、导入脚本使用
@import com.saurik.substrate.MS
2、查看 AlipayWallet
支付宝
1、
cycript 勾住 AlipayWallet 进程cycript -p AlipayWallet2、将
sj.cy文件导入到 手机中scp -p 12345 sj.cy root@localhost:/usr/lib/cycript0.9/com/shiji/
// sj.cy
//IIFE 匿名函数自执行表达式
(function(exports){
APPID = [NSBundle mainBundle].bundleIdentifier,
APPPATH = [NSBundle mainBundle].bundlePath,
//如果有变化,就用function去定义!!
SJRootVC = function(){
return UIApp.keyWindow.rootViewController;
};
SJKeyWindow = function(){
return UIApp.keyWindow;
};
SJGetCurrentVCFromRootVC = function(rootVC){
var currentVC;
if([rootVC presentedViewController]){
rootVC = [rootVC presentedViewController];
}
if([rootVC isKindOfClass:[UITabBarController class]]){
currentVC = SJGetCurrentVCFromRootVC(rootVC.selectedViewController);
} else if ([rootVC isKindOfClass:[UINavigationController class]]) {
currentVC = SJGetCurrentVCFromRootVC(rootVC.visibleViewController);
} else {
currentVC = rootVC;
}
return currentVC;
};
SJCurrentVC = function(){
return SJGetCurrentVCFromRootVC(SJRootVC());
};
})(exports);
3、导入 sj.cy
@import com.shiji.sj
① 查看当前控制器
cy# SJCurrentVC()
#"<ALULoginInputController: 0x113089a00>"
② 查看当前的页面栈
#0x11308a000.view.recursiveDescription().toString()
views()
当前的登录按钮为
0x11954e240,它的父 view 为 ALULoginVerifyPasswordView③ 登录按钮的
allTargets#0x12147b9a0.allTargets
[NSSet setWithArray:@[#"<AUButton: 0x1214d52f0; baseClass = UIButton; frame = (20 95; 335 49); clipsToBounds = YES; opaque = NO; layer = <CALayer: 0x286d71e80>>",#"<ALULoginInputAccountViewModel: 0x28033e880>"]]]
④ 登录按钮的 allControlEvents
#0x1214d52f0.allControlEvents
64
⑤ 登录事件获取
[#0x1214d52f0 actionsForTarget: #0x28033e880 forControlEvent: 64]
["onLoginMainButtonClicked:"]
3、Theos
1、在终端输入 nic.pl
[1.] iphone/activator_event
[2.] iphone/activator_listener
[3.] iphone/application_modern
[4.] iphone/application_swift
[5.] iphone/cydget
[6.] iphone/flipswitch_switch
[7.] iphone/framework
[8.] iphone/library
[9.] iphone/notification_center_widget
[10.] iphone/notification_center_widget-7up
[11.] iphone/preference_bundle_modern
[12.] iphone/theme
[13.] iphone/tool
[14.] iphone/tool_swift
[15.] iphone/tweak
[16.] iphone/tweak_with_simple_preferences
[17.] iphone/xpc_service
Choose a Template (required):
接下来继续输入操作
// 选择15 代表 选择 iphone/tweak
Choose a Template (required): 15
// 项目名称
Project Name (required): AliPaypwdDemo
// 包名称
Package Name [com.yourcompany.alipaypwddemo]: com.shiji.alipaypwddemo
// 默认 shiji
Author/Maintainer Name [shiji]:
// 需要附加的进程 bundleid-com.alipay.iphoneclient
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.alipay.iphoneclient
// 需要杀掉的进程 AlipayWallet
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: AlipayWallet
Instantiating iphone/tweak in alipaypwddemo/...
Done.
创建完 tweak,会在当前目录下生成文件夹
alipaypwddemo
①
AliPaypwdDemo.plist
{ Filter = { Bundles = ( "com.alipay.iphoneclient" ); }; }
② control
Package: com.shiji.alipaypwddemo
Name: AliPaypwdDemo
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: shiji
Author: shiji
Section: Tweaks
Depends: mobilesubstrate (>= 0.9.5000)
③ MakeFile
// 新增,添加
export THEOS_DEVICE_IP=localhost
export THEOS_DEVICE_PORT=12345
TARGET := iphone:clang:latest:7.0
INSTALL_TARGET_PROCESSES = AlipayWallet
include $(THEOS)/makefiles/common.mk
TWEAK_NAME = AliPaypwdDemo
AliPaypwdDemo_FILES = Tweak.x
AliPaypwdDemo_CFLAGS = -fobjc-arc
include $(THEOS_MAKE_PATH)/tweak.mk
④ Tweak.x
#import <UIKit/UIKit.h>
%hook ALULoginVerifyPasswordViewModel
- (void)onLoginMainButtonClicked: (id)sender {
NSLog(@"\n\n\n -----------🍺🍺🍺🍺🍺🍺🍺🍺🍺🍺成功---------\n\n\n");
}
%end
2、终端输入以下指令
① make
② make package
③ make install
杀掉支付宝 app 重写启动,登录支付宝查看终端日志
4、Reveal
Reveal是一款iOS开发调试工具,可以浏览 iOS 应用层次结构,检查项目并立即解决渲染问题。
Reveal
使用步骤
1、
cd 到 RevealServer.framework 目录下,将 RevealServer 拷贝到 手机中scp -P 12345 RevealServer root@localhost:/Library/RHRevealLoader/libReveal.dylib2、在设置中
Reveal 选项,打开需要调试的 App。
Reveal
