2018-09-30

下载地址

http://www.cycript.org/

先查找进程名称

ps aux //查找所有进程
ps aux | grep HuaYang //查找指定进程名的进程信息

注入到进程 

cycript -p SpringBoard
//创建一个弹窗
var alert = [[UIAlertView alloc] initWithTitle:@"\u0063\u0079\u0063\u0072\u0069\u0070\u0074\u8c03\u8bd5" message:@"cp666" delegate:nil cancelButtonTitle:@"OK" otherButtonTitles:nil] 
return #"<UIAlertView: 0x10b0665a0; frame = (0 0; 0 0); layer = <CALayer: 0x170621280>>"
[alert show]
[alert release]
//如果知道一个对象在内存中的地址，可以通过“#”操作符来获取这个对象 
[#0x10b0665a0 show] 
//如果知道一个类对象存在当前进程中，却不知道它的地址，不能通过“#”操作符来获取它，此时，不妨试试choose命令
choose(UIAlertView)
return [#"<UIAlertView: 0x10b0665a0; frame = (0 0; 0 0); layer = <CALayer: 0x170621280>>"]

//打印出当前界面的view层级
UIApp.keyWindow.recursiveDescription().toString() 

//Now
/var/containers/Bundle/Application/7D69E3D5-8FF6-4BBD-937E-42A45C70C5E2/HuaYang.app/HuaYang
cycript -p HuaYang
UIApp.keyWindow.recursiveDescription().toString() //打印所有UI


//通过view的nextResponder方法，可以找出它所属的视图控制器ViewController
[#0x1552d1da0 nextResponder] 
#"<PLBorderButton: 0x155343ce0; baseClass = UIButton; frame = (164 0; 131 46); hidden = YES; opaque = NO; layer = <CALayer: 0x155343a30>>"
screen = #0x155343ce0
screen.hidden = NO 


recursiveDescription － 打印UIView对象
[[UIApp keyWindow] recursiveDescription].toString()

_printHierarchy － 直接打印所有UIViewController
[[[UIWindow keyWindow] rootViewController]  _printHierarchy].toString()
 
_autolayoutTrace - recursiveDescription的简化版，去掉了UIView的一些描述
[[UIApp keyWindow] _autolayoutTrace].toString()

_ivarDescription - 打印某个对象所有instance的名字和值
[choose(SBApplication)[0] _ivarDescription].toString()


_methodDescription - 打印某个对象的属性，实例和类方法
[choose(SBApplicationController)[0] _methodDescription].toString()
[#0x104cf95e0 _methodDescription].toString()

找到目标App的Documents目录路径
cycript -p TargetApp
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0] 


获取bundle info
[[NSBundle mainBundle] infoDictionary].toString()

触发UIControlEventTouchUpInside事件。
[[choose(UIButton) objectAtIndex:0] sendActionsForControlEvents:UIControlEventTouchUpInside]
[#0x15d101c00 sendActionsForControlEvents:4095]


cy# var sender = [[[[[UIApplication sharedApplication] keyWindow] subviews] objctAtIndex:0] nextResponder]
#"<ViewController: 0x159d15770>"
cy# [sender showImage:sender]