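Cycript is a hybrid of Objective-C++, ES6 (JavaScript), Java and other syntaxes.
cycript is a powerful tool developed by saurik that lets developers interact with an application from the command line, inspecting and modifying it while it runs.
The tool mixes Objective-C and JavaScript and can interact with, and even modify, an application in real time. Its website is given below, and the complete package can be downloaded from the official site. There are two ways to use it: one is to install it through MobileSubstrate on a jailbroken device, which makes it usable in every app; the other is to integrate cycript into your own application as a static library, which does not require a jailbreak but of course only works inside your own app.
It can be used to explore, modify, and debug running Mac/iOS apps.
Official site: http://www.cycript.org/
Documentation: http://www.cycript.org/manual/
Install Cycript through Cydia to debug running apps on the iPhone.
The ps command (install adv-cmds)
ps is short for "process status"; the ps command lists the processes currently running on the system.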
List all processes:
ps -A
ps aux
2137 ?? 0:59.31 /var/mobile/Containers/Bundle/Application/D556338A-25F8-45CC-A150-AC939D6641CD/QQMusic.app/
2179 ?? 0:00.17 sshd: root@ttys000
2183 ?? 0:15.22 /var/mobile/Containers/Bundle/Application/6A8651C7-BE70-40C7-B42B-6740D55DC000/pinduoduo.ap
The output shows that the running apps are Pinduoduo and QQ Music.
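Starting and quitting Cycript
cycript
cycript -p <process ID>
cycript -p <process name>
Cancel input: Ctrl + C
Quit: Ctrl + D
Clear screen: Command + R
Common syntax
UIApp (the same as [UIApplication sharedApplication])
Get an object by its memory address:
#<memory address>
Define a variable:
var <name> = <value>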
NingPeiChaodeMacBook-Pro-3:python-client ning$ ssh root@192.168.1.21
130:~ root# cycript
130:~ root# cycript -p pinduoduo
cy# UIApp
#"<UIApplication: 0x17d8e7b0>"
cy# UIApp.keyWindow
#"<UIWindow: 0x19009d50; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x19023540>; layer = <UIWindowLayer: 0x19095580>>"
cy# UIApp.keyWindow.rootViewController()
throw new TypeError("Instance is not a function (evaluating 'UIApp.keyWindow.rootViewController()')")
cy# UIApp.keyWindow.rootViewController
#"<AMTabBarController: 0x17e01610\xef\xbc\x8cselectedIndex = 0, presentedViewController = (null), viewControllers = (\n \"<AMNavigationController: 0x1826b400, viewControllers = (\\n \\\"<PDDHomeViewController: 0x17ff7650>\\\"\\n)>\",\n \"<AMNavigationController: 0x18a1fc00, viewControllers = (\\n \\\"<PDDPersonalizedRecommendViewController: 0x17e013c0>\\\"\\n)>\",\n \"<AMNavigationController: 0x18a1a600, viewControllers = (\\n \\\"<PDDSearchViewController: 0x1911fad0>\\\"\\n)>\",\n \"<AMNavigationController: 0x18a64000, viewControllers = (\\n \\\"<PDDChatTabViewController: 0x19122180>\\\"\\n)>\",\n \"<AMNavigationController: 0x18a6c400, viewControllers = (\\n \\\"<PDDNewPersonalSceneViewController: 0x190ba100>\\\"\\n)>\"\n)>"
cy#
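As shown, the basic syntax is enough to print the current app's root view controller and its memory address. Note that rootViewController is read as a property; calling it as rootViewController() raises the TypeError shown above.
Common syntax 2
Recursively print all subviews of a view (the same function as in LLDB)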
view.recursiveDescription().toString()
Select all objects of a given type
choose(UIViewController)
choose(UITableViewCell)
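With this basic syntax we can attach to an app and inspect its UI. A script that wraps these calls is available at https://github.com/CoderMJLee/mjcript; I am borrowing MJ's work here.
Place the .cy file in the /usr/lib/cycript0.9 directory. Copying the file to the remote device with scp is not repeated here, since it was covered earlier.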
cy# @import mjcript
{}
cy# MJFrontVc()
#"<PDDPhoneLoginViewController: 0x18c18c00>"
cy# MJVcSubviews(#0x18c18c00)
`<UIView: 0x1958f5d0; frame = (0 64; 320 504); autoresize = W+H; gestureRecognizers = <NSArray: 0x19511920>; layer = <CALayer: 0x1955b7f0>>
| <UIView: 0x19597ae0; frame = (0 12; 320 92); layer = <CALayer: 0x19534c70>>
| | <UIView: 0x19595b80; frame = (0 0; 320 0.5); layer = <CALayer: 0x19569310>>
| | <UILabel: 0x192d9df0; frame = (15 14; 60 18); text = '\u624b\u673a\u53f7\u7801'; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x195885a0>>
| | | <_UILabelContentLayer: 0x196cf880> (layer)
| | <UITextField: 0x1953b500; frame = (99 0.5; 213 45); text = ''; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x1968de10>; layer = <CALayer: 0x1955d540>>
| | | <UITextFieldLabel: 0x1957d430; frame = (0 0; 213 44); text = '\u8bf7\u8f93\u5165\u624b\u673a\u53f7\u7801'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x192ecba0>>
| | | | <_UILabelContentLayer: 0x196d09a0> (layer)
| | | <UIFieldEditor: 0x1846d800; frame = (0 0; 213 45); text = ''; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x1963a250>; layer = <CALayer: 0x1966b8f0>; contentOffset: {0, 0}; contentSize: {213, 45}>
| | | | <_UIFieldEditorContentView: 0x1968a8a0; frame = (0 0; 213 45); opaque = NO; userInteractionEnabled = NO; gestureRecognizers = <NSArray: 0x1957dce0>; layer = <CALayer: 0x19664ad0>>
| | | | | <UITextSelectionView: 0x196caa70; frame = (0 0; 0 0); userInteractionEnabled = NO; layer = <CALayer: 0x196cac70>>
| | | | | | <UIView: 0x195c1e50; frame = (0 12; 2 19.395); alpha = 0; userInteractionEnabled = NO; animations = { opacity=<CABasicAnimation: 0x1952bff0>; }; layer = <CALayer: 0x195c1ec0>>
| | | | <UIImageView: 0x19699d60; frame = (210.5 -36; 2.5 36); alpha = 0; opaque = NO; autoresize = LM; userInteractionEnabled = NO; layer = <CALayer: 0x1964c9f0>>
| | | | <UIImageView: 0x1967f7b0; frame = (-36 42.5; 36 2.5); alpha = 0; opaque = NO; autoresize = TM; userInter
cy# MJInstanceMethodNames(#0x18c18c00)
[&"setupSubviews",&"setupLayout",&"setLoginButton:",&"startTimer:",&"bottomLine",&"setBottomLine:",&"successCallback",&"setSuccessCallback:",&"topLine",&"setTopLine:",&"constraintWithMASConstraint:",&"canChangeXibToCode",&"removeSubviews",&"licenseButton",&"setLicenseButton:",&"loginButtonText",&"setTrackerBlock:",&"serveForWechatUnusual",&"doneWithNumberPad",&"phoneTextField",&"onPhoneChange",&"codeTextField",&"onAccessCodeChange",&"enableCodeButton:",&"login:forEvent:",&"readedLabel",&"setPhoneEndTimeMap:",&"setValidPhone:",&"setValidCode:",&"setCodeButtonClicked:",&"setRiskTouchInfo:",&"refreshLoginButton",&"restartTimerIfNeeded",&"trackerBlock",&"pageViewLog",&"inputAreaView",&"phoneTipLabel",&"middleLine",&"codeTipLabel",&"codeButtonBorder",&"codeButton",&"licenseLabel",&"setTopViewTopConstraint:",&"setMiddleLineLeftConstraint:",&"setMiddleLineRightConstraint:",&"setPhoneTextFieldLeftConstraint:",&"setInputAreaView:",&"setPhoneTipLabel:",&"setPhoneTextField:",&"setMiddleLine:",&"setCodeTipLabel:",&"setCodeTextField:",&"setCodeButtonBorder:",&"setCodeButton:",&"sendCode:forEvent:",&"setReadedLabel:",&"viewLicense:",&"setLicenseLabel:",&"unlistenLoginVerifyResult",&"destroyTimer",&"validPhone",&"validCode",&"codeButtonClicked",&"getMobileMessageSuccess",&"startCountDownTimer:",&"riskTouchInfo",&"graphVerifyHandle",&"setGraphVerifyHandle:",&"doSendCode:",&"useLoginCredit",&"loginCredit",&"setIsRequestingCode:",&"presentVerificationViewController:",&"showErrorMessage:",&"isRequestingCode",&"gatherTouchEvent:forButton:",&"isPhoneStillInCountDown:",&"clickSendButtonLog",&"pushToWebViewTitle:",&"showErrorMessageOnSuperVC",&"showLoadingVisible:",&"handleLoginToVerify:",&"clickLoginButtonLog",&"listenLoginVerifyResult",&"onReceiveLoginVerifyResult:",&"checkPhone:",&"isPhoneStillCountDownForCurrentTimer:",&"phoneEndTimeMap",&"checkAccessCode:",&"fuzzyMobile",&"setPhoneInCountDown:",&"onCountdown",&"setCountdownTimer:",&"setLeftSeconds:",&"leftSeconds",&"countdownTimer",&
"phoneInCountDown",&"setShowErrorMessageOnSupe
cy#
As shown, by specifying the controller's memory address we printed all of its subviews and its method names.
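As an added example (not part of the original post or of mjcript), the Node.js code below parses a dump in the format printed above into a tree, decoding the \uXXXX escapes in text attributes and tolerating a line that is cut off mid-way, as the last line of the dump above is. The sample dump and all function names are constructed for illustration.

```javascript
// Added example: parse a UIKit recursiveDescription dump into a tree.
// SAMPLE is constructed; it only mimics the layout of the dump shown above.
const SAMPLE = [
  "<UIView: 0x1000; frame = (0 64; 320 504); autoresize = W+H; layer = <CALayer: 0x1001>>",
  "   | <UIView: 0x1010; frame = (0 12; 320 92); layer = <CALayer: 0x1011>>",
  "   |    | <UILabel: 0x1020; frame = (15 14; 60 18); text = '\\u624b\\u673a\\u53f7\\u7801'; layer = <_UILabelLayer: 0x1021>>",
  "   |    |    | <_UILabelContentLayer: 0x1030> (layer)",
  "   |    | <UITextField: 0x1040; frame = (99 0.5; 213 45); text = ''; clipsToBounds = YES; layer = <CALayer: 0x1041>>",
  "   |    |    | <UIImageView: 0x1050; frame = (-36 42.5; 36 2.5); alpha = 0; userInter", // truncated line
].join("\n");

// Turn the \uXXXX escapes that cycript prints into real characters.
function decodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function parseViewDump(dump) {
  const root = { depth: -1, children: [] };
  const stack = [root]; // path from the root to the most recent node
  for (const line of dump.split("\n")) {
    const m = /^([\s|`]*)<([A-Za-z_]\w*): (0x[0-9a-fA-F]+)(.*)$/.exec(line);
    if (!m) continue; // blank line or leftover of a wrapped line
    const depth = (m[1].match(/\|/g) || []).length; // one '|' per nesting level
    const frame = /frame = \(([-\d.]+) ([-\d.]+); ([-\d.]+) ([-\d.]+)\)/.exec(m[4]);
    const text = /text = '((?:[^'\\]|\\.)*)'/.exec(m[4]);
    const node = {
      depth, cls: m[2], address: m[3],
      frame: frame ? frame.slice(1, 5).map(Number) : null, // [x, y, width, height]
      text: text ? decodeEscapes(text[1]) : null,
      children: [],
    };
    while (stack[stack.length - 1].depth >= depth) stack.pop();
    stack[stack.length - 1].children.push(node);
    stack.push(node);
  }
  return root.children;
}

// Collect every node of one class, depth-first.
function findByClass(nodes, cls, out = []) {
  for (const n of nodes) {
    if (n.cls === cls) out.push(n);
    findByClass(n.children, cls, out);
  }
  return out;
}

const tree = parseViewDump(SAMPLE);
for (const f of findByClass(tree, "UITextField")) console.log(f.cls, f.address, f.frame);
```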
Methods can of course be called as well; here is a demonstration.
cy# [#0x18c18c00 doSendCode:@"123123"]
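From the listed method names, we guessed that sending the verification code is probably handled by the doSendCode: method, so we tried calling it.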
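This is only a demonstration of the basic usage; there is much more you can try for yourself. Later posts will show how to hook an app so that it calls our own methods.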