1. 查看信息相关
- 查看越狱设备所有的APP的BundleID (前提需要安装frida-iOS-dump)
MacBookPro:frida-ios-dump-master lemon$ ./dump.py -l
- 查看设备UDID (前提需要安装ideviceinstall)
MacBookPro:~ lemon$ idevice_id -l
- 查看iPA是否已经砸壳 (如果返回cryptid=0代表已砸壳,否则代表未砸壳)
MacBookPro:~ lemon$ otool -l target.app/target | grep cryptid
- 查看设备日志
MacBookPro:~ lemon$ idevicesyslog -u deviceudid
- 给特定的设备安装程序
MacBookPro:~ lemon$ ideviceinstaller -i target.ipa -u deviceudid
- 砸壳 (使用frida)
MacBookPro:frida-ios-dump-master lemon$ ./dump.py BundleID
- class-dump头文件
MacBookPro:~ lemon$ class-dump -s -S -H target.app/target -o /path/to/save/header
- 查看动态库架构
lipo -info
- ssh
ssh root@deviceip
- 查找进程
ps aux | grep /App
ps -e | grep /Applications
- 查找文件
grep -r Header /System/Library/
- 分离fat binary
lipo -thin armv7 WeChat.decrypted -output WeChat_armv7.decrypted
lipo -thin arm64 xxx.decryptec -output xxx.arm64.decrypted
2. LLDB
- 打印UI结构
po [[[UIWindow keyWindow] rootViewController] _printHierarchy] (iOS 8)
po [[UIWindow keyWindow] recursiveDescription]
- 打印调用栈信息
bt (backtrace)
bt all (all threads)
- objc_msgSend参数打印
po $xo
p (char*)$x1
p (SEL)$x1
- 返回地址
p/x $lr
- 增加断点
b -a ox00002224
- 列举模块
image lisg -o -f
- lldb基础指令
c
n
ni
br list
br del
br dis
br en
- 远程调试
debugserver *:1234 -a pid
debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app/AlipayWallet
- 远程连接
proces connect connect://192.168.2.154:1234
- lldb expr例子
(lldb) expr char *$str = (char *)malloc(8)
(lldb) expr (void)strcpy($str, "munkeys")
(lldb) expr $str[1] = 'o'
(char) $0 = 'o'
(lldb) p $str
(char *) $str = 0x00007fd04a900040 "monkeys"
(lldb) x/4c $str
(lldb) x/1w
$str + 3(lldb) expr (void)free($str)
(lldb) expr id $myView = (id)0x7f82b1d01fd0
(lldb) expr (void)[$myView setBackgroundColor:[UIColor blueColor]]
(lldb) expr (void)[CATransaction flush]
(lldb) po [$myButton allTargets]
(lldb) p (ptrdiff_t)ivar_getOffset((struct Ivar *)class_getInstanceVariable([MyView class], "_layer"))
- 给断点增加命令
(lldb) br command add 1
Enter your debugger command(s). Type 'DONE' to end.
> register read $rdi
> c
> DONE
(lldb)
- 修改寄存器的值
register write x0 1
3. Cycript
- 查看当前界面的元素层级结构
cy# [[UIApp keyWindow]recursiveDescription].toString()
- 查看当前keywindow的根控制器的所有subView
cy# [[[UIApp keyWindow] rootViewController] _printHierarchy].toString()
- 输出简单的视图信息
cy# [[UIApp keyWindow] _autolayoutTrace].toString()
- 查看一个实例的所有ivar
cy# [choose(SBApplication)[0] _ivarDescription].toString()
- 查看一个class的对象方法和类方法
cy# [choose(SBApplicationController)[0] _methodDescription].toString()
- 访问对象和实例
cy# [#0xb226710 url]
@"ww4fd1rfRDShBo_4K6rqfwAAACMAAQED"
cy# c = #0x1752d8c0
cy#"<FavAudioPlayerController: 0x1752d8c0; frame = (0 0; 290 60); autoresize = W; layer = <CALayer: 0x172dc2b0>>"
cy# c->m_audioInfo
cy#"<FavAudioInfo: 0x172b2a30>"
cy# c->m_audioInfo.m_nsAudioPath
网友评论