After fiddling with reverse engineering for a long time, I have finally taken a small step, haha!
I don't want to write too much here, because there is a lot to unpack and it can't all be covered at once. If anything is unclear, see the previous two articles, or message me and we can study it together.
Project code: http://git.oschina.net/lishangkai/reverseproject
Dumping the decrypted binary (砸壳):
localhost:~ shangkai$ ssh root@192.168.1.47
root@192.168.1.47's password:
lishangkaide-iPhone4:~ root# ps -e
Note the bold line (?? stands for a tab)
535 ?? 0:00.03 /System/Library/PrivateFrameworks/CoreSymbolication.framework/coresymbolicationd
672 ?? 0:00.18 /System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/CMFSyncAgent
867 ?? 0:00.23 /System/Library/PrivateFrameworks/CloudServices.framework/Support/EscrowSecurityAlert.app/EscrowS
941 ?? 0:00.25 /usr/libexec/adid
943 ?? 0:06.89 com.apple.StreamingUnzipService
1026 ?? 0:33.04 /System/Library/CoreServices/SpringBoard.app/SpringBoard
398 ?? 0:13.86 /System/Library/TextInput/kbd
1041 ?? 0:31.91 /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat
lishangkaide-iPhone4:~ root# cd /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Document
-sh: cd: /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Document: No such file or directory
Entering the path like that doesn't work (in fact I was just missing the "s" in Documents); use cycript instead:
lishangkaide-iPhone4:~ root# cycript -p WeChat
cy# NSHomeDirectory()
@"/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700"
lishangkaide-iPhone4:~ root# cd /var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/
lishangkaide-iPhone4:~ root# ls
localhost:~ shangkai$ scp /Users/shangkai/Desktop/123/dumpdecrypted.dylib root@192.168.1.47:/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/dumpdecrypted.dylib
dumpdecrypted.dylib                         100%   81KB  13.5KB/s   00:06
localhost:~ shangkai$
Now the key step: this generates the decrypted WeChat file, i.e. the actual dump (砸壳):
lishangkaide-iPhone4:/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents root# su mobile
lishangkaide-iPhone4:~/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents mobile$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib "/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat"
mach-o decryption dumper
DISCLAIMER: This tool is only meant for security research purposes, not for application crackers.
[+] detected 32bit ARM binary in memory.
[+] offset to cryptid found: @0x3ea4c(from 0x3e000) = a4c
[+] Found encrypted data at address 00004000 of length 52756480 bytes - type 1.
[+] Opening /private/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/WeChat.app/WeChat for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a FAT image - searching for right architecture
[+] Correct arch is at offset 16384 in the file
[+] Opening WeChat.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 4a4c
[+] Closing original file
[+] Closing dump file
lishangkaide-iPhone4:~/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents mobile$
scp root@192.168.1.47:"/var/mobile/Applications/11960679-AB53-4C45-9563-3602C2995700/Documents/WeChat.decrypted" /Users/shangkai/Desktop/123/WeChat
Now the folder 123 on the desktop contains one more file, WeChat, and the ssh connection can be closed.
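Before feeding the copied file to class-dump, it is worth checking from the host that the dump actually took: dumpdecrypted's log above shows it locating the right slice of the FAT image at offset 16384 and clearing LC_ENCRYPTION_INFO->cryptid at file offset 4a4c. The parser below is an added example (not code from the post or from dumpdecrypted) that reads the FAT header and each slice's LC_ENCRYPTION_INFO and reports whether a binary is still FairPlay-encrypted (cryptid != 0); the same check is what integrity or anti-tamper logic uses to tell a store binary from a dumped one. The sample file it builds is constructed to mirror the log's layout and is not WeChat.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def _slices(data):
    """Yield the file offset of every architecture slice (a thin file is one slice)."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:  # fat header is big-endian
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):  # struct fat_arch: cputype, cpusubtype, offset, size, align
            yield struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])[2]
    else:
        yield 0


def encryption_info(data):
    """One record per slice; cryptid_offset is the file offset dumpdecrypted patches to 0."""
    out = []
    for base in _slices(data):
        magic, cputype = struct.unpack("<II", data[base:base + 8])  # ARM slices: little-endian
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError("no Mach-O header at offset %#x" % base)
        ncmds = struct.unpack("<I", data[base + 16:base + 20])[0]
        pos = base + (32 if magic == MH_MAGIC_64 else 28)  # sizeof(mach_header[_64])
        rec = {"offset": base, "cputype": cputype, "cryptid": None, "cryptid_offset": None}
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
                rec["cryptid"] = struct.unpack("<I", data[pos + 16:pos + 20])[0]
                rec["cryptid_offset"] = pos + 16
            pos += cmdsize
        out.append(rec)
    return out


def is_fairplay_encrypted(data):
    """True only if every slice still has cryptid != 0, i.e. nothing has been dumped."""
    infos = encryption_info(data)
    return bool(infos) and all(r["cryptid"] for r in infos)


def build_sample(cryptid):
    """Constructed input (not WeChat): one armv7 slice at 0x4000, cryptid field at 0x4a4c."""
    filler = struct.pack("<II", 0x1, 0xA20) + b"\0" * (0xA20 - 8)  # padding LC_SEGMENT
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x1000, cryptid)
    hdr = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 2, len(filler) + len(enc), 0)  # CPU_TYPE_ARM
    body = hdr + filler + enc
    fat = struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 12, 9, 0x4000, len(body), 14)
    return fat.ljust(0x4000, b"\0") + body
```

Run it on the copied file with `is_fairplay_encrypted(open(path, "rb").read())`; a correctly dumped binary returns False and class-dump will work on it, while True means the copy is still the encrypted store image.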
localhost:bin shangkai$ class-dump --arch armv7 -H /Users/shangkai/Desktop/123/WeChat -o /Users/shangkai/Desktop/123/WeChatHeader
localhost:bin shangkai$
At this point 2000+ WeChat header files appear: the binary has been dumped and class-dump has pulled out the headers successfully!
We notice that the class WCDeviceStepObject has a few very conspicuous properties such as m7StepCount and hkStepCount, as follows:
Run the command in the terminal to create a Tweak project:
/opt/theos/bin/nic.pl
Create a Tweak project, as follows:
Write Tweak.xm and the Makefile. Code:
After make and install of the Tweak project, check the result on the test device:
Here is a cheeky screenshot of the result:
Install code:
PS: I later tried hooking QQ to change the step count, but it didn't work; the source has been uploaded, and anyone interested can take a look.