cycript使用方法

1. Basics

$ ssh root@IP_ADDRESS
$ cycript -p APPNAME

// Dump all classes
cy# ObjectiveC.classes

2. 枚举现时controller的view

// display output nicely
$ ?expand

$ [[UIApp keyWindow] recursiveDescription]

Update 6 Nov 2017:

枚举Current View

$ [[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()

3. 获取现时View的controller

方法1: visibleViewController

cy# UIApp.keyWindow.rootViewController.visibleViewController

方法2: nextResponder

// Using the “nextResponder” ObjectiveC method, determine the current view controller
// 0x135d13fe0 是UIView的内存地址
$ [#0x135d13fe0 nextResponder]
#"<OPLockedViewController: 0x13602fad0>"

4. 获得class的实例

cy# choose(SomeClass)
#"<SomeClass: 0x28a600>"

cy# choose(ViewController)

// or
cy# choose(ViewController)[0]

5. 获得class Methods

// print methods: http://iphonedevwiki.net/index.php/Cycript_Tricks

function printMethods(className, isa) {
  var count = new new Type("I");
  var classObj = (isa != undefined) ? objc_getClass(className).constructor : objc_getClass(className);
  var methods = class_copyMethodList(classObj, count);
  var methodsArray = [];
  for(var i = 0; i < *count; i++) {
    var method = methods[i];
    methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
  }
  free(methods);
  return methodsArray;
}

$ printMethods(ViewController)

此外,还可以使用

cy# UIApp.delegate->isa.messages

6. 调用Methods

cy# [somCls someMethod: someParam]

// call method
// 0x135d13fe0是 viewcontroller的地址, class的内存地址
$ [#0x135d13fe0 showSuccess]

7. Hide View

// e.g. [#0x12eebee90 setHidden:YES]
cy# [#viewAddress setHidden:YES]   

// dump class methods with class dump
// [#0x12ed902b0 dismissLockScreen]    
cy# [#viewControllerAddress classMethod]       

8. Dump class information

// Dumps the current visible view controller of the app, along with any references to other objects inside the view controller.
cy# var vvc = UIApp.keyWindow.rootViewController.visibleViewController
cy# *vvc

9. Change Property

cy# var textbox = new Instance(0x12345678)
cy# testbox.text = @”The App with Cycript”;

10. Get Document Path

cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
@[#"file:///var/mobile/Containers/Data/Application/ACC9AC92-7303-4DB3-AB76-FF025F69EABF/Documents/"]

11. Attach to instance of a class

cy# var somcls = new Instance(0x28a600)

12. Method Swizzling

cy# SomeClass.messages

cy# SomeClass.messages['someMethod'] = function() {return true;}

13. Class-dump

Class-Dumping with Cycript - Hacking Dartmouth

Bonus

• Protection against Cycript/Runtime | 0xBBC
• 保护App重要数据，防止Cycript/Runtime修改 | 0xBBC
• iOS App 的逆向工程: Hacking on Lyft
• Breaking into and Reverse Engineering iOS Photo Vaults_HackDig
• Reverse Engineering iOS Apps | White Hack
• Runtime Manipulation of Android and iOS Applications - OWASP AppSecUSA 2014