What is Cycript?

  • Cycript is a mashup of Objective-C++, ES6 (JavaScript), Java, and more.
  • See the Cycript documentation for details on how Cycript is used.
  • To debug a running App on an iPhone, you need to install Cycript via Cydia.

Note: the app must be running when you debug it

The ps command

Before introducing Cycript, learn about the ps command, short for Process Status, which lists the system's current processes

  • First you need to install the adv-cmds package on your iPhone
  • Use the following command to list all processes running on the iPhone
ps -A
ps aux
  • If there are many processes and you want to search by keyword, you can use grep
ps -A | grep 'keyword'
677 ?? 0:00.04 /System/Library/CoreServices/CacheDeleteSystemFiles
679 ?? 0:00.09 /System/Library/CoreServices/CacheDeleteITunesStore
681 ?? 0:00.41 /Applications/MobileSafari.app/webbookmarksd
683 ?? 0:00.27 /System/Library/CoreServices/CacheDeleteAppContainerCaches
700 ?? 0:00.59 /Applications/SiriViewService.app/SiriViewService
707 ?? 0:00.08 /System/Library/PrivateFrameworks/CoreFollowUp.framework/followupd
724 ?? 0:01.58 /usr/libexec/ptpd -t usb
729 /usr/libexec/ self-expressive proxy
810 /System/Library/PrivateFrameworks/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/com.apple.Safar
845 ?? 0:00.23 sshd: root@ttys000
849 ?? 0:00.85 /System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service
852 ?? 0:07.95 /var/mobile/Containers/Bundle/Application/5617 b333-7 d1 - B7D0 dc7-48 - A4EC07B8EE93/Aweme.app/Aweme
854 ?? 0:00.05 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
857 ?? 0:00.18 /System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
860 ?? 0:00.20 /usr/libexec/rtcreportingd
847 ttys000 0:00.04 -sh
863 ttys000 0:00.01 ps -A
508SC:~ root#

As shown above, the leftmost number on each line is the process ID. On the right, the path ending in .app is followed by the executable file of the process, whose name is the process name. For example, Aweme in the listing is the TikTok process

How do I use Cycript?

With the ps -A command, we can see information about all the processes running on the iPhone. You can then debug a specific process with the following command.

cycript -p <process ID or process name>

After the terminal executes the command, the effect is as follows:

849 ?? 0:00.85 /System/Library/PrivateFrameworks/AssistantServices.framework/assistant_service
852 ?? 0:07.95 /var/mobile/Containers/Bundle/Application/5617 b333-7 d1 - B7D0 dc7-48 - A4EC07B8EE93/Aweme.app/Aweme
854 ?? 0:00.05 /System/Library/Frameworks/UIKit.framework/Support/pasteboardd
857 ?? 0:00.18 /System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
860 ?? 0:00.20 /usr/libexec/rtcreportingd
847 ttys000 0:00.04 -sh
863 ttys000 0:00.01 ps -A
508SC:~ root# cycript -p Aweme
cy#
508SC:~ root# cycript -p 852
cy#

The following keyboard shortcuts work at the Cycript prompt

# exit
control + D
# cancel input
control + C
# clear the screen
command + R

Cycript common syntax

UIApp

Since Cycript supports Objective-C, JavaScript and more, we can debug the app directly using Objective-C syntax

  • Use [UIApplication sharedApplication] to print the UIApplication object of the current TikTok app, including its class name and memory address
508SC:~ root# cycript -p Aweme
cy#
508SC:~ root# cycript -p 852
cy# [UIApplication sharedApplication]
#"<UIApplication: 0x14df29bd0>"
cy#
  • Cycript has a built-in UIApp variable, which is equivalent to [UIApplication sharedApplication]
508SC:~ root# cycript -p Aweme
cy#
508SC:~ root# cycript -p 852
cy# [UIApplication sharedApplication]
#"<UIApplication: 0x14df29bd0>"
cy# UIApp
#"<UIApplication: 0x14df29bd0>"
cy#

Define variables

In Cycript, variables are defined with var, not with Objective-C declarations

var app = UIApp

Get objects using memory addresses

In Cycript, you can prefix a memory address with # to get the object at that address

cy# UIApp
#"<UIApplication: 0x14df29bd0>"
cy# UIApp.keyWindow.rootViewController
#"<AWETabBarController: 0x14e230200>"
cy# #0x14e230200.view
#"
      
       >"
      
cy#

ObjectiveC.classes

Use ObjectiveC.classes to list all Objective-C classes loaded in the current app

Use *object to list all the member variables of an object

Recursively print all subviews of a view

Use the following command to find all objects of a given type

// Find all UIViewController objects in TikTok
choose(UIViewController)
// Find all UITableViewCell objects in TikTok
choose(UITableViewCell)

Use of the Cycript tool library

  • First, download the tool library: github.com/CoderMJLee/…

mjcript wraps some commonly used Cycript functions. See the source code for more details

  • Save the mjcript.cy file locally and run the following command to copy mjcript.cy to /usr/lib/cycript0.9 on your iPhone
# copy mjcript.cy to /usr/lib/cycript0.9 on the iPhone
scp -P 10088 ~/Desktop/Cycript/mjcript.cy root@localhost:/usr/lib/cycript0.9

Note: the -P option must be uppercase

  • mjcript.cy can also be dragged directly into the /usr/lib/cycript0.9 directory on the iPhone using iFunBox on the Mac
  • Attach to the app with Cycript in the terminal and import mjcript with @import
# Attach to the Douyin app
cycript -p Aweme
# Import the mjcript library
@import mjcript
  • You can then use the functions wrapped by mjcript, as follows
// Get the app's bundle ID
MJAppId
// Get the app's executable path
MJAppPath
// Get the keyWindow
MJKeyWin()
MJFrontVc()
MJVcSubviews(MJFrontVc())
MJInstanceMethods(MJFrontVc()) or MJInstanceMethods(#0x15f2d3600)
// Print all instance method names
MJInstanceMethodNames(MJFrontVc())
// Print all class methods
MJClassMethods(MJFrontVc())
// Print all class method names
MJClassMethodNames(MJFrontVc())
// Print all member variables
MJIvars(MJFrontVc())
// Print all member variable names
MJIvarNames(MJFrontVc())
MJPointMake(x,y)
MJSizeMake(w,h)
MJRectMake(x,y,w,h)

For more information on how to use mjcript.cy, see the source code.

Going deeper

Now that we know this much about using Cycript, we can try debugging some existing apps.

WeChat

Try changing the balance shown in the WeChat wallet. The key step is getting hold of the UILabel that displays the amount.

  • First, open WeChat on the iPhone and go to the wallet page
  • In the terminal, connect to the iPhone and attach to the WeChat process with the following commands
// Step 1: map Mac port 10088 to iPhone port 22
// Step 2: connect to the iPhone over SSH through the mapped port
ssh root@localhost -p 10088
// Step 3: attach to the WeChat process
cycript -p WeChat
  • Now we can debug the WeChat app from the terminal
MJSubviews(MJFrontVc().view)
var moneyLabel = #0x12e7b35e0
moneyLabel.text = "RMB 10000000"
moneyLabel.textColor = [UIColor redColor]
moneyLabel.frame = MJRectMake(20, 100, 100, 30)
......

String lookup

The terminal prints the Chinese text of a UILabel as Unicode escape sequences. To find the label that shows a given piece of Chinese text on the current page, we therefore need the escaped form of that text, and we can use Python to convert the Chinese characters into it.

  • The first format

  • Second format
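
The conversion described above, as an added example (not code from the original post, and not a reconstruction of its two formats): it turns on-screen text into \uXXXX escapes and searches a pasted view-hierarchy dump for it. The function names, the dump layout and the sample lines are constructed for illustration, and the exact escape style Cycript prints is an assumption.

```python
import re

def to_unicode_escapes(text):
    """Encode every non-ASCII character as \\uXXXX (UTF-16 code units)."""
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")  # 2 bytes, or 4 for a surrogate pair
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)

def from_unicode_escapes(escaped):
    """Decode \\uXXXX escapes back to text, joining surrogate pairs."""
    raw = re.sub(r"\\u([0-9a-fA-F]{4})",
                 lambda m: chr(int(m.group(1), 16)), escaped)
    return raw.encode("utf-16-le", "surrogatepass").decode("utf-16-le")

_VIEW = re.compile(r"<(\w+): (0x[0-9a-fA-F]+)")

def find_views_by_text(dump, text):
    """Return (class, address) for each dump line containing `text`.

    Matching is case-insensitive so \\u96F6 and \\u96f6 both hit.
    """
    needle = to_unicode_escapes(text).lower()
    hits = []
    for line in dump.splitlines():
        match = _VIEW.search(line)
        if match and needle in line.lower():
            hits.append((match.group(1), match.group(2)))
    return hits

# Constructed sample dump (not captured from a real app).
SAMPLE_DUMP = r"""
<UIView: 0x10a000100; frame = (0 0; 375 667)>
   | <UILabel: 0x10a000200; frame = (20 60; 100 30); text = '\u94b1\u5305'>
   | <UILabel: 0x10a000300; frame = (20 100; 100 30); text = '\u96F6\u94b1 \u00a50.00'>
   | <UIButton: 0x10a000400; frame = (20 140; 100 30)>
"""

if __name__ == "__main__":
    print(to_unicode_escapes("零钱"))
    print(find_views_by_text(SAMPLE_DUMP, "零钱"))
```

An address returned by find_views_by_text can be used in Cycript with the # prefix shown earlier.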

UI debugger: Reveal

Reveal is a powerful tool for debugging the UI in iOS development. See the official website for an introduction to Reveal, usage instructions and the download

Reveal 4 and later support debugging over USB, which is fast. Versions earlier than Reveal 4 support only Wi-Fi debugging, which is slow

Reveal Debugging environment configuration

  • First, install the Reveal Loader on the iPhone using Cydia: add the software source apt.so/codermjlee and download the Reveal Loader
  • After installing the Reveal Loader, open Settings, scroll down to the Reveal entry, tap it, and under "Enable Applications" switch on the app you want to debug
  • Locate the RevealServer file in Reveal on the Mac and use it to overwrite the /Library/RHRevealLoader/RevealServer file on the iPhone. The specific path is as follows:

If you did not download the Reveal Loader from this software source, look up the installed Reveal Loader in Cydia; its Description shows the location of RevealServer.framework. Just overwrite the RevealServer file at that location with the RevealServer file from the Mac.

  • Restart SpringBoard or reboot the phone. You can do this with terminal commands on the iPhone
// Restart SpringBoard
killall SpringBoard
// Reboot the phone
  • Open Reveal and, at the same time, open any app on the iPhone. The app you want to debug then appears in Reveal. Click the app icon to view the UI structure of the app