Use MonkeyDev installation to run any third app reverse debugging, more convenient, more powerful @alonemonkey
In the iOS reverse development, Cycript and Reveal are indispensable tools for analyzing third-party apps. They can be used to quickly locate the UI and find the corresponding controller, thus reducing the code area. Recently, LLDB was used for debugging, and it was found that LLDB can achieve similar results.
The first step is to debug any third-party app on a non-jailbroken deviceRefer to this article
Here again, take wechat as an example:
Here to achieve the effect is to find the memory address of the login button, and find the owning controller, modify the text of the login button. Let’s go!
Before we begin, a brief introduction to the LLDB common command,p & Po – print variables or objects
Because LLDB supports prefix matching, you can abbreviates print to p or pri, and print stands for expression –; Po stands for expression -o –, which means print object. Input p instruction can print specific information such as the object type, memory address and value of the object, while Po instruction can print the value obtained by calling the description method.
(Note: when printing objects of set type, the P instruction will omit the specific value and only prompt information such as the number of sets. Therefore, if you want to view the values in the set, you should use the Po instruction, as shown below:)
-
Print nsstrings:
-
Print NSDictionary:
expression
The expression command executes an expression and outputs the result returned by the expression. The full syntax for expression looks like this:
expression <cmd-options> -- <expr>
Copy the code: Command options. Generally, use the default command.
–: End of command options: indicates that all command options are set. If no command options are available, — can be omitted
: The expression to execute
Expression is the most important command in the LLDB. Because it can do two things.
-
When we run the code, we can dynamically change the trajectory of the program by executing a certain expression.
-
Let’s say we’re running and suddenly want to change the color of self.view to red. We don’t have to write code and run again, just pause the program, change the color with Expression, refresh the screen and see what happens
/ / change the color (LLDB) expression -- self. The backgroundColor = [UIColor redColor] / / refresh interface (LLDB) expression (void)[CATransaction flush]Copy the codeThat means we can print things through Expression.
Suppose we want to print self.view:
(lldb) expression -- self.view
(UIView *) The $1 = 0x00007fe322c18a10
Copy the codeCommand on the introduction of this several useful, the other can be their own baidu, here to debug it!
-
Debug the interface with Xcode first:
In fact, the above two screenshots already contain a lot of information we want, including the layout structure of the UI, the level, the content address corresponding to each UIView, and the parent control or container. Click the login button and you’ll find the following in the debug screen on the right side of Xcode:
Contains a lot of useful information, including the button’s class name, memory address, Action and Target, etc
In this case, YOU can always find the controller by calling UIButton’s nextResponder method. How to call this method? The LLDB expression command (e 0x105651b50) displays the memory address of the login button.
e 0x105651b50
Copy the codeWill print:
(long) The $188 = 4385479504
Copy the code$188 represents the login button object, of course you can directly use 0x105651b50(the login button object), try changing the text of the login button:
e [The $188 setTitle:@"Floating gold" forState:UIControlStateNormal]
Copy the codeThe result is as follows:
This is due to the lack of UIKit libraries
e @import UIKit
Trying to introduce UIKit library,What? Or wrong!
This is because $188 only represents the memory address where the login button is located. LLDB does not know what type of object it is, and tries to convert $188 strongly:
The login button type is FixTitleColorButton
/ / 0 x105651b50 andThe $188Same thing,e [(FixTitleColorButton *)0x105651b50setTitle:@"Floating gold" forState: UIControlStateNormal] is the same effect, you can have a try! e [(FixTitleColorButton *)The $188 setTitle:@"Floating gold" forState:UIControlStateNormal]
Copy the codeThis time, no error is reported, and no message is displayed, but there is no change in the UI. Try the command to refresh the interface:
expression (void)[CATransaction flush]
Copy the codeAfter the command is executed, there is no output. Step debugging next step:
c
Copy the codeAfter execution, look at the UI:
Successful,expression is powerful enough to execute OC code (just like cycript, you can print UIView structures with the method recursiveDescription and see information about each UIView), and we can define a variable like this
:
// Get UIApplication object, which must be preceded by variable"$", followed by references to defined objects"$", as quoted below$app
e UIApplication *$app= [UIApplication sharedApplication] // Get keyWindow$keyWindow
e UIWindow *$keyWindow = $app.keyWindow // Get the login button e FixTitleColorButton *$loginButton = (FixTitleColorButton *)0x15dd11770
//$loginButtonThis is just the e alias of 0x000000015DD11770$loginButton
(FixTitleColorButton *) $loginButton = 0x000000015dd11770
Copy the code### Find the controller where the login button is located, using the nextResponder method
(lldb) po [$loginButtonnextResponder] <UIView: 0x15dd0e080; frame = (0 582; 375, 65); autoresize = W+TM; layer = <CALayer: 0x174039640>> (lldb) po [(UIView *)0x15dd0e080 nextResponder] <UIView: 0x15de27410; frame = (0 0; 375, 667); autoresize = W+H; layer = <CALayer: 0x17022f760>> (lldb) po [(UIView *)0x15de27410 nextResponder] <WCAccountLoginFirstViewController: 0x15e80dc00>Copy the code