【1】找到微信

在终端输入 ps -e

可以看到当前所有的进程。

wiki:~ root# ps -ePID TTY           TIME CMD1 ??         0:22.42 /sbin/launchd26 ??         1:26.53 /usr/libexec/UserEventAgent (System)27 ??         0:07.99 /usr/sbin/syslogd28 ??         0:18.55 /usr/sbin/wifid34 ??         0:04.56 /System/Library/CoreServices/powerd.bundle/powerd42 ??         0:07.36 /usr/libexec/lockdownd50 ??         0:02.88 /usr/sbin/mediaserverd52 ??         0:03.64 /usr/sbin/mDNSResponder -launchd54 ??         0:25.11 /usr/libexec/locationd56 ??         0:01.22 /System/Library/PrivateFrameworks/IMCore.framework/ima57 ??         0:03.16 /System/Library/PrivateFrameworks/IAP.framework/Suppor59 ??         0:06.36 /usr/libexec/fseventsd60 ??         0:02.62 /usr/sbin/fairplayd.N9463 ??         0:13.13 /usr/libexec/configd70 ??         0:00.51 /Applications/kbd.app/kbd72 ??         0:00.35 /usr/libexec/misd -d75 ??         0:13.28 /System/Library/Frameworks/CoreTelephony.framework/Sup76 ??         0:01.04 /usr/sbin/BTServer77 ??         0:03.32 /usr/libexec/sogou/imed113 ??         0:14.66 /usr/sbin/notifyd134 ??         0:04.20 /usr/libexec/networkd138 ??         0:02.89 /System/Library/PrivateFrameworks/AggregateDictionary.151 ??         0:05.32 /System/Library/PrivateFrameworks/ApplePushService.fra153 ??         0:00.05 /usr/sbin/distnoted daemon157 ??         0:01.96 /System/Library/Frameworks/SystemConfiguration.framewo295 ??         0:00.32 /System/Library/PrivateFrameworks/TCC.framework/tccd348 ??         0:00.08 /usr/sbin/filecoordinationd2061 ??         0:02.98 /System/Library/CoreServices/AppleIDAuthAgent2069 ??         0:00.14 /usr/libexec/networkd_privileged2092 ??         0:05.49 /System/Library/PrivateFrameworks/iTunesStore.framewor2094 ??         0:00.83 /usr/libexec/installd --idleExit2096 ??         0:01.82 /usr/libexec/lsd2228 ??         0:00.05 /usr/libexec/xpcd2244 ??         0:00.66 /usr/libexec/timed3018 ??        12:52.48 /usr/libexec/backboardd3022 ??        15:27.81 /System/Library/CoreServices/SpringBoard.app/SpringBoa3041 ??         0:01.51 /Applications/MobilePhone.app/MobilePhone3042 ??         0:01.50 /Applications/MobileMail.app/MobileMail3044 ??         0:00.19 /System/Library/Frameworks/Accounts.framework/accounts3055 ??         0:04.68 /System/Library/Frameworks/AssetsLibrary.framework/Sup3413 ??         0:00.12 /usr/libexec/notification_proxy3437 ??         0:00.10 /usr/libexec/afcd --xpc -d /private/var/mobile/Media4246 ??         0:02.57 /usr/libexec/ptpd -t usb4558 ??         0:00.40 sshd: root@ttys001 6373 ??         0:00.07 /usr/libexec/afcd --lockdown -d /6457 ??         0:00.17 /System/Library/PrivateFrameworks/Ubiquity.framework/V4561 ttys001    0:00.06 -sh6459 ttys001    0:00.01 ps -e
wiki:~ root# ps -ePID TTY           TIME CMD1 ??         0:22.55 /sbin/launchd26 ??         1:26.94 /usr/libexec/UserEventAgent (System)27 ??         0:08.03 /usr/sbin/syslogd28 ??         0:18.66 /usr/sbin/wifid34 ??         0:04.58 /System/Library/CoreServices/powerd.bundle/powerd42 ??         0:07.36 /usr/libexec/lockdownd50 ??         0:02.91 /usr/sbin/mediaserverd52 ??         0:03.65 /usr/sbin/mDNSResponder -launchd54 ??         0:25.18 /usr/libexec/locationd56 ??         0:01.22 /System/Library/PrivateFrameworks/IMCore.framework/ima57 ??         0:03.18 /System/Library/PrivateFrameworks/IAP.framework/Suppor59 ??         0:06.40 /usr/libexec/fseventsd60 ??         0:02.63 /usr/sbin/fairplayd.N9463 ??         0:13.18 /usr/libexec/configd70 ??         0:00.51 /Applications/kbd.app/kbd72 ??         0:00.35 /usr/libexec/misd -d75 ??         0:13.31 /System/Library/Frameworks/CoreTelephony.framework/Sup76 ??         0:01.05 /usr/sbin/BTServer77 ??         0:03.33 /usr/libexec/sogou/imed113 ??         0:14.74 /usr/sbin/notifyd134 ??         0:04.21 /usr/libexec/networkd138 ??         0:02.90 /System/Library/PrivateFrameworks/AggregateDictionary.151 ??         0:05.32 /System/Library/PrivateFrameworks/ApplePushService.fra153 ??         0:00.05 /usr/sbin/distnoted daemon157 ??         0:01.96 /System/Library/Frameworks/SystemConfiguration.framewo295 ??         0:00.32 /System/Library/PrivateFrameworks/TCC.framework/tccd348 ??         0:00.08 /usr/sbin/filecoordinationd2061 ??         0:03.00 /System/Library/CoreServices/AppleIDAuthAgent2069 ??         0:00.14 /usr/libexec/networkd_privileged2092 ??         0:05.52 /System/Library/PrivateFrameworks/iTunesStore.framewor2094 ??         0:00.85 /usr/libexec/installd --idleExit2096 ??         0:01.82 /usr/libexec/lsd2228 ??         0:00.05 /usr/libexec/xpcd2244 ??         0:00.66 /usr/libexec/timed3018 ??        12:54.49 /usr/libexec/backboardd3022 ??        15:35.95 /System/Library/CoreServices/SpringBoard.app/SpringBoa3041 ??         0:01.51 /Applications/MobilePhone.app/MobilePhone3042 ??         0:01.50 /Applications/MobileMail.app/MobileMail3044 ??         0:00.19 /System/Library/Frameworks/Accounts.framework/accounts3055 ??         0:04.69 /System/Library/Frameworks/AssetsLibrary.framework/Sup3413 ??         0:00.12 /usr/libexec/notification_proxy3437 ??         0:00.10 /usr/libexec/afcd --xpc -d /private/var/mobile/Media4246 ??         0:02.59 /usr/libexec/ptpd -t usb4558 ??         0:00.41 sshd: root@ttys001 6373 ??         0:00.07 /usr/libexec/afcd --lockdown -d /6492 ??         0:03.30 /var/mobile/Applications/89D9C604-7992-4144-9B7F-036036493 ??         0:00.06 /usr/libexec/securityd6496 ??         0:00.08 /System/Library/Frameworks/UIKit.framework/Support/pas6498 ??         0:00.17 /System/Library/PrivateFrameworks/Ubiquity.framework/V4561 ttys001    0:00.06 -sh6500 ttys001    0:00.01 ps -e

从这可以看到，我们的手机只要运行。就会有很多的进程在跑。

我们可以看到微信的app在这运动，

6492 ??         0:03.30 /var/mobile/Applications/89D9C604-7992-4144-9B7F-03603

【2】进入App查看view

我们使用进入此app

wiki:~ root# cycript -p 6492

然后请开始你的表演

cy# UIApp
#"<UIApplication: 0x1c5dbb80>"cy# #0x1c5dbb80.keyWindow
#"<iConsoleWindow: 0x1c5f3320; baseClass = UIWindow; frame = (0 0; 320 480); layer = <UIWindowLayer: 0x1c5f3500>>"cy# #0x1c5f3320.rootViewController
#"<MMUINavigationController: 0x1d1eca10>"cy# #0x1d1eca10.view
#"<UILayoutContainerView: 0x1d1ece90; frame = (0 0; 320 480); autoresize = W+H; layer = <CALayer: 0x1d1ecf50>>"cy# #0x1d1eca10.visibleViewController
#"<WCAccountLoginLastUserViewController: 0x1d1ec390>"cy# #0x1d1ec390.view
#"<UIView: 0x1d0da930; frame = (0 0; 320 460); autoresize = W+H; layer = <CALayer: 0x1d0da8c0>>"cy# view = #0x1d0da930
#"<UIView: 0x1d0da930; frame = (0 0; 320 460); autoresize = W+H; layer = <CALayer: 0x1d0da8c0>>"cy# *view
{isa:UIView,_layer:#"<CALayer: 0x1d0da8c0>",_tapInfo:null,_gestureInfo:null,_gestureRecognizers:null,_subviewCache:@[#"<MMTableView: 0x1cadd200; baseClass = UITableView; frame = (0 0; 320 460); clipsToBounds = YES; autoresize = W+H; gestureRecognizers = <NSArray: 0x1d0db020>; layer = <CALayer: 0x1d0daba0>; contentOffset: {-0, -44}>",#"<UIButton: 0x1d1129e0; frame = (134.5 409; 51 41); opaque = NO; autoresize = LM+RM+TM; tag = 2222; layer = <CALayer: 0x1d1129b0>>"],_charge:0,_tag:0,_viewDelegate:#"<WCAccountLoginLastUserViewController: 0x1d1ec390>",_backgroundColorSystemColorName:null,_viewFlags:@error,_retainCount:6,_boundsWidthVariable:null,_boundsHeightVariable:null,_minXVariable:null,_minYVariable:null,_internalConstraints:null,_constraintsExceptingSubviewAutoresizingConstraints:null,_dependentConstraints:null,_shouldArchiveUIAppearanceTags:0}
cy#

我们可以看到_subviewCache里面的内容，就是此页面的图层结构。

我们可以看到微信的登陆界面用的是UITabelView。。。。

【3】修改UI界面

我们把TableView和UIButton拿出来。

cy# #0x1cadd200
#"<MMTableView: 0x1cadd200; baseClass = UITableView; frame = (0 0; 320 460); clipsToBounds = YES; autoresize = W+H; gestureRecognizers = <NSArray: 0x1d0db020>; layer = <CALayer: 0x1d0daba0>; contentOffset: {-0, -44}>"cy# #0x1d1129e0
#"<UIButton: 0x1d1129e0; frame = (134.5 409; 51 41); opaque = NO; autoresize = LM+RM+TM; tag = 2222; layer = <CALayer: 0x1d1129b0>>"

修改TableView的背景颜色

cy# tb = #0x1cadd200
#"<MMTableView: 0x1cadd200; baseClass = UITableView; frame = (0 0; 320 460); clipsToBounds = YES; autoresize = W+H; gestureRecognizers = <NSArray: 0x1d0db020>; layer = <CALayer: 0x1d0daba0>; contentOffset: {-0, -44}>"cy# tb.backgroundColor = [UIColor blueColor]
#"UIDeviceRGBColorSpace 0 0 1 1"

不得不说，蓝色好丑。我们还是改回去吧。

cy# tb.backgroundColor = [UIColor whiteColor]
#"UIDeviceWhiteColorSpace 1 1"

隐藏这个Button和更改title

cy# btn = #0x1d1129e0
#"<UIButton: 0x1d1129e0; frame = (134.5 409; 51 41); opaque = NO; autoresize = LM+RM+TM; tag = 2222; layer = <CALayer: 0x1d1129b0>>"
cy# btn.frame
{0:{0:134.5,1:409},1:{0:51,1:41}}
cy# [btn frame]
{0:{0:134.5,1:409},1:{0:51,1:41}}
cy# btn.hidden = YES
true

我们会发现，微信登陆界面 “更多”按钮消失了。
所以这个button就是更多按钮！

如果输入btn.frame，有错误提示，这个一个C语言的结构体的话，那么就用[btn frame]

cy# btn.titleLabel.text = "hahahhahaahaha"
"hahahhahaahaha"

我们发现这个更多按钮变成了h...

咳咳，原来老版本的微信这块的frame是写死的噢，嘎嘎~~

查看UI的层级结构，一目了然

cy# UIApp.keyWindow.recursiveDescription()
throw new TypeError(`'<iConsoleWindow: 0x1c5f3320; baseClass = UIWindow; frame = (0 0; 320 480); layer = <UIWindowLayer: 0x1c5f3500>>| <UILayoutContainerView: 0x1d1ece90; frame = (0 0; 320 480); autoresize = W+H; layer = <CALayer: 0x1d1ecf50>>|    | <UINavigationTransitionView: 0x1d0d97f0; frame = (0 0; 320 480); clipsToBounds = YES; autoresize = W+H; layer = <CALayer: 0x1d0d98c0>>|    |    | <UIViewControllerWrapperView: 0x1d111d50; frame = (0 20; 320 460); autoresize = W+H; layer = <CALayer: 0x1d111cd0>>|    |    |    | <UIView: 0x1d0da930; frame = (0 0; 320 460); autoresize = W+H; layer = <CALayer: 0x1d0da8c0>>|    |    |    |    | <MMTableView: 0x1cadd200; baseClass = UITableView; frame = (0 0; 320 460); clipsToBounds = YES; autoresize = W+H; gestureRecognizers = <NSArray: 0x1d0db020>; layer = <CALayer: 0x1d0daba0>; contentOffset: {-0, -44}>|    |    |    |    |    | <UIView: 0x1d112190; frame = (0 0; 320 348); layer = <CALayer: 0x1d112160>>|    |    |    |    |    |    | <UIView: 0x1d11ac70; frame = (0 0; 320 348); autoresize = LM+RM; layer = <CALayer: 0x1d11acd0>>|    |    |    |    |    |    |    | <UIImageView: 0x1d22b5d0; frame = (120 44; 80 80); clipsToBounds = YES; opaque = NO; autoresize = LM+RM; userInteractionEnabled = NO; layer = <CALayer: 0x1d22b630>>|    |    |    |    |    |    |    | <MMUILabel: 0x1d22c0e0; baseClass = UILabel; frame = (118 139; 84 20); text = '1548388802'; clipsToBounds = YES; autoresize = LM+RM; userInteractionEnabled = NO; layer = <CALayer: 0x1d22c010>>|    |    |    |    |    |    |    | <UIView: 0x1d119390; frame = (0 189; 320 44); layer = <CALayer: 0x1d1193f0>>|    |    |    |    |    |    |    |    | <WCUITextField: 0x1d118e80; baseClass = UITextField; frame = (15 0; 295 44); clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x1d117810>; layer = <CALayer: 0x1d118e00>>|    |    |    |    |    |    |    |    |    | <MMUILabel: 0x1d232ba0; baseClass = UILabel; frame = (0 0; 93 44); text = '\u5bc6\u7801'; clips
cy#

【砸壳STEP2】使用cycript查看并修改微信UI界面相关推荐

为Android购买多个改装微信,分享外面高价售卖的修改微信号方法亲测成功仅限安卓手机...
分享外面在高价售卖的微信号修改方法亲测成功仅限安卓手机这个方法今天在外面看到很多人在代修改,转卖方法!小编觉得还是有必要发出来让大家去动手尝试一下! 实际上这个修改微信号的功能在内测版微信就可以 ...
ios安装python的步骤,iOS常见砸壳方法
Frida ios端配置: 1.安装frida启动cydia ,添加软件源:软件源 Sources-> 编辑 Edit(右上角)-> 添加Add(左上角)-> 输入[https:// ...
iOS 越狱-砸壳工具的使用
1.越狱概述 1.1 通过iOS系统安全启动链漏洞,从而禁止掉信任链中负责验证的组件.拿到iOS系统最大权限ROOT权限. 1.2 当启动一台iOS设备时,系统首先会从只读的ROM中读取初始化指令,也 ...
iOS测试软件砸壳,iOS应用砸壳
设备:iOS10.3.2的5s 一:设备越狱 1.使用g0blin 进入官网下载ipa 2.然后使用Impactor 安装到手机 3.打开应用进行越狱. 4.越狱安装OpenSSL和Openssh发现 ...
android r 编译找不到头文件_「投稿」iOS逆向——砸壳与反编译
作者:疯狂的蛋神近来对iOS逆向十分感兴趣,就在业余时间里自己在上网找了各种资料学习,发现许多资料对于一些细节描述的不够详细,所以也踩了很多坑,我也将自己踩的一些坑总结出来,希望对大家有所帮助. 注 ...
iOS10.2下的IPA砸壳
前言从App Store上下载的ipa里面的二进制文件是经过加密的,class-dump和Hopper Disassembler都需要用到未加密的二进制文件,需要通过砸壳得到.网上敲壳教程还是挺多的 ...
ipa砸壳+frida-ios-dump
前言当你从app store下载应用程序时,它们是已安装的ios应用程序(ipa)存储在设备上.这些应用程序通常具有受保护的代码和资源,以限制用户对其进行修改或反向工程. 但是,有时候需要查看应用程 ...
iOS逆向--dumpdecrypted砸壳
一.前提介绍 1,有些从 APPStore 商店下载安装的APP 默认都被苹果加了一层壳,加了壳后我们就无法使用dump导出头文件等其它操作,多亏了大神给我们提供了工具Dumpdecrypted让我们 ...
iOS逆向 -- 砸壳
直接上内容: 1.Clutch <1> 首先附上github链接,下载最新的release版本,我这里下载的是2.0.4 <2> 然后重命名 Clutch,usb链接手机并拷 ...

【砸壳STEP2】使用cycript查看并修改微信UI界面

【1】找到微信

【2】进入App查看view

【3】修改UI界面

查看UI的层级结构，一目了然

【砸壳STEP2】使用cycript查看并修改微信UI界面相关推荐

最新文章

热门文章