iOS H5 App Reverse Engineering Notes

Inspect the UI layout to determine whether the screen is a WebView control.

After decrypting (dumping) the app, locate the www directory.

Find app-service, then format it for analysis, search for keywords, and so on.

Note:
This file can be modified. After editing it, scp the file back into the directory on the phone to debug with instrumentation.

Change to the root directory: cd /

Find the project directory:

find . -name app-service.js

Runtime sandbox directory

/private/var/mobile/Containers/Data/Application/

Installation directory

/private/var/containers/Bundle/Application/

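When we make instrumentation changes, push them directly to the sandbox directory, which is used for things like caches and temporary files.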

scp <modified app-service.js> root@ip:/var/mobile/Containers/Data/Application/xxx

Reopen the app and the instrumented code runs.
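
The steps above rely on the app running whatever app-service.js sits in its writable directory. Seen from the app owner's side, the following added example (not from the original notes) compares a www tree copied from a device against a known-good copy and lists changed, added or missing files; the function names and directory arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): compare a deployed www tree
# against a known-good copy and report tampered files such as app-service.js.
# www_diff, sha256_of and the directory arguments are hypothetical names.

# Print the SHA-256 of one file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# www_diff GOOD_DIR LIVE_DIR
# Prints "ADDED", "MODIFIED" or "MISSING" plus the relative path, one per line.
# Returns 0 when both trees match and 1 when any difference is found.
www_diff() {
    good=$1
    live=$2
    findings=$(
        # Files in the live tree that are new or whose hash changed.
        (cd "$live" && find . -type f) | sort | while IFS= read -r f; do
            if [ ! -f "$good/$f" ]; then
                echo "ADDED $f"
            elif [ "$(sha256_of "$good/$f")" != "$(sha256_of "$live/$f")" ]; then
                echo "MODIFIED $f"
            fi
        done
        # Files the known-good tree has but the live tree lost.
        (cd "$good" && find . -type f) | sort | while IFS= read -r f; do
            [ -f "$live/$f" ] || echo "MISSING $f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh www_diff.sh /path/to/known-good /path/to/copied-from-device
if [ "$#" -eq 2 ]; then
    www_diff "$1" "$2"
fi
```

A non-zero exit status with a MODIFIED line for app-service.js is the signal that the script on the device is no longer the shipped one.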

Packet capture is skipped here.

frida-trace -UF -m "-[WXStreamModule _buildRequestWithOptions:callbackRsp:]"

Replacement JS:

/*
 * Auto-generated by Frida. Please modify to match the signature of -[WXStreamModule _buildRequestWithOptions:callbackRsp:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call -[WXStreamModule _buildRequestWithOptions:callbackRsp:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[0] is self and args[1] is the selector; the method's own arguments start at args[2].
    log(`-[WXStreamModule _buildRequestWithOptions:${new ObjC.Object(args[2])} callbackRsp:${new ObjC.Object(args[3])}]`);
  },

  /**
   * Called synchronously when about to return from -[WXStreamModule _buildRequestWithOptions:callbackRsp:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
  }
}

Reposted from blog.csdn.net/weixin_38927522/article/details/129390849