1、准备工作
1、有ipa的包。
2、能够调试真机的开发者证书。
2、调试ipa包
1、创建一个空工程,配置好开发者证书,跑在真机上。
2、通过重签名的脚本,运行在真机上。
3、创建Cwwng Framework,将Framework关联信息注入到可执行文件
1、用yololib完成Framework关联信息注入。
2、用MachOView来验证动态库关联信息注入是否正确。
4、分析可执行文件
1、用class-dump分析可执行文件的类、属性、方法等信息
5、在步骤4的分析结果中查找与运动步数相关的类,其头文件如下:
#import "MMObject.h"
@class NSMutableArray;
// class-dump output for WCDeviceStepObject, declared here as a subclass of MMObject.
// NOTE(review): class-dump recovers names and types only; the field meanings noted
// below are inferred from the identifiers and should be confirmed before relying on them.
// NOTE(review): the accessors are ordinary Objective-C methods, so any code loaded into
// the process can look them up by name at runtime; values read through them are
// client-side state and should not be treated as trustworthy by a consumer.
@interface WCDeviceStepObject : MMObject
{
// presumably the start and end of the sampling window — units/epoch not shown, TODO confirm
unsigned int beginTime;
unsigned int endTime;
// presumably a step count from the motion coprocessor ("m7") — inferred from the name
unsigned int m7StepCount;
// presumably a step count sourced from HealthKit ("hk") — inferred from the name
unsigned int hkStepCount;
// presumably the HealthKit sample sources behind hkStepCount — element type not shown
NSMutableArray *allHKSampleSource;
}
// Each property below is annotated by class-dump as synthesized onto the same-named ivar.
@property(retain, nonatomic) NSMutableArray *allHKSampleSource; // @synthesize allHKSampleSource;
@property(nonatomic) unsigned int hkStepCount; // @synthesize hkStepCount;
@property(nonatomic) unsigned int m7StepCount; // @synthesize m7StepCount;
@property(nonatomic) unsigned int endTime; // @synthesize endTime;
@property(nonatomic) unsigned int beginTime; // @synthesize beginTime;
// Compiler-generated ivar teardown entry as printed by class-dump; not hand-written
// source (the leading dot is not valid in a compilable header).
- (void).cxx_destruct;
@end
6、在Cwwng Framework动态库中hook步数的getter方法(hkStepCount、m7StepCount)
//
// DeviceStep.m
// Cwwng
//
// Created by Cwwng on 2020/11/28.
//
#import "DeviceStep.h"
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
@implementation DeviceStep

/// Invoked by the Objective-C runtime when the image containing this class is loaded.
/// Exchanges the implementations of WCDeviceStepObject's `hkStepCount` and `m7StepCount`
/// getters with the two replacement getters defined below, so later reads of those
/// getters on WCDeviceStepObject instances execute the replacement bodies.
///
/// NOTE(review): no check is made that the class or either method was found; the
/// lookups are passed straight to method_exchangeImplementations.
/// NOTE(review): from a defender's view this shows that a value exposed only through a
/// client-side getter can be overridden by any code loaded into a re-signed build, so
/// a backend consuming these counts should validate them independently — confirm how
/// the real consumer treats them.
+ (void)load {
    // Resolved by name at runtime; yields nil when no such class is registered.
    Class stepClass = objc_getClass("WCDeviceStepObject");

    // HealthKit-named getter <-> replacement.
    Method originalHk = class_getInstanceMethod(stepClass, @selector(hkStepCount));
    Method replacementHk = class_getInstanceMethod(self, @selector(myHkStepCount));
    method_exchangeImplementations(originalHk, replacementHk);

    // "m7"-named getter <-> replacement.
    Method originalM7 = class_getInstanceMethod(stepClass, @selector(m7StepCount));
    Method replacementM7 = class_getInstanceMethod(self, @selector(myM7StepCount));
    method_exchangeImplementations(originalM7, replacementM7);
}

/// Replacement body for `hkStepCount`; ignores the receiver's state and returns a constant.
- (unsigned int)myHkStepCount {
    unsigned int fixedCount = 89000;
    return fixedCount;
}

/// Replacement body for `m7StepCount`; ignores the receiver's state and returns a constant.
- (unsigned int)myM7StepCount {
    unsigned int fixedCount = 89000;
    return fixedCount;
}

@end