IOS Reverse engineering-Dynamic analysis

Source: Internet
Author: User

First of all, why analyze an application at all? If you want to extract useful information from an iOS app, or modify some of its features, you first need to understand the app's logic and structure.

There are not many dynamic analysis tools worth sharing, so let's first look at a simple, general-purpose one: Cycript.

1. Cycript

References: http://www.cycript.org/

http://iphonedevwiki.net/index.php/Cycript

Cycript is a scripting language; people describe it as "Objective-JavaScript", which is quite apt. Cycript is available from Cydia's built-in source (Cydia/Telesphoreo). After installing it, SSH into the iOS device:

    ssh [email protected]

Launch the application you want to analyze and look up its PID. Here we use SpringBoard, the home screen, which starts automatically:

    ps aux | grep SpringBoard
    mobile    1514   0.7 10.6   577300  54720   ??  Ss    3:46PM   1:19.28 /System/Library/CoreServices/SpringBoard.app/SpringBoard

After finding the PID (1514), use Cycript to hook the application:

    cycript -p 1514
    cycript -p SpringBoard

Either of the two commands above attaches to the application. Once hooked, you can do whatever you like; first, let's pop up an alert window:

    cy# var alert = [[UIAlertView alloc] initWithTitle:@"asd" message:nil delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil];
    #"<UIAlertView: 0x19c200f0; frame = (0 0; 0 0); opaque = NO; layer = <CALayer: 0x19c8e730>>"
    cy# [alert show]

As you can see, Cycript prints the value of anything you assign. The alert now appears on the screen. At this point you may wonder how to take a screenshot of it. This puzzled me too, so I first used the static tool class-dump to export the header files, then searched them for "shot", and there it was:

    cy# var shot = [SBScreenShotter sharedInstance]
    #"<SBScreenShotter: 0x19ccda20>"
    cy# [shot saveScreenshot:YES]

Press Ctrl+D to exit.

2. GDB

Cycript is powerful, its syntax resembles Objective-C, and it is very handy, but it has a fatal shortcoming: it cannot set breakpoints, so you cannot stop at a specific location and inspect the state there. That is where GDB comes in. GDB is a powerful debugging tool, so how do we use it to debug an iOS app?

GDB, the GNU Project debugger, can be downloaded from Cydia (source: http://cydia.radare.org).

    1. Attach GDB to the application. The approach is the same as with Cycript: you can use either the PID or the application name.

    gdb -p SpringBoard
    gdb -p 1514

Alternatively, start GDB first and then use `attach` to hook the application; the effect is the same. To release the application, use `detach`.

    2. Breakpoints

    b -[SpringBoard menuButtonDown:]
    b *(0xc41e)

`b` sets a breakpoint on a function (although this does not always succeed) or directly on a memory address. People will ask how to find out a function's memory address; for that, see the IDA part.

Because of ASLR, the addresses you get from IDA are generally not the runtime addresses: each time the program runs, the image is loaded at a different offset. Use `info sh` in gdb to obtain that offset (the slide).

    gdb$ info sh
    The DYLD shared library state has not yet been initialized.
                                   Requested State Current State
    Num Basename  Type Address          Reason | | Source
        |         |    |                |      | | |

Damn, there's nothing there at all!!! (OK, enough of that.)

So I located the SpringBoard application's directory and loaded the binary with the `file` command:

    yuchenghaide-iPod:~ root# ps aux | grep SpringBorad
    root      1915   0.0  0.1   338564    520 s000  S+   11:02AM   0:00.01 grep SpringBorad
    yuchenghaide-iPod:~ root# ps aux | grep SpringBoard
    mobile    1514   0.0 11.3   588168  58320   ??  Ss    3:46PM   1:39.55 /System/Library/CoreServices/SpringBoard.app/SpringBoard
    root      1917   0.0  0.1   338608    512 s000  S+   11:02AM   0:00.01 grep SpringBoard
    root      1877   0.0  0.4   349304   2124 s000  S    10:18AM   0:00.29 cycript -p SpringBoard
    yuchenghaide-iPod:~ root# cd /System/Library/CoreServices/SpringBoard.app/
    yuchenghaide-iPod:/System/Library/CoreServices/SpringBoard.app root# gdb
    GNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011)
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "--host=arm-apple-darwin9 --target=".
    gdb$ file SpringBoard
    unable to read unknown load command 0x80000028
    Reading symbols for shared libraries .. done
    unable to read unknown load command 0x80000028
    gdb$ attach SpringBoard
    Attaching to program: `/System/Library/CoreServices/SpringBoard.app/SpringBoard', process 1514.
    0x3877aa58 in ?? ()
    Error while running hook_stop:
    Invalid type combination in equality test.
    gdb$ info sh
    The DYLD shared library state has been initialized from the executable's shared library information.  All symbols should be present, but the addresses of some symbols may move when the program is executed, as DYLD may relocate library load addresses if necessary.
                                               Requested State Current State
    Num Basename                 Type Address         Reason | | Source
        |                        |    |               |      | | |
      1 SpringBoard                 - -                 exec Y Y /System/Library/CoreServices/SpringBoard.app/SpringBoard (offset 0x0)
      2 dyld                        - -                 init Y Y /usr/lib/dyld at 0x2be00000 with prefix "__dyld_"
      3 StoreServices               F -                 init Y ! /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices
      4 AirTraffic                  F -                 init Y ! /System/Library/PrivateFrameworks/AirTraffic.framework/AirTraffic
      5 IOSurface                   F -                 init Y ! /System/Library/PrivateFrameworks/IOSurface.framework/IOSurface
      6 MultitouchSupport           F -                 init Y ! /System/Library/PrivateFrameworks/MultitouchSupport.framework/MultitouchSupport
      7 MobileWiFi                  F -                 init Y ! /System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi
      8 libIOAccessoryManager.dylib - -                 init Y ! /usr/lib/libIOAccessoryManager.dylib
      9 IOMobileFramebuffer         F -                 init Y ! /System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer
     10 CoreSurface                 F -                 init Y ! /System/Library/PrivateFrameworks/CoreSurface.framework/CoreSurface
     11 BluetoothManager            F -                 init Y ! /System/Library/PrivateFrameworks/BluetoothManager.framework/BluetoothManager
     12 CrashReporterSupport        F -                 init Y ! /System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport
     13 EAP8021X                    F -                 init Y ! /System/Library/PrivateFrameworks/EAP8021X.framework/EAP8021X
     14 libmis.dylib                - -                 init Y Y /usr/lib/libmis.dylib at 0xa3e000 (offset -0xff5c2000)

Damn! offset = 0x0, what is going on? Is it really 0? I tried it:

    gdb$ b -[SpringBoard menuButtonDown:]
    Function "-[SpringBoard menuButtonDown:]" not defined.
    gdb$ b *(0xc41e)
    Breakpoint 1 at 0xc41e
    gdb$ info b
    Num Type           Disp Enb Address    What
    1   breakpoint     keep y   0x0000c41e <_mh_execute_header+46110>
    gdb$ c

`info b` prints all breakpoints; to delete one, use `d` followed by the breakpoint number.

`c` continues the program. I then pressed the home button, and the breakpoint was not hit at all. OK, let's stop here; you can look up the remaining gdb commands online.
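The step that matters in the transcript above is turning a static address from IDA into a runtime address using the `(offset ...)` that `info sh` reports, and reading the `info b` line to confirm where the image header actually sits. The following helper is an added example written for this post (not code from the original article or from GDB); the gdb output it parses is constructed from the rows shown above, and the `0x1000` slide in the demo is a made-up value to show a non-zero case. It rebases an address, accepts the negative offsets gdb also prints (see the `libmis.dylib` row), and recovers the `_mh_execute_header` address implied by `<_mh_execute_header+46110>`.

```python
"""Rebase IDA (static) addresses to runtime addresses using the load offset
that gdb's `info sh` reports, and cross-check against an `info b` row.

Added example for this post; not code from the original article or GDB.
The sample gdb output below is constructed from the transcript in the post.
"""
import re

# Constructed sample: three rows in the format gdb's `info sh` prints on iOS.
INFO_SH = """\
  1 SpringBoard                 - -                 exec Y Y /System/Library/CoreServices/SpringBoard.app/SpringBoard (offset 0x0)
  2 dyld                        - -                 init Y Y /usr/lib/dyld at 0x2be00000 with prefix "__dyld_"
 14 libmis.dylib                - -                 init Y Y /usr/lib/libmis.dylib at 0xa3e000 (offset -0xff5c2000)
"""

# Constructed sample: the `info b` row from the transcript.
INFO_B_ROW = "1   breakpoint     keep y   0x0000c41e <_mh_execute_header+46110>"

# Row number, basename, then anything up to a trailing "(offset <hex>)"; the
# sign is optional because gdb prints negative offsets as well.
OFFSET_RE = re.compile(r"^\s*\d+\s+(\S+)\s.*?\(offset\s+(-?0x[0-9a-fA-F]+)\)\s*$")

# "0x0000c41e <_mh_execute_header+46110>" -> address, symbol, decimal offset
SYMBOLIC_RE = re.compile(r"0x([0-9a-fA-F]+)\s+<(\w+)\+(\d+)>")


def parse_slides(info_sh_output):
    """Return {image basename: ASLR slide} for every row that reports an offset.

    Rows without "(offset ...)" (such as dyld) are skipped, not errors.
    """
    slides = {}
    for line in info_sh_output.splitlines():
        m = OFFSET_RE.match(line)
        if m:
            slides[m.group(1)] = int(m.group(2), 16)
    return slides


def rebase(static_addr, slide):
    """Runtime address = address as seen in IDA + slide, wrapped to 32 bits
    (the device in the post is a 32-bit ARM iPod)."""
    return (static_addr + slide) & 0xFFFFFFFF


def breakpoint_command(static_addr, slide):
    """Build the `b *(0x...)` command for a rebased address."""
    return "b *(0x%x)" % rebase(static_addr, slide)


def symbol_base_from_info_b(row):
    """From an `info b` row like '0x0000c41e <_mh_execute_header+46110>'
    return (symbol, symbol address): 0xc41e - 46110 = 0x1000."""
    m = SYMBOLIC_RE.search(row)
    if not m:
        raise ValueError("no symbolic address in row: %r" % row)
    addr = int(m.group(1), 16)
    return m.group(2), addr - int(m.group(3))


if __name__ == "__main__":
    slides = parse_slides(INFO_SH)
    print("slides:", {k: hex(v) for k, v in slides.items()})
    # With offset 0x0 the IDA address is already the runtime address.
    print(breakpoint_command(0xC41E, slides["SpringBoard"]))
    # Hypothetical non-zero slide of 0x1000 (constructed, not from the post).
    print(breakpoint_command(0xC41E, 0x1000))
    print(symbol_base_from_info_b(INFO_B_ROW))
```

The recovered header address (`0x1000`) together with `offset 0x0` is consistent: on that device SpringBoard was loaded at its link-time base, so `b *(0xc41e)` did target the address IDA showed, and the breakpoint not firing is not an ASLR problem.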

From Snakeninny, one of the authors of iOS App Reverse Engineering, I finally learned that GDB may have been abandoned after iOS 7.x and replaced by LLDB.

How to use LLDB: http://bbs.iosre.com/forum.php?mod=viewthread&tid=52

Summary:

Well, the next post will cover the specifics of using LLDB. It is also worth mentioning that Xcode's debugging tool is LLDB, so learning to use LLDB is very important.

Also, once we have found the logic we are after through persistent effort, how should we attack or modify it? Hey, wait for the next post.

Take it easy, young man!
