I have recently been studying iOS reverse engineering. There is not much information about it online, so here is a summary of what I have learned.
Study materials first:
The blog of nianxi, a well-known author in this area: http://nianxi.net
The book "iOS Application Reverse Engineering: Analysis and Practice"
------------------------------------------------------------
Next, the tools (on the iOS device, install them by searching in Cydia; for some of them you have to add the source repository yourself):
A jailbroken iOS device: this is a must
OpenSSH (source: http://apt.saurik.com): for logging in to the device over SSH and copying files with scp
class-dump-z: for a quick look at the class names and method names in the app
IDA: a powerful disassembler
Hopper Disassembler: similar to IDA, and my preference, because it can turn a function into simple Objective-C-like pseudocode
Reveal: a UI hierarchy inspection tool
iFunBox, iTools: two powerful iOS device management tools; on a jailbroken device they let you browse an application's files, among other things
------------------------------------------------------------
That is about all of them. Most of the tools above are paid, but each has a trial version. Now let's go through them one by one:
1. Jailbreaking the iOS device: I will not cover this, but I do want to praise the Pangu team; at the moment every iOS version can be jailbroken (including iOS 8.x).
2. Install OpenSSH (source: http://apt.saurik.com) on the iOS device, then log in to it from your computer over SSH:

    ACA80166:~ yuchenghai$ ssh root@<device-ip>

Then enter the password. The part after the @ is the phone's IP address (replace <device-ip> with it); after jailbreaking, the default password seems to be 123456. Change it as soon as OpenSSH is installed: from that point on the device is reachable over the network by anyone who knows the default.
The commands to transfer files are:

    scp gdbinit root@<device-ip>:/var/root            # copy a file to the device
    scp root@<device-ip>:/var/root/123.txt ~/         # copy a file back from the device
3. class-dump-z is a powerful tool for extracting class and method declarations; it is very useful and a basic part of the toolkit.
Download: http://stevenygard.com/projects/class-dump
https://code.google.com/p/networkpx/wiki/class_dump_z
It can be run either on the phone or on the computer. The file to parse is the executable inside the application directory X.app (which holds all of the app's resource files): the file named X, where X is the name of the app you want to analyze. Take the Changba (KTV) app as an example: use iFunBox to find the application, enter its directory, and you will see KTV.app; open that package and you will find the KTV executable.
    $ class-dump-z ktv > ktv.txt          # dump everything to one file
    $ class-dump-z -H ktv -o ktvdir/      # write one header file per class into a folder (create ktvdir first)
* One problem here: for an app downloaded from the App Store the output is garbled, because the binary is encrypted. Solutions:
Download the app from a third-party channel such as Tongbu or 91 instead.
Use a decryption tool such as AppCrackr (source http://cydia.xsellize.com), Crackulous, or Clutch.
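It is quicker to check whether a binary is still encrypted than to discover it from garbled class-dump output. The script below is an added example (not from the original post) in Python: it walks the load commands of a Mach-O executable, finds LC_ENCRYPTION_INFO (or the 64-bit variant) and reports the cryptid for every architecture slice; a non-zero cryptid means the executable is still FairPlay-encrypted. It handles thin 32/64-bit files and fat files. The sample binaries it builds are constructed in memory and are not real app files; the magic numbers and load-command layouts are the ones from Apple's mach-o headers.

```python
"""Report whether an iOS app executable (Mach-O) is still encrypted.

An App Store binary carries an LC_ENCRYPTION_INFO (or _64) load command
whose cryptid is 1 while the __TEXT segment is encrypted; class-dump and
disassemblers produce garbage on such a file.  Added example (not the
post's own code) handling thin 32/64-bit Mach-O files and fat files.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE                      # fat headers are always big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def thin_cryptid(blob, base=0):
    """cryptid of the Mach-O slice starting at `base`, or None when the
    slice has no LC_ENCRYPTION_INFO command (e.g. a locally built dylib)."""
    magic, = struct.unpack_from("<I", blob, base)
    end = "<"
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        magic, = struct.unpack_from(">I", blob, base)
        end = ">"
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError("no Mach-O header at offset 0x%x" % base)
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds,
    # sizeofcmds, flags [, reserved]; ncmds sits at +16 in both layouts.
    hdr_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, = struct.unpack_from(end + "I", blob, base + 16)
    off = base + hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", blob, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at 0x%x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(end + "III", blob, off + 8)
            return cryptid
        off += cmdsize
    return None


def encryption_status(blob):
    """Map slice offset -> cryptid for every architecture in the file."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return {0: thin_cryptid(blob, 0)}
    nfat, = struct.unpack_from(">I", blob, 4)
    status = {}
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
        _, _, offset, _, _ = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
        status[offset] = thin_cryptid(blob, offset)
    return status


def is_encrypted(blob):
    """True if any slice still has cryptid != 0."""
    return any(cid for cid in encryption_status(blob).values())


# --- constructed sample binaries (not real app files) -----------------------
def make_thin_sample(cryptid, is64=True):
    """Minimal Mach-O with one LC_ENCRYPTION_INFO(_64) command;
    cryptid=None builds a file without any encryption command."""
    if cryptid is None:
        cmd = b""
    elif is64:
        cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    else:
        cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    ncmds = 1 if cmd else 0
    if is64:
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmd), 0, 0)
    else:
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 0xC, 9, 2, ncmds, len(cmd), 0)
    return hdr + cmd


def make_fat_sample(cryptid32, cryptid64):
    """Fat file: an armv7 slice at 0x100 and an arm64 slice at 0x200."""
    slices = [(0xC, 0x100, make_thin_sample(cryptid32, is64=False)),
              (0x0100000C, 0x200, make_thin_sample(cryptid64, is64=True))]
    blob = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for cputype, off, s in slices:
        blob += struct.pack(">IIIII", cputype, 0, off, len(s), 8)
    for _, off, s in slices:
        blob += b"\0" * (off - len(blob))
        blob += s
    return bytes(blob)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_fat_sample(1, 1)
    for off, cid in sorted(encryption_status(data).items()):
        print("slice @0x%x: cryptid=%s" % (off, cid))
```

Run it with the path of the executable copied out of X.app (for example `python check_crypt.py KTV`); a slice whose cryptid is 1 will not dump cleanly, while None means the file never had an encryption command at all, which is what you see on a dylib built locally.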
class-dump only gives you class names and method names; it cannot show the concrete implementation logic. But it is intuitive.
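A full dump of an app is thousands of lines, so the useful next step is to index it. The following Python script is an added example (not from the original post): it parses text in the style that `class-dump-z ktv > ktv.txt` produces (@interface blocks with -/+ method declarations, categories included) into a class-to-methods map, and then answers the two questions this workflow raises: which classes subclass a given UIKit class (the view type Reveal shows you), and which selectors mention a keyword. SAMPLE_DUMP is a constructed stand-in for a real dump, and the KTV class names in it are made up.

```python
"""Index class-dump output so the interesting classes and methods can be found.

Added example, not from the post.  Parses @interface blocks and their
-/+ method declarations as class-dump-z prints them.  SAMPLE_DUMP is a
constructed sample, not a real dump of any app.
"""
import re
from collections import OrderedDict

SAMPLE_DUMP = """\
@interface KTVLoginViewController : UIViewController <UITextFieldDelegate> {
    UITextField* _nameField;
    UITextField* _passwordField;
}
@property(retain) UITextField* nameField;
-(void)loginButtonTapped:(id)sender;
-(BOOL)validatePassword:(id)password;
-(void)sendLoginRequestWithName:(id)name password:(id)password;
@end

@interface KTVSongCell : UITableViewCell {
}
-(void)setSong:(id)song;
+(CGFloat)cellHeight;
@end

@interface KTVAPIClient : NSObject
+(id)sharedClient;
-(void)getWithPath:(id)path params:(id)params completion:(id)block;
@end

@interface KTVAPIClient (Login)
-(void)loginWithName:(id)name password:(id)password;
@end
"""

# @interface Name [(Category)] [: Super] [<Proto, ...>]
INTERFACE_RE = re.compile(
    r"^@interface\s+(\w+)\s*(?:\((\w+)\))?\s*(?::\s*(\w+))?\s*(?:<([^>]*)>)?")
# -(rettype)selector:(type)arg ...;
METHOD_RE = re.compile(r"^\s*([-+])\s*\(([^)]*)\)\s*(.+?);\s*$")


def selector_of(declaration):
    """'loginWithName:(id)name password:(id)pw' -> 'loginWithName:password:'"""
    stripped = re.sub(r"\([^)]*\)\s*\w+", "", declaration)  # drop (type)argname pairs
    return re.sub(r"\s+", "", stripped)


def parse_class_dump(text):
    """Return {class: {"super": str|None, "protocols": [..], "methods": [..]}}.
    Methods are '-selector' / '+selector'; categories merge into their class."""
    classes = OrderedDict()
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            name, category, superclass, protocols = m.groups()
            entry = classes.setdefault(name, {"super": None, "protocols": [], "methods": []})
            if superclass and not category:
                entry["super"] = superclass
            if protocols:
                entry["protocols"] += [p.strip() for p in protocols.split(",") if p.strip()]
            current = entry
            continue
        if line.startswith("@end"):
            current = None
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            kind, _rettype, decl = m.groups()
            current["methods"].append(kind + selector_of(decl))
    return classes


def subclasses_of(classes, superclass):
    """Classes whose direct superclass is `superclass` (e.g. UIViewController)."""
    return [name for name, e in classes.items() if e["super"] == superclass]


def find_selectors(classes, keyword):
    """(class, method) pairs whose selector contains keyword, case-insensitively."""
    kw = keyword.lower()
    return [(name, meth) for name, e in classes.items()
            for meth in e["methods"] if kw in meth.lower()]


if __name__ == "__main__":
    index = parse_class_dump(SAMPLE_DUMP)
    print("UIViewController subclasses:", subclasses_of(index, "UIViewController"))
    for cls, meth in find_selectors(index, "password"):
        print("%s %s" % (cls, meth))
```

Point `parse_class_dump` at the contents of ktv.txt instead of SAMPLE_DUMP and the same two queries locate the controller behind a screen Reveal showed you and every method that touches, say, a password, which is exactly the list you then take into IDA or Hopper.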
4. IDA and Hopper Disassembler are much alike: both let you see the concrete logic of each function (in assembly, though). IDA is very powerful and can label the Objective-C method names in the disassembly, but I prefer Hopper Disassembler because it can easily produce Objective-C-like pseudocode and is very simple to use. In both, pressing the space bar shows the branching logic as a graph.
Assembly is hard to read; it takes patience, and then more patience. Later on, combining it with dynamic tools makes the analysis much more effective.
5. Reveal is even more powerful: it shows the concrete structure of the UI and tells you the type of each view, which is often the starting point when we analyze an app.
Download: http://revealapp.com
After downloading, open Reveal and choose Help > Show Reveal Library in Finder from the menu to open the library folder, then copy two files to the phone:
    scp -r /Applications/Reveal.app/Contents/SharedSupport/iOS-Libraries/Reveal.framework root@<device-ip>:/System/Library/Frameworks
    scp /Applications/Reveal.app/Contents/SharedSupport/iOS-Libraries/libReveal.dylib root@<device-ip>:/Library/MobileSubstrate/DynamicLibraries
Next, edit the libReveal.plist file.
Create a file named libReveal.plist under /Library/MobileSubstrate/DynamicLibraries/ that names the bundle identifier of the app to inspect; you can list more than one:

    {
        Filter = {
            Bundles = ( "com.changba.ktv" );
        };
    }
You may ask how to look up an app's bundle ID: again use iFunBox to find the application directory; the X.app folder contains an Info.plist file, and the bundle ID is the CFBundleIdentifier value inside it.
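The two steps above (read the bundle ID out of Info.plist, then write the filter plist) are easy to get wrong by hand, especially since Info.plist in an App Store bundle is usually a binary plist. The Python script below is an added example, not from the original post: it reads CFBundleIdentifier and CFBundleExecutable with plistlib (which handles both binary and XML plists), validates the identifiers, and emits libReveal.plist in the old-style syntax the post shows, with one entry per bundle. SAMPLE_INFO_PLIST is a constructed Info.plist, and the second bundle ID used in the usage note is a made-up placeholder.

```python
"""Look up an app's bundle ID and generate the Reveal filter plist for it.

Added example, not from the post.  Info.plist inside <X>.app is usually a
binary plist; plistlib.loads reads binary and XML alike.  The filter is
written in the old-style plist syntax the post shows.
"""
import plistlib
import re

# Constructed Info.plist standing in for <X>.app/Info.plist (XML form here).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>KTV</string>
    <key>CFBundleIdentifier</key>
    <string>com.changba.ktv</string>
</dict>
</plist>
"""

# Reverse-DNS identifiers: letters, digits and hyphens, dot-separated.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def app_identity(info_plist_bytes):
    """(bundle id, executable name) from an Info.plist, binary or XML."""
    info = plistlib.loads(info_plist_bytes)
    return info["CFBundleIdentifier"], info["CFBundleExecutable"]


def reveal_filter_plist(bundle_ids):
    """libReveal.plist text restricting injection to the listed bundle IDs."""
    if not bundle_ids:
        raise ValueError("at least one bundle identifier is required")
    for bid in bundle_ids:
        if not BUNDLE_ID_RE.match(bid):
            raise ValueError("not a valid bundle identifier: %r" % bid)
    entries = ", ".join('"%s"' % bid for bid in bundle_ids)
    return "{\n    Filter = {\n        Bundles = ( %s );\n    };\n}\n" % entries


def bundles_in_filter(plist_text):
    """Read the Bundles list back out of an old-style filter plist."""
    m = re.search(r"Bundles\s*=\s*\(([^)]*)\)", plist_text)
    if not m:
        return []
    return re.findall(r'"([^"]+)"', m.group(1))


if __name__ == "__main__":
    bundle_id, executable = app_identity(SAMPLE_INFO_PLIST)
    print("executable to class-dump:", executable)   # the file named X inside X.app
    print(reveal_filter_plist([bundle_id]), end="")
```

With a real bundle, pass `open("Info.plist", "rb").read()` to `app_identity`; the executable name it returns is the file you hand to class-dump-z, and the bundle ID goes into `reveal_filter_plist`, for example `reveal_filter_plist(["com.changba.ktv", "com.example.second"])` when you want Reveal loaded into two apps at once.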
Finally, restart the device, open the app you want to analyze, and open the Reveal window on the computer; you can then click through the view hierarchy to analyze it.
To summarize, the logic of analyzing an application is:
1. Get a jailbroken device and the tools.
2. Download the app to analyze from a jailbreak app platform (or get it from the App Store and decrypt it with a decryption tool).
3. Load the page into Reveal to find the specific view class, or at least the rough area, you want to understand.
4. In the class-dump output, find the classes and methods you want.
5. Find the specific method in IDA to read its logic.
Simple static analysis only gives a rough picture; to understand the framework and the concrete content you also need the help of dynamic analysis (covered next). But if you want to know which libraries an app uses, how its interface is structured, and what image resources it contains, the above is absolutely enough. In short, reverse engineering is rather tedious work with little information available; what it needs is ..... keep going!
iOS Reverse Engineering: Static Analysis