iOS Reverse Engineering: Static Analysis

Source: Internet
Author: User

I have recently been studying iOS reverse engineering. There is not much information about it online, so I am summarizing what I have learned.

First, study materials:

    1. Read this expert's blog: http://nianxi.net

    2. The book "iOS Application Reverse Engineering: Analysis and Practice"

----------------------------------------------------------------------------------------------------------

Next, the tools (on the iOS side, search for and install them with Cydia; some require adding the repo yourself):

    1. A jailbroken iOS device: this is a must.

    2. OpenSSH (repo: http://apt.saurik.com): used for logging in to the device over ssh and transferring files with scp.

    3. class-dump-z: for a quick listing of the class and method names in an app.

    4. IDA: a powerful disassembler and decompiler.

    5. Hopper Disassembler: similar to IDA; I prefer it because it can produce simple Objective-C-style pseudocode.

    6. Reveal: UI hierarchy inspection tool.

    7. iFunBox, iTools: two powerful iOS device management tools; on a jailbroken device they can read application files, among other things.


----------------------------------------------------------------------------------------------------------

Well, that's pretty much all. Most of the tools above are paid, but trial versions are available. Now let's go through them one by one:

    1. Jailbreaking the iOS device: I won't go into it, but I want to praise the @Pangu Team; currently every iOS version can be jailbroken (including iOS 8.x).

    2. Install OpenSSH on the iOS device (repo: http://apt.saurik.com), then ssh into the device from your computer (the part after the @ is the phone's IP address):

aca80166:~ yuchenghai$ ssh root@192.168.0.x

Then enter the password. The author reports the default password after jailbreaking as 123456; on a stock jailbreak the root password is alpine. Whichever it is, change it with passwd as soon as OpenSSH is installed, because the device now accepts root logins from anyone on the same Wi-Fi network.

To transfer files, use scp (to the device and back from it):

    scp gdbinit root@192.168.0.x:/var/root
    scp root@192.168.0.x:/var/root/123.txt ~/

3. class-dump-z is a powerful tool for extracting class and method declarations; it is very useful and is the basic tool of the trade.

class-dump: http://stevenygard.com/projects/class-dump

class-dump-z: https://code.google.com/p/networkpx/wiki/class_dump_z

It can be run on the phone or on the computer. The file to parse is the executable X inside the application bundle X.app (where X is the name of the app you want to analyze; the bundle also holds all of the app's resources). Taking the KTV app (bundle ID com.changba.ktv) as an example: use iFunBox to open the application directory, find KTV.app, and open the bundle to find the executable KTV.

    $ class-dump-z KTV > KTV.txt          # dump all declarations into one file
    $ class-dump-z -H KTV -o KTVdir       # one header file per class into a folder (create KTVdir first)

* One problem here: for an app downloaded from the App Store the output is garbage, because the binary is FairPlay-encrypted. Solutions:

    1. Download an already-decrypted copy from a third-party channel such as Tongbu or 91.

    2. Use a decryption tool such as AppCrackr (repo: http://cydia.xsellize.com), Crackulous or Clutch, which dump the decrypted image from memory on the jailbroken device.

class-dump only recovers class and method names; it cannot show the concrete implementation logic. But it is very intuitive.

4. IDA and Hopper Disassembler are much alike: both show you the concrete logic of every function (though as assembly). IDA is very powerful and can label Objective-C method names, but I prefer Hopper Disassembler because it can produce rough Objective-C-style pseudocode and is very simple to use. In both, pressing the spacebar switches to the graph view of the branching logic.

Assembly is hard to read; what it takes is patience and more patience. Combining static analysis with dynamic tools makes it far more effective.

5. Reveal is even more powerful: it shows the concrete structure of the UI and tells you the class of each view, which is often the starting point for analyzing an app.

Reveal: http://revealapp.com

After downloading, open Reveal and choose Help > Show Reveal Library in Finder from the menu; this opens the folder holding the library files. Send the two files to the phone (paths on the iOS side are case-sensitive):

    scp -r /Applications/Reveal.app/Contents/SharedSupport/iOS-Libraries/Reveal.framework root@192.168.0.x:/System/Library/Frameworks
    scp /Applications/Reveal.app/Contents/SharedSupport/iOS-Libraries/libReveal.dylib root@192.168.0.x:/Library/MobileSubstrate/DynamicLibraries

Next, the libReveal.plist file. Create libReveal.plist under /Library/MobileSubstrate/DynamicLibraries/; it is the MobileSubstrate filter that tells the loader which apps libReveal.dylib should be injected into. List the app's bundle ID (several IDs may be listed, separated by commas inside the parentheses):

    { Filter = { Bundles = ("com.changba.ktv"); }; }

Some will ask how to look up the app's bundle ID: again use iFunBox to open the application directory; the X.app folder contains an Info.plist file, and the bundle ID is its CFBundleIdentifier value.

Finally, restart the device, open the application you want to analyze, then open the Reveal interface on the computer and click through the view hierarchy.
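Two of the manual steps above can be scripted: checking whether an App Store binary is still encrypted before running class-dump on it (the "garbled output" problem in the class-dump-z section), and reading the bundle ID out of Info.plist (the Reveal filter step). The following is an added example for this post, not code from the original author. It parses the Mach-O headers of the app's executable, including fat binaries with several architecture slices, and reports the cryptid of each slice's LC_ENCRYPTION_INFO command: 0 means decrypted, anything else means FairPlay encryption is still in place. The KTV.app bundle built in demo() is constructed test data carrying the post's bundle ID; the only layout assumption is that Info.plist and the executable sit side by side in the .app directory, as the post describes.

```python
"""Triage an extracted .app bundle before pointing class-dump at it.

Added example (not the original author's code): reads CFBundleIdentifier and
CFBundleExecutable from Info.plist, then walks the executable's Mach-O load
commands and reports the cryptid of LC_ENCRYPTION_INFO(_64) per slice.
Standard library only; the KTV.app sample in demo() is constructed test data.
"""
import plistlib
import struct
import tempfile
from pathlib import Path

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE         # fat header, always big-endian
MH_MAGIC = 0xFEEDFACE          # 32-bit thin image (little-endian on ARM/x86)
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit thin image
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C


def macho_cryptids(data):
    """Return {cputype: cryptid} for every slice; slices with no encryption command get 0."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        result = {}
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (big-endian)
            cputype, _, offset, size, _ = struct.unpack(">iiIII", data[8 + i * 20:28 + i * 20])
            result.update(macho_cryptids(data[offset:offset + size]))
        return result
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MH_MAGIC:
        pos = 28                               # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        pos = 32                               # sizeof(struct mach_header_64): one extra reserved field
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    cputype, _, _, ncmds, _, _ = struct.unpack("<iiIIII", data[4:28])
    cryptid = 0
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # struct encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptid = struct.unpack("<I", data[pos + 16:pos + 20])[0]
        pos += cmdsize                         # cmdsize covers the whole command, payload included
    return {cputype: cryptid}


def triage_app(app_dir):
    """Bundle id, executable name and encryption state of an .app directory."""
    with open(Path(app_dir) / "Info.plist", "rb") as f:
        info = plistlib.load(f)                # handles both XML and binary plists
    exe = info["CFBundleExecutable"]           # authoritative; not always equal to the .app name
    cryptids = macho_cryptids((Path(app_dir) / exe).read_bytes())
    return {
        "bundle_id": info["CFBundleIdentifier"],
        "executable": exe,
        "cryptids": cryptids,
        "encrypted": any(c != 0 for c in cryptids.values()),
    }


# --- constructed sample data: minimal headers only, no code or segments ---
def sample_macho32(cryptid):
    """armv7 thin image with a single LC_ENCRYPTION_INFO."""
    cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid)
    return struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 1, len(cmd), 0) + cmd


def sample_macho64(cryptid):
    """arm64 thin image with a single LC_ENCRYPTION_INFO_64."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0) + cmd


def sample_fat(slices):
    """Fat binary wrapping the given thin images (placed back to back, no alignment padding)."""
    offset = 8 + 20 * len(slices)
    archs = b""
    for s in slices:
        cputype = struct.unpack("<i", s[4:8])[0]
        archs += struct.pack(">iiIII", cputype, 0, offset, len(s), 0)
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + b"".join(slices)


def demo():
    """Write a constructed KTV.app (armv7 slice decrypted, arm64 slice still encrypted) and triage it."""
    app = Path(tempfile.mkdtemp()) / "KTV.app"
    app.mkdir()
    with open(app / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleIdentifier": "com.changba.ktv", "CFBundleExecutable": "KTV"}, f)
    (app / "KTV").write_bytes(sample_fat([sample_macho32(0), sample_macho64(1)]))
    return triage_app(app)


if __name__ == "__main__":
    r = demo()
    print("%s exe=%s cryptids=%s encrypted=%s" % (r["bundle_id"], r["executable"], r["cryptids"], r["encrypted"]))
```

Against a real bundle, copy the .app directory off the device with scp or iFunBox and call triage_app('/path/to/KTV.app'). If "encrypted" is True for the slice your device runs, class-dump-z will print nothing useful until the app has been decrypted; the same cryptid is what otool -l shows under LC_ENCRYPTION_INFO, and what the decryption tools above reset to 0 when they write the dumped image.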


To summarize, the logic for analyzing an application is:

    1. Get a well-jailbroken device with the tools installed.

    2. Get the app to analyze from a jailbreak platform (or from the App Store, then decrypt it with a decryption tool).

    3. Load it in Reveal to find the specific view class, or at least the rough area, you are interested in.

    4. In the class-dump output, find the classes and methods you want.

    5. Find those functions in IDA and read the logic.

Simple static analysis only gives you a rough picture; to understand the framework and the concrete behavior you also need dynamic analysis (to be covered next). But if you want to know which libraries an app uses, how its interfaces are structured and what image resources it ships, the above is absolutely enough. In short, reverse engineering is tedious work with little information available; what it takes is patience. Keep going.

