Use of class-dump and iOSOpenDev


class-dump website address: here

I downloaded version class-dump-3.5.dmg from here.

Double-click the .dmg file to mount it, then drag the class-dump binary into the /usr/local/bin folder so that the class-dump command can be used in the terminal.

Here I dump the Calculator app that ships with the system and export its header files.

The command is as follows:

class-dump -H /Applications/Calculator.app -o /Users/rio/Desktop/calculate\ Heads

Explanation:

/Applications/Calculator.app is the path to the Calculator app. Note that the suffix is .app, not .ipa; don't foolishly try to dump a .ipa, or you will get the error:

class-dump: input file (xxx.ipa) is neither a Mach-O file nor a fat archive.

/Users/rio/Desktop/calculate\ Heads is the folder where the dumped header files are stored.

class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>

  where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64)
        -C <regex>     only display classes matching regular expression
        -f <str>       find string in method name
        -H             generate header files in current directory, or directory specified with -o
        -I             sort classes, categories, and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the arches in the file, then exit
        --sdk-ios      specify iOS SDK version to use (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
        --sdk-mac      specify Mac OS X version to use (will look in /Developer/SDKs/MacOSX<version>.sdk
        --sdk-root     specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)

After executing the command you can see that the header files have been dumped (screenshot not preserved).
Although class-dump is very practical, sometimes we find that it fails to produce the .h files we want, or the contents of the .h files are encrypted garbage.

This happens because class-dump must operate on an unencrypted executable, while apps downloaded from the App Store are signed and encrypted: the executable is wrapped in a "shell". You can use AppCrackr to remove the shell yourself.


----------2016.01.07 Update----------------

For apps downloaded from the App Store, I remove the shell with Clutch.

First SSH to the iPhone. You may run into this problem:

macbook:~ aaron$ ssh root@172.17.24.70

ssh: connect to host 172.17.24.70 port 22: Connection refused

No hurry: install OpenSSH from Cydia, then SSH to the iPhone again and it will work.

Download the Clutch binary from the Internet and rename it to clutch (you don't have to; I renamed it only because having to type a capital letter every time I ran the command was annoying), then copy it to the iPhone's /usr/bin/ folder.

macbook:~ aaron$ scp "/Users/aaron/Documents/kugou/doc/Jailbreak development/hack/clutch" root@172.17.24.70:/usr/bin/

root@172.17.24.70's password:

clutch                                        100%  915KB 914.8KB/s   00:00

OK, now change clutch to the highest permission, 777:

iPhone:/usr/bin root# chmod 777 ./clutch

Check whether the change succeeded:

iPhone:/usr/bin root# ls -al | grep clutch

-rwxrwxrwx 1 root wheel 936752 Jan 7 16:02 clutch

You can see it now has the highest permission.

Next comes using Clutch. Guides online say to install MobileTerminal and so on; ignore that and just run it directly:

iPhone:/usr/bin root# clutch -i

Enter the command above to see a long list of applications whose shells can be removed:

Installed apps:
1) <alipaywallet bundleid:com.alipay.iphoneclient>
2) <wechat bundleid:com.tencent.xin>
3) <yidian bundleid:com.yidian.zixun>
4) <youkuiphone bundleid:com.youku.youku>
5) <beep bundleid:com.xiaojukeji.didi>
6) <taobao4iphone bundleid:com.taobao.taobao4iphone>
7) <newsboard bundleid:com.netease.news>
8) <ilady bundleid:cn.com.modernmedia.imodernlady>
9) <netdisk_iphone bundleid:com.baidu.netdisk>
..........


Enter the bundle identifier of the application whose shell you want to remove:

iPhone:/usr/bin root# clutch -d com.yidian.zixun

On success you will see the path of the cracked file:

Done: /private/var/mobile/Documents/Dumped/com.yidian.zixun-iOS7.0-(Clutch-2.0 RC2).ipa

Then copy the .ipa file to your computer:

macbook:~ aaron$ scp root@172.17.24.70:/private/var/mobile/Documents/Dumped/com.yidian.zixun-iOS7.0-(Clutch-2.0 RC2).ipa ~/Desktop/

-bash: syntax error near unexpected token '('

Oops, an error: bash cannot handle the '(', so rename the .ipa before using scp:

iPhone:/private/var/mobile/Documents/Dumped root# mv com.yidian.zixun-iOS7.0-\(Clutch-2.0\ RC2\).ipa Yidian.ipa

Copy it to the PC desktop:

macbook:~ aaron$ scp root@172.17.24.70:/private/var/mobile/Documents/Dumped/Yidian.ipa ~/Desktop/Yidian.ipa

root@172.17.24.70's password:

Yidian.ipa                                    100%   25MB   1.5MB/s   00:16

At this point the shell has been removed, and class-dump can now dump the header files. Cheers!


--------------------------------Cutting Line-----------------------------------

Installing apt-get:

Open Cydia – Manage – Settings – select "Developer" – Done, then search for apt. Install "APT 0.6 Transitional"; it pulls in four or five other dependent packages, which are not big.

After installation you can use apt-get, for example apt-get install netstat, apt-get install ps, and so on.




--------------------------------Cutting Line-----------------------------------


Another very important thing to do before creating a new project: install the tool used to view the log output.

# view the log
apt-get install socat

After installation, enter the following commands to view the log:

socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock
>watch


This error message may appear when installing socat:

E: Could not get lock /var/lib/dpkg/lock - open (35: Resource temporarily unavailable)

E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?

You can try the solution here.

(Try the other methods mentioned in that post first, and then use the following method, for example.)



To make debugging more convenient when using iOSOpenDev, the device needs the following environment installed:

# Required on the phone so that Xcode can install the .deb package to it during iOSOpenDev development
apt-get install coreutils diskdev-cmds file-cmds system-cmds com.saurik.substrate.safemode mobilesubstrate preferenceloader


If the installation fails with "Package diskdev-cmds is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source", run the following command and then install again:
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get install PackageName
(or)
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install PackageName
Source: http://www.blackmoreops.com/2014/12/13/fixing-error-package-packagename-not-available-referred-another-package-may-mean-package-missing-obsoleted-available-another-source-e-pa/


On some devices netstat, socat and similar packages cannot be installed, so the dylib cannot be copied through iOSOpenDev and socat cannot be used to view the log. In that case the workaround is:
1. After compiling with iOSOpenDev, copy the dylib to the phone manually:
scp Hookktv.dylib root@<device-ip>:/Library/MobileSubstrate/DynamicLibraries/
2. Replace the original NSLog calls with file writes: write the hook information to a file, then export the file with a tool such as a phone assistant.
3. Restart SpringBoard:
killall SpringBoard


--------------------------------Cutting Line-----------------------------------

After all the above environment setup is done, you can create a new project:

Select Logos Tweak, then click Next all the way through to create the project.

The new .xm file contains a hint telling you to drag the dynamic library libsubstrate.dylib from the /opt/iOSOpenDev/lib/ folder into the project. Since we are hooking SpringBoard here to pop up an alert box, we also need to import UIKit.framework.

#error iOSOpenDev post-project creation from template requirements (remove these lines after completed) -- \
Link to libsubstrate.dylib: \
(1) Go to TARGETS > Build Phases > Link Binary With Libraries and add /opt/iOSOpenDev/lib/libsubstrate.dylib \
(2) Remove these lines from *.xm files (not *.mm files as they're automatically generated from *.xm files)


Then write code like the following in the .xm file:

/* Logos by Dustin Howett
   See http://iphonedevwiki.net/index.php/Logos */
#import <UIKit/UIKit.h>

%hook SpringBoard
- (void)applicationDidFinishLaunching:(id)application {
    %orig;
    NSLog(@"Hook SpringBoard: this is the test log output...");
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Welcome" message:@"Hello World"
                                                   delegate:nil cancelButtonTitle:@"Thanks" otherButtonTitles:nil];
    [alert show];
    [alert release];
}
%end

%hook AppDelegate
- (void)applicationDidEnterBackground:(UIApplication *)application {
    %orig;
    NSLog(@"Hook AppDelegate: this is the test log output...");
    UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Hook" message:@"Hello World"
                                                   delegate:nil cancelButtonTitle:@"Thanks" otherButtonTitles:nil];
    [alert show];
    [alert release];
}
%end

You may encounter a compile error like the following (screenshot not preserved).

The workaround: change TARGETS – Build Settings – Code Signing – Provisioning Profile to "iOS Team Provisioning Profile: *" and it will be fine.


SSH to the phone and execute

socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock
>watch

to prepare to view the output log.


Connect the computer and the jailbroken device to the same network, check the device's Wi-Fi address, write it down, and fill it into TARGETS – Build Settings – User-Defined – iOSOpenDevDevice. Mine is 192.168.2.42, for example; this lets Xcode copy the dynamic library hooktest.dylib to root@192.168.2.42:/Library/MobileSubstrate/DynamicLibraries/ when profiling.

If you manage to set up the above environment, the rest is easy. Click Xcode – Product – Build For – Profiling, and Xcode copies the dynamic library hooktest.dylib (my new project is called Hooktest, so it is hooktest.dylib) and the .plist (here hooktest.plist) to root@192.168.2.42:/Library/MobileSubstrate/DynamicLibraries/, then restarts SpringBoard.
Execute killall SpringBoard and you will see the phone run the freshly copied hooktest.dylib as it starts and pop up an alert box.

The .plist that is copied along is used by the system to filter which applications the hook is loaded into. If no filter conditions are written in the plist, the newly copied dynamic library is loaded into all applications; by default it hooks SpringBoard. For example, if you now hook

- (void)applicationDidEnterBackground:(UIApplication *)application

in an application, and the .plist does not specify which application should load hooktest.dylib, then every application will load the hooktest.dylib dynamic library when launched.


After profiling finishes, look at the /Library/MobileSubstrate/DynamicLibraries folder: nothing is generated there. Instead, the project is packaged into a .deb file and copied to the iosopendevpackages folder on the jailbroken device. For example, mine generated

com.aaron.hooksb_1.0-1_iphoneos-arm.deb. After profiling ends, the iPhone restarts automatically (kills SpringBoard) and executes the hook code.

Use the scp command to copy the file from the device to your computer to inspect it:

scp root@192.168.2.42:/var/root/iosopendevpackages/com.aaron.hooksb_1.0-1_iphoneos-arm.deb ~/Desktop/



Note: problems you may encounter when profiling:

1. Permission denied (publickey,password,keyboard-interactive)

The relevant workaround is:

Step one: copy your public key to the iPhone's ~/home/username folder (no need to create a new folder; in fact I think any folder on the iPhone is fine, it is only there for step two)

scp ~/.ssh/id_rsa.pub root@<iphone-ip>:/home/serverusername

Step two: append the key to ~/.ssh/authorized_keys (again, no new folder needed)

cat id_rsa.pub >> ~/.ssh/authorized_keys

Then profile again in Xcode and it passes.

Reference link: here

2. Permission denied, failed to create directory /var/root/iosopendevpackages on device 192.168.2.42: command /bin/sh failed with exit code 255.

This problem seems to be the same as 1. A more elegant solution found online: run iosod sshkey -h 192.168.2.42 directly in the MacBook terminal, then profile again.

Reference link: here


If the environment setup above errors out, I suggest you Google it. Of course, you can also copy the files manually to root@<iphone-ip>:/Library/MobileSubstrate/DynamicLibraries/ after every change, but when a single click can take care of it, why copy by hand every time? Doesn't that feel painful?


OK, here we go.


--------------------------2017.01.16 Update----------------------

Today, when removing a shell with Clutch, I found something wrong:

com.tencent.xin contains WatchOS 2 compatible application. It's not possible to dump WatchOS 2 apps with Clutch 2.0.3 on this moment.

Zipping WeChat.app

Killed: 9


Version 6.5.3 cannot be dumped with Clutch now, so go directly to dumpdecrypted:

The dumpdecrypted procedure basically follows this article: iOS reverse engineering (simply using dumpdecrypted to remove the shell of an IPA).

What I want to record now is that the wechat.decrypted obtained after removing the shell produced only a single CDStructures.h file when dumped with this command:

class-dump -H wechat.decrypted --arch arm64 -o wechathead/

This means the decryption is incomplete. You can use the otool command to inspect the cryptid field to verify the decryption: 1 means not decrypted, and 0 means decrypted.


Desktop$ otool -l wechat.decrypted | grep crypt
wechat.decrypted (architecture armv7):
     cryptoff 16384
    cryptsize 48513024
      cryptid 0
wechat.decrypted (architecture arm64):
     cryptoff 16384
    cryptsize 52133888
      cryptid 1


You can see the cryptid is 1, so it is indeed not fully decrypted. It seems the arm64 architecture could not be decrypted, so try a different architecture:

class-dump --arch armv7 wechat.decrypted -H -o wechathead/

armv7 works. After a moment the header files are dumped successfully.
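The same cryptid check, written as an added example (not code from the original post): instead of grepping otool output, it reads the LC_ENCRYPTION_INFO load command of every slice of a thin or fat Mach-O directly and reports the cryptid per architecture, so a script can refuse to run class-dump on a slice that is still encrypted. The SAMPLE bytes are a constructed fat file mirroring the otool output above (armv7 cryptid 0, arm64 cryptid 1), not the real WeChat binary.

```python
import struct
# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE                                   # fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF           # ARM thin slices are little-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C   # the load commands carrying cryptid
ARCH_NAMES = {0x0000000C: "armv7", 0x0100000C: "arm64"}  # keyed by cputype only; subtype ignored

def slice_cryptid(buf, off=0):
    """Return (cputype, cryptid) for the thin Mach-O at off; cryptid None if no LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", buf, off)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % off)
    cputype, _subtype, _filetype, ncmds = struct.unpack_from("<IIII", buf, off + 4)
    pos = off + (32 if magic == MH_MAGIC_64 else 28)      # skip mach_header / mach_header_64
    for _ in range(ncmds):                                # walk the load commands
        cmd, cmdsize = struct.unpack_from("<II", buf, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", buf, pos + 8)
            return cputype, cryptid
        pos += cmdsize
    return cputype, None

def crypt_status(buf):
    """Map arch name -> cryptid for each slice of a thin or fat file (0 = decrypted, 1 = encrypted)."""
    if struct.unpack_from(">I", buf, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", buf, 4)[0]        # followed by 20-byte fat_arch entries
        offsets = [struct.unpack_from(">IIIII", buf, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        offsets = [0]
    status = {}
    for off in offsets:
        cputype, cryptid = slice_cryptid(buf, off)
        status[ARCH_NAMES.get(cputype, hex(cputype))] = cryptid
    return status

def fully_decrypted(buf):
    return all(c in (0, None) for c in crypt_status(buf).values())  # what class-dump needs
# Constructed sample (hypothetical bytes, not the real WeChat binary): a fat file whose
# armv7 slice is decrypted and whose arm64 slice is not, mirroring the otool output above.
def _thin(cputype, cryptid, bits64):
    if bits64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 52133888, cryptid, 0)
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0) + lc
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 16384, 48513024, cryptid)
    return struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, 2, 1, len(lc), 0) + lc
ARMV7, ARM64 = _thin(0x0C, 0, False), _thin(0x0100000C, 1, True)
SAMPLE = (struct.pack(">II", FAT_MAGIC, 2)                          # fat_header: magic, nfat_arch
          + struct.pack(">IIIII", 0x0C, 0, 48, len(ARMV7), 0)        # fat_arch for armv7 at offset 48
          + struct.pack(">IIIII", 0x0100000C, 0, 48 + len(ARMV7), len(ARM64), 0) + ARMV7 + ARM64)
```

Running crypt_status on the bytes of a real decrypted file (open(path, "rb").read()) gives the same per-architecture answer as the otool/grep step, and fully_decrypted tells you whether --arch needs to be restricted.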



Extension links:

1. Hands-on: making an iOS jailbreak app that fakes the location
2. Step by step: automatically grabbing red envelopes on iOS (no jailbreak)
3. Mobile app intrusion and reverse-engineering techniques: iOS
