標籤:
先說說為什麼要分析應用吧,如果你想從一個ios應用中擷取有用的資訊,或者你想修改該應用的一些功能,前提當然是要Crowdsourced Security Testing道該app的邏輯和結構了。
動態分享工具比較少,我們先分析個簡單的,全民工具Cycript
Cycript
參考資料:http://www.cycript.org/
http://iphonedevwiki.net/index.php/Cycript
cycript是一個指令碼語言,大家都說可以看做Objective-JavaScript,形容的非常貼切。Cycript在Cydia內建源Cydia/Telesphoreo中就有,安裝完以後用ssh登陸ios裝置
?| 1 | ssh [email protected] |
驅動你要分析的應用,查看PID,這裡就拿自動啟動的案頭SpringBoard做例子好了
?| 12 | ps aux | grep SpringBoardmobile 1514 0.7 10.6 577300 54720 ?? Ss 3:46PM 1:19.28 /System/Library/CoreServices/SpringBoard.app/SpringBoard |
找到PID(1514)後,用Cycript勾上應用
?| 12 | cycript -p 1514 cycript -p SpringBoard |
上面兩句都可以勾上應用,勾上以後你就可以為所欲為了,先彈個視窗吧
?| 123 | cy# var alert = [[UIAlertView alloc] initWithTitle:@"asd" message:nil delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil];#"<UIAlertView: 0x19c200f0; frame = (0 0; 0 0); opaque = NO; layer = <CALayer: 0x19c8e730>>"cy# [alert show] |
可以看到,凡是賦值出來的資料,cycript都會列印出資訊來。在截個屏吧,這時候你會想,截屏怎麼調呢。。。。這也難倒我了,這樣我們先用靜態工具class-dump匯出標頭檔來,然後搜尋shot,哈哈,出來了
?| 123 | cy# var shot = [SBScreenShotter sharedInstance]#"<SBScreenShotter: 0x19ccda20>"cy# [shot saveScreenshot:YES] |
Ctrl+D 退出
2.GDB
cycript功能強大,文法類似oc,非常好用,但是就是有有一個致命缺點,就是不能斷點,無法停留在具體位置查看結果,這時候GDB就出來了,當然GDB早就出來了,GDB是強大的調試工具,怎麼用GDB調試ios應用呢
GDB全名the GNU Project Debugger在cydia(資料來源http://cydia.radare.org)中可以下到 .
GDB勾上應用,做法跟Cycript是一樣的,可以通過PID,也可以使用應用程式名稱
| 12 | gdb -p SpringBoardgdb -p 1514 |
或者可以先調用gdb ,後使用attach勾上應用也是一樣的,取消勾使用detach
2. 斷點break
?| 12 | b -[SpringBoard menuButtonDown:]b *(0xc41e) |
b斷點可以斷在函數上(但不是每次都能成功),也可以直接斷在記憶體位址上,大家會問我怎麼知道函數的記憶體位址是多少呢,這時候就請查看IDA吧
由於ASLR的原因,一般在IDA中獲得的記憶體位址是不準確的,因為每次運行程式,記憶體位址都會有一定的位移,在GDB中使用info sh獲得位移地址
?| 12345 | gdb$ info shThe DYLD shared library state has not yet been initialized. Requested State Current StateNum Basename Type Address Reason | | Source | | | | | | | | |
你妹啊,什麼都沒有!!!!!!(OK,就此打住)
於是我找到了SpringBoard應用的目錄檔案,用file 命令匯入
?| 12345678910111213141516171819202122232425262728293031323334353637383940414243 | yuchenghaide-iPod:~ root# ps aux | grep SpringBoradroot 1915 0.0 0.1 338564 520 s000 S+ 11:02AM 0:00.01 grep SpringBoradyuchenghaide-iPod:~ root# ps aux | grep SpringBoardmobile 1514 0.0 11.3 588168 58320 ?? Ss 3:46PM 1:39.55 /System/Library/CoreServices/SpringBoard.app/SpringBoardroot 1917 0.0 0.1 338608 512 s000 S+ 11:02AM 0:00.01 grep SpringBoardroot 1877 0.0 0.4 349304 2124 s000 S 10:18AM 0:00.29 cycript -p SpringBoardyuchenghaide-iPod:~ root# cd /System/Library/CoreServices/SpringBoard.app/yuchenghaide-iPod:/System/Library/CoreServices/SpringBoard.app root# gdbGNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011)Copyright 2004 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you arewelcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "--host=arm-apple-darwin9 --target=".gdb$ file SpringBoardunable to read unknown load command 0x80000028Reading symbols for shared libraries .. doneunable to read unknown load command 0x80000028gdb$ attach SpringBoardAttaching to program: `/System/Library/CoreServices/SpringBoard.app/SpringBoard‘, process 1514.0x3877aa58 in ?? ()Error while running hook_stop:Invalid type combination in equality test.gdb$ info shThe DYLD shared library state has been initialized from the executable‘s shared library information. All symbols should be present, but the addresses of some symbols may move when the program is executed, as DYLD may relocate library load addresses if necessary. Requested State Current StateNum Basename Type Address Reason | | Source | | | | | | | | 1 SpringBoard - - exec Y Y /System/Library/CoreServices/SpringBoard.app/SpringBoard (offset 0x0) 2 dyld - - init Y Y /usr/lib/dyld at 0x2be00000 with prefix "__dyld_" 3 StoreServices F - init Y ! /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices 4 AirTraffic F - init Y ! /System/Library/PrivateFrameworks/AirTraffic.framework/AirTraffic 5 IOSurface F - init Y ! /System/Library/PrivateFrameworks/IOSurface.framework/IOSurface 6 MultitouchSupport F - init Y ! /System/Library/PrivateFrameworks/MultitouchSupport.framework/MultitouchSupport 7 MobileWiFi F - init Y ! /System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi 8 libIOAccessoryManager.dylib - - init Y ! /usr/lib/libIOAccessoryManager.dylib 9 IOMobileFramebuffer F - init Y ! /System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer 10 CoreSurface F - init Y ! /System/Library/PrivateFrameworks/CoreSurface.framework/CoreSurface 11 BluetoothManager F - init Y ! /System/Library/PrivateFrameworks/BluetoothManager.framework/BluetoothManager 12 CrashReporterSupport F - init Y ! /System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport 13 EAP8021X F - init Y ! /System/Library/PrivateFrameworks/EAP8021X.framework/EAP8021X 14 libmis.dylib - - init Y Y /usr/lib/libmis.dylib at 0xa3e000 (offset -0xff5c2000) |
你妹!offset = 0x0 ,這怎麼回事!難倒真的是0嗎?我試了一下
?| 12345678 | gdb$ b -[SpringBoard menuButtonDown:]Function "-[SpringBoard menuButtonDown:]" not defined.gdb$ b *(0xc41e)Breakpoint 1 at 0xc41egdb$ info bNum Type Disp Enb Address What1 breakpoint keep y 0x0000c41e <_mh_execute_header+46110>gdb$ c |
info b是列印出所有的斷點,刪除斷點可以使用d 斷點編號
c 表示繼續程式,按home鍵-結果斷點根本沒有斷下來。好吧,打住,GDB的命令大家可以到網上隨意查詢!
經過《ios應用逆向工程》作者之一snakeninny的解答,終於瞭解到在ios7.x之後gdb可能被捨棄了,代替它的是lldb
關於lldb的使用方法: http://bbs.iosre.com/forum.php?mod=viewthread&tid=52
總結:
恩,下節為大家分享lldb的具體使用,另外值得一提的是xcode調試工具就是lldb,所有學會使用lldb是非常重要的。
另外,假設我們在不斷的努力下找到了我們想要的邏輯,我們應該怎麼攻擊或修改它呢。嘿嘿,還是等下回分解吧。
慢慢來!少年!
ios逆向工程-動態分析
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
