This series is a compilation of my early notes from listening to MJ's class. Some of the references are cited, and some I may have forgotten to add. If a reference is missing, please contact me.

  • iOS Reverse (1) Environment setup
  • iOS Reverse (2) Cycript
  • iOS Reverse (3) Reverse tool
  • iOS Reverse (4) Unshell audit
  • iOS Reverse (5) Theos tool
  • iOS Reverse (6) Dynamic debugging
  • iOS Reverse (7) Re-signature

1. Reverse process

1.1 Interface Analysis

  1. Cycript: an interface analysis language for debugging apps, combining Objective-C and JavaScript syntax. It was discussed in the previous article, reverse (2) Cycript.
  2. Reveal: a very powerful and convenient interface analysis tool.

1.2 Code Analysis

For static analysis of Mach-O files, the following tools are available:

  1. class-dump: a class-information dumping tool, covered in the next article, reverse (4) Unshell.
  2. MachOView: a Mach-O viewing tool.
  3. Hopper Disassembler and IDA: disassembly tools that can also rewrite (patch) the code directly.

1.3 Dynamic Debugging

For debugging the code of a running app, the tools include:

  1. debugserver: the command-line tool for dynamic debugging on the iPhone; covered in reverse (6) Dynamic debugging.
  2. LLDB: the debugger provided with Xcode.

1.4 Code Writing

Inject code into the app and, if necessary, re-sign and package it as an IPA.

For the specific steps, refer to reverse (5) Theos tool and reverse (6) Dynamic debugging.

2. Interface analysis

Cycript was introduced in the previous article; this section covers Reveal.

2.1 Software

Mac version

Website: revealapp.com. A 14-day trial can be requested by e-mail.

Mobile version

Add the source: apt.so/codermjlee

Reveal Loader

Be sure to install Reveal Loader from this source.

2.2 debugging

2.2.1 Settings: allow Reveal debugging for the app

After installing Reveal Loader, open Settings, find Reveal Loader, and select the app to debug.

2.2.2 Load the library

Find the RevealServer file inside the Mac Reveal app and copy it over /Library/RHRevealLoader/RevealServer on the iPhone.

After that, it is best to restart SpringBoard (or the whole phone) by entering one of these commands in a terminal on the iPhone:

  • Restart SpringBoard: killall SpringBoard
  • Restart the phone: reboot

2.2.3 Debugging

With the Mac version of Reveal open and Reveal debugging enabled for the app on the phone, the app appears in the Reveal Mac app.

Another setup procedure, using Reveal2Loader:

  1. Install Reveal2Loader.
  2. Open Reveal and select Help -> Show Reveal Library in Finder -> iOS Library from the top menu. Copy RevealServer.framework to the Device -> Library -> Frameworks folder on the phone; this can be done manually through iFunBox.
  3. After restarting the phone, the app is displayed in Reveal.

3. Code analysis

3.1 class-dump

As the name implies, class-dump dumps the class information of a Mach-O file and generates the corresponding .h header files.

After downloading, copy the class-dump binary to /usr/local/bin on the Mac so that the terminal recognizes the class-dump command.

Common usage

$ class-dump ~/Desktop/jike                          # print the class declarations to the terminal
$ class-dump -H ~/Desktop/jike -o ~/Desktop/headers  # -H writes one header file per class; -o specifies the directory for storing them

  • Note: if the app binary is still encrypted (has a "shell"), only a single header file is exported. You need to unshell the binary first to export the complete set of headers.

3.2 Hopper Disassembler

Hopper Disassembler disassembles the machine code in a Mach-O file into assembly and can decompile it into Objective-C pseudocode or Swift pseudocode.

IDA is also a disassembly tool, similar to Hopper.

3.2.1 Code compilation process

Different Objective-C source code may compile to the same assembly code.

However, on the same architecture, each assembly instruction corresponds to exactly one machine instruction.

3.2.2 Usage

Common shortcut keys

Shift + Option + X: find where this method is referenced.

3.3 MachOView

MachOView is a tool for viewing Mach-O files. Mach-O is the executable file format of the Apple platforms. For details, see Mach-O (1) structure and Mach-O (2) memory distribution.

The tool is open source and can be downloaded from GitHub.

MachOExplorer is another open-source tool with the same features as MachOView. GitHub address:
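The load commands that MachOView displays are also where the "shell" note in 3.1 can be checked mechanically: an App Store binary carries an LC_ENCRYPTION_INFO(_64) command whose cryptid is 1 while the __TEXT segment is still FairPlay-encrypted, which is why class-dump then produces only a single header. The following Python script is an added example written for this article; it is not code from the page, from MachOView or from class-dump. It walks the mach_header(_64) and the load-command table of a thin Mach-O image, reports the cryptid and the linked dylibs, and refuses fat binaries and malformed command sizes. The constants come from <mach-o/loader.h>; the header returned by build_sample() is constructed sample data, not a real app.

```python
import struct

# Constants from <mach-o/loader.h> and <mach/machine.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF        # 32-/64-bit, same byte order as the reader
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE        # byte-swapped variants
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)                 # universal (fat) binary, either byte order
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
CPU_NAMES = {0x7: "i386", 0x01000007: "x86_64", CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}


def parse_macho(blob):
    """Walk the mach_header(_64) and load commands of a thin Mach-O image.
    Returns cpu name, bitness, ncmds, the cryptid of LC_ENCRYPTION_INFO(_64)
    (None when the command is absent) and the paths of the linked dylibs."""
    (raw_magic,) = struct.unpack_from("<I", blob, 0)
    if raw_magic in FAT_MAGICS:
        raise ValueError("fat binary: select one architecture slice first (e.g. with lipo)")
    if raw_magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif raw_magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % raw_magic)
    is64 = raw_magic in (MH_MAGIC_64, MH_CIGAM_64)
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags [, reserved]
    hdr_fmt = end + ("8I" if is64 else "7I")
    hdr = struct.unpack_from(hdr_fmt, blob, 0)
    cputype, ncmds, sizeofcmds = hdr[1], hdr[4], hdr[5]
    off = struct.calcsize(hdr_fmt)
    limit = off + sizeofcmds
    info = {"cpu": CPU_NAMES.get(cputype, "0x%x" % cputype), "is64": is64,
            "ncmds": ncmds, "cryptid": None, "dylibs": []}
    for _ in range(ncmds):
        if off + 8 > limit or limit > len(blob):
            raise ValueError("load commands overrun sizeofcmds or the file")
        cmd, cmdsize = struct.unpack_from(end + "2I", blob, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("bad cmdsize %d at offset 0x%x" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # cryptoff, cryptsize, cryptid follow cmd/cmdsize; cryptid != 0 means still encrypted
            _cryptoff, _cryptsize, cryptid = struct.unpack_from(end + "3I", blob, off + 8)
            info["cryptid"] = cryptid
        elif cmd == LC_LOAD_DYLIB:
            # struct dylib begins with name.offset, relative to the start of this load command
            (name_off,) = struct.unpack_from(end + "I", blob, off + 8)
            name = blob[off + name_off:off + cmdsize].split(b"\0", 1)[0]
            info["dylibs"].append(name.decode("utf-8", "replace"))
        off += cmdsize
    return info


def classdump_ready(blob):
    """True when the image is not encrypted (no encryption command, or cryptid == 0),
    so class-dump can read the ObjC metadata instead of emitting one near-empty header."""
    return not parse_macho(blob)["cryptid"]


def build_sample(cryptid, dylib=b"/System/Library/Frameworks/UIKit.framework/UIKit"):
    """Constructed arm64 MH_EXECUTE header with two load commands (sample data, not a real app)."""
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    name = dylib + b"\0"
    name += b"\0" * (-len(name) % 8)                        # 64-bit load commands are 8-byte aligned
    load = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name
    cmds = enc + load
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, len(cmds), 0, 0)
    return hdr + cmds


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(cryptid=1)
    info = parse_macho(data)
    print(info)
    print("class-dump will see full metadata:", classdump_ready(data))
```

Run it with the path of a thin Mach-O binary as the argument, or with no argument to see the constructed encrypted sample; a real app pulled straight from the App Store shows cryptid 1, and the same binary after unshelling shows cryptid 0 with the same dylib list.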

4. Shared library cache extraction

In iOS, system libraries such as UIKit and Foundation are packaged together into one large dynamic library file, which is loaded when the system starts, to improve efficiency. This collection is called the dyld shared cache.

When reversing, we need to extract the individual libraries from this shared cache in order to analyze their code.

4.1 Extracting with dsc_extractor

In macOS/iOS, the /usr/lib/dyld program loads the dynamic libraries.

dyld, the dynamic link editor, is also known as the dynamic loader.

So the first method is to extract the libraries the way dyld itself does. The address of the dyld source is in the reference list at the end.

Download the latest code; when this article was updated it was dyld-635.2.

4.1.1 Compile dsc_extractor

Use launch-cache/dsc_extractor.cpp from the dyld source.

Delete everything before #if 0 (including the #if 0 line) and the final #endif.

In the end, only the following remains:

#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>

// Signature of the extractor entry point exported by dsc_extractor.bundle
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,
                              void (^progress)(unsigned current, unsigned total));

int main(int argc, const char* argv[])
{
    if ( argc != 3 ) {
        fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");
        return 1;
    }

    // Load the extractor bundle that ships with Xcode's iPhoneOS platform
    //void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);
    void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);
    if ( handle == NULL ) {
        fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");
        return 1;
    }

    // Resolve the extraction function from the bundle
    extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");
    if ( proc == NULL ) {
        fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");
        return 1;
    }

    // Extract every dylib in the cache into the output directory, printing progress as it goes
    int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%u/%u\n", c, total); });
    fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);
    return 0;
}

Compile dsc_extractor.cpp to obtain dsc_extractor:

$ clang++ -o dsc_extractor dsc_extractor.cpp

Or:

    1. Change #if 0 to #if 1 directly
    2. Compile the code together with dsc_iterator.cpp:

$ clang++ -o dsc_extractor ./dsc_extractor.cpp dsc_iterator.cpp

4.1.2 Using dsc_extractor

The dyld shared cache is stored on the iPhone in the directory /System/Library/Caches/com.apple.dyld/. Copy it to the computer, then extract the dynamic libraries from it:

$ dsc_extractor <cache file> <output folder>
$ dsc_extractor dyld_shared_cache_armv7s armv7s

4.2 Extracting with jtool

Tool address: jtool

Usage

$ jtool -extract UIKit path/to/dyld_shared_cache    # extract a single library (10G+)
$ jtool -lv cache_armv7 | cut -c 24- | tail +5 | while read line; do jtool -extract "$line" cache_armv7; done   # list every image in the cache and extract each one
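Both `jtool -lv` (listing the images) and dsc_extractor (writing them out) start from the same two tables at the front of the cache file: the dyld_cache_header, its dyld_cache_mapping_info entries and its dyld_cache_image_info entries. The following Python script is an added example for this article, not code from the page or from the jtool or dyld projects. It reads those structures as declared in dyld's launch-cache/dyld_cache_format.h, lists the image paths in cache order, and translates an image's virtual address through the mapping table to the file offset of its Mach-O header, which is the first step any extractor performs. The two-image cache produced by build_sample() is constructed sample data, not a device cache.

```python
import struct

# Field layouts from dyld's launch-cache/dyld_cache_format.h (only the leading fields are used)
CACHE_HEADER_FMT = "<16s4I"   # magic[16], mappingOffset, mappingCount, imagesOffset, imagesCount
MAPPING_FMT = "<3Q2I"         # dyld_cache_mapping_info: address, size, fileOffset, maxProt, initProt
IMAGE_FMT = "<3Q2I"           # dyld_cache_image_info: address, modTime, inode, pathFileOffset, pad
MAPPING_SIZE = struct.calcsize(MAPPING_FMT)   # 32 bytes
IMAGE_SIZE = struct.calcsize(IMAGE_FMT)       # 32 bytes
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF


def parse_cache(blob):
    """Return (arch, mappings, images) for a dyld shared cache file.
    mappings: list of (address, size, fileOffset, maxProt, initProt)
    images:   list of (address, path)"""
    magic, map_off, map_cnt, img_off, img_cnt = struct.unpack_from(CACHE_HEADER_FMT, blob, 0)
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld shared cache: magic %r" % magic)
    arch = magic.rstrip(b"\0").split()[-1].decode("ascii")   # b"dyld_v1   arm64" -> "arm64"
    mappings = [struct.unpack_from(MAPPING_FMT, blob, map_off + i * MAPPING_SIZE)
                for i in range(map_cnt)]
    images = []
    for i in range(img_cnt):
        address, _mod, _ino, path_off, _pad = struct.unpack_from(IMAGE_FMT, blob, img_off + i * IMAGE_SIZE)
        end = blob.index(b"\0", path_off)             # paths are NUL-terminated C strings
        images.append((address, blob[path_off:end].decode("utf-8", "replace")))
    return arch, mappings, images


def list_images(blob):
    """Image paths in cache order (the list that `jtool -lv` prints)."""
    return [path for _, path in parse_cache(blob)[2]]


def vm_to_file_offset(mappings, vmaddr):
    """Translate a cache virtual address to a file offset through the mapping table."""
    for address, size, file_off, _maxp, _initp in mappings:
        if address <= vmaddr < address + size:
            return file_off + (vmaddr - address)
    raise ValueError("address 0x%x is not covered by any mapping" % vmaddr)


def image_offset(blob, name):
    """File offset of the Mach-O header of the image whose path ends in name;
    checks that a Mach-O magic really sits there before returning."""
    _arch, mappings, images = parse_cache(blob)
    for address, path in images:
        if path == name or path.endswith("/" + name):
            off = vm_to_file_offset(mappings, address)
            (magic,) = struct.unpack_from("<I", blob, off)
            if magic not in (MH_MAGIC, MH_MAGIC_64):
                raise ValueError("no Mach-O header at 0x%x for %s" % (off, path))
            return off
    raise KeyError(name)


def build_sample():
    """Constructed two-image arm64 cache (sample data, not a real device cache)."""
    paths = [b"/System/Library/Frameworks/Foundation.framework/Foundation",
             b"/System/Library/Frameworks/UIKit.framework/UIKit"]
    base, text_file_off = 0x180000000, 0x1000      # one mapping: vm base -> file offset 0x1000
    map_off, img_off, str_off = 0x100, 0x120, 0x160
    blob = bytearray(0x3000)
    blob[0:32] = struct.pack(CACHE_HEADER_FMT, b"dyld_v1   arm64", map_off, 1, img_off, len(paths))
    blob[map_off:map_off + MAPPING_SIZE] = struct.pack(MAPPING_FMT, base, 0x2000, text_file_off, 5, 5)
    cur = str_off
    for i, path in enumerate(paths):
        entry = img_off + i * IMAGE_SIZE
        blob[entry:entry + IMAGE_SIZE] = struct.pack(IMAGE_FMT, base + i * 0x1000, 0, 0, cur, 0)
        blob[cur:cur + len(path)] = path              # the NUL terminator is already in the zeroed buffer
        cur += len(path) + 1
        hdr = text_file_off + i * 0x1000              # each image's Mach-O header lives inside the mapping
        blob[hdr:hdr + 4] = struct.pack("<I", MH_MAGIC_64)
    return bytes(blob)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    arch, mappings, images = parse_cache(data)
    print("arch:", arch, "mappings:", len(mappings), "images:", len(images))
    for address, path in images:
        print("0x%016x  %s" % (address, path))
```

Pass the path of a cache file copied from /System/Library/Caches/com.apple.dyld/ to list its images, or run it without arguments to see the constructed sample. Older caches use exactly the header fields read here; newer cache formats add fields after them, but the leading layout parsed by this script is what both tools on this page rely on.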

4.3 dyld_cache_extract

dyld_cache_extract is a GUI tool and is quite handy.

5. Dynamic debugging

5.1 MJAppTools

MJAppTools, a command-line tool for processing iOS app information, is explained in detail in the article [Jailbreak – Reverse] Command line tool for processing iOS APP information.

5.2 Other Commands

Other commonly used commands: LLDB, otool, nm, codesign.

Reference

Links

  1. class-dump official website
  2. Reveal software
  3. dyld source
  4. lldb
  5. MJAppTools