iOS Reverse Engineering Basics (Notes)

Using SwiftDump

./SwiftDump ./Test > result.txt

Using nm (names), the symbol-listing tool

The nm command is mainly used to list the symbols (functions, global variables and the like) contained in object files and binaries.

nm Test | xcrun swift-demangle

xcrun swift-demangle

mangled-name ::= '$s' global  // Swift stable mangling
mangled-name ::= '_T0' global // Swift 4.0
mangled-name ::= '$S' global  // Swift 4.2
| Value | Description | Note |
|---|---|---|
| A | The symbol's value is absolute, and will not be changed by further linking. | Absolute; not changed during linking |
| B | The symbol is in the uninitialized data section (known as BSS). | Uninitialized symbol |
| C | The symbol is common. | Common symbol; overridden by a same-named symbol at link time |
| D | The symbol is in the initialized data section. | Initialized symbol |
| G | The symbol is in an initialized data section for small objects. | Initialized symbol, optimized for small-data access |
| I | The symbol is an indirect reference to another symbol. | Indirect reference to another symbol |
| N | The symbol is a debugging symbol. | Debug symbol |
| P | The symbol is in a stack unwind section. | Stack unwind section symbol |
| R | The symbol is in a read only data section. | Read-only symbol |
| S | The symbol is in an uninitialized data section for small objects. | Uninitialized symbol, optimized for small-data access |
| T | The symbol is in the text (code) section. | Code-section symbol |
| U | The symbol is undefined. | Undefined, or defined externally |
| u | The symbol is a unique global symbol. | Globally unique; GNU-specific |
| V | The symbol is a weak object. | Weak definition (see the strong/weak symbol rules in C++) |
| W | The symbol is a weak symbol that has not been specifically tagged as a weak object symbol. | Hmm... a tongue-twister of a symbol |
| - | The symbol is a stabs symbol in an a.out object file. | stabs-format symbol |
| ? | The symbol type is unknown, or object file format specific. | A symbol even nm doesn't recognize |
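The symbol-type table above and the Swift mangling prefixes listed earlier, turned into a small parser as an added example (this is not code from the page): it reads plain nm output, classifies each symbol by its type letter and scope, flags Swift-mangled names by their `$s`, `$S` and `_T0` prefixes, and lists the undefined symbols a binary imports, which is a quick way to see which APIs and libraries it depends on before opening it in a disassembler. The nm output it runs on is constructed to match the format `nm Test` prints on macOS; the function names are this example's own.

```python
import re
from collections import Counter

# Symbol type letters from the nm man page table. nm prints upper case for
# global symbols and lower case for local ones; 'u' (unique global) is the one
# lower-case letter with a meaning of its own, so it is handled separately.
NM_SYMBOL_TYPES = {
    "A": "absolute",
    "B": "uninitialized data (BSS)",
    "C": "common",
    "D": "initialized data",
    "G": "initialized data (small objects)",
    "I": "indirect reference",
    "N": "debugging symbol",
    "P": "stack unwind section",
    "R": "read-only data",
    "S": "uninitialized data (small objects)",
    "T": "text (code)",
    "U": "undefined",
    "V": "weak object",
    "W": "weak symbol",
    "-": "stabs",
    "?": "unknown",
}

# Swift mangling prefixes: stable ABI, Swift 4.0 and Swift 4.2.
SWIFT_MANGLING_PREFIXES = {"$s": "stable", "_T0": "Swift 4.0", "$S": "Swift 4.2"}

# "[address] type name"; the address column is blank for undefined symbols.
NM_LINE = re.compile(r"^(?:([0-9a-fA-F]{8,})\s+)?(\S)\s+(\S+)")

# Constructed sample in the layout `nm Test` prints on macOS (not real output).
SAMPLE_NM_OUTPUT = """\
0000000100003f40 T _main
0000000100003e80 T _$s4Test7GreeterC5helloyyF
0000000100003e20 t __T04Test6helperyyF
0000000100008000 D _gCounter
0000000100008008 b _cache.0
0000000100009000 u _once_token
0000000100004000 V _weakHook
                 U _printf
                 U _objc_msgSend
"""


def swift_abi(name):
    """Return the Swift mangling generation of a symbol name, or None.
    macOS symbols carry one leading underscore, so both forms are tried."""
    stripped = name[1:] if name.startswith("_") else name
    for candidate in (name, stripped):
        for prefix, generation in SWIFT_MANGLING_PREFIXES.items():
            if candidate.startswith(prefix):
                return generation
    return None


def parse_nm(text):
    """Parse plain nm output into a list of symbol records."""
    symbols = []
    for raw in text.splitlines():
        match = NM_LINE.match(raw.strip())
        if not match:
            continue
        address, letter, name = match.groups()
        if letter == "u":
            description, scope = "unique global", "global"
        else:
            description = NM_SYMBOL_TYPES.get(letter.upper(), "unknown")
            scope = "global" if letter.isupper() else ("local" if letter.islower() else "n/a")
        symbols.append({
            "address": address, "type": letter, "scope": scope,
            "description": description, "name": name, "swift_abi": swift_abi(name),
        })
    return symbols


def undefined_imports(symbols):
    """Names the binary expects the dynamic linker to resolve (type U)."""
    return sorted(s["name"] for s in symbols if s["type"] == "U")


def summarize(symbols):
    """Count symbols per description, e.g. to spot weak or common symbols quickly."""
    return Counter(s["description"] for s in symbols)


if __name__ == "__main__":
    syms = parse_nm(SAMPLE_NM_OUTPUT)
    for s in syms:
        tag = f" [swift {s['swift_abi']}]" if s["swift_abi"] else ""
        print(f"{s['type']} {s['scope']:6} {s['description']:32} {s['name']}{tag}")
    print("imports:", undefined_imports(syms))
```

Pipe real output in with `nm Test | python3 nm_symbols.py` after replacing the sample; the parser deliberately reads the raw (mangled) names so the prefix check works, and `xcrun swift-demangle` can still be applied to the names it prints afterwards.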

Using IDA

Run: /Applications/IDA\ Pro\ 7.0\ 2/ida.app/Contents/MacOS/ida64

Fix for the crash when using Chinese:

Download libqcocoa.dylib

Replace: /Applications/IDA Pro 7.0/ida.app/Contents/PlugIns/platforms/libqcocoa.dylib

ida-swift-demangle

iOS hook techniques

Hook techniques on iOS fall roughly into 5 kinds:
  • Method Swizzle
  • fishhook
  • Cydia Substrate
  • libffi
  • inline hook

Installing and using MonkeyDev

Crash on launch after installation:

Backtrace:
0 -[IDEAssertionHandler handleFailureInMethod:object:fileName:lineNumber:assertionSignature:messageFormat:arguments:] (in IDEKit)
1 _DVTAssertionHandler (in DVTFoundation)
2 _DVTAssertionFailureHandler (in DVTFoundation)
3 +[XCSpecification registerSpecificationsFromDVTPlugInsForDomains:skippingDomains:] (in DevToolsCore)
4 XCInitializeCoreIfNeeded (in DevToolsCore)
5 +[Xcode3CoreInitializer ide_initializeWithOptions:error:] (in Xcode3Core)
6 _IDEInitializeBuildSystem (in IDEFoundation)
7 IDEInitialize (in IDEFoundation)
8 -[IDEApplicationController applicationWillFinishLaunching:] (in IDEKit)
9 CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER (in CoreFoundation)
10 ___CFXRegistrationPost_block_invoke (in CoreFoundation)
11 _CFXRegistrationPost (in CoreFoundation)
12 _CFXNotificationPost (in CoreFoundation)
13 -[NSNotificationCenter postNotificationName:object:userInfo:] (in Foundation)
14 -[NSNotificationCenter(DVTNSNotificationCenterAdditions_MRR) _dvt_postNotificationName:object:userInfo:] (in DVTFoundation)
15 -[NSApplication finishLaunching] (in AppKit)
16 -[DVTApplication finishLaunching] (in DVTKit)
17 -[NSApplication run] (in AppKit)
18 NSApplicationMain (in AppKit)
19 start (in libdyld.dylib)

Fix:
/Applications/Xcode.app/Contents/PlugIns/IDEiOSSupportCore.ideplugin/Contents/Resources/Embedded-Device.xcspec
Open the file above in a text editor and delete the two empty <dict> elements at the start of the <array>, i.e. <dict/> <dict/>; save, and Xcode launches again.
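The edit described in the fix above, written out as an added example (not code from the page): it loads the xcspec as an XML plist, drops the empty <dict/> entries at the head of the top-level <array>, and writes the result back only after saving a .bak copy, so the change can be reverted if an Xcode update expects the original. It generalizes the note slightly by removing however many leading empty dicts are present rather than exactly two. The sample plist is constructed; the real Embedded-Device.xcspec is Xcode's own file and much larger.

```python
import plistlib
import shutil
from pathlib import Path

# Constructed sample with the shape the note describes: a top-level <array>
# whose first two entries are empty <dict/> elements. The keys in the third
# entry are placeholders, not copied from Xcode's file.
SAMPLE_XCSPEC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict/>
    <dict/>
    <dict>
        <key>Identifier</key>
        <string>com.example.placeholder</string>
        <key>Name</key>
        <string>Placeholder entry</string>
    </dict>
</array>
</plist>
"""


def strip_leading_empty_dicts(data):
    """Return (new plist bytes, number of empty dicts removed from the head of the array)."""
    entries = plistlib.loads(data)
    if not isinstance(entries, list):
        raise ValueError("expected a top-level <array> in the xcspec")
    removed = 0
    while entries and entries[0] == {}:
        entries.pop(0)
        removed += 1
    return plistlib.dumps(entries), removed


def fix_xcspec(path):
    """Apply the fix in place, keeping a .bak copy; returns how many entries were removed.
    Running it twice is harmless: the second run finds nothing to remove and writes nothing."""
    path = Path(path)
    new_data, removed = strip_leading_empty_dicts(path.read_bytes())
    if removed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_bytes(new_data)
    return removed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. sudo python3 fix_xcspec.py /Applications/Xcode.app/.../Embedded-Device.xcspec
        print("removed", fix_xcspec(sys.argv[1]), "empty entries")
    else:
        fixed, count = strip_leading_empty_dicts(SAMPLE_XCSPEC)
        print("removed", count, "empty entries from the sample")
        print(fixed.decode())
```

The file lives inside Xcode.app, so writing it needs the same privileges as editing it by hand, and the next Xcode update will replace it, which is why the script keeps the backup rather than assuming the change is permanent.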

iOS app decryption (dumping)

  1. dumpdecrypted: this tool builds a dynamic library named dumpdecrypted.dylib and injects it into the target app to dump the decrypted binary
  2. Clutch
  3. frida-ios-dump: built on the capabilities frida provides, it injects JavaScript to dump the binary from memory, then uses Python to copy the result to the computer automatically and produce an ipa file
    • iproxy 1234 22: port forwarding
    • frida-ps -U: list processes
    • python3 dump.py 微信: dump the app (here WeChat)
    • otool -l weChat | grep crypt (cryptid = 0 means the binary is not encrypted)
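The `otool -l ... | grep crypt` check in the last bullet, written out as an added example (not code from the page): it parses `otool -l` output into load commands, pulls the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 fields and reports whether the Mach-O is still FairPlay-encrypted (cryptid = 1), already decrypted (cryptid = 0), or carries no encryption command at all, which is what to expect for a binary that never went through the App Store. The same check is useful from the other side, to confirm that a build you ship is actually encrypted. The otool output is constructed to follow the tool's layout; the field names (cmd, cryptoff, cryptsize, cryptid) are the ones otool prints, while the function names are this example's own.

```python
import sys

ENCRYPTION_COMMANDS = {"LC_ENCRYPTION_INFO", "LC_ENCRYPTION_INFO_64"}

# Constructed otool -l fragments (not captured from a real app).
SEGMENT_BLOCK = """\
Load command 0
      cmd LC_SEGMENT_64
  cmdsize 72
  segname __PAGEZERO
   vmaddr 0x0000000000000000
   vmsize 0x0000000100000000
  fileoff 0
 filesize 0
  maxprot 0x00000000
 initprot 0x00000000
   nsects 0
    flags 0x0
"""


def encryption_block(cryptid):
    """Build a constructed LC_ENCRYPTION_INFO_64 block with the given cryptid."""
    return f"""\
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 5193728
      cryptid {cryptid}
          pad 0
"""


SAMPLE_NO_ENCRYPTION = SEGMENT_BLOCK
SAMPLE_ENCRYPTED = SEGMENT_BLOCK + encryption_block(1)
SAMPLE_DECRYPTED = SEGMENT_BLOCK + encryption_block(0)


def parse_load_commands(text):
    """Split `otool -l` output into one dict of field -> value per load command."""
    commands, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Load command "):
            current = {}
            commands.append(current)
        elif current is not None and line:
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return commands


def encryption_info(text):
    """Return the LC_ENCRYPTION_INFO(_64) fields as ints, or None if the command is absent."""
    for cmd in parse_load_commands(text):
        if cmd.get("cmd") in ENCRYPTION_COMMANDS:
            return {
                "cmd": cmd["cmd"],
                "cryptoff": int(cmd["cryptoff"]),
                "cryptsize": int(cmd["cryptsize"]),
                "cryptid": int(cmd["cryptid"]),
            }
    return None


def encryption_state(text):
    """'encrypted', 'decrypted', or 'no-encryption-command' for the given otool -l output."""
    info = encryption_info(text)
    if info is None:
        return "no-encryption-command"
    return "encrypted" if info["cryptid"] != 0 else "decrypted"


if __name__ == "__main__":
    # Usage: otool -l SomeApp | python3 check_crypt.py  (falls back to the sample otherwise)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENCRYPTED
    print(encryption_state(text), encryption_info(text))
```

For a fat binary `otool -l` prints the load commands of every slice one after another; pass `-arch arm64` (or the slice you care about) so the parser sees a single set of commands and reports the right one.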
