Preface
This tool provides both static analysis and runtime analysis of iOS applications.
- static analysis of iOS applications using iNalyzer
If the app has many header files, iNalyzer generates a large number of graphs and other analysis files, which consumes a lot of resources; in that case consider using Hopper for the static analysis instead.
Running dot for graph 1175/42806
-rw-r--r--@ 1 devzkn staff 47328989 Dec 10 13:35 static_2017_12_10-13_33_12.zip
iNalyzer automates the efforts for decrypting the application, dumping class information
Static analysis, end to end:
===Binary analysis: Dumping strings, Dumping classes
===Analyze interfaces...
===Decode mobile provisioning files...
===Decode plist files...
- runtime analysis of iOS applications
We can invoke methods during runtime, find the value of a particular instance variable at a particular time in the app, and essentially do anything that we can do with Cycript.
https://appsec-labs.com/wp-co...
Installing iNalyzer
iPhone:
- 1) Open Cydia and add the source: http://appsec-labs.com/cydia/
- 2) Search for iNalyzer and install it
class_dump_z is also available from this source
Class Dump Z
Cycript
Darwin CC Tools
iNalyzer
ldone
UUID Generator
otool.sh
Installing Doxygen and Graphviz
iNalyzer uses DoxyGen and GraphViz to display the information in a much more presentable format.
On the Mac: install Doxygen first and then Graphviz; otherwise, on OS X 10.13.1 (17B48), "oxygen" cannot be found:
No available formula with the name "oxygen"
brew install graphviz
devzkndeMacBook-Pro:taoketool devzkn$ brew install graphviz
Updating Homebrew...
==> Installing dependencies for graphviz: libtool, libpng, freetype, fontconfig, jpeg, libtiff, webp, gd
devzkndeMacBook-Pro:taoketool devzkn$ brew install doxygen
==> Downloading https://homebrew.bintray.com/bottles/doxygen-1.8.13_1.high_sierra.bottle.1.tar.gz
######################################################################## 100.0%
==> Pouring doxygen-1.8.13_1.high_sierra.bottle.1.tar.gz
🍺 /usr/local/Cellar/doxygen/1.8.13_1: 9 files, 13.2MB
Viewing the apps that can be decrypted
- iNalyzer.sh
iPhone:/Applications/iNalyzer.app root# /Applications/iNalyzer.app/iNalyzer.sh
Usage: /Applications/iNalyzer.app/iNalyzer.sh [list | clean | version | help]
Usage: /Applications/iNalyzer.app/iNalyzer.sh [info | ipa | sandbox | dynamic | nslog | cycript] <bundleGUID>
Usage: /Applications/iNalyzer.app/iNalyzer.sh [static] [auto | class-dump-z | classdump-dyld] <bundleGUID>
- First use `list` to look up the bundleGUID
iPhone:/Applications/iNalyzer.app root# /Applications/iNalyzer.app/iNalyzer.sh list
iPhone:/Applications/iNalyzer.app root# /Applications/iNalyzer.app/iNalyzer.sh ipa 2B559443-6CEE-4731-AA3B-7E587BE67219
appGuid=2B559443-6CEE-4731-AA3B-7E587BE67219
appDir=/var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/KNMoon.app
appName=KNMoon
appBundleId=com.KNMoon.KNMoon
clutchAppId=3
mainExecutable=KNMoon
appExecutables=KNMoon
appExecutablesFullPath=/var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/KNMoon.app/KNMoon
isEncrypted=1
appSandbox=/private/var/mobile/Containers/Data/Application/CC955B7F-E976-425F-ADB3-7F52D18B4EEF
Preparing folders for IPA...
Creating IPA file...
OUTPUTFILE:/var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/ipa/KNMoon.ipa
- scp it to the Mac
iPhone:/Applications/iNalyzer.app root# scp /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/ipa/KNMoon.ipa devzkn@192.168.2.186://Users/devzkn/decrypted/KNMoonV5.4.0
SSH into the Mac (from the iPhone)
Remote Login can be turned on and off from the command line:
- sudo systemsetup -setremotelogin off
devzkndeMacBook-Pro:.ssh devzkn$ sudo systemsetup -setremotelogin off
Do you really want to turn remote login off? If you do, you will lose this connection and can only turn it back on locally at the server (yes/no)? yes
devzkndeMacBook-Pro:.ssh devzkn$ sudo systemsetup -getremotelogin
Remote Login: Off
- sudo systemsetup -setremotelogin on
devzkndeMacBook-Pro:.ssh devzkn$ sudo systemsetup -setremotelogin on
devzkndeMacBook-Pro:.ssh devzkn$ sudo systemsetup -getremotelogin
Remote Login: On
To log in to this computer remotely, type “ssh devzkn@192.168.2.186”.
Or use the GUI:
On the Mac, open the Sharing preferences (choose Apple menu > System Preferences, then click Sharing).
1. Select Remote Login.
2. Selecting Remote Login also enables the secure FTP (SFTP) service.
3. Specify which users are allowed to log in:
Starting the static analysis
iPhone:/Applications/iNalyzer.app root# /Applications/iNalyzer.app/iNalyzer.sh static 2B559443-6CEE-4731-AA3B-7E587BE67219
appGuid=2B559443-6CEE-4731-AA3B-7E587BE67219
clutchAppId=3
isEncrypted=1
appSandbox=/private/var/mobile/Containers/Data/Application/CC955B7F-E976-425F-ADB3-7F52D18B4EEF
Preparing folders for static...
Preparing doxigen folders...
Binary is encyrpted. Decrypting..
clutchTmpFile=/var/tmp/clutch/3AD5851D-99B4-4BCB-A644-91B6B05EA4EB
Coping the decrypted binaries to the decryptedBinaries folder
===Binary analysis
Fetching binary info
Fetching entitlements
Looking for interesting symbols
Dumping strings
Dumping classes
Running class-dump with 'auto' mode
Trying classdump-dyld...
Return:
Not a suitable image: /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static/decryptedBinaries/KNMoon
(dlopen_preflight(/var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static/decryptedBinaries/Moon): Library not loaded: @rpath/libswiftCore.dylib
Reason: image not found)
classdump-dyld failed, trying class-dump-z...
./classdump.sh: line 52: 6963 Segmentation fault: 11 class-dump-z -H -k -k -o "$output" "$binary"
===Analyze interfaces...
===Decode mobile provisioning files...
Mobile provision file was not found
===Decode plist files...
Converted 1 files to XML format
Converted 1 files to XML format
Converted 1 files to XML format
Converted 1 files to XML format
Converted 1 files to XML format
Converted 1 files to XML format
Converted 1 files to XML format
OUTPUTFILE:/var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static_2017_12_09-14_24_57.zip
iPhone:/Applications/iNalyzer.app root# ls -l /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static_2017_12_09-14_24_57.zip
-rw-r--r-- 1 root wheel 7173417 Dec 9 14:25 /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static_2017_12_09-14_24_57.zip
iPhone:/Applications/iNalyzer.app root# scp /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static_2017_12_09-14_24_57.zip devzkn@192.168.2.186://Users/devzkn/decrypted/MoonV5.4.0
Password:
static_2017_12_09-14_24_57.zip 100% 7005KB 1.7MB/s 00:04
- Run the doxMe.sh script
./doxMe.sh
devzkndeMacBook-Pro:static_2017_12_09-14_24_57 devzkn$ ./doxMe.sh
Searching for include files...
Searching for example files...
Searching for images...
Searching for dot files...
Searching for msc files...
Searching for dia files...
Searching for files to exclude
Searching INPUT for files to process...
When it finishes, the generated HTML file opens automatically in the browser.
- Viewing the information
index.html gives a direct view of:
Binary info
►Entitlements
▼Interfaces
*.nib files
View Controllers
►Plist files
►Strings - KNMoon
►Symbols analysis - Memory functions
Fixing the Cydia error "i wasn't able to locate file for the berkeleydb package"
- Open Cydia.
- Tap the Changes tab at the bottom.
- Tap the Refresh button in the top-left corner and wait until all packages have loaded (do nothing else in the meantime).
Analysis of the classdump-dyld failure
(dlopen_preflight(/var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static/decryptedBinaries/): Library not loaded: @rpath/libswiftCore.dylib
Referenced from: /var/root/Documents/iNalyzer/2B559443-6CEE-4731-AA3B-7E587BE67219/static/decryptedBinaries/
Reason: image not found)
iPhone:/ root# find . -name libswiftCore.dylib
./private/var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Frameworks/libswiftCore.dylib
./private/var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/Moon.app/Frameworks/libswiftCore.dylib
./private/var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/Watch/WeChatWatchNative.app/PlugIns/WeChatWatchNativeExtension.appex/Frameworks/libswiftCore.dylib
devzkndeMacBook-Pro:/ devzkn$ find . -name libswiftCore.dylib
./System/Library/CoreServices/MRT.app/Contents/Frameworks/libswiftCore.dylib
./System/Library/PrivateFrameworks/Swift/libswiftCore.dylib
./Users/devzkn/Library/Developer/Xcode/iOS DeviceSupport/11.0.3 (15A432)/Symbols/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib
[Removing PIE]
iPhone:~ root# toggle-pie
Usage: toggle-pie <path_to_binary>
iPhone:~ root# ps -e |grep /var*
1057 ttys004 0:00.01 grep /var
iPhone:~ root# otool -hv /var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/
/var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/.app/:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM 9 0x00 EXECUTE 75 7500 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
iPhone:~ root# toggle-pie /var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/.app/
[STEP 1] Backing up the binary file...
[STEP 1] Binary file successfully backed up to /var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/.app/.bak
[STEP 2] Flip the 32-bit PIE...
Original Mach-O header: cefaedfe0c00000009000000020000004b0000004c1d000085802100
Original Mach-O header flags: 85802100
Flipping the PIE...
New Mach-O header flags: 85800100
[STEP 2] Successfully flipped the 32-bit PIE.
[STEP 3] Flip the 64-bit PIE...
Original Mach-O header: cffaedfe0c00000100000000020000004b000000982000008580210000000000
Original Mach-O header flags: 85802100
Flipping the PIE...
New Mach-O header flags: 85800100
[STEP 3] Successfully flipped the 64-bit PIE.
iPhone:~ root# otool -hv /var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/.app/
/var/mobile/Containers/Bundle/Application/2B559443-6CEE-4731-AA3B-7E587BE67219/.app/:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM 9 0x00 EXECUTE 75 7500 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK
__mh_execute_header:
00004000 struct __macho_header { ; DATA XREF=sub_756b0+62, sub_78252+8, sub_81f9c+128, sub_85f82+66, sub_86bd0+42, sub_87976+724, sub_89532+80, sub_8da68+64, switch_table_8ff1a+12252, switch_table_8ff1a+12270, sub_b1794+216, …
0xfeedface, // mach magic number identifier
PIE can also be removed with jtool:
Destructive Options (will write output to /tmp):
-m Modify
__SEGMENT[.__section],[_offset][,size] (null)
-r Remove/Resize (Experimental)
-rL _dylib/soname_ Library
-rC _Load_Command_#_ Load Command
-/+pie Toggle Position Independent Executable (ASLR)
-/+lcmain Toggle pre-Mountain-Lion/iOS6 compatibility (LC_UNIXTHREAD/LC_MAIN)
-/+enc Mark as decrypted/encrypted (toggles cryptid of LC_ENCRYPTION_INFO[64])
http://NewOSXBook.com/tools/j...
org.theos.dependencies
This package is intended for developers using the on-device toolchain and Theos.
What Theos needs.
Add coolstar's repository before installing this package https://coolstar.org/publicrepo/
class-dump
This is the same information provided by using ‘otool -ov’,
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
lrwxr-xr-x 1 root wheel 5 Nov 27 17:04 c++ -> clang
lrwxr-xr-x 1 root wheel 5 Nov 27 17:04 cc -> clang
lrwxr-xr-x 1 root wheel 5 Nov 27 17:04 clang++ -> clang
lrwxr-xr-x 1 root wheel 13 Nov 27 17:04 dsymutil -> llvm-dsymutil
lrwxr-xr-x 1 root wheel 8 Nov 27 17:04 gcov -> llvm-cov
lrwxr-xr-x 1 root wheel 7 Nov 27 17:04 nm -> llvm-nm
lrwxr-xr-x 1 root wheel 12 Nov 27 17:04 objdump -> llvm-objdump
lrwxr-xr-x 1 root wheel 10 Nov 27 17:04 otool -> llvm-otool
lrwxr-xr-x 1 root wheel 7 Nov 27 17:04 ranlib -> libtool
lrwxr-xr-x 1 root wheel 9 Nov 27 17:04 size -> llvm-size
lrwxr-xr-x 1 root wheel 5 Nov 27 17:04 swiftc -> swift
class_dump_z
https://code.google.com/archi...
classdump-dyld
- MachOView is a useful visual Mach-O file browser that also allows for in-file editing of ARM binaries.
- otool is a tool that displays specified parts of object files or libraries. It understands both Mach-O (Mach object) files and universal file formats.
https://github.com/AloneMonke...
ipainstaller
iPhone:~ root# ipainstaller -b com.example.targetapp -o /tmp/example.ipa
Checking LC_ENCRYPTION_INFO
iPhone:~ root# otool -l /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone | grep -A 4 LC_ENCRYPTION_INFO
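The header bytes that toggle-pie printed in the [Removing PIE] section, the `Library not loaded: @rpath/libswiftCore.dylib` failure in the classdump-dyld section, and the `LC_ENCRYPTION_INFO` check above can all be read straight from the Mach-O structures. The inspector below is an added example, not code from this page, iNalyzer, toggle-pie or jtool. It parses the 32-bit and 64-bit header bytes quoted on the page, names the flag bits the way `otool -hv` prints them, computes the flags value that flipping MH_PIE yields, and walks the load commands of a small image to report `cryptid`, `LC_RPATH` entries and the dylibs requested through `@rpath`. Only the two header byte strings come from the page; the sample image built by `build_sample_image`, with its offsets, version numbers and strings, is constructed for the example and is not a real app.

```python
"""Minimal Mach-O header / load-command inspector (added example, not from the page)."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0C, 0x0100000C
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
LC_RPATH = 0x8000001C  # 0x1C | LC_REQ_DYLD

# Subset of mach_header flag bits, named as `otool -hv` prints them.
FLAG_NAMES = {0x1: "NOUNDEFS", 0x4: "DYLDLINK", 0x80: "TWOLEVEL",
              0x8000: "WEAK_DEFINES", 0x10000: "BINDS_TO_WEAK", MH_PIE: "PIE"}

# Header bytes exactly as toggle-pie printed them on the page (32-bit and 64-bit slices).
HEADER32 = bytes.fromhex("cefaedfe0c00000009000000020000004b0000004c1d000085802100")
HEADER64 = bytes.fromhex("cffaedfe0c00000100000000020000004b000000982000008580210000000000")


def parse_header(data):
    """Return the mach_header fields of a little-endian thin image plus header_size."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        fields, size = struct.unpack_from("<7I", data, 0), 28
    elif magic == MH_MAGIC_64:
        fields, size = struct.unpack_from("<8I", data, 0), 32  # trailing uint32 is `reserved`
    else:
        raise ValueError("not a little-endian thin Mach-O image: magic=%#x" % magic)
    names = ("magic", "cputype", "cpusubtype", "filetype", "ncmds", "sizeofcmds", "flags")
    hdr = dict(zip(names, fields))
    hdr["header_size"] = size
    return hdr


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def has_pie(data):
    return bool(parse_header(data)["flags"] & MH_PIE)


def toggled_pie_flags(flags):
    """Flags value that flipping MH_PIE produces (what toggle-pie / jtool -pie write back)."""
    return flags ^ MH_PIE


def flags_hex(flags):
    """Little-endian hex of a flags word, matching toggle-pie's 'header flags' output."""
    return struct.pack("<I", flags).hex()


def load_commands(data):
    """Yield (cmd, cmdsize, offset) for each load command; refuse to walk past the buffer."""
    hdr = parse_header(data)
    off = hdr["header_size"]
    for _ in range(hdr["ncmds"]):
        if off + 8 > len(data):
            raise ValueError("truncated load commands at offset %d" % off)
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        yield cmd, cmdsize, off
        off += cmdsize


def _lc_string(data, off, cmdsize):
    # lc_str: uint32 offset relative to the start of the load command, NUL-terminated.
    rel, = struct.unpack_from("<I", data, off + 8)
    return data[off + rel:off + cmdsize].split(b"\0", 1)[0].decode()


def inspect_image(data):
    """Summarise what the page checks by hand: arch, PIE, cryptid, rpaths, @rpath dylibs."""
    hdr = parse_header(data)
    arch = {CPU_TYPE_ARM: "ARM", CPU_TYPE_ARM64: "ARM64"}.get(hdr["cputype"], hex(hdr["cputype"]))
    info = {"arch": arch, "pie": bool(hdr["flags"] & MH_PIE),
            "cryptid": None, "rpaths": [], "dylibs": []}
    for cmd, cmdsize, off in load_commands(data):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, info["cryptid"] = struct.unpack_from("<III", data, off + 8)
        elif cmd == LC_RPATH:
            info["rpaths"].append(_lc_string(data, off, cmdsize))
        elif cmd == LC_LOAD_DYLIB:
            info["dylibs"].append(_lc_string(data, off, cmdsize))
    return info


def _lc(cmd, body):
    # Build one load command, padded to an 8-byte multiple, with cmdsize filled in.
    raw = struct.pack("<II", cmd, 0) + body
    raw += b"\0" * (-len(raw) % 8)
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]


def build_sample_image(cryptid):
    """Constructed 64-bit image (not a real app): encryption info, one rpath, one @rpath dylib."""
    enc = _lc(LC_ENCRYPTION_INFO_64, struct.pack("<4I", 0x4000, 0x8000, cryptid, 0))
    rpath = _lc(LC_RPATH, struct.pack("<I", 12) + b"@executable_path/Frameworks\0")
    dylib = _lc(LC_LOAD_DYLIB, struct.pack("<4I", 24, 2, 0x10000, 0x10000)
                + b"@rpath/libswiftCore.dylib\0")
    cmds = enc + rpath + dylib
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 3, len(cmds), 0x218085, 0)
    return hdr + cmds


if __name__ == "__main__":
    for blob in (HEADER32, HEADER64):
        h = parse_header(blob)
        print(hex(h["magic"]), h["ncmds"], h["sizeofcmds"], " ".join(flag_names(h["flags"])))
    print(inspect_image(build_sample_image(1)))
```

`cryptid` 1 is the state the page reports as `isEncrypted=1`; a copy written by Clutch should read 0 there. Knowing which dylibs an image requests through `@rpath` and which `LC_RPATH` entries it declares is the starting point for diagnosing a `Library not loaded: @rpath/...` error like the one classdump-dyld raised above, and `has_pie` is the same check as reading the `PIE` flag from `otool -hv`.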