Preface

iosre:http://bbs.iosre.com/t/run-a-...
chinapyg:http://www.chinapyg.com/forum...
dllhook:http://www.dllhook.com/catego...

Requirements

  • Device Tools

1、otool

otool ——shows which dynamic libraries a program depends on and disassembles its code segment

Installing iNalyzer is enough to get these
nm ② ——displays the symbol table
ldid ③ ——code-signing tool
gdb ——debugger
patch ——patching tool
SSH ——remote access

class-dump and otool are included in the package called BigBoss Recommended Tools

2、 gdb 、lldb
3、 class-dump

https://speakerdeck.com/tgrf/...

  • Install LLVM so that you can make class-dump-swift
cd llvm-3.9.0.src/
mkdir build
cd build
cmake ..
make && sudo make install
Then you can successfully compile this project with just make.
  • Tear down the virtual network interface (rvictl -x takes the device UDID)
devzkndeMacBook-Pro:~ devzkn$ rvictl -x 07cf5424d3844522c3396fc55f419a11633cb54c

List the running app processes

iPhone:~ root# ps aux|grep /var/mobile/Containers/Bundle/
mobile   15771  36.1 14.7   981872 152828   ??  Ss    3:01PM   4:20.37 /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
mobile   15493   0.0  7.7   862412  79568   ??  Ss    5:58PM  13:11.90 /var/mobile/Containers/Bundle/Application/DB9E7889-BC60-4B5C-91BD-E59D08204958/WeChat.app/WeChat
mobile   11974   0.0  2.3   821156  24204   ??  Ss   Wed09AM   3:18.29 /var/mobile/Containers/Bundle/Application/472F4813-5586-49C7-BE0E-0A860C5001AC/Moon.app/Moon
root     15793   0.0  0.0   536236    384 s001  R+    3:14PM   0:00.01 grep /var/mobile/Containers/Bundle/

Preparation

http://blog.csdn.net/z9291189...

iPhone:~ root# cycript -p Taobao4iPhone
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents/"

Press Ctrl+D to exit.

Inject the dynamic library

iPhone:/var/mobile/Containers/Data/Application/2A1297E2-A76F-4ABE-A01D-203A7EA72776/Documents root# DYLD_INSERT_LIBRARIES=./dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/239A0B7E-AA8C-4E43-873D-16254934321A/Taobao4iPhone.app/Taobao4iPhone
devzkndeMacBook-Pro:bin devzkn$ class-dump --arch armv7 /Users/devzkn/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhone.decrypted -H -o ~/decrypted/Taobao4iPhoneV7.1.0/Taobao4iPhoneHead

Supplement

Installing LLVM
https://github.com/Maximus-/c...

Remember to install cmake

Recent LLVM releases can only be built with cmake, so install cmake first.

brew install cmake
Build:

mkdir build
cmake /path/to/llvm/source
cmake --build .
The build takes a long time and the build tree ends up around 20 GB.

Once the build finishes, the generated tools are under build/bin/.

bundleIdentifier

iPhone:~ root# cycript -p Taobao4iPhone
cy# [[NSBundle mainBundle] bundleIdentifier]
@"com.taobao.taobao4iphone"
cy# 

tweakTool

  • plutil
iPhone:/System/Library/LaunchDaemons root# plutil com.apple.racoon.plist
{
    EnableTransactions = 1;
    Label = "com.apple.racoon";
    MachServices =     {
        "com.apple.SecureNetworking.IPSec" = 1;
    };
    ProgramArguments =     (
        "/usr/sbin/racoon",
        "-D"
    );
    RunAtLoad = 0;
    Sockets =     {
        Listeners =         {
            SockFamily = Unix;
            SockPathMode = 384;
            SockPathName = "/var/run/vpncontrol.sock";
        };
    };
}
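The text plutil prints on the device is the old-style (OpenStep) plist format, which Python's plistlib does not read. As an added example that is not part of the original post, here is a small parser for that format plus a summary of the fields worth reviewing in a daemon's plist; the sample is the racoon plist above, reconstructed inline, and `daemon_summary` and its field names are this example's own.

```python
import re
# Constructed sample: the old-style plist text that plutil printed for com.apple.racoon above.
SAMPLE = """{ EnableTransactions = 1; Label = "com.apple.racoon";
  MachServices = { "com.apple.SecureNetworking.IPSec" = 1; };
  ProgramArguments = ( "/usr/sbin/racoon", "-D" ); RunAtLoad = 0;
  Sockets = { Listeners = { SockFamily = Unix; SockPathMode = 384;
              SockPathName = "/var/run/vpncontrol.sock"; }; }; }"""
_TOKEN = re.compile(r'"([^"]*)"|([\w./:+-]+)|([{}()=;,])|(\s+)|(.)')  # str|word|sym|space|bad

def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.lastindex == 5:
            raise ValueError("unexpected character %r" % m.group(5))
        if m.lastindex != 4:  # skip whitespace; quoted strings and bare words are both "str"
            tokens.append(("sym", m.group(3)) if m.lastindex == 3 else ("str", m.group(m.lastindex)))
    return tokens

def _parse(tok, i):  # parse one value at tok[i]; return (value, index just past it)
    kind, val = tok[i]
    if kind == "str":
        return val, i + 1
    if val not in ("{", "("):
        raise ValueError("unexpected %r at token %d" % (val, i))
    close = "}" if val == "{" else ")"
    out, i = ({} if val == "{" else []), i + 1
    while tok[i] != ("sym", close):
        item, i = _parse(tok, i)
        if val == "{":  # dictionary entry:  key = value;
            if tok[i] != ("sym", "="):
                raise ValueError("expected '=' after key %r" % item)
            out[item], i = _parse(tok, i + 1)
        else:           # array item:  value,
            out.append(item)
        if tok[i] in (("sym", ";"), ("sym", ",")):  # entry/item separator
            i += 1
    return out, i + 1

def parse_plist(text):
    return _parse(tokenize(text), 0)[0]

def daemon_summary(plist):
    """The fields to review first: what runs, whether it starts at boot, and the
    socket launchd opens for it (SockPathMode is decimal; 384 is 0o600)."""
    listeners = plist.get("Sockets", {}).get("Listeners", {})
    mode = listeners.get("SockPathMode")
    return {"program": plist.get("ProgramArguments", [None])[0],
            "run_at_load": plist.get("RunAtLoad") == "1",
            "socket_path": listeners.get("SockPathName"),
            "socket_mode": oct(int(mode)) if mode is not None else None}
```

Values come back as strings because the old-style format has no numeric type; the socket mode is converted to octal so its owner-only permission (0o600) is obvious at a glance.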

Use launchctl to control background daemons

  • Stop daemon xxx (pass its label, the Label key from its plist)
launchctl stop xxx
  • launchctl list shows the loaded daemons
Phone:/System/Library/LaunchDaemons root# launchctl list 
PID    Status    Label
-    0    com.apple.mediastream.mstreamd
-    -44    com.apple.icloud.findmydeviced

Column 1: the daemon's PID
Column 2: the exit status of its last run

  • Stop a daemon
launchctl stop com.apple.DumpPanic
  • Remove a daemon
launchctl remove com.apple.DumpPanic

Run a daemon (as root) on iOS

Because daemons are loaded by launchd, which is owned by root:wheel,

iPhone:/sbin root# ls -l /sbin/launchd
-rwxr-xr-x 1 root wheel 239536 Nov 19  2014 /sbin/launchd

so both a daemon and its config file must be owned by root:wheel too; it is born and runs as root. Keep that in mind, we'll get back to it later.

