Some notes from learning iOS reverse engineering
Resource links
Reference summary
Basic operations
unzip appname.ipa
appname.app/appname is the app's executable (a Mach-O binary)
file appname.app/appname
Shows which architectures the binary contains:
armv7: 32-bit device architecture
arm64: 64-bit device architecture
otool -l WeChat.app/WeChat | grep -B 2 crypt
otool prints the app's load commands; the cryptid field of the LC_ENCRYPTION_INFO load command tells you whether the app is encrypted: 1 means encrypted, 0 means not encrypted (decrypted).
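The two checks above can be scripted so a build pipeline can verify what `file` and `otool -l` report. The following is an added example, not code from the original post: it parses the architecture names out of `file` output and the cryptid values out of `otool -l` output. The sample outputs are constructed inline (the offsets and sizes are made up) so the script runs without a real IPA.

```shell
#!/bin/sh
# Added example: summarise architectures and encryption status of an app
# binary from `file` and `otool -l` output. Sample outputs are constructed.

# Constructed `file` output for a fat binary with two slices.
SAMPLE_FILE_OUT='appname.app/appname: Mach-O universal binary with 2 architectures: [arm_v7:Mach-O executable arm_v7] [arm64:Mach-O 64-bit executable arm64]
appname.app/appname (for architecture armv7):	Mach-O executable arm_v7
appname.app/appname (for architecture arm64):	Mach-O 64-bit executable arm64'

# Constructed `otool -l` fragment: one LC_ENCRYPTION_INFO per slice, both cryptid 1.
SAMPLE_OTOOL_OUT='Load command 12
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 1048576
      cryptid 1
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 2097152
      cryptid 1
          pad 0'

# archs: reads `file` output on stdin, prints the architecture names space-separated.
archs() {
  grep -o 'for architecture [a-z0-9_]*' | awk '{print $3}' | tr '\n' ' ' | sed 's/ $//'
}

# cryptid_status: reads `otool -l` output on stdin and prints one word.
# "encrypted" if any slice has cryptid 1, "not-encrypted" if all are 0,
# "unknown" if no LC_ENCRYPTION_INFO command was found at all.
cryptid_status() {
  ids=$(grep -E '^[[:space:]]*cryptid[[:space:]]' | awk '{print $2}' | sort -u | tr '\n' ' ')
  case "$ids" in
    "")  echo unknown ;;
    *1*) echo encrypted ;;
    *)   echo not-encrypted ;;
  esac
}

# check_sample: runs both helpers over the constructed samples and prints a summary line.
check_sample() {
  a=$(printf '%s\n' "$SAMPLE_FILE_OUT" | archs)
  s=$(printf '%s\n' "$SAMPLE_OTOOL_OUT" | cryptid_status)
  echo "archs=[$a] status=$s"
}

check_sample
```

Against a real app, pipe `file appname.app/appname | archs` and `otool -l appname.app/appname | cryptid_status`; a release binary from the App Store should come back `encrypted`, so `not-encrypted` on a binary that was supposed to be a store build is a sign it has been repackaged.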
Re-signing
resign takes the IPA directly; the certificate and provisioning profile are applied to the app automatically.
resign also re-signs every plugin that needs re-signing.
You can upload the result to FIR to check whether the re-signed IPA installs correctly.
Replace embedded.mobileprovision (App Store builds do not contain this file; copy the development profile in). resign handles this automatically.
Use fastlane's resign action to re-sign the app; it automatically re-signs the required files, including those under the PlugIns directory:
resign(
  ipa: "./wangyi.ipa",
  signing_identity: "iPhone Distribution: XXX Technology XXXX Inc. (HAABBCCDD1122)",
  provisioning_profile: "./fastlane/XC_iOS_Ad_Hoc_.mobileprovision"
)
Static analysis
class-dump (exports headers); MonkeyDev already integrates it:
under User-Defined build settings set MONKEYDEV_CLASS_DUMP to YES and MONKEYDEV_RESTORE_SYMBOL to YES.
Using Hopper Disassembler
Using IDA
Reading IDA pseudocode: v8 stands for self; objc_msgSend(v8, "accquirePendingLock") stands for [self accquirePendingLock]; if (objc_msgSend(v8, "accquireLoginLock") & 0xFF) means if ([self accquireLoginLock]); (*(v11 + 12))(v11, 1, v17) is a block invocation; &v48 passes the block by its address.
Dynamic analysis
CaptainHook (see the CaptainHook documentation)
- Method hooks: CHOptimizedMethod(count, optimization, return_type, class_type, name1, type1, arg1) hooks a method; CHSuper() calls the original implementation. count is the number of arguments; optimization is the optimization option (e.g. self); return_type is the return type; class_type is the class being hooked; name1 is the method name, type1 the parameter type and arg1 the parameter name; leave arg blank if there is no parameter, and so on for further parameters. Class method: CHOptimizedClassMethod. Instance method: CHOptimizedMethod. Himalaya FM would not play: the bundle ID has to be AAA and the version has to match the application's version.
Logos Tweak
Logos syntax: after selecting the Logos Tweak template, the new project's directory structure looks like the figure below. Note that Xcode does not recognise the .xm file format: select Objective-C++ Source as the type in Xcode's right-hand inspector and reopen the file. logify.pl usage: $THEOS/bin/logify.pl ./ssDownloadasset.h
cycript
Download cycript, cd into the cycript directory and run: ./cycript -r 192.168.0.103:6666
Common commands (Chinese blog; see also the Cycript Tricks site)
// Get an Objective-C object from its address
cy# var p = #0x8614390
["<SKPaymentTransaction: 0x8613d80>"]
// Get the attributes of an object
cy# *controller
// Get the view hierarchy
cy# UIApp.keyWindow.recursiveDescription
// Get the current controller
cy# function currentVC() {
  var app = [UIApplication sharedApplication]
  var keyWindow = app.keyWindow
  var rootController = keyWindow.rootViewController
  var visibleController = rootController.visibleViewController
  if (!visibleController) {
    return rootController
  }
  return visibleController.childViewControllers[0]
}
cy# var vc = currentVC()
You can instantiate the class you need directly and check whether the hook took effect.