Preface

The previous article, iOS Reverse – LLDB, covered basic LLDB usage and little else. Reverse engineering relies on several other dynamic debugging techniques, and this article supplements the previous one with those techniques and their practical application.

The tools covered are Chisel and Cycript.

If space allows, custom Cycript (.cy) commands are covered at the end.

Notes on reverse debugging

  • Some readers reported that their account was blocked after using a re-signed WeChat app. To explain: WeChat, Douyin and similar apps carry protection and monitoring. The author tested some Logos code found online for getting around WeChat's protection, and it did not work 100% of the time.

  • Debugging other people's applications can cause the same problem, so avoid logging in with your personal account. If you don't have to log in, don't.

  • If you do need to log in, use a throwaway account, and have another account ready in advance to unblock it.

  • In a jailbroken environment, debugging with a tweak (plug-in) needs no re-signing, and the probability of being blocked is very low.

  • One last time: the point of reverse engineering is better protection.

Chisel

Overview

Chisel is an LLDB plug-in released by Facebook. It assists with debugging and lets users define their own commands; the details follow.

Installation

Command: brew install chisel

(Install Homebrew first if it is not already installed.)

After installation, run brew list to check the result.

Configuration

How to configure it?

1. Open the install directory

  • Find the installed files first: cd /usr/local/Cellar/chisel
  • open . and locate the fblldb.py script file.
  • cmd + opt + c copies the file's path.

2. Load the script path in the LLDB configuration

  • If there is no .lldbinit file in your home directory, refer to the final section of the previous article, iOS Reverse – LLDB, on automatically loading commands, and create one with vim.
  • vim .lldbinit
  • s to enter edit mode
  • Add the load command: command script import /usr/local/Cellar/chisel/1.8.1/libexec/fblldb.py (change the path to your own)
  • ESC, then :wq to save and exit

Usage

Test the configuration

Let's briefly test the configuration.

Note: if the project is already running, use command source ~/.lldbinit to reload the LLDB configuration file.

Open any project, stop at a breakpoint, and type pviews.

pviews is a Chisel command that prints the view hierarchy. As the output above shows, the configuration succeeded.

Commonly used commands

To simulate a real dynamic debugging scenario from the reverse engineering process, I demonstrate the commands on the WeChat app re-signed with MonkeyDev that I used before. Readers unfamiliar with re-signing can read the two earlier articles: re-signed application debugging and code modification (hook), and automatic re-signing and code injection with shell scripts.

MonkeyDev installation and usage are not described here. Once the re-signing principle is understood, MonkeyDev is essentially scripted automatic re-signing plus the code injection (hook) part, integrated with Cydia Substrate.

All we need to do is put the decrypted IPA or app bundle into the designated folder, and re-signing and code injection are done. Very convenient.

If you have any questions about using MonkeyDev, please leave a comment.

Run the project.

pviews: view hierarchy

Open the registration page and pause to enter breakpoint mode.

  • Command: pviews
  • Result:
  • Description: pviews lets us clearly see the view hierarchy and each view's memory address.

pvc: view controller hierarchy

  • Command: pvc

  • Result:

  • Note: pvc lets us clearly see the view controller hierarchy and each controller's memory address.

pactions: event lookup

Using pviews, pick any button and copy its memory address.

  • Command: pactions 0x10b06e5e0
  • Result:
  • Description: pactions returns the button's target and action methods, which are needed a lot when hooking in reverse engineering.

presponder: responder chain

Using pviews, pick any button and copy its memory address.

  • Command: presponder 0x10b06e5e0
  • Result:
  • Description: presponder prints the complete responder chain.
pclass: inheritance chain

Pick any object and copy its memory address.

  • Command: pclass 0x10b910600
  • Result:
  • Description: pclass prints the full inheritance chain.

pmethods: class methods / instance methods

  • Command: pmethods 0x106b57bc0
  • Result:
  • Description: pmethods prints all class methods and instance methods of a class.

pinternals: member variables

  • Command: pinternals 0x10b660df0
  • Result:

fv / fvc

  • Command: fvc -v 0x10b8fe000
  • Result:
  • Description:
    • Look up the class name by memory address (po also works); fvc is for view controllers, fv for views.
    • fv + class name: conversely, given a class name, search the running project for that class and print its memory address.
Key: taplog

  • Command: taplog
  • Description: type taplog, continue out of breakpoint mode, then tap any responsive view on screen; LLDB automatically re-enters breakpoint mode and prints the tapped control.
  • Result:

Key: flicker

  • Command: flicker 0x11827c040
  • Note: given a memory address, this command flashes the view when invoked while paused, which makes it very easy to confirm whether the address is the view we're looking for.

Key: vs

  • Command: vs 0x11827c040
  • Given a memory address, enters an interactive debug mode in which the current view is outlined in red for inspection.
  • Result:
(lldb) vs 0x1120f3390

Use the following and (q) to quit.
(w) move to superview    // Go to the superview of the current view
(s) move to first subview // Go to the first subview of the current view
(a) move to previous sibling  // go to the previous view in the sibling relationship of the current view
(d) move to next sibling     // go to the next view in the sibling relationship of the current view
(p) print the hierarchy   // Prints the hierarchy of the current view

<FixTitleColorButton: 0x1120f3390; baseClass = UIButton; frame = (20 112; 374 47); clipsToBounds = YES; opaque = NO; autoresize = W; layer = <CALayer: 0x1118c0900>>
  • To exit vs debug mode, type q.
Tip

The last three commands are used very often in reverse engineering; practice them until they are second nature.

lldb_commands plug-in

This LLDB plug-in is called lldb_commands; its address is github.com/DerekSeland…

Installation

  • Clone or download lldb_commands directly. I put the folder in /usr/local/Cellar.

  • Go to the home directory, open .lldbinit, and add the directive:
command script import /usr/local/Cellar/lldb_commands/dslldb.py

Change the path to your own lldb_commands folder.

When the project is in LLDB mode, type search UIView to test whether the configuration worked.
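Both .lldbinit steps above (Chisel's fblldb.py and lldb_commands' dslldb.py) hardcode a path that changes whenever brew installs a new Chisel version, and pasting the line twice leaves duplicate imports. The following Python script is an added example, not part of the original article or of either project: it locates the newest fblldb.py under the Cellar, builds the command script import lines and appends only the ones that are missing, so running it repeatedly is safe. The Cellar paths are the ones used in this article; the function names (find_chisel_script, ensure_lldbinit) are the example's own.

```python
"""Added example: keep ~/.lldbinit pointing at the installed Chisel and lldb_commands scripts."""
import re
from pathlib import Path

# Locations used in this article (assumed defaults; adjust for your machine)
CHISEL_CELLAR = Path("/usr/local/Cellar/chisel")
LLDB_COMMANDS_SCRIPT = Path("/usr/local/Cellar/lldb_commands/dslldb.py")


def _version_key(name):
    """Turn '1.8.1' into (1, 8, 1) so version directories sort numerically, not lexically."""
    return tuple(int(part) if part.isdigit() else -1 for part in re.split(r"[._-]", name))


def find_chisel_script(cellar=CHISEL_CELLAR):
    """Return the newest <cellar>/<version>/libexec/fblldb.py, or None if Chisel is not installed."""
    cellar = Path(cellar)
    if not cellar.is_dir():
        return None
    candidates = [p for p in cellar.glob("*/libexec/fblldb.py") if p.is_file()]
    if not candidates:
        return None
    # p.parent.parent is the version directory, e.g. /usr/local/Cellar/chisel/1.8.1
    return max(candidates, key=lambda p: _version_key(p.parent.parent.name))


def import_line(script):
    """The .lldbinit directive that loads one Python script into LLDB."""
    return f"command script import {script}"


def ensure_lldbinit(lldbinit, scripts):
    """Append an import line for every script not already listed; return the lines that were added."""
    lldbinit = Path(lldbinit)
    text = lldbinit.read_text() if lldbinit.exists() else ""
    present = {line.strip() for line in text.splitlines()}
    added = []
    for script in scripts:
        line = import_line(script)
        if line not in present:          # idempotent: skip lines that are already there
            added.append(line)
            present.add(line)
    if added:
        if text and not text.endswith("\n"):
            text += "\n"
        lldbinit.write_text(text + "\n".join(added) + "\n")
    return added


if __name__ == "__main__":
    scripts = [s for s in (find_chisel_script(), LLDB_COMMANDS_SCRIPT)
               if s is not None and s.exists()]
    for line in ensure_lldbinit(Path.home() / ".lldbinit", scripts):
        print("added:", line)
    print("reload inside a running session with: command source ~/.lldbinit")
```

Run it after each brew upgrade chisel; a session that is already running still needs command source ~/.lldbinit, as noted above.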

Commonly used commands

methods: quickly locate methods

Find the view controller's address and use methods to list all of its instance methods and properties.

Note: breakpoints set by class and method name fail, because in a reverse-engineered binary the method symbols have not been restored.

Function call stack

Since the symbols are not restored, the bt command shows the following when inspecting the function call stack.

(How to recover Mach-O symbols with tools will be covered later.)

Here the sbt command provided by lldb_commands helps restore some symbols so that the method names become visible.

Mach-O section view

  • The section command lets us quickly see which segments and sections a Mach-O contains.
  • section also accepts extra arguments to view specific Mach-O contents.
  # Dump the Mach-O segments to the main executable
  (lldb) section

  # Dump the Mach-O segments to UIKit
  (lldb) section UIKit

  # Dump the Mach-O sections of the __TEXT segment of UIKit
  (lldb) section UIKit __TEXT

  # Get the load address of all the hard-coded uint8_t * strings in the UIKit binary
  (lldb) section UIKit __TEXT.__cstring -l

  # Get the entitlements for the executable (simulator only, entitlements for actual app in __LINKEDIT)
  (lldb) section  __TEXT.__entitlements

  # Get all the load address to the lazy symbol stubs in the main executable
  (lldb) section  __DATA.__la_symbol_ptr -l

The output looks like this, and it can be cross-checked with MachOView.
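To make clear what section is actually reading, here is an added Python example (not from the article, lldb_commands or MachOView) that parses the structures the command walks: the mach_header_64, each LC_SEGMENT_64 load command and its section_64 table. It builds a constructed minimal Mach-O in memory with a __TEXT segment containing __cstring and __entitlements sections, then mirrors section __TEXT.__cstring -l by listing every string with its load address and section __TEXT.__entitlements by returning the section bytes. The slide parameter stands in for the ASLR slide that the real command reads from the live process; that, and the function names, are assumptions of the example.

```python
"""Added example: minimal parser for the Mach-O structures the `section` command reads."""
import struct

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19       # segment load command (carries the section table)
S_CSTRING_LITERALS = 0x2   # section flag for NUL-terminated C strings


def _cstr(raw):
    """Decode a fixed 16-byte, NUL-padded name field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_segments(data):
    """Return [(segname, vmaddr, [(sectname, addr, size, fileoff), ...]), ...] for every LC_SEGMENT_64."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    segments = []
    off = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            segname, vmaddr, _vmsize, _fileoff, _filesize, _maxprot, _initprot, nsects, _sflags = \
                struct.unpack_from("<16s4Q2i2I", data, off + 8)
            sections = []
            soff = off + 72                    # sizeof(segment_command_64)
            for _ in range(nsects):
                fields = struct.unpack_from("<16s16s2Q8I", data, soff)
                sectname, _seg, addr, size, offset = fields[:5]
                sections.append((_cstr(sectname), addr, size, offset))
                soff += 80                     # sizeof(section_64)
            segments.append((_cstr(segname), vmaddr, sections))
        off += cmdsize                         # other load commands are skipped by size
    return segments


def find_section(segments, spec):
    """Look up "__SEG.__sect" (the syntax used by `section UIKit __TEXT.__cstring`)."""
    segname, sectname = spec.split(".", 1)
    for name, _vmaddr, sections in segments:
        if name == segname:
            for sname, addr, size, offset in sections:
                if sname == sectname:
                    return addr, size, offset
    return None


def section_bytes(data, segments, spec):
    """Raw contents of a section, e.g. the plist behind `section __TEXT.__entitlements`."""
    found = find_section(segments, spec)
    if found is None:
        return None
    _addr, size, offset = found
    return data[offset:offset + size]


def cstrings_with_load_address(data, segments, spec="__TEXT.__cstring", slide=0):
    """Mirror `section __TEXT.__cstring -l`: (load address, string) per NUL-terminated string."""
    found = find_section(segments, spec)
    if found is None:
        return []
    addr, size, offset = found
    blob = data[offset:offset + size]
    out, pos = [], 0
    while pos < len(blob):
        end = blob.find(b"\0", pos)
        if end == -1:
            end = len(blob)
        if end > pos:                          # skip empty strings / padding
            out.append((addr + slide + pos, blob[pos:end].decode("utf-8", "replace")))
        pos = end + 1
    return out


def build_sample_macho():
    """Constructed sample binary (not a real app): one __TEXT segment with __cstring and __entitlements."""
    cstring = b"hello\0reverse\0"
    entitlements = b"<plist><dict><key>get-task-allow</key><true/></dict></plist>"
    text_vmaddr = 0x100000000
    seg_size = 72 + 2 * 80                     # segment command plus two section headers
    data_off = 32 + seg_size                   # section contents follow the load commands
    ent_off = data_off + len(cstring)
    total = ent_off + len(entitlements)
    sect_cstring = struct.pack("<16s16s2Q8I", b"__cstring", b"__TEXT", text_vmaddr + data_off,
                               len(cstring), data_off, 0, 0, 0, S_CSTRING_LITERALS, 0, 0, 0)
    sect_ent = struct.pack("<16s16s2Q8I", b"__entitlements", b"__TEXT", text_vmaddr + ent_off,
                           len(entitlements), ent_off, 0, 0, 0, 0, 0, 0, 0)
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, seg_size, b"__TEXT",
                      text_vmaddr, total, 0, total, 5, 5, 2, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, seg_size, 0, 0)  # arm64, MH_EXECUTE
    return header + seg + sect_cstring + sect_ent + cstring + entitlements


if __name__ == "__main__":
    sample = build_sample_macho()
    segs = parse_segments(sample)
    for segname, vmaddr, sections in segs:
        print(f"{segname} @ {vmaddr:#x}")
        for sectname, addr, size, _off in sections:
            print(f"  {sectname:<16} {addr:#x} size={size}")
    for load_addr, s in cstrings_with_load_address(sample, segs):
        print(f"{load_addr:#x} {s!r}")
```

Pointing parse_segments at the bytes of a real decrypted executable lists the same segments and sections that section prints; the load addresses only match the running process once the slide is added, which is exactly why the command's -l output differs from the static addresses MachOView shows.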

Cycript

Overview

Cycript is a scripting language developed by Saurik, the founder of Cydia. It is a hybrid interpreter for Objective-C and JavaScript syntax, which means we can use Objective-C, JavaScript, or both in a single command.

It can attach to a running process and modify many things at run time.

Go to the official website and click Download SDK to download it.

Installation

  • Put the downloaded folder in /opt/ (or any location you prefer).
  • Configure the environment variables.
  • Note: depending on whether you use zsh or bash, edit the corresponding resource file in your home directory (.zshrc or .bash_profile).
  • The author's .zshrc also loads .bash_profile, so the environment variables can be configured in either file.

Configuration contents:

  • Add export CY=/opt/cycript_0.9.594/ (change to your own path).
  • Add export PATH=$PATH:$CY

Restart iTerm and type cycript to check.

If you run into a Ruby environment error, download the matching Ruby version; see /System/Library/Frameworks/Ruby.framework/Versions.

Usage

In a jailbroken environment, the Cycript plug-in can be installed directly from Cydia.

Uploading screenshots from a jailbroken phone is a bit of a hassle, so these are photos of the screen; please ignore the quality and focus on the content.

In a non-jailbroken environment, the iOS framework provided by Cycript has to be injected into the app. In MonkeyDev, Cycript injection is already done by default,

and listening on the default port 6666 is added.

This means that when an app re-signed with MonkeyDev is running, we can attach to it on port 6666 (the MonkeyDev code can of course define its own port number).

OK, with that said, let's start using it.

  • 1. Make sure your PC and phone are on the same LAN (for the port mapping).
  • 2. Run the MonkeyDev re-signing project, or directly open the previously re-signed project, and run it with Xcode.
  • 3. In the terminal, type cycript -r 192.168.0.116:6666
    • Replace the IP address with your own phone's.
    • Also, do not put the app in the background, as that interferes with attaching.

Congratulations, you’re good to go!

Tips

Use the TAB key to autocomplete code.

UIWindow.keyWindow()

View the current window.

UIApplication sharedApplication

Command: [UIApplication sharedApplication] can be abbreviated to UIApp

Custom variables

Command: declare an object with var, and it can be used from then on.

Note also that this variable persists as long as the app process is not killed.

# + address can be used directly

With the object's address we can call the object's methods directly.

View the view hierarchy

UIWindow.keyWindow().recursiveDescription().toString()

For example, the registration page has a label whose text is +86; get its memory address.

Command:

#0x10b95d800.text = "hhh"

Result:

Based on this direct modification of process memory you can play around: for example, log in and change the wallet balance, then change a frame, and so on. Practice.

I won't show the results of the following commands one by one; the article is already long enough, so try them yourselves.

Get all controls of a type on the page

choose(UIButton)

choose(UILabel)

Hide/show the status bar

[UIApp setStatusBarHidden:YES]

App icon badge number

[UIApp setApplicationIconBadgeNumber:99]

Get the Bundle ID

APPID results:

@"com.libin.LBMonkeyApp"

Page hierarchy

pviews()

pvcs()

Get the button's target & action from the button address

pactions(#0x10b29da40)

Result:

"<WCAccountRegisterViewController: 0x10b9d9800> onAgreementCheckBoxClick:"

Get the responder chain from the button address

rp(#0x10b29da40)

Exit cy debug mode

control + d

Note:

pviews / pvcs / pactions / rp are provided by MonkeyDev through the custom cy sources packaged via mdconfig.plist. This means these commands are not available in the original Cycript plug-in in a jailbroken environment.

So when we have some spare time, why not write a cy source of our own and play with it?

Custom cy commands

  • Create a new empty file in the main MonkeyDev project target; I'll call it lb.cy.

  • Under Build Phases – Copy Files, add this file.

  • In the empty file, add the commands we want to define. Refer to the two cy sources originally supplied by MonkeyDev: raw.githubusercontent.com/AloneMonkey…

    Here I've written some of the commands I use often, such as getting APPID/APPPATH, the current view, the current page, etc. They are posted below for reference, or you can use them directly.

  • Rerun the project.

  • Enter our custom command, for example LBCurrentVC()

  • It reports that the command was not found, because we haven't imported it yet; MonkeyDev's own two sources are imported automatically in the config.

  • @import lb

  • Type LBCurrentVC() again to get the result.

    // IIFE: self-executing anonymous function; everything defined inside is available after @import lb
    (function(exports) {
        // Bundle identifier and bundle path of the running app
        // (bundlePath is assumed here; the original line was cut off after [NSBundle mainBundle])
        APPID = [NSBundle mainBundle].bundleIdentifier;
        APPPATH = [NSBundle mainBundle].bundlePath;

        // Function definitions
        LBRootvc = function() {
            return UIApp.keyWindow.rootViewController;
        };

        LBKeyWindow = function() {
            return UIApp.keyWindow;
        };

        // Walk down from a root view controller through presented, tab bar and
        // navigation controllers until the view controller actually on screen is reached
        LBGetCurrentVCFromRootVc = function(rootVC) {
            var currentVC;
            if ([rootVC presentedViewController]) {
                rootVC = [rootVC presentedViewController];
            }

            if ([rootVC isKindOfClass:[UITabBarController class]]) {
                currentVC = LBGetCurrentVCFromRootVc(rootVC.selectedViewController);
            } else if ([rootVC isKindOfClass:[UINavigationController class]]) {
                currentVC = LBGetCurrentVCFromRootVc(rootVC.visibleViewController);
            } else {
                currentVC = rootVC;
            }

            return currentVC;
        };

        // The command used in the steps above: the view controller currently shown
        LBCurrentVC = function() {
            return LBGetCurrentVCFromRootVc(LBRootvc());
        };
    })(exports);

Tips

  • When using a control's or object's memory address in Cycript, pay attention to its life cycle. For example, if you use a label's memory address while debugging a page, then leave the page and re-enter it, the previous memory address is no longer valid. Don't forget this.

  • Since using Cycript requires connecting over the LAN every time, along with any other initialization actions we want to customize, we can put them in a script and wire it into the zsh/bash environment. Play around with it and raise any questions in the discussion.

  • View Debug and the Cycript debugging interface are very commonly used tools in reverse engineering; hopefully you will become familiar with these techniques.