Preface
The previous article, iOS reverse engineering – LLDB, covered some basic LLDB usage and not much else. Daily reverse engineering work relies on several more dynamic debugging methods, so this article supplements the previous one with their practical application: Chisel and Cycript.
If space permits, we will also cover custom Cycript (.cy) directives.
Notes for reverse debugging
- Some readers reported that their re-signed WeChat app was banned. To explain: WeChat, Douyin and similar apps are protected and monitored. The author tested some Logos code found online that claims to bypass WeChat's protection, and it did not work 100% of the time.
- Debugging other people's applications can cause the same problem, so try not to log in with a personal account; if you do not have to log in, don't.
- If you do need to log in, use a throwaway account, and prepare another account in advance for unblocking.
- In a jailbroken environment, debugging with a plug-in needs no re-signing, and the probability of being banned is very low.
- One last time: reverse engineering is only for building better protection.
Chisel
Overview
Chisel is an LLDB plug-in released by Facebook. It helps with debugging and lets users define their own commands; the details are elaborated below.
Installation
Command: brew install chisel
(Install Homebrew first if you have not already.)
After installation, run brew list to check the result.
Configuration
How to configure it?
1 — Open the install directory
- Find the installed files first:
cd /usr/local/Cellar/chisel
open .
Locate the fblldb.py script file, select it and press cmd + opt + c to copy its path.
2 — Load the script path in the LLDB configuration
- If you do not have a .lldbinit file in your home directory, refer to the final section of the previous article, iOS reverse – LLDB, on the autoload instruction, and create one with vim:
vim .lldbinit
Press s to enter edit mode and add the load instruction:
command script import /usr/local/Cellar/chisel/1.8.1/libexec/fblldb.py
(Change the path to your own.)
Press ESC, then type :wq to save and exit.
Usage
Test the configuration
Let's briefly test the configuration.
Note: if the project is already running, use command source ~/.lldbinit to reload the LLDB configuration file.
Open any project, pause at a breakpoint, and type pviews.
pviews is a Chisel command that prints the view hierarchy. As the output above shows, the configuration succeeded.
Commonly used commands
To simulate a real dynamic debugging scene in reverse engineering, I use the WeChat app re-signed earlier with MonkeyDev to demonstrate the commands. Readers unfamiliar with re-signing can read the two earlier articles: re-signed application debugging and code modification (Hook), and shell-script automatic re-signing and code injection.
Installing and using MonkeyDev is not covered here. Once the re-signing principle is understood, MonkeyDev is essentially scripted automatic re-signing plus a code-injection hook part integrated with Cydia Substrate.
All we need to do is put the decrypted IPA or APP package into the designated folder, and re-signing and code injection are done. It is very convenient.
If you have any questions about using MonkeyDev, please leave a comment.
Run the project.
pviews: view hierarchy
Open the registration page and pause to enter breakpoint mode.
- Command:
pviews
- Results: (screenshot)
- Description: pviews lets us clearly see the view hierarchy and each view's memory address.
pvc: view controller hierarchy
- Command:
pvc
- Results: (screenshot)
- Description: pvc lets us clearly see the view controller hierarchy and memory addresses.
pactions: find event handlers
Using pviews, pick any button and copy its memory address.
- Command:
pactions 0x10b06e5e0
- Results: (screenshot)
- Description: pactions prints the button's target and action methods, which is needed constantly when hooking in reverse engineering.
presponder: responder chain
Using pviews, pick any button and copy its memory address.
- Command:
presponder 0x10b06e5e0
- Results: (screenshot)
- Description: presponder prints the complete responder chain.
pclass: inheritance chain
Find any object (for example with pviews or pvc) and copy its memory address.
- Command:
pclass 0x10b910600
- Results: (screenshot)
- Description: pclass prints the full inheritance chain.
pmethods: class methods and instance methods
- Command:
pmethods 0x106b57bc0
- Results: (screenshot)
- Description: pmethods prints all class methods and instance methods of an object's class.
pinternals: member variables
- Command:
pinternals 0x10b660df0
- Results: (screenshot)
fv / fvc
- Command:
fvc -v 0x10b8fe000
- Results: (screenshot)
- Description: with -v and a memory address, the class is looked up by address (po works as well). fvc is for view controllers and fv for views; the usual form is fv followed by a class name. In reverse engineering this also works the other way round: once you know a class name, go back to the project and search for it to print its memory address.
Key command: taplog
- Command:
taplog
- Description: type taplog in breakpoint mode, resume, then tap any responsive view on the screen; LLDB automatically breaks again and prints the tapped view.
- Results: (screenshot)
Key command: flicker
- Command:
flicker 0x11827c040
- Note: given a memory address, this command flashes the view while the app is paused. It is very convenient for debugging and for confirming whether a memory address is the view we are looking for.
Key command: vs
- Command:
vs 0x11827c040
- Given a memory address, this enters an interactive debug mode in which the current view is outlined in red for inspection.
- Results:
(lldb) vs 0x1120f3390
Use the following and (q) to quit.
(w) move to superview // Go to the superview of the current view
(s) move to first subview // Go to the first subview of the current view
(a) move to previous sibling // Go to the previous view among the current view's siblings
(d) move to next sibling // Go to the next view among the current view's siblings
(p) print the hierarchy // Print the hierarchy of the current view
<FixTitleColorButton: 0x1120f3390; baseClass = UIButton; frame = (20 112; 374 47); clipsToBounds = YES; opaque = NO; autoresize = W; layer = <CALayer: 0x1118c0900>>
- Exit vs debug mode with the q command.
Tip
The last three commands are very common in reverse engineering; practice them until they are second nature.
lldb_commands plug-in
Another LLDB plug-in is lldb_commands, at github.com/DerekSeland…
Installation
- Clone or download lldb_commands directly. I keep the folder under /usr/local/Cellar.
- Go to the home directory, open .lldbinit and add the directive:
command script import /usr/local/Cellar/lldb_commands/dslldb.py
Change the path to your own lldb_commands folder.
When the project is paused in LLDB, type search UIView to test whether the configuration succeeded.
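The Chisel setup earlier and the lldb_commands setup here come down to the same two steps: locate the plug-in's entry script (fblldb.py or dslldb.py) and add a command script import line to ~/.lldbinit without adding it twice. The following script is an added example, not code from the article, from Chisel or from lldb_commands; it assumes a Homebrew-style layout under a Cellar directory and self-tests on a constructed copy of that layout in a temporary directory.

```python
"""Added example: register LLDB Python plug-ins (Chisel's fblldb.py, lldb_commands'
dslldb.py) in an .lldbinit file idempotently. Not part of the article or of
either project; the Cellar-style install layout it searches is an assumption."""
import os
import shutil
import tempfile

IMPORT_PREFIX = "command script import "


def find_plugin_scripts(root, filename):
    """Walk an install root (e.g. /usr/local/Cellar) and return every path to
    `filename`, so versioned layouts like chisel/1.8.1/libexec/fblldb.py are found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if filename in files:
            hits.append(os.path.join(dirpath, filename))
    return sorted(hits)


def lldbinit_imports(init_path):
    """Return the script paths already loaded by `command script import` lines."""
    if not os.path.exists(init_path):
        return []
    with open(init_path, encoding="utf-8") as f:
        lines = [line.strip() for line in f]
    return [l[len(IMPORT_PREFIX):].strip() for l in lines if l.startswith(IMPORT_PREFIX)]


def ensure_lldb_import(init_path, script_path):
    """Append `command script import <script_path>` unless it is already present.
    Returns True when the file was modified and False when nothing changed, so the
    script can be re-run safely (for example after a brew upgrade moved the path)."""
    if script_path in lldbinit_imports(init_path):
        return False
    content = ""
    if os.path.exists(init_path):
        with open(init_path, encoding="utf-8") as f:
            content = f.read()
    with open(init_path, "a", encoding="utf-8") as f:
        if content and not content.endswith("\n"):
            f.write("\n")  # keep the new directive on its own line
        f.write(IMPORT_PREFIX + script_path + "\n")
    return True


def demo():
    """Self-test on a constructed Cellar layout in a temp dir (no real install needed)."""
    root = tempfile.mkdtemp()
    try:
        cellar = os.path.join(root, "Cellar")
        for rel in ("chisel/1.8.1/libexec/fblldb.py", "lldb_commands/dslldb.py"):
            path = os.path.join(cellar, *rel.split("/"))
            os.makedirs(os.path.dirname(path))
            open(path, "w").close()  # empty stand-in for the plug-in script
        init = os.path.join(root, ".lldbinit")
        chisel = find_plugin_scripts(cellar, "fblldb.py")[0]
        ds = find_plugin_scripts(cellar, "dslldb.py")[0]
        return {
            "chisel": os.path.relpath(chisel, root),
            "first": ensure_lldb_import(init, chisel),
            "again": ensure_lldb_import(init, chisel),  # second call adds no duplicate
            "ds": ensure_lldb_import(init, ds),
            "imports": [os.path.relpath(p, root) for p in lldbinit_imports(init)],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Real use: call find_plugin_scripts on your Cellar and ensure_lldb_import on
    # ~/.lldbinit, then run `command source ~/.lldbinit` in a live LLDB session.
    print(demo())
```

The check against existing import lines is what makes the script safe to run from a shell profile or a post-install hook: LLDB would otherwise load the same plug-in twice and warn about redefined commands.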
Commonly used commands
methods: quickly locate methods
Find the view controller address and use methods to view all of its instance methods and properties.
Note: breakpoints set by class and method name fail, because the method symbols are not restored in a reversed binary.
Function call stack
Because the symbols are not restored, the bt command shows the following when viewing the call stack.
(How to recover Mach-O symbols with tools will be covered later.)
At this point the sbt command provided by lldb_commands helps restore some symbols so that the method names can be seen.
Mach-O section view
The section command lets us quickly look at which segments and sections a Mach-O image has. Additional arguments narrow it down to specific content of the Mach-O:
# Dump the Mach-O segments of the main executable
(lldb) section
# Dump the Mach-O segments of UIKit
(lldb) section UIKit
# Dump the Mach-O sections of the __TEXT segment of UIKit
(lldb) section UIKit __TEXT
# Get the load address of all the hard-coded uint8_t * strings in the UIKit binary
(lldb) section UIKit __TEXT.__cstring -l
# Get the entitlements for the executable (simulator only, entitlements for actual app in __LINKEDIT)
(lldb) section __TEXT.__entitlements
# Get all the load addresses of the lazy symbol stubs in the main executable
(lldb) section __DATA.__la_symbol_ptr -l
It looks like this, and you can cross-check it with MachOView.
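To see what the section command is actually reading, here is an added Python example, not code from the article or from lldb_commands, that parses the load commands of a 64-bit Mach-O and lists segments and sections in the same __TEXT.__cstring style as section and section <seg>. The constants are the public definitions from mach-o/loader.h; the two-segment image it builds is constructed for the demo (header plus load commands only, no code bytes), so it runs offline. To inspect a real decrypted binary, pass the file's bytes to parse_segments instead.

```python
"""Added example: a minimal 64-bit Mach-O load-command parser listing segments
and sections (the information lldb_commands' `section` prints). Not code from
the article or from lldb_commands; the sample image below is constructed."""
import struct

MH_MAGIC_64 = 0xFEEDFACF      # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
HEADER_SIZE, SEG_CMD_SIZE, SECT_SIZE = 32, 72, 80
# The section type lives in the low byte of the flags field (mach-o/loader.h).
SECTION_TYPES = {0x0: "S_REGULAR", 0x2: "S_CSTRING_LITERALS", 0x7: "S_LAZY_SYMBOL_POINTERS"}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_segments(data):
    """Return [{name, vmaddr, vmsize, fileoff, filesize, sections: [...]}] and
    raise ValueError on a truncated or inconsistent load-command table."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("load commands exceed file size")
    segments, off = [], HEADER_SIZE
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("ncmds exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad load command size")
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEG_CMD_SIZE:
                raise ValueError("short LC_SEGMENT_64")
            (segname, vmaddr, vmsize, fileoff, filesize, _maxprot, _initprot,
             nsects, _sflags) = struct.unpack_from("<16s4Q2i2I", data, off + 8)
            if SEG_CMD_SIZE + SECT_SIZE * nsects > cmdsize:
                raise ValueError("section table exceeds segment command")
            sections = []
            for i in range(nsects):
                (sectname, _seg, addr, size, offset, _align, _reloff, _nreloc,
                 flags, _r1, _r2, _r3) = struct.unpack_from(
                    "<16s16s2Q8I", data, off + SEG_CMD_SIZE + SECT_SIZE * i)
                sections.append({"name": _cstr(sectname), "addr": addr, "size": size,
                                 "offset": offset,
                                 "type": SECTION_TYPES.get(flags & 0xFF, hex(flags & 0xFF))})
            segments.append({"name": _cstr(segname), "vmaddr": vmaddr, "vmsize": vmsize,
                             "fileoff": fileoff, "filesize": filesize, "sections": sections})
        off += cmdsize
    return segments


def list_sections(data, segment=None):
    """'__TEXT.__cstring'-style names, optionally limited to one segment,
    mirroring `section` / `section <seg>` in lldb_commands."""
    return [f"{seg['name']}.{sec['name']}" for seg in parse_segments(data)
            if segment is None or seg["name"] == segment for sec in seg["sections"]]


def is_macho64(data):
    """True when the load-command table parses cleanly, False otherwise."""
    try:
        parse_segments(data)
        return True
    except ValueError:
        return False


# --- constructed sample image: header + two LC_SEGMENT_64 commands, no code bytes ---
def _section(name, seg, addr, size, offset, flags=0):
    return struct.pack("<16s16s2Q8I", name, seg, addr, size, offset, 0, 0, 0, flags, 0, 0, 0)


def _segment(name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, sections):
    body = b"".join(sections)
    return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, SEG_CMD_SIZE + len(body), name, vmaddr,
                       vmsize, fileoff, filesize, maxprot, initprot, len(sections), 0) + body


def build_sample():
    text = _segment(b"__TEXT", 0x100000000, 0x4000, 0, 0x4000, 5, 5, [
        _section(b"__text", b"__TEXT", 0x100001000, 0x200, 0x1000, 0x80000400),
        _section(b"__cstring", b"__TEXT", 0x100002000, 0x40, 0x2000, 0x2),
    ])
    data = _segment(b"__DATA", 0x100004000, 0x4000, 0x4000, 0x4000, 3, 3, [
        _section(b"__la_symbol_ptr", b"__DATA", 0x100004000, 0x20, 0x4000, 0x7),
    ])
    cmds = text + data
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for seg in parse_segments(build_sample()):
        print(f"{seg['name']:<8} vmaddr=0x{seg['vmaddr']:x} size=0x{seg['vmsize']:x}")
        for sec in seg["sections"]:
            print(f"  {seg['name']}.{sec['name']:<16} 0x{sec['addr']:x} {sec['type']}")
```

Every size check before an unpack is deliberate: a dumped or hand-patched binary with a bad sizeofcmds or nsects should produce a ValueError, not an out-of-bounds read into whatever follows, which is also the first thing to harden in any Mach-O tooling you run on untrusted samples. The section types it labels (__cstring as S_CSTRING_LITERALS, __la_symbol_ptr as S_LAZY_SYMBOL_POINTERS) are exactly the ones the section examples above query with -l.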
Cycript
Overview
Cycript is a scripting language developed by Saurik, the founder of Cydia. It is a hybrid interpreter for Objective-C and JavaScript syntax, which means we can use Objective-C, JavaScript, or both in a single command.
It can hook into a running process and modify a great deal at run time.
Go to the official website and click Download SDK to download it.
Installation
- Place the downloaded folder in /opt/ (you can choose your own location).
- Configure the environment variables.
- Note: whether you use zsh or bash decides which resource file to configure (in the home directory: .zshrc or .bash_profile). The author's .zshrc also sources .bash_profile, so the environment variable can be configured in either.
Configuration contents:
- Add the following, changing the path to your own:
export CY=/opt/cycript_0.9.594/
- Append :$CY to your export PATH= line, for example export PATH=$PATH:$CY
Restart iTerm and type cycript to check.
If you run into a Ruby environment error, download the matching version; see /System/Library/Frameworks/Ruby.framework/Versions.
Usage
In a jailbroken environment, the Cycript plug-in can be installed directly from Cydia.
Uploading screenshots from a jailbroken phone is a bit troublesome, so these are photos of the screen; please ignore the quality and look at the content.
In a non-jailbroken environment, you need to inject the iOS framework provided by Cycript into the app. MonkeyDev does this Cycript injection by default and adds a listener on the default port 6666.
This means that for a process re-signed and run with MonkeyDev, port 6666 can be attached to (the code in MonkeyDev can of course define its own port number).
With that said, let's start using it.
- 1. Make sure your PC and phone are on the same LAN (needed for the port connection).
- 2. Run the MonkeyDev re-signing project, or directly open the previously re-signed project; Xcode is not required to run it.
- 3. In the terminal, enter:
cycript -r 192.168.0.116:6666
- Change the IP address to your own phone's.
- Also, do not put the application in the background, which prevents attaching.
Congratulations, you're good to go!
Tips
Use the TAB key to auto-complete code.
UIWindow.keyWindow()
Shows the current window.
UIApplication sharedApplication
Command: [UIApplication sharedApplication] can be abbreviated to UIApp.
Custom variables
Command: declare an object with var, and then use it.
Note also that such a variable persists as long as the app process is alive.
# + address can be used directly
An object's address, prefixed with #, can call the object's methods directly.
View the view hierarchy
UIWindow.keyWindow().recursiveDescription().toString()
For example, if the registration page has a label whose .text is +86, fetch its memory address.
Command:
#0x10b95d800.text = "hhh"
Look at the result on screen.
Using this direct modification of process memory, you can go and play. For example, after logging in, change the wallet balance, then change a frame, and practise.
The results of the following commands are not all shown, since the article would become too long to read; try them yourself.
Get all controls of a type on the page
choose(UIButton)
choose(UILabel)
Hide/show the status bar
[UIApp setStatusBarHidden:YES]
App icon badge
[UIApp setApplicationIconBadgeNumber:99]
Get the Bundle ID
APPID result:
@"com.libin.LBMonkeyApp"
Page hierarchy
pviews()
pvcs()
Get the button's target and action from the button address
pactions(#0x10b29da40)
Result:
"<WCAccountRegisterViewController: 0x10b9d9800> onAgreementCheckBoxClick:"
Get the responder chain from the button address
rp(#0x10b29da40)
Exit Cycript debug mode
control + d
Note:
pviews/pvcs/pactions/rp are commands that MonkeyDev packages via mdconfig.plist from its custom cy sources. This means these commands are not available in the original Cycript plug-in in jailbroken environments.
So when we have nothing else to do, let's write a cy source of our own and play with it.
Custom CY directives
- Create a new empty file in the main MonkeyDev project target; I call it lb.cy.
- In Build Phases – Copy Files, add this file.
- In the empty file, add the commands you want to define. You can refer to the two cy sources originally supplied with MonkeyDev: raw.githubusercontent.com/AloneMonkey…
Here I have written some commands I use often, such as getting APPID/APPPATH, the current view and the current page. They are posted below for reference, or you can use them directly.
- Rerun the project.
- Enter our custom command, for example: LBCurrentVC()
- No command is found, because we have not imported it yet; MonkeyDev's two built-in sources are imported automatically in the config.
- @import lb
- Type LBCurrentVC() again to get the result.
// IIFE: a self-executing anonymous function; the names assigned inside become the commands
(function(exports) {
    APPID = [NSBundle mainBundle].bundleIdentifier;
    APPPATH = [NSBundle mainBundle].bundlePath; // assumed: bundlePath (the app's install path)
    // Functions to define
    LBRootvc = function() {
        return UIApp.keyWindow.rootViewController;
    };
    LBKeyWindow = function() {
        return UIApp.keyWindow;
    };
    // Walk down from the root controller through presented, tab bar and navigation controllers
    LBGetCurrentVCFromRootVc = function(rootVC) {
        var currentVC;
        if ([rootVC presentedViewController]) {
            rootVC = [rootVC presentedViewController];
        }
        if ([rootVC isKindOfClass:[UITabBarController class]]) {
            currentVC = LBGetCurrentVCFromRootVc(rootVC.selectedViewController);
        } else if ([rootVC isKindOfClass:[UINavigationController class]]) {
            currentVC = LBGetCurrentVCFromRootVc(rootVC.visibleViewController);
        } else {
            currentVC = rootVC;
        }
        return currentVC;
    };
    LBCurrentVC = function() {
        return LBGetCurrentVCFromRootVc(LBRootvc());
    };
})(exports);
Tips
- When using a control/object memory address in Cycript, pay attention to its life cycle. For example, if you use a label's memory address while debugging a page, then leave the page and re-enter it, the previous memory address is no longer valid. Don't forget that.
- Cycript requires connecting over the LAN every time, and there may be other initialization actions we want to customize; we can write them into a script and wire it into the zsh/bash environment. Play around with it and discuss any questions you have.
- View Debug and the Cycript debug interface are very commonly used tools in reverse engineering, so hopefully you become familiar with these techniques.