The general idea of reversing an App

UI analysis

Cycript, Reveal;

Code analysis

The code lives in a Mach-O file, so the Mach-O file is analyzed statically;

MachOView, class-dump, Hopper Disassembler, IDA;

Dynamic debugging

Debugging the code of the running App

debugserver, LLDB;

Code injection

Inject code into the App

If necessary, re-sign and repackage the IPA.

MonkeyDev installation and use

A non-jailbreak plug-in development integration tool

The installation

MonkeyDev download: github.com/AloneMonkey…

Installation steps:

Official documentation address: github.com/AloneMonkey…

Usage

1. Click File - New - Project… to create an iOS project and select the MonkeyApp template.

Once created, the project looks like this;

MonkeyTestAppDylib is the dynamic library that will be injected into the target App. You write your own hook code in the MonkeyTestAppDylib.m file; Objective-C runtime hooks and C-function hooks via fishhook are both supported. AntiAntiDebug is the anti-anti-debugging code.

Fishhook is the automatically integrated fishhook module. Frameworks: MonkeyDev already integrates RevealServer.framework and libcycript.dylib automatically; they are not integrated when you build with the Release configuration.

2. Prepare the decrypted (shell-stripped) IPA file, then right-click the TargetApp folder in the project, choose Show in Finder, and drag the IPA file into that location. Do not delete the "put ipa or app here" file in the TargetApp folder.

3. Things to watch out for

Running on Xcode 12 produces two errors:

1. Dynamic library code-signing error

Solution: set CODE_SIGNING_ALLOWED to NO under TARGETS - Build Settings.

2. ld: file not found: /usr/lib/libstdc++

Solution:

Remove -weak_library /usr/lib/libstdc++.dylib from Other Linker Flags in the Build Settings of MonkeyTestAppDylib.

Reveal installation and use

Reveal is a powerful UI analysis tool. Its UI analysis is very intuitive, and it makes it easy to inspect the UI layout of an App.

Installation

To integrate with MonkeyDev, open Reveal, choose Help - Show Reveal Library in Finder - iOS Library, copy RevealServer.framework, and replace the RevealServer.framework in /opt/MonkeyDev/Frameworks with it.

Usage

Run the MonkeyDev project on a real device. After the program starts, open Reveal, select USB mode, click the App's icon, and the UI analysis page opens.

class-dump installation and usage

class-dump is mainly used to extract header information from Mach-O files and generate .h files. By analyzing the generated.

Installation

class-dump download address: stevenygard.com/projects/cl…

Download the DMG version of class-dump: class-dump-3.5.dmg

Installation steps:

1. Open the terminal and enter: open /usr/local/bin

2. Copy the class-dump file from the DMG to /usr/local/bin

3. sudo chmod 777 /usr/local/bin/class-dump

Usage

To export the header files from a terminal, run the following command (-H writes one .h file per class, -o sets the output directory):

class-dump -H iQiYiPhoneVideo -o IQIY

For help, enter class-dump --help in the terminal.

Hopper Disassembler introduction

Hopper Disassembler for Mac is a powerful Mac disassembler that can disassemble, decompile and debug applications. It also supports iOS reversing, decompiling the machine code in Mach-O files into assembly code or Objective-C/Swift pseudocode. Hopper Disassembler supports disassembly of Mach-O, ARM and Windows binaries and is a great tool for programmers who disassemble code for debugging or learning.

Download Hopper Disassembler from www.hopperapp.com/

Cycript installation and environment configuration

Cycript is a mashup of Objective-C++, ES6 (JavaScript), Java, etc. You can use Cycript to dynamically debug your App.

Installation

Cycript can be downloaded from www.cycript.org/

Cycript official learning document: www.cycript.org/manual/

Download the Cycript SDK, unzip it and put it in /opt.

Configuring environment variables

Open the terminal and enter: open -e ~/.bash_profile

Add the Cycript path to the opened .bash_profile file: export PATH=/opt/cycript_0.9.594/:$PATH

Problems encountered during installation

1. Cycript depends on the older Ruby 2.0 framework.

dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
  Referenced from: /opt/cycript_0.9.594/./Cycript.lib/cycript-apl
  Reason: image not found
zsh: abort      ./cycript -r 10.19.80.176:6666

Solution

Copy libruby.2.4.10.dylib into /opt/cycript_0.9.594/Cycript.lib/

Usage

1. Change into the cycript_0.9.594 directory: cd /opt/cycript_0.9.594

2. Connect to the IP address of the real device on the same LAN: ./cycript -r 10.19.80.176:6666

Press Enter; a cy# prompt indicates a successful connection.

The IP address to connect to is also printed in the App's log:

Download cycript (cydia.saurik.com/api/latest/…) then run: ./cycript -r 10.19.80.176:6666

3. Press Control+D to exit.

At the cy# prompt, type: [[UIApp keyWindow] recursiveDescription].toString()

This prints the overall layout structure of the UI.

Find the root view controller:

cy# UIApp.keyWindow.rootViewController

#"<RootViewController: 0x141150400>"

Print all instance variables of an object by dereferencing it (*object):

cy# *UIApp.keyWindow.rootViewController

Filter live objects by class with choose():

choose(UIViewController)
choose(UITableViewCell)

Problems encountered in use

*** _syscall(connect(socket_, info->ai_addr, info->ai_addrlen)):../Console.cpp(306):CYSocketRemote [errno=61]

errno 61 is ECONNREFUSED: nothing is listening on the port cycript tried. Change the value of PORT in MDCycriptManager.h (for example from #define PORT 6666 to #define PORT 6688) and reconnect using the new port.

Code injection Examples

// Logos tweak placed in MonkeyTestAppDylib.m
#import <UIKit/UIKit.h>
#import <substrate.h>   // MSHookIvar

// Forward declaration so the compiler knows the target class
@interface MyViewController : UIViewController
@end

%hook MyViewController

// Replaces the original method entirely (no %orig call)
- (void)showLoginPopup {
    NSLog(@"hook showLoginPopup method");
    UIAlertView *alertView = [[UIAlertView alloc] initWithTitle:@" "
                                                        message:@"My first tweak project created successfully"
                                                       delegate:self
                                              cancelButtonTitle:@"confirm"
                                              otherButtonTitles:@"cancel", nil];
    [alertView show];
    // Reach into the private _tableView ivar and recolor it
    UITableView *p = MSHookIvar<UITableView *>(self, "_tableView");
    p.backgroundColor = [UIColor purpleColor];
}

// Runs the original implementation first, then adds an alert
- (void)toLogin {
    %orig;
    UIAlertView *alertView = [[UIAlertView alloc] initWithTitle:@"warm prompt"
                                                        message:@"you came here 😏😄😂👍 port notification"
                                                       delegate:self
                                              cancelButtonTitle:@"confirm"
                                              otherButtonTitles:@"cancel", nil];
    [alertView show];
}

%end
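The defensive counterpart to the injection shown above, added here as an example and not code from the page or from MonkeyDev: a runtime check that flags the image names this workflow loads into the App (libcycript, RevealServer, the MonkeyTestAppDylib tweak) and a set DYLD_INSERT_LIBRARIES. The marker list and the sample image paths are constructed assumptions; the dyld calls only compile on Apple platforms.

```c
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>   /* _dyld_image_count / _dyld_get_image_name */
#endif

/* Image-name fragments that the MonkeyDev workflow on this page loads into
   the target App (assumed list for illustration, not an exhaustive set). */
static const char *const kInjectedMarkers[] = {
    "libcycript",          /* Cycript runtime, loaded in Debug builds */
    "RevealServer",        /* RevealServer.framework */
    "MonkeyTestAppDylib",  /* the tweak dylib from the MonkeyApp template */
};
#define N_MARKERS (sizeof kInjectedMarkers / sizeof *kInjectedMarkers)

/* Count loaded image paths that contain a known injection marker. */
size_t count_injected_images(const char *const *paths, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t m = 0; m < N_MARKERS; m++)
            if (strstr(paths[i], kInjectedMarkers[m]) != NULL) { hits++; break; }
    return hits;
}

/* A non-empty DYLD_INSERT_LIBRARIES is the classic non-jailbreak injection
   vector; the value is passed in so the check is testable off-device. */
int insert_libraries_set(const char *value) {
    return value != NULL && value[0] != '\0';
}

/* Constructed sample image list, as a MonkeyDev Debug build might show. */
const char *const kSampleImages[] = {
    "/usr/lib/libSystem.B.dylib",
    "/var/containers/Bundle/Application/X/Target.app/Target",
    "/var/containers/Bundle/Application/X/Target.app/Frameworks/RevealServer.framework/RevealServer",
    "/var/containers/Bundle/Application/X/Target.app/Frameworks/libcycript.dylib",
};
const size_t kSampleImageCount = sizeof kSampleImages / sizeof *kSampleImages;

int main(void) {
    printf("sample: %zu injected image(s)\n",
           count_injected_images(kSampleImages, kSampleImageCount));
#ifdef __APPLE__
    /* On a real device, walk dyld's own image list instead of the sample. */
    const char *live[512];
    uint32_t n = _dyld_image_count() > 512 ? 512 : _dyld_image_count();
    for (uint32_t i = 0; i < n; i++) live[i] = _dyld_get_image_name(i);
    printf("live: %zu injected image(s)\n", count_injected_images(live, n));
#endif
    return 0;
}
```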

Conclusion

iOS reversing has pitfalls and surprises. It requires understanding and using many tools, reading assembly language, being familiar with various scripting languages, and having a deeper understanding of the underlying system. Reversing in a jailbroken environment offers more freedom, but reversing in a non-jailbroken environment is still full of challenges. Reverse-engineering someone else's App is also a reminder that the security of the core code in our own development projects matters, so that it is not leaked.