先说说为什么要分析应用吧,如果你想从一个ios应用中获取有用的信息,或者你想修改该应用的一些功能,前提当然是要先知道该app的逻辑和结构了。
动态分享工具比较少,我们先分析个简单的,全民工具Cycript
-
Cycript
http://iphonedevwiki.net/index.php/Cycript
cycript是一个脚本语言,大家都说可以看做Objective-JavaScript,形容的非常贴切。Cycript在Cydia自带源Cydia/Telesphoreo中就有,安装完以后用ssh登陆ios设备
|
1
|
ssh root@192.168.1.152 |
驱动你要分析的应用,查看PID,这里就拿自动启动的桌面SpringBoard做例子好了
|
1
2
|
ps aux | grep SpringBoardmobile 1514 0.7 10.6 577300 54720 ?? Ss 3:46PM 1:19.28 /System/Library/CoreServices/SpringBoard.app/SpringBoard |
找到PID(1514)后,用Cycript勾上应用
|
1
2
|
cycript -p 1514 cycript -p SpringBoard |
上面两句都可以勾上应用,勾上以后你就可以为所欲为了,先弹个窗口吧
|
1
2
3
|
cy# var alert = [[UIAlertView alloc] initWithTitle:@"asd" message:nil delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil];#"<UIAlertView: 0x19c200f0; frame = (0 0; 0 0); opaque = NO; layer = <CALayer: 0x19c8e730>>"cy# [alert show] |
可以看到,凡是赋值出来的数据,cycript都会打印出信息来。在截个屏吧,这时候你会想,截屏怎么调呢。。。。这也难倒我了,这样我们先用静态工具class-dump导出头文件来,然后搜索shot,哈哈,出来了
|
1
2
3
|
cy# var shot = [SBScreenShotter sharedInstance]#"<SBScreenShotter: 0x19ccda20>"cy# [shot saveScreenshot:YES] |
Ctrl+D 退出
2.GDB
cycript功能强大,语法类似oc,非常好用,但是就是有有一个致命缺点,就是不能断点,无法停留在具体位置查看结果,这时候GDB就出来了,当然GDB早就出来了,GDB是强大的调试工具,怎么用GDB调试ios应用呢
GDB全名the GNU Project Debugger在cydia(数据源http://cydia.radare.org)中可以下到 .
-
GDB勾上应用,做法跟Cycript是一样的,可以通过PID,也可以使用应用名
|
1
2
|
gdb -p SpringBoardgdb -p 1514 |
或者可以先调用gdb ,后使用attach勾上应用也是一样的,取消勾使用detach
2. 断点break
|
1
2
|
b -[SpringBoard menuButtonDown:]b *(0xc41e) |
b断点可以断在函数上(但不是每次都能成功),也可以直接断在内存地址上,大家会问我怎么知道函数的内存地址是多少呢,这时候就请查看IDA吧
由于ASLR的原因,一般在IDA中获得的内存地址是不准确的,因为每次运行程序,内存地址都会有一定的偏移,在GDB中使用info sh获得偏移地址
|
1
2
3
4
5
|
gdb$ info shThe DYLD shared library state has not yet been initialized. Requested State Current StateNum Basename Type Address Reason | | Source | | | | | | | | |
你妹啊,什么都没有!!!!!!(OK,就此打住)
于是我找到了SpringBoard应用的目录文件,用file 命令导入
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
yuchenghaide-iPod:~ root# ps aux | grep SpringBoradroot 1915 0.0 0.1 338564 520 s000 S+ 11:02AM 0:00.01 grep SpringBoradyuchenghaide-iPod:~ root# ps aux | grep SpringBoardmobile 1514 0.0 11.3 588168 58320 ?? Ss 3:46PM 1:39.55 /System/Library/CoreServices/SpringBoard.app/SpringBoardroot 1917 0.0 0.1 338608 512 s000 S+ 11:02AM 0:00.01 grep SpringBoardroot 1877 0.0 0.4 349304 2124 s000 S 10:18AM 0:00.29 cycript -p SpringBoardyuchenghaide-iPod:~ root# cd /System/Library/CoreServices/SpringBoard.app/yuchenghaide-iPod:/System/Library/CoreServices/SpringBoard.app root# gdbGNU gdb 6.3.50.20050815-cvs (Fri May 20 08:08:42 UTC 2011)Copyright 2004 Free Software Foundation, Inc.GDB is free software, covered by the GNU General Public License, and you arewelcome to change it and/or distribute copies of it under certain conditions.Type "show copying" to see the conditions.There is absolutely no warranty for GDB. Type "show warranty" for details.This GDB was configured as "--host=arm-apple-darwin9 --target=".gdb$ file SpringBoardunable to read unknown load command 0x80000028Reading symbols for shared libraries .. doneunable to read unknown load command 0x80000028gdb$ attach SpringBoardAttaching to program: `/System/Library/CoreServices/SpringBoard.app/SpringBoard', process 1514.0x3877aa58 in ?? ()Error while running hook_stop:Invalid type combination in equality test.gdb$ info shThe DYLD shared library state has been initialized from the executable's shared library information. All symbols should be present, but the addresses of some symbols may move when the program is executed, as DYLD may relocate library load addresses if necessary. Requested State Current StateNum Basename Type Address Reason | | Source | | | | | | | | 1 SpringBoard - - exec Y Y /System/Library/CoreServices/SpringBoard.app/SpringBoard (offset 0x0) 2 dyld - - init Y Y /usr/lib/dyld at 0x2be00000 with prefix "__dyld_" 3 StoreServices F - init Y ! /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices 4 AirTraffic F - init Y ! /System/Library/PrivateFrameworks/AirTraffic.framework/AirTraffic 5 IOSurface F - init Y ! /System/Library/PrivateFrameworks/IOSurface.framework/IOSurface 6 MultitouchSupport F - init Y ! /System/Library/PrivateFrameworks/MultitouchSupport.framework/MultitouchSupport 7 MobileWiFi F - init Y ! /System/Library/PrivateFrameworks/MobileWiFi.framework/MobileWiFi 8 libIOAccessoryManager.dylib - - init Y ! /usr/lib/libIOAccessoryManager.dylib 9 IOMobileFramebuffer F - init Y ! /System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer 10 CoreSurface F - init Y ! /System/Library/PrivateFrameworks/CoreSurface.framework/CoreSurface 11 BluetoothManager F - init Y ! /System/Library/PrivateFrameworks/BluetoothManager.framework/BluetoothManager 12 CrashReporterSupport F - init Y ! /System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport 13 EAP8021X F - init Y ! /System/Library/PrivateFrameworks/EAP8021X.framework/EAP8021X 14 libmis.dylib - - init Y Y /usr/lib/libmis.dylib at 0xa3e000 (offset -0xff5c2000) |
你妹!offset = 0x0 ,这怎么回事!难倒真的是0吗?我试了一下
|
1
2
3
4
5
6
7
8
|
gdb$ b -[SpringBoard menuButtonDown:]Function "-[SpringBoard menuButtonDown:]" not defined.gdb$ b *(0xc41e)Breakpoint 1 at 0xc41egdb$ info bNum Type Disp Enb Address What1 breakpoint keep y 0x0000c41e <_mh_execute_header+46110>gdb$ c |
info b是打印出所有的断点,删除断点可以使用d 断点编号
c 表示继续程序,按home键-结果断点根本没有断下来。好吧,打住,GDB的命令大家可以到网上随意查询!
经过《ios应用逆向工程》作者之一snakeninny的解答,终于了解到在ios7.x之后gdb可能被舍弃了,代替它的是lldb
关于lldb的使用方法: http://bbs.iosre.com/forum.php?mod=viewthread&tid=52
总结:
恩,下节为大家分享lldb的具体使用,另外值得一提的是xcode调试工具就是lldb,所有学会使用lldb是非常重要的。
另外,假设我们在不断的努力下找到了我们想要的逻辑,我们应该怎么攻击或修改它呢。嘿嘿,还是等下回分解吧。
慢慢来!少年!