前言
逆向开发的流程:静态分析结合动态调试来实现特定功能的tweak
利用Hopper、class-dump、ios-ssl-kill-switch、Keychain-Dumper、MachOParser进行静态分析;使用CycriptTricks(Powerful private methods)、hookClass_knhook_hookClassLog、UIButton的sendActionsForControlEvents:、DerekSelander LLDB(Python scripts to aid in your debugging sessions)、frida 进行动态调试分析;采用Theos、MonkeyDev进行开发调试iphone/tool、iphone/tweak。
I、Frida
Frida是一款基于python + javascript 的hook框架,通杀android\ios\linux\win\osx各平台。Frida原理是手机端安装一个server程序把手机端的端口转到PC端写的python脚本进行通信,而python脚本中采用javascript语言编写hook代码。
1.1 install frida on device
Start Cydia and add Frida's repository by navigating to Manage -> Sources -> Edit -> Add and entering build.frida.re
- apt-get update
-rwxr-xr-x 1 root wheel 11292672 Dec 14 00:54 /usr/sbin/frida-server*
-rw-r--r-- 1 root wheel 779 Dec 14 00:54
1.2 install frida on mac
安装 pip, pip是python的包管理工具
$ sudo easy_install pip
安装 : $ sudo -H pip install frida
升级 frida:$ sudo pip install --upgrade frida --ignore-installed six
通过USB连接设备,确保Frida正常工作
-U, --usb connect to USB device
-a, --applications list only applications -i, --installed include all installed applications
$ frida-ps -Uai
PID Name Identifier
--- ------------ ---------------------------
904 Cydia com.saurik.Cydia
856 微信 com.tencent.xin
858
1.3 debug
pdb.py can be invoked as a script to debug other scripts.
$ python -m pdb ./dump.py 微信
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(7)<module>()
-> import sys
pdb 常用命令:
(Pdb) h
Documented commands (type help <topic>):
========================================
EOF bt cont enable jump pp run unt
a c continue exit l q s until
alias cl d h list quit step up
args clear debug help n r tbreak w
b commands disable ignore next restart u whatis
break condition down j p return
break 或b : 设置断点 设置断点
continue或c: 继续执行程序
list 或l : 查看当前行的代码段
step 或s : 进入函数
return 或r : 执行代码直到从当前函数返回
exit 或 q : 中止并退出
next 或 n : 执行下一行
pp : 打印变量的值
(Pdb) pp os.getcwd()
'/Users/devzkn/Downloads/kevin\xef\xbc\x8dsoftware/ios-Reverse_Engineering/frida-ios-dump-master'
打印汉字
(Pdb) print sys.argv
['./dump.py', '\xe5\xbe\xae\xe4\xbf\xa1']
(Pdb) print sys.argv[1]
微信
1.4 利用frida进行dump
frida-ios-dump :github.com/zhangkn/fri…
- 安装上面步骤install frida on device and mac
- 使用usbmuxd 进行端口转发 本地端口2222 转发到iOS的22端口
- 执行dump.py
devzkndeMacBook-Pro:bin devzkn$ frida-ps -Uai
PID Name Identifier
---- ------------ ---------------------------
1314 App Store com.apple.AppStore
2151 微信 com.tencent.xin
2183 淘宝联盟 com.alimama.moon
1309
必须在dump.py 所在的目录下执行。即使使用ln -l 也会失败。
devzkndeMacBook-Pro:frida-ios-dump-master devzkn$ ./dump.py 驱蚊大咖
open target app......
start dump target app......
II 常见问题
2.1 Operation not permitted
Operation not permitted: /var/folders/6t/h404bjcd5tb_4q86tpv_251rv_0h0j/T/pip-sYsqDS-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info
This is because OS X El Capitan ships with six 1.4.1 installed already and when it attempts to uninstall it (because awscli depends on botocore, botocore depends on python-dateutil, and python-dateutil depends on six >= 1.5) it doesn't have permission to do so because System Integrity Protection doesn't allow even root to modify those directories.
$ sudo -H pip install --ignore-installed six
检测frida-server 没有启动
iPhone:/usr/sbin root# killall SpringBoard
iPhone:/usr/sbin root# ps -e |grep frida-server
2290 ttys000 0:00.01
2.1 frida Failed to spawn 的替代方案
1、先使用frida-ps -Uai 查看PID 2、使用 frida -p attach
$ frida -U -p 1262
____
/ _ | Frida 10.6.27 - A world-class dynamic instrumentation framework
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at http://www.frida.re/docs/home/
[iPhone::PID::1262]->
2.3 使用中文路径导致frida-ios-dump 失败
具体的问题分析过程
(Pdb) l
108 script = loadJsFile(session, APP_JS);
109 name = target.decode('utf8');
110 script.post(name);
111 opened.wait();
112 session.detach();
113 -> createDir(os.getcwd()+"/"+OUTPUT)
114 print "start dump target app......"
115 session = device.attach(name);
116 script = loadJsFile(session, DUMP_JS);
117 script.post("dump");
118 finished.wait();
(Pdb) s
--Return--
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(113)main()->None
-> createDir(os.getcwd()+"/"+OUTPUT)
(Pdb) l
108 script = loadJsFile(session, APP_JS);
109 name = target.decode('utf8');
110 script.post(name);
111 opened.wait();
112 session.detach();
113 -> createDir(os.getcwd()+"/"+OUTPUT)
114 print "start dump target app......"
115 session = device.attach(name);
116 script = loadJsFile(session, DUMP_JS);
117 script.post("dump");
118 finished.wait();
(Pdb) s
UnicodeDecodeError: UnicodeD...ge(128)')
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(127)<module>()
-> main(sys.argv[1])
(Pdb) l
122 if len(sys.argv) < 2:
123 print "usage: ./dump.py 微信"
124 sys.exit(0)
125 else:
126 try:
127 -> main(sys.argv[1])
128 except KeyboardInterrupt:
129 if session:
130 session.detach()
131 sys.exit()
132 except:
(Pdb) s
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(128)<module>()
-> except KeyboardInterrupt:
(Pdb) pp UnicodeDecodeError
<type 'exceptions.UnicodeDecodeError'>
创建目录命名最好使用英文,否则脚本不支持中文路径的话,就容易出问题;比如frida-ios-dump就不支持存储路径是中文的。
