前言
逆向开发的流程:静态分析结合动态调试来实现特定功能的tweak
利用Hopper、class-dump、ios-ssl-kill-switch、Keychain-Dumper、MachOParser进行静态分析;使用CycriptTricks(Powerful private methods)、UIButton的sendActionsForControlEvents、DerekSelander LLDB(Python scripts to aid in your debugging sessions)、frida 进行动态调试分析;采用Theos、MonkeyDev进行开发调试iphone/tool、iphone/tweak。
I、Frida
Frida是一款基于python + javascript 的hook框架,通杀android\ios\linux\win\osx各平台。Frida原理是手机端安装一个server程序把手机端的端口转到PC端写的python脚本进行通信,而python脚本中采用javascript语言编写hook代码。
1.1 install frida on device
Start Cydia and add Frida's repository by navigating to Manage -> Sources -> Edit -> Add and entering https://build.frida.re
- apt-get update
-rwxr-xr-x 1 root wheel 11292672 Dec 14 00:54 /usr/sbin/frida-server* -rw-r--r-- 1 root wheel 779 Dec 14 00:54 /Library/LaunchDaemons/re.frida.server.plist
1.2 install frida on mac
安装 pip, pip是python的包管理工具
$ sudo easy_install pip安装 :$ sudo -H pip install frida升级 frida:$ sudo pip install --upgrade frida --ignore-installed six通过USB连接设备,确保Frida正常工作
-U, --usb connect to USB device -a, --applications list only applications -i, --installed include all installed applications
$ frida-ps -Uai PID Name Identifier --- ------------ --------------------------- 904 Cydia com.saurik.Cydia 856 微信 com.tencent.xin 858 邮件 com.apple.mobilemail App Store com.apple.AppStore
1.3 debug
pdb.py can be invoked as a script to debug other scripts.
$ python -m pdb ./dump.py 微信 > /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(7)<module>() -> import sys
pdb 常用命令:
(Pdb) h Documented commands (type help <topic>): ======================================== EOF bt cont enable jump pp run unt a c continue exit l q s until alias cl d h list quit step up args clear debug help n r tbreak w b commands disable ignore next restart u whatis break condition down j p return unalias where
break 或b : 设置断点 设置断点
continue或c: 继续执行程序
list 或l : 查看当前行的代码段
step 或s : 进入函数
return 或r : 执行代码直到从当前函数返回
exit 或 q : 中止并退出
next 或 n : 执行下一行
pp : 打印变量的值
(Pdb) pp os.getcwd() '/Users/devzkn/Downloads/kevin\xef\xbc\x8dsoftware/ios-Reverse_Engineering/frida-ios-dump-master'
打印汉字
(Pdb) print sys.argv ['./dump.py', '\xe5\xbe\xae\xe4\xbf\xa1'] (Pdb) print sys.argv[1] 微信
1.4 利用frida进行dump
frida-ios-dump :https://github.com/zhangkn/frida-ios-dump
- 安装上面步骤install frida on device and mac
- 使用usbmuxd 进行端口转发 本地端口2222 转发到iOS的22端口
- 执行dump.py
devzkndeMacBook-Pro:bin devzkn$ frida-ps -Uai PID Name Identifier ---- ------------ --------------------------- 1314 App Store com.apple.AppStore 2151 微信 com.tencent.xin 2183 淘宝联盟 com.alimama.moon 1309 设置 com.apple.Preferences
必须在dump.py 所在的目录下执行。即使使用ln -l 也会失败。
devzkndeMacBook-Pro:frida-ios-dump-master devzkn$ ./dump.py 驱蚊大咖 open target app...... start dump target app......
II 常见问题
2.1 Operation not permitted
Operation not permitted: /var/folders/6t/h404bjcd5tb_4q86tpv_251rv_0h0j/T/pip-sYsqDS-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info
This is because OS X El Capitan ships with six 1.4.1 installed already and when it attempts to uninstall it (because awscli depends on botocore, botocore depends on python-dateutil, and python-dateutil depends on six >= 1.5) it doesn't have permission to do so because System Integrity Protection doesn't allow even root to modify those directories.
$ sudo -H pip install --ignore-installed six检测frida-server 没有启动
iPhone:/usr/sbin root# killall SpringBoard iPhone:/usr/sbin root# ps -e |grep frida-server 2290 ttys000 0:00.01 grep frida-server
2.1 frida Failed to spawn 的替代方案
1、先使用frida-ps -Uai 查看PID 2、使用 frida -p attach
$ frida -U -p 1262 ____ / _ | Frida 10.6.27 - A world-class dynamic instrumentation framework | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ [iPhone::PID::1262]->
2.3 使用中文路径导致frida-ios-dump 失败
具体的问题分析过程
创建目录命名最好使用英文,否则脚本不支持中文路径的话,就容易出问题;比如frida-ios-dump就不支持存储路径是中文的。