靜態(tài)分析可執(zhí)行文件的frameworks
通過以下命令可以查看需要鏈接的動態(tài)庫:
? ~ otool -L /path/to/YourApp.app/YourApp
/path/to/YourApp.app/YourApp:
/System/Library/Frameworks/CallKit.framework/CallKit (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Social.framework/Social (compatibility version 1.0.0, current version 87.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.55.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.dylib (compatibility version 1.0.0, current version 1238.50.2)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.7.47)
注意這兩個目錄:/System/Library/Frameworks和/usr/lib/轨香。
通過以下命令查看可執(zhí)行文件的所有load command:
? ~ otool -l /path/to/YourApp.app/YourApp
...
(內容太多潭苞,省去一部分)
Load command 12
cmd LC_LOAD_WEAK_DYLIB
cmdsize 80
name /System/Library/Frameworks/CallKit.framework/CallKit (offset 24)
time stamp 2 Thu Jan 1 08:00:02 1970
current version 1.0.0
compatibility version 1.0.0
Load command 13
cmd LC_LOAD_DYLIB
cmdsize 80
name /System/Library/Frameworks/Social.framework/Social (offset 24)
time stamp 2 Thu Jan 1 08:00:02 1970
current version 87.0.0
compatibility version 1.0.0
注意到,LC_LOAD_WEAK_DYLIB對應的是optional framework谋竖,LC_LOAD_DYLIB對應的是required framework。
修改load command
其實MacOS已經提供了修改load command的工具叫install_name_tool:
install_name_tool \
-change /System/Library/Frameworks/CallKit.framework/CallKit /System/Library/Frameworks/NotificationCenter.framework/NotificationCenter \
/path/to/YourApp.app/YourApp
# 用otool來驗證修改成功與否
? ~ otool -L /path/to/YourApp.app/YourApp
/path/to/YourApp.app/YourApp:
/System/Library/Frameworks/NotificationCenter.framework/NotificationCenter (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Social.framework/Social (compatibility version 1.0.0, current version 87.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.55.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.dylib (compatibility version 1.0.0, current version 1238.50.2)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.7.47)
運行時加載動態(tài)庫
添加這樣一個命令到你的~/.lldbinit文件中:
command regex ls 's/(.+)/po @import Foundation; [[NSFileManager defaultManager] contentsOfDirectoryAtPath:@"%1" error:nil]/'
如果你的lldb已經運行,重新加載init文件:
(lldb) command source ~/.lldbinit
體驗下這個命令:
(lldb) image list -d UIKit
[ 0] /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/UIKit.framework
(lldb) ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/
<__NSArrayM 0x610000240270>(
Accelerate.framework,
Accounts.framework,
AddressBook.framework,
AddressBookUI.framework,
AdSupport.framework,
...(此處省略內容)
WatchKit.framework,
WebKit.framework
)
根據列出的framework范咨,嘗試加載Speechframework進來到app的進程空間:
(lldb) process load /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/Speech.framework/Speech
Loading "/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/Speech.framework/Speech"...ok
Image 0 loaded.
其實很有更酷的刹碾。dyld如果找不到framework會搜索一些目錄燥撞,你不需要指定framework的完整路徑:
(lldb) process load MessageUI.framework/MessageUI
完美!
探索frameworks
逆向的一個基礎是探索動態(tài)庫迷帜。雖然一個動態(tài)庫被編譯成一個位置不相關position independent的可執(zhí)行文件物舒,即使編譯器將debugging symbols去除了你,仍然可以獲取到關于這個動態(tài)庫的大量的信息戏锹。二進制需要位置不相關的代碼是因為當dyld完成它的事情后冠胯,編譯器并不知道代碼會存在內存的哪個位置。
清楚的了解一個應用如何和一個framework交互景用,同樣也會幫助你探究app是如何工作的涵叮。舉個栗子,如果一個stripped了的app(即去除了調試信息)使用了一個UITableView伞插,我們可以在UIKit的特定方法里設置斷點來判斷哪些代碼是與UITableViewDataSource相關的割粮。
添加這樣一個命令到你的~/.lldbinit文件中:
command regex dump_stuff "s/(.+)/image lookup -rn '\+\[\w+(\(\w+\))?\ \w+\]$' %1 /"
它接受一個或多個framework作為輸入,導出所有的沒有參數的oc方法(類方法)
可以嘗試一下:
(lldb) dump_stuff Social
71 matches found in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/Social.framework/Social:
Address: Social[0x00000000000019a4] (Social.__TEXT.__text + 0)
Summary: Social`+[SLInternalComposeServiceHostContext _extensionAuxiliaryVendorProtocol] Address: Social[0x0000000000001a10] (Social.__TEXT.__text + 108)
Summary: Social`+[SLInternalComposeServiceHostContext _extensionAuxiliaryHostProtocol] Address: Social[0x0000000000001b97] (Social.__TEXT.__text + 499)
Summary: Social`+[SLInternalComposeServiceVendorContext _extensionAuxiliaryVendorProtocol] Address: Social[0x0000000000001c03] (Social.__TEXT.__text + 607)
Summary: Social`+[SLInternalComposeServiceVendorContext _extensionAuxiliaryHostProtocol] Address: Social[0x0000000000005f85] (Social.__TEXT.__text + 17889)
Summary: Social`+[SLService allServices] Address: Social[0x000000000000c4b4] (Social.__TEXT.__text + 43792)
Summary: Social`+[SLWeiboSession _remoteInterface] Address: Social[0x000000000000c804] (Social.__TEXT.__text + 44640)
Summary: Social`+[SLWeiboUserRecord supportsSecureCoding] Address: Social[0x000000000000c9dc] (Social.__TEXT.__text + 45112)
Summary: Social`+[SLWeiboServerInterface consumerSecret] Address: Social[0x000000000000cacf] (Social.__TEXT.__text + 45355)
Summary: Social`+[SLWeiboServerInterface consumerKey] Address: Social[0x00000000000106db] (Social.__TEXT.__text + 60727)
Summary: Social`+[SLFacebookAlbumChooserViewController _blankSurrogateAlbumImage] Address: Social[0x000000000001685c] (Social.__TEXT.__text + 85688)
Summary: Social`+[SLComposeViewController _serviceTypeToExtensionIdentifierMap] Address: Social[0x00000000000174c3] (Social.__TEXT.__text + 88863)
Summary: Social`+[SLComposeViewController _isMultiUserDevice] Address: Social[0x000000000001f56c] (Social.__TEXT.__text + 121800)
Summary: Social`+[SLPlace supportsSecureCoding] Address: Social[0x000000000002de4c] (Social.__TEXT.__text + 181416)
...(此處省略)
這里還有一些有用的工具命令:
# 導出繼承NSObject的實例的所有ivars
command regex ivars 's/(.+)/expression -lobjc -O -- [%1 _ivarDescription]/'
# 導出出繼承NSObject的實例媚污,或NSObject類的所有方法
command regex methods 's/(.+)/expression -lobjc -O -- [%1 _shortMethodDescription]/'
# 遞歸導出繼承NSObject的類的實例的所有方法
command regex lmethods 's/(.+)/expression -lobjc -O -- [%1 _methodDescription]/'
舉個例子舀瓢,你可能需要研究SLFacebookUpload的實例:
(lldb) ivars [SLFacebookUpload new]
<SLFacebookUpload: 0x60000005ddc0>:
in SLFacebookUpload:
_uploadID (NSString*): nil
_uploadType (long): 0
_totalBytes (unsigned long): 0
_transferredBytes (unsigned long): 0
in NSObject:
isa (Class): SLFacebookUpload (isa, 0x10612b058)
又或者你可能對這個類實現了哪些方法比較好奇:
(lldb) methods SLFacebookUpload
<SLFacebookUpload: 0x10612b058>:
in SLFacebookUpload:
Class Methods:
+ (BOOL) supportsSecureCoding; (0x1060b001a)
Properties:
@property (retain, nonatomic) NSString* uploadID; (@synthesize uploadID = _uploadID;)
@property (nonatomic) long uploadType; (@synthesize uploadType = _uploadType;)
@property (nonatomic) unsigned long totalBytes; (@synthesize totalBytes = _totalBytes;)
@property (nonatomic) unsigned long transferredBytes; (@synthesize transferredBytes = _transferredBytes;)
Instance Methods:
- (id) uploadID; (0x1060b0022)
- (void) setUploadID:(id)arg1; (0x1060b0033)
- (long) uploadType; (0x1060b0047)
- (void) setUploadType:(long)arg1; (0x1060b0058)
- (unsigned long) transferredBytes; (0x1060b008b)
- (void) setTransferredBytes:(unsigned long)arg1; (0x1060b009c)
- (void) .cxx_destruct; (0x1060b00ad)
- (void) encodeWithCoder:(id)arg1; (0x1060aff5e)
- (id) initWithCoder:(id)arg1; (0x1060afe6b)
- (unsigned long) totalBytes; (0x1060b0069)
- (void) setTotalBytes:(unsigned long)arg1; (0x1060b007a)
(NSObject ...)
或者獲取這個類和所有父類的所有方法:
lldb) lmethods SLFacebookUpload
<SLFacebookUpload: 0x10612b058>:
in SLFacebookUpload:
Class Methods:
+ (BOOL) supportsSecureCoding; (0x1060b001a)
Properties:
@property (retain, nonatomic) NSString* uploadID; (@synthesize uploadID = _uploadID;)
@property (nonatomic) long uploadType; (@synthesize uploadType = _uploadType;)
@property (nonatomic) unsigned long totalBytes; (@synthesize totalBytes = _totalBytes;)
@property (nonatomic) unsigned long transferredBytes; (@synthesize transferredBytes = _transferredBytes;)
Instance Methods:
- (id) uploadID; (0x1060b0022)
- (void) setUploadID:(id)arg1; (0x1060b0033)
- (long) uploadType; (0x1060b0047)
- (void) setUploadType:(long)arg1; (0x1060b0058)
- (unsigned long) transferredBytes; (0x1060b008b)
- (void) setTransferredBytes:(unsigned long)arg1; (0x1060b009c)
- (void) .cxx_destruct; (0x1060b00ad)
- (void) encodeWithCoder:(id)arg1; (0x1060aff5e)
- (id) initWithCoder:(id)arg1; (0x1060afe6b)
- (unsigned long) totalBytes; (0x1060b0069)
- (void) setTotalBytes:(unsigned long)arg1; (0x1060b007a)
in NSObject:
Class Methods:
...
Instance Methods:
...
在真機上加載framework
真機上這個過程沒有什么不一樣,唯一區(qū)別是System/Library的位置不一樣耗美。
如果你在模擬器上運行京髓,公開Frameworks目錄在這個地方:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator.sdk/System/Library/Frameworks/
但注意到上文中我們用otool -L得到的信息是路徑應該是/System/Library/Frameworks航缀。這到底神馬情況?
情況是堰怨,dyld會在一些目錄中查找framework芥玉。對應模擬器有一個dyld_sim。
所以备图,這個是在iOS設備上framework所在的正確路徑灿巧。如果你運行在真機上,frameworks們將會在/System/Library/Frameworks/揽涮。
這是有人或許會說抠藕,"不是有沙盒限制么?"
ios內核對不同目錄有著不同的限制。在iOS 10或更早的版本上蒋困,/System/Library目錄對于你的進程是可讀的盾似!這是合理的,因為你的進程在它的進程空間內需要調用一些公開或私有的framework雪标。如果沙盒機制限制了這些目錄的讀取零院,那么app就不能夠加載他們導致啟動失敗。
來嘗試一下:
(lldb) ls /
<__NSArrayM 0x17024ca20>(
.file,
.mb,
Applications,
Developer,
Library,
System,
bin,
cores,
dev,
etc,
private,
sbin,
tmp,
usr,
var
)
(lldb) ls /System/Library/
