iOS reverse engineering: commonly used commands

1. Information gathering

  • List the BundleIDs of all apps on a jailbroken device (requires frida-ios-dump)

MacBookPro:frida-ios-dump-master lemon$ ./dump.py -l

  • Get the device UDID (requires ideviceinstaller)

MacBookPro:~ lemon$ idevice_id -l

  • Check whether an IPA has already been decrypted (cryptid=0 means already decrypted; any other value means it is still encrypted)

MacBookPro:~ lemon$ otool -l target.app/target | grep cryptid

  • View the device log

MacBookPro:~ lemon$ idevicesyslog -u deviceudid

  • Install an app on a specific device

MacBookPro:~ lemon$ ideviceinstaller -i target.ipa -u deviceudid

  • Dump the decrypted binary (using frida)

MacBookPro:frida-ios-dump-master lemon$ ./dump.py BundleID

  • class-dump the headers

MacBookPro:~ lemon$ class-dump -s -S -H target.app/target -o /path/to/save/header

  • Check the architectures of a dynamic library

lipo -info

  • ssh

ssh root@deviceip

  • Find a process

ps aux | grep /App
ps -e | grep /Applications

  • Find files

grep -r Header /System/Library/

  • Split a fat binary

lipo -thin armv7 WeChat.decrypted -output WeChat_armv7.decrypted
lipo -thin arm64 xxx.decrypted -output xxx.arm64.decrypted
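Both the cryptid check (`otool -l ... | grep cryptid`) and the `lipo -thin` split above read plain Mach-O structure, which is simple enough to inspect directly. The following added example is not part of the original notes: a small pure-Python parser that walks the load commands of a thin Mach-O, or of every slice of a fat file, and reports the cryptid each slice carries, with a `thin()` helper that selects one slice the way `lipo -thin` does. The function names (`slices`, `cryptid`, `report`, `thin`) and the sample fat binary `SAMPLE_FAT` are my own constructions; the constants come from Apple's `<mach-o/loader.h>`, `<mach-o/fat.h>` and `<mach/machine.h>`. Fat files using the 64-bit `fat_arch_64` table are not handled.

```python
"""Inspect Mach-O images for LC_ENCRYPTION_INFO(_64) without otool or lipo."""
import struct

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE          # fat header and arch table are big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O (armv7), little-endian fields
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O (arm64)
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 0x0000000C
CPU_TYPE_ARM64 = 0x0100000C
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def slices(data):
    """Yield (arch_name, slice_bytes) for a thin Mach-O or for every slice of a fat file."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        for i in range(nfat):
            entry = data[8 + 20 * i: 28 + 20 * i]          # one struct fat_arch
            cputype, _sub, off, size, _align = struct.unpack(">IIIII", entry)
            yield ARCH_NAMES.get(cputype, hex(cputype)), data[off: off + size]
        return
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O or fat image")
    cputype = struct.unpack("<I", data[4:8])[0]
    yield ARCH_NAMES.get(cputype, hex(cputype)), data


def cryptid(slice_bytes):
    """Return the cryptid of LC_ENCRYPTION_INFO(_64), or None if the slice has none.

    cryptid == 0: not FairPlay-encrypted (already dumped or never encrypted).
    """
    magic = struct.unpack("<I", slice_bytes[:4])[0]
    if magic == MH_MAGIC_64:
        off = 32                      # sizeof(struct mach_header_64)
    elif magic == MH_MAGIC:
        off = 28                      # sizeof(struct mach_header)
    else:
        raise ValueError("bad Mach-O magic %#x" % magic)
    ncmds, sizeofcmds = struct.unpack("<II", slice_bytes[16:24])
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack("<II", slice_bytes[off:off + 8])
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid [, pad (64-bit only)]
            return struct.unpack("<I", slice_bytes[off + 16:off + 20])[0]
        off += cmdsize
    return None


def report(data):
    """Map arch -> cryptid for every slice (what `otool -l | grep cryptid` shows per arch)."""
    return {arch: cryptid(s) for arch, s in slices(data)}


def thin(data, arch):
    """Extract one slice by arch name, the same selection `lipo -thin <arch>` makes."""
    for name, s in slices(data):
        if name == arch:
            return s
    raise KeyError("no %s slice in image" % arch)


# --- constructed sample input (not a real app binary) -------------------------

def _make_slice(is64, cputype, cid):
    """Minimal Mach-O: header plus a single LC_ENCRYPTION_INFO(_64) load command."""
    if is64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, 2, 1, len(lc), 0)
    return hdr + lc


def _make_fat(parts):
    """Wrap (cputype, slice_bytes) pairs in a fat header; slices are 4 KiB aligned."""
    table, body, offset = b"", b"", 0x1000
    for cputype, blob in parts:
        table += struct.pack(">IIIII", cputype, 0, offset, len(blob), 12)
        padded = blob + b"\0" * (-len(blob) % 0x1000)
        body += padded
        offset += len(padded)
    header = struct.pack(">II", FAT_MAGIC, len(parts)) + table
    return header + b"\0" * (0x1000 - len(header)) + body


# armv7 slice still encrypted (cryptid=1), arm64 slice already decrypted (cryptid=0)
SAMPLE_FAT = _make_fat([
    (CPU_TYPE_ARM, _make_slice(False, CPU_TYPE_ARM, 1)),
    (CPU_TYPE_ARM64, _make_slice(True, CPU_TYPE_ARM64, 0)),
])

if __name__ == "__main__":
    for arch, cid in report(SAMPLE_FAT).items():
        print("%s: cryptid=%s (%s)" % (arch, cid, "decrypted" if cid == 0 else "encrypted"))
```

On a real file, replace `SAMPLE_FAT` with the bytes of `target.app/target`; a mixed result such as `{'armv7': 1, 'arm64': 0}` is exactly the case where `thin()` (or `lipo -thin`) is needed to pick the slice that was actually decrypted before handing it to class-dump or a disassembler.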

2. LLDB

  • Print the UI hierarchy

po [[[UIWindow keyWindow] rootViewController] _printHierarchy] (iOS 8)
po [[UIWindow keyWindow] recursiveDescription]

  • Print the call stack

bt (backtrace)
bt all (all threads)

  • Print objc_msgSend arguments (on arm64, x0 holds the receiver and x1 the selector)

po $x0

p (char*)$x1

p (SEL)$x1

  • Return address

p/x $lr

  • Add a breakpoint

b -a 0x00002224

  • List loaded modules

image list -o -f

  • Basic lldb commands

c
n
ni
br list
br del
br dis
br en

  • Remote debugging

debugserver *:1234 -a pid

debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app/AlipayWallet

  • Remote connection

process connect connect://192.168.2.154:1234

  • lldb expr examples

(lldb) expr char *$str = (char *)malloc(8)

(lldb) expr (void)strcpy($str, "munkeys")

(lldb) expr $str[1] = 'o'

(char) $0 = 'o'

(lldb) p $str

(char *) $str = 0x00007fd04a900040 "monkeys"

(lldb) x/4c $str

(lldb) x/1w $str + 3

(lldb) expr (void)free($str)

(lldb) expr id $myView = (id)0x7f82b1d01fd0

(lldb) expr (void)[$myView setBackgroundColor:[UIColor blueColor]]

(lldb) expr (void)[CATransaction flush]

(lldb) po [$myButton allTargets]

(lldb) p (ptrdiff_t)ivar_getOffset((struct Ivar *)class_getInstanceVariable([MyView class], "_layer"))

  • Add commands to a breakpoint

(lldb) br command add 1
Enter your debugger command(s). Type 'DONE' to end.
> register read $rdi
> c
> DONE
(lldb)

  • Modify a register's value

register write x0 1

3. Cycript

  • View the element hierarchy of the current screen

cy# [[UIApp keyWindow] recursiveDescription].toString()

  • View all subviews of the current keyWindow's root view controller

cy# [[[UIApp keyWindow] rootViewController] _printHierarchy].toString()

  • Print brief view information (autolayout trace)

cy# [[UIApp keyWindow] _autolayoutTrace].toString()

  • List all ivars of an instance

cy# [choose(SBApplication)[0] _ivarDescription].toString()

  • List the instance methods and class methods of a class

cy# [choose(SBApplicationController)[0] _methodDescription].toString()

  • Access objects and instances by address

cy# [#0xb226710 url]
@"ww4fd1rfRDShBo_4K6rqfwAAACMAAQED"

cy# c = #0x1752d8c0
cy#"<FavAudioPlayerController: 0x1752d8c0; frame = (0 0; 290 60); autoresize = W; layer = <CALayer: 0x172dc2b0>>"
cy# c->m_audioInfo
cy#"<FavAudioInfo: 0x172b2a30>"
cy# c->m_audioInfo.m_nsAudioPath

4. ARM

5. Tools
