Difference between revisions of "Reverse Engineering Tools"

From iPhone Development Wiki
Jump to: navigation, search
(Added info about weak_classdump)
Line 1: Line 1:
 
'''This is a draft that needs your help. Can you help fix it? Add some details!'''
 
'''This is a draft that needs your help. Can you help fix it? Add some details!'''
  
The process for developing a tweak for jailbroken iOS can include: using a combination of class-dump, IDA, and GDB to locate functions/methods, using [[Cycript]] to prototype the tweak, and finishing it with Theos.
+
The process for developing a tweak may vary in complexity, and therefore might require different kinds of tools to analyze how stock software works precisely and where to best interpose your functionality.
  
See [[Getting Started#Looking at classes]] and [[Debugging on iOS 7#Class-dumping]]
+
== Runtime analysis ==
  
See [[Debugging on iOS 7]] for using GDB/LLDB.
+
The tools described following are useful for analyzing a program during runtime.
  
[[Logify]] might help you.
+
=== GDB / LLDB ===
 +
When writing software, the debugger's an incredibly helpful way to determine exactly what's causing a crash, to find backtrace information on the certain point of a program, and so on. Attaching the debugger to processes running standardly on the iPhone can be done with the description on [[Debugging on iOS 7]].
  
When working with App Store apps, you may need something like [https://github.com/stefanesser/dumpdecrypted dumpdecrypted].
+
=== Cycript ===
 +
[[Cycript]] allows you to run your own code in an attached process out-of-the-box, with some JavaScript-syntax goodies to make writing code more convenient. It allows for greatly useful runtime analysis of a program (such as for instance getting the complete view hierarchy, or checking out the properties of an object), and allows for easy prototyping of the tweak (by hooking methods with a Substrate bridge; changing objects freely and calling functions etc.).
  
== Class-dump'ing encrypted binaries ==
+
=== Logify ===
 +
While not a runtime analysis tool per-se, [[Logify]] takes an Objective-C header file containing a class interface and generates a Logos file hooking all methods in the given class, and for each hook logging the call of the method (with parameters) to the syslog. It allows for convenient analysis of what methods of a class get called during runtime, and when.
  
When binaries are encrypted with fairplay (e.g App Store apps), class-dump[-z] will produce garbage data. Therefore, it is necessary to use a runtime tool such as [https://github.com/limneos/weak_classdump weak_classdump].
+
=== weak_classdump ===
 +
When `class-dump` (described below) can't analyze an executable and generate header files with class interfaces (due to encryption, malformed binaries etc.), the resort is to get these definitions from the runtime. [https://github.com/limneos/weak_classdump weak_classdump] is a Cycript tool which attached into a project and generates `class-dump`-like output files.
  
 
weak_classdump can be used to dump a single class, like so:
 
weak_classdump can be used to dump a single class, like so:
Line 30: Line 34:
 
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")
 
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")
 
</source>
 
</source>
 +
 +
== Executable Analysis ==
 +
 +
The tools described here can be used to analyze an executable.
 +
 +
=== dumpdecrypted ===
 +
App Store app executables are always encrypted. [https://github.com/stefanesser/dumpdecrypted dumpdecrypted] allows one to easily generate a decrypted executable out of it:
 +
 +
<source>
 +
iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
 +
iPhone$ ls Application*
 +
Application
 +
Application.decrypted
 +
</source>
 +
 +
=== class-dump, class-dump-z ===
 +
From a given executable, these tools will generate header files with class interfaces. This allows for an analysis of what methods exist in the executable, and permits a guess of what one might hook to get given functionality.
 +
 +
See [[Getting Started#Looking at classes]] and [[Debugging on iOS 7#Class-dumping]]
 +
 +
=== IDA ===
 +
IDA (Interactive Disassembler) is the standard go-to tool when wanting to disassemble (that is, re-generate the app's code in Assembly form from the binary) an executable. It allows for a detailed analysis on how an application does something exactly down to the implementation itself.
 +
 +
It is a commercial application, and requires some time getting used to. Yet for analysing Objective-C applications, KennyTM's [https://github.com/kennytm/Miscellaneous/blob/master/fixobjc2.idc fixobjc2.idc script] is extremely useful exposing Objective-C method definitions and calls.

Revision as of 01:23, 5 March 2014

This is a draft that needs your help. Can you help fix it? Add some details!

The process for developing a tweak may vary in complexity, and therefore might require different kinds of tools to analyze how stock software works precisely and where to best interpose your functionality.

Runtime analysis

The tools described following are useful for analyzing a program during runtime.

GDB / LLDB

When writing software, the debugger's an incredibly helpful way to determine exactly what's causing a crash, to find backtrace information on the certain point of a program, and so on. Attaching the debugger to processes running standardly on the iPhone can be done with the description on Debugging on iOS 7.

Cycript

Cycript allows you to run your own code in an attached process out-of-the-box, with some JavaScript-syntax goodies to make writing code more convenient. It allows for greatly useful runtime analysis of a program (such as for instance getting the complete view hierarchy, or checking out the properties of an object), and allows for easy prototyping of the tweak (by hooking methods with a Substrate bridge; changing objects freely and calling functions etc.).

Logify

While not a runtime analysis tool per-se, Logify takes an Objective-C header file containing a class interface and generates a Logos file hooking all methods in the given class, and for each hook logging the call of the method (with parameters) to the syslog. It allows for convenient analysis of what methods of a class get called during runtime, and when.

weak_classdump

When `class-dump` (described below) can't analyze an executable and generate header files with class interfaces (due to encryption, malformed binaries etc.), the resort is to get these definitions from the runtime. weak_classdump is a Cycript tool which attached into a project and generates `class-dump`-like output files.

weak_classdump can be used to dump a single class, like so:

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"

It can also be used to dump all the classes in a bundle (in this case, the main bundle):

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")

Executable Analysis

The tools described here can be used to analyze an executable.

dumpdecrypted

App Store app executables are always encrypted. dumpdecrypted allows one to easily generate a decrypted executable out of it:

iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
iPhone$ ls Application*
Application
Application.decrypted

class-dump, class-dump-z

From a given executable, these tools will generate header files with class interfaces. This allows for an analysis of what methods exist in the executable, and permits a guess of what one might hook to get given functionality.

See Getting Started#Looking at classes and Debugging on iOS 7#Class-dumping

IDA

IDA (Interactive Disassembler) is the standard go-to tool when wanting to disassemble (that is, re-generate the app's code in Assembly form from the binary) an executable. It allows for a detailed analysis on how an application does something exactly down to the implementation itself.

It is a commercial application, and requires some time getting used to. Yet for analysing Objective-C applications, KennyTM's fixobjc2.idc script is extremely useful exposing Objective-C method definitions and calls.