Difference between revisions of "Reverse Engineering Tools"

From iPhone Development Wiki
(dumpdecrypted)
(Refactored the disassemblers section and added info about Hopper.)
Line 54: Line 54:
 
See [[Getting Started#Looking at classes]] and [[Debugging on iOS 7#Class-dumping]]
 
See [[Getting Started#Looking at classes]] and [[Debugging on iOS 7#Class-dumping]]
  
=== IDA ===
+
=== Disassemblers ===
IDA (Interactive Disassembler) is the standard go-to tool when wanting to disassemble (that is, re-generate the app's code in Assembly form from the binary) an executable. It allows for a detailed analysis on how an application does something exactly down to the implementation itself.
+
Disassemblers are useful when an in-depth analysis of a binary is needed. These programs convert the compiled code into assembly for a detailed examination to be performed. Assembly is hard to understand for beginners and is platform-dependent (e.g ARM assembly is very different from x86 assembly), therefore a good knowledge of it is almost mandatory to be able to use disassemblers correctly.  
  
It is a commercial application, and requires some time getting used to. Yet for analysing Objective-C applications, KennyTM's [https://github.com/kennytm/Miscellaneous/blob/master/fixobjc2.idc fixobjc2.idc script] is extremely useful exposing Objective-C method definitions and calls.
+
==== IDA ====
 +
[https://www.hex-rays.com/products/ida/ IDA] (Interactive Disassembler) is the ''de-facto'' standard program used to disassemble binaries. It supports a [https://www.hex-rays.com/products/ida/processors.shtml plethora] of processors. IDA has tons of features and has been in development for more than a decade.
 +
 
 +
It is a commercial application, and requires some time getting used to. Yet for analyzing Objective-C applications, KennyTM's [https://github.com/kennytm/Miscellaneous/blob/master/fixobjc2.idc fixobjc2.idc script] is extremely useful exposing Objective-C method definitions and calls.
 +
 
 +
==== Hopper ====
 +
[http://www.hopperapp.com/ Hopper] is quite recent and only supports a small subset of the features that IDA has. It is extremely fast and has a nice user interface. However, the produced assembly code is not nearly as good as the one produced by IDA.
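Review bot: in the new Disassemblers paragraph, "e.g ARM assembly" is missing the period after "e.g"; in the IDA paragraph, "extremely useful exposing" should read "extremely useful for exposing". The Hopper paragraph calls it "quite recent" and says it supports "a small subset" of IDA's features without naming a version of either tool; stating the versions compared would keep the comparison meaningful as both tools change.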

Revision as of 01:55, 5 March 2014


The process of developing a tweak can vary in complexity, and may therefore call for different kinds of tools to analyze precisely how the stock software works and where best to interpose your own functionality.

Runtime analysis

The tools described below are useful for analyzing a program while it is running.

GDB / LLDB

When writing software, the debugger is an incredibly helpful way to determine exactly what is causing a crash, to obtain a backtrace at a given point in a program, and so on. Attaching the debugger to processes already running on the iPhone is described in Debugging on iOS 7.

Cycript

Cycript allows you to run your own code inside an attached process out of the box, with some JavaScript-syntax conveniences that make writing that code easier. It allows for very useful runtime analysis of a program (for instance, retrieving the complete view hierarchy or inspecting the properties of an object), and for easy prototyping of a tweak (hooking methods through its Substrate bridge, modifying objects freely, calling functions, and so on).

Logify

While not a runtime analysis tool per se, Logify takes an Objective-C header file containing a class interface and generates a Logos file that hooks every method of the given class, with each hook logging the method call (including its parameters) to the syslog. This allows for convenient analysis of which methods of a class are called at runtime, and when.
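To make the Logify step concrete, here is an added example (not Logify itself, nor any code from this wiki) of a small Python generator that does the same job: it parses the method declarations of a class-dump style header and emits a Logos %hook block in which every method does %log before calling %orig. The header text is constructed for the example, and the hypothetical names logify / parse_interfaces / logos_for_class are this example's own. Return types that themselves contain parentheses (block types) are not handled, which is an assumed simplification.

```python
import re

# Constructed sample header in class-dump style (not a real app's header).
SAMPLE_HEADER = """\
@interface SkypeAppDelegate : NSObject <UIApplicationDelegate>
{
    UIWindow *_window;
}
@property(retain, nonatomic) UIWindow *window;
+ (id)sharedDelegate;
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)options;
- (void)applicationDidBecomeActive:(UIApplication *)application;
- (void)dealloc;
@end
"""

INTERFACE_RE = re.compile(r"^@interface\s+(\w+)")
# kind (+/-), return type without nested parens (assumed simplification), selector part.
METHOD_RE = re.compile(r"^([-+])\s*\(([^)]*)\)\s*(.+?)\s*;\s*$")


def parse_interfaces(header_text):
    """Return [(class_name, [(kind, return_type, selector_part), ...]), ...].

    Only lines between @interface and @end that look like method declarations
    are collected; ivars and @property lines are skipped.
    """
    classes, current = [], None
    for raw in header_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = (m.group(1), [])
            classes.append(current)
            continue
        if line.startswith("@end"):
            current = None
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            kind, ret, sig = m.groups()
            # Normalise whitespace so the emitted hook is on one clean line.
            current[1].append((kind, " ".join(ret.split()), " ".join(sig.split())))
    return classes


def logos_for_class(name, methods):
    """Emit one %hook block: every method logs its call, then forwards to %orig."""
    lines = ["%%hook %s" % name]
    for kind, ret, sig in methods:
        # void methods cannot return %orig's value; everything else passes it through.
        body = "%log; %orig;" if ret == "void" else "%log; return %orig;"
        lines.append("%s (%s)%s { %s }" % (kind, ret, sig, body))
    lines.append("%end")
    return "\n".join(lines)


def logify(header_text):
    """Generate a Logos source for every class interface found in the header."""
    return "\n\n".join(logos_for_class(n, ms) for n, ms in parse_interfaces(header_text))


if __name__ == "__main__":
    print(logify(SAMPLE_HEADER))
```

The generated file is what you would compile as a Logos tweak; because %log records the receiver and arguments of each call, the output in syslog lets you follow, in order, which delegate methods the app exercises while you use it.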

weak_classdump

When `class-dump` (described below) cannot analyze an executable and generate header files with class interfaces (because of encryption, a malformed binary, etc.), the fallback is to obtain these definitions from the runtime. weak_classdump is a Cycript tool that attaches to a process and generates `class-dump`-like output files.

weak_classdump can be used to dump a single class, like so:

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"

It can also be used to dump all the classes in a bundle (in this case, the main bundle):

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")

Executable Analysis

The tools described here can be used to analyze an executable.

dumpdecrypted

App Store app executables are always encrypted. dumpdecrypted makes it easy to produce a decrypted executable from such a binary: it is injected into the running app via DYLD_INSERT_LIBRARIES and, since the loader has already decrypted the code in memory, writes the decrypted image back to disk.

iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
iPhone$ ls Application*
Application #original executable
Application.decrypted #decrypted, generated executable
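Before running class-dump, and after running dumpdecrypted, it is worth checking whether a Mach-O image is actually encrypted: the LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command carries a cryptid field that is non-zero for App Store binaries and zero once decrypted. The following is an added example, not part of this wiki or of dumpdecrypted, that parses thin and fat Mach-O headers far enough to read that field. The sample images are constructed inside the script (they are not real app binaries, and the fat slices are not page-aligned as real ones are); the names encryption_info, is_encrypted, build_sample_image and build_fat are this example's own.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian thin images
FAT_MAGIC = 0xCAFEBABE                           # big-endian fat header
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def _thin_info(data):
    """Walk the load commands of one thin image and return its encryption
    command as a dict, or None if the image carries no LC_ENCRYPTION_INFO."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        hdr_size = 28
    elif magic == MH_MAGIC_64:
        hdr_size = 32          # 64-bit header has an extra reserved field
    else:
        raise ValueError("not a little-endian Mach-O image: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end, found = hdr_size, hdr_size + sizeofcmds, None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("bogus cmdsize %d" % cmdsize)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            found = {"cmd": cmd, "cryptoff": cryptoff,
                     "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return found


def encryption_info(data):
    """Return a list with one entry per architecture slice (fat or thin)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append(_thin_info(data[offset:offset + size]))
        return slices
    return [_thin_info(data)]


def is_encrypted(data):
    """True if any slice still has a non-zero cryptid; a missing command counts as clear."""
    return any(info is not None and info["cryptid"] != 0 for info in encryption_info(data))


def build_sample_image(cryptid, sixty_four=True):
    """Constructed minimal Mach-O (header plus one encryption command); test data only."""
    if sixty_four:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
        hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)
    return hdr + lc


def build_fat(slices):
    """Constructed fat wrapper around thin images (unaligned; test data only)."""
    archs, body, offset = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        cputype, cpusubtype = struct.unpack_from("<II", s, 4)
        archs += struct.pack(">IIIII", cputype, cpusubtype, offset, len(s), 0)
        body += s
        offset += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(path, "encrypted" if is_encrypted(blob) else "clear", encryption_info(blob))
```

Run it against Application and Application.decrypted from the session above to confirm that the dump really cleared cryptid in every slice; a fat binary in which only one slice was dumped will still report as encrypted, which is exactly the case where class-dump fails on the other architecture.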

class-dump, class-dump-z

From a given executable, these tools generate header files with class interfaces. This allows for an analysis of which methods exist in the executable, and helps in guessing what one might hook to obtain a given piece of functionality.

See Getting Started#Looking at classes and Debugging on iOS 7#Class-dumping

Disassemblers

Disassemblers are useful when an in-depth analysis of a binary is needed. These programs convert the compiled code into assembly so that a detailed examination can be performed. Assembly is hard for beginners to understand and is platform-dependent (e.g. ARM assembly is very different from x86 assembly), so a good knowledge of it is almost mandatory in order to use disassemblers correctly.

IDA

IDA (Interactive Disassembler) is the de facto standard program for disassembling binaries. It supports a plethora of processors, has a great many features, and has been in development for more than a decade.

It is a commercial application and requires some time to get used to. For analyzing Objective-C applications, KennyTM's fixobjc2.idc script is extremely useful for exposing Objective-C method definitions and calls.

Hopper

Hopper is quite recent and supports only a small subset of the features that IDA has. It is extremely fast and has a nice user interface; however, the assembly it produces is not nearly as good as IDA's.