Reverse Engineering Tools
The process of developing a tweak varies in complexity, and may therefore call for different kinds of tools to analyze precisely how the stock software works and where best to interpose your own functionality.
The tools described below are useful for analyzing a program at runtime.
GDB / LLDB
When writing software, the debugger is an incredibly helpful way to determine exactly what is causing a crash, to obtain a backtrace at a given point in a program, and so on. Attaching the debugger to processes running normally on the iPhone is described on Debugging on iOS 7.
Logify
While not a runtime analysis tool per se, Logify takes an Objective-C header file containing a class interface and generates a Logos file that hooks every method of the given class; each hook logs the method call (with its parameters) to the syslog. This makes it convenient to see which methods of a class are called at runtime, and when.
weak_classdump
When `class-dump` (described below) cannot analyze an executable and generate header files with class interfaces (because of encryption, malformed binaries, etc.), the remaining option is to obtain these definitions from the runtime. weak_classdump is a Cycript tool that attaches to a running process and generates `class-dump`-like output files.
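To make concrete what Logify produces from a header, here is an added Python example (not Logify itself, which is a Perl script, and not part of the original page) that parses the method declarations of one `@interface` block and emits a Logos `%hook` with a `%log; %orig;` body per method. The sample header (`SkypeAppDelegate` with three made-up methods) is constructed for this example; `@property` lines and multi-line declarations are ignored, and `instancetype` is rewritten to `id` so the generated hook compiles regardless of the Logos version.

```python
import re

# "@interface ClassName" possibly followed by ": Superclass <Protocols>"
_INTERFACE = re.compile(r"@interface\s+(\w+)")
# "- (ReturnType)selectorPart:(ArgType)arg ...;" on a single line
_METHOD = re.compile(r"^\s*([-+])\s*\((.*?)\)\s*(.*?);\s*$")


def parse_interface(header):
    """Return (class_name, [(kind, return_type, selector_part), ...]) for the
    first @interface ... @end block in a class-dump style header."""
    cls = None
    methods = []
    for line in header.splitlines():
        m = _INTERFACE.search(line)
        if m and cls is None:
            cls = m.group(1)
            continue
        if cls is None:
            continue
        if line.strip() == "@end":
            break
        m = _METHOD.match(line)
        if m:
            methods.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    if cls is None:
        raise ValueError("no @interface found in header")
    return cls, methods


def logify(header):
    """Generate a Logos file hooking every method declared in the header.
    %log writes class, selector and arguments to the syslog; %orig calls the
    original implementation so the app keeps working."""
    cls, methods = parse_interface(header)
    out = ["%hook " + cls]
    for kind, rtype, rest in methods:
        rtype = "id" if rtype == "instancetype" else rtype
        body = "%log; %orig;" if rtype == "void" else "%log; return %orig;"
        out.append("%s (%s)%s { %s }" % (kind, rtype, rest, body))
    out.append("%end")
    return "\n".join(out)


# Constructed sample header; the methods are invented for this example.
SAMPLE_HEADER = """\
@interface SkypeAppDelegate : NSObject <UIApplicationDelegate>
@property(nonatomic, retain) id window;
+ (instancetype)sharedDelegate;
- (void)applicationDidBecomeActive:(id)application;
- (BOOL)application:(id)app didFinishLaunchingWithOptions:(id)opts;
@end
"""

if __name__ == "__main__":
    print(logify(SAMPLE_HEADER))
```

Running the block prints a `%hook SkypeAppDelegate` block with one line per method; saving it as `Tweak.xm` in a Theos project is how such a generated file would normally be built.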
weak_classdump can be used to dump a single class, like so:
iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"
It can also be used to dump all the classes in a bundle (in this case, the main bundle):
iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")
The tools described below analyze an executable statically, without running it.
dumpdecrypted
App Store app executables are always encrypted. dumpdecrypted makes it easy to produce a decrypted executable from one:
iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
iPhone$ ls Application*
Application            #original executable
Application.decrypted  #decrypted, generated executable
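Whether an executable is encrypted, and whether a decrypted copy really came out clean, can be checked without any tool beyond a Mach-O parser: the `LC_ENCRYPTION_INFO` (or `LC_ENCRYPTION_INFO_64`) load command carries a `cryptid` field that is non-zero for an encrypted binary and 0 for a plain one. The Python below is an added example, not part of the page or of dumpdecrypted; it parses the header and load commands of a little-endian thin Mach-O (the iOS case; FAT and big-endian files are rejected rather than misread) and reports the encryption state. `build_sample` constructs a minimal fake 32-bit ARM Mach-O purely so the block runs offline.

```python
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, native byte order
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O, native byte order
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def encryption_info(data):
    """Return (cryptoff, cryptsize, cryptid) from the first LC_ENCRYPTION_INFO
    load command, or None if the binary has none. Every load command is
    bounds-checked against sizeofcmds so a malformed file raises instead of
    being read past its end."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32          # 64-bit header has an extra reserved field
    else:
        raise ValueError("not a little-endian thin Mach-O (magic 0x%08x)" % magic)
    # header layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command %d runs past sizeofcmds" % offset)
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, offset))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants: cmd, cmdsize, cryptoff, cryptsize, cryptid (64 adds pad)
            return struct.unpack_from("<III", data, offset + 8)
        offset += cmdsize
    return None


def is_encrypted(data):
    """True when an LC_ENCRYPTION_INFO command is present with cryptid != 0."""
    info = encryption_info(data)
    return info is not None and info[2] != 0


def build_sample(cryptid):
    """Constructed minimal 32-bit ARM Mach-O: header, an LC_UUID command (to
    exercise command skipping) and an LC_ENCRYPTION_INFO command. It is not a
    loadable binary, only enough structure for the parser."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    enc_cmd = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    cmds = uuid_cmd + enc_cmd
    # cputype 12 = ARM, cpusubtype 9 = ARMv7, filetype 2 = MH_EXECUTE
    header = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 2, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample(cryptid=1)   # constructed sample when no path is given
    info = encryption_info(blob)
    if info is None:
        print("no LC_ENCRYPTION_INFO command")
    else:
        print("cryptoff=0x%x cryptsize=0x%x cryptid=%d -> %s"
              % (info[0], info[1], info[2], "encrypted" if info[2] else "not encrypted"))
```

Run it on the original executable and on the `.decrypted` copy: the first should report a non-zero `cryptid`, the second `cryptid=0`.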
class-dump
From a given executable, these tools generate header files with class interfaces. This allows an analysis of which methods exist in the executable, and permits a guess at what one might hook to obtain a given piece of functionality.
Disassemblers
Disassemblers are useful when an in-depth analysis of a binary is needed. These programs convert the compiled code into assembly so that a detailed examination can be performed. Assembly is hard to understand for beginners and is platform-dependent (e.g. ARM assembly is very different from x86 assembly), so a good knowledge of it is almost mandatory for using disassemblers effectively.
IDA
IDA (Interactive Disassembler) is the de facto standard program for disassembling binaries. It supports a plethora of processors, has a great many features, and has been in development for more than a decade.
It is a commercial application, and takes some time to get used to. For analyzing Objective-C applications, KennyTM's fixobjc2.idc script is extremely useful, as it exposes Objective-C method definitions and calls.
Hopper
Hopper is quite recent and supports only a small subset of IDA's features. It is extremely fast and has a nice user interface. However, the assembly it produces is not nearly as good as IDA's.
strings
strings is a simple utility that prints all the printable strings found in a given binary.
bash$ strings crash_mover
moveLogsAtPath
Could not open and lock %s: %s. Proceeding with copy anyway.
Extensions
...
nm
nm is a utility that displays the symbol table of a given binary.
bash$ nm CoreTelephony
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
...
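On a large framework, raw nm output runs to thousands of lines; what one usually wants when deciding what to hook is the per-class list of selectors. The Python below is an added example (not part of the page) that parses nm's Objective-C symbol lines, `<address> <type> [+-][Class selector]`, and groups selectors by class, marking class methods with `+` and instance methods with `-`. The input is the four sample lines shown above plus one constructed plain C symbol line, to show that non-Objective-C symbols are skipped.

```python
import re
from collections import defaultdict

# e.g. "000234c4 t +[CTCall callForCTCallRef:]"
_OBJC_SYMBOL = re.compile(
    r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<type>\S)\s+(?P<kind>[+-])\[(?P<cls>\w+)\s+(?P<sel>[^\]]+)\]\s*$"
)


def parse_nm_line(line):
    """Return (address, symbol_type, kind, class, selector) for an
    Objective-C method symbol, or None for any other line."""
    m = _OBJC_SYMBOL.match(line)
    if not m:
        return None
    return (int(m.group("addr"), 16), m.group("type"),
            m.group("kind"), m.group("cls"), m.group("sel"))


def methods_by_class(nm_output):
    """Group Objective-C method symbols from nm output by class name.
    Each entry is "<kind><selector>", e.g. "+sharedMessageCenter",
    sorted by address so the listing follows the binary's layout."""
    grouped = defaultdict(list)
    for line in nm_output.splitlines():
        parsed = parse_nm_line(line)
        if parsed is None:
            continue        # C symbols, blank lines, nm chatter
        addr, _symtype, kind, cls, sel = parsed
        grouped[cls].append((addr, kind + sel))
    return {cls: [name for _addr, name in sorted(entries)]
            for cls, entries in grouped.items()}


# The four lines from the nm listing above plus one constructed C symbol.
SAMPLE_NM_OUTPUT = """\
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
00012000 T _CTTelephonyCenterGetDefault
"""

if __name__ == "__main__":
    for cls, names in sorted(methods_by_class(SAMPLE_NM_OUTPUT).items()):
        print(cls)
        for name in names:
            print("    " + name)
```

Piping a real listing in (`nm CoreTelephony | python3 this_script.py` after replacing the sample with `sys.stdin.read()`) gives a compact per-class overview to read alongside the class-dump headers.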