Reverse Engineering Tools: Difference between revisions

From iPhone Development Wiki
(Refactored the disassemblers section and added info about Hopper.)
(nm and strings)

Revision as of 02:07, 5 March 2014


Developing a tweak varies in complexity, and may require different kinds of tools to analyze precisely how stock software works and where best to interpose your functionality.

Runtime analysis

The tools described below are useful for analyzing a program at runtime.

GDB / LLDB

When writing software, a debugger is an incredibly helpful way to determine exactly what is causing a crash, to get a backtrace at a given point in a program, and so on. To attach the debugger to processes running normally on the iPhone, follow the description in Debugging on iOS 7.

Cycript

Cycript allows you to run your own code in an attached process out of the box, with some JavaScript-syntax goodies to make writing code more convenient. It is very useful for runtime analysis of a program (for instance, getting the complete view hierarchy or inspecting the properties of an object) and for easy prototyping of a tweak (hooking methods with a Substrate bridge, changing objects freely, calling functions, etc.).

Logify

While not a runtime analysis tool per se, Logify takes an Objective-C header file containing a class interface and generates a Logos file that hooks every method in the given class; each hook logs the method call (with its parameters) to the syslog. This makes it convenient to see which methods of a class get called at runtime, and when.

weak_classdump

When `class-dump` (described below) can't analyze an executable and generate header files with class interfaces (due to encryption, malformed binaries, etc.), the fallback is to get these definitions from the runtime. weak_classdump is a Cycript tool which attaches to a running process and generates `class-dump`-like output files.

weak_classdump can be used to dump a single class, like so:

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"

It can also be used to dump all the classes in a bundle (in this case, the main bundle):

iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")

Executable Analysis

The tools described here can be used to analyze an executable.

dumpdecrypted

App Store app executables are always encrypted. dumpdecrypted allows one to easily generate a decrypted executable from an encrypted one:

iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
iPhone$ ls Application*
Application #original executable
Application.decrypted #decrypted, generated executable
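Whether a given file is still encrypted can be read from its Mach-O load commands: the encryption-info command carries a `cryptid` field that is nonzero for an encrypted slice and 0 otherwise. The following is an added example, not part of the original page or of dumpdecrypted; it handles thin little-endian and fat files, and `build_thin` is a hypothetical helper that constructs a minimal sample header so the code runs without a real app binary.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_cryptid(data, base=0):
    """Return (cryptoff, cryptsize, cryptid) for the thin little-endian Mach-O
    slice starting at `base`, or None if it has no encryption load command."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice: %#x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # size of mach_header(_64)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > min(end, len(data)):
            raise ValueError("load commands run past the header")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return None

def encryption_report(data):
    """Map each slice offset in a thin or fat file to its encryption info."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return {0: slice_cryptid(data)}
    (nfat,) = struct.unpack_from(">I", data, 4)
    report = {}
    for i in range(nfat):
        # fat_arch is five big-endian uint32s; the slice offset is the third
        (offset,) = struct.unpack_from(">I", data, 8 + 20 * i + 8)
        report[offset] = slice_cryptid(data, offset)
    return report

def build_thin(cryptid):
    """Constructed sample (not a real app binary): a 32-bit ARM header
    followed by a single LC_ENCRYPTION_INFO command."""
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cryptid)
    hdr = struct.pack("<IIIIIII", MH_MAGIC, 12, 9, 2, 1, len(lc), 0)
    return hdr + lc

if __name__ == "__main__":
    print(encryption_report(build_thin(1)))  # cryptid 1: encrypted
    print(encryption_report(build_thin(0)))  # cryptid 0: not encrypted
```

On a real file, pass the bytes read from the executable inside the `.app` bundle to `encryption_report`.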

class-dump, class-dump-z

From a given executable, these tools generate header files with class interfaces. This lets you see which methods exist in the executable and make an educated guess about what to hook to get a given functionality.

See Getting Started#Looking at classes and Debugging on iOS 7#Class-dumping

Disassemblers

Disassemblers are useful when an in-depth analysis of a binary is needed. These programs convert the compiled code into assembly so that it can be examined in detail. Assembly is hard for beginners to understand and is platform-dependent (e.g., ARM assembly is very different from x86 assembly), so a good knowledge of it is almost mandatory to use disassemblers correctly.

IDA

IDA (Interactive Disassembler) is the de-facto standard program used to disassemble binaries. It supports a plethora of processors. IDA has tons of features and has been in development for more than a decade.

It is a commercial application, and takes some time to get used to. For analyzing Objective-C applications, KennyTM's fixobjc2.idc script is extremely useful for exposing Objective-C method definitions and calls.

Hopper

Hopper is quite recent and only supports a small subset of the features that IDA has. It is extremely fast and has a nice user interface. However, the assembly it produces is not nearly as good as that produced by IDA.

otool

write me please

strings

strings is a simple utility that will print all the strings in a given binary.

Example usage:

bash$ strings crash_mover
moveLogsAtPath
Could not open and lock %s: %s. Proceeding with copy anyway.
Extensions
...

nm

nm is a utility that displays the symbol table of a given binary.

Example usage:

bash$ nm CoreTelephony
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
...
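A raw `nm` listing becomes easier to work with once the Objective-C method symbols are grouped by class. The following is an added example, not part of the original page; the function names are hypothetical, and the sample reuses the four symbols from the listing above plus two constructed lines to show what gets skipped.

```python
import re
from collections import defaultdict

# "<hex address> <type letter> <+|->[<Class> <selector>]", as in the listing above
OBJC_SYMBOL = re.compile(
    r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+([+-])\[(\S+)\s+([^\]\s]+)\]$")

def index_objc_methods(nm_output):
    """Group the Objective-C method symbols in `nm` output by class.

    Lines that are not Objective-C methods (C functions, undefined imports,
    the "..." elision) are skipped."""
    classes = defaultdict(list)
    for line in nm_output.splitlines():
        m = OBJC_SYMBOL.match(line.strip())
        if m is None:
            continue
        addr, symtype, kind, cls, selector = m.groups()
        classes[cls].append({
            "address": int(addr, 16),
            "scope": "class" if kind == "+" else "instance",
            "selector": selector,
            "argc": selector.count(":"),    # one ':' per argument
            "exported": symtype.isupper(),  # lowercase nm type = local symbol
        })
    return dict(classes)

def render_class(cls, methods):
    """List one class's methods in address order, one per line."""
    out = []
    for m in sorted(methods, key=lambda m: m["address"]):
        sign = "+" if m["scope"] == "class" else "-"
        out.append("0x%08x %s[%s %s]" % (m["address"], sign, cls, m["selector"]))
    return "\n".join(out)

# The first four symbols come from the listing above; the undefined import
# and the instance method are constructed for illustration.
SAMPLE = """\
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
...
         U _objc_msgSend
00012340 t -[CTCall constructedExample:withValue:]
"""

if __name__ == "__main__":
    for cls, methods in sorted(index_objc_methods(SAMPLE).items()):
        print(render_class(cls, methods))
```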