Revision as of 02:34, 5 March 2014
This is a draft that needs your help. Can you improve it? Add some details!
While developing a tweak, you may find these tools useful to analyze how iOS and apps work, and to find where to interpose your functionality.
Runtime analysis
The following tools are useful for analyzing a program during runtime.
GDB / LLDB
When writing software, a debugger helps you determine what is causing a crash, obtain a backtrace at particular points in a program, and so on. Attaching the debugger to processes already running on the iPhone is described on Debugging on iOS 7.
Cycript
Cycript allows you to run your own code in an attached process out-of-the-box, with some JavaScript-syntax goodies to make writing code more convenient. It allows for useful runtime analysis of a program (such as for instance getting the complete view hierarchy, or checking out the properties of an object), and it allows for easy prototyping of a tweak (by hooking methods with a Substrate bridge, changing objects freely and calling functions, etc.).
Logify
While not a runtime analysis tool, Logify takes an Objective-C header file containing a class interface and generates a Logos file hooking all methods in the given class, and for each hook logging the call of the method (with parameters) to the syslog. Logify allows for convenient analysis of what methods of a class get called during runtime, and when.
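To show what a Logify-style generator does, here is an added example (not Logify's own code) that parses a small, constructed class-dump-style header and emits a Logos file which hooks every declared method, logs the call with %log and passes through to the original with %orig. It mimics Logify's approach rather than its exact output; the SkypeAppDelegate interface is made up for the example.

```python
import re

# Constructed sample header (not from the page): a small class interface in
# the shape class-dump emits, used as input for the generator below.
SAMPLE_HEADER = """\
@interface SkypeAppDelegate : NSObject
- (void)applicationDidBecomeActive:(id)application;
- (BOOL)application:(id)application handleOpenURL:(id)url;
+ (id)sharedDelegate;
@end
"""

INTERFACE_RE = re.compile(r"^@interface\s+(\w+)")
# "+ (ret)selector:(type)arg ...;" -> kind, return type, rest of the signature
METHOD_RE = re.compile(r"^([+-])\s*\(([^)]+)\)\s*(.+?);\s*$")


def parse_interface(header):
    """Return (class_name, [(kind, return_type, signature), ...]) for the
    first @interface block found in the header text."""
    class_name = None
    methods = []
    for line in header.splitlines():
        line = line.strip()
        m = INTERFACE_RE.match(line)
        if m:
            class_name = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m and class_name:
            methods.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
        if line == "@end":
            break
    return class_name, methods


def generate_logos(header):
    """Emit a Logos file hooking every declared method: %log writes the call
    and its arguments to syslog, %orig runs the original implementation."""
    class_name, methods = parse_interface(header)
    if not class_name:
        raise ValueError("no @interface found")
    out = ["%%hook %s" % class_name]
    for kind, ret, sig in methods:
        body = "%log; %orig;" if ret == "void" else "%log; return %orig;"
        out.append("%s (%s)%s { %s }" % (kind, ret, sig, body))
    out.append("%end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_logos(SAMPLE_HEADER))
```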
weak_classdump
When class-dump (described below) can't analyze an executable and generate header files with class interfaces (due to encryption, malformed binaries, etc.), another option is to get these definitions from the runtime. weak_classdump is a Cycript tool which attaches to a running process and generates class-dump-like output files.
weak_classdump can be used to dump a single class, like this:
iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"
It can also be used to dump all the classes in a bundle (in this case, the main bundle):
iPhone$ cycript -p Skype weak_classdump.cy; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")
Executable analysis
The following tools can be used to analyze an executable.
dumpdecrypted
App Store app executables are encrypted. dumpdecrypted can generate a decrypted executable from one:
iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../Application.app/Application
iPhone$ ls Application*
Application #original executable
Application.decrypted #decrypted, generated executable
class-dump, class-dump-z
From a given executable, these tools will generate header files with class interfaces. This allows for an analysis of what methods exist in the executable, which can help you guess which ones to hook to get given functionality.
See Getting Started#Looking at classes and Debugging on iOS 7#Class-dumping.
Disassemblers
Disassemblers are useful when you need an in-depth analysis of a binary. These programs convert the compiled code into assembly for your examination. Assembly is hard to understand for beginners and is platform-dependent (ARM assembly is very different from x86 assembly), so you need a good knowledge of assembly to find disassemblers useful.
IDA
IDA (Interactive Disassembler) is a popular program for disassembling binaries. It supports a plethora of processors. IDA has tons of features and has been in development for more than a decade.
It is a commercial application, and it takes some time to get used to. For analyzing Objective-C applications, KennyTM's fixobjc2.idc script is useful for exposing Objective-C method definitions and calls.
Hopper
Hopper is quite new and only supports a small subset of the features that IDA has. It is fast and has a nice user interface. However, the produced assembly code is not as good as the one produced by IDA.
otool
write me please
strings
strings is a simple utility that will print all the strings in a given binary.
Example usage:
bash$ strings crash_mover
moveLogsAtPath
Could not open and lock %s: %s. Proceeding with copy anyway.
Extensions
...
nm
nm is a utility that displays the symbol table of a given binary.
Example usage:
bash$ nm CoreTelephony
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
...
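The nm output above already contains Objective-C method symbols of the form +[Class selector] and -[Class selector]. As an added example (not part of the original page or of nm), the script below parses nm output and groups those methods per class, giving a rough class-dump-like interface listing straight from the symbol table; return and argument types are not recoverable from symbol names, so the listing shows selectors only. The sample nm output is constructed for the example (addresses and the extra lines are made up).

```python
import re
from collections import defaultdict

# Constructed sample of `nm` output in the shape shown above (addresses and
# the instance-method, C-function and undefined-symbol lines are made up).
SAMPLE_NM = """\
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]
0001dc10 t -[CTMmsEncoder encodeMessage:toData:]
0001dd40 t -[CTMmsEncoder init]
00012340 T _CTCallCopyAddress
         U _objc_msgSend
"""

# nm prints: <address> <type letter> <symbol>; undefined symbols have no address.
NM_LINE_RE = re.compile(r"^(?:([0-9a-fA-F]+)\s+)?([A-Za-z?])\s+(.+)$")
# Objective-C method symbols: +[Class selector], -[Class(Category) selector]
OBJC_METHOD_RE = re.compile(r"^([+-])\[(\w+)(?:\((\w+)\))?\s+(.+)\]$")


def parse_nm(text):
    """Yield (address_or_None, type_letter, symbol) for each nm output line."""
    for line in text.splitlines():
        m = NM_LINE_RE.match(line.strip())
        if m:
            addr = int(m.group(1), 16) if m.group(1) else None
            yield addr, m.group(2), m.group(3)


def objc_methods_by_class(text):
    """Group Objective-C methods by class: {class: [(kind, selector), ...]}."""
    classes = defaultdict(list)
    for _addr, _type, symbol in parse_nm(text):
        m = OBJC_METHOD_RE.match(symbol)
        if not m:
            continue  # plain C or undefined symbol, not a method
        kind, cls, category, selector = m.groups()
        name = "%s(%s)" % (cls, category) if category else cls
        classes[name].append((kind, selector))
    return dict(classes)


def as_interface(methods_by_class):
    """Render the grouped methods as a class-dump-style @interface listing."""
    out = []
    for cls in sorted(methods_by_class):
        out.append("@interface %s" % cls)
        out.extend("%s %s;" % (kind, sel) for kind, sel in methods_by_class[cls])
        out.append("@end")
    return "\n".join(out) + "\n"
```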