Microsoft Word - iOSAppReverseEngineering.docx
Figure 3-54 Apple File Conduit 2 3.6 dyld_decache After installing iFunBox and AFC2, most of you would be eager to start browsin ...
snakeninnysiMac:~ snakeninny$ chmod +x /path/to/dyld_decache\[v0.1c\] Then extract binaries from the cache: snakeninnysiMac:~ sn ...
Chapter 4 iOS toolkit In chapter 3 we introduced the OS X toolkit for iOS reverse engineering. To get our work done, we still ...
actually verifies whether an NSString object has a certain prefix. Isn’t it easy to understand? Logos syntax, which we’ve introd ...
Figure 4-3 Replace Function A with B We can see in figure 4-3 that this process executes some instructions at first, but then c ...
talking about. Anyway, welcome to http://bbs.iosre.com for further discussion. Follow me: Create iOSRETargetApp with Theos. The ...
{ u_int32_t randomNumber; if (i % 3 == 0) randomNumber = arc4random_uniform(i); NSProcessInfo *processInfo = [NSProcessInfo proc ...
include theos/makefiles/common.mk APPLICATION_NAME = iOSRETargetApp iOSRETargetApp_FILES = main.m iOSRETargetAppApplication.mm R ...
else old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked C++ function!"); } void (*old_CFunction)(const char *); v ...
“symbol table”. A “symbol” is the name of a function; it is what the process uses to locate the function’s address in memory a ...
all extracted via IDA, as illustrated in this example. Drag and drop iOSRETargetApp’s binary into IDA. The Functions window afte ...
Figure 4-6 CFunction Figure 4-7 ShortCFunction This approach of symbol locating applies to all kinds of symbols. In the beginn ...
void InitializeMSHookFunction(void) // This function is often called in %ctor i.e. constructor { MSImageRef image = MSGetImageBy ...
function. We could tell whether the caller was ShortCFunction by inspecting the callee’s argument, and thus indirectly hook the short functio ...
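The following Tweak.xm is an added example, not code from the book or from the iOSRETargetApp project, that puts the two ideas above together: locate a C function by its symbol name (stable across ASLR slides) instead of by a hard-coded address, and recognise the short, unhookable caller indirectly from the argument it forwards. Assumptions not taken from the page: the target binary lives at /Applications/iOSRETargetApp.app/iOSRETargetApp, it exports a C symbol `_CFunction` with the signature `void CFunction(const char *)`, ShortCFunction forwards the literal string "ShortCFunction" to it, and the tweak's filter plist restricts injection to that app's bundle. The CydiaSubstrate calls (`MSGetImageByName`, `MSFindSymbol`, `MSHookFunction`) and the Logos `%ctor` block are real API; everything else is constructed for illustration.

```objectivec
// Tweak.xm  (Logos / Objective-C++; built with Theos, linked against CydiaSubstrate)
#import <substrate.h>
#import <Foundation/Foundation.h>
#include <string.h>

// Trampoline to the original CFunction; MSHookFunction fills this in.
static void (*orig_CFunction)(const char *);

// Replacement body: runs in place of CFunction, then calls through to the original.
static void hooked_CFunction(const char *arg)
{
    // Assumption (not from the book): ShortCFunction is too short to patch directly,
    // so it is detected indirectly by the argument it passes down to CFunction.
    if (arg && strcmp(arg, "ShortCFunction") == 0) {
        NSLog(@"[iOSRETweak] CFunction reached via ShortCFunction");
    }
    NSLog(@"[iOSRETweak] CFunction(\"%s\")", arg ? arg : "(null)");
    orig_CFunction("Hooked by MSHookFunction!");
}

%ctor
{
    @autoreleasepool {
        // Assumed install path of the Theos-built target app.
        MSImageRef image = MSGetImageByName("/Applications/iOSRETargetApp.app/iOSRETargetApp");
        if (!image) {
            NSLog(@"[iOSRETweak] target image not loaded; nothing to hook");
            return;
        }
        // C symbols carry a leading underscore in the Mach-O symbol table, hence "_CFunction".
        void *sym = MSFindSymbol(image, "_CFunction");
        if (!sym) {
            NSLog(@"[iOSRETweak] _CFunction not found; binary may be stripped");
            return;
        }
        // Install the inline hook and keep a callable pointer to the original.
        MSHookFunction(sym, (void *)hooked_CFunction, (void **)&orig_CFunction);
        NSLog(@"[iOSRETweak] hooked CFunction at %p", sym);
    }
}
```

Both NULL checks matter in practice: a stripped release binary drops `_CFunction` from the symbol table, and hooking a NULL pointer would crash the target at launch, which is exactly the situation safe mode exists to recover from. When the symbol is missing, the fallback is to locate the function in IDA and hook `(void *)(MSGetImageSlide(image) + offset)` instead, with the offset labelled for the specific binary version it was taken from.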
Figure 4-8 Safe mode In safe mode, all third-party tweaks based on CydiaSubstrate are disabled for troubleshooting. But ...
4.2 Cycript Figure 4-9 Cycript Cycript (as shown in figure 4-9) is a scripting language developed by saurik. You can view Cycri ...
After that, you can start coding. Instead of writing Apps, we mainly use Cycript to test methods, so we need to inject and run c ...
that’s Cycript. If a function has a return value, Cycript will print its memory address and description in real time, which is v ...
would be enough. Let’s summarize the use of Cycript with an example of logging in to iMessage with my Apple ID. First we need to ...
Figure 4-12 Select iMessage addresses The return value indicates that we are correct so far. Finally, let’s check whether my iMessage ac ...