Promise me you’ll remember the “sentence of the book”, which is the key to most problems in
iOS reverse engineering!
This section has only walked you through the most basic knowledge of ARM assembly; there
are certainly omissions. However, to be honest, with the “sentence of the book” and the official
ARM site, you can start reversing 99% of all Apps. Next, it’s time for us to figure out how to
use the knowledge we have just learned in practical iOS reverse engineering.
6.2 Advanced methodology of writing a tweak
In “Methodology of writing a tweak” in chapter 5, we summarized the methodology in
5 steps: 1. look for inspiration; 2. locate target files; 3. locate target functions; 4. test private
methods; 5. analyze method arguments. These steps seem reasonable, but the most important
step, “locate target functions”, is weak and untenable as stated. Can we equate “look for interesting
keywords in class-dump headers” with “locate target functions”? No.
In the vast majority of cases, only two aspects of an App attract our interest: its functions and
its data. What if we discover an interesting function, but fail to find any related keywords in the
class-dump headers? And how can we trace an interesting piece of data back to where it is generated?
In these cases, class-dump is of little help. Thus, “look for interesting keywords in class-dump
headers” is just one scenario of “locate target functions”; we have overgeneralized. So, in the
more general case, how should we locate target functions?
The functions and data we’re interested in are all presented in software in some intuitive
form that we can see or feel. For example, figure 6-10 shows the Mail App (hereafter referred to as
Mail), and the button at the bottom right has the function of composing an email; figure 6-11
shows the phone settings view in the Settings App (hereafter referred to as MobilePhoneSettings), whose
top cell shows my number. App functions are provided by programmatic functions, and data is
generated by programmatic functions as well. That is to say, from the programmatic point of view,
what we’re interested in is, in its nature, programmatic functions. So, “locate target functions” is
actually the process of locating the source functions behind the visual presentation of the App
that interests us.