Microsoft Word - iOSAppReverseEngineering.docx


Promise me you'll remember the "sentence of the book", which is the key to most problems in iOS reverse engineering!

This section walked you through only the most basic knowledge of ARM assembly; there were certainly omissions. Honestly, though, with the "sentence of the book" and the official ARM site you can start reversing 99% of Apps. Next, it's time to figure out how to use what we have just learned in practical iOS reverse engineering.


6.2 Advanced methodology of writing a tweak


In "Methodology of writing a tweak" in chapter 5, we condensed the methodology into 5 steps: 1. look for inspiration; 2. locate target files; 3. locate target functions; 4. test private methods; 5. analyze method arguments. These steps seem reasonable, but the description of the most important step, "locate target functions", is weak and untenable. Can "look for interesting keywords in class-dump headers" really be equated with "locate target functions"? No.


In the vast majority of cases, only 2 elements of an App attract our interest: its functions and its data. What if we discover an interesting function but fail to find any related keyword in the class-dump headers? And how do we trace an interesting piece of data back to the code that generates it? In these cases class-dump is all thumbs. So "look for interesting keywords in class-dump headers" is just one scenario of "locate target functions"; we overgeneralized. In the more general case, how should we locate target functions?
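To make the limitation concrete, here is an added example (not code from the book) that does the "keyword in class-dump headers" step mechanically: it parses class-dump style headers into class names and selectors and searches them for a keyword. The headers, class names and selectors are constructed for this example and are hypothetical, not real Apple headers. A function with a descriptive name ("compose") is found immediately; the phone number displayed by a generic settings cell leaves no keyword trace at all, which is exactly the case where class-dump alone cannot tell you where the data comes from.

```python
import re
from typing import Dict, List, Tuple

# Constructed class-dump style headers (hypothetical class and selector
# names made up for this example; they are not real Apple headers).
SAMPLE_HEADERS: Dict[str, str] = {
    "MailboxContentViewController.h": """\
@interface MailboxContentViewController : UIViewController
{
    UIBarButtonItem *_composeButton;
}
- (void)composeButtonClicked:(id)arg1;
- (void)viewDidLoad;
@end
""",
    "SettingsValueCell.h": """\
@interface SettingsValueCell : UITableViewCell
- (void)setValue:(id)arg1 forKey:(id)arg2;
- (id)value;
@end
""",
}

INTERFACE_RE = re.compile(r"^@interface\s+(\w+)", re.MULTILINE)
# '- (void)setValue:(id)arg1 forKey:(id)arg2;' -> ('-', 'setValue:(id)arg1 forKey:(id)arg2')
METHOD_RE = re.compile(r"^([-+])\s*\([^)]*\)\s*([^;]+);", re.MULTILINE)
# Matches one '(type)argname' pair so it can be stripped from a declaration.
ARG_RE = re.compile(r"\([^)]*\)\s*\w+")


def parse_header(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the class name and a list of (kind, selector) pairs, where
    kind is '-' or '+' and selector is the bare Objective-C selector,
    e.g. 'setValue:forKey:'."""
    m = INTERFACE_RE.search(text)
    if m is None:
        raise ValueError("no @interface found")
    methods = []
    for kind, decl in METHOD_RE.findall(text):
        # 'setValue:(id)arg1 forKey:(id)arg2' -> 'setValue:forKey:'
        selector = re.sub(r"\s+", "", ARG_RE.sub("", decl))
        methods.append((kind, selector))
    return m.group(1), methods


def find_keyword(headers: Dict[str, str], keyword: str) -> List[str]:
    """Case-insensitive keyword search over class names and selectors.
    Method matches are reported as '-[Class selector]', class-name
    matches as '@interface Class'."""
    needle = keyword.lower()
    hits = []
    for _filename, text in headers.items():
        cls, methods = parse_header(text)
        if needle in cls.lower():
            hits.append(f"@interface {cls}")
        for kind, selector in methods:
            if needle in selector.lower():
                hits.append(f"{kind}[{cls} {selector}]")
    return hits


if __name__ == "__main__":
    # A function with a descriptive selector is easy to find ...
    print(find_keyword(SAMPLE_HEADERS, "compose"))
    # ... but the phone number shown by a generic settings cell leaves no
    # keyword trace: nothing in these headers mentions 'phone' or 'number'.
    print(find_keyword(SAMPLE_HEADERS, "number"))
```

Run against a real class-dump output directory, the same search would read each `.h` file into the dictionary; the point of the example is the second query, which returns nothing even though the data is plainly visible on screen.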


The functions and data we are interested in all appear in software in some intuitive form we can see or feel. For example, figure 6-10 shows the Mail App (hereafter referred to as Mail), whose button at the bottom right composes an email; figure 6-11 shows the phone settings view of the Settings App (hereafter referred to as MobilePhoneSettings), whose top cell shows my number. App functions are provided by programmatic functions, and data is generated by programmatic functions as well. That is to say, from a programmatic point of view, what we are interested in is, in essence, programmatic functions. So "locate target functions" is really the process of finding the source functions behind the visual expressions of the Apps that interest us.
