know a certain private class better. In this chapter, when we came across some suspicious variables, we didn't strictly analyze them with IDA and LLDB; we only browsed the corresponding headers, guessed their prototypes and usages, then tested with Cycript to achieve our goals. The famous leader of my country, Deng Xiaoping, once said: "It doesn't matter whether a cat is white or black, as long as it catches mice", which applies to iOS reverse engineering too.



  1. Analyze functions in IDA to connect the dots and form a plane


To inspect the implementation of a function, IDA is one of the handiest tools. Cross references, address jumping, global search and so on help us quickly locate what we're interested in, as well as browse the context to form an overall understanding. In detecting iMessages, we straightened out the relationships among [CKMessageEntryView updateEntryView], [CKPendingConversation sendingService], [CKPendingConversation composeSendingService], IMChatCalculateServiceForSendingNewCompose and so on; among them, IMChatCalculateServiceForSendingNewCompose is a C function, hence immune to class-dump. In sending iMessages, we traced from the high level method [CKTranscriptController sendComposition:CKComposition], through [CKTranscriptController _startCreatingNewMessageForSending:], [CKConversation sendMessage:newComposition:] and [CKConversation sendMessage:onService:newComposition:], to the low level method [IMChat sendMessage:IMMessage]. All these operations pick call chains out of a plane according to the keywords and clues provided by IDA. That's a lot of handwork, but with the assistance of IDA the workload is totally acceptable.
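As an added illustration that is not from the book, the sending chain above can be confirmed dynamically once LLDB is attached to MobileSMS: one breakpoint at each end of the chain, with the backtrace printed at the low level end so the intermediate callers appear in order. It assumes an arm64 device (first Objective-C argument in $x2; on armv7 it would be $r2), a debugserver already listening at the address shown (an assumption), and that the C function's symbol is exported as it was in IDA.

```lldb
# Attach to the running MobileSMS process (address and port are assumptions)
(lldb) process connect connect://192.168.1.5:1234

# High level end of the sending chain identified in IDA
(lldb) breakpoint set --name "-[CKTranscriptController sendComposition:]"

# Low level end: print the callers and the IMMessage argument each time it is hit
(lldb) breakpoint set --name "-[IMChat sendMessage:]"
(lldb) breakpoint command add 2
> bt 8
> po $x2
> continue
> DONE

# The C function that class-dump cannot see is still a symbol LLDB can break on
(lldb) breakpoint set --name IMChatCalculateServiceForSendingNewCompose
(lldb) continue
```

When a message is sent on the device, the backtrace printed at breakpoint 2 should list the CKConversation and CKTranscriptController methods from the paragraph above as frames between the two ends.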



  1. Pick out the exact line, i.e. call chain from the plane with LLDB


LLDB plays a significant role throughout the whole chapter. Although we tried to limit its usage in section 10.3, we had to bring it out when tracing function callers and dynamically analyzing arguments. Compared with GDB, LLDB supports iOS better, with rare crashes and bugs; it works great on Objective-C objects, making our debugging much smoother. When we were working on the detecting and sending of iMessages, LLDB helped us clarify a great amount of detail; based on careful analysis of tightly related data sources, we abstracted a short account of the working principles and design ideas of iMessage: MobileSMS plays the
