iOS Reverse Engineering: Introduction to Dynamic Debugging (LLDB)
1. If IDA is the Heaven-Reliant Sword, LLDB is the Dragon-Slaying Sabre.
2. LLDB, short for Low Level Debugger, is the dynamic debugging tool made by Apple and built into Xcode.
3. LLDB is the debugger that ships with Xcode; it can debug both Mac and iPhone applications.
Address: LLDB address
If you want to learn more about LLDB, take a look at the LLDB introduction site.
Next we go over the LLDB command list, as printed by help:
Debugger commands:
apropos -- List debugger commands related to a word or subject.
breakpoint -- Commands for operating on breakpoints (see 'help b' for
shorthand.)
bugreport -- Commands for creating domain-specific bug reports.
command -- Commands for managing custom LLDB commands.
disassemble -- Disassemble specified instructions in the current
target. Defaults to the current function for the
current thread and stack frame.
expression -- Evaluate an expression on the current thread. Displays
any returned value with LLDB's default formatting.
frame -- Commands for selecting and examing the current thread's
stack frames.
gdb-remote -- Connect to a process via remote GDB server. If no host
is specifed, localhost is assumed.
gui -- Switch into the curses based GUI mode.
help -- Show a list of all debugger commands, or give details
about a specific command.
kdp-remote -- Connect to a process via remote KDP server. If no UDP
port is specified, port 41139 is assumed.
language -- Commands specific to a source language.
log -- Commands controlling LLDB internal logging.
memory -- Commands for operating on memory in the current target
process.
platform -- Commands to manage and create platforms.
plugin -- Commands for managing LLDB plugins.
process -- Commands for interacting with processes on the current
platform.
quit -- Quit the LLDB debugger.
register -- Commands to access registers for the current thread and
stack frame.
reproducer -- Commands controlling LLDB reproducers.
script -- Invoke the script interpreter with provided code and
display any results. Start the interactive interpreter
if no code is supplied.
settings -- Commands for managing LLDB settings.
source -- Commands for examining source code described by debug
information for the current target process.
statistics -- Print statistics about a debugging session
target -- Commands for operating on debugger targets.
thread -- Commands for operating on one or more threads in the
current process.
type -- Commands for operating on the type system.
version -- Show the LLDB debugger version.
watchpoint -- Commands for operating on watchpoints.
Current command abbreviations (type 'help command alias' for more info):
add-dsym -- Add a debug symbol file to one of the target's current modules
by specifying a path to a debug symbols file, or using the
options to specify a module to download symbols for.
attach -- Attach to process by ID or name.
b -- Set a breakpoint using one of several shorthand formats.
bt -- Show the current thread's call stack. Any numeric argument
displays at most that many frames. The argument 'all' displays
all threads.
c -- Continue execution of all threads in the current process.
call -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
continue -- Continue execution of all threads in the current process.
detach -- Detach from the current target process.
di -- Disassemble specified instructions in the current target.
Defaults to the current function for the current thread and
stack frame.
dis -- Disassemble specified instructions in the current target.
Defaults to the current function for the current thread and
stack frame.
display -- Evaluate an expression at every stop (see 'help target
stop-hook'.)
down -- Select a newer stack frame. Defaults to moving one frame, a
numeric argument can specify an arbitrary number.
env -- Shorthand for viewing and setting environment variables.
exit -- Quit the LLDB debugger.
f -- Select the current stack frame by index from within the current
thread (see 'thread backtrace'.)
file -- Create a target using the argument as the main executable.
finish -- Finish executing the current stack frame and stop after
returning. Defaults to current thread unless specified.
image -- Commands for accessing information for one or more target
modules.
j -- Set the program counter to a new address.
jump -- Set the program counter to a new address.
kill -- Terminate the current target process.
l -- List relevant source code using one of several shorthand formats.
list -- List relevant source code using one of several shorthand formats.
n -- Source level single step, stepping over calls. Defaults to
current thread unless specified.
next -- Source level single step, stepping over calls. Defaults to
current thread unless specified.
nexti -- Instruction level single step, stepping over calls. Defaults to
current thread unless specified.
ni -- Instruction level single step, stepping over calls. Defaults to
current thread unless specified.
p -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
parray -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
po -- Evaluate an expression on the current thread. Displays any
returned value with formatting controlled by the type's author.
poarray -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
print -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
q -- Quit the LLDB debugger.
r -- Launch the executable in the debugger.
rbreak -- Sets a breakpoint or set of breakpoints in the executable.
re -- Commands to access registers for the current thread and stack
frame.
repl -- Evaluate an expression on the current thread. Displays any
returned value with LLDB's default formatting.
run -- Launch the executable in the debugger.
s -- Source level single step, stepping into calls. Defaults to
current thread unless specified.
si -- Instruction level single step, stepping into calls. Defaults to
current thread unless specified.
sif -- Step through the current block, stopping if you step directly
into a function whose name matches the TargetFunctionName.
step -- Source level single step, stepping into calls. Defaults to
current thread unless specified.
stepi -- Instruction level single step, stepping into calls. Defaults to
current thread unless specified.
t -- Change the currently selected thread.
tbreak -- Set a one-shot breakpoint using one of several shorthand formats.
undisplay -- Stop displaying expression at every stop (specified by stop-hook
index.)
up -- Select an older stack frame. Defaults to moving one frame, a
numeric argument can specify an arbitrary number.
v -- Show variables for the current stack frame. Defaults to all
arguments and local variables in scope. Names of argument,
local, file static and file global variables can be specified.
Children of aggregate variables can be specified such as
'var-child.x'. The - and [] operators in 'frame variable' do
not invoke operator overloads if they exist, but directly access
the specified element. If you want to trigger operator
overloads use the expression command to print the variable
instead.
It is worth noting that except for overloaded operators, when
printing local variables 'expr local_var' and 'frame var
local_var' produce the same results. However, 'frame variable'
is more efficient, since it uses debug information and memory
reads directly, rather than parsing and evaluating an
expression, which may even involve JITing and running code in
the target program.
var -- Show variables for the current stack frame. Defaults to all
arguments and local variables in scope. Names of argument,
local, file static and file global variables can be specified.
Children of aggregate variables can be specified such as
'var-child.x'. The - and [] operators in 'frame variable' do
not invoke operator overloads if they exist, but directly access
the specified element. If you want to trigger operator
overloads use the expression command to print the variable
instead.
It is worth noting that except for overloaded operators, when
printing local variables 'expr local_var' and 'frame var
local_var' produce the same results. However, 'frame variable'
is more efficient, since it uses debug information and memory
reads directly, rather than parsing and evaluating an
expression, which may even involve JITing and running code in
the target program.
vo -- Show variables for the current stack frame. Defaults to all
arguments and local variables in scope. Names of argument,
local, file static and file global variables can be specified.
Children of aggregate variables can be specified such as
'var-child.x'. The - and [] operators in 'frame variable' do
not invoke operator overloads if they exist, but directly access
the specified element. If you want to trigger operator
overloads use the expression command to print the variable
instead.
It is worth noting that except for overloaded operators, when
printing local variables 'expr local_var' and 'frame var
local_var' produce the same results. However, 'frame variable'
is more efficient, since it uses debug information and memory
reads directly, rather than parsing and evaluating an
expression, which may even involve JITing and running code in
the target program.
x -- Read from the memory of the current target process.
iOS Reverse Engineering Journey (Jailbreak Edition) — Cycript [an excellent debugging tool]
Search for and install the package in Cydia; this is simple, so I won't paste the steps.
$ cycript -p <executable name or process ID>
For the basic syntax and other usage, consult the official documentation.
Besides the common built-in commands, we can write custom functions to implement special features of our own, which makes reverse debugging much more efficient.
Most of these functions I copied from the internet; only the last one I wrote myself, hehe.
I believe most of you can read them; the syntax here is a bit odd, JS plus ObjC, and I wrote mine by imitation too.
Now I want to find out which click event the login button above is wired to.
Now that you know which controller and which method it is, hooking it is a matter of minutes, isn't it?
In a non-jailbroken environment we can use our .cy file in the same way, because MonkeyDev has Cycript built in.
Importing and using it works exactly as described above.
iOS Reverse Engineering: Tools for Viewing the View Hierarchy
iOS Reverse Engineering: Reveal, FLEXLoader, and the View Hierarchy
In iOS reverse engineering, once we have the decrypted executable, our entry point is really the information shown on the user interface; after all, with no targeted information at all, poring over the executable's data in Hopper is like looking for a needle in a haystack. So at this point we need targeted information, namely the controller or class name we need to hook, so that the research that follows has a direction.
Anyone who has studied iOS knows this excellent tool; it can be used to inspect view hierarchy information in both regular and reverse development, although the way it is used differs between the two. Here I mainly introduce how Reveal is used in reverse development.
I fell into some big pitfalls while using this tool.
With both ways of using Reveal, after opening the app to be reversed, it reported: The network connection was lost
As for the two methods:
Open Reveal, then Reveal menu - Help - Show Reveal Library in Finder - iOS Library
Method one:
Note that the format of this plist file must not contain errors; otherwise, after the killall SpringBoard command you get a white Apple logo (boot loop). As for the apps' bundle IDs, just look at the Info.plist file in the app's directory.
Method two:
Recommended method
/Library/RHRevealLoader: create an RHRevealLoader folder under the phone's Library directory, then put libReveal.dylib into that folder.
In the phone's Settings, go to Reveal - Enabled Applications - the app you need
Then connect the Mac and the iOS device to the same LAN, open the app, and view the view hierarchy in Reveal
Of course, if Reveal fails to display anything for you as well:
Solution: your libReveal.dylib is faulty, and you need to swap it for another one
The address of the Reveal.dylib in v2.0 on GitHub
Replace the original libReveal.dylib on the phone with the new one. Another possibility is simply that the LAN connection is too slow.
The result we expect is:
This tool (FLEXLoader) is one I looked into when Reveal would not install no matter what; unlike Reveal, it does not need a connection to a Mac. You only need to install it from Cydia and enable the app whose views you want to inspect in Settings.
As you can see, this tool can browse the app's file directory, the view architecture of the whole app, and the layer structure of the current view, and it has many more features waiting for you to discover.
This is the view hierarchy of our target view.
With a view-hierarchy tool, we can quite quickly find the object we need to study.
Summary of Tools Needed for Reverse Engineering (continuously updated)
1. App decryption (shell-dumping) tools
dumpdecrypted:
Clutch:
2. UI analysis tools
Reveal:
3. Monitoring tools
snoop-it:
introspy:
4. Static analysis tools
IDA:
Hopper:
5. Dynamic debugging tools
lldb:
6. Dynamic scripting tools
cycript:
frida:
7. Packet capture tools
BurpSuite:
Charles:
Wireshark:
8. Mac tools
MachOView:
9. Header export tools
class-dump:
10. THEOS jailbreak development toolkit
theos:
11. File management tools
Filza: browse the file system on the iOS device
iFunBox/iExplorer: browse the iOS device's file system from a Mac
12. debugserver (dynamic debugging, attaching to processes)
13. Common Tweak.xm preprocessor directives
14. Symbol table restoration tool (restore-symbol)
Other tools:
iOSOpenDev:
insert_dylib:
iTerm:
Alfred:
iTools:
Updated: 2018-8-16
phantomjs: provides a command-line interface to a browser environment, effectively a "virtual browser".
PhantomJS official site: .
PhantomJS official API: .
PhantomJS official examples: .
PhantomJS GitHub: .
Reference documents:
MonkeyDev:
Here I'll just copy its feature list directly:
An upgrade of the original iOSOpenDev; an integrated tool for non-jailbroken plugin development!
frida-ios-dump: a one-click app decryption (shell-dumping) tool, very handy.
Hookzz: with Hookzz you can quickly find the methods being called and sort out the program's call logic.
Source:
Documentation:
iOS Reverse Engineering: Introduction to Remote Debugging on the Phone
You can take a look at this article: iOS Reverse Engineering Tools: Introduction to Cydia (iOS)
That article, iOS Reverse Engineering Tools: Introduction to Cydia (iOS), covers roughly that much.
Above, even though I know the password, it still gets entered wrong.
Which brings us neatly to our topic: SSH
In iOS Reverse Engineering Tools: Introduction to Cydia (iOS) I only covered using ssh; this article introduces ssh itself.
Many people confuse SSH, OpenSSH, SSL and OpenSSL
1. SSL (Secure Sockets Layer): a security protocol that provides security and data integrity for network communication; it encrypts the network connection at the transport layer.
2. OpenSSL is the open-source implementation of SSL; the vast majority of HTTPS requests are HTTP + OpenSSL
3. OpenSSH's encryption is done through OpenSSL.
The ssh protocol has two versions: SSH-1 and SSH-2
SSH-2 is the one mostly used today; note that the client and server versions must match for them to communicate
How to generate a related pair of keys (a Key Pair) on the client:
one public key (Public Key) and one private key (Private Key)
mkdir .ssh
I had already created it, so here it reports an error: cannot create directory .ssh, the file already exists.
After running the command, we can log in without a password
Note
If you are still asked for a password after running the command, you can set the permissions on the authorized_keys file
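As an added example (not code from the page), the following Python script audits the permission settings behind the symptom just described, where a key-based login still falls back to a password prompt: sshd's StrictModes ignores an authorized_keys file, or a .ssh directory, that is group- or world-writable, and the ssh client refuses to use a private key that others can read. It also flags authorized_keys lines that are not a valid "type base64 [comment]" entry, since a bad paste is a common cause. The throwaway directory and the key entry are constructed for the demo, not real keys; on the phone, when logging in as root, the directory to check is /var/root/.ssh.

```python
"""Audit and fix the .ssh permissions that make key-based SSH login fall back
to a password prompt (added example, not from the page)."""
import base64
import os
import stat
import tempfile

_GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
_GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def _mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def _check_key_lines(path: str) -> list:
    """Flag lines that are not '<type> <base64> [comment]'."""
    bad = []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank lines and comments are fine
            fields = line.split()
            try:
                ok = len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-", "sk-"))
                base64.b64decode(fields[1], validate=True)  # raises on a mangled blob
            except (ValueError, IndexError):
                ok = False
            if not ok:
                bad.append((path, f"line {lineno}: not a valid public key entry"))
    return bad


def audit_ssh_dir(ssh_dir: str) -> list:
    """Return (path, problem) pairs; an empty list means sshd and ssh accept the files."""
    issues = []
    dir_mode = _mode(ssh_dir)
    if dir_mode & _GROUP_OTHER_WRITE:
        issues.append((ssh_dir, f"mode {dir_mode:04o}: group/other writable, "
                                "sshd StrictModes ignores authorized_keys; expected 0700"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = _mode(path)
        if name == "authorized_keys":
            if mode & _GROUP_OTHER_WRITE:
                issues.append((path, f"mode {mode:04o}: group/other writable; expected 0600"))
            issues.extend(_check_key_lines(path))
        elif name.startswith("id_") and not name.endswith(".pub") and mode & _GROUP_OTHER_ANY:
            issues.append((path, f"mode {mode:04o}: private key readable by others, "
                                 "ssh refuses to use it; expected 0600"))
    return issues


def fix_ssh_permissions(ssh_dir: str) -> None:
    """Apply the conventional modes: 0700 for .ssh, 0600 for authorized_keys and private keys."""
    os.chmod(ssh_dir, 0o700)
    for name in os.listdir(ssh_dir):
        if name == "authorized_keys" or (name.startswith("id_") and not name.endswith(".pub")):
            os.chmod(os.path.join(ssh_dir, name), 0o600)


def run_demo():
    """Build a throwaway .ssh with the typical mistakes, audit it, fix it, re-audit."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o775)  # as if created under a permissive umask
    # Constructed entry: the base64 blob is a placeholder, not a real public key.
    entry = "ssh-ed25519 " + base64.b64encode(b"constructed placeholder key").decode() + " demo@mac"
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as fh:
        fh.write(entry + "\n" + "ssh-ed25519 not*base64 broken@paste\n")  # second line: bad paste
    os.chmod(ak, 0o664)
    before = audit_ssh_dir(ssh_dir)
    fix_ssh_permissions(ssh_dir)
    after = audit_ssh_dir(ssh_dir)  # only the malformed line should remain
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

To check a real account, call audit_ssh_dir(os.path.expanduser("~/.ssh")); the permission fix is the same chmod 700/600 the page's note refers to, while a malformed line has to be re-pasted by hand.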
This article has covered how to log in to the phone remotely without a password.
It also introduced SSH, OpenSSH, SSL and OpenSSL, and described SSH in detail.
I believe you now have an understanding of remote debugging.
iOS Reverse Engineering Tools: Introduction to Theos (macOS)
Run this command in the terminal to install it
Regular iOS developers all have Xcode installed on their Mac. If you have several versions of Xcode installed, just select one of them.
Run the command in the terminal
ldid is the signing tool for jailbroken iPhones (it modifies entitlements) and can sign programs built with Theos (it runs on both OS X and iOS).
We can install it with a terminal command
-ldid is used for signing
-fakeroot is used to simulate root privileges
The installation may take a while; be patient.
Note:
Supplementary notes on ldid signing
A word about encryption algorithms first:
1. Symmetric encryption algorithms:
RC4, DES, 3DES, AES128, AES256, etc.; both sides use the same key for encryption and decryption.
2. Asymmetric encryption algorithms:
RSA, ElGamal, etc.; the two sides use a key pair.
3. Hash algorithms:
Note
Apple signing:
1. Apple signing is signing with Apple's official private key and verification with the public key
2. The signing takes the form of a digital signature
Note
Digital signatures
1. A digital signature is an application of asymmetric-key cryptography together with message digest technology.
2. Apply a hash algorithm to the specified message to obtain a fixed-length message digest.
3. Then encrypt that digest with the private key; the result is the digital signature.
Note
Digital certificates:
1. A digital certificate is a file, signed by Apple's certification authority, the Apple Worldwide Developer Relations Certification Authority (WWDR)
2. Its main purpose is to identify the holder.
Note
A certificate file mainly consists of two parts: the certificate information and the certificate signature
1. Certificate information
Contains the user's public key, the user's personal information, the certification authority's information, the certificate's validity period, and so on
2. Certificate signature
WWDR runs the certificate contents above through a hash algorithm to obtain a fixed-length message digest, then encrypts that digest with its own private key to produce the digital signature.
3. Certificate verification
Note
That completes the introduction to ldid
dpkg: used to manage deb packages.
deb is the standard package format for jailbreak development; dpkg-deb is a tool for manipulating deb files, and only with it can Theos correctly package a project into a deb file.
Some people use this command
It reports: Error: invalid option: --from-bottle
Roughly, this means an invalid option; it may be related to the installed version.
After installing several times, I dropped that option
That completes the dpkg installation.
In the terminal, run
sudo git clone --recursive /opt/theos
We git clone it into the /opt/theos directory.
Cloning takes a while; we need to wait patiently.
In the terminal, set the owner of the /opt/theos directory
sudo chown -R $(id -u):$(id -g) /opt/theos
source ~/.bash_profile
Save the environment variables and make them take effect
That completes the Theos installation.
This article mainly covered the preparation before installing Theos.
In the next article we will introduce how to use Theos, creating a tweak demo to walk you through it.
If you have questions, leave a comment, and stay tuned.
Article URL: http://scpingwu.com/article/dsgsdso.html