This article is a collection of reverse engineering tools that I sorted out while learning reverse engineering. It is only a record, not a detailed tutorial. Reading it requires some background knowledge of reverse engineering.
1, Cycript
Introduction
Cycript is an iOS runtime tool that can hook into running processes and provides the following capabilities:
1. View and modify the application while it is running, and obtain all class names and method names currently in use
2. Modify the value of an instance variable at runtime
3. Method swizzling: replace the implementation of a specific method
4. Call arbitrary code at runtime
Of course, Cycript can do much more than this. For more details, refer to the official website and the user manual.
Example: hooking the SpringBoard process
ps -e | grep SpringBoard    // ps -e lists all processes; filter by the process name
cycript -p <pid>            // inject into the process
Cycript syntax: variables need no type declaration and statements need no trailing semicolon; the rest is consistent with Objective-C syntax.
alertView = [[UIAlertView alloc] initWithTitle:@"t" message:@"msg" delegate:nil cancelButtonTitle:@"ok" otherButtonTitles:nil]
[alertView show]
Or access the object through its memory address:
[#0x13692f840 show]    // don't forget the # prefix
If you don't know an object's memory address, you can find it with the choose command:
choose(UIViewController)
2, OpenSSH
OpenSSH provides remote login to the iPhone. You need to install the OpenSSH package on the iPhone before use. The default OpenSSH login password is: alpine
Remote login example
ssh root@<device ip address>
ssh root@192.168.31.154
Modify the OpenSSH default password:
root# passwd
Changing password for root.
New password:
Retype new password:
root#
3, theos
An iOS jailbreak development framework that simplifies the process of writing jailbreak programs.
4, lldb + debugserver
Remote debugging of iOS apps
1. Copy the debugserver file from the phone to the Mac
scp root@192.168.31.154:/Developer/usr/bin/debugserver ~/
2. Thin the fat binary to the architecture of the phone (arm64 here)
lipo -thin arm64 ~/debugserver -output ~/debugserver
3. Add the task_for_pid entitlement to debugserver
Download http://iosre.com/ent.xml to ~/ (that is, /Users/<user name>/) and execute:
/opt/theos/bin/ldid -Sent.xml debugserver
4. Copy the signed debugserver back to the phone as /usr/bin/debugserver
scp ~/debugserver root@<iPhone ip>:/usr/bin/debugserver
5. Log in to the phone via ssh and start debugserver listening
debugserver *:1234 -a "MobileSMS"    // 1234 is the listening port, MobileSMS the process name
or
debugserver *:1234 -a /Applications/MobileSMS.app/MobileSMS    // attach by executable path
6. Start lldb in a Mac terminal and connect to debugserver:
lldb                                               // start lldb
(lldb) process connect connect://<iOS ip>:<port>   // the port must match the one debugserver listens on
5, dyld_decache
Extracts binaries from the iOS system
Since iOS 3.1, many libraries, including the frameworks, have been merged into /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX (dyld_shared_cache_armv7, dyld_shared_cache_armv7s, dyld_shared_cache_arm64). dyld_decache can extract the individual binaries from this cache.
1. Copy the dyld shared cache from the phone with iFunBox:
/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX
2. Download the extraction tool dyld_decache:
https://github.com/downloads/kennytm/Miscellaneous/dyld_decache[v0.1c].bz2
dyld_decache[v0.1c] can be renamed to dyld_decache
3. Grant execute permission
chmod +x dyld_decache    // use the actual path of the file
4. Execute the extraction command
/Users/ligh/dyld_decache -o /Users/ligh/Desktop/binarys /Users/ligh/Desktop/dyld_shared_cache_armv7s    // or dyld_shared_cache_arm64
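To show what an extractor like dyld_decache has to read before it can pull an image out of the cache, here is an added example (not code from the page or from dyld_decache) that parses the classic dyld_cache_header layout, resolves each image's path, and maps its load address to a file offset through the mapping table. It assumes the old header layout (magic, mappingOffset, mappingCount, imagesOffset, imagesCount) and runs on a constructed two-image sample.

```python
import struct

def parse_cache(blob):
    """Parse the classic dyld_cache_header layout (assumed here; it is the
    layout of the caches the text describes): magic[16], mappingOffset,
    mappingCount, imagesOffset, imagesCount. Returns (arch, mappings, images)."""
    magic = blob[:16].rstrip(b"\0")
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld shared cache: %r" % magic)
    arch = magic[7:].strip().decode()
    map_off, map_cnt, img_off, img_cnt = struct.unpack_from("<IIII", blob, 16)
    # dyld_cache_mapping_info: address, size, fileOffset (u64), maxProt, initProt (u32)
    mappings = [struct.unpack_from("<QQQII", blob, map_off + 32 * i) for i in range(map_cnt)]
    images = []
    for i in range(img_cnt):
        # dyld_cache_image_info: address, modTime, inode (u64), pathFileOffset, pad (u32)
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from("<QQQII", blob, img_off + 32 * i)
        images.append((blob[path_off:blob.index(b"\0", path_off)].decode(), addr))
    return arch, mappings, images

def addr_to_file_offset(mappings, addr):
    """Translate a cache virtual address to a file offset via the mapping table,
    which is how an extractor locates each image's Mach-O header inside the cache."""
    for base, size, file_off, _maxprot, _initprot in mappings:
        if base <= addr < base + size:
            return addr - base + file_off
    raise ValueError("address 0x%x is not covered by any mapping" % addr)

def image_table(blob):
    """{image path: file offset of that image's Mach-O header}."""
    _arch, mappings, images = parse_cache(blob)
    return {path: addr_to_file_offset(mappings, addr) for path, addr in images}

def make_sample():
    """Constructed two-image arm64 cache: header, one mapping, image table, path strings."""
    paths = [b"/System/Library/Frameworks/UIKit.framework/UIKit\0", b"/usr/lib/libSystem.B.dylib\0"]
    map_off, img_off, base = 32, 64, 0x180000000
    header = b"dyld_v1   arm64".ljust(16, b"\0") + struct.pack("<IIII", map_off, 1, img_off, len(paths))
    mapping = struct.pack("<QQQII", base, 0x10000, 0, 5, 5)   # one r-x mapping at file offset 0
    table, strings, str_off = b"", b"", img_off + 32 * len(paths)
    for i, p in enumerate(paths):
        table += struct.pack("<QQQII", base + 0x4000 * (i + 1), 0, 0, str_off + len(strings), 0)
        strings += p
    return header + mapping + table + strings

if __name__ == "__main__":
    for path, off in image_table(make_sample()).items():
        print("0x%08x  %s" % (off, path))
```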
6, dumpdecrypted: extracting header files from an encrypted App
class-dump cannot extract header files from an encrypted App (one downloaded from the App Store). In this case you first need to decrypt the App's executable, commonly known as "cracking the shell". dumpdecrypted is a tool for this.
1. Download the dumpdecrypted source code and execute the following commands in turn:
mkdir Code
cd Code/
git clone https://github.com/stefanesser/dumpdecrypted.git
cd dumpdecrypted/
make
2. Close all applications and open the App to be decrypted
ps -e                   // find the executable name of the App
cycript -p TargetApp    // attach to the process
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]    // find the App's Documents directory
3. Copy dumpdecrypted.dylib to the TargetApp Documents directory
scp /Users/ligh/Desktop/Code/dumpdecrypted/dumpdecrypted.dylib root@<iPhone ip>:/var/mobile/Applications/XXX/Documents/
4. On the phone, enter the TargetApp Documents directory
cd /var/mobile/Applications/XXX/Documents/
5. Start cracking the shell
DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/557619D0-29AC-40DD-9266-8A0154F634AA/WeChat.app/WeChat    // path of the App executable
An XX.decrypted file will be generated in the current Documents directory. Copy it to OS X and analyze it with class-dump or IDA.
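Before running class-dump it helps to know whether a binary is actually still encrypted, and afterwards whether the dumped file really came out decrypted. The added example below (not code from the page or from dumpdecrypted) walks the load commands of a thin Mach-O and reports the cryptid from LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64: non-zero means the __TEXT range is encrypted and class-dump will fail. It assumes a little-endian thin binary (fat binaries need lipo -thin first) and ships with a constructed arm64 header as sample input.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(blob):
    """Walk the load commands of a thin little-endian Mach-O and return
    (cryptid, cryptoff, cryptsize) from LC_ENCRYPTION_INFO[_64], or None
    when the binary carries no such command at all."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC_64:
        hdr_len = 32            # mach_header_64 has an extra 'reserved' field
    elif magic == MH_MAGIC:
        hdr_len = 28
    else:
        raise ValueError("not a thin little-endian Mach-O; run lipo -thin on fat binaries first")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    off, end = hdr_len, hdr_len + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            return cryptid, cryptoff, cryptsize
        off += cmdsize
    return None

def is_encrypted(blob):
    """True when class-dump would fail: cryptid != 0 means the covered range is
    still encrypted. A correctly dumped '.decrypted' file reports False."""
    info = encryption_info(blob)
    return info is not None and info[0] != 0

def make_sample(cryptid):
    """Constructed arm64 MH_EXECUTE header with one LC_ENCRYPTION_INFO_64 covering
    0x8000 bytes from file offset 0x4000 (sample input, not a real App binary)."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(1)
    print("encrypted" if is_encrypted(data) else "not encrypted", encryption_info(data))
```

Run it on the original executable and on the XX.decrypted output to confirm that the cryptid went from 1 to 0.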
7, iOS runtime headers
1.iOS-Runtime-Headers: https://github.com/nst/iOS-Runtime-Headers
2.OSXRuntimeBrowser: https://github.com/nst/RuntimeBrowser
For more, please search: iOS private Headers
8, plutil
1. View plist content
plutil -p /Users/ligh/Desktop/com.apple.SpringBoard.plist
2. Convert plist to xml
plutil -convert xml1 /Users/ligh/Desktop/com.apple.SpringBoard.plist
3. View the help
man plutil
4. Syntax check
plutil -lint /Users/ligh/Desktop/com.apple.SpringBoard.plist
Due to my limited ability, I hope you will correct me if I have misunderstood anything. The article will be continuously updated as I learn.