iOS App Reverse Engineering Resources

  • Environment
  • Books
  • Resources
  • PWN
  • Forums

    It has been a long time since I last reverse engineered an app. Recently I needed to look at how some other apps implement certain things, so I wanted to brush up. Over the past two years several commonly used tools have also changed, and some new ones have appeared. This article summarizes the basic methods and tools for app reverse engineering, plus some books. I will try to update it here as I find new things.

    Environment

    Hardware

    1. An iPhone or iPad running iOS
    2. A MacBook or other Mac running macOS

    Jailbreaking

    Whether a device can be jailbroken can be checked on this site: https://canijailbreak.com/ It also links to the jailbreak software for download.

    Tools

    frida

    官网 https://www.frida.re/

    Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.

    cycript

    http://www.cycript.org/

    Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.

    chisel (lldb script)

    https://github.com/facebook/chisel

    Chisel is a collection of LLDB commands to assist debugging iOS apps.

    The two commands I use most are pview and pvc. All supported commands are listed in the wiki: https://github.com/facebook/chisel/wiki

    MonkeyDev

    https://github.com/AloneMonkey/MonkeyDev

    An upgrade of the original iOSOpenDev, and an all-in-one tool for non-jailbroken plugin development!

    1. Develop CaptainHook Tweaks, Logos Tweaks and command-line tools in Xcode for use on jailbroken devices; this is a migration and improvement of the original iOSOpenDev functionality.
    2. Drag in a single decrypted (dumped) app and it automatically integrates class-dump, restore-symbol, Reveal, Cycript and the injected dynamic library, then re-signs and installs the app on a non-jailbroken device.
    3. Supports debugging your own dynamic libraries and third-party apps.
    4. Supports integrating SDKs and non-jailbroken plugins into third-party apps via CocoaPods; in short, it builds a non-jailbroken plugin store on top of CocoaPods.

    A newcomer, born in 2017, and already an essential tool for analyzing closed-source apps.

    passionfruit

    https://github.com/chaitin/passionfruit

    Built on frida and a must-have for reversing; it makes it easy to see all kinds of information about third-party apps.

    • Cross platform web GUI!
    • Also supports non-jailbroken device (see Non-jailbroken device).
    • List all url schemes.
    • Check signature entitlements.
    • List human readable app meta info (Info.plist).
    • Capture screenshot.
    • Checksec: see if target app is encrypted, and has enabled PIE, ARC and stack canary.
    • App sandbox file browser. Directly preview images, SQLite databases and plist files on device. You can always download the file for further investigation.
    • And more.

    objection

    https://github.com/sensepost/objection

    A toolkit built on frida.

    objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

    theos

    https://github.com/theos/theos

    Provides templates and tools for all kinds of reverse-engineering development.

    A cross-platform suite of tools for building and deploying software for iOS and other platforms.

    HookZz

    https://github.com/jmpews/HookZz

    a hook framework for arm/arm64/ios/android

    AppleTrace

    https://github.com/everettjf/AppleTrace

    Objective C message tracing tool for iOS/macOS based on HookZz

    dump

    frida-ios-dump

    https://github.com/AloneMonkey/frida-ios-dump

    Makes dumping an app very convenient. Can replace Clutch.

    pull decrypted ipa from jailbreak device

    Clutch

    https://github.com/KJCracks/Clutch

    Fast iOS executable dumper

    dumpdecrypted

    https://github.com/AloneMonkey/dumpdecrypted

    Adds the ability to dump dynamic libraries on top of the original version.

    Dumps decrypted mach-o files from encrypted applications, frameworks or app extensions.

    dump class

    Generate Objective-C headers from Mach-O files.

    class-dump/class-dump-z/classdump-dyld

    swift class dump

    Hikari

    https://github.com/HikariObfuscator/Hikari

    Reveal

    https://revealapp.com/

    IDA

    The indispensable tool.

    Hopper

    Lightweight disassembler/decompiler.

    Flex

    https://github.com/Flipboard/FLEX

    Other

    strings, nm, weak_classdump

    http://iphonedevwiki.net/index.php/Reverse_Engineering_Tools

    Books

    iOS应用逆向工程 (iOS App Reverse Engineering)

    Chinese: http://item.jd.com/11670145.html English: https://github.com/iosre/iOSAppReverseEngineering

    Hacking iOS Applications

    http://iosre.com/t/hacking-ios-applications/8014

    security.ios-wiki.com

    https://wizardforcel.gitbooks.io/ios-sec-wiki/

    Advanced Apple Debugging & Reverse Engineering

    https://store.raywenderlich.com/products/advanced-apple-debugging-and-reverse-engineering

    Reverse Engineering for Beginners

    https://beginners.re/ Chinese edition: https://item.jd.com/12166962.html

    Beginner’s Guide to Exploitation on ARM

    http://zygosec.com/Products/

    *OS Internals

    • Volume I - User Mode
    • Volume III - Security & Insecurity

    Volume II is reportedly coming out this autumn (2018).

    http://newosxbook.com/

    Resources

    Anti-debugging and hook-detection material

    Attacking BYOD Enterprise Mobile Security Solutions

    OWASP Mobile Security Testing Guide

    https://www.gitbook.com/book/b-mueller/the-owasp-mobile-security-testing-guide

    iOS Security Wiki

    https://legacy.gitbook.com/book/wizardforcel/ios-sec-wiki/details http://security.ios-wiki.com

    Other

    http://iphonedevwiki.net/
    http://www.cydiasubstrate.com/
    https://www.theiphonewiki.com/

    https://github.com/michalmalik/osx-re-101
    https://github.com/kpwn/iOSRE
    https://github.com/pandazheng/IosHackStudy

    http://www.droidsec.cn/category/ios%e5%ae%89%e5%85%a8%e6%94%bb%e9%98%b2/

    https://github.com/nygard
    https://github.com/saurik

    PWN

    Introductory security articles

    https://www.fuzzysecurity.com/tutorials.html

    Getting started with pwn

    http://pwnable.kr/

    IoT security: Azeria Labs

    https://azeria-labs.com/writing-arm-shellcode/

    ARM assembly and advanced iOS debugging

    https://zhuanlan.zhihu.com/c_142064221

    Forums

    http://iosre.com