The closed nature of iOS greatly increases the difficulty of researching it. To make the system more secure, iOS introduced many security mechanisms: code encryption, which means the code has to be decrypted before it can be analysed; the sandbox; and code signing, which prevents unsigned code from running. These mechanisms make iOS harder to study than Linux or Windows.
Even so, that does not stop us from moving forward.
Required hardware: a jailbroken device, ideally an iPhone.
Jailbreaking is required because only a jailbroken device can run software that does not come from the App Store.
Required software: install the following from Cydia:
1. OpenSSH: the SSH service commonly used on Linux; once installed, the device acts as an SSH server.
2. GNU Debugger (gdb): the debugging tool.
3. adv-cmds (provides the ps command).
4. darwin cc tools (provides otool).
5. Link Identity Editor (ldid).
On the PC, install an SSH client such as SSH Secure Shell Client or PuTTY so that you can open an SSH connection to the device.
IDA Pro: anyone who has done reverse engineering knows it. Its static analysis is very powerful, and versions 6.2 and later can recognise Objective-C structures and display Objective-C function names, as shown in the figure below:
Hopper Disassembler: this tool came out only recently and I have not used it yet, but it is said to be very powerful too. In any case IDA Pro is very expensive and few individuals can afford it, so Hopper Disassembler is an alternative. Finally there is class-dump-z, which can recover symbol information when neither of the two tools above is available.
With the hardware and software ready, we can start debugging.
1. Run the SSH client on the PC and connect to the device with username root and the default password alpine. After the first login, change the default password with the passwd command so that an attacker on the local network cannot break in.
2. Run the program you want to debug on the device, e.g. iRead. The command ps -ax lists the ids of all running processes, and gdb -p <pid> attaches to the chosen process (for example gdb -p 10110).
In addition, the output of otool -l <binary> | grep crypt shows where the encrypted code lies. With these preparations done, we can first run the commands below as a test.
SSH Secure Shell 3.2.9 (Build 283)
Copyright (c) 2000-2003 SSH Communications Security Corp - http://www.ssh.com/
This copy of SSH Secure Shell is a non-commercial version.
This version does not include PKI and PKCS #11 functionality.
MMs-iPod:~ root# passwd
Changing password for root.
New password:
Retype new password:
MMs-iPod:~ root# ps -ax
PID TTY TIME CMD
…… (unrelated entries omitted)
12416 ?? 0:02.52 /var/mobile/Applications/4DFD17D1-39AC-4F10-8AB8-3A4CB99E9E77/iRead.app/iRead
…… (unrelated entries omitted)
MMs-iPod:~ root# gdb -p 12416
/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype , defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
/private/var/root/12416: No such file or directory
Attaching to process 12416.
Reading symbols for shared libraries . done
Reading symbols for shared libraries ............................................................................................................................................. done
Reading symbols for shared libraries + done
0x39556eb4 in mach_msg_trap ()
(gdb) quit
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from process 12416.
MMs-iPod:~ root# otool -l /var/mobile/Applications/4DFD17D1-39AC-4F10-8AB8-3A4CB99E9E77/iRead.app/iRead | grep crypt
cryptoff 8192
cryptsize 8601600
cryptid 1
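The three crypt* lines that otool prints come from a single Mach-O load command, LC_ENCRYPTION_INFO (LC_ENCRYPTION_INFO_64 on arm64): cryptoff and cryptsize delimit the encrypted range of the file, and cryptid is 1 while the code is still under FairPlay encryption and 0 once it is not. The parser below is an added example, not code from the original post; it walks the Mach-O header and load commands to recover exactly those fields, handles fat (multi-architecture) containers, and reports them in the same format as otool -l | grep crypt. The Mach-O images it inspects are constructed in-line with the values from the iRead output above (8192 / 8601600 / 1), so it runs offline; the helper names build_sample, build_fat, parse_thin, parse_macho, is_encrypted and otool_style are mine. It only handles little-endian images, which covers every iOS binary.

```python
"""Locate LC_ENCRYPTION_INFO in a Mach-O image, the load command behind the
"cryptoff / cryptsize / cryptid" lines that otool -l prints. Added example."""
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O (armv7 binaries such as iRead above)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O (arm64)
FAT_MAGIC = 0xCAFEBABE      # multi-architecture container; its header is big-endian
LC_SEGMENT = 0x1
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM = 12
CPU_SUBTYPE_ARM_V7 = 9
MH_EXECUTE = 2


def parse_thin(blob, base=0):
    """Walk the load commands of one little-endian Mach-O image starting at `base`.
    Returns cputype plus the three crypt* fields (None when the image carries
    no LC_ENCRYPTION_INFO at all)."""
    magic, = struct.unpack_from("<I", blob, base)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    cputype, _subtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<IIIII", blob, base + 4)
    info = {"cputype": cputype, "cryptoff": None, "cryptsize": None, "cryptid": None}
    off = base + header_size
    end = off + sizeofcmds
    if end > len(blob):
        raise ValueError("file truncated inside the load commands")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("LC_ENCRYPTION_INFO too short")
            # both variants lay out cryptoff, cryptsize, cryptid right after cmd/cmdsize
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<III", blob, off + 8)
            break
        off += cmdsize
    return info


def parse_macho(blob):
    """One parse_thin() result per architecture; transparently unwraps fat files."""
    magic, = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(blob, 0)]
    nfat, = struct.unpack_from(">I", blob, 4)
    results = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
        if offset + size > len(blob):
            raise ValueError("fat arch %d runs past end of file" % i)
        results.append(parse_thin(blob, offset))
    return results


def is_encrypted(blob):
    """True if any architecture slice still has cryptid != 0 (code is FairPlay-encrypted)."""
    return any(a["cryptid"] for a in parse_macho(blob))


def otool_style(blob):
    """Reproduce the lines `otool -l <binary> | grep crypt` would print, per architecture."""
    lines = []
    for a in parse_macho(blob):
        if a["cryptid"] is None:
            lines.append("(no LC_ENCRYPTION_INFO)")
            continue
        lines += ["cryptoff %d" % a["cryptoff"], "cryptsize %d" % a["cryptsize"], "cryptid %d" % a["cryptid"]]
    return lines


def build_sample(cryptid, cryptoff=8192, cryptsize=8601600):
    """Constructed armv7 executable: one LC_SEGMENT for __TEXT plus, unless cryptid is
    None, an LC_ENCRYPTION_INFO (default values mirror the iRead output above)."""
    cmds = struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, b"__TEXT",
                       0x4000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    ncmds = 1
    if cryptid is not None:
        cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, cryptoff, cryptsize, cryptid)
        ncmds = 2
    header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7,
                         MH_EXECUTE, ncmds, len(cmds), 0)
    return header + cmds


def build_fat(images, slot=0x4000):
    """Constructed fat container: each thin image gets its own 16 KiB slot."""
    entries, body = b"", b""
    for i, img in enumerate(images):
        cputype, cpusubtype = struct.unpack_from("<II", img, 4)
        entries += struct.pack(">IIIII", cputype, cpusubtype, slot * (i + 1), len(img), 14)
        body += img.ljust(slot, b"\0")
    head = struct.pack(">II", FAT_MAGIC, len(images)) + entries
    return head.ljust(slot, b"\0") + body


if __name__ == "__main__":
    for label, img in (("encrypted", build_sample(1)), ("decrypted", build_sample(0))):
        print(label, is_encrypted(img), otool_style(img))
```

To use it on a real file, read the binary with open(path, "rb").read() and pass the bytes to otool_style or is_encrypted. An App Store binary should show cryptid 1; a cryptid of 0 in a Mach-O that still comes from the store is a quick tell that the copy has been tampered with, which is the check a defender would run on files found on a device.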