2025-03-26 Update From: SLTechnology News&Howtos
How do you lock onto an app's target classes and functions in iOS reverse engineering? Many newcomers are unclear about this, so the following explains it in detail for anyone who needs it.
I previously explained how to get the structure information of all the classes in an app. What is that good for? A great deal: it is the basis for the next step, which is to do further research through injection.
The smallest unit of injection is the function. In fact, once a program is compiled, classes no longer exist; only binary code is left (instructions and data are all just binary). Fortunately, we are not working with the raw binary (which would be much harder) but with functions, specifically the functions of a particular class.
So, after getting thousands of classes and functions with classdump, which functions do we care about, and how do we lock onto them?
Here are some possible ways to lock onto target classes and functions.
The apps Xiao Cheng studies generally have a rich interface, and the scenarios Xiao Cheng cares about are generally triggered from a specific screen, so starting from the interface is a good choice.
Is there a way to find out which class corresponds to a given screen? If so, you can pick that interface class out of the many classes classdump produced and study its functions and member variables carefully.
Xiao Cheng thinks that the best way at present is to use the Reveal tool.
(I) Use Reveal
First download Reveal (there is a cracked version), for example version 1.6 or 1.5, or version 2.0.
(1) Copy libReveal.dylib to the phone
One of Reveal's main functions is to mirror the interface of an app on the phone to the computer. To do this, Reveal runs on the computer while a "mole" is planted on the phone. That "mole" is libReveal.dylib.
After starting Reveal on your computer, open the Help menu, select Show Reveal Library in Finder, and then click iOS Library to find libReveal.dylib.
Copy it to the DynamicLibraries directory:
scp libReveal.dylib root@192.168.2.57:/Library/MobileSubstrate/DynamicLibraries
Basically, once an app on the phone starts, it can load the dynamic libraries (files with the .dylib suffix) in DynamicLibraries, and a plist file decides which dynamic library gets loaded. This point is important: it means you can write a plist file that makes a given app load a dynamic library you wrote at startup, which is the prerequisite for injection.
The /Library/MobileSubstrate/DynamicLibraries directory exists once the phone has been jailbroken.
For Reveal 2.0, you locate the dynamic library file the same way, but the file is called "RevealServer"; copy it and name the copy "libReveal.dylib".
(2) Copy libReveal.plist to the phone
Find an existing plist file to modify, or write one from scratch, and name it libReveal.plist.
The libReveal.plist file specifies which app should load libReveal.dylib when it starts, for example:
    {
        Filter = {
            Bundles = ( "com.tencent.QQKSong" );
        };
    }
The plist content above makes "Singing for All" load libReveal.dylib when it starts.
com.tencent.QQKSong is the Bundle ID of "Singing for All". There are many ways to find the Bundle ID of a target app, such as looking in its plist file, checking the process information with ps, or dynamic debugging.
Xiaobai: If you don't specify this Filter, will every app load the library when it starts?
Xiao Cheng: Versions before iOS 8 are like this, but later versions need the app to be specified. So, whatever the case, you can't go wrong by specifying this Filter.
Then, copy libReveal.plist to the phone:
scp libReveal.plist root@192.168.2.57:/Library/MobileSubstrate/DynamicLibraries
After that, start Reveal again on the computer and connect to the target app to analyze its interface classes.
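The pairing of a .dylib with a same-named filter plist described in steps (1) and (2) can also be read in the other direction, to see which libraries a DynamicLibraries directory would load into a given app. The following is an added example, not code from the original article: the function names and the "Other" and "Orphan" sample entries are constructed for illustration, and it reads XML or binary plists only (a text-style plist is reported as unreadable).

```python
import plistlib
import tempfile
from pathlib import Path

def audit_filters(directory):
    """Report, per filter plist, the bundle IDs it names and any problem found."""
    report = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        entry = {"dylib_present": plist_path.with_suffix(".dylib").exists(),
                 "bundles": [], "issue": None}
        report[plist_path.stem] = entry
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)  # XML or binary plists only
        except Exception as exc:
            entry["issue"] = f"unreadable plist: {type(exc).__name__}"
            continue
        flt = data.get("Filter") if isinstance(data, dict) else None
        bundles = flt.get("Bundles") if isinstance(flt, dict) else None
        if isinstance(bundles, list) and bundles:
            entry["bundles"] = [b for b in bundles if isinstance(b, str)]
        else:
            entry["issue"] = "no Filter/Bundles list"
        if entry["issue"] is None and not entry["dylib_present"]:
            entry["issue"] = "plist has no matching .dylib"
    return report

def libraries_for(report, bundle_id):
    """Names of libraries whose filter would load them into bundle_id."""
    return sorted(name for name, e in report.items()
                  if e["dylib_present"] and bundle_id in e["bundles"])

def build_sample(directory):
    """Constructed sample directory; only the libReveal entry mirrors the page."""
    d = Path(directory)
    samples = {"libReveal": {"Filter": {"Bundles": ["com.tencent.QQKSong"]}},
               "Other": {"Filter": {"Bundles": ["com.example.app"]}},  # hypothetical
               "Orphan": {}}  # hypothetical: no Filter, no dylib
    for name, content in samples.items():
        with (d / f"{name}.plist").open("wb") as fh:
            plistlib.dump(content, fh)
        if name != "Orphan":
            (d / f"{name}.dylib").write_bytes(b"")
    return d

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_filters(build_sample(tmp))
        for name, entry in report.items():
            print(name, entry)
```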
For example, restart Singing for All on the phone, restart Reveal on the computer, and use the menu to connect to Singing for All. As you can see, one of the Singing for All pages looks like this (the class name in the lower right corner is the key point):
[Figure: Singing for All page]
(II) Make Singing for All switch automatically to the singer page
To give you an intuitive feel, Xiao Cheng demonstrates locating a target class in Singing for All with Reveal and making the app switch to the singer page automatically.
First, Reveal shows that the view controller class for the bottom navigation bar is KSRootTabBarController.
Then, find that class in the class structure that classdump produced. As you can see, tapping the "I want to sing" button actually triggers the KSRootTabBarController::onClickTabBarItem function.
Then, you can hook the class so that the target app jumps automatically. Xiao Cheng will describe the specific steps in detail later; for now you only need an intuitive understanding of it.
In the end, the effect of the automatic jump is as follows:
[Figure: automatic switching]
That covers the use of Reveal, which is an effective way to locate target classes and functions. Another way is to look through the names of all the classes, guess which ones may be relevant (for example, those containing a certain keyword), then inject into the functions of those classes and print information with NSLog, or debug dynamically and watch how the flow executes, and finally determine the target class and function.