Dynamic debugging and analysis can be done with CycriptTricks (Powerful private methods), UIButton's sendActionsForControlEvents, DerekSelander's LLDB scripts (Python scripts to aid in your debugging sessions), and Frida.
Start Cydia and add Frida’s repository by navigating to Manage -> Sources -> Edit -> Add and entering https://build.frida.re
apt-get update:
-rwxr-xr-x 1 root wheel 11292672 Oct 14 00:54 /usr/sbin/frida-server*
-rw-r--r-- 1 root wheel      779 Oct 14 00:54 /Library/LaunchDaemons/re.frida.server.plist
② install frida on mac
Install pip, Python's package manager:
$ sudo easy_install pip
Install Frida:
$ sudo -H pip install frida
Upgrade Frida:
$ sudo pip install --upgrade frida --ignore-installed six
Connect the device over USB and verify that Frida is working:
-U, --usb            connect to USB device
-a, --applications   list only applications
-i, --installed      include all installed applications

$ frida-ps -Uai
 PID  Name       Identifier
----  ---------  --------------------
 904  Cydia      com.saurik.Cydia
 856  微信        com.tencent.xin
 858  郵件        com.apple.mobilemail
      App Store  com.apple.AppStore
③ debug
pdb.py can be invoked as a script to debug other scripts:
(Pdb) h

Documented commands (type help <topic>):
========================================
EOF    bt         cont      enable  jump  pp       run      unt
a      c          continue  exit    l     q        s        until
alias  cl         d         h       list  quit     step     up
args   clear      debug     help    n     r        tbreak   w
b      commands   disable   ignore  next  restart  u        whatis
break  condition  down      j       p     return   unalias  where
The pip upgrade may fail with:
Operation not permitted: /var/folders/6t/h404bjcd5tb_4q86tpv_251rv_0h0j/T/pip-sYsqDS-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info;
This is because OS X El Capitan ships with six 1.4.1 already installed, and when pip attempts to uninstall it (because awscli depends on botocore, botocore depends on python-dateutil, and python-dateutil depends on six >= 1.5) it does not have permission to do so: System Integrity Protection does not allow even root to modify those directories. That is why the upgrade command above passes --ignore-installed six, which leaves the system copy alone and installs the newer six beside it.
$ frida -U -p 1262
     ____
    / _  |   Frida 10.6.27 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/

[iPhone::PID::1262]->
③ A working directory containing Chinese characters makes frida-ios-dump fail
The step-by-step analysis of the problem in pdb:
(Pdb) l
108         script = loadJsFile(session, APP_JS);
109         name = target.decode('utf8');
110         script.post(name);
111         opened.wait();
112         session.detach();
113  ->     createDir(os.getcwd()+"/"+OUTPUT)
114         print "start dump target app......"
115         session = device.attach(name);
116         script = loadJsFile(session, DUMP_JS);
117         script.post("dump");
118         finished.wait();
(Pdb) s
--Return--
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(113)main()->None
-> createDir(os.getcwd()+"/"+OUTPUT)
(Pdb) l
108         script = loadJsFile(session, APP_JS);
109         name = target.decode('utf8');
110         script.post(name);
111         opened.wait();
112         session.detach();
113  ->     createDir(os.getcwd()+"/"+OUTPUT)
114         print "start dump target app......"
115         session = device.attach(name);
116         script = loadJsFile(session, DUMP_JS);
117         script.post("dump");
118         finished.wait();
(Pdb) s
UnicodeDecodeError: UnicodeD...ge(128)')
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(127)<module>()->main(sys.argv[1])
(Pdb) l
122     if len(sys.argv) < 2:
123         print "usage: ./dump.py 微信"
124         sys.exit(0)
125     else:
126         try:
127  ->         main(sys.argv[1])
128         except KeyboardInterrupt:
129             if session:
130                 session.detach()
131             sys.exit()
132         except:
(Pdb) s
> /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/frida-ios-dump-master/dump.py(128)<module>()
-> except KeyboardInterrupt:
(Pdb) pp UnicodeDecodeError
<type 'exceptions.UnicodeDecodeError'>
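The trace stops at createDir(os.getcwd()+"/"+OUTPUT): under Python 2, os.getcwd() returns a byte string, and as soon as it is combined with a unicode string the bytes are implicitly decoded as ASCII, which fails on the first byte of a Chinese character ("ordinal not in range(128)"). The following is an added example, not code from frida-ios-dump, that reproduces the mechanism in Python 3 and shows the fix of decoding the path with the filesystem encoding before joining; CWD_WITH_CJK and the value of OUTPUT are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample: a working directory containing Chinese characters,
# the situation that broke dump.py in the pdb session above.
CWD_WITH_CJK = "/Users/devzkn/下載/frida-ios-dump-master".encode("utf-8")
OUTPUT = "dump"  # plays the role of OUTPUT in dump.py (assumed value)


def naive_output_dir(cwd_bytes, output):
    """Mimic Python 2's os.getcwd() + "/" + OUTPUT: the byte path is joined
    with text by implicitly decoding it as ASCII, so any byte >= 0x80
    (every CJK character in UTF-8) raises UnicodeDecodeError."""
    return cwd_bytes.decode("ascii") + "/" + output


def safe_output_dir(cwd_bytes, output):
    """Decode the byte path with the filesystem encoding first. os.fsdecode
    uses surrogateescape, so even bytes that are not valid UTF-8 survive."""
    return os.path.join(os.fsdecode(cwd_bytes), output)


def create_dir(path):
    """Equivalent of dump.py's createDir: idempotent directory creation."""
    os.makedirs(path, exist_ok=True)
    return os.path.isdir(path)


def reproduce():
    """Return (exception name or None from the naive join, safe join result)."""
    try:
        naive_output_dir(CWD_WITH_CJK, OUTPUT)
        failed = None
    except UnicodeDecodeError as exc:
        failed = type(exc).__name__
    return failed, safe_output_dir(CWD_WITH_CJK, OUTPUT)


if __name__ == "__main__":
    err, path = reproduce()
    print("naive join:", err)   # UnicodeDecodeError
    print("safe join :", path)
    # Exercise create_dir under a throwaway directory whose own name is CJK.
    with tempfile.TemporaryDirectory() as tmp:
        cjk_cwd = os.path.join(tmp, "下載").encode("utf-8")
        os.makedirs(cjk_cwd)
        print("created:", create_dir(safe_output_dir(cjk_cwd, OUTPUT)))
```

The simplest workaround without touching the script is to run dump.py from a directory whose full path is ASCII-only.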