IOS 逆向(一) - otool 命令入门

首先可以拿自己的 ipa 包进行尝试。

选择你的 ipa 包,然后把后缀名改为 zip,解压缩得到 Payload 文件夹,里面就是你的 APP。

打开终端,直接 cd 到你的 xxxx.app 目录下。具体做法,输入 cd,然后把 xxxx.app 直接拖到终端里打个回车。

然后输入

1
otool

会得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Usage: /Applications/Xcode9.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version] <object file> ...
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name>  start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library (obsolete)
-T print the table of contents of a dynamic shared library (obsolete)
-M print the module table of a dynamic shared library (obsolete)
-R print the reference table of a dynamic shared library (obsolete)
-I print the indirect symbol table
-H print the two-level hints table (obsolete)
-G print the data in code table
-v print verbosely (symbolically) when possible
-V print disassembled operands symbolically
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
-q use llvm's disassembler (the default)
-Q use otool(1)'s disassembler
-mcpu=arg use `arg' as the cpu for disassembly
-j print opcode bytes
-P print the info plist section as strings
-C print linker optimization hints
--version print the version of /Applications/Xcode9.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

有兴趣的同学可以仔细研究一下每个命令是干吗用的,这里介绍几个常用命令:

1
otool -L

可执行文件的名称可以右键 xxxx.app 文件,选择显示包内容,然后找到里面的 exec 文件,把名字打进去。一般来说这个文件的名字跟 xxxx 是一样的
然后奇迹就出现了。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
/System/Library/Frameworks/CoreBluetooth.framework/CoreBluetooth (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreData.framework/CoreData (compatibility version 1.0.0, current version 851.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1161.21.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/UserNotifications.framework/UserNotifications (compatibility version 1.0.0, current version 1.0.0)
@rpath/libswiftAVFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftAssetsLibrary.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCore.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreAudio.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreData.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreGraphics.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreImage.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreLocation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreMedia.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftDarwin.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftDispatch.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftMetal.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftObjectiveC.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftQuartzCore.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftUIKit.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftsimd.dylib (compatibility version 1.0.0, current version 902.0.54)
.............

是不是很熟悉?这个命令列出了你使用的所有库的名字。

查看 ipa 包是否加壳:

1
otool -l 可执行文件 | grep crypt

显示:

1
2
3
4
5
6
 cryptoff 16384
cryptsize 6651904
  cryptid 0
 cryptoff 16384
cryptsize 6553600
  cryptid 0

其中 cryptid 代表是否加壳,1 代表加壳,0 代表已脱壳。我们发现打印了两遍,其实代表着该可执行文件支持两种架构 armv7 和 arm64.

1
2
3
otool -hv filename #地址随机化测试
otool -Iv fielname | grep "chk_guard"#堆栈保护
otool –Iv filename | grep "objc_release"#自动引用计数

https://github.com/MobSF/Mobile-Security-Framework-MobSF

加壳查验

1
otool -l 可执行文件 | grep crypt

其中 cryptid 代表是否加壳,1 代表加壳,0 代表已脱壳。我们发现打印了两遍,其实代表着该可执行文件支持两种架构 armv7 和 arm64.

查看App所使用的动态库

1
otool -L Mach-O文件路径

祝老板天天开心

支付宝

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

资深废物,安服菜鸡<br/>常年内网迷路者<br/>非知名网络黑客<br/>专业端茶倒水选手<br/>