iOS逆向, 基础工具之class-dump

class-dump

顾名思义就是来dump头文件的工具, 简单好用
下载地址
先下载class-dump.dmg, 然后把里面的class-dump复制出来就可以用了, 如果希望直接运行可执行文件那么加到/usr/bin里.

但是macos的限制, /usr/bin不让写文件, 可以参考这里修改权限.

然后直接复制到/usr/bin下,

chomd 777 /usr/bin/class-dump

直接调用 class-dump使用即可.

另一种在自己的用户目录下配置(推荐)

在当前用户新建一个bash_profile

mkdir ~/bin

mv ../class-dump ~.bin

open -e .bash_profile 输入 export PATH=​$HOME/bin/:$PATH

source ~/.bash_profile

就可以了(后面theos的一些配置也可以放在bash_profile里, 还是比较方便的).

在dump有swift类可能会报错

Error: Cannot find offset for address 0x6800f3c2 in stringAtAddress:

swift的解决方案

运行实例

class-dump 
class-dump 3.5 (64 bit) (Debug version compiled Sep 17 2017 16:24:48)
Usage: class-dump [options] <mach-o-file>

  where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64, armv6, armv7, armv7s, arm64)
        -C <regex>     only display classes matching regular expression
        -f <str>       find string in method name
        -H             generate header files in current directory, or directory specified with -o
        -I             sort classes, categories, and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the arches in the file, then exit
        --sdk-ios      specify iOS SDK version (will look for /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
                       or /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk)
        --sdk-mac      specify Mac OS X version (will look for /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX<version>.sdk
                       or /Developer/SDKs/MacOSX<version>.sdk)
        --sdk-root     specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)

一般用法

找到对应的xxx.app文件, 然后定位app的可执行文件

cd SpringBoard.app
plutil -p info.plist | grep CFBundleExecutable
  "CFBundleExecutable" => "SpringBoard"
class-dump -S -s -H SpringBoard -o ~/hfiles/SpringBoardHeaders

至此SpringBoard的所有头文件就dump出来了

SpringBoard.png

至于如何导出SpringBoard.app, 首先是需要一台越狱的设备, 使用SSH或者其他文件管理从手机中导出, 这里不多赘述, 会有其它文档详细介绍, 这里只记录工具的配置和基本使用.