我个人感觉,搞逆向虽然动态调试很重要,但不能一味地在动态过程中寻找。
1.动态调试不够灵活,很多时候即使断点有效,监控过程也很可能比较漫长,最好通过挂钩或打印调用栈信息来了解程序大致的调用方式和逻辑方式。
2.动态调试涉及到全局变量、多线程赋值、加锁等因素时,在被混淆的代码可读性不高的情况下会增加调试难度,往往一个不小心就会走到逻辑混乱的地方,或者干脆走到错误的地方。
3.以上两条尤其适用于密码分析等在界面上难以直观观察到变化的过程。
#include <CommonCrypto/CommonDigest.h>
#include <substrate.h>
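/// Saved entry point of the original CC_MD5; filled in by MSHookFunction in %ctor.
unsigned char *(*old_CC_MD5)(const void *data, CC_LONG len, unsigned char *md);

/// Replacement for CC_MD5 that logs the input buffer and the resulting digest.
///
/// The original implementation still computes the digest; this wrapper only
/// observes. The log line shows the raw input bytes, the input decoded as UTF-8
/// (nil, printed as "(null)", when the bytes are not valid UTF-8) and the digest.
///
/// @param data Input buffer passed to CC_MD5 by the caller.
/// @param len  Length of `data` in bytes.
/// @param md   Output buffer; receives CC_MD5_DIGEST_LENGTH (16) bytes.
/// @return The value returned by the original CC_MD5.
unsigned char *new_CC_MD5(const void *data, CC_LONG len, unsigned char *md)
{
    NSData *input = [NSData dataWithBytes:data length:len];
    // Let the real implementation fill `md` before it is read below.
    unsigned char *result = old_CC_MD5(data, len, md);
    // NOTE(review): assumes ARC; under MRC this alloc/init would need an autorelease.
    NSString *inputText = [[NSString alloc] initWithData:input encoding:NSUTF8StringEncoding];
    // Use the header's constant instead of a bare 16 so the length cannot drift from the hash.
    NSData *digest = [NSData dataWithBytes:md length:CC_MD5_DIGEST_LENGTH];
    NSLog(@"CC_MD5: %@ | %@ = %@", input, inputText, digest);
    return result;
}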
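/// Saved entry point of the original CC_SHA1; filled in by MSHookFunction in %ctor.
unsigned char *(*old_CC_SHA1)(const void *data, CC_LONG len, unsigned char *md);

/// Replacement for CC_SHA1 that logs the input buffer and the resulting digest.
///
/// The original implementation still computes the digest; this wrapper only
/// observes. The log line shows the raw input bytes, the input decoded as UTF-8
/// (nil, printed as "(null)", when the bytes are not valid UTF-8) and the digest.
///
/// @param data Input buffer passed to CC_SHA1 by the caller.
/// @param len  Length of `data` in bytes.
/// @param md   Output buffer; receives CC_SHA1_DIGEST_LENGTH (20) bytes.
/// @return The value returned by the original CC_SHA1.
unsigned char *new_CC_SHA1(const void *data, CC_LONG len, unsigned char *md)
{
    NSData *input = [NSData dataWithBytes:data length:len];
    // Let the real implementation fill `md` before it is read below.
    unsigned char *result = old_CC_SHA1(data, len, md);
    // NOTE(review): assumes ARC; under MRC this alloc/init would need an autorelease.
    NSString *inputText = [[NSString alloc] initWithData:input encoding:NSUTF8StringEncoding];
    // Use the header's constant instead of a bare 20 so the length cannot drift from the hash.
    NSData *digest = [NSData dataWithBytes:md length:CC_SHA1_DIGEST_LENGTH];
    NSLog(@"CC_SHA1: %@ | %@ = %@", input, inputText, digest);
    return result;
}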
%ctor
{
    // Runs when the tweak is loaded. MSHookFunction redirects each symbol to the
    // replacement and stores the original entry point in the matching old_* pointer,
    // which the replacement calls through. The two hooks are independent of each other.
    MSHookFunction(&CC_SHA1, &new_CC_SHA1, &old_CC_SHA1);
    MSHookFunction(&CC_MD5, &new_CC_MD5, &old_CC_MD5);
}
这里还有个想法,就是在这些挂钩中放入NSLog(@"---%@",[NSThread callStackSymbols]);
直接来追踪函数调用的地方,当然为了得到Mach-O文件中的地址,我们需要获得内存中模块的基地址,如下:
#include <inttypes.h>
#include <stdio.h>
#include <mach-o/dyld.h>
#include <mach/mach.h>
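// Prototype from <mach-o/dyld.h>, repeated here for reference. The value is the
// ASLR slide of image `image_index`: the difference between where the image is
// mapped and the vmaddr recorded in its Mach-O load commands.
intptr_t _dyld_get_image_vmaddr_slide(uint32_t image_index);

// Slide of image 0, which is the main executable.
intptr_t base_addr = _dyld_get_image_vmaddr_slide(0);

// Walk every loaded image; _dyld_image_count() returns how many there are.
// Note that this value is the slide, not the load address: subtract it from a
// runtime address to get the address as it appears in the Mach-O file. The
// header's own load address comes from _dyld_get_image_header(i).
// `i` is uint32_t to match the index type the dyld API takes.
for (uint32_t i = 0; i < _dyld_image_count(); i++)
{
    intptr_t image_slide = _dyld_get_image_vmaddr_slide(i);
}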
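/// Prints every image dyld has loaded into this process: its path, the address
/// its Mach-O header is mapped at, and its ASLR slide.
///
/// A runtime address minus the slide is the address as it appears in the file's
/// load commands, which is what lines a runtime trace up with a disassembly.
void test(void)
{
    // _dyld_image_count() returns uint32_t, so print it with %u rather than %d.
    printf("www.dllhook.com\nDyld image count is: %u.\n", _dyld_image_count());
    // The count is re-read on every pass, as in the original; the image list can
    // change while iterating if something loads or unloads a library.
    for (uint32_t i = 0; i < _dyld_image_count(); i++) {
        // _dyld_get_image_name returns a const string; keep the const instead of casting it away.
        const char *image_name = _dyld_get_image_name(i);
        const struct mach_header *mh = _dyld_get_image_header(i);
        intptr_t vmaddr_slide = _dyld_get_image_vmaddr_slide(i);
        // %p for the pointer and PRIxPTR for the slide keep the formats correct on
        // both 32- and 64-bit targets without casting through mach_vm_address_t.
        printf("Image name %s at address %p and ASLR slide 0x%" PRIxPTR ".\n",
               image_name, (const void *)mh, (uintptr_t)vmaddr_slide);
    }
}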