逆向基础知识及工具:class-dump

Class-dump

This is a command-line utility for examining the Objective-C runtime information stored in Mach-O files. It generates declarations for the classes, categories and protocols. This is the same information provided by using ‘otool -ov’, but presented as normal Objective-C declarations, so it is much more compact and readable.

• Why use class-dump?
  It’s a great tool for the curious. You can look at the design of closed source applications, frameworks, and bundles. Watch the interfaces evolve between releases. Experiment with private frameworks, or see what private goodies are hiding in the AppKit. Learn about the plugin API lurking in Mail.app.

上面是官方的介绍
一句话简介

普及一下什么是Mach-O文件

• Mach-O文件
  Mach-O格式全称为Mach Object文件格式的缩写

• Mach-O文件类型分类：
  1.Executable:应用可执行的二进制文件，如.m/.h文件经过编译后会生成对应的Mach-O文件
  2.Dylib Library:动态链接库
  3.Static Library:静态链接库
  4.Bundle:不能被链接 Dylib，只能在运行使用dlopen()加载
  5.Relocatable Object File:可重定向文件类型

Mach-O文件结构
参考苹果官方文档，Mach-O文件结构由Header,Load Commands,Data三部分组成
详细Mach-O文件,以后我们再详谈,类型1,2一般为我们常常分析的文件

---

下面开始介绍具体用法

这是一个只有不到500K的一个小工具,官网下载后双击打开,将class-dump复制到/usr/local/bin目录,方便以后使用

image.png

命令行验证是否安装成功

$  class-dump

出现一下内容,说明安装成功

class-dump 3.5 (64 bit)
Usage: class-dump [options] <mach-o-file>

  where options are:
        -a             show instance variable offsets
        -A             show implementation addresses
        --arch <arch>  choose a specific architecture from a universal binary (ppc, ppc64, i386, x86_64)
        -C <regex>     only display classes matching regular expression
        -f <str>       find string in method name
        -H             generate header files in current directory, or directory specified with -o
        -I             sort classes, categories, and protocols by inheritance (overrides -s)
        -o <dir>       output directory used for -H
        -r             recursively expand frameworks and fixed VM shared libraries
        -s             sort classes and categories by name
        -S             sort methods by name
        -t             suppress header in output, for testing
        --list-arches  list the arches in the file, then exit
        --sdk-ios      specify iOS SDK version (will look in /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS<version>.sdk
        --sdk-mac      specify Mac OS X version (will look in /Developer/SDKs/MacOSX<version>.sdk
        --sdk-root     specify the full SDK root path (or use --sdk-ios/--sdk-mac for a shortcut)

上面的基本介绍了class-dump的用法,大多数情况下,我们只需要用到一个命令,就是将Mach-O头文件导出

$ class-dump -H Mach-文件 -o 导出文件地址

导出的头文件,自己根据文件名和方法名猜吧,实际逆向过程中,很多工具需要配合使用,看自己习惯哪种工具MachOView、class-dump、Hopper Disassembler、ida

image.png

我没加密混淆的代码,基本把头文件都正确导出了.

image.png

• class-dump AppKit:

  class-dump /System/Library/Frameworks/AppKit.framework

• class-dump UIKit:

  class-dump /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/Library/Frameworks/UIKit.framework

• class-dump UIKit and all the frameworks it uses:

  class-dump /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS4.3.sdk/System/Library/Frameworks/UIKit.framework -r --sdk-ios 4.3

• class-dump UIKit (and all the frameworks it uses) from developer tools that have been installed in /Dev42 instead of /Developer:

  class-dump /Dev42/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk/System/Library/Frameworks/UIKit.framework -r --sdk-root /Dev42/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.0.sdk