mikeshihua

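Very Useful Private APIs for iOS Reverse Engineering

Introduction

When doing dynamic debugging with LLDB or Cycript during reverse engineering, you often need to see which methods and variables an object has, but there is no convenient way to do so. When setting a breakpoint in LLDB, you have to find the code address through disassembly and add the offset to get the breakpoint address, which is time-consuming and laborious every time. The methods below make debugging far more effective!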

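_shortMethodDescription: print methods and their addresses

As its name suggests, this method prints a short method description of the object: its class methods, properties, and instance methods. The value in parentheses is each method's address, which can be used directly to set a breakpoint in LLDB, as shown below: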

(lldb) po [[UIApplication sharedApplication] _shortMethodDescription]
<UIApplication: 0x7faabf101700>:
in UIApplication:
Class Methods:
+ (Class) safeCategoryBaseClass; (0x127b7294b)
+ (void) shouldShowNetworkActivityIndicatorInRemoteApplication:(BOOL)arg1; (0x10d06bba1)
...
Properties:
@property (retain, nonatomic) NSDate* accessibilityLastGesturedTextInputStatusChange;
@property (nonatomic, getter=_isDisplayingActivityContinuationUI, setter=_setIsDisplayingActivityContinuationUI:) BOOL isDisplayingActivityContinuationUI; (@synthesize isDisplayingActivityContinuationUI = _isDisplayingActivityContinuationUI;)
...
Instance Methods:
- (BOOL) _accessibilityAllowsNotificationsDuringSuspension; (0x127b76db0)
...
(UIResponder ...)

Setting a breakpoint

(lldb) breakpoint set -a 0x127b7d892
Breakpoint 20: where = UIKit`-[UIApplicationAccessibility _accessibilityNativeFocusElement], address = 0x0000000127b7d892
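
An added example, not from the original post: a small Python parser for the listing format shown above (it also handles the per-class `in <Class>:` sections) that turns method lines whose selector matches a regex into `breakpoint set -a` commands. The sample text is constructed from lines in the post, the function names are this example's own, and the addresses are only valid in the process that printed them.

```python
import re

# Constructed sample in the format printed above; addresses are per-process.
SAMPLE = """\
<UIApplication: 0x7faabf101700>:
in UIApplication:
Class Methods:
+ (Class) safeCategoryBaseClass; (0x127b7294b)
+ (void) shouldShowNetworkActivityIndicatorInRemoteApplication:(BOOL)arg1; (0x10d06bba1)
Properties:
@property (retain, nonatomic) NSDate* accessibilityLastGesturedTextInputStatusChange;
Instance Methods:
- (BOOL) _accessibilityAllowsNotificationsDuringSuspension; (0x127b76db0)
in UIResponder:
Instance Methods:
- (void) _accessibilitySetSelectedTextRange:(struct _NSRange)arg1; (0x127bfe522)
"""

CLASS_RE = re.compile(r"^\s*in (\w+):\s*$")
# sign, declaration, then the implementation address in trailing parentheses
METHOD_RE = re.compile(r"^\s*([+-])\s*(.+?);\s*\((0x[0-9a-fA-F]+)\)\s*$")

def selector_of(decl):
    """Reduce '(BOOL) foo:(id)a bar:(int)b' to the selector 'foo:bar:'."""
    prev = None
    while prev != decl:  # strip type groups, innermost first (handles block types)
        prev, decl = decl, re.sub(r"\([^()]*\)", "", decl)
    parts = decl.split()
    if not any(":" in p for p in parts):
        return parts[0]  # selector without arguments
    return "".join(p.split(":")[0] + ":" for p in parts if ":" in p)

def parse_methods(text):
    """Yield (class_name, '+' or '-', selector, address) per method line."""
    cls = None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cls = m.group(1)  # following methods belong to this class
        elif m := METHOD_RE.match(line):  # property lines carry no address
            yield cls, m.group(1), selector_of(m.group(2)), int(m.group(3), 16)

def breakpoint_commands(text, pattern):
    """Return LLDB commands for every method whose selector matches pattern."""
    return [f"breakpoint set -a {addr:#x}"
            for _, _, sel, addr in parse_methods(text) if re.search(pattern, sel)]

if __name__ == "__main__":
    print("\n".join(breakpoint_commands(SAMPLE, r"^_accessibility")))
```
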

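_methodDescription: print methods and their addresses

Similar to the previous method, except that this one prints the methods, properties, and so on of the subclass and its superclasses separately.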

(lldb) po [[UIApplication sharedApplication] _methodDescription]
<UIApplication: 0x7faabf101700>:
in UIApplication:
Class Methods:
+ (Class) safeCategoryBaseClass; (0x127b7294b)
+ (void) shouldShowNetworkActivityIndicatorInRemoteApplication:(BOOL)arg1; (0x10d06bba1)
...
Properties:
@property (retain, nonatomic) NSDate* accessibilityLastGesturedTextInputStatusChange;
...
Instance Methods:
- (BOOL) _accessibilityAllowsNotificationsDuringSuspension; (0x127b76db0)
...
in UIResponder:
Class Methods:
+ (Class) safeCategoryBaseClass; (0x127bc6750)
...
Properties:
@property (readonly, nonatomic) UIView* inputView;
...
Instance Methods:
- (void) _accessibilitySetSelectedTextRange:(struct _NSRange)arg1; (0x127bfe522)
...
in NSObject:
Class Methods:
+ (Class) safeCategoryBaseClass; (0x127d2d44c)
...
Properties:
@property (readonly, nonatomic) NSString* _atvaccessibilityITMLAccessibilityContent;
...
Instance Methods:
- (id) _accessibilityParentForSubview:(id)arg1; (0x12845bb34)
...

_ivarDescription: print instance variables

This method prints an object's instance variables, including each variable's type and value.

(lldb) po [[UIApplication sharedApplication] _ivarDescription]
<UIApplication: 0x7faabf101700>:
in UIApplication:
_delegate (<UIApplicationDelegate>*): <AppDelegate: 0x61800006b600>
_exclusiveTouchWindows (NSMutableSet*): <__NSSetM: 0x61800005bc00>
_event (UIEvent*): <UIEvent: 0x618000036ba0>
_motionEvent (UIEvent*): <UIMotionEvent: 0x61800017a880>
_remoteControlEvent (UIEvent*): <UIRemoteControlEvent: 0x600000058cf0>
...
_applicationFlags (struct ?): {
deactivatingReasonFlags (b13): 0
isSuspended (b1): NO
isSuspendedEventsOnly (b1): NO
isLaunchedSuspended (b1): NO
...
}
...
isa (Class): UIApplication (isa, 0x10bc29958)