iOS reverse engineering -- Introduction to the otool command


First, you can try your own ipa package.

Take your ipa package, change its suffix to zip, and extract it. The Payload folder inside contains your app bundle (xxxx.app).

Open the terminal and cd into your xxxx.app directory. The easiest way: type cd followed by a space, drag xxxx.app onto the terminal window, and press Enter.

Then enter:

otool

You will get:

Usage: /Applications/Xcode9.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version] <object file> ...
    -f print the fat headers
    -a print the archive header
    -h print the mach header
    -l print the load commands
    -L print shared libraries used
    -D print shared library id name
    -t print the text section (disassemble with -v)
    -p <routine name> start dissassemble from routine name
    -s <segname> <sectname> print contents of section
    -d print the data section
    -o print the Objective-C segment
    -r print the relocation entries
    -S print the table of contents of a library (obsolete)
    -T print the table of contents of a dynamic shared library (obsolete)
    -M print the module table of a dynamic shared library (obsolete)
    -R print the reference table of a dynamic shared library (obsolete)
    -I print the indirect symbol table
    -H print the two-level hints table (obsolete)
    -G print the data in code table
    -v print verbosely (symbolically) when possible
    -V print disassembled operands symbolically
    -c print argument strings of a core file
    -X print no leading addresses or headers
    -m don't use archive(member) syntax
    -B force Thumb disassembly (ARM objects only)
    -q use llvm's disassembler (the default)
    -Q use otool(1)'s disassembler
    -mcpu=arg use `arg' as the cpu for disassembly
    -j print opcode bytes
    -P print the info plist section as strings
    -C print linker optimization hints
    --version print the version of /Applications/Xcode9.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

Interested readers can study what each option is for. Here are some commonly used commands:

otool -L <executable>

Here <executable> is the name of the executable file inside the bundle. To find it, right-click xxxx.app, choose Show Package Contents, and look for the executable file inside; generally its name is the same as the app name, XXXX. Type that name after otool -L.
And then the magic happens...

/System/Library/Frameworks/CoreBluetooth.framework/CoreBluetooth (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreData.framework/CoreData (compatibility version 1.0.0, current version 851.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1161.21.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/UserNotifications.framework/UserNotifications (compatibility version 1.0.0, current version 1.0.0)
@rpath/libswiftAVFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftAssetsLibrary.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCore.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreAudio.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreData.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreGraphics.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreImage.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreLocation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftCoreMedia.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftDarwin.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftDispatch.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftFoundation.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftMetal.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftObjectiveC.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftQuartzCore.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftUIKit.dylib (compatibility version 1.0.0, current version 902.0.54)
@rpath/libswiftsimd.dylib (compatibility version 1.0.0, current version 902.0.54)
.............

Look familiar? This command lists all the dynamic libraries the executable links against.

Check whether the ipa package is shelled (that is, whether the executable is still encrypted):

otool -l <executable> | grep crypt

Shows:

cryptoff 16384
cryptsize 6651904
cryptid 0
cryptoff 16384
cryptsize 6553600
cryptid 0

Here cryptid indicates whether the executable is shelled: 1 means it is still encrypted, 0 means it has been de-shelled (decrypted). The values are printed twice because the executable supports two architectures, armv7 and arm64, and each architecture slice carries its own encryption info.
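To show what these two otool invocations actually read from the binary, here is an added Python example (not code from the original post) that parses a Mach-O file's load commands directly: it walks a fat binary slice by slice, lists each LC_LOAD_DYLIB entry the way otool -L does, and reports cryptoff/cryptsize/cryptid from LC_ENCRYPTION_INFO (armv7) and LC_ENCRYPTION_INFO_64 (arm64) the way otool -l | grep crypt does. The constants come from Apple's <mach-o/loader.h> and <mach-o/fat.h>; all function names are my own. The sample binary it parses is constructed in build_sample_fat(): two slices with the same cryptsize values as the output above and cryptid 0, without the page alignment a real linker would add between slices. Pass the path of the executable from your own ipa on the command line to run it on a real file.

```python
"""Read dylib dependencies and encryption state from Mach-O load commands."""
import struct
import sys

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
FAT_MAGIC = 0xCAFEBABE                      # fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 12 | 0x01000000
ARCH_NAMES = {CPU_TYPE_ARM: "armv7", CPU_TYPE_ARM64: "arm64"}


def fmt_version(v):
    """Unpack the packed X.Y.Z version word that otool -L prints."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def parse_slice(data):
    """Walk one thin (little-endian) Mach-O image and collect the commands of interest."""
    magic, cputype = struct.unpack_from("<II", data, 0)
    if magic == MH_MAGIC_64:
        off = 32                                # mach_header_64 has an extra reserved field
    elif magic == MH_MAGIC:
        off = 28
    else:
        raise ValueError(f"not a little-endian Mach-O slice: {magic:#x}")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    info = {"arch": ARCH_NAMES.get(cputype, hex(cputype)), "dylibs": [], "cryptid": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_LOAD_DYLIB:
            # dylib_command: lc_str name offset, timestamp, current_version, compatibility_version
            name_off, _ts, cur, compat = struct.unpack_from("<IIII", data, off + 8)
            name = data[off + name_off: off + cmdsize].split(b"\0", 1)[0].decode()
            info["dylibs"].append((name, fmt_version(compat), fmt_version(cur)))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants start with cryptoff, cryptsize, cryptid after the common header
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return info


def parse_macho(data):
    """Return one info dict per architecture; a fat binary yields one per slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):                   # fat_arch entries are 20 bytes each
            _cpu, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
            slices.append(parse_slice(data[offset: offset + size]))
        return slices
    return [parse_slice(data)]


def report(data):
    """Render the parsed slices in a layout close to otool's own output."""
    lines = []
    for s in parse_macho(data):
        lines.append(f"[{s['arch']}]")
        for name, compat, cur in s["dylibs"]:
            lines.append(f"  {name} (compatibility version {compat}, current version {cur})")
        state = "encrypted (still shelled)" if s["cryptid"] == 1 else "decrypted"
        lines.append(f"  cryptoff {s['cryptoff']} cryptsize {s['cryptsize']} cryptid {s['cryptid']} -> {state}")
    return "\n".join(lines)


# --- constructed sample input (not a real app binary) --------------------------
def pack_version(x, y, z):
    return (x << 16) | (y << 8) | z


def build_dylib_cmd(name, compat, current):
    payload = name.encode() + b"\0"
    size = 24 + len(payload)
    size += (-size) % 8                         # the linker pads cmdsize to 8 bytes
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, size, 24, 2, current, compat) + payload.ljust(size - 24, b"\0")


def build_slice(is64, cputype, cmds):
    body = b"".join(cmds)
    if is64:
        hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, len(cmds), len(body), 0, 0)
    else:
        hdr = struct.pack("<IIIIIII", MH_MAGIC, cputype, 0, 2, len(cmds), len(body), 0)
    return hdr + body


def build_sample_fat():
    """Constructed fat binary: armv7 + arm64 slices, two dylibs each, both decrypted (cryptid 0)."""
    cg = build_dylib_cmd("/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics",
                         pack_version(64, 0, 0), pack_version(1161, 21, 0))
    swift = build_dylib_cmd("@rpath/libswiftCore.dylib", pack_version(1, 0, 0), pack_version(902, 0, 54))
    enc32 = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 16384, 6651904, 0)
    enc64 = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 6553600, 0, 0)
    s32 = build_slice(False, CPU_TYPE_ARM, [cg, swift, enc32])
    s64 = build_slice(True, CPU_TYPE_ARM64, [cg, swift, enc64])
    off32 = 8 + 2 * 20                          # fat_header + two fat_arch entries
    off64 = off32 + len(s32)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", CPU_TYPE_ARM, 0, off32, len(s32), 0)
    header += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, off64, len(s64), 0)
    return header + s32 + s64


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_fat()
    print(report(blob))
```

The load commands sit in the first page of each slice, ahead of cryptoff, so they stay readable even on an App Store binary whose __TEXT segment is still encrypted; that is why this check works before any decryption has taken place.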

Here is a recommended tool:

https://github.com/MobSF/Mobile-Security-Framework-MobSF

Explore it yourself by following its documentation.

9 February 2020, 15:06 | Views: 3314
