Running otool with no arguments prints its many options:
Usage: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version] <object file> ...
	-f print the fat headers
	-a print the archive header
	-h print the mach header
	-l print the load commands
	-L print shared libraries used
	-D print shared library id name
	-t print the text section (disassemble with -v)
	-p <routine name> start dissassemble from routine name
	-s <segname> <sectname> print contents of section
	-d print the data section
	-o print the Objective-C segment
	-r print the relocation entries
	-S print the table of contents of a library
	-T print the table of contents of a dynamic shared library
	-M print the module table of a dynamic shared library
	-R print the reference table of a dynamic shared library
	-I print the indirect symbol table
	-H print the two-level hints table
	-G print the data in code table
	-v print verbosely (symbolically) when possible
	-V print disassembled operands symbolically
	-c print argument strings of a core file
	-X print no leading addresses or headers
	-m don't use archive(member) syntax
	-B force Thumb disassembly (ARM objects only)
	-q use llvm's disassembler (the default)
	-Q use otool(1)'s disassembler
	-mcpu=arg use `arg' as the cpu for disassembly
	-j print opcode bytes
	-P print the info plist section as strings
	-C print linker optimization hints
	--version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool
The path makes it obvious: otool is a command-line tool that ships with Xcode. Let's look at how to use it. At first I did not know what kind of file the command expects; otool kept insisting on an "object file", and only later did I work out what that object file is. JD's ipa serves as the example here.
If the .app is signed with a development (debug) profile, right-clicking it in Finder offers "Show Package Contents"; an .app taken from a release ipa does not show that option by default. An ipa is just a zip archive: unzip it first, and the .app inside the Payload/ directory can then be expanded like any bundle.
Inside the expanded .app are many files. The one we need is the main executable: the file with the same name as the bundle and no extension (JD4iPhone here). That is the Mach-O "object file" otool reads; the .ipa and the .app directory themselves are not.
With the executable located, we can start experimenting. First run:
otool -L ~/Payload/JD4iPhone.app/JD4iPhone
This lists the dynamic libraries the binary links against (one line per library, taken from its load commands) together with the compatibility and current version each was linked against. The result:
	/usr/lib/libstdc++.6.dylib (compatibility version 7.0.0, current version 104.2.0)
	/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/CoreData.framework/CoreData (compatibility version 1.0.0, current version 519.15.0)
	/System/Library/Frameworks/AdSupport.framework/AdSupport (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1144.17.0)
	/System/Library/Frameworks/CoreAudio.framework/CoreAudio (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libicucore.A.dylib (compatibility version 1.0.0, current version 53.1.0)
	/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 2651.0.0)
	/System/Library/Frameworks/Accelerate.framework/Accelerate (compatibility version 1.0.0, current version 4.0.0)
	/System/Library/Frameworks/CoreImage.framework/CoreImage (compatibility version 1.0.0, current version 4.0.0)
	/System/Library/Frameworks/CoreMotion.framework/CoreMotion (compatibility version 1.0.0, current version 1756.0.20)
	/System/Library/Frameworks/AssetsLibrary.framework/AssetsLibrary (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/AddressBookUI.framework/AddressBookUI (compatibility version 1.0.0, current version 33.0.0)
	/System/Library/Frameworks/AddressBook.framework/AddressBook (compatibility version 1.0.0, current version 30.0.0)
	/System/Library/Frameworks/CoreLocation.framework/CoreLocation (compatibility version 1.0.0, current version 1756.0.20)
	/System/Library/Frameworks/MessageUI.framework/MessageUI (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
	/System/Library/Frameworks/CoreText.framework/CoreText (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/ImageIO.framework/ImageIO (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3347.44.0)
	/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 600.0.0)
	/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
	/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 169.2.0)
	/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 700.20.6)
	/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 711.3.18)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
	/usr/lib/libxml2.2.dylib (compatibility version 10.0.0, current version 10.9.0)
	/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
	/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices (compatibility version 1.0.0, current version 66.0.0)
	/System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
	/System/Library/Frameworks/OpenAL.framework/OpenAL (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
	/System/Library/Frameworks/CoreMedia.framework/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/CoreVideo.framework/CoreVideo (compatibility version 1.2.0, current version 1.8.0)
	/System/Library/Frameworks/MapKit.framework/MapKit (compatibility version 1.0.0, current version 14.0.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1214.5.1)
	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1144.17.0)
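Every entry in the list above lives under /System/Library or /usr/lib, i.e. it ships with iOS. What a reviewer usually wants from otool -L is the opposite set: libraries resolved through @rpath or @executable_path, which are third-party or embedded frameworks whose version numbers matter. The script below is an added example, not code from the original post; it parses the line format otool -L prints and splits the list that way. The sample input is constructed: two lines are copied from the real output above, and the @rpath/ThirdParty and libswiftCore entries are hypothetical.

```python
"""Triage `otool -L <binary>` output: system vs. non-system dependencies.

Added example, not code from the original post. Reads the one-line-per-
library format otool -L prints and separates Apple system libraries from
everything else (embedded frameworks, @rpath / @executable_path entries),
which is where third-party code and its version numbers live.
"""
import re
import sys

# One dependency line as otool -L prints it (real output indents with a tab).
_DEP_RE = re.compile(
    r"^\s*(?P<path>\S+)\s+\(compatibility version (?P<compat>[\d.]+), "
    r"current version (?P<current>[\d.]+)\)\s*$"
)

# Everything shipped with iOS lives under these prefixes.
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")


def parse_otool_L(text):
    """Return a list of (path, compat_version, current_version) tuples.

    The first line of real output is the binary path followed by a colon;
    it and any other non-dependency line are skipped.
    """
    deps = []
    for line in text.splitlines():
        m = _DEP_RE.match(line)
        if m:
            deps.append((m.group("path"), m.group("compat"), m.group("current")))
    return deps


def non_system_deps(deps):
    """Dependencies that are not Apple system libraries: embedded frameworks
    and dylibs resolved through @rpath, @executable_path or @loader_path."""
    return [d for d in deps if not d[0].startswith(SYSTEM_PREFIXES)]


def uses_library(deps, name):
    """True if a linked library's basename starts with `name` (e.g. 'Security')."""
    return any(d[0].rsplit("/", 1)[-1].startswith(name) for d in deps)


# Constructed sample: two lines copied from the page's real output plus two
# hypothetical embedded dependencies of the kind a release build may carry.
SAMPLE = """\
JD4iPhone:
\t/usr/lib/libstdc++.6.dylib (compatibility version 7.0.0, current version 104.2.0)
\t/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
\t@rpath/ThirdParty.framework/ThirdParty (compatibility version 1.0.0, current version 2.3.1)
\t@executable_path/Frameworks/libswiftCore.dylib (compatibility version 1.0.0, current version 800.0.46)
"""

if __name__ == "__main__":
    # Usage: otool -L ~/Payload/JD4iPhone.app/JD4iPhone | python3 otool_deps.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    deps = parse_otool_L(text)
    print("%d linked libraries, %d non-system:" % (len(deps), len(non_system_deps(deps))))
    for path, compat, current in non_system_deps(deps):
        print("  %s  (current %s, compat %s)" % (path, current, compat))
```

Pipe real otool -L output into it, or run it without input to see the constructed sample. The @rpath entries it reports are the ones to cross-check against the Frameworks/ directory inside the .app and against known-vulnerable versions of those libraries.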
That alone is not much, so let's look at the next command. Note that -arch armv7 selects the 32-bit slice of a fat binary; otool -f (from the option list above) shows which slices are present, and for a 64-bit-only build you would use -arch arm64 instead.
otool -v -arch armv7 -s __TEXT __cstring ~/Payload/JD4iPhone.app/JD4iPhone > ipa_Str.txt
Opening the txt file shows content like the following: the address of each string within the section, followed by the string itself.
0187be4a addNewAddress
0187be58 addressDefault
0187be67 kShowPickSitesMap
0187be79 kPickViewWillApperNotifaction
0187be97 kPickViewWillDisapperNotifaction
0187beb8 kOrderPaymentTypeChangedNotification
0187bedd OrderPickSieTypeChangedNotification
0187bf01 kToOrderPickSieTypeVcNotification
0187bf23 kSelectedPickSiteNotification
0187bf41 PayAndShipmentTypeViewController
0187bf62 DeliveryPayType_Confirm
0187bf7a complatePayAndShiment
0187bf90 OrderInfoViewController
0187bfa8 pickSites
0187bfb2 kUpdatePickSiteLocation
0187bfca paymentType
This dumps every C string literal compiled into the binary's __TEXT,__cstring section: selector and key names, notification names, format strings, URLs and anything else hard-coded in the source. It typically runs to tens of thousands of lines. The idea is the same as scanning logcat on Android for sensitive words: look through the strings for private keys, credentials, internal endpoints or other sensitive information that should never have shipped in the binary. A few tricks make the filtering manageable, for example opening the file in Sublime Text, enabling regular expressions in Find and searching for patterns that match the kind of string you are after. One caveat: a binary taken straight from the App Store is FairPlay-encrypted (otool -l lists an LC_ENCRYPTION_INFO load command with cryptid 1), and its __TEXT section then dumps as ciphertext rather than readable strings until the app has been decrypted.
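The same filtering can be scripted instead of done by hand in an editor. The script below is an added example, not code from the original post: it parses the `<address> <string>` lines that otool -v -s __TEXT __cstring prints and flags the categories a reviewer would want first, using regular expressions for URLs, PEM private-key markers, credential-looking names, IP addresses and long hex digests, plus a Shannon-entropy check for long random-looking tokens (base64 keys, bearer tokens). The rules and thresholds are my choices, not anything otool provides. The sample input is constructed: the first two strings are from the real dump above, the remaining ones are made up to exercise each rule.

```python
"""Filter the strings dumped by `otool -v -s __TEXT __cstring <binary>`.

Added example, not code from the original post. With -v otool prints one
string per line as `<hex address> <string>`, the format shown above. This
script parses that format and flags candidates worth a manual look: URLs,
private-key markers, credential-looking names, IP addresses, long hex
blobs and long high-entropy tokens. The rules and thresholds are my
choices, not part of otool.
"""
import math
import re
import sys

# `<address>  <string>`; the header lines otool prints do not match this.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{8,16})\s+(.*)$")

# (label, pattern). Deliberately broad: the goal is to cut tens of
# thousands of lines down to a list a human can read.
RULES = [
    ("url", re.compile(r"https?://\S+", re.I)),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential_name", re.compile(r"(password|passwd|secret|token|api[_-]?key|appkey)", re.I)),
    ("ip_address", re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b")),
    # Hex digests/keys never exceed 4 bits of entropy per character, so the
    # entropy check below would miss them; match them by shape instead.
    ("hex_token", re.compile(r"\b[0-9a-f]{32,}\b")),
]


def parse_cstring_dump(text):
    """Return [(address_int, string), ...] from otool -v -s __TEXT __cstring output."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2)))
    return out


def shannon_entropy(s):
    """Bits per character. 32 distinct characters used once each gives 5.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(s, min_len=20, min_entropy=4.5):
    """Long, token-shaped (base64 / URL-safe alphabet) and high-entropy.

    camelCase selector names such as kPickViewWillApperNotifaction reuse
    letters heavily and stay well below 4.5 bits/char, so they are not flagged.
    """
    return (len(s) >= min_len
            and re.fullmatch(r"[A-Za-z0-9+/=_\-]+", s) is not None
            and shannon_entropy(s) >= min_entropy)


def classify(strings):
    """Return [(label, address, string), ...] for every string that trips a rule."""
    hits = []
    for addr, s in strings:
        for label, rx in RULES:
            if rx.search(s):
                hits.append((label, addr, s))
        if looks_like_token(s):
            hits.append(("high_entropy", addr, s))
    return hits


# Constructed sample in otool's -v cstring layout: the first two strings are
# from the page's real dump, the rest are made up to exercise each rule.
SAMPLE = """\
JD4iPhone:
Contents of (__TEXT,__cstring) section
0187be4a  addNewAddress
0187be79  kPickViewWillApperNotifaction
0187c010  https://api.example.com/v1/login
0187c040  -----BEGIN RSA PRIVATE KEY-----
0187c070  appKey
0187c080  AbCdEfGhIjKlMnOpQrStUvWxYz012345
0187c0b0  10.0.0.1
0187c0c0  5d41402abc4b2a76b9719d911017c592
"""

if __name__ == "__main__":
    # Usage: python3 cstring_triage.py ipa_Str.txt   (or pipe otool output on stdin)
    if len(sys.argv) > 1:
        text = open(sys.argv[1]).read()
    else:
        text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for label, addr, s in classify(parse_cstring_dump(text)):
        print("%-16s %08x  %s" % (label, addr, s))
```

Run it on the ipa_Str.txt produced above. Expect false positives from the credential_name rule (any selector containing "token" or "secret" matches); that is intentional, since the list it produces is still a few hundred lines rather than tens of thousands, and each hit carries its address so you can go back to the same spot with otool -s or a disassembler.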