0x01. 源码包结构
手动添加FirstClass.h、FirstClass.m文件,主要分析反编译前后FirstClass的代码形态。
FirstClass.h实现如下
//
// FirstClass.h
// case2
//
// Created by apple on 14-11-19.
// Copyright (c) 2014年 apple. All rights reserved.
//
#import
// Preprocessor constants used by -[FirstClass sayHello:] in FirstClass.m.
// The preprocessor pastes these values into each use site, so the names STR and
// interger (spelled this way throughout the sample) do not survive compilation;
// the values do. In the Hopper listing further down the page the string shows
// up as a cfstring constant with its full text and the integer as the immediate
// 0x64. A macro therefore hides nothing: any literal placed here is readable by
// whoever holds the compiled binary.
#define STR @"just for test"
#define interger 100
/// Sample class used to compare source code with what class-dump and a
/// disassembler recover from the compiled binary.
@interface FirstClass : NSObject {
    // Declared but never read or written by the implementation shown on this page.
    // Ivar names, like class and selector names, are kept in the Objective-C
    // runtime metadata of the binary, so they are not private to the source tree.
    NSString *test;
}

/// Logs one line built from the STR and interger macros followed by `name`.
/// @param name Text appended as the last field of the log line.
- (void)sayHello:(NSString *)name;

@end
FirstClass.m实现如下
//
// FirstClass.m
// case2
//
// Created by apple on 14-11-19.
// Copyright (c) 2014年 apple. All rights reserved.
//
#import
#import "FirstClass.h"
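@implementation FirstClass

/// Initializes the receiver.
/// @return The initialized object, or nil if the superclass initializer fails.
- (id)init {
    // An initializer must call through to its superclass and adopt the returned
    // object; returning self untouched skips NSObject's part of the contract.
    self = [super init];
    return self;
}

/// Writes "Ha Ha <STR> <interger> <name>" to the log via NSLog.
/// @param name Text printed as the last field of the log line.
- (void)sayHello:(NSString *)name {
    // The format string, the STR text and the value 100 are compiled in as
    // constants (see the cfstring references and 0x64 in the disassembly on this
    // page). NSLog output is also readable outside the app, so nothing sensitive
    // belongs in either the literals or the logged arguments.
    NSLog(@"Ha Ha %@ %d %@", STR, interger, name);
}

@end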
/// Launch hook of the app delegate: logs a greeting, then exercises FirstClass once.
/// @param application The application object delivering the callback.
/// @param launchOptions Launch options passed by the system; not inspected here.
/// @return Always YES.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    NSLog(@"Hello,world.");

    // Each message send below (alloc, init, sayHello:) compiles to an objc_msgSend
    // call whose selector is looked up by name, which is why the disassembly of
    // this method can label every call with its @selector(...).
    FirstClass *greeter = [[FirstClass alloc] init];
    [greeter sayHello:@"Success"];

    return YES;
}
使用class-dump命令还原头文件得到FirstClass.h文件。class-dump依据二进制中保留的Objective-C运行时元数据还原类名、成员变量和方法声明;而STR、interger这类宏在预处理阶段已被展开,不会出现在还原出的头文件中。
cat文件内容如下
0x03.使用Hopper反汇编
0x031. 包结构
0x032. sayHello方法
================ B E G I N O F P R O C E D U R E ================
; Basic Block Input Regs: ebp - Killed Regs: eax ecx edx esp ebp esi edi
; -[FirstClass sayHello:] as disassembled by Hopper (32-bit x86).
; The class name and selector in the label, both string constants and the
; literal 100 (0x64) are all recovered from the binary alone, without the source.
-[FirstClass sayHello:]_2890:
; Prologue: build the frame, save edi/esi, reserve 0x30 bytes of stack.
00002890 55 push ebp
00002891 89E5 mov ebp, esp
00002893 57 push edi
00002894 56 push esi
00002895 83EC30 sub esp, 0x30
; call/pop pair: loads the address 0x289d into eax as the base for
; position-independent references (Hopper names its spill slot _PIC_register_).
00002898 E800000000 call 0x289d
0000289d 58 pop eax ; XREF=0x2898
; Incoming arguments of an Objective-C method on this ABI:
; arg_0 = self, arg_4 = _cmd (the selector), arg_8 = name.
0000289e 8B4D10 mov ecx, dword [ss:ebp-0x38+arg_8]
000028a1 8B550C mov edx, dword [ss:ebp-0x38+arg_4]
000028a4 8B7508 mov esi, dword [ss:ebp-0x38+arg_0]
000028a7 8D7DEC lea edi, dword [ss:ebp-0x38+var_36]
000028aa 8975F4 mov dword [ss:ebp-0x38+var_44], esi
000028ad 8955F0 mov dword [ss:ebp-0x38+var_40], edx
; objc_storeStrong(&var_36, name): the local slot is zeroed first, then takes a
; strong reference to the argument.
000028b0 C745EC00000000 mov dword [ss:ebp-0x38+var_36], 0x0
000028b7 893C24 mov dword [ss:esp], edi
000028ba 894C2404 mov dword [ss:esp+0x4], ecx
000028be 8945E8 mov dword [ss:ebp-0x38+_PIC_register_], eax
000028c1 E828050000 call imp___symbol_stub__objc_storeStrong
; Build the NSLog call: format string, the expanded STR macro, the expanded
; interger macro (0x64 = 100) and the retained name, in stack slots 0x0..0xc.
000028c6 8B45E8 mov eax, dword [ss:ebp-0x38+_PIC_register_]
000028c9 8D88371E0000 lea ecx, dword [ds:eax-0x289d+cfstring_Ha_Ha_____d___] ; @"Ha Ha %@ %d %@"
000028cf 8D90471E0000 lea edx, dword [ds:eax-0x289d+cfstring_just_for_test] ; @"just for test"
000028d5 BE64000000 mov esi, 0x64
000028da 8B7DEC mov edi, dword [ss:ebp-0x38+var_36]
000028dd 890C24 mov dword [ss:esp], ecx
000028e0 89542404 mov dword [ss:esp+0x4], edx
000028e4 C744240864000000 mov dword [ss:esp+0x8], 0x64
000028ec 897C240C mov dword [ss:esp+0xc], edi
; esi (0x64) is spilled to var_28 and not read again in this listing;
; presumably an artifact of an unoptimized build - TODO confirm.
000028f0 8975E4 mov dword [ss:ebp-0x38+var_28], esi
000028f3 E8C0040000 call imp___symbol_stub__NSLog
; objc_storeStrong(&var_36, nil): drops the strong reference to name before return.
000028f8 B800000000 mov eax, 0x0
000028fd 8D4DEC lea ecx, dword [ss:ebp-0x38+var_36]
00002900 890C24 mov dword [ss:esp], ecx
00002903 C744240400000000 mov dword [ss:esp+0x4], 0x0
0000290b 8945E0 mov dword [ss:ebp-0x38+var_24], eax
0000290e E8DB040000 call imp___symbol_stub__objc_storeStrong
; Epilogue: release the stack area, restore saved registers, return.
00002913 83C430 add esp, 0x30
00002916 5E pop esi
00002917 5F pop edi
00002918 5D pop ebp
00002919 C3 ret
; endp
0x033. didFinishLaunchingWithOptions
再看看sayHello的调用
================ B E G I N O F P R O C E D U R E ================
; Basic Block Input Regs: ebp - Killed Regs: eax ecx edx ebx esp ebp esi edi
; -[AppDelegate application:didFinishLaunchingWithOptions:] as disassembled by
; Hopper (32-bit x86). Every Objective-C call goes through objc_msgSend with a
; selector reference that Hopper resolves back to its name, so the call sequence
; alloc -> init -> sayHello: reads directly off the listing.
-[AppDelegate application:didFinishLaunchingWithOptions:]_2970:
; Prologue: build the frame, save ebx/edi/esi, reserve 0x4c bytes of stack.
00002970 55 push ebp
00002971 89E5 mov ebp, esp
00002973 53 push ebx
00002974 57 push edi
00002975 56 push esi
00002976 83EC4C sub esp, 0x4c
; call/pop pair: loads the address 0x297e into eax as the base for
; position-independent references.
00002979 E800000000 call 0x297e
0000297e 58 pop eax ; XREF=0x2979
; Incoming arguments: arg_0 = self, arg_4 = _cmd, arg_8 = application,
; arg_C = launchOptions.
0000297f 8B4D14 mov ecx, dword [ss:ebp-0x58+arg_C]
00002982 8B5510 mov edx, dword [ss:ebp-0x58+arg_8]
00002985 8B750C mov esi, dword [ss:ebp-0x58+arg_4]
00002988 8B7D08 mov edi, dword [ss:ebp-0x58+arg_0]
0000298b 8D5DE8 lea ebx, dword [ss:ebp-0x58+var_64]
0000298e 897DF0 mov dword [ss:ebp-0x58+var_72], edi
00002991 8975EC mov dword [ss:ebp-0x58+var_68], esi
; objc_storeStrong(&var_64, application): strong reference to the first argument.
00002994 C745E800000000 mov dword [ss:ebp-0x58+var_64], 0x0
0000299b 891C24 mov dword [ss:esp], ebx
0000299e 89542404 mov dword [ss:esp+0x4], edx
000029a2 8945D8 mov dword [ss:ebp-0x58+_PIC_register_], eax
000029a5 894DD4 mov dword [ss:ebp-0x58+var_44], ecx
000029a8 E841040000 call imp___symbol_stub__objc_storeStrong
; objc_storeStrong(&var_60, launchOptions): strong reference to the second argument.
000029ad 8D45E4 lea eax, dword [ss:ebp-0x58+var_60]
000029b0 C745E400000000 mov dword [ss:ebp-0x58+var_60], 0x0
000029b7 8B4DD4 mov ecx, dword [ss:ebp-0x58+var_44]
000029ba 890424 mov dword [ss:esp], eax
000029bd 894C2404 mov dword [ss:esp+0x4], ecx
000029c1 E828040000 call imp___symbol_stub__objc_storeStrong
; NSLog(@"Hello,world.")
000029c6 8B45D8 mov eax, dword [ss:ebp-0x58+_PIC_register_]
000029c9 8D88761D0000 lea ecx, dword [ds:eax-0x297e+cfstring_Hello_world_] ; @"Hello,world."
000029cf 890C24 mov dword [ss:esp], ecx
000029d2 E8E1030000 call imp___symbol_stub__NSLog
; Set up objc_msgSend(<class>, @selector(alloc)). The class reference at +0x4650
; is not labelled by Hopper; presumably FirstClass, matching [FirstClass alloc]
; in the source - TODO confirm. @"Success" is fetched early and spilled to var_32.
000029d7 B800000000 mov eax, 0x0
000029dc 8D4DE0 lea ecx, dword [ss:ebp-0x58+var_56]
000029df 8B55D8 mov edx, dword [ss:ebp-0x58+_PIC_register_]
000029e2 8DB2861D0000 lea esi, dword [ds:edx-0x297e+cfstring_Success] ; @"Success"
000029e8 8BBAD21C0000 mov edi, dword [ds:edx-0x297e+0x4650]
000029ee 8B9AC21C0000 mov ebx, dword [ds:edx-0x297e+0x4640] ; @selector(alloc)
000029f4 893C24 mov dword [ss:esp], edi
000029f7 895C2404 mov dword [ss:esp+0x4], ebx
000029fb 8945D0 mov dword [ss:ebp-0x58+var_40], eax
000029fe 894DCC mov dword [ss:ebp-0x58+var_36], ecx
00002a01 8975C8 mov dword [ss:ebp-0x58+var_32], esi
00002a04 E8C7030000 call imp___symbol_stub__objc_msgSend
; objc_msgSend(<result of alloc>, @selector(init)); the result is stored in
; var_56, the slot for the local FirstClass pointer.
00002a09 8B4DD8 mov ecx, dword [ss:ebp-0x58+_PIC_register_]
00002a0c 8B91C61C0000 mov edx, dword [ds:ecx-0x297e+0x4644] ; @selector(init)
00002a12 890424 mov dword [ss:esp], eax
00002a15 89542404 mov dword [ss:esp+0x4], edx
00002a19 E8B2030000 call imp___symbol_stub__objc_msgSend
00002a1e 8945E0 mov dword [ss:ebp-0x58+var_56], eax
; objc_msgSend(var_56, @selector(sayHello:), @"Success")
00002a21 8B45E0 mov eax, dword [ss:ebp-0x58+var_56]
00002a24 8B4DD8 mov ecx, dword [ss:ebp-0x58+_PIC_register_]
00002a27 8B91CA1C0000 mov edx, dword [ds:ecx-0x297e+0x4648] ; @selector(sayHello:)
00002a2d 890424 mov dword [ss:esp], eax
00002a30 89542404 mov dword [ss:esp+0x4], edx
00002a34 8B45C8 mov eax, dword [ss:ebp-0x58+var_32]
00002a37 89442408 mov dword [ss:esp+0x8], eax
00002a3b E890030000 call imp___symbol_stub__objc_msgSend
; var_52 = 1 is written here and not read again in this listing.
00002a40 C745DC01000000 mov dword [ss:ebp-0x58+var_52], 0x1
; Cleanup: three objc_storeStrong(&slot, nil) calls drop the strong references
; held in var_56 (address kept in var_36), var_60 and var_64, in that order.
00002a47 8B45CC mov eax, dword [ss:ebp-0x58+var_36]
00002a4a 890424 mov dword [ss:esp], eax
00002a4d C744240400000000 mov dword [ss:esp+0x4], 0x0
00002a55 E894030000 call imp___symbol_stub__objc_storeStrong
00002a5a B800000000 mov eax, 0x0
00002a5f 8D4DE4 lea ecx, dword [ss:ebp-0x58+var_60]
00002a62 890C24 mov dword [ss:esp], ecx
00002a65 C744240400000000 mov dword [ss:esp+0x4], 0x0
00002a6d 8945C4 mov dword [ss:ebp-0x58+var_28], eax
00002a70 E879030000 call imp___symbol_stub__objc_storeStrong
00002a75 B800000000 mov eax, 0x0
00002a7a 8D4DE8 lea ecx, dword [ss:ebp-0x58+var_64]
00002a7d 890C24 mov dword [ss:esp], ecx
00002a80 C744240400000000 mov dword [ss:esp+0x4], 0x0
00002a88 8945C0 mov dword [ss:ebp-0x58+var_24], eax
00002a8b E85E030000 call imp___symbol_stub__objc_storeStrong
; Return value: al = 1 sign-extended into eax, i.e. the source's `return YES`.
00002a90 B001 mov al, 0x1
00002a92 0FBEC0 movsx eax, al
; Epilogue: release the stack area, restore saved registers, return.
00002a95 83C44C add esp, 0x4c
00002a98 5E pop esi
00002a99 5F pop edi
00002a9a 5B pop ebx
00002a9b 5D pop ebp
00002a9c C3 ret
; endp
使用Hopper生成的汇编代码较IDA来说冗余度比较大,可读性较差。