Development
for the iPhone is performed with Xcode and the iPhone SDK. Code can be
run either within the emulator or on a development device. For some
applications (for example, those using the Keychain), a physical device
is required. Debugging is done within Xcode via gdb, although for
jailbroken devices, a third-party gdb can be installed on the device
itself for debugging any phone application.
Decompilation and Disassembly
Objective-C applications
decompile fairly cleanly, if you have the right tools. Many Apple
developers may be familiar with otool, which comes with the OS X
developer tools. otool is a straightforward executable disassembler that
can parse Mach-O type executables.
otool has also been ported to ARM and is available via several sources.
otool is very flexible; see otool(1) for details. Here’s a common
usage:
Note
In
Cydia, the package that includes otool is Darwin CC Tools. We, of
course, take no responsibility for anything bad that happens from
running sketchy Cydia apps!
otool -toV /Applications/iCal.app/Contents/MacOS/iCal
/Applications/iCal.app/Contents/MacOS/iCal:
Objective-C segment
Module 0x22b52c
version 7
size 16
name
symtab 0x0022c940
sel_ref_cnt 0
refs 0x00000000 (not in an __OBJC section)
cls_def_cnt 1
cat_def_cnt 0
Class Definitions
defs[0] 0x00204360
is a 0x0020a560
super_class 0x001a5f44 CALCanvasItem
name 0x001c6574 CALCanvasAttributedText
version 0x00000000
info 0x00000001 CLS_CLASS
instance_size 0x0000015c
ivars 0x00224300
ivar_count 13
ivar_name 0x001a54e2 _text
ivar_type 0x001a53d0
@"NSMutableAttributedString"
ivar_offset 0x0000012c
ivar_name 0x001a54e8
_displayedTextNeedsUpdate
ivar_type 0x001a5940 c
ivar_offset 0x00000130
ivar_name 0x001a5502 _generalAttributes
ivar_type 0x001a665c @"NSMutableDictionary"
ivar_offset 0x00000134
ivar_name 0x001a66dc _fontName
ivar_type 0x001a6020 @"NSString"
ivar_offset 0x00000138
ivar_name 0x001a6034 _fontSize
<and much, much more>
For current versions of the iPhone OS (verified on 3.0), you can use the class-dump or class-dump-x tools (http://iphone.freecoder.org/classdump_en.html;
also available in Cydia and in MacPorts for OS X) to get very readable
information on class declarations and structs from Objective-C object
code. You have the option of either installing the iPhone binary on a
jailbroken device or running the binary under OS X. Because of the
architectural difference between the phone and Intel Macs, you’ll need
to run the tool against packages compiled for the iPhone simulator.
From the OS X Terminal (Applications | Utilities | Terminal), you can do the following:
class-dump-x /Developer/Platforms/iPhoneSimulator
.platform/Developer/ SDKs/iPhoneSimulator3.0.sdk/Applications
/MobileSafari.app
< snip >
protocol CALCanvasTextProtocol
- (id)attributes;
- (id)foregroundColor;
- (float)fontSize;
@end
@protocol CALDetachmentDelegate
- (int) decideDetachmentFor:(id)fp8 withOccurrence:(id)fp12 ;
@end
@protocol CALSubscribeOperationUIHandler
- (BOOL)acceptHandlingOfSubscribeCreationOperation:(id)fp8;
- (BOOL)handleSubscribeCreationErrorForOperation:(id)fp8;
- (id)displayStringForSubscribeCreationNotification:(id)fp8;
- (id)calendarIDOfSourceForOperation:(id)fp8;
- (id)handleSubscribeCreationPostDownloadForOperation:(id)fp8
autoRefreshChoices :(id)fp12;
@end
@protocol CalControllerProtocolDelegate
- (void)selectNode:(id)fp8 checked:(int)fp12 ;
- (void)selectAndShowEntity:(id)fp8;
- (void)removeAllSelectedObjects;
@end
Another tool that expands on the output of class-dump by resolving additional symbols is otx (http://otx.osxninja.com).
Although not runnable on the iPhone itself, otx is another tool that
can give you some insight into what is visible when others are examining
your applications. Listing 3-1 shows some otx output.
Listing 1. otx Output
-(BOOL)[NSString(NSStringExtras) isFeedURLString]
+0 00003488 55 pushl %ebp
+1 00003489 89e5 movl %esp,%ebp
+3 0000348b 53 pushl %ebx
+4 0000348c 83ec14 subl $0x14,%esp
+7 0000348f 8b5d08 movl 0x08(%ebp),%ebx
+10 00003492 c744240844430700 movl $0x00074344,0x08(%esp)
feed:
+18 0000349a a180a00700 movl 0x0007a080,%eax
_web_hasCaseInsensitivePrefix:
+23 0000349f 89442404 movl %eax,0x04(%esp)
+27 000034a3 891c24 movl %ebx,(%esp)
+30 000034a6 e850420800 calll 0x000876fb
-[(%esp,1) _web_hasCaseInsensitivePrefix:]
+35 000034ab 84c0 testb %al,%al
+37 000034ad 744b je 0x000034fa
+39 000034af c744240854430700movl $0x00074354,0x08(%esp) :
+47 000034b7 a184a00700 movl 0x0007a084,%eax
rangeOfString:
+52 000034bc 89442404 movl %eax,0x04(%esp)
+56 000034c0 891c24 movl %ebx,(%esp)
+59 000034c3 e833420800 calll 0x000876fb
-[(%esp,1) rangeOfString:]
+64 000034c8 3dffffff7f cmpl $0x7fffffff,%eax
+69 000034cd 742b je 0x000034fa
+71 000034cf 89442408 movl %eax,0x08(%esp)
+75 000034d3 a148a00700 movl 0x0007a048,%eax
substringToIndex:
+80 000034d8 89442404 movl %eax,0x04(%esp)
+84 000034dc 891c24 movl %ebx,(%esp)
+87 000034df e817420800 calll 0x000876fb
-[(%esp,1) substringToIndex:]
+92 000034e4 8b1544a00700 movl 0x0007a044,%edx
isSyndicationScheme
+98 000034ea 89550c movl %edx,0x0c(%ebp)
+101 000034ed 894508 movl %eax,0x08(%ebp)
+104 000034f0 83c414 addl $0x14,%esp
+107 000034f3 5b popl %ebx
|
Preventing Reverse-Engineering
At
this point, you may be asking yourself, “What can I do to prevent
people from reverse-engineering my programs?” The answer is quite
simply: You can’t do much. If someone is motivated to crack or
reverse-engineer your application, they can use far more powerful
commercial tools than these to make doing so even easier. Plus, the
development effort required to prevent reverse-engineering costs money,
especially if you have to revise your protection or obfuscation
mechanisms.
If you absolutely can’t
be dissuaded from implementing some form of “copy protection” or
activation scheme, you can try to hide from some of the aforementioned
mechanisms such as class-dump by putting your logic into plain C or C++
and ensuring that you strip your binaries. But don’t burn a lot of time
on this—remember that all these schemes can be easily defeated by a
knowledgeable attacker.
|
