MASTG-TOOL-0105 IPSW

IPSW は自らを "iOS/macOS Research Swiss Army Knife" と呼んでいます。一般的に、IPSW は iOS 固有のファイル (IPSW, OTA, ...) を取得し、それらを静的に解析することもできます。アプリケーション解析にとって最も興味深い機能は Objective-C と Swift のクラスダンプです。その他の機能 (カーネルキャッシュパーサー、デバイスツリーパーサー、逆アセンブラなど) も利用できますが、OS 自体のセキュリティを解析する場合にのみ役立ちます。

Objective-C クラス情報の抽出

IPSW は MachO バイナリから Objective-C クラス情報を抽出できます。ユニバーサル MachO ファイルの場合は --arch を使用して目的のアーキテクチャを指定できます。

$ ipsw class-dump --arch arm64 UnCrackable\ Level\ 1

@protocol NSObject

@required

...

-[UIApplicationDelegate applicationDidFinishLaunching:];
-[UIApplicationDelegate application:willFinishLaunchingWithOptions:];
-[UIApplicationDelegate application:didFinishLaunchingWithOptions:];
-[UIApplicationDelegate applicationDidBecomeActive:];

...

??? "Full command output"

```bash
$ ipsw class-dump --arch arm64 UnCrackable\ Level\ 1

@protocol NSObject

@required

@property (TQ,R) hash;
@property (T#,R) superclass;
@property (T@"NSString",R,C) description;
@property (T@"NSString",R,C) debugDescription;

/* required instance methods */
-[NSObject isEqual:];
-[NSObject class];
-[NSObject self];
-[NSObject performSelector:];
-[NSObject performSelector:withObject:];
-[NSObject performSelector:withObject:withObject:];
-[NSObject isProxy];
-[NSObject isKindOfClass:];
-[NSObject isMemberOfClass:];
-[NSObject conformsToProtocol:];
-[NSObject respondsToSelector:];
-[NSObject retain];
-[NSObject release];
-[NSObject autorelease];
-[NSObject retainCount];
-[NSObject zone];
-[NSObject hash];
-[NSObject superclass];
-[NSObject description];

@optional

/* optional instance methods */
-[NSObject debugDescription];

@end

@protocol UIApplicationDelegate <NSObject>

@required

@property (T@"UIWindow",&,N) window;

@optional

/* optional instance methods */
-[UIApplicationDelegate applicationDidFinishLaunching:];
-[UIApplicationDelegate application:willFinishLaunchingWithOptions:];
-[UIApplicationDelegate application:didFinishLaunchingWithOptions:];
-[UIApplicationDelegate applicationDidBecomeActive:];
-[UIApplicationDelegate applicationWillResignActive:];
-[UIApplicationDelegate application:handleOpenURL:];
-[UIApplicationDelegate application:openURL:sourceApplication:annotation:];
-[UIApplicationDelegate application:openURL:options:];
-[UIApplicationDelegate applicationDidReceiveMemoryWarning:];
-[UIApplicationDelegate applicationWillTerminate:];
-[UIApplicationDelegate applicationSignificantTimeChange:];
-[UIApplicationDelegate application:willChangeStatusBarOrientation:duration:];
-[UIApplicationDelegate application:didChangeStatusBarOrientation:];
-[UIApplicationDelegate application:willChangeStatusBarFrame:];
-[UIApplicationDelegate application:didChangeStatusBarFrame:];
-[UIApplicationDelegate application:didRegisterUserNotificationSettings:];
-[UIApplicationDelegate application:didRegisterForRemoteNotificationsWithDeviceToken:];
-[UIApplicationDelegate application:didFailToRegisterForRemoteNotificationsWithError:];
-[UIApplicationDelegate application:didReceiveRemoteNotification:];
-[UIApplicationDelegate application:didReceiveLocalNotification:];
-[UIApplicationDelegate application:handleActionWithIdentifier:forLocalNotification:completionHandler:];
-[UIApplicationDelegate application:handleActionWithIdentifier:forRemoteNotification:withResponseInfo:completionHandler:];
-[UIApplicationDelegate application:handleActionWithIdentifier:forRemoteNotification:completionHandler:];
-[UIApplicationDelegate application:handleActionWithIdentifier:forLocalNotification:withResponseInfo:completionHandler:];
-[UIApplicationDelegate application:didReceiveRemoteNotification:fetchCompletionHandler:];
-[UIApplicationDelegate application:performFetchWithCompletionHandler:];
-[UIApplicationDelegate application:performActionForShortcutItem:completionHandler:];
-[UIApplicationDelegate application:handleEventsForBackgroundURLSession:completionHandler:];
-[UIApplicationDelegate application:handleWatchKitExtensionRequest:reply:];
-[UIApplicationDelegate applicationShouldRequestHealthAuthorization:];
-[UIApplicationDelegate applicationDidEnterBackground:];
-[UIApplicationDelegate applicationWillEnterForeground:];
-[UIApplicationDelegate applicationProtectedDataWillBecomeUnavailable:];
-[UIApplicationDelegate applicationProtectedDataDidBecomeAvailable:];
-[UIApplicationDelegate application:supportedInterfaceOrientationsForWindow:];
-[UIApplicationDelegate application:shouldAllowExtensionPointIdentifier:];
-[UIApplicationDelegate application:viewControllerWithRestorationIdentifierPath:coder:];
-[UIApplicationDelegate application:shouldSaveApplicationState:];
-[UIApplicationDelegate application:shouldRestoreApplicationState:];
-[UIApplicationDelegate application:willEncodeRestorableStateWithCoder:];
-[UIApplicationDelegate application:didDecodeRestorableStateWithCoder:];
-[UIApplicationDelegate application:willContinueUserActivityWithType:];
-[UIApplicationDelegate application:continueUserActivity:restorationHandler:];
-[UIApplicationDelegate application:didFailToContinueUserActivityWithType:error:];
-[UIApplicationDelegate application:didUpdateUserActivity:];
-[UIApplicationDelegate application:userDidAcceptCloudKitShareWithMetadata:];
-[UIApplicationDelegate window];
-[UIApplicationDelegate setWindow:];

@end

@protocol __ARCLiteKeyedSubscripting__

@required

/* required instance methods */
-[__ARCLiteKeyedSubscripting__ objectForKeyedSubscript:];
-[__ARCLiteKeyedSubscripting__ setObject:forKeyedSubscript:];

@optional

@end

@interface AppDelegate : UIResponder <UIApplicationDelegate> {
    /* instance variables */
    @"UIWindow" _window;
}

@property (T@"UIWindow",&,N,V_window) window;
@property (TQ,R) hash;
@property (T#,R) superclass;
@property (T@"NSString",R,C) description;
@property (T@"NSString",R,C) debugDescription;

/* instance methods */
-[AppDelegate application:didFinishLaunchingWithOptions:];
-[AppDelegate applicationWillResignActive:];
-[AppDelegate applicationDidEnterBackground:];
-[AppDelegate applicationWillEnterForeground:];
-[AppDelegate applicationDidBecomeActive:];
-[AppDelegate applicationWillTerminate:];
-[AppDelegate window];
-[AppDelegate setWindow:];

@end

@interface ViewController : UIViewController {
    /* instance variables */
    @"UILabel" _theLabel;
    @"UILabel" _Hint;
    @"UITextField" _theTextField;
    @"UIButton" _bVerify;
}

@property (T@"UILabel",W,N,V_theLabel) theLabel;
@property (T@"UILabel",W,N,V_Hint) Hint;
@property (T@"UITextField",W,N,V_theTextField) theTextField;
@property (T@"UIButton",W,N,V_bVerify) bVerify;

/* instance methods */
-[ViewController viewDidLoad];
-[ViewController buttonClick:];
-[ViewController didReceiveMemoryWarning];
-[ViewController theLabel];
-[ViewController setTheLabel:];
-[ViewController Hint];
-[ViewController setHint:];
-[ViewController theTextField];
-[ViewController setTheTextField:];
-[ViewController bVerify];
-[ViewController setBVerify:];

@end
```

Swift クラス情報の抽出

IPSW は利用可能なシンボルを ipsw swift-dump で出力できます。デフォルトでは、識別された構造体とシンボルの位置は表示されませんが、これは -V フラグを使用することで有効にできます。

$ ipsw swift-dump --arch arm64 ./MASTestApp -V

Swift TOC
--------
  __swift5_builtin  = 0
  __swift5_types(2) = 3
  __swift5_protos   = 0
  __swift5_proto    = 2

TYPES
-----

// 0x10000a760
struct MASTestApp.ContentView { // accessor 0x1000081e4
    /* 0x10000b064 */ var _displayText: _$s7SwiftUI5StateVMn _$sSS
}

// 0x10000a7a4
struct MASTestApp.MASTestAppApp {} // accessor 0x10000a200

// 0x10000a7f0
class MASTestApp.ResourceBundleClass { // accessor 0x10000a2c4
  /* methods */
    /* 0x10000a824 */ // <stripped> static func init
}
...

??? "Full command output"

```bash
$ ipsw swift-dump --arch arm64 ./MASTestApp -V

Swift TOC
--------
__swift5_builtin  = 0
__swift5_types(2) = 3
__swift5_protos   = 0
__swift5_proto    = 2

TYPES
-----

// 0x10000a760
struct MASTestApp.ContentView { // accessor 0x1000081e4
    /* 0x10000b064 */ var _displayText: _$s7SwiftUI5StateVMn _$sSS
}

// 0x10000a7a4
struct MASTestApp.MASTestAppApp {} // accessor 0x10000a200

// 0x10000a7f0
class MASTestApp.ResourceBundleClass { // accessor 0x10000a2c4
/* methods */
    /* 0x10000a824 */ // <stripped> static func init
}

PROTOCOL CONFORMANCES
---------------------

// 0x10000a668
protocol conformance MASTestApp.ContentView : _$s7SwiftUI4ViewMp {
/* resilient witnesses */
    /* 0x10000a83d */ _$s7SwiftUI4ViewP4BodyAC_AaBTn
    /* 0x10000a845 */ _$s4Body7SwiftUI4ViewPTl
    /* 0x100009924 */ _$s7SwiftUI4ViewP05_makeC04view6inputsAA01_C7OutputsVAA11_GraphValueVyxG_AA01_C6InputsVtFZTq
    /* 0x100009928 */ _$s7SwiftUI4ViewP05_makeC4List4view6inputsAA01_cE7OutputsVAA11_GraphValueVyxG_AA01_cE6InputsVtFZTq
    /* 0x10000992c */ _$s7SwiftUI4ViewP14_viewListCount6inputsSiSgAA01_ceF6InputsV_tFZTq
    /* 0x100009944 */ _$s7SwiftUI4ViewP4body4BodyQzvgTq
}

// 0x10000a6fc
protocol conformance MASTestApp.MASTestAppApp : _$s7SwiftUI3AppMp {
/* resilient witnesses */
    /* 0x10000afff */ _$s7SwiftUI3AppP4BodyAC_AA5SceneTn
    /* 0x10000b007 */ _$s4Body7SwiftUI3AppPTl
    /* 0x10000a0d4 */ _$s7SwiftUI3AppP4body4BodyQzvgTq
    /* 0x10000a184 */ _$s7SwiftUI3AppPxycfCTq
}

ASSOCIATED TYPES
---------------------

// 0x10000b088
extension MASTestApp.ContentView: _$s7SwiftUI4ViewP {
    /* 0x10000b03f */ typealias Body = _$s7SwiftUI15ModifiedContentVMn _$s7SwiftUI6VStackVMn _$s7SwiftUI9TupleViewVMn _$syAA -> _$s7SwiftUI6HStackVMn _$syAC -> _$s7SwiftUI4TextVMn _$s_ _$s7SwiftUI6SpacerVMn _$sAAyAAyAA -> _$s7SwiftUI6ButtonVMn _$syAAyAAyAAyAE _$s7SwiftUI14_PaddingLayoutVMn _$sGAHG _$s7SwiftUI30_EnvironmentKeyWritingModifierVMn _$s7SwiftUI4FontVMn _$sSgGGG -> _$s7SwiftUI24_BackgroundStyleModifierVMn _$s7SwiftUI14LinearGradientVMn _$sGG -> _$s7SwiftUI11_ClipEffectVMn _$s7SwiftUI16RoundedRectangleVMn _$sGGAHGtGGAHG_AAyAAyAAyAA -> _$s7SwiftUI10ScrollViewVMn _$syAAyAAyAE _$s7SwiftUI16_FlexFrameLayoutVMn _$sGAHGGA2_GAQ -> _$s7SwiftUI5ColorVMn _$sGGAWGAHGtGGAH
}

// 0x10000b0a0
extension MASTestApp.MASTestAppApp: _$s7SwiftUI3AppP {
    /* 0x10000b044 */ typealias Body = _$s7SwiftUI11WindowGroupVMn MASTestApp.ContentView
}

```

PreviousMASTG-TOOL-0102 ios-app-signer NextMASTG-TOOL-0111 ldid

Last updated 5 months ago

Was this helpful?