Performing an Analysis of the Application Binary
In order to enable idb's remaining functions, the analysis of the application binary has to be triggered by clicking the 'Analyze Binary' button. This downloads the (decrypted) application binary from the device and performs some basic analysis of the Mach-O headers to extract information such as:
Encryption?: Is a segment of the app marked as encrypted (i.e., is the App Store FairPlay encryption still in place)?
Cryptid: If so, which cryptid is assigned to that segment.
PIE: Is the application compiled as a Position-Independent Executable (PIE), and thus able to take advantage of ASLR?
Stack Canaries: Are stack canaries (stack-smashing protection) enabled for the application?
ARC: Does the application use Automatic Reference Counting (ARC)?
If the application binary is encrypted, idb uses Stefan Esser's dumpdecrypted to decrypt it on the device before downloading and analyzing it.
Once 'Analyze Binary' has been clicked and the analysis has completed, the "Application Binary" tab becomes fully active. It provides three functions: listing shared libraries, extracting strings, and dumping class and method signatures.
The "Shared Libraries" tab allows you to list all the external libraries the app references. This makes it easy to spot suspicious or unexpected frameworks that may be in use by the app (for example, third-party analytics or ad frameworks). Internally, idb uses otool to analyze the binary. Since idb runs otool on the host, this is an OS X feature only at this point. There are plans for moving the analysis onto the device, which will make the feature available on other platforms as well.
Application binaries frequently include data of interest such as API keys, credentials, encryption keys, URLs, etc. The "Strings" tab extracts all printable strings from the (decrypted!) application binary and displays them right in the UI. Running this against a still-encrypted binary would only yield garbage from the encrypted segment, which is why the decryption step above matters.
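To make the checks listed above concrete, here is an added example (not idb's own code, which shells out to otool) that performs the same analysis directly on a Mach-O file: it reads the cryptid from LC_ENCRYPTION_INFO_64, the PIE flag from the header, detects stack canaries and ARC from the imported symbol names (the same evidence otool exposes), lists the linked shared libraries from LC_LOAD_DYLIB, and extracts printable strings. The sample binary is constructed in memory purely for demonstration; it is not a real app. It is assumed the input is a single little-endian 64-bit slice (real iOS binaries are often fat and 32-bit slices use LC_ENCRYPTION_INFO, 0x21, instead), and the ARC/canary symbol sets are the usual runtime imports, not an official list.

```python
"""Minimal Mach-O inspector mirroring idb's 'Analyze Binary' checks (added example, not idb code)."""
import struct

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
MH_PIE = 0x200000                 # header flag: position-independent executable
LC_SYMTAB = 0x2
LC_LOAD_DYLIB = 0xC
LC_ENCRYPTION_INFO_64 = 0x2C      # carries cryptoff/cryptsize/cryptid

CANARY_SYMS = {"___stack_chk_guard", "___stack_chk_fail"}     # assumed indicator set
ARC_SYMS = {"_objc_retain", "_objc_release", "_objc_autoreleaseReturnValue"}


def analyze(blob):
    """Return the same facts idb reports: encryption, cryptid, PIE, canaries, ARC, dylibs."""
    magic, _cpu, _sub, _ftype, ncmds, _cmdsize, flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("expected a thin little-endian 64-bit Mach-O slice")
    info = {"encrypted": False, "cryptid": None, "pie": bool(flags & MH_PIE),
            "stack_canaries": False, "arc": False, "dylibs": []}
    off = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            info["encrypted"], info["cryptid"] = cryptid != 0, cryptid
        elif cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", blob, off + 8)[0]   # lc_str offset, relative to the command
            raw = blob[off + name_off: off + cmdsize]
            info["dylibs"].append(raw.split(b"\0", 1)[0].decode())
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", blob, off + 8)
            strtab = blob[stroff: stroff + strsize]
            names = set()
            for i in range(nsyms):             # nlist_64 entries are 16 bytes; n_strx is the first field
                n_strx = struct.unpack_from("<I", blob, symoff + 16 * i)[0]
                names.add(strtab[n_strx:].split(b"\0", 1)[0].decode())
            info["stack_canaries"] = bool(names & CANARY_SYMS)
            info["arc"] = bool(names & ARC_SYMS)
        off += cmdsize
    return info


def strings(blob, min_len=4):
    """Extract runs of printable ASCII, like the strings(1) tool; meaningful only on a decrypted binary."""
    out, cur = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode())
    return out


def build_sample(cryptid=1, pie=True):
    """Constructed sample: a tiny Mach-O with one dylib, an encryption-info command and three symbols."""
    name = b"/System/Library/Frameworks/Security.framework/Security\0"
    name += b"\0" * (-len(name) % 8)                       # load commands are 8-byte aligned
    lc_dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    lc_enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    cmds_size = len(lc_dylib) + len(lc_enc) + 24
    symoff = 32 + cmds_size
    strtab, nlist = b"\0", b""
    for sym in (b"___stack_chk_guard", b"_objc_release", b"_main"):
        nlist += struct.pack("<IBBHQ", len(strtab), 0x01, 0, 0, 0)   # N_EXT|N_UNDF import
        strtab += sym + b"\0"
    lc_symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, 3, symoff + len(nlist), len(strtab))
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, cmds_size, MH_PIE if pie else 0, 0)
    payload = b"https://api.example.com/v1/login\0"        # constructed "data of interest"
    return header + lc_dylib + lc_enc + lc_symtab + nlist + strtab + payload


if __name__ == "__main__":
    sample = build_sample()
    for key, value in analyze(sample).items():
        print(f"{key:15} {value}")
    print("strings:", strings(sample))
```

A cryptid of 0 with an LC_ENCRYPTION_INFO command present is what dumpdecrypted leaves behind; a non-zero cryptid means the segment is still FairPlay-encrypted and both the strings and the class dump will be worthless until it is decrypted.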
Class and Method Signature Dumping
When reversing, instrumenting (e.g., using Cycript or Mobile Substrate), or simply trying to understand an app, knowing all of the classes and method signatures of the app is of great help. idb provides a convenient way of obtaining these from compiled iOS applications. Under the hood, this function uses cycript and the weak_classdump script by Elias Limneos. To use it, simply click the "Dump Classes" button in idb while the device is unlocked.
Note: Since iOS 8, there appears to be an issue with running weak_classdump. A better solution that works across platforms is being worked on.
This launches the app with cycript attached and dumps all of the class information. Depending on the size of the application, this process can take several minutes. There is no visual feedback while the class information is being dumped, but the device plays the "locking" sound once the dump is complete. In rare instances the app may crash during this process, which results in an incomplete class dump.
At any time during the process, the "List Results" button can be used to retrieve all of the class information collected thus far. To obtain the full list, wait until weak_classdump has finished executing.
The results will look similar to this: