根据书上例子实战1,使用class-dump dump出来NoteObject.h NoteContentLayerDelegate-Protocol.h文件无法找到。
手机系统版本多少?
dump出来是啥?
线索太少
iPhone 5 系统版本9.0.1 之前使用class-dump 3.1 dump出来的头文件数量更少,换成3.5版本后头文件多一些,但是还是有些头文件没有,比如NoteObject.h.
iphone5 系统版本9.0.1 class-dump 3.5版本,dump出来的是一堆头文件啊。只是书上的例子上有些头文件找不到。比如NoteObject.h。之前使用class-dump 3.1版本,dump下来的头文件更少。换成3.5版本后,还是觉得少一些头文件。
NoteObject应该是不在app二进制里
书上的例子是iOS8,iOS9可能有些变化。
另外,书上有个查找 类在哪个库的方法。找下。grep 命令的。
如果有这个方法那就太好了,但是找了半天没找到啊,能说具体一点么。
From the result, we can see that the method appears in dyld_shared_cache_armv7s. Now, we can use grep again in the decached dyld_shared_cache_armv7s:
snakeninnysiMac:~ snakeninny$ grep -r initWithAccountID:defaults:service: /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5
Binary file /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5/dyld_shared_cache_armv7s matches grep: /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5/System/Library/Caches/com.apple.xpc /sdk.dylib: Too many levels of symbolic links
grep: /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5/System/Library/Frameworks/OpenGLES. framework/libLLVMContainer.dylib: Too many levels of symbolic links
Binary file /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5/System/Library/PrivateFrameworks/IM DaemonCore.framework/IMDaemonCore matches
You can see that in the “/System/Library/” directory, [IMDAccount initWithAccountID:defaults:service:] appears in IMDaemonCore, so we can start our analysis from this binary.
https://github.com/iosre/iOSAppReverseEngineering/blob/master/iOSAppReverseEngineering.pdf
谢谢大牛指教。