Loading iOS memory dump into a Disassembler for analysis

Scugn1zz0 · 2020 年5 月 5 日 07:49

Hi guys

I have dumped (with frida dump) the process memory of an APP i’m trying to reverse engineer. I got a file of about 700MB.

If I load it into Hopper, it does not find any code ore procedure, but if I look for strings in it, it is full of information. I guess I only need to set up the entry point and offset correctly. How can I do that?

Thanks

Zhang · 2020 年5 月 5 日 12:29

I mean why dont you use standard procedures to dump an actual loadable binary

Scugn1zz0 · 2020 年5 月 5 日 17:20

That’s a very nice question! I’m trying to reverse engineer an app made with Flutter from Google.
The app fist run an engine in executable format (which can be dumped with clutch, or any other usual way) which in turn deserializes and runs the actual application.

The actual application is in a super weird format, it is a Dart Snapshot. It’s a little to no documented at all file format which cannot be opened with any disassembler because the code is like compressed.

The thing is that when the Engine first runs, it deserialize the actual Application in form of ARM v7 procedures and loads it in memory. So i’m trying this bottom up approach to get the application to reverse engineer.

Do you know how to parse an iOS memory dump? Thanks!

Scugn1zz0 · 2020 年5 月 5 日 21:03

@Guodong this might be relevant to you as well! ~~

In the meanwhile I found this very useful tool to reverse flutter apps (tho you need the APK version of the app for this specific tool): https:// github .com/mildsunrise/darter
This tool decompile the App object to get classes and methods, but still I think it would be useful to dump and parse the process memory (this question topic)

Zhang · 2020 年5 月 5 日 22:12

Nope. You cant dynamically load ARM native code and execute it directly on iOS due to kernel code-signing requirements. I’ve never reversed Dart, but You are probably talking about ByteCode of the engine(which is likely in the engine’s own format and needs you to figure it out in other means), or AOT compiled into native code(which means the code already exists in main executable or some framework in the bundle)

Since there is no JIT process on iOS, your whole idea of “dumping out code page” wont do since it’s still bytecode and not actual code

Scugn1zz0 · 2020 年5 月 5 日 22:55

Ohh wow that’s bad news for me.

Anyway thanks a lot for taking the time to explain this to me, I really appreciate it, i will try another workaround!