- Update:
20231205
Forked from HeiTanBc/restore-symbol, do many furture optimization, to facilicate restore symbols for iOS Mach-O file
- Before restore symbol
- After restore symbol
- for:
restore-symbol=rs's ObjC + block - for:
IDA's Functions + Names + block
- for:
- get
restore-symbolexecutable file- download from release
- or download code then build by yourself
- then makesure workable
- show version
./restore-symbol --version
- show help
./restore-symbol --help==./restore-symbol
- show version
download from releases (then rename to restore-symbol)
- download code
git clone --recursive https://github.com/crifan/restore-symbol.git
- compile to generate
restore-symbolcd restore-symbol make
- Summary
- for anyone: have
IDA Pro- (1)
ida_search_block.py: scan and writeback block symbols to IDA - (2)
exportIDASymbol.py: export IDA (Functions(include ObjC) +Names+block) symbols to json file - (3)
restore-symbol: restore all symbols for iOS Mach-O binary file
- (1)
- for anyone: no
IDA Prorestore-symol: restore (only) ObjC symbols
- for anyone: have
- Details:
- (1) scan and writeback block symbols to IDA
- run
tools/IDAScripts/search_oc_block/ida_search_block.pyin IDA- default config:
enableWriteback = True: write back (scanned objc block symbol name) into IDAisExportToFile = True: meanwhile also export block symbol file (for furture use, or manual check)
- default config:
- Example
- WhatsApp
- WhatsApp
- run
- (2) export IDA symbols (
Functions(inside include ObjC symbols) +Names, and above block symbols) to json file- run
tools/IDAScripts/export_ida_symbol/exportIDASymbol.pyin IDA- default config
isVerbose = False: no verbose log- change to
isVerbose = Trueif you want see details
- change to
isExportToFile = True: export final all symbols to json fileenableDemangleName = True: for (Functions+Names) all symbol names, use demangle name if not NoneoutputFolder = None: default output exported file to current folder of IDA opened Mach-O file- set to your expected other folder if necessary
- default config
- Example
- WhatsApp
- WhatsApp
- Attention
- makesure
IDA's image base==Mach-O vmaddr baseis same- Example
- WhatsApp
- before: IDA image base=
0x100C00000 - after
Rebase program, IDA's image base=0x100000000 - same with (MachOView see) WhatsApp's vmaddr=
0x100000000
- before: IDA image base=
- WhatsApp
- Example
- makesure
- run
- (3) restore all symbols for iOS Mach-O binary file
- run
./restore-symbolto restore IDA exported all symbols (IDA's Functions+Names and block)restore-symbol -w true -s false -j {exported_IDA_symbols.json} -o {outputFile_RestoredSymbol} {inputMachOFile}
- Example
- WhatsApp
./restore-symbol -w true -s false -j tools/IDAScripts/export_ida_symbol/output/WhatsApp_IDASymbols_FunctionsNames_20231129_223621.json -o test/WhatsApp/output/WhatsApp_mergedSymbols_20231129 test/WhatsApp/input/WhatsApp
- WhatsApp
- run
use restore-symol to restore ObjC symbols, passing argument with -s true=--scan-objc-symbols true
restore-symbol -s true -o {outputFile_RestoredSymbol} {inputMachOFile}- Note
- after
restore-symbolrestored ObjC symbol, there are some wrong symbol- how to fix: use above (
exportIDASymbol.pyexpored) IDA symbols
- how to fix: use above (
- after
after export IDA symbol, if you want automate whole process of repack ipa, you can use:
crifan/AutoRepackIpa: Auto repack ipa
- 20231115
- other updates for
exportIDASymbo.py,mergeSymbols.py
- other updates for
- 20231103
- add
tools/IDAScripts/export_ida_symbol/exportIDASymbol.py- to export IDA symbols
- add
tools/mergeSymbols/mergeSymbols.py- to merge all symbols from restore-symbol restored, exported from IDA functions list, scanned from IDA block
- add
- 20231027
search_oc_block/ida_search_block.py- Converted to support IDA 7.4+ (
SegName->get_segm_name,Qword->get_qword, etc.) - Converted to Python 3.x(
print xxx->print(xxx),filter->listetc.) - Fixed bug:
RecursionError: maximum recursion depth exceeded while calling a Python object
- Converted to support IDA 7.4+ (
➜ restore-symbol git:(master) ✗ ./restore-symbol --help
restore-symbol 2.0 (64 bit)
Usage: restore-symbol [-o <output-file>] [-j <json-symbol-file>] [-w <true/false>] [-s <true/false>] [-b <objcSymbolsOutputFile>] [-r <true/false>] [-p] <input-mach-O-file>
where options are:
-h,--help Print this help info then exit
-v,--version Print version info then exit
-o,--output <output-file> New mach-O file path
default: null
-j,--json <json-symbol-file> Json file containing extra symbol info, the key is "name","address"
like this:
[
{
"name": "main",
"address": "0xXXXXXX"
},
{
"name": "-[XXXX XXXXX]",
"address": "0xXXXXXX"
},
...
]
default: null
-w,--overwrite-output-file <true/false> Overwrite output file if existed
default: false
-s,--scan-objc-symbols <true/false> Scan objc symbols or not
default: true
-m,--remove-duplicated-objc-symbols <true/false> Remove duplicated objc symbols or not after scan objc symbols
default: true
-b,--objc-symbols-output-file <objcSymbolsOutputFile> Export objc symbols to file
default: null
-r,--restore-symols <true/false> Restore symbol or not
default: true
-p,--replace-restrict New mach-O file will replace the LC_SEGMENT(__RESTRICT,__restrict)
with LC_SEGMENT(__restrict,__restrict) to close dylib inject protection
default: disabled- update
class-dumpto support new load command:0x80000033,0x80000034
A reverse engineering tool to restore stripped symbol table for iOS app.
Example: restore symbol for Alipay
-
- Download source code and compile.
git clone --recursive https://github.com/HeiTanBc/restore-symbol
cd restore-symbol && make
./restore-symbol-
- Restore symbol using this command. It will output a new mach-o file with symbol.
./restore-symbol /pathto/origin_mach_o_file -o /pathto/mach_o_with_symbol -
- Copy the new mach-o file (with symbol) to app bundle, replace the origin mach-o file with new mach-o file. Resign app bundle.
codesign -f -s - --timestamp=none --generate-entitlement-der --entitlement ./xxxx.app.xcent ./xxxx.app-
- Install the app bundle to iOS device, and use lldb to debug the app. Maybe you can use the
ios-deploy, or other way you like. If you useios-deploy, you can execute this command.
- Install the app bundle to iOS device, and use lldb to debug the app. Maybe you can use the
brew install ios-deploy
ios-deploy -d -b xxxx.app-
- Now you can use
b -[class method]to set breakpoint.
- Now you can use
-
- Search block symbol in IDA to get json symbol file, using script(
search_oc_block/ida_search_block.py) .
- Search block symbol in IDA to get json symbol file, using script(
-
- Use command line tool(restore-symbol) to inject oc method symbols and block symbols into mach o file.
./restore-symbol /pathto/origin_mach_o_file -o /pathto/mach_o_with_symbol -j /pathto/block_symbol.json-
- Other steps(resign, install, debug) are samen as above.
# ./restore-symbol --help
restore-symbol 1.0 (64 bit)
Usage: restore-symbol -o <output-file> [-j <json-symbol-file>] <mach-o-file>
where options are:
-o,--output <output-file> New mach-o-file path
-s,--scan-objc-symbols <true/false> true/false to enable/disable to disable scan objc symbols
-e,--export-objc-symbol <output-objc-symbol-file> Export ObjC symbol file while restore ObjC symbol
--replace-restrict New mach-o-file will replace the LC_SEGMENT(__RESTRICT,__restrict)
with LC_SEGMENT(__restrict,__restrict) to close dylib inject protection
-j,--json <json-symbol-file> Json file containing extra symbol info, the key is "name","address"
like this:
[
{
"name": "main",
"address": "0xXXXXXX"
},
{
"name": "-[XXXX XXXXX]",
"address": "0xXXXXXX"
},
....
]
-h,--help Print this help info then exit