limneos / classdump-dyld Goto Github PK

View Code? Open in Web Editor NEW

584.0 38.0 99.0 29.7 MB

Class-dump any Mach-o file without extracting it from dyld_shared_cache

Objective-C 36.77% Makefile 0.61% Cycript 0.43% Logos 62.20%

classdump-dyld's Introduction

classdump-dyld

Major update

As of February 5 2016, I have added cycript integration.

You can now dlopen /usr/lib/libclassdumpdyld.dylib in cycript after injecting any application,

and dlsym the dumpClass and dumpBundle functions.

extern "C" NSString * dumpClass(Class *aClass);

extern "C" NSString * dumpBundle(NSBundle *aBundle);

extern "C" NSString * dumpBundleForClass(Class *aClass);

This is extremely useful in cases when classdump-dyld cannot inject and dump applications.

(This makes weak_classdump project obsolete)

A typical usage in cycript would be:

#cycript -p SpringBoard

@import net.limneos.classdumpdyld;

classdumpdyld.dumpClass(SpringBoard);
@"Wrote file /tmp/SpringBoard.h"

classdumpdyld.dumpBundle([NSBundle mainBundle]);
@"Wrote all headers to /tmp/SpringBoard"

// Dump any bundle other than the main bundle 
classdumpdyld.dumpBundle([NSBundle bundleWithIdentifier:@"com.apple.UIKit"]);
@"Wrote all headers to /tmp/UIKit"

// Dump any image loaded in the process using any class name it contains
classdumpdyld.dumpBundleForClass(CallBarControllerModern);
@"Wrote all headers to /tmp/CallBar7"

General Info

Added 64bit executables dumping and single class dumping

A class dumping command line tool that generates header files from app binaries, libraries, frameworks, bundles or the whole dyld_shared_cache.

Eliminates the need to extract files from the dyld_shared_cache in order to class-dump them or get symbols.

Mass-dumps whole dyld_shared_cache or directories containing any mach-o file recursively.

You can instantly classdump any compatible Mach-o file, either if it is physically stored on disk or it resides in the dyld_shared_cache.

Features and options:

Classdump files that appear malformed to the usual tools on device.
Classdump files or frameworks on runtime without extracting them from dyld_shared_cache.
Classdump files that reside on disk as usual
Recursively search for compatible files and dump them (e.g. whole directory of "/System/Library", "/Applications" or "/" )
Recursively dump all the images stored in dyld_shared_cache
Generate symbols list for files that are stored in dyld_shared_cache without extracting them.
Generation of all structs, symbols and necessary #imports to correctly fill up each header file. (I pray for that)

You can find a recursive sample output on this project under iphoneheaders. It also works on a Mac for dyld_shared_cache and some libraries

Usage: classdump-dyld [<options>] <filename|framework>

	   classdump-dyld [<options>] -r <sourcePath>
	   

Options:

	Structure:
		-g   Generate symbol names 
		-h   Add a \"Headers\" directory to place headers in
		-b   Build original directory structure in output dir
		-u   Do not include framework when importing headers ("Header.h" instead of <frameworkName/Header.h>)

	Output:
		-o   <outputdir> Save generated headers to defined path

	Single Class:
		-j   <className> Dump only the specified class name. (Does not work with -c or -r )
                    This might also dump additional imported or required headers.
	
	Mass dumping: (requires -o)
		-c   Dump all images found in dyld_shared_cache 
		-r   <sourcepath> Recursively dump any compatible Mach-O file found in the given path (requires -o) 
		-s   In a recursive dump, skip header files already found in the same output directory 
	
	Miscellaneous: 
		-D   Enable debug printing for troubleshooting errors
		-e   dpopen 32Bit executables instead of injecting them (iOS 5+, use if defaults fail.This will skip any 64bit executable) 
		-a   In a recursive dump, include 'Applications' directories (skipped by default)
	Examples:
		Example 1: classdump-dyld -o outdir /System/Library/Frameworks/UIKit.framework
		Example 2: classdump-dyld -o outdir /usr/libexec/backboardd
    	Example 3 (recursive): classdump-dyld -o outdir -c  (Dumps all files residing in dyld_shared_cache)
		Example 4 (recursive): classdump-dyld -o outdir -r /Applications
		Example 5 (recursive): classdump-dyld -o outdir -r / -c  (Mass-dumps almost everything on device)

Usage limitations

classdump-dyld works with Mach-o files only. Some files have protection against being dynamically loaded from a different process. In those cases, you can use weak_classdump or other tools.

by Elias Limneos

web: limneos.net

twitter: @limneos

Licence

Environment

classdump-dyld works in a command line shell on any iOS 5+ device and Mac OS X. Tested from iOS 5.x to iOS 8.x and Mac OSX 10.8+.

classdump-dyld's People

Contributors

Stargazers

Watchers

Forkers

gerryreggea packetfahrer nickviveiros csutanyu prathumca adozenlines jimmy54 suhang1982 talentpcb devsri ghalbi gwerz loyaltyarm rootkitt homecracker funny-sultan andyvand rubinghan cptfrazz zhuweicao lobster-king cuihujun planetminguez piaoyunsoft ggthedev dingronghui mail2chensh fxfactorial uroboro exxr admincaf iguchunhui houweifeng mdabbagh88 xuanliu-aa coolstar pi31415926535987932 doorxp benzeng sixleaves adm1n007 bigfoxses tateu lechium hl46000 erlangzhang jsj2008 fjh658 sweetloser zhangkn gtsifrikas 4ch12dy shuixi2013 holyswordman lgq2015 jesperflodin1 julianschuette yuzhouheike luckycoder-git zengqingf kings0527 393101641 piaoapiao skfly007 nobodyjee learn-app-develop sea777777 abjurato bojanin youngshingjun cokepokes cuihaixu adeee88eb gooichi q1f3 fidele007 mrcodechef mhdhejazi ardacoskunses mfkiwl mikeyshaned hyl946 xlsn0wkit zhaozhongke screwlou zerishpho ideacp cashtony guiyiview lovechen soheil 44510 royalgraphx strogo jefferyq2 ta01st genhack

classdump-dyld's Issues

classdump-dyld crashing while dumping dyld_shared_cache in iOS11.1.2

Dumping /System/Library/PrivateFrameworks/NewsFoundation.framework/NewsFoundation...(15 classes)
Dumping /System/Library/PrivateFrameworks/NewsTransport.framework/NewsTransport...(204 classes)
99% [================================================= ] 202/204
2018-03-26 22:15:22.839 classdump-dyld[1189:153748] *** Assertion failure in +[SpringBoardUI load], /BuildRoot/Library/Caches/com.apple.xbs/Sources/SpringBoardUI/SpringBoard-3752.24/SpringBoardUI.m:57
2018-03-26 22:15:22.841 classdump-dyld[1189:153748] *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'This process should not be linking or loading SpringBoardUI.framework (rdar://problem/26143166)'
*** First throw call stack:
(0x18672dd04 0x18597c528 0x18672dbd8 0x1870bdc24 0x19c94b818 0x18597e91c 0x18597fa84 0x104b3e4d4 0x104b43c18 0x104b44110 0x104b39018 0x104b40124 0x1861174d4 0x10499fc08 0x1049a3934 0x18611656c)
Abort trap: 6
X-4-Hack:~ root#

xcode 9.4.1(ios 11.4 sdk) build error: call to unavailable function 'system': not available on iOS 11.4 sdk

My-Mac:classdump-dyld user123$ make

Making all for tool classdump-dyld…
==> Preprocessing main.xm…
==> Compiling main.xm (armv7)…
*main.xm:313:4: error: call to unavailable function 'system': not available on iOS
system([tryWithLib UTF8String]);
^~~~~~
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.4.sdk/usr/include/stdlib.h:195:6: note: candidate function has
been explicitly made unavailable
int system(const char ) __DARWIN_ALIAS_C(system);
^
1 error generated.
make[3]: *** [/Users/user123/Documents/classdump-dyld/.theos/obj/debug/armv7/main.xm.5c0a3bf6.o] Error 1
make[2]: *** [/Users/user123/Documents/classdump-dyld/.theos/obj/debug/armv7/classdump-dyld] Error 2
make[1]: *** [internal-tool-all_] Error 2
make: *** [classdump-dyld.all.tool.variables] Error 2
My-Mac:classdump-dyld user123$

make error

Hello,

when i try to make command, it says :

Making all for tool classdump-dyld...
make[2]: Nothing to be done for `internal-tool-compile'.
Making all in classdumpdyldlib...
Makefile:1: theos/makefiles/common.mk: No such file or directory
Theos version mismatch! common.mk [version 0] loaded in tandem with rules.mk [version 1] Check that $(THEOS) is set properly!
make[1]: *** [all] Error 1
make: *** [internal-all] Error 2

what can be the problem ? There is theos/makefiles/common.mk file in folder.

iOS 7.1.2

In my console log for my iPhone 5 I am getting an error every second.

Aug 16 11:38:01 Roberts-iPhone DuetLST[93] : Core Data: error: -executeRequest: encountered exception = Fatal error. The database at /var/mobile/Library/Duet/DuetLST.duetlog is corrupted. SQLite error code:11, 'database disk image is malformed' with userInfo = {
NSFilePath = "/var/mobile/Library/Duet/DuetLST.duetlog";
NSSQLiteErrorDomain = 11;
}
This only happens while my iPhone is not in "sleep mode".

-o option permission error

classdump-dyld Crashing ~half way through dumping app

Hi,

I'm using classdump-dyld to dump Instagram's headers, and have been for a long time. At some point a couple months ago, I started running into issues where it would dump a certain number of files and then crash. Note that the files are never actually written to the output folder, as if they're just stored in memory and not written until it successfully completes, which it doesn't.

Gets to 42% here:

iPhone:~ root# classdump-dyld /var/mobile/Containers/Bundle/Application/176992E6-9F75-4A3D-BB05-1C1C6D5676B0/Instagram.app/Instagram -o ~/out
  Dumping /var/mobile/Containers/Bundle/Application/176992E6-9F75-4A3D-BB05-1C1C6D5676B0/Instagram.app/Instagram...(3075 classes)  (injected with libclassdumpdyld.dylib) 
 42% [=====================                             ]  1320/3075 <IGStatusBarWindow>

Then SSH is disconnected (killed?)

Connection to localhost closed by remote host.
Connection to localhost closed.

Not sure what's going on here. It's like Instagram is intentionally causing this to prevent the app from being dumped, but that doesn't sound right.

I can't find a way to enable a verbose mode, so I'm not too sure what's going on behind the scenes.

I've also tried to inject it into Cycript and run it that way, but I run into similar issues.

Said issue:

iPhone:~ root# cycript -p Instagram
cy# dlopen("/usr/lib/libclassdumpdyld.dylib",RTLD_NOW);
(typedef void*)(0x14f02db10)
cy# dumpBundle=@encode(id(id))(dlsym(RTLD_DEFAULT,"dumpBundle"));
(extern "C" id dumpBundle(id))
cy# dumpBundle([NSBundle mainBundle ])
MS:Error: _krncall(mach_vm_read_overwrite(task, data, sizeof(*baton), reinterpret_cast<mach_vm_address_t>(baton), &error)) =4
*** _assert(status == 0):../Inject.cpp(143):InjectLibrary

Any help would be appreciated..

iPhone 6s (Happened on i5 as well), iOS 9.0

-o option permission error

iPhone SE 13.2.2 w/ checkra1n jailbreak

Every time I run classdump-dyld with the -o outdir option I get the following error: 2019-11-27 12:21:17.581 classdump-dyld[43980:1265195] Could not create directory outdir. Check permissions.

The error appears if the directory already exists or not. I tried changing the outdir path to the fs root, /var/root/, /opt/, and editing permissions of the output directory with chmod 777 outdir.

Same results on both the cydia version (1.3-1) and the executble found in /iphone.

Undefined symbol "__dyld_get_all_image_infos"

> Making all for tool classdump-dyld…
==> Compiling main.xm (arm64)…
==> Linking tool classdump-dyld (arm64)…
Undefined symbols for architecture arm64:
  "__dyld_get_all_image_infos", referenced from:
      _parseImage in main.xm.2a5da891.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

What happens if a class and a protocol exist with the same name?

For example, UITableViewDataSource is a private class and a public protocol, so I assume what happens is the protocol gets dumped and then is overwritten when the class gets dumped, and the class dumped file attempts to import the protocol, which means the class will import itself.

Was this overlooked or is this behavior defined somewhere? And if so, why does the class still import itself...

Can add support to OSX?

Seems OSX is lack of a useable tool to dump or decryption.

NSRangeException

Having a little problem dumping an app:

2017-10-23 23:07:23.496 BCApp[3259:162600] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSSingleObjectArrayI objectAtIndex:]: index 1 beyond bounds [0 .. 0]'
*** First throw call stack:
(0x18eaad1b8 0x18d4e455c 0x18ea9e420 0x1025b3ef4 0x1025b5e2c 0x1025b8410 0x10253995c 0x102539b84 0x102534f2c 0x102533f50 0x102534004 0x102526438 0x10252a8f4 0x102525044)
  Done. Check "headers" directory.

Please update the iOS Executable

Thanks

classdump-dyld(1038,0x102a19800) malloc: can't allocate region

1: command: classdump-dyld -o ./dyld_shared_cache_result/ -c
2: iOS Version: 13.3
3: Device:iPhoneSE
4:error message:
stringWithCString class_getImageName(protocol) empty

stringWithCString class_getImageName(protocol) empty

stringWithCString class_getImageName(protocol) empty
classdump-dyld(1038,0x102a19800) malloc: can't allocate region
*** mach_vm_map(size=32768) failed (error code=3)
classdump-dyld(1038,0x102a19800) malloc: *** set a breakpoint in malloc_error_break to debug
classdump-dyld(1038,0x102a19800) malloc: can't allocate region
*** mach_vm_map(size=32768) failed (error code=3)
classdump-dyld(1038,0x102a19800) malloc: *** set a breakpoint in malloc_error_break to debug
2020-01-09 11:07:45.006 classdump-dyld[1038:13256] *** Terminating app due to uncaught exception 'NSMallocException', reason: 'Out of memory. We suggest restarting the application. If you have an unsaved document, create a backup copy in Finder, then try to save.'
*** First throw call stack:
(0x1a423aa48 0x1a3f61fa4 0x1a4296220 0x1a4292104 0x1a41eff84 0x1a41dd66c 0x1a450f10c 0x10269c1f0 0x1a45390c8 0x102694f34 0x102691b50 0x1026986b8 0x10269b20c 0x1a403c360)
libc++abi.dylib: terminating with uncaught exception of type NSException
Abort trap: 6

How to install?

why libclassdumpdyld_FILES = classdumpdyldlib.mm instead of .mm

in classdumpdyldlib/Makefile,

why libclassdumpdyld_FILES = classdumpdyldlib.mm instead of .mm? Seems a bug tome.

I can't compile until I change .mm to .xm, and in classdumpdyldlib dir there in deed only a .xm file

Crashes target app if the Google Ad SDK is present

For example, try the Snapchat app v9.0. Dumps to about 60% & crashes

Ran into error while dumping

So i ran classdump-dyld -c -o headers
and got this error:

classdump-dyld[1672:183535] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSSingleObjectArrayI objectAtIndex:]: index 1 beyond bounds [0 .. 0]'
*** First throw call stack:
(0x187f251b8 0x18695c55c 0x187f16420 0x10009b84c 0x10009ded4 0x10009fb84 0x186de15b8)
Abort trap: 6

Any idea of what is causing this?

classdump installed application not working in iOS 9.3.3

i've compiled from code but when i run for example
classdump-dyld -D /private/var/containers/Bundle/Application/F5F581E5-E214-4FB7-8193-93D4D1402DE1/MyTalkingTom.app/mytalkingtom
it just returns nothing, i've tried the sample application on ios 9.2.0 and it works fine

when i run for example
classdump-dyld /System/Library/Frameworks/UIKit.framework
or
classdump-dyld /usr/libexec/backboardd
it works fine, am i missing something?

Cycript module not included in version in Cydia yet

Would be nice if you could ship an update to Lydia that includes the new cycript module from #8

iOS 11 with Unc0ver - output directory is empty

I have an iPad mini 2 with ios 11.1.2 jailbroken with Unc0ver.

I've downloaded and compiled the latest version however I'm having issues with no output being produced.

This following generates headers in the outdir folder as expected:
classdump-dyld -o outdir /System/Library/Frameworks/UIKit.framework

This generates no output:

classdump-dyld -o outdir /usr/libexec/backboardd
  Dumping /usr/libexec/backboardd...(96 classes)  (injected with libclassdumpdyld.dylib) 
  Writing /usr/libexec/backboardd headers to disk...
  All done for /usr/libexec/backboardd
  Done. Check "outdir" directory.

This is a app I am looking at is not encrypted and the output directory is empty:

classdump-dyld -o out /var/containers/Bundle/Application/A7F4E1DD-996F-48C4-99E5-E7803D36607B/blue.app/orange
  Done. Check "out" directory.

lipo -info /var/containers/Bundle/Application/A7F4E1DD-996F-48C4-99E5-E7803D36607B/blue.app/orange
Non-fat file: /var/containers/Bundle/Application/A7F4E1DD-996F-48C4-99E5-E7803D36607B/blue.app/orangeis architecture: arm64

otool -l /var/containers/Bundle/Application/A7F4E1DD-996F-48C4-99E5-E7803D36607B/blue.app/orange| grep -A 4 LC_ENCRYPTION_INFO
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 950272
      cryptid 0