How are headers and functions obtained from iOS private api binaries ? How to reverse engineer an app?

Question

I have read that class-dump utility is used to dump headers from iphone private api's. However, it does work only for objective-c frameworks. I wanted to know how it works for frameworks written in C, example - IOSurface, IOMobileFramebuffer etc.

The second part of the question is very generic. I have an app with me downloaded from cydia or istore. How do i go about reverse engineering the app on a jailbroken deivce (if that is actually needed). To be specifc, I am able to locate the executable binary and the dylibs. I am able to see the frameworks being used. But, how do I make out what functions inside the frameworks are being called by the app ?

Thanks.

Answer 1

I would recommend to break down this question to two questions:

1) "I wanted to know how it works for frameworks written in C, example - IOSurface, IOMobileFramebuffer etc."

I had exactly the same question: Getting signatures of private API methods for iOS

The answer is

   a) Try to google C method to see whether somebody else has disassembled it and found method signature.

   b) If nobody did this before, you can be the first who will do it

2) "how do I make out what functions inside the frameworks are being called by the app ?"

There are two types of references to functions in frameworks/libraries:

• Compile time references

You use some disassembler, it will list all compile time references to frameworks/dylibs.

• Runtime references

These are references when somebody does dlopen, dlsym or NSBundle to use some functions. You will have to disassemble and look/grep through disassembled code to find where they are used. There will be strings with the names of methods which are used.