What's the routine to find apple private classes imp

Post by Wingzero » Fri Oct 20, 2017 3:51 am

So I was studying the Apple private frameworks. I learned what dyld_shared_cache does, and how to use jtool to extract a specific framework out of the cache.

Now I was trying to find a class's implementation. Let's say it's called SKUITabBarItem. I searched through the run time headers, and found it's in /System/Library/PrivateFrameworks/StoreKitUI.framework/StoreKitUI

I extract StoreKitUI.framework out of the dyld cache with the command:
Code:
./jtool -extract StoreKitUI path/to/dyldcache

However, when looking at the file StoreKitUI, I don't find SKUITabBarItem implementations. I can't even find the class name in this StoreKitUI file. What did I miss or do wrong? Thanks!
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am

Re: What's the routine to find apple private classes imp

Post by morpheus » Fri Oct 20, 2017 7:22 am

You don't need to extract anymore. Try jtool -d objc -v dyld_shared_cache:StoreKitUI. Should work well on 10.x, but there's a change in the cache format which breaks this on iOS 11 caches, though - and I'm working on bringing it back.
morpheus
Site Admin
 
Posts: 531
Joined: Thu Apr 11, 2013 6:24 pm

Re: What's the routine to find apple private classes imp

Post by Wingzero » Fri Oct 20, 2017 7:56 am

morpheus wrote: You don't need to extract anymore. Try jtool -d objc -v dyld_shared_cache:StoreKitUI. Should work well on 10.x, but there's a change in the cache format which breaks this on iOS 11 caches, though - and I'm working on bringing it back.


Hi morpheus. However, if I open the extracted StoreKitUI with IDA Pro, it only shows lots of sub_xxxxxxxx. And it's very short. If I open it with Hopper v4, I get lots of <redacted>.
For example:
Code:
        ; Section __text
        ; Range: [0x19f830594; 0x19f84eff8[ (125540 bytes)
        ; File offset : [5524; 131064[ (125540 bytes)
        ; Flags: 0x80000400
        ;   S_REGULAR
        ;   S_ATTR_PURE_INSTRUCTIONS
        ;   S_ATTR_SOME_INSTRUCTIONS



        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================


                     <redacted>:
000000019f830594         stp        x20, x19, [sp, #-0x20]!
000000019f830598         stp        x29, x30, [sp, #0x10]
000000019f83059c         add        x29, sp, #0x10
000000019f8305a0         adrp       x19, #0x1ae8dd000
000000019f8305a4         add        x19, x19, #0x668                            ; cfstring_
000000019f8305a8         mov        x0, x19
000000019f8305ac         bl         0x197a29584
000000019f8305b0         mov        x0, x19
000000019f8305b4         ldp        x29, x30, [sp, #0x10]
000000019f8305b8         ldp        x20, x19, [sp]!, #0x20
000000019f8305bc         ret


I can't even find the SKUITabBarItem class name in this file, though the runtime header shows:
Code:
Viewing file: SKUITabBarItem.h
SKUITabBarItem was found in iOS 11.0, 10.2, 10.1.1, 9.3.3, 9.0, 8.0
/*
* This header is generated by classdump-dyld 0.1
* on Wednesday, September 20, 2017 at 9:49:47 PM Eastern European Summer Time
* Operating System: Version 11.0 (Build 15A372)
* Image Source: /System/Library/PrivateFrameworks/StoreKitUI.framework/StoreKitUI
* classdump-dyld is free of use, Copyright © 2013 by Elias Limneos


So the question is, how do I locate the implementation of SKUITabBarItem, for example?

UPDATE:
I used your command:
Code:
xuan:ios10 xuan$ jtool -d objc -v dyld_shared_cache_arm64:StoreKitUI
Processing shared cache - cached file : StoreKitUI from dyld_shared_cache_arm64
/System/Library/PrivateFrameworks/StoreKitUI.framework/StoreKitUI located in mapping 0, address        18eea9000
Found but not extracting - Setting File Start to 0xeea9000
Processing cached file from offset eea9000  size: 30e1c000
/System/Library/AccessibilityBundles/StoreKitUI.axbundle/StoreKitUI located in mapping 0, address        1954d4000
Found but not extracting - Setting File Start to 0x154d4000
Processing cached file from offset 154d4000  size: 30e1c000
xuan:ios10 xuan$

I cannot understand what to do next.
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am
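
An added example, not part of the thread and not jtool's code: a sketch of the header lookup behind the "located in mapping 0, address ..." and "Setting File Start to ..." lines in the output above. It assumes the classic cache layout (a header beginning with magic, mappingOffset, mappingCount, imagesOffset, imagesCount, followed by 32-byte mapping and image records) and runs on a constructed miniature cache whose mapping base and size are assumptions chosen to be consistent with that output; the function names are hypothetical.

```python
import struct

HEADER = struct.Struct("<16sIIII")  # magic, mappingOffset, mappingCount, imagesOffset, imagesCount
MAPPING = struct.Struct("<QQQII")   # address, size, fileOffset, maxProt, initProt
IMAGE = struct.Struct("<QQQII")     # address, modTime, inode, pathFileOffset, pad

def parse_cache(buf):
    """Return (mappings, images) read from the cache header tables."""
    magic, map_off, map_cnt, img_off, img_cnt = HEADER.unpack_from(buf, 0)
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld shared cache")
    mappings = [MAPPING.unpack_from(buf, map_off + i * MAPPING.size)[:3]
                for i in range(map_cnt)]
    images = []
    for i in range(img_cnt):
        addr, _, _, path_off, _ = IMAGE.unpack_from(buf, img_off + i * IMAGE.size)
        end = buf.index(b"\0", path_off)  # install path is a NUL-terminated string
        images.append((buf[path_off:end].decode(), addr))
    return mappings, images

def locate(buf, name):
    """Return (path, mapping index, VM address, file offset) per image named `name`."""
    mappings, images = parse_cache(buf)
    hits = []
    for path, addr in images:
        if path.rsplit("/", 1)[-1] != name:
            continue
        for idx, (base, size, file_off) in enumerate(mappings):
            if base <= addr < base + size:
                hits.append((path, idx, addr, addr - base + file_off))
    return hits

def build_sample():
    """Constructed miniature cache: header, one mapping, two image records, paths."""
    paths = [b"/System/Library/PrivateFrameworks/StoreKitUI.framework/StoreKitUI\0",
             b"/System/Library/AccessibilityBundles/StoreKitUI.axbundle/StoreKitUI\0"]
    addrs = [0x18EEA9000, 0x1954D4000]  # image addresses from the jtool output above
    map_off = HEADER.size
    img_off = map_off + MAPPING.size
    path_off = img_off + IMAGE.size * len(paths)
    buf = HEADER.pack(b"dyld_v1   arm64", map_off, 1, img_off, len(paths))
    buf += MAPPING.pack(0x180000000, 0x30E1C000, 0, 5, 5)  # assumed base, size, r-x
    for p, a in zip(paths, addrs):
        buf += IMAGE.pack(a, 0, 0, path_off, 0)
        path_off += len(p)
    return buf + b"".join(paths)

if __name__ == "__main__":
    for path, idx, addr, off in locate(build_sample(), "StoreKitUI"):
        print(f"{path}: mapping {idx}, address {addr:x}, file offset {off:#x}")
```

The lookup matches on the basename, which is why both the framework and the StoreKitUI.axbundle image are reported, as in the jtool output.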

