Cycript: Objective-JavaScript ,它懂 Objective-C,也懂javascript 。
我们能够借助 Cycript 使用 Objective-C 或者 javascript ,给某个正在运行的进程的 runtime 发送消息。
本文以修改支付宝 app 界面为例,介绍 Cycript 的使用方法。
安装 Cycript
到 Cycript 官方网站下载资源工具,然后推进已越狱的 iPhone 中,进行安装:
dpkg -i cycript_0.9.461_iphoneos-arm.deb
dpkg -i libffi_1-3.0.10-5_iphoneos-arm.deb
确定支付宝进程
运行支付宝 app,然后获取它的进程号:
Primer:/ root# ps aux | grep Portal
mobile 479 0.6 4.3 590776 44956 ?? Ss 5:14PM 0:09.58 /var/mobile/Applications/8723004E-9E54-4B37-856D-86292780E958/Portal.app/Portal
root 497 0.0 0.0 329252 176 s000 R+ 5:21PM 0:00.00 grep Portal
Cycript 钩住支付宝进程
Primer:/ root# cycript -p 479
cy#
获取当前界面的 viewController 并修改背景色
cy# var app = [UIApplication sharedApplication] @"" cy# app.delegate @"" cy# var keyWindow = app.keyWindow @"; layer =>" cy# var rootController = keyWindow.rootViewController @"" cy# var visibleController = rootController.visibleViewController @"" cy# visibleController.childViewControllers @["","","",""] cy# var assetsController = new Instance(0x16577250) @""
cy# assetsController.view.backgroundColor = [UIColor blueColor]
@"UIDeviceRGBColorSpace 0 0 1 1"
使用 class-dump-z 分析支付宝 App
为了了解支付宝 app 的源码结构,我们可以使用 class-dump-z 工具来分析支付宝二进制。
下载配置 class_dump_z 下载 tar 包,然后解压配置到本地环境
$ tar -zxvf class-dump-z_0.2a.tar.gz
$ sudo cp mac_x86/class-dump-z /usr/bin/
class_dump 支付宝 App
$ class-dump-z Portal > Portal-dump.txt
@protocol XXEncryptedProtocol_10764b0
-(?)XXEncryptedMethod_d109df;
-(?)XXEncryptedMethod_d109d3;
-(?)XXEncryptedMethod_d109c7;
-(?)XXEncryptedMethod_d109bf;
-(?)XXEncryptedMethod_d109b8;
-(?)XXEncryptedMethod_d109a4;
-(?)XXEncryptedMethod_d10990;
-(?)XXEncryptedMethod_d1097f;
-(?)XXEncryptedMethod_d10970;
-(?)XXEncryptedMethod_d10968;
-(?)XXEncryptedMethod_d10941;
-(?)XXEncryptedMethod_d10925;
-(?)XXEncryptedMethod_d10914;
-(?)XXEncryptedMethod_d1090f;
-(?)XXEncryptedMethod_d1090a;
-(?)XXEncryptedMethod_d10904;
-(?)XXEncryptedMethod_d108f9;
-(?)XXEncryptedMethod_d108f4;
-(?)XXEncryptedMethod_d108eb;
@optional
-(?)XXEncryptedMethod_d109eb;
@end
查看得到的信息是加过密的,这个加密操作是苹果在部署到 app store时做的,所以我们还需要做一步解密操作。
使用 Clutch 解密支付宝 App
下载 Clutch
iOS7 越狱后的 Cydia 源里已经下载不到 Clutch 了,但是我们可以从网上下载好推进 iPhone
查看可解密的应用列表
root# ./Clutch
Clutch-1.3.2
usage: ./Clutch [flags] [application name] [...]
Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO 相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo
解密支付宝 App
root# ./Clutch Portal
Clutch-1.3.2
Cracking Portal...
Creating working directory...
Performing initial analysis...
Performing cracking preflight...
dumping binary: analyzing load commands
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
dumping binary: performing dump
dumping binary: patched cryptid
dumping binary: writing new checksum
Censoring iTunesMetadata.plist...
Packaging IPA file...
compression level: 0
/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
elapsed time: 7473ms
Applications Cracked:
Portal
Applications that Failed:
Total Success: 1 Total Failed: 0
导出已解密的支付宝 App
从上一步骤得知,已解密的 ipa 位置为:/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa 将其拷贝到本地去分析
class_dump 已解密的支付宝 App
解压 .ipa 后,到支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目录下,class_dump 已解密的二进制文件 $ class-dump-z Portal > ~/Portal-classdump.txt
这回就可以得到对应的信息了:
@protocol ALPNumPwdInputViewDelegate-(void)onPasswordDidChange:(id)onPassword; @end @protocol ALPContactBaseTableViewCellDelegate-(void)shareClicked:(id)clicked sender:(id)sender; @end @interface MMPPayWayViewController : XXUnknownSuperclass{
@private
Item* channelSelected;
BOOL _bCheck;
BOOL _bOpenMiniPay;
BOOL _bNeedPwd;
BOOL _bSimplePwd;
BOOL _bAutopayon;
BOOL _bHasSub;
BOOL _bFirstChannel;
BOOL _bChangeSub;
BOOL _bClickBack;
UITableView* _channelListTableView;
NSMutableArray* _channelListArray;
NSMutableArray* _subChanneSelectedlList;
NSMutableArray* _unCheckArray;
UIButton* _saveButton;
UILabel* _tipLabel;
MMPPasswordSwichView* _payWaySwitch;
MMPPopupAlertView* _alertView;
UIView* _setView;
int _originalSelectedRow;
int _currentSelectedRow;
NSString* _statusCode;
ChannelListModel* _defaultChannelList;
}
@property(assign, nonatomic) BOOL bClickBack;
@property(retain, nonatomic) ChannelListModel* defaultChannelList;
@property(retain, nonatomic) NSString* statusCode;
@property(assign, nonatomic) int currentSelectedRow;
@property(assign, nonatomic) int originalSelectedRow;
@property(retain, nonatomic) UIView* setView;
@property(retain, nonatomic) MMPPopupAlertView* alertView;
@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
@property(assign, nonatomic) BOOL bFirstChannel;
@property(assign, nonatomic) BOOL bHasSub;
@property(assign, nonatomic) BOOL bAutopayon;
@property(assign, nonatomic) BOOL bSimplePwd;
@property(assign, nonatomic) BOOL bNeedPwd;
@property(assign, nonatomic) BOOL bOpenMiniPay;
@property(assign, nonatomic) BOOL bCheck;
@property(retain, nonatomic) UILabel* tipLabel;
@property(retain, nonatomic) UIButton* saveButton;
@property(retain, nonatomic) NSMutableArray* unCheckArray;
@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
@property(retain, nonatomic) NSMutableArray* channelListArray;
@property(retain, nonatomic) UITableView* channelListTableView;
-(void).cxx_destruct;
-(void)subChannelDidSelected:(id)subChannel;
-(void)switchCheckButtonClicked:(id)clicked;
-(void)checkboxButtonClicked:(id)clicked;
-(void)onCellClick:(id)click;
-(void)showSubChannels;
-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
-(int)tableView:(id)view numberOfRowsInSection:(int)section;
-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
-(int)numberOfSectionsInTableView:(id)tableView;
-(void)setTableViewFootView:(id)view;
-(void)setTableViewHeaderView:(id)view;
-(id)tableView:(id)view viewForHeaderInSection:(int)section;
-(id)tableView:(id)view viewForFooterInSection:(int)section;
-(float)tableView:(id)view heightForHeaderInSection:(int)section;
-(float)tableView:(id)view heightForFooterInSection:(int)section;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)clickSave;
-(void)netWorkRequestWithPwd:(id)pwd;
-(void)setPayWaySwitchStates:(id)states;
-(void)changePayWaySwitch:(id)aSwitch;
-(void)scrollToSelectedRow;
-(void)didReceiveMemoryWarning;
-(void)viewDidLoad;
-(void)applicationEnterBackground:(id)background;
-(void)dealloc;
-(void)goBack;
-(BOOL)isChannelsSetChanged;
-(id)subChannelCode:(int)code;
-(id)subChannelDesc:(int)desc;
-(id)initWithDefaultData:(id)defaultData;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
-(void)commonInit:(id)init;
@end
分析支付宝源码片段
使用了 @private 关键字限制成员访问权限
但是实际上,在 Objective-C 编程中,使用 @private 连 Keypath 访问都拦不住的
抛出了冗长的成员对象
这非常有利分析程序结构
进一步思考
1)如何利用 class-dump 结果,结合 cycript 进行攻击呢?
2)class-dump-z 如此强大,有什么方法可以减少暴露的信息吗?
接下来的博文将针对上面的思考,继续总结~