Analyzing the Alipay App with class-dump-z

To understand the source structure of the Alipay app, we can use the class-dump-z tool to analyze the Alipay binary.

Downloading and setting up class-dump-z

Go to https://code.google.com/p/networkpx/wiki/class_dump_z, download the tar package, then extract it and install it into the local environment:

$ tar -zxvf class-dump-z_0.2a.tar.gz  
$ sudo cp mac_x86/class-dump-z /usr/bin/  

Running class-dump-z on the Alipay App

$ class-dump-z Portal > Portal-dump.txt  

@protocol XXEncryptedProtocol_10764b0  
-(?)XXEncryptedMethod_d109df;  
-(?)XXEncryptedMethod_d109d3;  
-(?)XXEncryptedMethod_d109c7;  
-(?)XXEncryptedMethod_d109bf;  
-(?)XXEncryptedMethod_d109b8;  
-(?)XXEncryptedMethod_d109a4;  
-(?)XXEncryptedMethod_d10990;  
-(?)XXEncryptedMethod_d1097f;  
-(?)XXEncryptedMethod_d10970;  
-(?)XXEncryptedMethod_d10968;  
-(?)XXEncryptedMethod_d10941;  
-(?)XXEncryptedMethod_d10925;  
-(?)XXEncryptedMethod_d10914;  
-(?)XXEncryptedMethod_d1090f;  
-(?)XXEncryptedMethod_d1090a;  
-(?)XXEncryptedMethod_d10904;  
-(?)XXEncryptedMethod_d108f9;  
-(?)XXEncryptedMethod_d108f4;  
-(?)XXEncryptedMethod_d108eb;  
@optional  
-(?)XXEncryptedMethod_d109eb;  
@end  

The information we get back is encrypted: this encryption is applied by Apple when the app is deployed to the App Store, so class-dump-z only sees placeholder names and we still need a decryption step first.
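One way to check that state before and after decryption, as an added example that is not part of the original post: read the cryptid field of the binary's LC_ENCRYPTION_INFO load command. It assumes a thin (single-architecture) Mach-O file and the Apple SDK headers; the "patched cryptid" line in Clutch's output is exactly what sets this field to 0.

```objective-c
// Added example (not from the original post): report whether a thin Mach-O
// binary is still FairPlay-encrypted by reading its LC_ENCRYPTION_INFO[_64]
// load command. cryptid != 0 is the state in which class-dump-z can only
// print XXEncryptedMethod_* placeholders. Build: clang -framework Foundation cryptid.m
#import <Foundation/Foundation.h>
#include <mach-o/loader.h>

// Returns -1 if the binary has no encryption command, otherwise its cryptid.
static int cryptidOfMachO(NSData *bin) {
    const uint8_t *base = bin.bytes;
    if (bin.length < sizeof(struct mach_header)) return -1;
    const struct mach_header *hdr = (const struct mach_header *)base;
    size_t offset;
    if (hdr->magic == MH_MAGIC_64)    offset = sizeof(struct mach_header_64);
    else if (hdr->magic == MH_MAGIC)  offset = sizeof(struct mach_header);
    else {
        fprintf(stderr, "not a thin little-endian Mach-O (split fat files with lipo first)\n");
        return -1;
    }
    // ncmds sits at the same offset in both header layouts.
    for (uint32_t i = 0; i < hdr->ncmds && offset + sizeof(struct load_command) <= bin.length; i++) {
        const struct load_command *lc = (const struct load_command *)(base + offset);
        if (lc->cmdsize < sizeof(struct load_command) || offset + lc->cmdsize > bin.length) break; // malformed
        if ((lc->cmd == LC_ENCRYPTION_INFO || lc->cmd == LC_ENCRYPTION_INFO_64)
            && lc->cmdsize >= sizeof(struct encryption_info_command)) {
            // Both variants share the cryptoff/cryptsize/cryptid prefix.
            const struct encryption_info_command *enc = (const struct encryption_info_command *)lc;
            return (int)enc->cryptid;
        }
        offset += lc->cmdsize;
    }
    return -1;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        if (argc != 2) { fprintf(stderr, "usage: %s Payload/Portal.app/Portal\n", argv[0]); return 2; }
        NSData *bin = [NSData dataWithContentsOfFile:@(argv[1])];
        if (!bin) { fprintf(stderr, "cannot read %s\n", argv[1]); return 2; }
        int cryptid = cryptidOfMachO(bin);
        if (cryptid < 0)       printf("no LC_ENCRYPTION_INFO: not an App Store build\n");
        else if (cryptid == 0) printf("cryptid=0: decrypted, class-dump-z will show real names\n");
        else                   printf("cryptid=%d: still encrypted, class-dump-z output will be placeholders\n", cryptid);
        return 0;
    }
}
```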

Decrypting the Alipay App with Clutch

Downloading Clutch

On a jailbroken iOS 7 device Clutch is no longer available from the Cydia sources, but we can download it from the web and push it onto the iPhone.

Address: Clutch (link)

Listing the applications that can be decrypted

root# ./Clutch   

Clutch-1.3.2  
usage: ./Clutch [flags] [application name] [...]  
Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO 相機 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo 

Decrypting the Alipay App

root# ./Clutch Portal  

Clutch-1.3.2  
Cracking Portal...  
Creating working directory...  
Performing initial analysis...  
Performing cracking preflight...  
dumping binary: analyzing load commands  
dumping binary: obtaining ptrace handle  
dumping binary: forking to begin tracing  
dumping binary: successfully forked  
dumping binary: obtaining mach port  
dumping binary: preparing code resign  
dumping binary: preparing to dump  
dumping binary: ASLR enabled, identifying dump location dynamically  
dumping binary: performing dump  
dumping binary: patched cryptid  
dumping binary: writing new checksum  
Censoring iTunesMetadata.plist...  
Packaging IPA file...  

compression level: 0  
    /var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa  

elapsed time: 7473ms  

Applications Cracked:   
Portal  

Applications that Failed:  

Total Success: 1 Total Failed: 0  

Exporting the decrypted Alipay App

From the previous step we know the decrypted ipa is located at /var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa. Copy it to the local machine for analysis.

Running class-dump-z on the decrypted Alipay App

After extracting the .ipa, go into the 支付寶錢包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app directory and class-dump the decrypted binary:

$ class-dump-z Portal > ~/Portal-classdump.txt

This time we get the real information:

@protocol ALPNumPwdInputViewDelegate <NSObject>  
-(void)onPasswordDidChange:(id)onPassword;  
@end  

@protocol ALPContactBaseTableViewCellDelegate <NSObject>  
-(void)shareClicked:(id)clicked sender:(id)sender;  
@end  

@interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {  
@private  
    Item* channelSelected;  
    BOOL _bCheck;  
    BOOL _bOpenMiniPay;  
    BOOL _bNeedPwd;  
    BOOL _bSimplePwd;  
    BOOL _bAutopayon;  
    BOOL _bHasSub;  
    BOOL _bFirstChannel;  
    BOOL _bChangeSub;  
    BOOL _bClickBack;  
    UITableView* _channelListTableView;  
    NSMutableArray* _channelListArray;  
    NSMutableArray* _subChanneSelectedlList;  
    NSMutableArray* _unCheckArray;  
    UIButton* _saveButton;  
    UILabel* _tipLabel;  
    MMPPasswordSwichView* _payWaySwitch;  
    MMPPopupAlertView* _alertView;  
    UIView* _setView;  
    int _originalSelectedRow;  
    int _currentSelectedRow;  
    NSString* _statusCode;  
    ChannelListModel* _defaultChannelList;  
}  
@property(assign, nonatomic) BOOL bClickBack;  
@property(retain, nonatomic) ChannelListModel* defaultChannelList;  
@property(retain, nonatomic) NSString* statusCode;  
@property(assign, nonatomic) int currentSelectedRow;  
@property(assign, nonatomic) int originalSelectedRow;  
@property(retain, nonatomic) UIView* setView;  
@property(retain, nonatomic) MMPPopupAlertView* alertView;  
@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;  
@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;  
@property(assign, nonatomic) BOOL bFirstChannel;  
@property(assign, nonatomic) BOOL bHasSub;  
@property(assign, nonatomic) BOOL bAutopayon;  
@property(assign, nonatomic) BOOL bSimplePwd;  
@property(assign, nonatomic) BOOL bNeedPwd;  
@property(assign, nonatomic) BOOL bOpenMiniPay;  
@property(assign, nonatomic) BOOL bCheck;  
@property(retain, nonatomic) UILabel* tipLabel;  
@property(retain, nonatomic) UIButton* saveButton;  
@property(retain, nonatomic) NSMutableArray* unCheckArray;  
@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;  
@property(retain, nonatomic) NSMutableArray* channelListArray;  
@property(retain, nonatomic) UITableView* channelListTableView;  
-(void).cxx_destruct;  
-(void)subChannelDidSelected:(id)subChannel;  
-(void)switchCheckButtonClicked:(id)clicked;  
-(void)checkboxButtonClicked:(id)clicked;  
-(void)onCellClick:(id)click;  
-(void)showSubChannels;  
-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;  
-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;  
-(int)tableView:(id)view numberOfRowsInSection:(int)section;  
-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;  
-(int)numberOfSectionsInTableView:(id)tableView;  
-(void)setTableViewFootView:(id)view;  
-(void)setTableViewHeaderView:(id)view;  
-(id)tableView:(id)view viewForHeaderInSection:(int)section;  
-(id)tableView:(id)view viewForFooterInSection:(int)section;  
-(float)tableView:(id)view heightForHeaderInSection:(int)section;  
-(float)tableView:(id)view heightForFooterInSection:(int)section;  
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;  
-(void)clickSave;  
-(void)netWorkRequestWithPwd:(id)pwd;  
-(void)setPayWaySwitchStates:(id)states;  
-(void)changePayWaySwitch:(id)aSwitch;  
-(void)scrollToSelectedRow;  
-(void)didReceiveMemoryWarning;  
-(void)viewDidLoad;  
-(void)applicationEnterBackground:(id)background;  
-(void)dealloc;  
-(void)goBack;  
-(BOOL)isChannelsSetChanged;  
-(id)subChannelCode:(int)code;  
-(id)subChannelDesc:(int)desc;  
-(id)initWithDefaultData:(id)defaultData;  
-(id)initWithNibName:(id)nibName bundle:(id)bundle;  
-(void)commonInit:(id)init;  
@end  

Analyzing the Alipay source fragment

The @private keyword is used to restrict access to the members.

In practice, however, @private in Objective-C cannot even stop access through a key path.

A long list of member objects is exposed.

This is very helpful for analyzing the program's structure.
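The key-path point above, as an added example that is not part of the original post: MMPDemoController is a hypothetical stand-in that reuses two ivar names from the dumped MMPPayWayViewController, and the hardened subclass shows the one setting that closes the KVC route.

```objective-c
// Added example (not from the original post). @private only restricts the
// compiler's direct ivar syntax (obj->_bNeedPwd). Key-Value Coding resolves
// the ivar by name at runtime, and the names are exactly what class-dump prints.
#import <Foundation/Foundation.h>

@interface MMPDemoController : NSObject {   // stand-in for MMPPayWayViewController
@private
    BOOL _bNeedPwd;                         // ivar names taken from the class-dump output
    NSString *_statusCode;
}
@end

@implementation MMPDemoController
- (instancetype)init {
    if ((self = [super init])) { _bNeedPwd = YES; _statusCode = @"1000"; }  // constructed values
    return self;
}
@end

// Hardened variant: tell KVC not to fall back to ivars for keys that have no
// accessor method. Code inside the class still uses the ivars directly.
@interface MMPHardenedController : MMPDemoController
@end
@implementation MMPHardenedController
+ (BOOL)accessInstanceVariablesDirectly { return NO; }
@end

// Returns what KVC can reach for `key`, or nil when the class refuses (NSUnknownKeyException).
static id probe(id obj, NSString *key) {
    @try { return [obj valueForKey:key]; }
    @catch (NSException *e) { return nil; }
}

int main(void) {
    @autoreleasepool {
        id open = [MMPDemoController new];
        id hardened = [MMPHardenedController new];
        // open: _bNeedPwd=1 _statusCode=1000  (both @private ivars readable by name)
        NSLog(@"open:     _bNeedPwd=%@ _statusCode=%@", probe(open, @"_bNeedPwd"), probe(open, @"_statusCode"));
        // hardened: _bNeedPwd=(null) _statusCode=(null)
        NSLog(@"hardened: _bNeedPwd=%@ _statusCode=%@", probe(hardened, @"_bNeedPwd"), probe(hardened, @"_statusCode"));
        // Caveat: this closes only the KVC route. The Objective-C runtime can still
        // enumerate ivars, so it is no substitute for the obfuscation and runtime
        // protections covered later in this series.
    }
    return 0;
}
```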

Further thoughts

1) How can the class-dump results be combined with Cycript to attack the app?

2) class-dump-z is this powerful; is there any way to reduce the amount of information exposed?

The following posts will follow up on the questions above~