iOS安全攻防(六):使用class-dump-z分析支付宝app

为了了解支付宝app的源码结构,我们可以使用class-dump-z工具来分析支付宝二进制。


1.下载配置class_dump_z


前往 https://code.google.com/p/networkpx/wiki/class_dump_z ,下载tar包,然后解压配置到本地环境

  1. $ tar -zxvf class-dump-z_0.2a.tar.gz  
  2. $ sudo cp mac_x86/class-dump-z /usr/bin/  



2.class_dump支付宝app


  1. $ class-dump-z Portal > Portal-dump.txt  
  2.   
  3. @protocol XXEncryptedProtocol_10764b0  
  4. -(?)XXEncryptedMethod_d109df;  
  5. -(?)XXEncryptedMethod_d109d3;  
  6. -(?)XXEncryptedMethod_d109c7;  
  7. -(?)XXEncryptedMethod_d109bf;  
  8. -(?)XXEncryptedMethod_d109b8;  
  9. -(?)XXEncryptedMethod_d109a4;  
  10. -(?)XXEncryptedMethod_d10990;  
  11. -(?)XXEncryptedMethod_d1097f;  
  12. -(?)XXEncryptedMethod_d10970;  
  13. -(?)XXEncryptedMethod_d10968;  
  14. -(?)XXEncryptedMethod_d10941;  
  15. -(?)XXEncryptedMethod_d10925;  
  16. -(?)XXEncryptedMethod_d10914;  
  17. -(?)XXEncryptedMethod_d1090f;  
  18. -(?)XXEncryptedMethod_d1090a;  
  19. -(?)XXEncryptedMethod_d10904;  
  20. -(?)XXEncryptedMethod_d108f9;  
  21. -(?)XXEncryptedMethod_d108f4;  
  22. -(?)XXEncryptedMethod_d108eb;  
  23. @optional  
  24. -(?)XXEncryptedMethod_d109eb;  
  25. @end  

查看得到的信息是加过密的,这个加密操作是苹果在部署到app store时做的,所以我们还需要做一步解密操作。



3.使用Clutch解密支付宝app


1)下载Clutch
iOS7越狱后的Cydia源里已经下载不到Clutch了,但是我们可以从网上下载好推进iPhone
地址:Clutch传送门


2)查看可解密的应用列表

  1. root# ./Clutch   
  2.   
  3. Clutch-1.3.2  
  4. usage: ./Clutch [flags] [application name] [...]  
  5. Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo    


3)解密支付宝app

  1. root# ./Clutch Portal  
  2.   
  3. Clutch-1.3.2  
  4. Cracking Portal...  
  5. Creating working directory...  
  6. Performing initial analysis...  
  7. Performing cracking preflight...  
  8. dumping binary: analyzing load commands  
  9. dumping binary: obtaining ptrace handle  
  10. dumping binary: forking to begin tracing  
  11. dumping binary: successfully forked  
  12. dumping binary: obtaining mach port  
  13. dumping binary: preparing code resign  
  14. dumping binary: preparing to dump  
  15. dumping binary: ASLR enabled, identifying dump location dynamically  
  16. dumping binary: performing dump  
  17. dumping binary: patched cryptid  
  18. dumping binary: writing new checksum  
  19. Censoring iTunesMetadata.plist...  
  20. Packaging IPA file...  
  21.   
  22. compression level: 0  
  23.     /var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa  
  24.   
  25. elapsed time: 7473ms  
  26.   
  27. Applications Cracked:   
  28. Portal  
  29.   
  30. Applications that Failed:  
  31.   
  32. Total Success: 1 Total Failed: 0  



4)导出已解密的支付宝app

从上一步骤得知,已解密的ipa位置为:/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
将其拷贝到本地去分析




4.class_dump已解密的支付宝app


解压.ipa后,到 支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目录下,class_dump已解密的二进制文件

  1. $ class-dump-z Portal > ~/Portal-classdump.txt  

这回就可以得到对应的信息了:

  1. @protocol ALPNumPwdInputViewDelegate <NSObject>  
  2. -(void)onPasswordDidChange:(id)onPassword;  
  3. @end  
  4.   
  5. @protocol ALPContactBaseTableViewCellDelegate <NSObject>  
  6. -(void)shareClicked:(id)clicked sender:(id)sender;  
  7. @end  
  8.   
  9. @interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {  
  10. @private  
  11.     Item* channelSelected;  
  12.     BOOL _bCheck;  
  13.     BOOL _bOpenMiniPay;  
  14.     BOOL _bNeedPwd;  
  15.     BOOL _bSimplePwd;  
  16.     BOOL _bAutopayon;  
  17.     BOOL _bHasSub;  
  18.     BOOL _bFirstChannel;  
  19.     BOOL _bChangeSub;  
  20.     BOOL _bClickBack;  
  21.     UITableView* _channelListTableView;  
  22.     NSMutableArray* _channelListArray;  
  23.     NSMutableArray* _subChanneSelectedlList;  
  24.     NSMutableArray* _unCheckArray;  
  25.     UIButton* _saveButton;  
  26.     UILabel* _tipLabel;  
  27.     MMPPasswordSwichView* _payWaySwitch;  
  28.     MMPPopupAlertView* _alertView;  
  29.     UIView* _setView;  
  30.     int _originalSelectedRow;  
  31.     int _currentSelectedRow;  
  32.     NSString* _statusCode;  
  33.     ChannelListModel* _defaultChannelList;  
  34. }  
  35. @property(assign, nonatomic) BOOL bClickBack;  
  36. @property(retain, nonatomic) ChannelListModel* defaultChannelList;  
  37. @property(retain, nonatomic) NSString* statusCode;  
  38. @property(assign, nonatomic) int currentSelectedRow;  
  39. @property(assign, nonatomic) int originalSelectedRow;  
  40. @property(retain, nonatomic) UIView* setView;  
  41. @property(retain, nonatomic) MMPPopupAlertView* alertView;  
  42. @property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;  
  43. @property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;  
  44. @property(assign, nonatomic) BOOL bFirstChannel;  
  45. @property(assign, nonatomic) BOOL bHasSub;  
  46. @property(assign, nonatomic) BOOL bAutopayon;  
  47. @property(assign, nonatomic) BOOL bSimplePwd;  
  48. @property(assign, nonatomic) BOOL bNeedPwd;  
  49. @property(assign, nonatomic) BOOL bOpenMiniPay;  
  50. @property(assign, nonatomic) BOOL bCheck;  
  51. @property(retain, nonatomic) UILabel* tipLabel;  
  52. @property(retain, nonatomic) UIButton* saveButton;  
  53. @property(retain, nonatomic) NSMutableArray* unCheckArray;  
  54. @property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;  
  55. @property(retain, nonatomic) NSMutableArray* channelListArray;  
  56. @property(retain, nonatomic) UITableView* channelListTableView;  
  57. -(void).cxx_destruct;  
  58. -(void)subChannelDidSelected:(id)subChannel;  
  59. -(void)switchCheckButtonClicked:(id)clicked;  
  60. -(void)checkboxButtonClicked:(id)clicked;  
  61. -(void)onCellClick:(id)click;  
  62. -(void)showSubChannels;  
  63. -(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;  
  64. -(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;  
  65. -(int)tableView:(id)view numberOfRowsInSection:(int)section;  
  66. -(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;  
  67. -(int)numberOfSectionsInTableView:(id)tableView;  
  68. -(void)setTableViewFootView:(id)view;  
  69. -(void)setTableViewHeaderView:(id)view;  
  70. -(id)tableView:(id)view viewForHeaderInSection:(int)section;  
  71. -(id)tableView:(id)view viewForFooterInSection:(int)section;  
  72. -(float)tableView:(id)view heightForHeaderInSection:(int)section;  
  73. -(float)tableView:(id)view heightForFooterInSection:(int)section;  
  74. -(void)alertView:(id)view clickedButtonAtIndex:(int)index;  
  75. -(void)clickSave;  
  76. -(void)netWorkRequestWithPwd:(id)pwd;  
  77. -(void)setPayWaySwitchStates:(id)states;  
  78. -(void)changePayWaySwitch:(id)aSwitch;  
  79. -(void)scrollToSelectedRow;  
  80. -(void)didReceiveMemoryWarning;  
  81. -(void)viewDidLoad;  
  82. -(void)applicationEnterBackground:(id)background;  
  83. -(void)dealloc;  
  84. -(void)goBack;  
  85. -(BOOL)isChannelsSetChanged;  
  86. -(id)subChannelCode:(int)code;  
  87. -(id)subChannelDesc:(int)desc;  
  88. -(id)initWithDefaultData:(id)defaultData;  
  89. -(id)initWithNibName:(id)nibName bundle:(id)bundle;  
  90. -(void)commonInit:(id)init;  
  91. @end  



5.分析支付宝源码片段


1)使用了@private关键字限制成员访问权限
但是实际上,在Objective-C编程中,使用@private连Keypath访问都拦不住的


2)抛出了冗长的成员对象
这非常有利分析程序结构




6.进一步思考


1)如何利用 class-dump 结果,结合 cycript 进行攻击呢?
2)class-dump-z 如此强大,有什么方法可以减少暴露的信息吗?


接下来的博文将针对上面的思考,继续总结~

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值