New Blog
Study Notes
Preface
Software environment: Xcode
Hardware environment: jailbroken iPhone 5, Mac
Development tools: Cycript, LLDB, Logos tweak, Hopper, MonkeyDev, AFLEXLoader, dumpdecrypted, debugserver, ssh, class-dump, hook
This article uses a tweak to perform the MSHookFunction hooking.
The ptrace function is easy to tamper with; there are several ways to bypass it:
- At run time, set a breakpoint on ptrace and return from it directly:
Launch the application under the debugger instead of attaching to it while it is already running.
iPhone:~ root# debugserver -x posix *:12345 /var/mobile/Containers/Bundle/Application/A612F542-81EF-456A-A6A0-B23046EF57BA/AlipayWallet.app/AlipayWallet
Launching the program this way attaches the debugger from the program entry point, so we can intervene before any of the security-protection code executes. The most common use is skipping ptrace:
use the thread return command to return immediately, skipping the function's logic.
(lldb) br set -n ptrace
Breakpoint 2: where = libsystem_kernel.dylib`__ptrace, address = 0x00000001966af2d4
(lldb) br command add 2
Enter your debugger command(s). Type 'DONE' to end.
> thread return
> c
> DONE
- Replace the disable_gdb function via a tweak.
- In the binary, change the PT_DENY_ATTACH value 31 to any other value, such as PT_ATTACH (0).
iOS reverse engineering: dumping the decrypted binary
iPhone:~ root# ps -e |grep AlipayWallet
714 ?? 0:26.44 /var/mobile/Containers/Bundle/Application/A612F542-81EF-456A-A6A0-B23046EF57BA/AlipayWallet.app/AlipayWallet
736 ttys000 0:00.01 grep AlipayWallet
iPhone:~ root# cycript -p AlipayWallet
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask][0]
#"file:///var/mobile/Containers/Data/Application/89313E1C-76C2-41E3-8ECD-F4BDC1A78524/Documents/"
devzkndeMacBook-Pro:decrypted devzkn$ scp /Users/devzkn/Downloads/kevin-software/ios-Reverse_Engineering/dumpdecrypted-master/dumpdecrypted.dylib iphone150:/var/mobile/Containers/Data/Application/89313E1C-76C2-41E3-8ECD-F4BDC1A78524/Documents/
devzkndeMacBook-Pro:decrypted devzkn$ scp iphone150:/var/mobile/Containers/Data/Application/89313E1C-76C2-41E3-8ECD-F4BDC1A78524/Documents/AlipayWallet.decrypted /Users/devzkn/decrypted/AlipayWallet
devzkndeMacBook-Pro:bin devzkn$ class-dump --arch armv7 /Users/devzkn/decrypted/AlipayWallet10.1.8/AlipayWallet.decrypted -H -o /Users/devzkn/decrypted/AlipayWallet10.1.8/head
Locate the target app
TBSDKMTOPServer
bundleIdentifier
Change com.apple.springboard to iphoneclient
iPhone:~ root# cycript -p AlipayWallet
cy# [[NSBundle mainBundle] bundleIdentifier]
@"com.alipay.iphoneclient"
tweak
%hook DFClientDelegate
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    %log();
    // Log every method of a given class so the order in which its methods execute can be observed
    [KNHook hookClass:@"H5WebViewController"]; // aluLoginViewController
    [KNHook hookClass:@"TBSDKServer"];         // getUaPageName aluMTopService _tokenLoginInvoker
    [KNHook hookClass:@"TBSDKMTOPServer"];     // getUaPageName aluMTopService _tokenLoginInvoker
    return %orig;
}
%end
Nov 28 18:36:20 iPhone AlipayWallet[1246] <War