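iOS Security Attack and Defense (6): Analyzing the Alipay App with class-dump-z
To understand the source structure of the Alipay app, we can use the class-dump-z tool to analyze the Alipay binary.
1. Download and set up class_dump_z
Go to https://code.google.com/p/networkpx/wiki/class_dump_z , download the tar package, then unpack it and install it into the local environment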
- $ tar -zxvf class-dump-z_0.2a.tar.gz
- $ sudo cp mac_x86/class-dump-z /usr/bin/
2. Run class_dump on the Alipay app
- $ class-dump-z Portal > Portal-dump.txt
- @protocol XXEncryptedProtocol_10764b0
- -(?)XXEncryptedMethod_d109df;
- -(?)XXEncryptedMethod_d109d3;
- -(?)XXEncryptedMethod_d109c7;
- -(?)XXEncryptedMethod_d109bf;
- -(?)XXEncryptedMethod_d109b8;
- -(?)XXEncryptedMethod_d109a4;
- -(?)XXEncryptedMethod_d10990;
- -(?)XXEncryptedMethod_d1097f;
- -(?)XXEncryptedMethod_d10970;
- -(?)XXEncryptedMethod_d10968;
- -(?)XXEncryptedMethod_d10941;
- -(?)XXEncryptedMethod_d10925;
- -(?)XXEncryptedMethod_d10914;
- -(?)XXEncryptedMethod_d1090f;
- -(?)XXEncryptedMethod_d1090a;
- -(?)XXEncryptedMethod_d10904;
- -(?)XXEncryptedMethod_d108f9;
- -(?)XXEncryptedMethod_d108f4;
- -(?)XXEncryptedMethod_d108eb;
- @optional
- -(?)XXEncryptedMethod_d109eb;
- @end
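The information we get back is encrypted. This encryption is applied by Apple when the app is deployed to the App Store, so one more step, decryption, is needed.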
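Whether a binary is still in this encrypted state can be read from the `cryptid` field of its Mach-O `LC_ENCRYPTION_INFO` load command, which is nonzero while the slice is encrypted. The following is an added example, not part of the original post; it generalizes to fat binaries with several slices, and the sample bytes are constructed for the demonstration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_cryptid(data, base=0):
    """Return (cputype, cpusubtype, cryptid) for one little-endian Mach-O slice.
    cryptid is None when the slice carries no LC_ENCRYPTION_INFO command."""
    magic, cputype, subtype, _ftype, ncmds, _size, _flags = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no Mach-O header at offset %d" % base)
    off = base + (32 if magic == MH_MAGIC_64 else 28)   # 64-bit header has one extra word
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # fields after cmd/cmdsize: cryptoff, cryptsize, cryptid
            return cputype, subtype, struct.unpack_from("<3I", data, off + 8)[2]
        off += cmdsize
    return cputype, subtype, None

def encryption_status(data):
    """List (cputype, cpusubtype, cryptid) for every slice of a thin or fat binary."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [slice_cryptid(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]          # fat header is big-endian
    archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat)]
    return [slice_cryptid(data, offset) for _cpu, _sub, offset, _sz, _al in archs]

def sample_slice(subtype, cryptid):
    """Constructed 32-bit ARM slice: header plus one LC_ENCRYPTION_INFO, no code."""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
    return struct.pack("<7I", MH_MAGIC, 12, subtype, 2, 1, len(lc), 0) + lc

def sample_fat(cryptids):
    """Constructed fat file with armv7 (subtype 9) and armv7s (subtype 11) slices."""
    slices = [sample_slice(st, cid) for st, cid in zip((9, 11), cryptids)]
    out, offset = struct.pack(">2I", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for st, s in zip((9, 11), slices):
        out += struct.pack(">5I", 12, st, offset, len(s), 0)
        offset += len(s)
    return out + b"".join(slices)

if __name__ == "__main__":
    for cpu, sub, cid in encryption_status(sample_fat((1, 0))):
        print("cputype=%d subtype=%d cryptid=%s" % (cpu, sub, cid))
```

A slice reporting `cryptid` 0 or `None` is readable by class-dump-z as-is; any other value explains the `XXEncrypted...` placeholders above.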
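3. Decrypt the Alipay app with Clutch
1) Download Clutch
After jailbreaking iOS 7, Clutch can no longer be downloaded from the Cydia sources, but we can download it from the web and push it to the iPhone.
Link: Clutch download portal
2) List the applications that can be decrypted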
- root# ./Clutch
- Clutch-1.3.2
- usage: ./Clutch [flags] [application name] [...]
- Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo
3) Decrypt the Alipay app
- root# ./Clutch Portal
- Clutch-1.3.2
- Cracking Portal...
- Creating working directory...
- Performing initial analysis...
- Performing cracking preflight...
- dumping binary: analyzing load commands
- dumping binary: obtaining ptrace handle
- dumping binary: forking to begin tracing
- dumping binary: successfully forked
- dumping binary: obtaining mach port
- dumping binary: preparing code resign
- dumping binary: preparing to dump
- dumping binary: ASLR enabled, identifying dump location dynamically
- dumping binary: performing dump
- dumping binary: patched cryptid
- dumping binary: writing new checksum
- Censoring iTunesMetadata.plist...
- Packaging IPA file...
- compression level: 0
- /var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
- elapsed time: 7473ms
- Applications Cracked:
- Portal
- Applications that Failed:
- Total Success: 1 Total Failed: 0
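4) Export the decrypted Alipay app
From the previous step, the decrypted ipa is located at: /var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
Copy it to the local machine for analysis.
4. Run class_dump on the decrypted Alipay app
After unpacking the .ipa, go to the 支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app directory and run class_dump on the decrypted binary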
- $ class-dump-z Portal > ~/Portal-classdump.txt
This time we get the corresponding information:
- @protocol ALPNumPwdInputViewDelegate <NSObject>
- -(void)onPasswordDidChange:(id)onPassword;
- @end
- @protocol ALPContactBaseTableViewCellDelegate <NSObject>
- -(void)shareClicked:(id)clicked sender:(id)sender;
- @end
- @interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {
- @private
- Item* channelSelected;
- BOOL _bCheck;
- BOOL _bOpenMiniPay;
- BOOL _bNeedPwd;
- BOOL _bSimplePwd;
- BOOL _bAutopayon;
- BOOL _bHasSub;
- BOOL _bFirstChannel;
- BOOL _bChangeSub;
- BOOL _bClickBack;
- UITableView* _channelListTableView;
- NSMutableArray* _channelListArray;
- NSMutableArray* _subChanneSelectedlList;
- NSMutableArray* _unCheckArray;
- UIButton* _saveButton;
- UILabel* _tipLabel;
- MMPPasswordSwichView* _payWaySwitch;
- MMPPopupAlertView* _alertView;
- UIView* _setView;
- int _originalSelectedRow;
- int _currentSelectedRow;
- NSString* _statusCode;
- ChannelListModel* _defaultChannelList;
- }
- @property(assign, nonatomic) BOOL bClickBack;
- @property(retain, nonatomic) ChannelListModel* defaultChannelList;
- @property(retain, nonatomic) NSString* statusCode;
- @property(assign, nonatomic) int currentSelectedRow;
- @property(assign, nonatomic) int originalSelectedRow;
- @property(retain, nonatomic) UIView* setView;
- @property(retain, nonatomic) MMPPopupAlertView* alertView;
- @property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
- @property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
- @property(assign, nonatomic) BOOL bFirstChannel;
- @property(assign, nonatomic) BOOL bHasSub;
- @property(assign, nonatomic) BOOL bAutopayon;
- @property(assign, nonatomic) BOOL bSimplePwd;
- @property(assign, nonatomic) BOOL bNeedPwd;
- @property(assign, nonatomic) BOOL bOpenMiniPay;
- @property(assign, nonatomic) BOOL bCheck;
- @property(retain, nonatomic) UILabel* tipLabel;
- @property(retain, nonatomic) UIButton* saveButton;
- @property(retain, nonatomic) NSMutableArray* unCheckArray;
- @property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
- @property(retain, nonatomic) NSMutableArray* channelListArray;
- @property(retain, nonatomic) UITableView* channelListTableView;
- -(void).cxx_destruct;
- -(void)subChannelDidSelected:(id)subChannel;
- -(void)switchCheckButtonClicked:(id)clicked;
- -(void)checkboxButtonClicked:(id)clicked;
- -(void)onCellClick:(id)click;
- -(void)showSubChannels;
- -(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
- -(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
- -(int)tableView:(id)view numberOfRowsInSection:(int)section;
- -(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
- -(int)numberOfSectionsInTableView:(id)tableView;
- -(void)setTableViewFootView:(id)view;
- -(void)setTableViewHeaderView:(id)view;
- -(id)tableView:(id)view viewForHeaderInSection:(int)section;
- -(id)tableView:(id)view viewForFooterInSection:(int)section;
- -(float)tableView:(id)view heightForHeaderInSection:(int)section;
- -(float)tableView:(id)view heightForFooterInSection:(int)section;
- -(void)alertView:(id)view clickedButtonAtIndex:(int)index;
- -(void)clickSave;
- -(void)netWorkRequestWithPwd:(id)pwd;
- -(void)setPayWaySwitchStates:(id)states;
- -(void)changePayWaySwitch:(id)aSwitch;
- -(void)scrollToSelectedRow;
- -(void)didReceiveMemoryWarning;
- -(void)viewDidLoad;
- -(void)applicationEnterBackground:(id)background;
- -(void)dealloc;
- -(void)goBack;
- -(BOOL)isChannelsSetChanged;
- -(id)subChannelCode:(int)code;
- -(id)subChannelDesc:(int)desc;
- -(id)initWithDefaultData:(id)defaultData;
- -(id)initWithNibName:(id)nibName bundle:(id)bundle;
- -(void)commonInit:(id)init;
- @end
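5. Analyzing the Alipay source fragment
1) The @private keyword is used to restrict access to members
In practice, however, @private in Objective-C does not even stop key-path access.
2) Lengthy member objects are exposed
This makes it much easier to analyze the program structure.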
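Because the ivar and selector names survive into the shipped binary verbatim, a developer can run class-dump-z on their own release build and check which names a reader would recognise. The following is an added example, not part of the original post: a small parser for the class-dump-z output format shown above, with an assumed keyword deny-list and a sample abridged from the dump in this post.

```python
import re

DECL = re.compile(r"^@(?:interface|protocol)\s+(\w+)")
METHOD = re.compile(r"^[-+]\(.*?\)(.+);$")
SENSITIVE = re.compile(r"pwd|password", re.I)   # assumed deny-list; tune per app

def selector(tail):
    """'alertView:(id)v clickedButtonAtIndex:(int)i' -> 'alertView:clickedButtonAtIndex:'"""
    return "".join(p + ":" for p in re.findall(r"(\w+):", tail)) or tail.strip()

def parse_dump(text):
    """Return {type: {'ivars': [...], 'selectors': [...]}} from class-dump-z output."""
    types, cur, in_ivars = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        decl = DECL.match(line)
        if decl:                                   # @interface / @protocol opens a type
            cur = types.setdefault(decl.group(1), {"ivars": [], "selectors": []})
            in_ivars = line.endswith("{")
        elif cur is None or line == "@end":        # outside any type, or closing one
            cur = None
        elif in_ivars:                             # between "{" and "}": instance variables
            ivar = re.search(r"(\w+);$", line)
            in_ivars = line != "}"
            if ivar:
                cur["ivars"].append(ivar.group(1))
        elif METHOD.match(line):
            cur["selectors"].append(selector(METHOD.match(line).group(1)))
    return types

def audit(text):
    """Map each type to the member names that match the deny-list."""
    found = {t: [n for n in m["ivars"] + m["selectors"] if SENSITIVE.search(n)]
             for t, m in parse_dump(text).items()}
    return {t: names for t, names in found.items() if names}

# Abridged from the decrypted dump shown in this post.
SAMPLE = """\
@protocol ALPNumPwdInputViewDelegate <NSObject>
-(void)onPasswordDidChange:(id)onPassword;
@end
@interface MMPPayWayViewController : XXUnknownSuperclass <UIAlertViewDelegate> {
    BOOL _bNeedPwd;
}
-(void)netWorkRequestWithPwd:(id)pwd;
-(void)clickSave;
@end
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```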
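6. Further thoughts
1) How can class-dump results be combined with cycript to carry out an attack?
2) class-dump-z is this powerful; is there any way to reduce the information that is exposed?
The following posts will continue to summarize along these lines~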