iOS安全攻防（六）：使用class-dump-z分析支付宝app

为了了解支付宝app的源码结构，我们可以使用class-dump-z工具来分析支付宝二进制。

1.下载配置class_dump_z

前往 https://code.google.com/p/networkpx/wiki/class_dump_z ，下载tar包，然后解压配置到本地环境

$ tar -zxvf class-dump-z_0.2a.tar.gz
$ sudo cp mac_x86/class-dump-z /usr/bin/

2.class_dump支付宝app

$ class-dump-z Portal > Portal-dump.txt
@protocol XXEncryptedProtocol_10764b0
-(?)XXEncryptedMethod_d109df;
-(?)XXEncryptedMethod_d109d3;
-(?)XXEncryptedMethod_d109c7;
-(?)XXEncryptedMethod_d109bf;
-(?)XXEncryptedMethod_d109b8;
-(?)XXEncryptedMethod_d109a4;
-(?)XXEncryptedMethod_d10990;
-(?)XXEncryptedMethod_d1097f;
-(?)XXEncryptedMethod_d10970;
-(?)XXEncryptedMethod_d10968;
-(?)XXEncryptedMethod_d10941;
-(?)XXEncryptedMethod_d10925;
-(?)XXEncryptedMethod_d10914;
-(?)XXEncryptedMethod_d1090f;
-(?)XXEncryptedMethod_d1090a;
-(?)XXEncryptedMethod_d10904;
-(?)XXEncryptedMethod_d108f9;
-(?)XXEncryptedMethod_d108f4;
-(?)XXEncryptedMethod_d108eb;
@optional
-(?)XXEncryptedMethod_d109eb;
@end

查看得到的信息是加过密的，这个加密操作是苹果在部署到app store时做的，所以我们还需要做一步解密操作。

3.使用Clutch解密支付宝app

1）下载Clutch
iOS7越狱后的Cydia源里已经下载不到Clutch了，但是我们可以从网上下载好推进iPhone
地址：Clutch传送门

2）查看可解密的应用列表

root# ./Clutch
Clutch-1.3.2
usage: ./Clutch [flags] [application name] [...]
Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo

3）解密支付宝app

root# ./Clutch Portal
Clutch-1.3.2
Cracking Portal...
Creating working directory...
Performing initial analysis...
Performing cracking preflight...
dumping binary: analyzing load commands
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
dumping binary: performing dump
dumping binary: patched cryptid
dumping binary: writing new checksum
Censoring iTunesMetadata.plist...
Packaging IPA file...
compression level: 0
/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
elapsed time: 7473ms
Applications Cracked:
Portal
Applications that Failed:
Total Success: 1 Total Failed: 0

4）导出已解密的支付宝app

从上一步骤得知，已解密的ipa位置为：/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
将其拷贝到本地去分析

4.class_dump已解密的支付宝app

解压.ipa后，到支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目录下，class_dump已解密的二进制文件

$ class-dump-z Portal > ~/Portal-classdump.txt

这回就可以得到对应的信息了：

@protocol ALPNumPwdInputViewDelegate <NSObject>
-(void)onPasswordDidChange:(id)onPassword;
@end
@protocol ALPContactBaseTableViewCellDelegate <NSObject>
-(void)shareClicked:(id)clicked sender:(id)sender;
@end
@interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {
@private
Item* channelSelected;
BOOL _bCheck;
BOOL _bOpenMiniPay;
BOOL _bNeedPwd;
BOOL _bSimplePwd;
BOOL _bAutopayon;
BOOL _bHasSub;
BOOL _bFirstChannel;
BOOL _bChangeSub;
BOOL _bClickBack;
UITableView* _channelListTableView;
NSMutableArray* _channelListArray;
NSMutableArray* _subChanneSelectedlList;
NSMutableArray* _unCheckArray;
UIButton* _saveButton;
UILabel* _tipLabel;
MMPPasswordSwichView* _payWaySwitch;
MMPPopupAlertView* _alertView;
UIView* _setView;
int _originalSelectedRow;
int _currentSelectedRow;
NSString* _statusCode;
ChannelListModel* _defaultChannelList;
}
@property(assign, nonatomic) BOOL bClickBack;
@property(retain, nonatomic) ChannelListModel* defaultChannelList;
@property(retain, nonatomic) NSString* statusCode;
@property(assign, nonatomic) int currentSelectedRow;
@property(assign, nonatomic) int originalSelectedRow;
@property(retain, nonatomic) UIView* setView;
@property(retain, nonatomic) MMPPopupAlertView* alertView;
@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
@property(assign, nonatomic) BOOL bFirstChannel;
@property(assign, nonatomic) BOOL bHasSub;
@property(assign, nonatomic) BOOL bAutopayon;
@property(assign, nonatomic) BOOL bSimplePwd;
@property(assign, nonatomic) BOOL bNeedPwd;
@property(assign, nonatomic) BOOL bOpenMiniPay;
@property(assign, nonatomic) BOOL bCheck;
@property(retain, nonatomic) UILabel* tipLabel;
@property(retain, nonatomic) UIButton* saveButton;
@property(retain, nonatomic) NSMutableArray* unCheckArray;
@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
@property(retain, nonatomic) NSMutableArray* channelListArray;
@property(retain, nonatomic) UITableView* channelListTableView;
-(void).cxx_destruct;
-(void)subChannelDidSelected:(id)subChannel;
-(void)switchCheckButtonClicked:(id)clicked;
-(void)checkboxButtonClicked:(id)clicked;
-(void)onCellClick:(id)click;
-(void)showSubChannels;
-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
-(int)tableView:(id)view numberOfRowsInSection:(int)section;
-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
-(int)numberOfSectionsInTableView:(id)tableView;
-(void)setTableViewFootView:(id)view;
-(void)setTableViewHeaderView:(id)view;
-(id)tableView:(id)view viewForHeaderInSection:(int)section;
-(id)tableView:(id)view viewForFooterInSection:(int)section;
-(float)tableView:(id)view heightForHeaderInSection:(int)section;
-(float)tableView:(id)view heightForFooterInSection:(int)section;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)clickSave;
-(void)netWorkRequestWithPwd:(id)pwd;
-(void)setPayWaySwitchStates:(id)states;
-(void)changePayWaySwitch:(id)aSwitch;
-(void)scrollToSelectedRow;
-(void)didReceiveMemoryWarning;
-(void)viewDidLoad;
-(void)applicationEnterBackground:(id)background;
-(void)dealloc;
-(void)goBack;
-(BOOL)isChannelsSetChanged;
-(id)subChannelCode:(int)code;
-(id)subChannelDesc:(int)desc;
-(id)initWithDefaultData:(id)defaultData;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
-(void)commonInit:(id)init;
@end

5.分析支付宝源码片段

1）使用了@private关键字限制成员访问权限
但是实际上，在Objective-C编程中，使用@private连Keypath访问都拦不住的

2）抛出了冗长的成员对象
这非常有利分析程序结构

6.进一步思考

1）如何利用 class-dump 结果，结合 cycript 进行攻击呢？
2）class-dump-z 如此强大，有什么方法可以减少暴露的信息吗？

接下来的博文将针对上面的思考，继续总结～

iOS安全攻防（六）：使用class-dump-z分析支付宝app相关推荐

ios--安全攻防--使用class-dump-z分析支付宝app
使用class-dump-z分析支付宝app 文章出处:http://blog.csdn.net/yiyaaixuexi/article/details/18353423#comments 为了了解支 ...
iOS安全攻防（二十三）：Objective-C代码混淆
iOS安全攻防(二十三):Objective-C代码混淆 class-dump可以很方便的导出程序头文件,不仅让攻击者了解了程序结构方便逆向,还让着急赶进度时写出的欠完善的程序给同行留下笑柄. 所以, ...
[置顶] XMPPFrameWork IOS 开发（六）聊天室
原始地址:XMPPFrameWork IOS 开发(六)聊天室聊天室 [cpp] view plain copy print ? //初始化聊天室 XMPPJID *roomJID = [XMPP ...
iOS安全攻防防防防防不住 . . . . . .
iOS安全攻防防防防防不住 . . . . . . 移动端的攻防问题一直存在,一直有问题. 网上有很多前辈总结的经验,我现在站在巨人的肩膀上写个笔记. 先引入头文件 #import <s ...
iOS安全攻防-李文瀚-专题视频课程
iOS安全攻防-343人已学习课程介绍关于iOS应用开发的安全,这块内容可无限的深入和延展 1.苹果的签名机制 2.代码注入的原理 3.HOOK的原理剖析 4.防护进阶所有的防 ...
iOS 安全攻防学习规划
[ 基础篇 ] 1. ARM 汇编语言. 书籍资料:<ARM体系结构与编程>杜春雷苹果官方的参考资料<ARM® Architecture Reference Manual Extr ...
iOS中ImageIO框架详解与应用分析
2019独角兽企业重金招聘Python工程师标准>>> iOS中ImageIO框架详解与应用分析一.引言 ImageIO框架提供了读取与写入图片数据的基本方法,使用它可以直接获取到 ...
微信双开是定时炸弹？关于非越狱iOS上微信分身高危插件ImgNaix的分析
作者:蒸米@阿里移动安全序言微信作为手机上的第一大应用,有着上亿的用户.并且很多人都不只拥有一个微信帐号,有的微信账号是用于商业的,有的是用于私人的.可惜的是官方版的微信并不支持多开的功能,并且频 ...
微信双开还是微信定时炸弹？- 关于非越狱iOS上微信分身高危插件ImgNaix的分析...
蒸米 · 2016/04/28 11:01 [email protected] 0x00 序微信作为手机上的第一大应用,有着上亿的用户.并且很多人都不只拥有一个微信帐号,有的微信账号是用于商业的,有 ...

iOS安全攻防（六）：使用class-dump-z分析支付宝app

iOS安全攻防（六）：使用class-dump-z分析支付宝app相关推荐

最新文章

热门文章