class-dump逆向分析app

本文转载来源：http://blog.csdn.net/yiyaaixuexi/article/details/18353423

为了了解支付宝app的源码结构，我们可以使用class-dump-z工具来分析支付宝二进制。

1.下载配置class_dump_z

前往 https://code.google.com/p/networkpx/wiki/class_dump_z ，下载tar包，然后解压配置到本地环境

$ tar -zxvf class-dump-z_0.2a.tar.gz
$ sudo cp mac_x86/class-dump-z /usr/bin/

2.class_dump支付宝app

$ class-dump-z Portal > Portal-dump.txt
@protocol XXEncryptedProtocol_10764b0
-(?)XXEncryptedMethod_d109df;
-(?)XXEncryptedMethod_d109d3;
-(?)XXEncryptedMethod_d109c7;
-(?)XXEncryptedMethod_d109bf;
-(?)XXEncryptedMethod_d109b8;
-(?)XXEncryptedMethod_d109a4;
-(?)XXEncryptedMethod_d10990;
-(?)XXEncryptedMethod_d1097f;
-(?)XXEncryptedMethod_d10970;
-(?)XXEncryptedMethod_d10968;
-(?)XXEncryptedMethod_d10941;
-(?)XXEncryptedMethod_d10925;
-(?)XXEncryptedMethod_d10914;
-(?)XXEncryptedMethod_d1090f;
-(?)XXEncryptedMethod_d1090a;
-(?)XXEncryptedMethod_d10904;
-(?)XXEncryptedMethod_d108f9;
-(?)XXEncryptedMethod_d108f4;
-(?)XXEncryptedMethod_d108eb;
@optional
-(?)XXEncryptedMethod_d109eb;
@end

查看得到的信息是加过密的，这个加密操作是苹果在部署到app store时做的，所以我们还需要做一步解密操作。

3.使用Clutch解密支付宝app

1）下载Clutch
iOS7越狱后的Cydia源里已经下载不到Clutch了，但是我们可以从网上下载好推进iPhone
地址：Clutch传送门

2）查看可解密的应用列表

root# ./Clutch
Clutch-1.3.2
usage: ./Clutch [flags] [application name] [...]
Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo

3）解密支付宝app

root# ./Clutch Portal
Clutch-1.3.2
Cracking Portal...
Creating working directory...
Performing initial analysis...
Performing cracking preflight...
dumping binary: analyzing load commands
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
dumping binary: performing dump
dumping binary: patched cryptid
dumping binary: writing new checksum
Censoring iTunesMetadata.plist...
Packaging IPA file...
compression level: 0
/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa
elapsed time: 7473ms
Applications Cracked:
Portal
Applications that Failed:
Total Success: 1 Total Failed: 0

4）导出已解密的支付宝app

从上一步骤得知，已解密的ipa位置为：/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa

将其拷贝到本地去分析

4.class_dump已解密的支付宝app

解压.ipa后，到支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目录下，class_dump已解密的二进制文件

$ class-dump-z Portal > ~/Portal-classdump.txt

这回就可以得到对应的信息了：

@protocol ALPNumPwdInputViewDelegate <NSObject>
-(void)onPasswordDidChange:(id)onPassword;
@end
@protocol ALPContactBaseTableViewCellDelegate <NSObject>
-(void)shareClicked:(id)clicked sender:(id)sender;
@end
@interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {
@private
Item* channelSelected;
BOOL _bCheck;
BOOL _bOpenMiniPay;
BOOL _bNeedPwd;
BOOL _bSimplePwd;
BOOL _bAutopayon;
BOOL _bHasSub;
BOOL _bFirstChannel;
BOOL _bChangeSub;
BOOL _bClickBack;
UITableView* _channelListTableView;
NSMutableArray* _channelListArray;
NSMutableArray* _subChanneSelectedlList;
NSMutableArray* _unCheckArray;
UIButton* _saveButton;
UILabel* _tipLabel;
MMPPasswordSwichView* _payWaySwitch;
MMPPopupAlertView* _alertView;
UIView* _setView;
int _originalSelectedRow;
int _currentSelectedRow;
NSString* _statusCode;
ChannelListModel* _defaultChannelList;
}
@property(assign, nonatomic) BOOL bClickBack;
@property(retain, nonatomic) ChannelListModel* defaultChannelList;
@property(retain, nonatomic) NSString* statusCode;
@property(assign, nonatomic) int currentSelectedRow;
@property(assign, nonatomic) int originalSelectedRow;
@property(retain, nonatomic) UIView* setView;
@property(retain, nonatomic) MMPPopupAlertView* alertView;
@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
@property(assign, nonatomic) BOOL bFirstChannel;
@property(assign, nonatomic) BOOL bHasSub;
@property(assign, nonatomic) BOOL bAutopayon;
@property(assign, nonatomic) BOOL bSimplePwd;
@property(assign, nonatomic) BOOL bNeedPwd;
@property(assign, nonatomic) BOOL bOpenMiniPay;
@property(assign, nonatomic) BOOL bCheck;
@property(retain, nonatomic) UILabel* tipLabel;
@property(retain, nonatomic) UIButton* saveButton;
@property(retain, nonatomic) NSMutableArray* unCheckArray;
@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
@property(retain, nonatomic) NSMutableArray* channelListArray;
@property(retain, nonatomic) UITableView* channelListTableView;
-(void).cxx_destruct;
-(void)subChannelDidSelected:(id)subChannel;
-(void)switchCheckButtonClicked:(id)clicked;
-(void)checkboxButtonClicked:(id)clicked;
-(void)onCellClick:(id)click;
-(void)showSubChannels;
-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
-(int)tableView:(id)view numberOfRowsInSection:(int)section;
-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
-(int)numberOfSectionsInTableView:(id)tableView;
-(void)setTableViewFootView:(id)view;
-(void)setTableViewHeaderView:(id)view;
-(id)tableView:(id)view viewForHeaderInSection:(int)section;
-(id)tableView:(id)view viewForFooterInSection:(int)section;
-(float)tableView:(id)view heightForHeaderInSection:(int)section;
-(float)tableView:(id)view heightForFooterInSection:(int)section;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)clickSave;
-(void)netWorkRequestWithPwd:(id)pwd;
-(void)setPayWaySwitchStates:(id)states;
-(void)changePayWaySwitch:(id)aSwitch;
-(void)scrollToSelectedRow;
-(void)didReceiveMemoryWarning;
-(void)viewDidLoad;
-(void)applicationEnterBackground:(id)background;
-(void)dealloc;
-(void)goBack;
-(BOOL)isChannelsSetChanged;
-(id)subChannelCode:(int)code;
-(id)subChannelDesc:(int)desc;
-(id)initWithDefaultData:(id)defaultData;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
-(void)commonInit:(id)init;
@end

5.分析支付宝源码片段

1）使用了@private关键字限制成员访问权限
但是实际上，在Objective-C编程中，使用@private连Keypath访问都拦不住的

2）抛出了冗长的成员对象
这非常有利分析程序结构

class-dump逆向分析app相关推荐

Android无需权限显示悬浮窗, 兼谈逆向分析app
前言最近UC浏览器中文版出了一个快速搜索的功能, 在使用其他app的时候, 如果复制了一些内容, 屏幕顶部会弹一个窗口, 提示一些操作, 点击后跳转到UC, 显示这个悬浮窗不需要申请android. ...
Android手机跑逆向,Android 逆向工程：基于Xposed Hook实现动态逆向分析
Xposed是一个非常神奇的框架,对于普通用户,Xposed框架可以发挥Android系统更高的使用效率,可以随便折腾,美化优化系统.但是用于开发者而言,Xposed可以用于逆向工程,动态逆向分析A ...
知物由学 | 干货！一文了解安卓APP逆向分析与保护机制
"知物由学"是网易云易盾打造的一个品牌栏目,词语出自汉·王充<论衡·实知>.人,能力有高下之分,学习才知道事物的道理,而后才有智慧,不去求问就不会知道."知物 ...
基于Inspeckage的安卓APP抓包逆向分析——以步道乐跑APP为例
引言:本人最近稍微弄懂了inspeckage的用法,特在此以步道乐跑APP为例,较详细记录地记录APP抓包与简单的逆向分析过程,用于备忘与共同学习!另外,温馨提醒,本文图片较多,建议连接WiFi阅读! ...
Android逆向小技巧①：从Activity下手找到切入点，逆向分析支付宝APP
明确目标关于Android应用的解包.反编译,在网上已经有无数文章了,此处不再赘述.当你已经使用 [d2j-dex2jar] 和 [jd-gui] 得到了APK反编译后的JAVA代码,面对庞大的代码 ...
逆向分析：还原 App protobuf 协议加密
前言之前有记录js逆向.安卓逆向等,今天这里记录下一些协议逆向,这种一般出现在websocket 协议. protobuf 协议等,某音,B站 APP等都有用到这些协议加密,而我们不再是像 js 端 ...
Android逆向分析案例——某点评APP登陆请求数据解密
今天,七夕,单身23载的程序汪,默默地写着博客~ 上一次的逆向分析案例中讲了如何去分析某酒店的APP登陆请求,为了进一步学习如何逆向分析以及学习其他公司的网络传输加解密,本次案例将继续就登陆请求的数据 ...
对吃鸡APP的逆向分析
吃鸡的APP逆向分析涉及到动态调试分析,涉及到对arm汇编指令的掌握,涉及到一些反调试方案的绕过. 下面通过对吃鸡APP的逆向分析做了一次详解解析. 请点击文字进行阅读对android逆向吃鸡APP的 ...
APP逆向分析之XX音乐客户端下载歌曲权限绕过
很长一段时间没有做逆向分析相关的研究了,最近看了一部电影,电影有首插曲名字叫不见不散,那是相当的好听啊,打开XX音乐,准备下载,额-.弹出付费才能下载-.为了一首歌,开一个包月服务,显然不是我这个搞过 ...

class-dump逆向分析app

class-dump逆向分析app相关推荐

最新文章

热门文章