IOS - 某驾宝典篇

首先挂上代理抓个登陆包，结果发现抓不到包，我们直接换个思路，采用vpn转发方式进行抓包；

sign, hsign，hext-union 三个参数加密；

hsign长度为32，可能为MD5 ，其他两个未确定；

直接上我们的url定位：我直接附加吧

frida-trace -UF -m "+[NSURL URLWithString:]"

是搞出来点东西，看样子有这个MD5, 先个堆栈追踪；

打开提示目录中的，URLWithString_.js 文件

C:\Users\Codeooo\__handlers__

把咱们万能堆栈加上去；

    log('堆栈 from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');

记录下堆栈，砸壳分析一波：

砸壳我这里用的是 CrackerXI ，https://blog.csdn.net/weixin_38927522/article/details/129497173

0x1024da038 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[AFHTTPRequestSerializer requestBySerializingRequest:withParameters:error:]
0x1024d9380 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[AFHTTPRequestSerializer requestWithMethod:URLString:parameters:error:]
0x1038de2a0 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy dataTaskWithHTTPMethod:sessionManager:requestSerializer:URLString:parameters:uploadProgress:downloadProgress:constructingBodyWithBlock:error:]
0x1038de1a4 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy dataTaskWithHTTPMethod:sessionManager:requestSerializer:URLString:parameters:uploadProgress:downloadProgress:error:]
0x1038de118 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy sessionTaskForRequest:error:]
0x1038dd6a8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkProxy addRequest:]
0x1038d89e8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYBaseRequest start]
0x1038dc8f8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkManager getWithUrl:param:header:progress:completion:]
0x1024ed940 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58NetworkManager request:withMethod:parameters:withTimeoutInterval:resultClassType:withSuccess:withFail:]
0x1024ee8c8 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58RequestManager login:success:Failure:]
0x10250f07c /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController passwordLoginRequestByPhone:ThePassword:]
0x102510b68 /var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController verifyLoginButtonClicked:]
0x1b2169300 UIKitCore!-[UIApplication sendAction:to:from:forEvent:]
0x1b1c12424 UIKitCore!-[UIControl sendAction:to:forEvent:]
0x1b1c12744 UIKitCore!-[UIControl _sendActionsForEvents:withEvent:]
0x1b1c117b0 UIKitCore!-[UIControl touchesEnded:withEvent:]8966 ms  +[NSURL URLWithString:]https://user.ksedt.com/api/login/v2?sign=314CEEC4B7FF8F7097990FA5FC412E635A31D4FA5760ECBBD3085C5C6F8C5E54A62F92A824DAF5C87E6708F21547BBCA09362643C2FFF4504B87EDC5247FA102

我们通过frida hook也是一样的：

var ClassName = "NSURL";
var MethodName = "+ URLWithString:";
var func = ObjC.classes[ClassName][MethodName];
Interceptor.attach(func.implementation, {onEnter: function (args) {console.log(Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n"));console.log("URL: ", ObjC.Object(args[2]), "\n");}, onLeave: function (retval) {}
});

hook第一个堆栈函数，看一下：

var requestBySerializingRequest = ObjC.classes.AFHTTPRequestSerializer['- requestBySerializingRequest:withParameters:error:'];
Interceptor.attach(requestBySerializingRequest.implementation, {onEnter: function (args) {console.log("args[2]: ", ObjC.Object(args[2]));console.log("args[3]: ", ObjC.Object(args[3]));console.log("args[4]: ", ObjC.Object(args[4]));this.arg4 = args[4];}, onLeave: function (retval) {console.log("args[4]: ", ObjC.Object(this.arg4.readPointer()));}
});

继续往上找吧；

找到这个堆栈：

// 0x1038dc8f8
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[XYNetworkManager
getWithUrl:param:header:progress:completion:]

var initWithMethod = ObjC.classes.XYHTTPRequest['+ initWithMethod:requestURL:requestParam:requestHeaderField:'];
Interceptor.attach(initWithMethod.implementation, {onEnter: function (args) {console.log('initWithMethod called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');//console.log("args[2]: ", (args[2]));console.log("args[3]: ", ObjC.Object(args[3]));console.log("args[4]: ", ObjC.Object(args[4]));console.log("args[5]: ", ObjC.Object(args[5]));}, onLeave: function (retval) {}
});

看来还是不对，再继续往上找：

找到： // 0x1024ed940
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!+[DrLogin58NetworkManager
request:withMethod:parameters:withTimeoutInterval:resultClassType:withSuccess:withFail:]

这里有个方法比较特殊记录下：

有个类似于MD5的调用，再点进去看看

也是个cc_md5；
再往上找：

// 0x10250f07c
/var/containers/Bundle/Application/82E81B77-8825-4ABC-A91F-EABC37E3408D/Driver.app/Driver!-[DrUserLoginViewController
passwordLoginRequestByPhone:ThePassword:]

看到这个函数，我们搞一下：

+[DrGenerateLoginRequestSign generateLoginRequestSignByParamDict:]

var initWithMethod = ObjC.classes.DrGenerateLoginRequestSign['+ generateLoginRequestSignByParamDict:'];
Interceptor.attach(initWithMethod.implementation, {onEnter: function (args) {console.log("args[2]: ", ObjC.Object(args[2]));}, onLeave: function (retval) {console.log("retval: ", ObjC.Object(retval));}
});

这里面东西不少；

var initWithMethod = ObjC.classes.NSData['- jx_aes256EncryptWithKey:iv:'];
Interceptor.attach(initWithMethod.implementation, {onEnter: function (args) {console.log("args[0]: ", ObjC.Object(args[0]));console.log("args[2]: ", ObjC.Object(args[2]));console.log("args[3]: ", ObjC.Object(args[3]));}, onLeave: function (retval) {console.log("retval: ", ObjC.Object(retval));}
});

retval:则是 314CEEC4B7FF8F7097990FA5FC412E635A31D4FA5760ECBBD3085C5C6F8C5E54A62F92A824DAF5C87E6708F21547BBCA09362643C2FFF4504B87EDC5247FA102

那我们aes的key找到了， iv是 nil，那就是ecb模式，无需iv；
再看下data明文，62376363 37386263 31346130 37356639 34353462 62643733 33663564 62626164 7c70686f 6e653d31 38383838 38383838 38382670 77643d31 32333435 36

b7cc78bc14a075f9454bbd733f5dbbad|phone=18888888888&pwd=123456

b7cc78bc14a075f9454bbd733f5dbbad 哪里来？

var jx_toMD5 = ObjC.classes.NSString['- jx_toMD5'];
Interceptor.attach(jx_toMD5.implementation, {onEnter: function (args) {console.log("args[0]: ", ObjC.Object(args[0]));}, onLeave: function (retval) {console.log("retval: ", ObjC.Object(retval));}
});

这里就说看出来 b7cc78bc14a075f9454bbd733f5dbbad 这里来；

sign逆向完毕！

hsign值得到了，其他参数都在请求里，30319502d66d31a4779bf67a54588c4ec572b3b5 这个值哪里来的：固定的吗？固定盐？

MD5的时候，同时又把 hsign 直接给勾出来了；

hsign 逆向完毕！

继续看下，hext-union，直接shift + F12, 老话说的好，直接ida搜字符串；

再通过上面hook aes脚本，仔细观察看下：

这个是跟设备一些关联；

args[2]: <3338387a 7a683770 77346961 67307039>
args[3]: <336b796c 77676c6d 63376d7a 66783265>

说明秘钥没问题；

对比下确实是没问题，只不过他的base64将/ + 号等都做了替换；
我们去ida看下是不是码表也有变化，方便我们在页面调整：

码表搞出来，替换上来：

对比完美结束。

hext-union完毕！

所以说这个CyberChef是真的好用！！！

https://gchq.github.io/CyberChef/#recipe=To_Hex(‘Space’,0)AES_Encrypt(%7B’option’:‘Hex’,‘string’:‘3338387a%207a683770%2077346961%2067307039’%7D,%7B’option’:‘Hex’,‘string’:‘336b796c%2077676c6d%2063376d7a%2066783265’%7D,‘CBC’,‘Hex’,‘Raw’,%7B’option’:‘Hex’,‘string’:‘’%7D)To_Base64(‘A-Za-z0-9-_’)&input=eyJoY2l0eWlkIjoiMSIsImhpbWVpIjoiMzAzMTk1MDJkNjZkMzFhNDc3OWJmNjdhNTQ1ODhjNGVjNTcyYjNiNSIsInp4YWlkIjoiQTAxLU9zVmdZN2pcL0dYMmZwMXc1WDVkN1BaYVwvem00THBNUVgiLCJoZGV2aWNlaWQiOiI4MGQ3MWE3MmY4MDU0ZDIyODMzNTA0NWRjZjE5Zjk1OSIsImhvc3ZlciI6IjEyLjUuNyIsInp4aWQiOiJaMDEtMTY4MTI0ODkzNi15RjE2ZXdET3VmZzQxZG9DLUQ4OUEifQ