To get a picture of how the Alipay app is put together, we can run class-dump-z over the Alipay binary. class-dump-z reads the Objective-C runtime metadata (class, protocol, ivar and method declarations) embedded in a Mach-O binary and prints it back as header-style declarations.
1. Download and set up class-dump-z
Go to https://code.google.com/p/networkpx/wiki/class_dump_z , download the tarball, then unpack it and copy the binary somewhere on your PATH. Note that on macOS releases with System Integrity Protection enabled /usr/bin is read-only; install to /usr/local/bin there instead.
    $ tar -zxvf class-dump-z_0.2a.tar.gz
    $ sudo cp mac_x86/class-dump-z /usr/bin/
2. class-dump the Alipay app (the main binary inside the .app bundle is named Portal)
    $ class-dump-z Portal > Portal-dump.txt

    @protocol XXEncryptedProtocol_10764b0
    -(?)XXEncryptedMethod_d109df;
    -(?)XXEncryptedMethod_d109d3;
    -(?)XXEncryptedMethod_d109c7;
    -(?)XXEncryptedMethod_d109bf;
    -(?)XXEncryptedMethod_d109b8;
    -(?)XXEncryptedMethod_d109a4;
    -(?)XXEncryptedMethod_d10990;
    -(?)XXEncryptedMethod_d1097f;
    -(?)XXEncryptedMethod_d10970;
    -(?)XXEncryptedMethod_d10968;
    -(?)XXEncryptedMethod_d10941;
    -(?)XXEncryptedMethod_d10925;
    -(?)XXEncryptedMethod_d10914;
    -(?)XXEncryptedMethod_d1090f;
    -(?)XXEncryptedMethod_d1090a;
    -(?)XXEncryptedMethod_d10904;
    -(?)XXEncryptedMethod_d108f9;
    -(?)XXEncryptedMethod_d108f4;
    -(?)XXEncryptedMethod_d108eb;
    @optional
    -(?)XXEncryptedMethod_d109eb;
    @end
The output is useless as it stands: every protocol and method comes back as an XXEncryptedProtocol_*/XXEncryptedMethod_* placeholder, because the binary's __TEXT segment, where the Objective-C metadata lives, is still encrypted. This encryption (FairPlay DRM) is applied by Apple when the app is distributed through the App Store, and the binary records it in an LC_ENCRYPTION_INFO load command whose cryptid field is non-zero. So before class-dump can do anything useful we need one more step: decrypt the binary.
3. Decrypt the Alipay app with Clutch
1) Download Clutch
On a jailbroken iOS 7 device Clutch is no longer available from the Cydia repositories, but we can download it from the web and push it onto the iPhone ourselves (for example over the device's SSH connection).
Link: Clutch download link
2) List the apps that can be decrypted
    root# ./Clutch
    Clutch-1.3.2
    usage: ./Clutch [flags] [application name] [...]
    Applications available:
    9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相機 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo
3) Decrypt the Alipay app
    root# ./Clutch Portal
    Clutch-1.3.2
    Cracking Portal...
    Creating working directory...
    Performing initial analysis...
    Performing cracking preflight...
    dumping binary: analyzing load commands
    dumping binary: obtaining ptrace handle
    dumping binary: forking to begin tracing
    dumping binary: successfully forked
    dumping binary: obtaining mach port
    dumping binary: preparing code resign
    dumping binary: preparing to dump
    dumping binary: ASLR enabled, identifying dump location dynamically
    dumping binary: performing dump
    dumping binary: patched cryptid
    dumping binary: writing new checksum
    Censoring iTunesMetadata.plist...
    Packaging IPA file...
    compression level: 0
    /var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa
    elapsed time: 7473ms
    Applications Cracked: Portal
    Applications that Failed:
    Total Success: 1 Total Failed: 0
The log shows how Clutch works: it does not break FairPlay itself. It launches the app so that the kernel decrypts __TEXT as usual, attaches to the process with ptrace, locates the now-plaintext segment in memory (accounting for ASLR), writes those bytes over the encrypted region in a copy of the binary, sets cryptid to 0 in the load command ("patched cryptid"), and repackages the .app as an .ipa.
4) Export the decrypted Alipay app
From the previous step we know where the decrypted ipa is: /var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa
Copy it to your workstation (e.g. with scp over SSH) for analysis.
4. class-dump the decrypted Alipay app
Unzip the .ipa, change into the 支付寶錢包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app directory, and class-dump the decrypted binary
    $ class-dump-z Portal > ~/Portal-classdump.txt
This time we get the real declarations (one payment-related controller is shown below):
    @protocol ALPNumPwdInputViewDelegate <NSObject>
    -(void)onPasswordDidChange:(id)onPassword;
    @end

    @protocol ALPContactBaseTableViewCellDelegate <NSObject>
    -(void)shareClicked:(id)clicked sender:(id)sender;
    @end

    @interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {
    @private
        Item* channelSelected;
        BOOL _bCheck;
        BOOL _bOpenMiniPay;
        BOOL _bNeedPwd;
        BOOL _bSimplePwd;
        BOOL _bAutopayon;
        BOOL _bHasSub;
        BOOL _bFirstChannel;
        BOOL _bChangeSub;
        BOOL _bClickBack;
        UITableView* _channelListTableView;
        NSMutableArray* _channelListArray;
        NSMutableArray* _subChanneSelectedlList;
        NSMutableArray* _unCheckArray;
        UIButton* _saveButton;
        UILabel* _tipLabel;
        MMPPasswordSwichView* _payWaySwitch;
        MMPPopupAlertView* _alertView;
        UIView* _setView;
        int _originalSelectedRow;
        int _currentSelectedRow;
        NSString* _statusCode;
        ChannelListModel* _defaultChannelList;
    }
    @property(assign, nonatomic) BOOL bClickBack;
    @property(retain, nonatomic) ChannelListModel* defaultChannelList;
    @property(retain, nonatomic) NSString* statusCode;
    @property(assign, nonatomic) int currentSelectedRow;
    @property(assign, nonatomic) int originalSelectedRow;
    @property(retain, nonatomic) UIView* setView;
    @property(retain, nonatomic) MMPPopupAlertView* alertView;
    @property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
    @property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
    @property(assign, nonatomic) BOOL bFirstChannel;
    @property(assign, nonatomic) BOOL bHasSub;
    @property(assign, nonatomic) BOOL bAutopayon;
    @property(assign, nonatomic) BOOL bSimplePwd;
    @property(assign, nonatomic) BOOL bNeedPwd;
    @property(assign, nonatomic) BOOL bOpenMiniPay;
    @property(assign, nonatomic) BOOL bCheck;
    @property(retain, nonatomic) UILabel* tipLabel;
    @property(retain, nonatomic) UIButton* saveButton;
    @property(retain, nonatomic) NSMutableArray* unCheckArray;
    @property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
    @property(retain, nonatomic) NSMutableArray* channelListArray;
    @property(retain, nonatomic) UITableView* channelListTableView;
    -(void).cxx_destruct;
    -(void)subChannelDidSelected:(id)subChannel;
    -(void)switchCheckButtonClicked:(id)clicked;
    -(void)checkboxButtonClicked:(id)clicked;
    -(void)onCellClick:(id)click;
    -(void)showSubChannels;
    -(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
    -(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
    -(int)tableView:(id)view numberOfRowsInSection:(int)section;
    -(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
    -(int)numberOfSectionsInTableView:(id)tableView;
    -(void)setTableViewFootView:(id)view;
    -(void)setTableViewHeaderView:(id)view;
    -(id)tableView:(id)view viewForHeaderInSection:(int)section;
    -(id)tableView:(id)view viewForFooterInSection:(int)section;
    -(float)tableView:(id)view heightForHeaderInSection:(int)section;
    -(float)tableView:(id)view heightForFooterInSection:(int)section;
    -(void)alertView:(id)view clickedButtonAtIndex:(int)index;
    -(void)clickSave;
    -(void)netWorkRequestWithPwd:(id)pwd;
    -(void)setPayWaySwitchStates:(id)states;
    -(void)changePayWaySwitch:(id)aSwitch;
    -(void)scrollToSelectedRow;
    -(void)didReceiveMemoryWarning;
    -(void)viewDidLoad;
    -(void)applicationEnterBackground:(id)background;
    -(void)dealloc;
    -(void)goBack;
    -(BOOL)isChannelsSetChanged;
    -(id)subChannelCode:(int)code;
    -(id)subChannelDesc:(int)desc;
    -(id)initWithDefaultData:(id)defaultData;
    -(id)initWithNibName:(id)nibName bundle:(id)bundle;
    -(void)commonInit:(id)init;
    @end
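Whether class-dump will return placeholders (step 2) or real declarations (step 4) is decided by a single field in the binary, the cryptid in LC_ENCRYPTION_INFO that the Clutch log reports as "patched". The following Python script is an example added here, not code from the original post nor from Clutch or class-dump-z: it walks a Mach-O's load commands (thin or fat, 32- or 64-bit) and reports the cryptid of every architecture slice, so you can check before dumping whether the binary still needs Clutch. The script name machocrypt.py is assumed; when run without a file argument it inspects minimal Mach-O images it constructs itself (test data, not Alipay's bytes).

```python
import struct
import sys

# Mach-O / fat constants, as in <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE                      # fat header fields are big-endian
LC_UUID = 0x1B
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C


def _parse_thin(blob, base=0):
    """Walk the load commands of one little-endian Mach-O image (iOS binaries are LE).

    Returns {'cputype', 'cryptid', 'cryptoff', 'cryptsize'}; cryptid stays None
    when the image carries no LC_ENCRYPTION_INFO[_64] at all.
    """
    magic, cputype = struct.unpack_from("<II", blob, base)
    if magic == MH_MAGIC:
        header_len = 28
    elif magic == MH_MAGIC_64:
        header_len = 32                     # mach_header_64 has an extra 'reserved' field
    else:
        raise ValueError("not a little-endian Mach-O image at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    info = {"cputype": cputype, "cryptid": None, "cryptoff": None, "cryptsize": None}
    off, end = base + header_len, base + header_len + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both layouts start with: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            info.update(cryptid=cryptid, cryptoff=cryptoff, cryptsize=cryptsize)
            break
        off += cmdsize
    return info


def encryption_report(blob):
    """One dict per architecture slice; a thin file yields a single-entry list."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        report = []
        for i in range(nfat):               # fat_arch: cputype, cpusubtype, offset, size, align
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            report.append(_parse_thin(blob, offset))
        return report
    return [_parse_thin(blob, 0)]


def needs_dump(blob):
    """True if any slice still has cryptid != 0: class-dump would only see XXEncrypted* names."""
    return any(s["cryptid"] not in (None, 0) for s in encryption_report(blob))


# --- constructed sample images for offline testing (not Alipay's bytes) --------

def build_thin(cryptid, is64=False):
    """Minimal Mach-O: header + LC_UUID, plus LC_ENCRYPTION_INFO[_64] unless cryptid is None."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x11" * 16
    ncmds = 1
    if cryptid is not None:
        ncmds = 2
        if is64:
            cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
        else:
            cmds += struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    if is64:   # magic, cputype, cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
        header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, ncmds, len(cmds), 0, 0)
    else:
        header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, ncmds, len(cmds), 0)
    return header + cmds


def build_fat(thins):
    """Wrap thin images in a fat (universal) container, as armv7+arm64 App Store builds ship."""
    out = struct.pack(">II", FAT_MAGIC, len(thins))
    payload, body_start = b"", 8 + 20 * len(thins)
    for thin in thins:
        cputype = struct.unpack_from("<I", thin, 4)[0]
        out += struct.pack(">IIIII", cputype, 0, body_start + len(payload), len(thin), 0)
        payload += thin
    return out + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python3 machocrypt.py Payload/Portal.app/Portal
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                   # no path given: inspect the constructed samples
        data = build_fat([build_thin(1), build_thin(0, is64=True)])
    for s in encryption_report(data):
        print("cputype=0x%08x cryptid=%s cryptoff=%s cryptsize=%s"
              % (s["cputype"], s["cryptid"], s["cryptoff"], s["cryptsize"]))
    print("still encrypted, dump it first" if needs_dump(data) else "cryptid 0 on every slice")
```

On a Mac, `otool -l Portal | grep -A4 LC_ENCRYPTION_INFO` gives the same answer for a real binary; the script is handy on Linux or inside a pipeline that processes many .ipa files. A cryptid of 0 with a non-zero cryptsize is the fingerprint of a binary that Clutch (or a similar dumper) has already been run on, and checking every slice matters because a fat binary can be decrypted for one architecture and still encrypted for the other.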
5. Analysing the Alipay code fragments
1) The @private keyword is used to restrict access to the instance variables
In practice @private buys nothing against an attacker. It is enforced only by the compiler: the ivar names, types and offsets stay in the binary's runtime metadata (which is exactly what class-dump reads), and at run time they can still be read through Key-Value Coding (valueForKey: falls back to the underlying ivar because accessInstanceVariablesDirectly defaults to YES) or directly through the Objective-C runtime API (class_getInstanceVariable / object_getIvar).
2) Long lists of member objects are exposed
This is extremely helpful for working out the program structure: ivars such as _bNeedPwd and _bSimplePwd and a method such as netWorkRequestWithPwd: point straight at where the payment-password logic lives, without reading a single line of disassembly.
6. Further questions
1) How can the class-dump output be combined with cycript to attack the app at run time?
2) Given how much class-dump-z exposes, what can a developer do to reduce the information leaked?
The next posts will take up these two questions.