【原创】2015第2届移动安全挑战赛iOS第一题分析 by cr

【原创】2015第2届移动安全挑战赛iOS第一题分析 by cr

作者: crean | 来源:发表于2015-10-21 19:42 被阅读468次

    creantan/P.Y.G 转载请注明出处

    设备 iPhone 6 Plus。把二进制拖到 Hopper 里分析,看了下 label 列表,看到敏感方法 onClick,静态分析如下:

     -[ViewController onClick]:
    ; Prologue: r0 (self) is spilled to [sp,#0x10]; the selectors used below are
    ; resolved once here and parked in callee-saved registers / stack slots:
    ;   [sp,#0x1c] = decrypt:password:   [sp,#0x18] = originalMessage
    ;   [sp,#0x14] = decrypt             r8 = setCodedMessage:
    ;   r10 = initWithCipherKey:         r4 = alloc
    ;   r6  = the base64 ciphertext CFString, r11 = loop counter (5)
    0000b6a0         push       {r4, r5, r6, r7, lr}                                ; Objective C Implementation defined at 0x1cd38 (instance)
    0000b6a2         add        r7, sp, #0xc
    0000b6a4         push.w     {r8, r10, r11}
    0000b6a8         sub        sp, #0x20
    0000b6aa         str        r0, [sp, #0x10]
    0000b6ac         movw       r0, #0x355c
    0000b6b0         movt       r0, #0x1
    0000b6b4         movw       r1, #0x354e
    0000b6b8         movt       r1, #0x1
    0000b6bc         movw       r2, #0x3528
    0000b6c0         movt       r2, #0x1
    0000b6c4         movw       r3, #0x3534
    0000b6c8         add        r0, pc                                              ; @selector(decrypt:password:)
    0000b6ca         movt       r3, #0x1
    0000b6ce         movw       r5, #0x352c
    0000b6d2         add        r1, pc                                              ; @selector(originalMessage)
    0000b6d4         movt       r5, #0x1
    0000b6d8         movw       r6, #0x10e4
    0000b6dc         ldr        r0, [r0]                                            ; @selector(decrypt:password:)
    0000b6de         movt       r6, #0x1
    0000b6e2         str        r0, [sp, #0x1c]
    0000b6e4         add        r3, pc                                              ; @selector(setCodedMessage:)
    0000b6e6         ldr        r0, [r1]                                            ; @selector(originalMessage)
    0000b6e8         add        r5, pc                                              ; @selector(initWithCipherKey:)
    0000b6ea         str        r0, [sp, #0x18]
    0000b6ec         movw       r0, #0x343a
    0000b6f0         movt       r0, #0x1
    0000b6f4         add        r2, pc                                              ; @selector(decrypt)
    0000b6f6         add        r0, pc                                              ; @selector(alloc)
    0000b6f8         ldr.w      r8, [r3]                                            ; @selector(setCodedMessage:)
    0000b6fc         ldr.w      r10, [r5]                                           ; @selector(initWithCipherKey:)
    0000b700         add        r6, pc                                              ; @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
    0000b702         ldr        r4, [r0]                                            ; @selector(alloc)
    0000b704         mov.w      r11, #0x5
    0000b708         ldr        r1, [r2]                                            ; @selector(decrypt)
    0000b70a         str        r1, [sp, #0x14]
    
    ; Decrypt loop (0xb70c..0xb768), runs while r11 > 0 after the decrement, i.e.
    ; five rounds with Caesar keys 4, 3, 2, 1, 0. Per round:
    ;   model = [[Ceasar_CipherModel alloc] initWithCipherKey:r11]
    ;   [model setCodedMessage:r6]; [model decrypt]; r2 = [model originalMessage]
    ;   r6 = [AESCrypt decrypt:r2 password:r3]   (r3 = constant key CFString)
    ; so r6 carries the AES output into the next round as its coded message.
    ; Both the ciphertext and the AES password are CFString constants in the
    ; binary, which is why the whole chain can be replayed offline (see the
    ; reconstruction below); a key embedded in the client hides nothing.
    0000b70c         movw       r0, #0x38c2                                         ; XREF=-[ViewController onClick]+200
    0000b710         mov        r1, r4                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b712         movt       r0, #0x1
    0000b716         add        r0, pc                                              ; objc_cls_ref_Ceasar_CipherModel
    0000b718         ldr        r0, [r0]                                            ; objc_cls_ref_Ceasar_CipherModel, argument #1 for method imp___symbolstub1__objc_msgSend
    0000b71a         blx        imp___symbolstub1__objc_msgSend
    0000b71e         sub.w      r11, r11, #0x1   ------>设置ceasar_cipher model 的cipherKey,循环5次解密4,3,2,1,0
    0000b722         mov        r1, r10                                             ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b724         mov        r2, r11
    0000b726         blx        imp___symbolstub1__objc_msgSend
    0000b72a         mov        r5, r0       
    0000b72c         mov        r1, r8    ------------>设置setCodedMessage           ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b72e         mov        r2, r6
    0000b730         blx        imp___symbolstub1__objc_msgSend
    0000b734         ldr        r1, [sp, #0x14]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b736         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
    0000b738         blx        imp___symbolstub1__objc_msgSend
    0000b73c         ldr        r1, [sp, #0x18]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b73e         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
    0000b740         blx        imp___symbolstub1__objc_msgSend
    0000b744         mov        r2, r0  ---->凯撒解密后的字符串用作aes解密
    0000b746         movw       r0, #0x388c
    0000b74a         movt       r0, #0x1
    0000b74e         ldr        r1, [sp, #0x1c]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b750         add        r0, pc                                              ; objc_cls_ref_AESCrypt
    0000b752         ldr        r0, [r0]                                            ; objc_cls_ref_AESCrypt, argument #1 for method imp___symbolstub1__objc_msgSend
    0000b754         movw       r3, #0x1098
    0000b758         movt       r3, #0x1
    0000b75c         add        r3, pc            --->aes解密秘钥                     ; @"ZGlhb2RhX2ppYW5rYW5nCg=="
    0000b75e         blx        imp___symbolstub1__objc_msgSend  ---->对凯撒解密后的数据进行aes解密
    0000b762         mov        r6, r0
    0000b764         cmp.w      r11, #0x0   ------>循环  5次
    0000b768         bgt        0xb70c
    
    ; After the loop r6 holds the final plaintext NSString. Fetch
    ; self.textFeild.text (r8 = self reloaded from [sp,#0x10]) and take
    ; -UTF8String of both: r4 = user input bytes, r5 = expected bytes.
    0000b76a         movw       r0, #0x346c
    0000b76e         mov        r10, r4
    0000b770         movt       r0, #0x1
    0000b774         ldr.w      r8, [sp, #0x10]
    0000b778         add        r0, pc                                              ; @selector(textFeild)
    0000b77a         ldr        r1, [r0]                                            ; @selector(textFeild), argument #2 for method imp___symbolstub1__objc_msgSend
    0000b77c         mov        r0, r8                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
    0000b77e         blx        imp___symbolstub1__objc_msgSend
    0000b782         movw       r1, #0x349e
    0000b786         movt       r1, #0x1
    0000b78a         add        r1, pc                                              ; @selector(text)
    0000b78c         ldr        r1, [r1]                                            ; @selector(text), argument #2 for method imp___symbolstub1__objc_msgSend
    0000b78e         blx        imp___symbolstub1__objc_msgSend
    0000b792         movw       r1, #0x3492
    0000b796         movt       r1, #0x1
    0000b79a         add        r1, pc                                              ; @selector(UTF8String)
    0000b79c         ldr        r5, [r1]                                            ; @selector(UTF8String)
    0000b79e         mov        r1, r5                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b7a0         blx        imp___symbolstub1__objc_msgSend
    0000b7a4         mov        r4, r0
    0000b7a6         mov        r0, r6                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
    0000b7a8         mov        r1, r5                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b7aa         blx        imp___symbolstub1__objc_msgSend
    0000b7ae         mov        r5, r0
    ; Hand-rolled byte compare of expected (r5) against input (r4), r6 = index.
    ; It reports a match (r4 = 1 at 0xb7d6) as soon as the expected string is
    ; exhausted -- first byte NUL, or r6 >= strlen(expected) -- without checking
    ; that the input also ends there, so the input is only prefix-checked; an
    ; empty expected string would match any input. strlen() is re-evaluated on
    ; every iteration (0xb7c0), and the loop exits at the first differing byte.
    0000b7b0         ldrb       r0, [r5]                                            ; "UTF8String"
    0000b7b2         cmp        r0, #0x0
    0000b7b4         beq        0xb7d6
    
    0000b7b6         ldrb       r1, [r4]
    0000b7b8         cmp        r1, r0
    0000b7ba         bne        0xb7d2
    
    0000b7bc         movs       r6, #0x1
    
    0000b7be         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__strlen, XREF=-[ViewController onClick]+304
    0000b7c0         blx        imp___symbolstub1__strlen
    0000b7c4         cmp        r6, r0
    0000b7c6         bhs        0xb7d6
    
    0000b7c8         ldrb       r0, [r5, r6]
    0000b7ca         ldrb       r1, [r4, r6]
    0000b7cc         adds       r6, #0x1
    0000b7ce         cmp        r1, r0
    0000b7d0         beq        0xb7be
    
    ; r4 = 0: mismatch
    0000b7d2         movs       r4, #0x0                                            ; XREF=-[ViewController onClick]+282
    0000b7d4         b          0xb7d8
    
    ; r4 = 1: match
    0000b7d6         movs       r4, #0x1                                            ; XREF=-[ViewController onClick]+276, -[ViewController onClick]+294
    
    ; [[UIAlertView alloc] initWithTitle:@"" message:r3 delegate:self
    ;   cancelButtonTitle:... otherButtonTitles:nil]; r3 is chosen by r4 == 1
    ; (0xb80e success text) vs. anything else (0xb81a failure text).
    0000b7d8         movw       r0, #0x37fe                                         ; XREF=-[ViewController onClick]+308
    0000b7dc         mov        r1, r10                                             ; argument #2 for method imp___symbolstub1__objc_msgSend
    0000b7de         movt       r0, #0x1
    0000b7e2         add        r0, pc                                              ; objc_cls_ref_UIAlertView
    0000b7e4         ldr        r0, [r0]                                            ; objc_cls_ref_UIAlertView, argument #1 for method imp___symbolstub1__objc_msgSend
    0000b7e6         blx        imp___symbolstub1__objc_msgSend
    0000b7ea         movw       r1, #0x3438
    0000b7ee         cmp        r4, #0x1
    0000b7f0         movt       r1, #0x1
    0000b7f4         movw       r6, #0x1022
    0000b7f8         add        r1, pc                                              ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
    0000b7fa         movt       r6, #0x1
    0000b7fe         movw       r2, #0xffa
    0000b802         add        r6, pc                                              ; cfstring__S_m
    0000b804         movt       r2, #0x1
    0000b808         ldr        r1, [r1]                                            ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
    0000b80a         add        r2, pc                                              ; @""
    0000b80c         bne        0xb81a
    
    0000b80e         movw       r3, #0xffe
    0000b812         movt       r3, #0x1
    0000b816         add        r3, pc                                              ; cfstring____xcknx___b_R__eQ__
    0000b818         b          0xb824
    
    0000b81a         movw       r3, #0x1022                                         ; XREF=-[ViewController onClick]+364
    0000b81e         movt       r3, #0x1
    0000b822         add        r3, pc                                              ; cfstring____x______
    
    0000b824         movw       r5, #0x1002                                         ; XREF=-[ViewController onClick]+376
    0000b828         movs       r4, #0x0
    0000b82a         movt       r5, #0x1
    0000b82e         str.w      r8, [sp]
    0000b832         add        r5, pc                                              ; cfstring_nx__
    0000b834         str        r6, [sp, #0x4]
    0000b836         str        r5, [sp, #0x8]
    0000b838         str        r4, [sp, #0xc]
    0000b83a         blx        imp___symbolstub1__objc_msgSend
    ; Epilogue: r1 = @selector(show), frame torn down, then b.w 0x179c0 --
    ; presumably a tail call through objc_msgSend for [alert show]; the branch
    ; target is outside this listing, so confirm in the binary.
    0000b83e         movw       r1, #0x33ee
    0000b842         movt       r1, #0x1
    0000b846         add        r1, pc                                              ; @selector(show)
    0000b848         ldr        r1, [r1]                                            ; @selector(show)
    0000b84a         add        sp, #0x20
    0000b84c         pop.w      {r8, r10, r11}
    0000b850         pop.w      {r4, r5, r6, r7, lr}
    0000b854         b.w        0x179c0
                            ; endp
    
    

    用到的加密方式: 凯撒加密、AES

    还原代码如下:

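    // Reconstruction of -[ViewController onClick] from the listing above.
    // Both the ciphertext and the AES password are CFString constants in the
    // binary, so the whole decrypt chain can be replayed offline; a key
    // embedded in the client hides nothing from anyone holding the app.
    NSString* data = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
    NSString* password = @"ZGlhb2RhX2ppYW5rYW5nCg==";
    // r11 starts at 5 and is decremented before each round (sub.w at 0xb71e),
    // so the Caesar keys used are 4, 3, 2, 1, 0 -- five rounds in total.
    int times = 5;
    do{
        times--;
        // The binary calls -initWithCipherKey: directly (0xb722..0xb726); no
        // setCipherKey: selector appears in the listing, so -init followed by
        // a cipherKey setter is not what the app does.
        Ceasar_CipherModel* model = [[Ceasar_CipherModel alloc] initWithCipherKey:times];
        model.codedMessage = data;
        [model decrypt];
        // The Caesar output (-originalMessage) is the input of
        // +[AESCrypt decrypt:password:], whose result feeds the next round.
        data = [AESCrypt decrypt:model.originalMessage password:password];
    }while (times > 0);
    NSLog(@"result : %@",data);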
    
    第一次: hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
    第二次: e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
    第三次: 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
    第四次: QNEcNAUUYKq5mMZJTh3J5w==
    第五次: Sp4rkDr0idKit
    

    最终结果为:

    Sp4rkDr0idKit
    
