AppNinja Dev Notes 5: gdb & cycript usage - cracking an AES encryption key
2015-05-19 17:53
Lessons learned: combining dynamic and static hooking raises cracking efficiency. My use of cycript still needs to go deeper.
Written by AppNinja 开发手记
Find the app's pid on the jailbroken device and attach gdb to the running process (the process is idle in mach_msg_trap, waiting for a Mach message, which is the normal place to land when attaching):
ps aux
gdb -p <pid>
Reading symbols for shared libraries + done
0x3a4f3a58 in mach_msg_trap ()
1. Set a breakpoint on the target method
(gdb) break +[AESCrypt encrypt:password:]
Breakpoint 1 at 0xce95e
2. Trigger the encryption in the app so the breakpoint fires, then read the objc_msgSend arguments out of the registers. On 32-bit ARM the first four word-sized arguments travel in r0-r3: r0 = self (here the class object AESCrypt, because this is a class method), r1 = _cmd (the SEL, a plain C string rather than an object, which is why `po` rejects it and `x/s` is needed), r2 = the first selector argument (the plaintext), r3 = the second (the password):
(gdb) po $r0
AESCrypt
(gdb) po $r1
0xd4628 does not appear to point to a valid object.
(gdb) x/s $r1
0xd4628: "encrypt:password:"
(gdb) po $r2
aefefefadfaefrefe3023232424242424242444a
(gdb) po $r3
keypassword
isEqualToString:
The prototype recovered statically in IDA confirms that layout (self, SEL, id, id). The address differs from the breakpoint because IDA shows the unslid file address while 0xce95e lies in the running, ASLR-slid process; the difference 0xc6006 is consistent with a page-aligned 0xc6000 slide plus the short prologue that `break <function>` steps past:
__text:00008958 ; id __cdecl +[AESCrypt encrypt:password:](struct AESCrypt *self, SEL, id, id)
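Automating these steps, as an added example that is not part of the original post: the script below turns a method name such as `+[AESCrypt encrypt:password:]` into a gdb command file that sets the breakpoint and prints self, _cmd and every selector argument from the register or stack slot the calling convention assigns to it. It encodes the 32-bit ARM layout used in the session above (r0-r3, then the stack); the arm64 table (x0-x7), the optional list of C types copied from an IDA prototype, the `address` option and the file name gen_bp.py are assumptions of this example.

```python
"""Generate a gdb command file that breaks on an Objective-C method and
prints each argument from the register or stack slot that holds it.

Added example, not code from the original post.  It encodes the
objc_msgSend convention seen in the gdb session: on 32-bit ARM r0 = self,
r1 = _cmd (a SEL, i.e. a C string), r2/r3 = the first two selector
arguments, further arguments on the stack.  The arm64 table is an
assumption not covered by the post.
"""
import re
import sys

# AAPCS (ARM32): word-sized args in r0-r3, the rest at [sp], [sp+4], ...
# AAPCS64 (arm64, assumed here): args in x0-x7, the rest at [sp], [sp+8], ...
ARGUMENT_REGS = {"arm32": ["r0", "r1", "r2", "r3"],
                 "arm64": ["x%d" % i for i in range(8)]}
WORD_SIZE = {"arm32": 4, "arm64": 8}

METHOD_RE = re.compile(r"^([+-])\[(\w+)\s+([\w:]+)\]$")


def parse_method(method):
    """'+[AESCrypt encrypt:password:]' -> ('+', 'AESCrypt', 'encrypt:password:')."""
    m = METHOD_RE.match(method.strip())
    if not m:
        raise ValueError("expected +[Class sel:] or -[Class sel], got %r" % method)
    return m.group(1), m.group(2), m.group(3)


def selector_keywords(selector):
    """'encrypt:password:' -> ['encrypt:', 'password:']; 'description' -> []."""
    if ":" not in selector:
        return []
    return [part + ":" for part in selector.split(":")[:-1]]


def argument_slots(method, arch="arm32"):
    """Map self, _cmd and each selector argument to the gdb expression that
    reads it when stopped at the method's entry."""
    _, _, selector = parse_method(method)
    names = ["self", "_cmd"] + [k.rstrip(":") for k in selector_keywords(selector)]
    regs, word = ARGUMENT_REGS[arch], WORD_SIZE[arch]
    slots = []
    for i, name in enumerate(names):
        if i < len(regs):
            expr = "$" + regs[i]
        else:
            # Stack args sit at $sp only before the prologue runs, which is
            # why gdb_commands() uses `break *addr` when given an address.
            offset = (i - len(regs)) * word
            expr = "*(void **)($sp+%d)" % offset if offset else "*(void **)($sp)"
        slots.append((name, expr))
    return slots


def print_command(ctype):
    """Pick the gdb command that can display a value of C type `ctype`:
    `po` only works on Objective-C objects; the SEL in r1 and C strings
    need `x/s` (as the session found); plain scalars get `p`.  Heuristic:
    any non-void, non-char pointer is treated as an object."""
    t = ctype.strip()
    if t == "SEL" or t.endswith("char *"):
        return "x/s"
    if t in ("id", "Class") or (t.endswith("*") and not t.startswith("void")):
        return "po"
    return "p"


def gdb_commands(method, arch="arm32", types=None, address=None):
    """Return the text of a gdb command file.  `types` lists the C types of
    the selector arguments (e.g. copied from an IDA prototype); missing
    entries default to `id`.  `address` switches to `break *addr`, which
    stops before the prologue so that stack-passed arguments are readable."""
    _, _, selector = parse_method(method)
    arg_types = list(types or [])
    arg_types += ["id"] * (len(selector_keywords(selector)) - len(arg_types))
    lines = ["break *0x%x" % address if address is not None else "break %s" % method,
             "commands", "  silent", '  printf "--- %s ---\\n"' % method]
    for (name, expr), ctype in zip(argument_slots(method, arch), ["id", "SEL"] + arg_types):
        lines.append('  printf "%s = "' % name)
        lines.append("  %s %s" % (print_command(ctype), expr))
    lines += ["  continue", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gen_bp.py '+[AESCrypt encrypt:password:]' > aes.gdb
    #        gdb -p <pid> -x aes.gdb
    print(gdb_commands(sys.argv[1] if len(sys.argv) > 1 else "+[AESCrypt encrypt:password:]"))
```

Run `python gen_bp.py '+[AESCrypt encrypt:password:]' > aes.gdb` and then `gdb -p <pid> -x aes.gdb`; every hit prints the arguments and continues, so the plaintext and password pairs scroll past without manual `po` typing. For methods with more than two arguments on ARM32 pass `address=` (the slid address of the method's first instruction) so the breakpoint lands before the prologue, because `break <function>` stops after it and $sp has already moved.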
cycript
1. Tutorials
http://www.iphonedevwiki.net/index.php/Cycript_Tricks
http://www.cycript.org/manual/#7061c058-5485-4c00-be7e-b67accc55796
http://www.tuicool.com/articles/Ibayy2
http://danqingdani.blog.163.com/blog/static/18609419520135193830786/
http://iphonedevwiki.net/index.php/Cycript
http://www.securitylearn.net/2013/09/12/penetration-testing-of-iphone-applications-part-6/
2. Examples
// From the Cycript Tricks wiki page linked above: dump an object's ivars,
// skipping the ones that cannot be read.
function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x; }
// List every method of a class with its selector and IMP address through the
// Objective-C runtime (cycript resolves C symbols such as class_copyMethodList
// by name, so no dlsym is needed here).
function printMethods(className) {
  var count = new new Type("I");   // allocate an unsigned int for the out-count
  var methods = class_copyMethodList(objc_getClass(className), count);
  var methodsArray = [];
  for(var i = 0; i < *count; i++) {
    var method = methods[i];
    methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
  }
  free(methods);
  free(count);
  return methodsArray;
}
// NSLog is variadic, so cycript cannot call it directly; bind it through a
// Functor whose type string is rebuilt per call ('v' return, one '@' per argument).
NSLog_ = dlsym(RTLD_DEFAULT, "NSLog")
NSLog = function() { var types = 'v', args = [], count = arguments.length; for (var i = 0; i != count; ++i) { types += '@'; args.push(arguments[i]); } new Functor(NSLog_, types).apply(null, args); }
// `w` stands for whatever object reference was obtained earlier in the session.
NSLog("w ivars: %@", tryPrintIvars(w))
cy# printMethods("NSData")
cy# printMethods("NSString")
Hooking a message (from the cycript manual): the replacement receives the receiver as `this` and reaches the original implementation through `oldm->call`. The NSLog must come before the return, otherwise it is never executed:
cy# @import com.saurik.substrate.MS
cy# var oldm = {};
cy# MS.hookMessage(NSObject, @selector(description), function() { NSLog("ok"); return oldm->call(this) + " (of doom)"; }, oldm)
cy# [new NSObject init]
#"<NSObject: 0x100203d10> (of doom)"
Hooking a C function (also from the manual): resolve the symbol, give it a C type with @encode so cycript can both call and hook it, then install the replacement; `oldf` receives a pointer to the original. The log entry shown carries a 64-bit pointer, so it appears to be the manual's OS X sample output rather than a capture from the 32-bit device used in the gdb session:
cy# @import com.saurik.substrate.MS
cy# fopen = dlsym(RTLD_DEFAULT, "fopen")
cy# fopen = @encode(void *(char *, char *))(fopen)
cy# var oldf = {}
cy# var log = []
cy# MS.hookFunction(fopen, function(path, mode) {
cy>     var file = (*oldf)(path, mode);
cy>     log.push([path, mode, file]);
cy>     return file;
cy> }, oldf)
cy# fopen("/bin/xx", "r");
cy# log
[["/etc/passwd","r",0x7fff72c14280]]
3. Testing hookFunction: redirecting a path (reuses the typed `fopen` from the previous example)
cy# @import com.saurik.substrate.MS
cy# var oldf = {}
cy# var log = []
cy# MS.hookFunction(fopen, function(path, mode) {
cy> if (path == "/etc/passwd")
cy> path = "/var/passwd-fake";
cy> var file = (*oldf)(path, mode);
cy> log.push([path, mode, file]);
cy> return file;
cy> }, oldf)
Hooking strlen makes the app crash immediately; why?
The most likely reason: strlen is called on every thread, all the time, including by the Objective-C runtime and by JavaScriptCore while the hook body itself runs (marshalling the `path` argument into a JavaScript value and appending to `log` both end up calling strlen), so the replacement re-enters itself and the JavaScript VM is entered concurrently from threads it does not own. Hooking such a hot libc primitive from cycript is not viable; hook the higher-level caller of interest instead. The attempt, with the return type corrected to unsigned long (strlen returns size_t; `int` silently truncates on 64-bit):
@import com.saurik.substrate.MS
strlen = dlsym(RTLD_DEFAULT, "strlen")
strlen = @encode(unsigned long (const char *))(strlen)
var oldstrlen = {}
var log = []
MS.hookFunction(strlen, function(path) {
  var len = (*oldstrlen)(path);
  log.push([path]);
  return len;
}, oldstrlen)
4. Testing hookMessage
The way I wrote it is wrong; shelving it for now.
Target: +[AESCrypt encrypt:password:]
The `+` in the gdb breakpoint above says this is a class method. MS.hookMessage(AESCrypt, ...) only patches instance methods of AESCrypt; a class method lives on the metaclass, so the hook has to be installed there, which object_getClass(AESCrypt) returns. With that change the hook records every (plaintext, password) pair the app passes in:
@import com.saurik.substrate.MS
var oldencrypt = {};
var log = []
// object_getClass(AESCrypt) is the metaclass, where +encrypt:password: is defined
MS.hookMessage(object_getClass(AESCrypt), @selector(encrypt:password:), function(data, key) {
  log.push([data, key]);
  return oldencrypt->call(this, data, key);
}, oldencrypt)
Exercise the app, then inspect `log` in the cycript console to read the captured passwords.