
iOS Security Attack and Defense: Removing the Mandatory Avatar Requirement from Momo Registration

2016-10-14 13:34, 363 views

Background

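This article is for study and research only; do not use it for illegal activities.
The official Momo registration flow requires an avatar, birthday, hometown, gender and so on. Without them you cannot proceed to the next step.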



Preparation

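1. A jailbroken device with SSH, Cycript (a JavaScript-like debugging script language), usbmuxd (a tool for connecting to the device quickly), ps (lists running processes), class-dump and similar tools installed.
2. A decrypted copy of Momo installed (decryption is not covered in this article; see my article on decrypting apps).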

Steps

1. Log in to the device through SSH and usbmuxd

# Forward local ports over USB (2222 -> device port 22 for SSH, 3333 -> device port 1234)
iproxy 2222 22 &
iproxy 3333 1234 &
ssh root@localhost -p 2222


2. Kill all background apps, open only Momo's registration page, and use the ps command to find the name of the running Momo process

ps -e | grep var


Output:

349 ??         0:00.15 /usr/libexec/pkd -d/var/db/PlugInKit-Annotations
411 ??         0:00.27 /private/var/db/stash/_.4Ld9lT/Applications/MobileSafari.app/webbookmarksd
706 ??         0:00.84 /private/var/db/stash/_.4Ld9lT/Applications/Stocks.app/PlugIns/StocksWidget.appex/StocksWidget
709 ??         0:00.38 /private/var/db/stash/_.4Ld9lT/Applications/MobileCal.app/PlugIns/CalendarWidget.appex/CalendarWidget
873 ??         0:04.67 /var/mobile/Containers/Bundle/Application/6B906921-18FE-47EE-8D18-E1393E2A34DA/MomoChat.app/MomoChat
882 ttys000    0:00.01 grep var


The MomoChat process is in the list; this is the Momo app we want to hook.

3. Attach to MomoChat with Cycript

cycript -p MomoChat

4. Use a Cycript command to get the view controller of the page currently on screen

cy# [[[UIWindow keyWindow]rootViewController] _printHierarchy].toString()
`, state: disappeared, view:  not in the window
| , state: disappeared, view:  not in the window
|    | , state: disappeared, view:  not in the window
+ , state: appeared, view: , presented with: <_UIFullscreenPresentationController 0x76c0f00>
|    | , state: disappeared, view:  not in the window
|    | , state: appeared, view: `
cy#


The output shows that the only view controller with state: appeared is MDRegisterProfileViewController, so this is the page we want to hook.

5. Export the header files with class-dump

class-dump -H -o /Users/gjz/Downloads/PP\ 下载/应用/陌陌-7.0.7\(越狱应用\)/header /Users/gjz/Downloads/PP\ 下载/应用/陌陌-7.0.7\(越狱应用\)/Payload/MomoChat.app/MomoChat


6. The exported header for this class reads:

@interface MDRegisterProfileViewController : MDRegisterBaseViewController
{
MUButton *_avatarBtn;
UITableView *_myTableView;
UIView *_tableHeaderView;
UILabel *_birthLabel;
UILabel *_genderLabel;
UILabel *_homeLabel;
UIImageView *_avatarFrmView;
UIImageView *_avatarView;
UIDatePicker *_birthDatePicker;
MDLighthouseSelectedSitePicker *_sitePicker;
MDExtendSite *_homeTownSite;
long long _currentIndex;
double _moveHeight;
}

@property(nonatomic) double moveHeight; // @synthesize moveHeight=_moveHeight;
@property(nonatomic) long long currentIndex; // @synthesize currentIndex=_currentIndex;
@property(retain, nonatomic) MDExtendSite *homeTownSite; // @synthesize homeTownSite=_homeTownSite;
@property(retain, nonatomic) MDLighthouseSelectedSitePicker *sitePicker; // @synthesize sitePicker=_sitePicker;
@property(retain, nonatomic) UIDatePicker *birthDatePicker; // @synthesize birthDatePicker=_birthDatePicker;
@property(retain, nonatomic) UIImageView *avatarView; // @synthesize avatarView=_avatarView;
@property(retain, nonatomic) UIImageView *avatarFrmView; // @synthesize avatarFrmView=_avatarFrmView;
@property(retain, nonatomic) UILabel *homeLabel; // @synthesize homeLabel=_homeLabel;
@property(retain, nonatomic) UILabel *genderLabel; // @synthesize genderLabel=_genderLabel;
@property(retain, nonatomic) UILabel *birthLabel; // @synthesize birthLabel=_birthLabel;
@property(retain, nonatomic) UIView *tableHeaderView; // @synthesize tableHeaderView=_tableHeaderView;
@property(retain, nonatomic) UITableView *myTableView; // @synthesize myTableView=_myTableView;
@property(retain, nonatomic) MUButton *avatarBtn; // @synthesize avatarBtn=_avatarBtn;
- (void)next:(id)arg1;
- (void)selectedSitePickerDidStartHidingAnimation:(id)arg1;
- (void)selectedSitePicker:(id)arg1 didSelectedWithFirstItem:(id)arg2 secondItem:(id)arg3 selectedFirstRow:(long long)arg4 secondRow:(long long)arg5;
- (void)showSitePicker;
- (void)configSitePicker;
- (void)imagePickerController:(id)arg1 didFinishPickingImage:(id)arg2 editingInfo:(id)arg3;
- (void)imagePickerController:(id)arg1 didFinishPickingMediaWithInfo:(id)arg2;
- (void)tableView:(id)arg1 didSelectRowAtIndexPath:(id)arg2;
- (void)refreshCell:(id)arg1 atRow:(long long)arg2;
- (id)tableView:(id)arg1 cellForRowAtIndexPath:(id)arg2;
- (long long)tableView:(id)arg1 numberOfRowsInSection:(long long)arg2;
- (double)tableView:(id)arg1 heightForFooterInSection:(long long)arg2;
- (double)tableView:(id)arg1 heightForHeaderInSection:(long long)arg2;
- (double)tableView:(id)arg1 heightForRowAtIndexPath:(id)arg2;
- (void)didTouchedMaskView:(id)arg1;
- (id)birthTitleWithDate:(id)arg1;
- (void)showGenderActionSheet;
- (void)removeDatePicker;
- (void)showDatePicker;
- (void)setHome;
- (void)setGender;
- (void)setBirthday;
- (void)setAvatarImage:(id)arg1;
- (void)datePickerValueChanged:(id)arg1;
- (void)takePhoto;
- (void)pickImage;
- (void)selectGenderSheetIndex:(long long)arg1;
- (void)selectPhotoSheetIndex:(long long)arg1;
- (void)actionSheet:(id)arg1 clickedButtonAtIndex:(long long)arg2;
- (void)didClickSelecteAvatar:(id)arg1;
- (_Bool)nextBtnSelectedFirstLoaded;
- (_Bool)rightBarItemSelected;
- (void)removeAndSafeReleaseSubViews;
- (id)tableFooterView;
- (void)initTableView;
- (void)configureSubViews;
- (void)didReceiveMemoryWarning;
- (void)viewDidLoad;
- (void)dealloc;
- (id)initWithNibName:(id)arg1 bundle:(id)arg2;


This class has no method that enables the next step. Note that MDRegisterProfileViewController inherits from MDRegisterBaseViewController:

@interface MDRegisterBaseViewController : MDViewController
{
MBProgressHUD *_hud;
int _registerSource;
id  _delegate;
MDRegisterUserModel *_registerUser;
NSString *_mainTitle;
UILabel *_titleLabel;
MUButton *_nextStepBtn;
UIView *_contentView;
}

@property(retain, nonatomic) UIView *contentView; // @synthesize contentView=_contentView;
@property(retain, nonatomic) MUButton *nextStepBtn; // @synthesize nextStepBtn=_nextStepBtn;
@property(retain, nonatomic) UILabel *titleLabel; // @synthesize titleLabel=_titleLabel;
@property(retain, nonatomic) NSString *mainTitle; // @synthesize mainTitle=_mainTitle;
@property(readonly, retain, nonatomic) MDRegisterUserModel *registerUser; // @synthesize registerUser=_registerUser;
@property(nonatomic) id  delegate; // @synthesize delegate=_delegate;
@property(nonatomic) int registerSource; // @synthesize registerSource=_registerSource;
- (_Bool)gestureRecognizer:(id)arg1 shouldReceiveTouch:(id)arg2;
- (void)removeHud;
- (void)showHud;
- (void)didTapView;
- (void)removeAndSafeReleaseSubViews;
- (void)configureSubViews;
- (void)configureNavBar;
- (void)downMoveView:(double)arg1;
- (void)upMoveView:(double)arg1;
- (void)enableNextBtn:(_Bool)arg1;
- (void)next:(id)arg1;
- (void)back:(id)arg1;
- (void)resignAllFirstResponder;
- (void)didReceiveMemoryWarning;
- (void)viewDidUnload;
- (void)viewWillAppear:(_Bool)arg1;
- (void)viewDidLoad;
- (void)dealloc;
- (id)initWithNibName:(id)arg1 bundle:(id)arg2;
- (id)initWithRegisterUser:(id)arg1 andDelegate:(id)arg2 title:(id)arg3;
- (id)initWithRegisterUser:(id)arg1 andDelegate:(id)arg2 title:(id)arg3 registerSource:(int)arg4;
- (id)initWithRegisterUser:(id)arg1 andDelegate:(id)arg2;

// Remaining properties
@property(readonly, copy) NSString *debugDescription;
@property(readonly, copy) NSString *description;
@property(readonly) unsigned long long hash;
@property(readonly) Class superclass;

@end


It contains this method:

- (void)enableNextBtn:(_Bool)arg1;

Calling this method from Cycript makes the next-step button usable:

[#0x7659ce0 enableNextBtn:YES]





7. Write the Theos tweak

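%hook MDRegisterProfileViewController

// enableNextBtn: is inherited from MDRegisterBaseViewController.
// Always pass YES so the next-step button stays enabled.
- (void)enableNextBtn:(_Bool)arg1 {
    %orig(YES);
}

%end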
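
From the defender's side, an app can check whether a method such as enableNextBtn: still resolves to code inside its own binary. This is an added example, not code from the original article or from Momo; the helper names are hypothetical and it assumes the class is compiled into the app's main executable.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Hypothetical helper: returns YES when the implementation currently bound to
// -[cls sel] lives in the same Mach-O image as this function, i.e. in the
// app's own executable rather than in an injected dylib.
static BOOL ExampleIMPIsInOwnImage(Class cls, SEL sel) {
    // class_getInstanceMethod also searches superclasses, so it resolves
    // enableNextBtn: whether it is found on the subclass or on the base class.
    Method method = class_getInstanceMethod(cls, sel);
    if (method == NULL) {
        return NO;
    }
    IMP imp = method_getImplementation(method);

    Dl_info impInfo;
    Dl_info selfInfo;
    if (dladdr((const void *)imp, &impInfo) == 0) {
        // The address is not inside any loaded image (for example a
        // trampoline in anonymous memory): treat it as replaced.
        return NO;
    }
    if (dladdr((const void *)&ExampleIMPIsInOwnImage, &selfInfo) == 0) {
        return NO;
    }
    // Same image base address means the code belongs to the app's binary.
    return impInfo.dli_fbase == selfInfo.dli_fbase;
}

// Hypothetical call site: run before trusting the state of the next-step button.
static BOOL ExampleRegisterFlowIsUntampered(void) {
    Class cls = NSClassFromString(@"MDRegisterProfileViewController");
    SEL sel = NSSelectorFromString(@"enableNextBtn:");
    return cls != Nil && ExampleIMPIsInOwnImage(cls, sel);
}
```

A check like this can itself be hooked on a jailbroken device, so it only raises the cost of tampering. Required profile fields also need to be validated by the registration server.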


Summary:

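When analysing an app, do not search blindly. Start from the relevant screen and follow the trail step by step toward the target, and think about how the developer is likely to have structured the code; this can get you twice the result for half the effort.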