2015第2届移动安全挑战赛iOS第一题分析
本帖最后由 creantan 于 2015-11-3 16:14 编辑creantan/P.Y.G 转载请注明出处
拖到 Hopper 里分析,看了下 label 列表,看到敏感方法 onClick,静态分析如下:
; -onClick as shown by Hopper (ARM Thumb-2). The forum extraction stripped every
; bracketed memory operand, so "str r0," / "ldr r0," / "ldrb r0," below have lost
; their [reg, #off] part; register roles are inferred from the surviving moves.
; Flow: (1) five rounds of Caesar-then-AES decryption of a string literal that is
; embedded in the binary, (2) byte-by-byte comparison of the text field contents
; against that decrypted string, (3) a UIAlertView whose message depends on the
; compare result. Ciphertext, Caesar shifts and the AES password are all
; compile-time constants, so the expected input is recoverable offline from the
; binary alone — a purely client-side check like this protects nothing.
0000b6a0 push {r4, r5, r6, r7, lr} ; Objective C Implementation defined at 0x1cd38 (instance)
0000b6a2 add r7, sp, #0xc
0000b6a4 push.w {r8, r10, r11}
0000b6a8 sub sp, #0x20
0000b6aa str r0, ; stash self (r0) on the stack; reloaded into r8 at 0xb774 (presumably the same slot)
0000b6ac movw r0, #0x355c
0000b6b0 movt r0, #0x1
0000b6b4 movw r1, #0x354e
0000b6b8 movt r1, #0x1
0000b6bc movw r2, #0x3528
0000b6c0 movt r2, #0x1
0000b6c4 movw r3, #0x3534
0000b6c8 add r0, pc ; @selector(decrypt:password:)
0000b6ca movt r3, #0x1
0000b6ce movw r5, #0x352c
0000b6d2 add r1, pc ; @selector(originalMessage)
0000b6d4 movt r5, #0x1
0000b6d8 movw r6, #0x10e4
0000b6dc ldr r0, ; @selector(decrypt:password:)
0000b6de movt r6, #0x1
0000b6e2 str r0, ; spill @selector(decrypt:password:) to a stack slot for use inside the loop
0000b6e4 add r3, pc ; @selector(setCodedMessage:)
0000b6e6 ldr r0, ; @selector(originalMessage)
0000b6e8 add r5, pc ; @selector(initWithCipherKey:)
0000b6ea str r0, ; spill @selector(originalMessage)
0000b6ec movw r0, #0x343a
0000b6f0 movt r0, #0x1
0000b6f4 add r2, pc ; @selector(decrypt)
0000b6f6 add r0, pc ; @selector(alloc)
0000b6f8 ldr.w r8, ; @selector(setCodedMessage:)
0000b6fc ldr.w r10, ; @selector(initWithCipherKey:)
0000b700 add r6, pc ; @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
; ^ r6 = the embedded ciphertext literal; it is the first round's codedMessage (see 0xb72e) and is
;   overwritten with each round's AES output at 0xb762.
0000b702 ldr r4, ; @selector(alloc)
0000b704 mov.w r11, #0x5 ; r11 = round counter, five rounds in total
0000b708 ldr r1, ; @selector(decrypt)
0000b70a str r1, ; spill @selector(decrypt)
0000b70c movw r0, #0x38c2 ; XREF=-+200
; ^ loop head: re-entered from the bgt at 0xb768
0000b710 mov r1, r4 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b712 movt r0, #0x1
0000b716 add r0, pc ; objc_cls_ref_Ceasar_CipherModel
0000b718 ldr r0, ; objc_cls_ref_Ceasar_CipherModel, argument #1 for method imp___symbolstub1__objc_msgSend
0000b71a blx imp___symbolstub1__objc_msgSend ; [Ceasar_CipherModel alloc]
0000b71e sub.w r11, r11, #0x1 ------>设置ceasar_cipher model 的cipherKey,循环5次解密4,3,2,1,0 ; r11-- : the cipherKey for this round is 4,3,2,1,0 across the five rounds
0000b722 mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b724 mov r2, r11
0000b726 blx imp___symbolstub1__objc_msgSend ; [obj initWithCipherKey:r11]
0000b72a mov r5, r0 ; r5 = the Ceasar_CipherModel instance
0000b72c mov r1, r8 ------------>设置setCodedMessage ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b72e mov r2, r6
0000b730 blx imp___symbolstub1__objc_msgSend ; [model setCodedMessage:r6] (r6 = ciphertext literal or previous AES output)
0000b734 ldr r1, ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b736 mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b738 blx imp___symbolstub1__objc_msgSend ; presumably [model decrypt] (selector spilled at 0xb70a)
0000b73c ldr r1, ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b73e mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b740 blx imp___symbolstub1__objc_msgSend ; presumably [model originalMessage] (selector spilled at 0xb6ea)
0000b744 mov r2, r0---->凯撒解密后的字符串用作aes解密 ; r2 = Caesar plaintext, becomes the AES input
0000b746 movw r0, #0x388c
0000b74a movt r0, #0x1
0000b74e ldr r1, ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b750 add r0, pc ; objc_cls_ref_AESCrypt
0000b752 ldr r0, ; objc_cls_ref_AESCrypt, argument #1 for method imp___symbolstub1__objc_msgSend
0000b754 movw r3, #0x1098
0000b758 movt r3, #0x1
0000b75c add r3, pc --->aes解密秘钥 ; @"ZGlhb2RhX2ppYW5rYW5nCg=="
; ^ r3 = the AES password, a string literal in the binary (same key every round)
0000b75e blx imp___symbolstub1__objc_msgSend---->对凯撒解密后的数据进行aes解密 ; [AESCrypt decrypt:r2 password:r3] (selector spilled at 0xb6e2)
0000b762 mov r6, r0 ; r6 = AES output; fed back as the next round's codedMessage, and is the final expected string after round 5
0000b764 cmp.w r11, #0x0 ------>循环5次 ; loop while r11 > 0 (five rounds)
0000b768 bgt 0xb70c
0000b76a movw r0, #0x346c
0000b76e mov r10, r4 ; r10 = @selector(alloc), reused for UIAlertView below
0000b770 movt r0, #0x1
0000b774 ldr.w r8, ; r8 = self, reloaded from the slot written at 0xb6aa (presumably)
0000b778 add r0, pc ; @selector(textFeild)
0000b77a ldr r1, ; @selector(textFeild), argument #2 for method imp___symbolstub1__objc_msgSend
0000b77c mov r0, r8 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b77e blx imp___symbolstub1__objc_msgSend ; [self textFeild] (selector spelled this way in the binary)
0000b782 movw r1, #0x349e
0000b786 movt r1, #0x1
0000b78a add r1, pc ; @selector(text)
0000b78c ldr r1, ; @selector(text), argument #2 for method imp___symbolstub1__objc_msgSend
0000b78e blx imp___symbolstub1__objc_msgSend ; [textField text] — the user-controlled input
0000b792 movw r1, #0x3492
0000b796 movt r1, #0x1
0000b79a add r1, pc ; @selector(UTF8String)
0000b79c ldr r5, ; @selector(UTF8String)
0000b79e mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7a0 blx imp___symbolstub1__objc_msgSend
0000b7a4 mov r4, r0 ; r4 = char* of the user input
0000b7a6 mov r0, r6 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b7a8 mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7aa blx imp___symbolstub1__objc_msgSend
0000b7ae mov r5, r0 ; r5 = char* of the decrypted expected string
; Hand-rolled string compare, 0xb7b0..0xb7d6. Exact operands were stripped, so which
; pointer each ldrb reads is not visible here; from the surviving structure:
;   - a zero first byte short-circuits to the "match" exit at 0xb7d6,
;   - the loop stops once the index reaches strlen(r5) and then reports a match,
;     without checking that the other string ended there too. If r4 is the
;     operand compared against, a longer input sharing the prefix would pass —
;     worth confirming against the full operands in Hopper.
0000b7b0 ldrb r0, ; "UTF8String"
0000b7b2 cmp r0, #0x0
0000b7b4 beq 0xb7d6 ; empty first byte -> match exit
0000b7b6 ldrb r1,
0000b7b8 cmp r1, r0
0000b7ba bne 0xb7d2 ; first bytes differ -> mismatch exit
0000b7bc movs r6, #0x1 ; r6 = byte index, starting at 1
0000b7be mov r0, r5 ; argument #1 for method imp___symbolstub1__strlen, XREF=-+304
0000b7c0 blx imp___symbolstub1__strlen ; strlen(r5) recomputed on every iteration
0000b7c4 cmp r6, r0
0000b7c6 bhs 0xb7d6 ; index >= strlen(r5) -> match exit
0000b7c8 ldrb r0,
0000b7ca ldrb r1,
0000b7cc adds r6, #0x1
0000b7ce cmp r1, r0
0000b7d0 beq 0xb7be ; bytes equal -> next index
0000b7d2 movs r4, #0x0 ; XREF=-+282
; ^ r4 = 0 : mismatch
0000b7d4 b 0xb7d8
0000b7d6 movs r4, #0x1 ; XREF=-+276, -+294
; ^ r4 = 1 : match
0000b7d8 movw r0, #0x37fe ; XREF=-+308
0000b7dc mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7de movt r0, #0x1
0000b7e2 add r0, pc ; objc_cls_ref_UIAlertView
0000b7e4 ldr r0, ; objc_cls_ref_UIAlertView, argument #1 for method imp___symbolstub1__objc_msgSend
0000b7e6 blx imp___symbolstub1__objc_msgSend ; [UIAlertView alloc]
0000b7ea movw r1, #0x3438
0000b7ee cmp r4, #0x1 ; select the alert message from the compare result
0000b7f0 movt r1, #0x1
0000b7f4 movw r6, #0x1022
0000b7f8 add r1, pc ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b7fa movt r6, #0x1
0000b7fe movw r2, #0xffa
0000b802 add r6, pc ; cfstring__S_m
0000b804 movt r2, #0x1
0000b808 ldr r1, ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b80a add r2, pc ; @""
0000b80c bne 0xb81a ; r4 != 1 -> mismatch message
0000b80e movw r3, #0xffe
0000b812 movt r3, #0x1
0000b816 add r3, pc ; cfstring____xcknx___b_R__eQ__
; ^ r3 = message shown on match
0000b818 b 0xb824
0000b81a movw r3, #0x1022 ; XREF=-+364
0000b81e movt r3, #0x1
0000b822 add r3, pc ; cfstring____x______
; ^ r3 = message shown on mismatch
0000b824 movw r5, #0x1002 ; XREF=-+376
0000b828 movs r4, #0x0
0000b82a movt r5, #0x1
0000b82e str.w r8, ; delegate = self
0000b832 add r5, pc ; cfstring_nx__
0000b834 str r6,
0000b836 str r5, ; cancelButtonTitle
0000b838 str r4, ; otherButtonTitles = nil terminator
0000b83a blx imp___symbolstub1__objc_msgSend ; [alert initWithTitle:@"" message:r3 delegate:self cancelButtonTitle:... otherButtonTitles:nil]
0000b83e movw r1, #0x33ee
0000b842 movt r1, #0x1
0000b846 add r1, pc ; @selector(show)
0000b848 ldr r1, ; @selector(show)
0000b84a add sp, #0x20
0000b84c pop.w {r8, r10, r11}
0000b850 pop.w {r4, r5, r6, r7, lr}
0000b854 b.w 0x179c0 ; tail call with r1 = @selector(show) — presumably the objc_msgSend stub, i.e. [alert show]
; endp
用到的加密方式:凯撒加密、AES
还原代码如下:
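// Reconstruction of the check in -onClick (see the listing above). The forum
// extraction stripped every bracketed message send; they are restored here from
// the selectors visible in the disassembly (alloc, initWithCipherKey:,
// setCodedMessage:, decrypt, originalMessage, decrypt:password:).
// Each round: Caesar-decrypt with the current key, then AES-decrypt the result;
// the AES output is the next round's input. Ciphertext and password are both
// literals in the binary, so the expected string is fully recoverable offline.
NSString* data = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
NSString* password = @"ZGlhb2RhX2ppYW5rYW5nCg==";  // hard-coded AES password (r3 at 0xb75c)
int times = 5;                                     // five rounds (r11 at 0xb704)
do{
    times--;                                       // cipherKey = 4,3,2,1,0 (0xb71e)
    // The binary passes the key through initWithCipherKey: (0xb726); the
    // property assignment below is the post author's equivalent reconstruction.
    Ceasar_CipherModel* model = [[Ceasar_CipherModel alloc] init];
    model.cipherKey = times;
    model.codedMessage = data;
    [model decrypt];                               // 0xb738
    // Caesar plaintext (originalMessage, 0xb740) feeds AESCrypt (0xb75e);
    // the AES output becomes next round's codedMessage (0xb762).
    data = [AESCrypt decrypt:[model originalMessage] password:password];
}while (times > 0);
NSLog(@"result : %@",data);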
第一次: hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
第二次: e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
第三次: 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
第四次: QNEcNAUUYKq5mMZJTh3J5w==
第五次: Sp4rkDr0idKit
最终结果为:
Sp4rkDr0idKit
好强大的C版。。。。
前排学习了~ 牛犇的C版~~ 顶大牛 给力 这是C语言吗,@ 是何意? patton88 发表于 2015-10-22 11:18
这是C语言吗,@ 是何意?
不是C语言,是objective-c
网上查了一下,这是 iOS 的 Objective-C 语法
@放在一个字符串前面代表的是你这个字符串是NSString类型的。不放的话,就代表你这个字符串是C风格的字符串。 creantan 发表于 2015-10-22 11:20
不是C语言,是objective-c
多谢,已经查了
objective-c里面的NSString的全称是什么?
2014-05-17 14:41八中陈晨 | 浏览 532 次来自:手机知道
2014-07-11 23:09 DONY743 | 来自:手机知道| 九级
就叫 NSString,NS 是前缀,是 NeXTSTEP 的简称。最初的 Mac OS 原型就是 NeXTSTEP 设计的,所以 NSDictionary、NSObject、NSString、NSArray 都带 NS 前缀。string 是字符串的意思。 恭喜恭喜