飘云 posted on 2016-10-30 01:23:16

Bypassing the iOS QQ signature check to run multiple instances -- By 飘云/P.Y.G





Target QQ version: 6.5.8.437 (the latest as of 2016-10-30)

Here's how it went... today I used PP助手 to install a second copy of QQ to play with


and found it couldn't log in~~ oh dear..


So I dragged it into Hopper and waited a while for the disassembly to finish~~

First let's go over the flow~ signature checks come in only a few kinds:
1. bundleID check
2. signature segment check
3. code segment check

Let's start with the simple bundleID check~ search for "com.tencent.mqq" and find the following key point:



Go up to find the start of the function:


Then find the references to 0x18b0f8:


The debug symbols give you away completely~~~ no dynamic debugging even needed~~~ haha, ten thousand alpacas stampede past...

I analysed a bit further, and this thing does not verify the signature segment at all~~ so the whole thing becomes simple~

We just need to find an elegant point to Hook and swap out the bundleID~~

Time to bring out the divine tool, cycript



cy# [ recursiveDescription ].toString()
`<UIWindow: 0x1445242f0; frame = (0 0; 320 568); opaque = NO; autoresize = LM+RM+TM+BM; gestureRecognizers = <NSArray: 0x17005f980>; layer = <UIWindowLayer: 0x1702398c0>>
   | <UITransitionView: 0x14586fc00; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170e30440>>
   |    | <UILayoutContainerView: 0x1705e0e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x171045af0>; layer = <CALayer: 0x170e2e2e0>>
   |    |    | <UINavigationTransitionView: 0x14589fe30; frame = (0 0; 320 568); clipsToBounds = YES; autoresize = W+H; layer = <CALayer: 0x170e2dcc0>>
   |    |    |    | <UIViewControllerWrapperView: 0x17419a410; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e325c0>>
   |    |    |    |    | <UIView: 0x1701900c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b400>>
   |    |    |    |    |    | <QQView: 0x1447689c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b7a0>>
   |    |    |    |    |    |    | <UIImageView: 0x1745e4b00; frame = (0 0; 320 568); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17463bc60>>
   |    |    |    |    |    |    |    | <AccountHeadView: 0x1741b4580; frame = (117.5 40; 85 85); layer = <CALayer: 0x174e2cba0>>
   |    |    |    |    |    |    |    |    | <QQAvatarView: 0x1446bbbc0; baseClass = UIButton; frame = (2.5 2.5; 80 80); opaque = NO; userInteractionEnabled = NO; tag = 2109; layer = <CALayer: 0x174e2a860>>
   |    |    |    |    |    |    |    |    |    | <UIImageView: 0x1743f7500; frame = (0 0; 80 80); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x175025e20>>
   |    |    |    |    |    |    | <AcountEditCellID: 0x144708410; baseClass = UITableViewCell; frame = (0 130; 320 50); alpha = 0.7; layer = <CALayer: 0x174a397e0>>
   |    |    |    |    |    |    |    | <UITableViewCellContentView: 0x1741993d0; frame = (0 0; 320 50); gestureRecognizers = <NSArray: 0x175040f90>; layer = <CALayer: 0x174e295e0>>
   |    |    |    |    |    |    |    | <UIIDTextField: 0x14468fc90; baseClass = UITextField; frame = (25 0; 270 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e43330>; layer = <CALayer: 0x17502aaa0>>
   |    |    |    |    |    |    |    |    | <UIFieldEditor: 0x144775020; frame = (0 0; 243 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e55300>; layer = <CALayer: 0x175026160>; contentOffset: {0, 0}; contentSize: {243, 50}>
... (rest omitted)


Search upward for 11223344 (that's the QQ number I entered; it has been replaced here~~)

   <UIFieldEditor: 0x144775020; frame = (0 0; 243 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e55300>; layer = <CALayer: 0x175026160>; contentOffset: {0, 0}; contentSize: {243, 50}>


Now find the ViewController

cy# [#0x144775020 nextResponder ]
#"<UIIDTextField: 0x14468fc90; baseClass = UITextField; frame = (25 0; 270 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e43330>; layer = <CALayer: 0x17502aaa0>>"
cy# [#0x14468fc90 nextResponder ]
#"<AcountEditCellID: 0x144708410; baseClass = UITableViewCell; frame = (0 130; 320 50); alpha = 0.7; layer = <CALayer: 0x174a397e0>>"
cy# [#0x144708410 nextResponder ]
#"<QQView: 0x1447689c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b7a0>>"
cy# [#0x1447689c0 nextResponder ]
#"<UIView: 0x1701900c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b400>>"
cy# [#0x1701900c0 nextResponder ]
#"<QQLoginViewController: 0x144aa9c00>"




OK, now we have happily found QQLoginViewController


Dump the headers and take a look
// class-dump -A -a -S -H ./QQ -o ./Headers

@interface QQLoginViewController : QQViewController <QQAccountMenuDelegate, AccountEditCellPWDelegate, AcountEditCellIDDelegate, NIAttributedLabelDelegate, UIActionSheetDelegate, QQSmsLoginSetPhoneViewDelegate, QQSmsLoginFillVerifyViewDelegate>
{

....

}

Next, move on to the parent class and take a look:

@interface QQViewController : UIViewController <UserSummaryNavBarItemDelagate, ISkinProtocol, IQQPreviewStatus>
{

}

- (void)viewDidLoad; // IMP=0x0000000100b78948 // just pick any function that is guaranteed to be called and Hook it



// Hook code (Logos syntax):
%hook QQViewController

- (void)viewDidLoad {
    NSLog(@"======%s=======", __FUNCTION__);
    // log the bundle identifier the app currently sees for itself
    NSLog(@"bundleIdentifier=%@", [[NSBundle mainBundle] bundleIdentifier]);
    // the app's own Info.plist contents
    NSDictionary *dic = [[NSBundle mainBundle] infoDictionary];
    ;   // the statement on this line did not survive in the post as captured
    %orig;
}

%end
That's right, the real secret fits in one line; it's that simple!!!

To avoid freeloaders, no deb is provided; compile it yourself~~
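As an added example, not code from the post or from QQ itself: the "signature segment check" listed as the second kind of check above, at the Mach-O level. It walks an image's load commands looking for LC_CODE_SIGNATURE and validates every size before trusting it; the constants and struct layouts follow Apple's loader.h, and the sample image is constructed in memory rather than read from a real binary.

```c
#include <stdint.h>
#include <string.h>
/* Mach-O constants and structs declared inline so this compiles without <mach-o/loader.h>. */
#define MH_MAGIC_64       0xfeedfacfu
#define LC_SEGMENT_64     0x19u
#define LC_CODE_SIGNATURE 0x1du
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct linkedit_data_command { uint32_t cmd, cmdsize, dataoff, datasize; };

/* Walk the load commands of an in-memory 64-bit Mach-O image. Returns 1 if an LC_CODE_SIGNATURE with a
   non-empty, in-bounds blob exists, 0 if no signature command exists, -1 if the headers are malformed. */
int has_code_signature(const uint8_t *img, size_t len) {
    struct mach_header_64 mh;
    struct load_command lc;
    struct linkedit_data_command ld;
    if (len < sizeof mh) return -1;
    memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds;
    if (end > len) return -1;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return -1;  /* validate cmdsize before trusting it */
        if (lc.cmd == LC_CODE_SIGNATURE) {
            if (lc.cmdsize < sizeof ld) return -1;
            memcpy(&ld, img + off, sizeof ld);
            return (ld.datasize > 0 && (size_t)ld.dataoff + ld.datasize <= len) ? 1 : 0;
        }
        off += lc.cmdsize;
    }
    return 0;
}

/* Constructed test image, not a real binary: header, one empty LC_SEGMENT_64 and, if with_sig, an
   LC_CODE_SIGNATURE whose blob is 16 placeholder bytes after the commands. buf must hold >= 136 bytes. */
size_t build_image(uint8_t *buf, int with_sig) {
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000c, 0, 2, 1, 72, 0, 0 };  /* arm64, MH_EXECUTE */
    struct load_command seg = { LC_SEGMENT_64, 72 };                           /* sizeof(segment_command_64) */
    struct linkedit_data_command sig = { LC_CODE_SIGNATURE, 16, 32 + 72 + 16, 16 };
    size_t off = sizeof mh + seg.cmdsize;
    memset(buf, 0, off);
    memcpy(buf + sizeof mh, &seg, sizeof seg);
    if (with_sig) {                                  /* append the signature command and its placeholder blob */
        mh.ncmds = 2; mh.sizeofcmds += sig.cmdsize;
        memcpy(buf + off, &sig, sizeof sig);
        memset(buf + sig.dataoff, 0xAA, sig.datasize);
        off = sig.dataoff + sig.datasize;
    }
    memcpy(buf, &mh, sizeof mh);
    return off;
}
```

The post's own finding applies here too: an in-process check like this is just one more function that a tweak can hook the way viewDidLoad is hooked above, so it raises the effort required but is no substitute for checks the server performs itself.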













笑倾天下 posted on 2016-10-30 08:20:19

First! Thanks to the forum owner for sharing the good stuff

wmj517 posted on 2016-10-30 08:20:27

Good posts always make my head spin; supported

飞天 posted on 2016-10-30 09:14:50

The boss's research into Apple runs deep; an Android one would be lovely too.

kangaroo posted on 2016-10-30 09:58:32

Nicely played, 6666

kangaroo posted on 2016-10-30 09:59:05

Really nicely played, 6 666

雲裏霧裏 posted on 2016-10-30 10:24:39

Old 飄 playing it this way is just godlike; I can only bow down!!

Taobi posted on 2016-10-30 10:53:31

City folks really know how to play. Awesome!!

a'ゞ龙行天下 posted on 2016-10-30 11:13:20

Really know how to play; bowing down

orz posted on 2016-10-30 12:30:19

Bowing down to the iOS player.. borrowing the idea.