AppNinja 开发手记 5: Using gdb & cycript - recovering an AES encryption key
Source: Internet | Editor: 程序博客网 | Posted: 2024/05/15 00:43
Lessons learned: combining static analysis with dynamic hooking makes the cracking work much faster. My use of cycript still needs deeper study.
Written by AppNinja 开发手记
ps aux
gdb -p pid
Reading symbols for shared libraries + done
0x3a4f3a58 in mach_msg_trap ()
1. Set a breakpoint on the target function
(gdb) break +[AESCrypt encrypt:password:]
Breakpoint 1 at 0xce95e
2. Run until the breakpoint is hit, then inspect the arguments (on 32-bit ARM, objc_msgSend passes r0 = self, r1 = _cmd, r2 and r3 = the first two selector arguments):
(gdb) po $r0
AESCrypt
(gdb) po $r1
0xd4628 does not appear to point to a valid object.
(gdb) x/s $r1
0xd4628: "encrypt:password:"
(gdb) po $r2
aefefefadfaefrefe3023232424242424242444a
(gdb) po $r3
keypassword
isEqualToString:
__text:00008958 ; id __cdecl +[AESCrypt encrypt:password:](struct AESCrypt *self, SEL, id, id)
Breakpoint 1 at 0xce95e
cycript
1. Tutorials
http://www.iphonedevwiki.net/index.php/Cycript_Tricks
http://www.cycript.org/manual/#7061c058-5485-4c00-be7e-b67accc55796
http://www.tuicool.com/articles/Ibayy2
http://danqingdani.blog.163.com/blog/static/18609419520135193830786/
http://iphonedevwiki.net/index.php/Cycript
http://www.securitylearn.net/2013/09/12/penetration-testing-of-iphone-applications-part-6/
2. Examples
function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x; }
function printMethods(className) {
var count = new new Type("I");
var methods = class_copyMethodList(objc_getClass(className), count);
var methodsArray = [];
for(var i = 0; i < *count; i++) {
var method = methods[i];
methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)});
}
free(methods);
free(count);
return methodsArray;
}
NSLog_ = dlsym(RTLD_DEFAULT, "NSLog")
NSLog = function() { var types = 'v', args = [], count = arguments.length; for (var i = 0; i != count; ++i) { types += '@'; args.push(arguments[i]); } new Functor(NSLog_, types).apply(null, args); }
NSLog("w ivars: %@", tryPrintIvars(w))
cy# printMethods("NSData")
cy# printMethods("NSString")
cy# @import com.saurik.substrate.MS
cy# var oldm = {};
cy# MS.hookMessage(NSObject, @selector(description), function() { NSLog("ok"); return oldm->call(this) + " (of doom)"; }, oldm)
cy# [new NSObject init]
#"<NSObject: 0x100203d10> (of doom)"
cy# @import com.saurik.substrate.MS
cy# fopen = dlsym(RTLD_DEFAULT, "fopen")
cy# fopen = @encode(void *(char *, char *))(fopen)
cy# var oldf = {}
cy# var log = []
cy# MS.hookFunction(fopen, function(path, mode) {
var file = (*oldf)(path, mode);
log.push([path, mode, file]);
return file;
}, oldf)
fopen("/bin/xx", "r");
cy# log
[["/etc/passwd","r",0x7fff72c14280]]
3. Testing hookFunction
cy# @import com.saurik.substrate.MS
cy# var oldf = {}
cy# var log = []
cy# MS.hookFunction(fopen, function(path, mode) {
cy> if (path == "/etc/passwd")
cy> path = "/var/passwd-fake";
cy> var file = (*oldf)(path, mode);
cy> log.push([path, mode, file]);
cy> return file;
cy> }, oldf)
Hooking strlen makes the app crash immediately. Why?
@import com.saurik.substrate.MS
strlen = dlsym(RTLD_DEFAULT, "strlen")
strlen = @encode(int (const char *))(strlen)
var oldstrlen = {}
var log = []
MS.hookFunction(strlen, function(path) {
var file = (*oldstrlen)(path);
log.push([path]);
return file;
}, oldstrlen)
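One likely cause (my assumption, not something the post establishes) is re-entrancy: the hook body's own string handling and log.push go back through strlen, so the hook calls itself until the stack overflows. The added plain Node.js example below, which is not part of the original post, models the MS.hookFunction "old holder" pattern with invented names and shows the recursion and one way to guard against it.

```javascript
// Added example (not from the original post): a Node.js model of the
// MS.hookFunction "old holder" pattern. `lib` stands in for libc; names
// are invented for illustration.
const lib = {
  strlen: (s) => s.length,
  fopen: (path, mode) => ({ path, mode, fd: 3 }),
};

// Model of MS.hookFunction(target, replacement, old): swap in the
// replacement and keep the original in old.fn (cycript's (*old)(...)).
function hookFunction(name, replacement, old) {
  old.fn = lib[name];
  lib[name] = replacement;
}

// The hook body's string handling goes through strlen again, much like a
// JS runtime does when it converts a C string for log.push().
function toJsString(cstr) {
  return cstr.slice(0, lib.strlen(cstr));
}

// fopen hook as on the page: it logs, but never re-enters fopen, so it is safe.
function fopenDemo() {
  const oldf = {}, log = [];
  hookFunction("fopen", (path, mode) => {
    const file = oldf.fn(path, mode);
    log.push([toJsString(path), mode, file.fd]);
    return file;
  }, oldf);
  lib.fopen("/etc/passwd", "r");
  return log; // [["/etc/passwd", "r", 3]]
}

// Naive strlen hook: toJsString -> lib.strlen -> hook -> toJsString -> ...
function strlenNaive() {
  const old = {};
  hookFunction("strlen", (s) => { const n = old.fn(s); toJsString(s); return n; }, old);
  try { lib.strlen("abc"); return "ok"; }
  catch (e) { return e instanceof RangeError ? "stack overflow" : "other"; }
  finally { lib.strlen = old.fn; } // unhook so later calls see the original
}

// Guarded strlen hook: nested calls made while the hook is active bypass it.
function strlenGuarded() {
  const old = {}, log = []; let inHook = false;
  hookFunction("strlen", (s) => {
    if (inHook) return old.fn(s);
    inHook = true;
    try { const n = old.fn(s); log.push(toJsString(s)); return n; }
    finally { inHook = false; }
  }, old);
  const n = lib.strlen("abc");
  lib.strlen = old.fn;
  return { n, logged: log.length }; // { n: 3, logged: 1 }
}
```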
4. Testing hookMessage
The syntax here is not right; setting it aside for now.
AESCrypt encrypt:password:
@import com.saurik.substrate.MS
var oldencrypt = {};
var log = []
MS.hookMessage(AESCrypt, @selector(encrypt:password:), function(data, key) {
log.push([data, key]);
return oldencrypt->call(this, data, key);
}, oldencrypt)