【原创】2015第2届移动安全挑战赛iOS第一题分析 by cr
2015-10-21 本文已影响468人
crean
creantan/P.Y.G 转载请注明出处
设备 iPhone 6 Plus。把二进制拖到 Hopper 分析,看了下 label 列表,看到敏感方法 onClick,静态分析如下:
; -[ViewController onClick] (Thumb-2, Hopper listing).
; Flow, as read from the instructions below:
;   1. load selectors / constants (ciphertext literal, AES password literal, counter r11 = 5)
;   2. loop 0xb70c..0xb768: r11 -= 1; Caesar decrypt with cipherKey = r11; AES decrypt the
;      Caesar output; feed the AES result (r6) back in as the next round's codedMessage
;   3. fetch the text field's text as a C string and byte-compare it against the result
;   4. show a UIAlertView whose message depends on the compare outcome
-[ViewController onClick]:
; --- prologue; self (r0) is parked at [sp, #0x10] and re-read at 0xb774 ---
0000b6a0 push {r4, r5, r6, r7, lr} ; Objective C Implementation defined at 0x1cd38 (instance)
0000b6a2 add r7, sp, #0xc
0000b6a4 push.w {r8, r10, r11}
0000b6a8 sub sp, #0x20
0000b6aa str r0, [sp, #0x10]
; --- loop-invariant setup: selectors are cached in stack slots / callee-saved regs ---
;   [sp,#0x1c] = decrypt:password:   [sp,#0x18] = originalMessage   [sp,#0x14] = decrypt
;   r8 = setCodedMessage:   r10 = initWithCipherKey:   r4 = alloc
;   r6 = the base64 ciphertext literal (first-round input)   r11 = 5 (round counter)
0000b6ac movw r0, #0x355c
0000b6b0 movt r0, #0x1
0000b6b4 movw r1, #0x354e
0000b6b8 movt r1, #0x1
0000b6bc movw r2, #0x3528
0000b6c0 movt r2, #0x1
0000b6c4 movw r3, #0x3534
0000b6c8 add r0, pc ; @selector(decrypt:password:)
0000b6ca movt r3, #0x1
0000b6ce movw r5, #0x352c
0000b6d2 add r1, pc ; @selector(originalMessage)
0000b6d4 movt r5, #0x1
0000b6d8 movw r6, #0x10e4
0000b6dc ldr r0, [r0] ; @selector(decrypt:password:)
0000b6de movt r6, #0x1
0000b6e2 str r0, [sp, #0x1c]
0000b6e4 add r3, pc ; @selector(setCodedMessage:)
0000b6e6 ldr r0, [r1] ; @selector(originalMessage)
0000b6e8 add r5, pc ; @selector(initWithCipherKey:)
0000b6ea str r0, [sp, #0x18]
0000b6ec movw r0, #0x343a
0000b6f0 movt r0, #0x1
0000b6f4 add r2, pc ; @selector(decrypt)
0000b6f6 add r0, pc ; @selector(alloc)
0000b6f8 ldr.w r8, [r3] ; @selector(setCodedMessage:)
0000b6fc ldr.w r10, [r5] ; @selector(initWithCipherKey:)
; the ciphertext is a string literal in __TEXT: recoverable by anyone with the binary
0000b700 add r6, pc ; @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
0000b702 ldr r4, [r0] ; @selector(alloc)
0000b704 mov.w r11, #0x5
0000b708 ldr r1, [r2] ; @selector(decrypt)
0000b70a str r1, [sp, #0x14]
; --- loop top: [Ceasar_CipherModel alloc] ---
0000b70c movw r0, #0x38c2 ; XREF=-[ViewController onClick]+200
0000b710 mov r1, r4 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b712 movt r0, #0x1
0000b716 add r0, pc ; objc_cls_ref_Ceasar_CipherModel
0000b718 ldr r0, [r0] ; objc_cls_ref_Ceasar_CipherModel, argument #1 for method imp___symbolstub1__objc_msgSend
0000b71a blx imp___symbolstub1__objc_msgSend
; r11 is decremented BEFORE use, so the keys seen by initWithCipherKey: are 4, 3, 2, 1, 0
0000b71e sub.w r11, r11, #0x1 ------>设置ceasar_cipher model 的cipherKey,循环5次解密4,3,2,1,0
; [obj initWithCipherKey:r11] -> r5 = model
0000b722 mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b724 mov r2, r11
0000b726 blx imp___symbolstub1__objc_msgSend
0000b72a mov r5, r0
; [model setCodedMessage:r6]; r6 is the literal on round 1 and the previous AES output afterwards (see 0xb762)
0000b72c mov r1, r8 ------------>设置setCodedMessage ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b72e mov r2, r6
0000b730 blx imp___symbolstub1__objc_msgSend
; [model decrypt]
0000b734 ldr r1, [sp, #0x14] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b736 mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b738 blx imp___symbolstub1__objc_msgSend
; [model originalMessage] -> r0
0000b73c ldr r1, [sp, #0x18] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b73e mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b740 blx imp___symbolstub1__objc_msgSend
; Caesar plaintext becomes argument #3 (the data) of decrypt:password:
0000b744 mov r2, r0 ---->凯撒解密后的字符串用作aes解密
0000b746 movw r0, #0x388c
0000b74a movt r0, #0x1
0000b74e ldr r1, [sp, #0x1c] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b750 add r0, pc ; objc_cls_ref_AESCrypt
0000b752 ldr r0, [r0] ; objc_cls_ref_AESCrypt, argument #1 for method imp___symbolstub1__objc_msgSend
0000b754 movw r3, #0x1098
0000b758 movt r3, #0x1
; AES password is also a string literal in the binary (argument #4); a hard-coded key offers no secrecy against static analysis
0000b75c add r3, pc --->aes解密秘钥 ; @"ZGlhb2RhX2ppYW5rYW5nCg=="
; [AESCrypt decrypt:r2 password:r3]
0000b75e blx imp___symbolstub1__objc_msgSend ---->对凯撒解密后的数据进行aes解密
; r6 = AES output: the next round's codedMessage and, after the loop, the expected answer
0000b762 mov r6, r0
; loop while r11 > 0 (five rounds in total)
0000b764 cmp.w r11, #0x0 ------>循环 5次
0000b768 bgt 0xb70c
; --- after the loop: read the user's input. r10 keeps the alloc selector for the alert below ---
0000b76a movw r0, #0x346c
0000b76e mov r10, r4
0000b770 movt r0, #0x1
0000b774 ldr.w r8, [sp, #0x10]
; [self textFeild]
0000b778 add r0, pc ; @selector(textFeild)
0000b77a ldr r1, [r0] ; @selector(textFeild), argument #2 for method imp___symbolstub1__objc_msgSend
0000b77c mov r0, r8 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b77e blx imp___symbolstub1__objc_msgSend
; [textField text]
0000b782 movw r1, #0x349e
0000b786 movt r1, #0x1
0000b78a add r1, pc ; @selector(text)
0000b78c ldr r1, [r1] ; @selector(text), argument #2 for method imp___symbolstub1__objc_msgSend
0000b78e blx imp___symbolstub1__objc_msgSend
; [text UTF8String] -> r4 = user input as a C string
0000b792 movw r1, #0x3492
0000b796 movt r1, #0x1
0000b79a add r1, pc ; @selector(UTF8String)
0000b79c ldr r5, [r1] ; @selector(UTF8String)
0000b79e mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7a0 blx imp___symbolstub1__objc_msgSend
0000b7a4 mov r4, r0
; [r6 UTF8String] -> r5 = expected answer as a C string
0000b7a6 mov r0, r6 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b7a8 mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7aa blx imp___symbolstub1__objc_msgSend
0000b7ae mov r5, r0
; --- inlined byte comparison of input (r4) against expected (r5); result in r4: 1 = match, 0 = mismatch ---
; Note the loop bound is strlen(expected) only and it exits early on the first differing byte:
; the input's own length / terminator is never checked, so input that merely starts with the
; expected bytes also reaches 0xb7d6. An empty expected string (first byte 0) matches anything.
0000b7b0 ldrb r0, [r5] ; "UTF8String"
0000b7b2 cmp r0, #0x0
0000b7b4 beq 0xb7d6
0000b7b6 ldrb r1, [r4]
0000b7b8 cmp r1, r0
0000b7ba bne 0xb7d2
0000b7bc movs r6, #0x1
; strlen(expected) is recomputed on every iteration (r6 = byte index)
0000b7be mov r0, r5 ; argument #1 for method imp___symbolstub1__strlen, XREF=-[ViewController onClick]+304
0000b7c0 blx imp___symbolstub1__strlen
0000b7c4 cmp r6, r0
0000b7c6 bhs 0xb7d6
0000b7c8 ldrb r0, [r5, r6]
0000b7ca ldrb r1, [r4, r6]
0000b7cc adds r6, #0x1
0000b7ce cmp r1, r0
0000b7d0 beq 0xb7be
0000b7d2 movs r4, #0x0 ; XREF=-[ViewController onClick]+282
0000b7d4 b 0xb7d8
0000b7d6 movs r4, #0x1 ; XREF=-[ViewController onClick]+276, -[ViewController onClick]+294
; --- [UIAlertView alloc] (r1 = alloc selector kept in r10) ---
0000b7d8 movw r0, #0x37fe ; XREF=-[ViewController onClick]+308
0000b7dc mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7de movt r0, #0x1
0000b7e2 add r0, pc ; objc_cls_ref_UIAlertView
0000b7e4 ldr r0, [r0] ; objc_cls_ref_UIAlertView, argument #1 for method imp___symbolstub1__objc_msgSend
0000b7e6 blx imp___symbolstub1__objc_msgSend
; pick the message string (r3) from the compare result: r4 == 1 -> string at 0xb816, else string at 0xb822
0000b7ea movw r1, #0x3438
0000b7ee cmp r4, #0x1
0000b7f0 movt r1, #0x1
0000b7f4 movw r6, #0x1022
0000b7f8 add r1, pc ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b7fa movt r6, #0x1
0000b7fe movw r2, #0xffa
0000b802 add r6, pc ; cfstring__S_m
0000b804 movt r2, #0x1
0000b808 ldr r1, [r1] ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b80a add r2, pc ; @""
0000b80c bne 0xb81a
0000b80e movw r3, #0xffe
0000b812 movt r3, #0x1
0000b816 add r3, pc ; cfstring____xcknx___b_R__eQ__
0000b818 b 0xb824
0000b81a movw r3, #0x1022 ; XREF=-[ViewController onClick]+364
0000b81e movt r3, #0x1
0000b822 add r3, pc ; cfstring____x______
; stack arguments: [sp] = delegate (self), [sp+4] = cancelButtonTitle (r6), [sp+8] = otherButtonTitles (r5), [sp+0xc] = nil terminator
0000b824 movw r5, #0x1002 ; XREF=-[ViewController onClick]+376
0000b828 movs r4, #0x0
0000b82a movt r5, #0x1
0000b82e str.w r8, [sp]
0000b832 add r5, pc ; cfstring_nx__
0000b834 str r6, [sp, #0x4]
0000b836 str r5, [sp, #0x8]
0000b838 str r4, [sp, #0xc]
; [alert initWithTitle:@"" message:r3 delegate:self cancelButtonTitle:r6 otherButtonTitles:r5, nil]
0000b83a blx imp___symbolstub1__objc_msgSend
; --- epilogue, then tail-jump with r1 = @selector(show); presumably [alert show] via objc_msgSend at 0x179c0 (target not shown here) ---
0000b83e movw r1, #0x33ee
0000b842 movt r1, #0x1
0000b846 add r1, pc ; @selector(show)
0000b848 ldr r1, [r1] ; @selector(show)
0000b84a add sp, #0x20
0000b84c pop.w {r8, r10, r11}
0000b850 pop.w {r4, r5, r6, r7, lr}
0000b854 b.w 0x179c0
; endp
用到加密方式:凯撒加密、AES
还原代码如下:
// Reconstruction of the loop in -[ViewController onClick]: five rounds, each one a
// Caesar decrypt with cipherKey 4, 3, 2, 1, 0 (the counter is decremented before use,
// as r11 is in the disassembly) followed by an AES decrypt whose output becomes the
// next round's input. The binary itself calls initWithCipherKey: and setCodedMessage:;
// the property form below is an equivalent reading of that.
// Both the ciphertext and the AES password are string literals compiled into the app,
// which is exactly why static analysis alone recovers the final value.
NSString *data = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
NSString *password = @"ZGlhb2RhX2ppYW5rYW5nCg==";
int times = 5;
while (times > 0) {
    --times;
    // A fresh model per round; the key for this round is the already-decremented counter.
    Ceasar_CipherModel *model = [[Ceasar_CipherModel alloc] init];
    model.cipherKey = times;
    model.codedMessage = data;
    [model decrypt];
    // The Caesar plaintext is the AES input; the AES result feeds the next round.
    data = [AESCrypt decrypt:model.originalMessage password:password];
}
NSLog(@"result : %@",data);
第一次: hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
第二次: e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
第三次: 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
第四次: QNEcNAUUYKq5mMZJTh3J5w==
第五次: Sp4rkDr0idKit
最终结果为:
Sp4rkDr0idKit