其他
分析屏保区TOP1的一款MacOS软件
本文为看雪论坛优秀文章
看雪论坛作者ID:Mr.梵高
1、HopperDisassember
2、Frida
3、class-dump
-[SiShiPurchaseWindowController restorePurchaseAction]:000000010002650c push rbp ; Objective C Implementation defined at 0x1001137f0 (instance method), Begin of try block, DATA XREF=0x1001137f0000000010002650d mov rbp, rsp0000000100026510 push r150000000100026512 push r140000000100026514 push r130000000100026516 push r120000000100026518 push rbx0000000100026519 sub rsp, 0x58// 调用 indicatorView方法,不重要000000010002651d mov r14, rdi0000000100026520 mov rsi, qword [0x100143648] ; argument "selector" for method _objc_msgSend, @selector(indicatorView)0000000100026527 mov r15, qword [_objc_msgSend_1000f4360] ; _objc_msgSend_1000f4360000000010002652e call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026531 mov rdi, rax ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026534 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue//调用 setHidden方法,不重要0000000100026539 mov rbx, rax000000010002653c mov rsi, qword [0x100142210] ; argument "selector" for method _objc_msgSend, @selector(setHidden:)0000000100026543 mov rdi, rax ; argument "instance" for method _objc_msgSend0000000100026546 xor edx, edx0000000100026548 call r15 ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend000000010002654b mov rdi, rbx ; argument "instance" for method _objc_release000000010002654e call qword [_objc_release_1000f4368] ; _objc_release, _objc_release_1000f4368,_objc_release0000000100026554 lea rdi, qword [rbp+var_30] ; argument "addr" for method imp___stubs__objc_initWeak0000000100026558 mov rsi, r14 ; argument "value" for method imp___stubs__objc_initWeak000000010002655b call imp___stubs__objc_initWeak ; objc_initWeak//划重点,SiShiPurchaseHelper这个类0000000100026560 mov rdi, qword [objc_cls_ref_SiShiPurchaseHelper] ; argument "instance" for method _objc_msgSend, objc_cls_ref_SiShiPurchaseHelper0000000100026567 mov rsi, qword [0x100141dd8] ; argument "selector" for method _objc_msgSend, @selector(sharedInstance)000000010002656e call r15 ; End of try block started at 0x10002650c, Begin of try block (catch block at 0x10002664c), Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026571 mov rdi, rax ; End of try block started at 0x10002656e, Begin of try block, argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026574 call imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue0000000100026579 mov r15, rax000000010002657c mov rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b80000000100026583 lea r14, qword [rbp+var_60]0000000100026587 mov qword [r14-0x20], rax000000010002658b mov r13d, 0xc20000000000000100026591 mov qword [r14-0x18], r130000000100026595 lea rax, qword [sub_100026660] ; sub_100026660000000010002659c mov qword [r14-0x10], rax00000001000265a0 lea rax, qword [0x1000f4e28] ; 0x1000f4e2800000001000265a7 mov qword [r14-8], rax00000001000265ab lea r12, qword [rbp+var_30]00000001000265af mov rdi, r14 ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265b2 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak00000001000265b5 call imp___stubs__objc_copyWeak ; objc_copyWeak00000001000265ba lea rbx, qword [rbp+var_38]00000001000265be mov rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b800000001000265c5 mov qword [rbx-0x20], rax00000001000265c9 mov qword [rbx-0x18], r1300000001000265cd lea rax, qword [sub_100026691] ; sub_10002669100000001000265d4 mov qword [rbx-0x10], rax00000001000265d8 lea rax, qword [0x1000f4ef8] ; 0x1000f4ef800000001000265df mov qword [rbx-8], rax00000001000265e3 mov rdi, rbx ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265e6 mov rsi, r12 ; argument "src" for method imp___stubs__objc_copyWeak00000001000265e9 call imp___stubs__objc_copyWeak ; objc_copyWeak//重点是这个方法 startRestore00000001000265ee mov rsi, qword [0x100143720] ; argument "selector" for method _objc_msgSend, @selector(startRestore:failedBlock:)00000001000265f5 lea rdx, qword [rbp+var_80] ; End of try block started at 0x100026571, Begin of try block (catch block at 0x100026637)00000001000265f9 lea rcx, qword [rbp+var_58]00000001000265fd mov rdi, r15 ; argument "instance" for method _objc_msgSend0000000100026600 call qword [_objc_msgSend_1000f4360] ; _objc_msgSend, _objc_msgSend_1000f4360,_objc_msgSend0000000100026606 mov rdi, r15 ; End of try block started at 0x1000265f5, Begin of try block, argument "instance" for method _objc_release0000000100026609 call qword [_objc_release_1000f4368] ; _objc_release, _objc_release_1000f4368,_objc_release000000010002660f mov rdi, rbx ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026612 call imp___stubs__objc_destroyWeak ; objc_destroyWeak0000000100026617 mov rdi, r14 ; argument "instance" for method imp___stubs__objc_destroyWeak000000010002661a call imp___stubs__objc_destroyWeak ; objc_destroyWeak000000010002661f lea rdi, qword [rbp+var_30] ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026623 call imp___stubs__objc_destroyWeak ; objc_destroyWeak0000000100026628 add rsp, 0x58000000010002662c pop rbx000000010002662d pop r12000000010002662f pop r130000000100026631 pop r140000000100026633 pop r150000000100026635 pop rbp0000000100026636 ret/* @class SiShiPurchaseHelper */-(void)startRestore:(void *)arg2 failedBlock:(void *)arg3 { r12 = [arg3 retain]; rbx = [arg2 retain]; [self setStartPurchase:0x1]; [self setCompeletedBlock:rbx]; [rbx release]; [self setFailedBlock:r12]; [r12 release]; rax = [SKPaymentQueue defaultQueue]; rax = [rax retain]; [rax restoreCompletedTransactions]; [rax release]; return;}OSSPlainTextAKSKPairCredentialProvider.hSKPaymentTransactionObserver-Protocol.hSKProductsRequestDelegate-Protocol.hSKRequestDelegate-Protocol.h#import "NSObject-Protocol.h" @class NSArray, NSError, SKPayment, SKPaymentQueue, SKProduct; @protocol SKPaymentTransactionObserver- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedTransactions:(NSArray *)arg2; @optional- (void)paymentQueue:(SKPaymentQueue *)arg1 didRevokeEntitlementsForProductIdentifiers:(- (void)paymentQueueDidChangeStorefront:(SKPaymentQueue *)arg1;- (BOOL)paymentQueue:(SKPaymentQueue *)arg1 shouldAddStorePayment:(SKPayment *)arg2 forP- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedDownloads:(NSArray *)arg2;- (void)paymentQueueRestoreCompletedTransactionsFinished:(SKPaymentQueue *)arg1;- (void)paymentQueue:(SKPaymentQueue *)arg1 restoreCompletedTransactionsFailedWithError:- (void)paymentQueue:(SKPaymentQueue *)arg1 removedTransactions:(NSArray *)arg2;@end它实现了几个回调方法,不管它,在Hopper中搜索 paymentQueue,并生成伪代码:/* @class SiShiPurchaseHelper */-(void)paymentQueue:(void *)arg2 updatedTransactions:(void *)arg3 { rbx = self; rax = [arg3 retain]; var_150 = intrinsic_movaps(var_150, 0x0); *(int128_t *)(&var_150 + 0x10) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x10), 0x0); *(int128_t *)(&var_150 + 0x20) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x20), 0x0); *(int128_t *)(&var_150 + 0x30) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x30), 0x0); var_B8 = rax; rax = [rax countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10]; var_D8 = rax; if (rax != 0x0) { var_100 = **(&var_150 + 0x10); var_C0 = rbx; do { r12 = 0x0; do { if (*var_140 != var_100) { objc_enumerationMutation(var_B8); } r14 = *(var_148 + r12 * 0x8); rax = [r14 transactionState]; if (rax != 0x3) { if (rax != 0x2) { if (rax == 0x1) { // 关键位置 [rbx completeTransaction:r14]; } } else { rax = [r14 error]; rax = [rax retain]; r14 = [rax code]; [rax release]; if (r14 == 0x2) { rbx = var_C0; [rbx purchaseFailedWithError:0x0]; } else { rbx = var_C0; [rbx purchaseFailedWithError:[[[[NSBundle mainBundle] retain] localizedStringForKey:@"Unlock failed" value:@"" table:0x0] retain]]; [rax release]; [rax release]; } } } else { [rbx completeTransaction:r14]; } r12 = r12 + 0x1; } while (r12 < var_D8); rax = [var_B8 countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10]; var_D8 = rax; } while (rax != 0x0); } var_30 = **___stack_chk_guard; [var_B8 release]; if (**___stack_chk_guard != var_30) { __stack_chk_fail(); } return;}/* @class SiShiPurchaseHelper */-(void)completeTransaction:(void *)arg2 { r14 = self; rax = [arg2 retain]; r15 = rax; rax = [rax payment]; rax = [rax retain]; r12 = rax; rax = [rax productIdentifier]; rax = [rax retain]; [rax release]; [r12 release]; if (rax != 0x0) { [r14 setCurrentTransaction:r15]; //关键方法: [r14 purchaseSuccess]; [r14 bornWenYuShan]; } [r15 release]; return;}[r14 purchaseSuccess];[r14 bornWenYuShan];/* @class SiShiPurchaseHelper */-(void)bornWenYuShan { [self setIsVip:0x1]; rax = [NSUserDefaults standardUserDefaults]; rax = [rax retain]; [rax setBool:0x1 forKey:@"kSiShiIsVipString"]; [rax release]; rbx = [[NSNotificationCenter defaultCenter] retain]; [rbx postNotificationName:*0x1000f52b0 object:0x0]; [rbx release]; return;}0000000100012910 push rbp ; Objective C Implementation defined at 0x10010f4d0 (instance method), DATA XREF=0x10010f4d00000000100012911 mov rbp, rsp0000000100012914 push r150000000100012916 push r140000000100012918 push r13000000010001291a push r12000000010001291c push rbx000000010001291d push rax ......中间的代码全部NOP掉 00000001000129bd pop rbx00000001000129be pop r1200000001000129c0 pop r1300000001000129c2 pop r1400000001000129c4 pop r1500000001000129c6 pop rbp00000001000129c7 jmp rax// r14 = self000000010001291e mov r14, rdi// rbx = _objc_msgSend_1000f43600000000100012921 mov rbx, qword [_objc_msgSend_1000f4360] // msgSend函数的第一个参数:rsi = bornWenYuShan 0000000100012928 mov rsi, qword [0x100142d48] // msgSend函数的第二个参数:rdi = r14 000000010001292f mov rdi, r14 0000000100012932 call rbx //等于执行 msgSend(self,bornWenYuShan)sudo codesign --sign - --force --deep ./Live Wallpaper.app看雪ID:Mr.梵高
https://bbs.pediy.com/user-home-942743.htm
# 往期推荐
2.Chrom V8分析入门——Google CTF2018 justintime分析
5.人人都可以拯救正版硬件受害者(Jlink提示Clone)
6.frida内存检索svc指令查找sendto和recvfrom进行hook抓包
球分享
球点赞
球在看
点击“阅读原文”,了解更多!