- 发帖
- 53390
- 今日发帖
- 最后登录
- 2024-11-14
|
您可以直接下载PDF文档:逆向XX助手获取Lua脚本明文.zip . ==========================================================今天来看看xx助手的lua脚本解密 1. 找寻线索/Library/MobileSubstrate/DynamicLibraries下面看到 XXScreenShot.dylib XXScreenShot.plist Plist内容如下 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>Filter</key> <dict> <key>Bundles</key> <array> <string>com.apple.backboardd</string> </array> </dict></dict></plist> 恩,明白了是hook了backboardd进程 2. 静态分析IDA 载入 XXScreenShot.dylib --- 找到loadLuaData函数,分析发现是 tea算法 [attachment=207336] 分析了一下,X23寄存器指向输出缓冲区 3. 动态调试 手机端运行:[attachment=207337] Mac端运行:[attachment=207338] 4.下断 [attachment=207339] 此时在目标程序上点击“播放”,让脚本载入 [attachment=207340] 5.继续分析[attachment=207341] 由于前面用IDA分析过x23寄存器保存了输出数据,那么我们直接在0x103d12cdc下断点,此时x23已经得到了数据,下好断点后,继续运行,如下图,顺利中断 [attachment=207342] 6.输出数据[attachment=207343] 此时lua脚本已经完整解密了!!! 7.编写tweak我们可以写个tweak来抓取脚本代码:/* 获取xx助手lua脚本 By 飘云/P.Y.G 2015-04-29 http://www.chinapyg.com*/#import <substrate.h>#import <pthread.h>// 原始函数signed int (*orig_XxteaDecrypt)(const char *inBuf, size_t bufLen, const char *key, size_t a4, char *outBuf, int a6);signed int myXxteaDecrypt(const char *inBuf, size_t bufLen, const char *key, size_t a4, char *outBuf, int a6){ signed int ret = orig_XxteaDecrypt(inBuf, bufLen, key, a4, outBuf, a6); NSString *str = [NSString stringWithCString:outBuf encoding:NSUTF8StringEncoding]; //NSLog(@"[++++]%s", outBuf); NSLog(@"[++++]%@", str); return ret;}void *threadFun(void*){ while (true) { void *lpFun = ((void*)MSFindSymbol(NULL, "__Z12XxteaDecryptPKciS0_iPci")); if (lpFun) { NSLog(@"[++++]lpFun = %p", lpFun); MSHookFunction(lpFun, (void*)myXxteaDecrypt, (void**)&orig_XxteaDecrypt); NSLog(@"[++++]orig_XxteaDecrypt = %p", orig_XxteaDecrypt); break; } } return NULL;}static __attribute__((constructor)) void piaoyun(){ // 用线程来查找,以免xx的dylib后加载而找不到函数 pthread_t th; int err = pthread_create(&th, NULL, threadFun, NULL); if (err != 0) printf("[++++]pthread_create error: %s\n", strerror(err)); NSLog(@"[++++]inject success!!!!");}8.Tweak演示 题后话:当然你也可以自己写个程序静态解密lua脚本,我不太喜欢折腾,就直接tweak了。。 [ 此帖被pony8000在2015-04-29 22:01重新编辑 ]
|