iOS is one of the most popular mobile operating systems today, so naturally there is an underground industry built around it.
This was the first time I had run into an IPA being remotely controlled by injecting a custom dylib into it, and I was curious to see how the implementation worked.
Let's get started
Hypothesis: the dylib is loaded, the app starts and makes a network request; if it gets permission it runs normally, otherwise it calls exit(0).
With that hypothesis, let's go step by step.
Unzip the package and inspect the bundle contents. There are a lot of Windows-related files; since I don't know much about game development I'm not sure what they do, so I whitelist them for now and keep looking for suspicious files.
The .sln is probably a Visual Studio project.
The following files I'm less familiar with, so I skip them for now:
├── plugin.proto
├── protobuf-lite.pc
├── protobuf.pc
├── DeveloperEx.sln
├── DeveloperEx.vcxproj
├── DeveloperEx.vcxproj.filters
├── DeveloperEx.vcxproj.user
├── Developer_Debug.bat
├── Developer_Release.bat
Suspicious file found:
├── logo1.png
An ordinary-looking PNG image, easy to skip over, but the built-in macOS preview cannot open it.
Rename the extension to txt
and open it in a text editor, looking for useful information among the garbage.
Among the garbage are Mach-O section names such as __TEXT, __text and __DATA, and near the bottom the dylib load strings /usr/lib/libzheng.dylib, Foundation, UIKit, libobjc.A.dylib, libSystem.B.dylib and CoreFoundation. So this must be a disguised Mach-O file.
Inspect the Mach-O header:
otool -h /Users/hwh/Downloads/5/Payload/sss.app/logo1.png
which gives:
| magic | cputype | cpusubtype | caps | filetype | ncmds | sizeofcmds | flags |
|---|---|---|---|---|---|---|---|
| 0xfeedfacf | 16777228 | 0 | 0x00 | 2 | 28 | 3936 | 0x00200085 |
| 0xFEEDFACE = 32-bit, 0xFEEDFACF = 64-bit | CPU type | CPU subtype | ??? | file type (executable, library, core, kernel extension) | number of load commands | size of the load commands | flags |
Inspecting it with the MachOView tool: the following is an illustration and does not correspond to the data above.
Now use the built-in command:
otool -L /Users/hwh/Downloads/5/Payload/sss.app/logo1.png
which gives:
/Users/hwh/Downloads/5/Payload/sss.app/logo1.png (architecture armv7):
/usr/lib/libzheng.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
/Users/hwh/Downloads/5/Payload/sss.app/logo1.png (architecture arm64):
/usr/lib/libzheng.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
This is a standard Mach-O file, so this must be the real executable.
To confirm that inference further,
inspect the main executable:
otool -L /Users/hwh/Downloads/5/Payload/sss.app/sss
and look at its load commands:
/Users/hwh/Downloads/5/Payload/sss.app/sss (architecture armv7):
/System/Library/Frameworks/GameController.framework/GameController (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 307.4.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1070.14.0)
/System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 808.2.16)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.6.21)
/System/Library/Frameworks/CoreMotion.framework/CoreMotion (compatibility version 1.0.0, current version 2100.0.34)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.13.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/OpenAL.framework/OpenAL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 888.30.2)
/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1348.22.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
/Users/hwh/Downloads/5/Payload/sss.app/sss (architecture arm64):
/System/Library/Frameworks/GameController.framework/GameController (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 307.4.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1070.14.0)
/System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 808.2.16)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.6.21)
/System/Library/Frameworks/CoreMotion.framework/CoreMotion (compatibility version 1.0.0, current version 2100.0.34)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.13.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/OpenAL.framework/OpenAL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 888.30.2)
/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1348.22.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
This shows that when the main program is loaded, its load commands also load logo1.png.
So logo1.png runs whenever the program runs; logo1 is itself an executable.
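The two checks above, the Mach-O magic/header check and the walk over the load commands for an executable-relative dylib, as an added example that is not part of the original post or of any tool it mentions. It parses the Mach-O header and LC_LOAD_DYLIB commands directly (little-endian arm slices, plus the big-endian fat wrapper the page's binary has) so a bundle can be scanned for files like logo1.png without otool; the sample bytes and the helper that builds them are constructed here, and a real file would be passed as `open(path, "rb").read()`.

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
FILETYPES = {2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}

def parse_thin(buf, base=0):
    """Parse one little-endian (arm) Mach-O slice: header fields + LC_LOAD_DYLIB paths."""
    magic = struct.unpack_from("<I", buf, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return None                                    # not a Mach-O (e.g. a real PNG)
    _cpu, _sub, filetype, ncmds, _size, _flags = struct.unpack_from("<6I", buf, base + 4)
    off = base + (32 if magic == MH_MAGIC_64 else 28)  # 64-bit header has a reserved word
    dylibs = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", buf, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", buf, off + 8)[0]   # dylib.name offset
            dylibs.append(buf[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        off += cmdsize
    return {"bits": 64 if magic == MH_MAGIC_64 else 32,
            "filetype": FILETYPES.get(filetype, hex(filetype)), "dylibs": dylibs}

def parse_macho(buf):
    """Return a list of per-architecture results; fat headers are big-endian."""
    if struct.unpack_from(">I", buf)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", buf, 4)[0]
        offsets = [struct.unpack_from(">5I", buf, 8 + 20 * i)[2] for i in range(nfat)]
        return [parse_thin(buf, o) for o in offsets]
    thin = parse_thin(buf)
    return [thin] if thin else []

def suspicious_loads(buf):
    """Executable-relative load paths, the pattern of the injected logo1.png."""
    return sorted({d for s in parse_macho(buf) if s for d in s["dylibs"]
                   if d.startswith(("@executable_path", "@loader_path", "@rpath"))})

def _lc_load_dylib(path):
    """Build one LC_LOAD_DYLIB command (used only to construct the sample below)."""
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)                   # pad to 8-byte alignment
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0x10000, 0x10000) + name

# Constructed sample: a 64-bit arm64 MH_EXECUTE carrying two load commands,
# then the same slice wrapped in a one-slice fat container as the page's binary is.
_cmds = _lc_load_dylib("/usr/lib/libSystem.B.dylib") + _lc_load_dylib("@executable_path/logo1.png")
SAMPLE = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(_cmds), 0x00200085, 0) + _cmds
FAT_SAMPLE = (struct.pack(">2I", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, 4096, len(SAMPLE), 12)
              + b"\0" * (4096 - 28) + SAMPLE)
```

Running `suspicious_loads` over every file in an .app bundle flags exactly the case on this page: a file whose extension says image but whose bytes are a Mach-O, and a main binary with an `@executable_path` load command it should not have.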
Now let's look at logo1's code.
Open the logo1.png executable in Hopper.
The first thing you see is the license prompt. Uh... I'm broke and can't afford it, so I choose "Try the demo" and continue.
It's a fat binary; pick either architecture to look at.
The code is obfuscated.
Use the ASM Mode panel on the right to look for useful information.
Below are some useful pieces of the assembly.
Method name: +[здравей d_a]:
// read a file from the main bundle
0000490e movw r3, #0x3a82 ; &@selector(mainBundle), :lower16:(0x839c - 0x491a)
00004912 movt r3, #0x0 ; &@selector(mainBundle), :upper16:(0x839c - 0x491a)
00004916 add r3, pc ; &@selector(mainBundle)
00004918 movw sb, #0x3b48 ; :lower16:(0x846c - 0x4924)
0000491c movt sb, #0x0 ; :upper16:(0x846c - 0x4924)
00004920 add sb, pc ; objc_cls_ref_NSBundle
00004922 str r0, [sp, #0xbc + var_C]
00004924 str r1, [sp, #0xbc + var_10]
00004926 ldr.w r0, [sb] ; objc_cls_ref_NSBundle,_OBJC_CLASS_$_NSBundle
0000492a ldr r1, [r3] ; "mainBundle",@selector(mainBundle)
// read the config file
0000497c movw r2, #0x3a1c ; &@selector(pathForResource:ofType:), :lower16:(0x83a4 - 0x4988)
00004980 movt r2, #0x0 ; &@selector(pathForResource:ofType:), :upper16:(0x83a4 - 0x4988)
00004984 add r2, pc ; &@selector(pathForResource:ofType:)
00004986 ldr r2, [r2] ; "pathForResource:ofType:",@selector(pathForResource:ofType:)
// process the config data
00004a1e movw r2, #0x3982 ; &@selector(objectForKeyedSubscript:), :lower16:(0x83ac - 0x4a2a)
00004a22 movt r2, #0x0 ; &@selector(objectForKeyedSubscript:), :upper16:(0x83ac - 0x4a2a)
00004a26 add r2, pc ; &@selector(objectForKeyedSubscript:)
// build the network request
00004b72 add r3, pc ; objc_cls_ref_NSMutableURLRequest
00004b74 str r0, [sp, #0xbc + var_24]
00004b76 ldr r0, [r3] ; objc_cls_ref_NSMutableURLRequest,_OBJC_CLASS_$_NSMutableURLRequest
00004c42 movw r2, #0x3792 ; &@selector(sendAsynchronousRequest:queue:completionHandler:), :lower16:(0x83e0 - 0x4c4e)
00004c46 movt r2, #0x0 ; &@selector(sendAsynchronousRequest:queue:completionHandler:), :upper16:(0x83e0 - 0x4c4e)
00004c4a add r2, pc ; &@selector(sendAsynchronousRequest:queue:completionHandler:)
// handle the response data
00004d70 ldr r0, [r0] ; _objc_msgSend_8010,_objc_msgSend
00004d72 movw r1, #0x3656 ; &@selector(statusCode), :lower16:(0x83d4 - 0x4d7e)
00004d76 movt r1, #0x0 ; &@selector(statusCode), :upper16:(0x83d4 - 0x4d7e)
00004d7a add r1, pc ; &@selector(statusCode)
00004d7c ldr r2, [sp, #0x6c + var_8]
00004db4 movw r2, #0x3618 ; &@selector(JSONObjectWithData:options:error:), :lower16:(0x83d8 - 0x4dc0)
00004db8 movt r2, #0x0 ; &@selector(JSONObjectWithData:options:error:), :upper16:(0x83d8 - 0x4dc0)
00004dbc add r2, pc ; &@selector(JSONObjectWithData:options:error:)
// handling of the different status codes: if not allowed, call the hs function
00004ec0 add r2, pc ; &@selector(hs)
00004ec2 ldr r2, [r2] ; "hs",@selector(hs)
// implementation of hs
+[здравей hs]:
000055b4 push {r7, lr} ; Objective C Implementation defined at 0x826c (class method)
000055b6 mov r7, sp
000055b8 sub sp, #0x14
000055ba movs r2, #0x0
000055bc str r0, [sp, #0x14 + var_4]
000055be str r1, [sp, #0x14 + var_8]
000055c0 mov r0, r2 ; argument "status" for method imp___picsymbolstub4__exit
000055c2 blx imp___picsymbolstub4__exit
; endp
000055c6 mov r8, r8
imp___picsymbolstub4__exit is the imp pointer to the stub that calls the exit function.
This should be the exit(0) we expected.
That basically confirms how this app was tampered with. What's left is removing logo1.
Remove the backdoor's load command
using optool:
~ optool -h
uninstall -p <payload> -t <target> [-o=<output>] [-b] [--resign] Removes any LC_LOAD commands which point to a given payload from the target binary. This may render some executables unusable.
optool uninstall -p "@executable_path/logo1.png" -t sss
- @executable_path/logo1.png is the backdoor loaded by the load command
- sss is the path of the executable
Once that succeeds, re-sign the app and you're done.
If you have questions, email wally.h@qq.com