iOS is one of the most popular mobile operating systems today, so naturally there is an underground industry built around it.
This was the first time I had run into an ipa that had a custom dylib injected into it to give someone remote control over the app, and I was curious to see how it was implemented.
Let's get started
Hypothesis: the dylib is loaded when the app launches, makes a network request, lets the app run normally if it gets permission, and otherwise calls exit(0).
With that hypothesis in mind, let's follow the steps.
Unpack the package and look at the bundle contents. There are a lot of Windows-related files in it; since I know little about game development I have no idea what they do, so I whitelist them for now and keep looking for suspicious files.
sln
Probably a Visual Studio project.
The following files I don't know much about, so skip them for now:
```
├── plugin.proto
├── protobuf-lite.pc
├── protobuf.pc
├── DeveloperEx.sln
├── DeveloperEx.vcxproj
├── DeveloperEx.vcxproj.filters
├── DeveloperEx.vcxproj.user
├── Developer_Debug.bat
├── Developer_Release.bat
```
Suspicious file found:
```
├── logo1.png
```
An ordinary-looking png image, easy to skip over, yet the built-in viewer on the Mac cannot preview it.
Change the extension to txt
and open it in a text editor. Look for useful information among the garbage:
```
(non-printable bytes omitted; only the readable strings are kept)
__TEXT      __text __stubs __stub_helper __objc_methname __cstring __objc_classname
            __objc_methtype __const __unwind_info
__DATA      __got __la_symbol_ptr __const __cfstring __objc_classlist __objc_nlclslist
            __objc_protolist __objc_imageinfo __objc_const __objc_selrefs __objc_protorefs
            __objc_classrefs __objc_data __data __bss
__LLVM      __bundle
__LINKEDIT
/usr/lib/libzheng.dylib
/System/Library/Frameworks/Foundation.framework/Foundation
/System/Library/Frameworks/UIKit.framework/UIKit
/usr/lib/libobjc.A.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
```
At the very bottom there are strings naming the dylibs to load, so this looks like a Mach-O file disguised as an image.
Check the Mach-O header:
```
otool -h /Users/hwh/Downloads/5/Payload/sss.app/logo1.png
```
Result:
| Field | Value | Meaning |
|---|---|---|
| magic | 0xfeedfacf | 0xFEEDFACE = 32-bit, 0xFEEDFACF = 64-bit |
| cputype | 16777228 | CPU type |
| cpusubtype | 0 | CPU subtype |
| caps | 0x00 | ??? |
| filetype | 2 | file type (executable, library, core, kernel extension) |
| ncmds | 28 | number of load commands |
| sizeofcmds | 3936 | total size of the load commands |
| flags | 0x00200085 | flags |
You can also look at it with MachOView; the screenshot here is only an example and does not correspond to the data above.
Check with the built-in command:
```
otool -L /Users/hwh/Downloads/5/Payload/sss.app/logo1.png
```
Result:
```
/Users/hwh/Downloads/5/Payload/sss.app/logo1.png (architecture armv7):
/usr/lib/libzheng.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
/Users/hwh/Downloads/5/Payload/sss.app/logo1.png (architecture arm64):
/usr/lib/libzheng.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1280.25.0)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3512.60.7)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1280.38.0)
```
This is a standard Mach-O file. So this is the executable we are after.
Let's confirm that inference.
Inspect the main executable:
```
otool -L /Users/hwh/Downloads/5/Payload/sss.app/sss
```
Look at its load commands:
```
/Users/hwh/Downloads/5/Payload/sss.app/sss (architecture armv7):
/System/Library/Frameworks/GameController.framework/GameController (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 307.4.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1070.14.0)
/System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 808.2.16)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.6.21)
/System/Library/Frameworks/CoreMotion.framework/CoreMotion (compatibility version 1.0.0, current version 2100.0.34)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.13.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/OpenAL.framework/OpenAL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 888.30.2)
/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1348.22.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
/Users/hwh/Downloads/5/Payload/sss.app/sss (architecture arm64):
/System/Library/Frameworks/GameController.framework/GameController (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 307.4.0)
/System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 253.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1070.14.0)
/System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 808.2.16)
/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3600.6.21)
/System/Library/Frameworks/CoreMotion.framework/CoreMotion (compatibility version 1.0.0, current version 2100.0.34)
/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1349.13.0)
/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 0.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
/System/Library/Frameworks/OpenAL.framework/OpenAL (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 888.30.2)
/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.0.0)
/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1348.22.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
@executable_path/logo1.png (compatibility version 0.0.0, current version 0.0.0)
```
So when the main program is loaded, its load commands also load logo1.png.
That means logo1.png is executed whenever the program runs, and logo1 is itself an executable image.
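As an added example (my own code, not part of the original write-up and not the author's tooling), the following Python script does by hand the two checks that otool -h and otool -L did above: it tells a real Mach-O from a file whose extension merely claims it is an image, and it walks the load commands of every architecture slice to list LC_LOAD_DYLIB entries and flag app-relative ones that point at something other than a .dylib or a framework. The sample executable at the bottom is constructed inside the script, and the flagging rule is a heuristic of mine.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018

def is_macho(data):
    """True if the bytes start with a fat or little-endian Mach-O magic, whatever the file extension claims."""
    head = data[:4]
    return struct.unpack(">I", head)[0] == FAT_MAGIC or struct.unpack("<I", head)[0] in (MH_MAGIC, MH_MAGIC_64)

def slices(data):
    """Yield each architecture slice of a thin or fat file (fat_header and fat_arch are big-endian)."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        yield data
        return
    for i in range(struct.unpack(">I", data[4:8])[0]):                    # fat_header.nfat_arch
        off, size = struct.unpack(">II", data[16 + 20 * i:24 + 20 * i])  # fat_arch.offset, fat_arch.size
        yield data[off:off + size]

def load_dylibs(data):
    """Paths named by LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB commands in every slice (what `otool -L` prints)."""
    names = []
    for sl in slices(data):
        magic = struct.unpack("<I", sl[:4])[0]
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            continue
        off = 32 if magic == MH_MAGIC_64 else 28                 # sizeof(mach_header_64) / sizeof(mach_header)
        for _ in range(struct.unpack("<I", sl[16:20])[0]):       # mach_header.ncmds
            cmd, cmdsize = struct.unpack("<II", sl[off:off + 8])
            if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
                name_off = struct.unpack("<I", sl[off + 8:off + 12])[0]   # dylib.name: offset from command start
                names.append(sl[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
            off += cmdsize
    return names

def suspicious_dylibs(names):
    """Heuristic (mine): app-relative loads that are neither a .dylib nor inside a .framework bundle."""
    return [n for n in names if n.startswith(("@executable_path/", "@loader_path/", "@rpath/"))
            and not n.endswith(".dylib") and ".framework/" not in n]

def dylib_cmd(path):
    """Build one LC_LOAD_DYLIB command: cmd, cmdsize, name offset, timestamp, current/compat version, name."""
    name = path.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)                              # keep cmdsize 8-byte aligned
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

# Constructed sample: thin arm64 executable (cputype 0x0100000C = 16777228, flags as in the otool -h row above) linking libSystem and "@executable_path/logo1.png"
CMDS = dylib_cmd("/usr/lib/libSystem.B.dylib") + dylib_cmd("@executable_path/logo1.png")
SAMPLE_EXE = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(CMDS), 0x00200085, 0) + CMDS
```

Run `is_macho` over every file in the .app whose extension is not an executable one, and `suspicious_dylibs(load_dylibs(...))` over the main binary; on the bundle above both would point straight at logo1.png.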
Let's look at logo1's code.
Open the logo1.png executable in Hopper.
The first thing you see is the prompt to buy a licence. Er... being broke, I can't afford it, so pick Try the Demo and continue.
It's a Fat binary; pick either architecture to look at.
The code is obfuscated.
Use the ASM Mode panel on the right to hunt for useful information.
Below are some useful pieces of the disassembly.
Method: `+[здравей d_a]`:
```asm
// read the file from mainBundle
0000490e movw r3, #0x3a82 ; &@selector(mainBundle), :lower16:(0x839c - 0x491a)
00004912 movt r3, #0x0 ; &@selector(mainBundle), :upper16:(0x839c - 0x491a)
00004916 add r3, pc ; &@selector(mainBundle)
00004918 movw sb, #0x3b48 ; :lower16:(0x846c - 0x4924)
0000491c movt sb, #0x0 ; :upper16:(0x846c - 0x4924)
00004920 add sb, pc ; objc_cls_ref_NSBundle
00004922 str r0, [sp, #0xbc + var_C]
00004924 str r1, [sp, #0xbc + var_10]
00004926 ldr.w r0, [sb] ; objc_cls_ref_NSBundle,_OBJC_CLASS_$_NSBundle
0000492a ldr r1, [r3] ; "mainBundle",@selector(mainBundle)
// read the configuration file
0000497c movw r2, #0x3a1c ; &@selector(pathForResource:ofType:), :lower16:(0x83a4 - 0x4988)
00004980 movt r2, #0x0 ; &@selector(pathForResource:ofType:), :upper16:(0x83a4 - 0x4988)
00004984 add r2, pc ; &@selector(pathForResource:ofType:)
00004986 ldr r2, [r2] ; "pathForResource:ofType:",@selector(pathForResource:ofType:)
// process the configuration data
00004a1e movw r2, #0x3982 ; &@selector(objectForKeyedSubscript:), :lower16:(0x83ac - 0x4a2a)
00004a22 movt r2, #0x0 ; &@selector(objectForKeyedSubscript:), :upper16:(0x83ac - 0x4a2a)
00004a26 add r2, pc ; &@selector(objectForKeyedSubscript:)
// create the network request
00004b72 add r3, pc ; objc_cls_ref_NSMutableURLRequest
00004b74 str r0, [sp, #0xbc + var_24]
00004b76 ldr r0, [r3] ; objc_cls_ref_NSMutableURLRequest,_OBJC_CLASS_$_NSMutableURLRequest
00004c42 movw r2, #0x3792 ; &@selector(sendAsynchronousRequest:queue:completionHandler:), :lower16:(0x83e0 - 0x4c4e)
00004c46 movt r2, #0x0 ; &@selector(sendAsynchronousRequest:queue:completionHandler:), :upper16:(0x83e0 - 0x4c4e)
00004c4a add r2, pc ; &@selector(sendAsynchronousRequest:queue:completionHandler:)
// handle the response data
00004d70 ldr r0, [r0] ; _objc_msgSend_8010,_objc_msgSend
00004d72 movw r1, #0x3656 ; &@selector(statusCode), :lower16:(0x83d4 - 0x4d7e)
00004d76 movt r1, #0x0 ; &@selector(statusCode), :upper16:(0x83d4 - 0x4d7e)
00004d7a add r1, pc ; &@selector(statusCode)
00004d7c ldr r2, [sp, #0x6c + var_8]
00004db4 movw r2, #0x3618 ; &@selector(JSONObjectWithData:options:error:), :lower16:(0x83d8 - 0x4dc0)
00004db8 movt r2, #0x0 ; &@selector(JSONObjectWithData:options:error:), :upper16:(0x83d8 - 0x4dc0)
00004dbc add r2, pc ; &@selector(JSONObjectWithData:options:error:)
// handling of the different status codes: when not authorised, call the hs method
00004ec0 add r2, pc ; &@selector(hs)
00004ec2 ldr r2, [r2] ; "hs",@selector(hs)
// implementation of hs
+[здравей hs]:
000055b4 push {r7, lr} ; Objective C Implementation defined at 0x826c (class method)
000055b6 mov r7, sp
000055b8 sub sp, #0x14
000055ba movs r2, #0x0
000055bc str r0, [sp, #0x14 + var_4]
000055be str r1, [sp, #0x14 + var_8]
000055c0 mov r0, r2 ; argument "status" for method imp___picsymbolstub4__exit
000055c2 blx imp___picsymbolstub4__exit
; endp
000055c6 mov r8, r8
```
imp___picsymbolstub4__exit is the imp stub through which the exit function is called.
This should be the exit(0) from the hypothesis.
That basically confirms how this app was tampered with. All that's left is to get rid of logo1.
Remove the backdoor's load command
Use optool:
```
~ optool -h
uninstall -p <payload> -t <target> [-o=<output>] [-b] [--resign] Removes any LC_LOAD commands which point to a given payload from the target binary. This may render some executables unusable.
```
```
optool uninstall -p "@executable_path/logo1.png" -t sss
```
- `@executable_path/logo1.png` is the backdoor loaded by the load command
- `sss` is the path of the executable
Once that succeeds, re-sign the app and you're done.
If you have questions, send an email to
wally.h@qq.com