今天来看看xx助手的lua脚本解密
1. 找寻线索
/Library/MobileSubstrate/DynamicLibraries下面看到 XXScreenShot.dylib XXScreenShot.plist
Plist内容如下
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Filter</key>
<dict>
<key>Bundles</key>
<array>
<string>com.apple.backboardd</string>
</array>
</dict>
</dict>
</plist>
恩,明白了是hook了backboardd进程
2. 静态分析
IDA 载入 XXScreenShot.dylib --- 找到loadLuaData函数,分析发现用的是 XXTEA 算法(TEA 的变种;后面 hook 的导出符号名 XxteaDecrypt 也印证了这一点)
分析了一下,x23寄存器是输出缓冲区
3. 动态调试
手机端运行:
Mac端运行:
4.下断
此时在目标程序上点击“播放”,让脚本载入
5.继续分析
由于前面用IDA分析过x23寄存器保存了输出数据,那么我们直接在0x103d12cdc下断点,此时x23已经得到了数据,下好断点后,继续运行,如下图,顺利中断(注意 0x103d12cdc 是本次运行时的绝对地址,dylib 受 ASLR 影响每次加载的基址都不同,重新调试时要按 模块基址+偏移 重新计算断点地址)
6.输出数据
此时lua脚本已经完整解密了!!!
7.编写tweak
我们可以写个tweak来抓取脚本:直接 hook 导出的 XxteaDecrypt 函数,等它返回后把输出缓冲区(解密后的 lua 源码)打印出来
/*
获取xx助手lua脚本
By 飘云/P.Y.G
2015-04-29
http://www.chinapyg.com
*/
#import <substrate.h>
#import <pthread.h>
#import <string.h>
#import <unistd.h>
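// Trampoline to the original XxteaDecrypt, filled in by MSHookFunction.
//
// The parameter types follow the mangled export __Z12XxteaDecryptPKciS0_iPci,
// which demangles to XxteaDecrypt(const char *, int, const char *, int, char *, int):
// the length arguments are 32-bit ints, not size_t. On arm64 a 32-bit argument
// leaves the upper half of its register unspecified, so declaring them as
// size_t (as the original did) could read garbage in the high bits.
// a4 is presumably the key length and a6 the output capacity -- unconfirmed.
typedef signed int (*XxteaDecryptFn)(const char *inBuf, int bufLen, const char *key, int a4, char *outBuf, int a6);
XxteaDecryptFn orig_XxteaDecrypt = NULL;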
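// Replacement for XxteaDecrypt: runs the real routine, then logs what it wrote
// into outBuf (the decrypted Lua script).
//
// Parameters mirror the mangled export __Z12XxteaDecryptPKciS0_iPci, i.e.
// (const char *, int, const char *, int, char *, int). The length arguments are
// 32-bit ints there; a size_t declaration would read the unspecified upper half
// of the argument register on arm64, so they are kept as int here.
// a4 is presumably the key length and a6 the output capacity -- unconfirmed.
// ret's meaning (status or byte count) is unknown from the symbol alone, so the
// buffer is logged on every call, successful or not.
signed int myXxteaDecrypt(const char *inBuf, int bufLen, const char *key, int a4, char *outBuf, int a6)
{
    signed int ret = orig_XxteaDecrypt(inBuf, bufLen, key, a4, outBuf, a6);

    if (outBuf == NULL) {
        NSLog(@"[++++]XxteaDecrypt returned %d with no output buffer", ret);
        return ret;
    }

    // Nothing guarantees a NUL terminator in outBuf, so a bare "%s" could read
    // past its end. Bound the read by the input length: a standard XXTEA decrypt
    // never yields more bytes than it consumed (it works in place, word by word).
    // TODO confirm against the binary; if a6 really is the output capacity it is
    // the tighter bound to use.
    size_t cap = bufLen > 0 ? (size_t)bufLen : 0;
    size_t len = strnlen(outBuf, cap);

    // NOTE: syslog may truncate long messages; for a complete dump of a large
    // script, write outBuf to a file instead of relying on NSLog.
    NSLog(@"[++++]%.*s", (int)len, outBuf);
    return ret;
}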
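// Polling cadence for the symbol lookup below.
enum {
    kLookupIntervalUs = 100000,   // 100 ms between MSFindSymbol attempts
    kLookupMaxAttempts = 3000     // ~5 minutes before giving up
};

// Background thread: waits for XXScreenShot's XxteaDecrypt export to appear
// (its dylib may be loaded after this one), then hooks it.
//
// The original spun in a tight loop with no sleep, which pegs a core inside
// backboardd -- the process that drives the display and input -- and never
// terminates if the symbol never shows up. Sleep between polls and give up
// after a bounded number of attempts instead.
void *threadFun(void *arg)
{
    (void)arg;

    for (unsigned attempt = 0; attempt < kLookupMaxAttempts; attempt++) {
        // NULL image: search every image currently loaded in the process.
        void *target = MSFindSymbol(NULL, "__Z12XxteaDecryptPKciS0_iPci");
        if (target == NULL) {
            usleep(kLookupIntervalUs);
            continue;
        }

        NSLog(@"[++++]lpFun = %p", target);
        MSHookFunction(target, (void *)myXxteaDecrypt, (void **)&orig_XxteaDecrypt);
        NSLog(@"[++++]orig_XxteaDecrypt = %p", orig_XxteaDecrypt);

        // MSHookFunction returns nothing; a NULL trampoline is the only sign
        // something went wrong. If the patch was still applied, the first
        // decrypt will call through NULL inside myXxteaDecrypt.
        if (orig_XxteaDecrypt == NULL)
            NSLog(@"[++++]hook produced no trampoline; hooked decrypt calls would crash");
        return NULL;
    }

    NSLog(@"[++++]XxteaDecrypt not found after %u attempts; giving up", (unsigned)kLookupMaxAttempts);
    return NULL;
}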
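// Constructor: runs when MobileSubstrate loads this dylib into backboardd.
// The hook is installed from a helper thread rather than here because the
// target dylib may not be loaded yet at constructor time.
static __attribute__((constructor)) void piaoyun()
{
    pthread_t th;
    int err = pthread_create(&th, NULL, threadFun, NULL);
    if (err != 0) {
        // printf goes to stdout, which a daemon like backboardd has nowhere
        // useful; NSLog lands in syslog next to the other "[++++]" lines.
        NSLog(@"[++++]pthread_create error: %s", strerror(err));
        return;
    }

    // Nobody joins this thread; detach it so its resources are reclaimed on exit.
    pthread_detach(th);

    // "success" only means the lookup thread started, not that the hook is in.
    NSLog(@"[++++]inject success!!!!");
}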
8.Tweak演示