iOS Reverse Engineering: Modifying Hook Scripts for Common Algorithms


Printing the call stack:

	log('堆栈 from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');

Once we have made a blind guess at the algorithm, we can trace it directly with:

frida-trace -UF -i CC_MD5 -i CC_SHA1

The -i xxx option can be repeated as many times as needed;

We know that in Objective-C the first two arguments are the class (or instance) itself and the selector (method name), so to print the first real parameter we can print the value at index 2 directly;

Edit the js files under this path directly to complete the handler scripts;

C:\Users\xxx_handlers_\libcommonCrypto.dylib

CC_MD5.js

/*
 * Auto-generated by Frida. Please modify to match the signature of CC_MD5.
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call CC_MD5.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // CC_MD5(const void *data, CC_LONG len, unsigned char *md): dump the input buffer
    log('CC_MD5() onEnter: ' + args[0].readCString(args[1].toInt32()));
    // keep the output pointer so onLeave can read the digest written there
    this.args2 = args[2];
  },

  /**
   * Called synchronously when about to return from CC_MD5.
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
    // the 16-byte MD5 digest now sits at the md pointer saved in onEnter
    log('CC_MD5() onLeave: ' + hexdump(this.args2, {length: 16}));
  }
}

CC_SHA1.js

/*
 * Auto-generated by Frida. Please modify to match the signature of CC_SHA1.
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call CC_SHA1.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // CC_SHA1(const void *data, CC_LONG len, unsigned char *md): dump the input buffer
    log('CC_SHA1() onEnter: ' + args[0].readCString(args[1].toInt32()));
    // keep the output pointer so onLeave can read the digest written there
    this.args2 = args[2];
  },

  /**
   * Called synchronously when about to return from CC_SHA1.
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
    // the 20-byte SHA-1 digest now sits at the md pointer saved in onEnter
    log('CC_SHA1() onLeave: ' + hexdump(this.args2, {length: 20}));
  }
}

SecKeyEncrypt RSA

frida-trace -UF -i CC_MD5 -i CC_SHA1 -i CCCrypt -i SecKeyEncrypt


/*
 * Auto-generated by Frida. Please modify to match the signature of SecKeyEncrypt.
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call SecKeyEncrypt.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // SecKeyEncrypt(SecKeyRef key, SecPadding padding, const uint8_t *plainText,
    //               size_t plainTextLen, uint8_t *cipherText, size_t *cipherTextLen)
    log('SecKeyEncrypt called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
    log('SecKeyEncrypt key: ' + hexdump(args[0]));
    log('SecKeyEncrypt padding: ' + args[1].toInt32());
    // plainText is not NUL-terminated: dump exactly plainTextLen bytes instead of readCString()
    const plainTextSize = args[3].toInt32();
    log('SecKeyEncrypt plainText:\n' + hexdump(args[2], {length: plainTextSize}));
    log('SecKeyEncrypt plainTextSize: ' + plainTextSize);
    this.args4 = args[4];
    this.args5 = args[5];
  },

  /**
   * Called synchronously when about to return from SecKeyEncrypt.
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
    // *cipherTextLen now holds the number of bytes written; use it as the dump length
    // (low 32 bits of the size_t are enough for any realistic RSA output)
    const cipherTextSize = this.args5.readU32();
    log('SecKeyEncrypt cipherText:\n' + hexdump(this.args4, {length: cipherTextSize}));
    log('SecKeyEncrypt cipherTextSize: ' + cipherTextSize);
  }
}


frida-trace -UF -m "-[NSData initWithContentsOfFile:]"

Viewing the local certificate being loaded


CCCrypt

/*
 * Auto-generated by Frida. Please modify to match the signature of CCCrypt.
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call CCCrypt.
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // CCCrypt(op, alg, options, key, keyLength, iv, dataIn, dataInLength,
    //         dataOut, dataOutAvailable, dataOutMoved); see the signature below
    log('CCCrypt called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
    // log() takes a single string, so concatenate instead of passing a second argument
    const alg = args[1].toInt32();
    const keyLen = args[4].toInt32();
    const dataInLength = args[7].toInt32();
    log('CCCrypt() kCCEncrypt 0 or kCCDecrypt 1: ' + args[0].toInt32());
    log('CCCrypt() CCAlgorithm: ' + alg);
    log('CCCrypt() CCOptions 1/2: ' + args[2].toInt32());
    log('CCCrypt() key (' + keyLen + ' bytes):\n' + hexdump(args[3], {length: keyLen}));
    // iv may be NULL (ECB mode or a stream cipher); hexdump(NULL) would crash the process.
    // Block size is 16 for AES (alg 0) and 8 for the other block ciphers.
    log('CCCrypt() iv: ' + (args[5].isNull() ? 'NULL'
        : '\n' + hexdump(args[5], {length: alg === 0 ? 16 : 8})));
    log('CCCrypt() dataIn (' + dataInLength + ' bytes):\n' + hexdump(args[6], {length: dataInLength}));
    this.args8 = args[8];
    this.args10 = args[10];
  },

  /**
   * Called synchronously when about to return from CCCrypt.
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
    // *dataOutMoved holds the byte count actually written to dataOut (read it, don't hexdump the pointer)
    const dataOutLen = this.args10.isNull() ? 0 : this.args10.readU32();
    log('CCCrypt() status: ' + retval.toInt32());
    log('CCCrypt() dataOutLen: ' + dataOutLen);
    if (dataOutLen > 0) log('CCCrypt() dataOut:\n' + hexdump(this.args8, {length: dataOutLen}));
  }
}

CCCrypt signature:

CCCryptorStatus CCCrypt(
    CCOperation op,          /* kCCEncrypt 0, kCCDecrypt 1 */
    CCAlgorithm alg,         /* kCCAlgorithmAES128=0, kCCAlgorithmAES=0, kCCAlgorithmDES, kCCAlgorithm3DES, kCCAlgorithmCAST, kCCAlgorithmRC4, kCCAlgorithmRC2, kCCAlgorithmBlowfish */
    CCOptions options,       /* kCCOptionPKCS7Padding=1, kCCOptionECBMode=2 */
    const void *key,         /* the key, e.g. jdiwjcnd */
    size_t keyLength,        /* key length; it must match the chosen algorithm, and each algorithm requires a different key length. Valid values: */
        kCCKeySizeAES128 = 16,
        kCCKeySizeAES192 = 24,
        kCCKeySizeAES256 = 32,
        kCCKeySizeDES = 8,
        kCCKeySize3DES = 24,
        kCCKeySizeMinCAST = 5,
        kCCKeySizeMaxCAST = 16,
        kCCKeySizeMinRC4 = 1,
        kCCKeySizeMaxRC4 = 512,
        kCCKeySizeMinRC2 = 1,
        kCCKeySizeMaxRC2 = 128,
        kCCKeySizeMinBlowfish = 8,
        kCCKeySizeMaxBlowfish = 56
    const void *iv,          /* optional initialization vector */ The vector used by the cipher; required in CBC mode, 16 bytes. Not needed in ECB mode.

Original (header) explanation: Initialization vector, optional, used in CBC mode. If present, it must be the same length as the block size of the selected algorithm. If CBC mode is selected (by the absence of any mode bits in the options flags) and no IV is present, a NULL (all zeroes) IV will be used. It is ignored if ECB mode is used or if a stream cipher algorithm is selected. For sound encryption, always initialize the IV with random data.

There are three ways to create the iv, for example:
const Byte iv[] = {1,2,3,4,5,6,7,8};
const Byte iv[] = {0,1,2,3,4,5,6,7};

    const void *dataIn,      /* optional per op and alg */ The data to encrypt or decrypt, of type const char *; convert a string with its UTF8String.
    size_t dataInLength,     Length of the data, of type size_t.
    void *dataOut,           /* data RETURNED here */ Output buffer; the encrypted or decrypted data is written here.
    size_t dataOutAvailable, Space available for the output: the size of the data buffer in bytes.
    size_t *dataOutMoved)    Actual size of the output. On successful return, the number of bytes written to dataOut. If kCCBufferTooSmall is returned because the supplied buffer is too small, the required buffer size is returned here.
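Added example (not from the original post): a plain JavaScript helper that decodes the integer values of op, alg, options and keyLength captured in onEnter against the constants listed above, and flags configurations worth a second look (invalid key length, ECB mode, NULL IV under CBC, RC4 or DES). The numeric algorithm ids follow the CCAlgorithm enum order above; the helper uses no Frida API, so it also runs under Node and can be pasted into the CCCrypt handler.

```javascript
// Added example (not part of the original post): decode raw CCCrypt() arguments.
// Call from the handler's onEnter as:
//   describeCCCrypt(args[0].toInt32(), args[1].toInt32(), args[2].toInt32(),
//                   args[4].toInt32(), args[5].isNull())
const CC_OPERATION = { 0: 'kCCEncrypt', 1: 'kCCDecrypt' };
// CCAlgorithm enum order: AES128=0, DES, 3DES, CAST, RC4, RC2, Blowfish
const CC_ALGORITHM = { 0: 'AES', 1: 'DES', 2: '3DES', 3: 'CAST', 4: 'RC4', 5: 'RC2', 6: 'Blowfish' };
const kCCOptionPKCS7Padding = 1;
const kCCOptionECBMode = 2;
// Allowed key lengths per algorithm, from the kCCKeySize* constants listed above.
// Fixed-size algorithms list every valid size; ranged ones list [min, max].
const KEY_SIZES = {
  AES: [16, 24, 32], DES: [8], '3DES': [24], CAST: [5, 16],
  RC4: [1, 512], RC2: [1, 128], Blowfish: [8, 56],
};
const RANGED = new Set(['CAST', 'RC4', 'RC2', 'Blowfish']);
const BLOCK_SIZE = { AES: 16, DES: 8, '3DES': 8, CAST: 8, RC2: 8, Blowfish: 8 };

function keyLengthValid(algName, keyLen) {
  const sizes = KEY_SIZES[algName];
  if (!sizes) return false;
  if (RANGED.has(algName)) return keyLen >= sizes[0] && keyLen <= sizes[1];
  return sizes.includes(keyLen);
}

// op, alg, options, keyLen are the integer values of args[0..2] and args[4];
// ivIsNull is true when args[5] is a NULL pointer.
function describeCCCrypt(op, alg, options, keyLen, ivIsNull) {
  const algName = CC_ALGORITHM[alg] || 'unknown(' + alg + ')';
  const opts = [];
  if (options & kCCOptionPKCS7Padding) opts.push('PKCS7Padding');
  if (options & kCCOptionECBMode) opts.push('ECBMode');
  const warnings = [];
  if (!keyLengthValid(algName, keyLen)) warnings.push('key length ' + keyLen + ' is invalid for ' + algName);
  if (algName === 'RC4') warnings.push('RC4 is a broken stream cipher');
  if (algName === 'DES') warnings.push('DES has a 56-bit effective key');
  if (options & kCCOptionECBMode) warnings.push('ECB mode leaks plaintext patterns');
  // no mode bit means CBC for block ciphers; a NULL iv then becomes all zeroes
  else if (algName !== 'RC4' && ivIsNull) warnings.push('CBC with NULL IV (all zeroes)');
  return {
    operation: CC_OPERATION[op] || 'unknown(' + op + ')',
    algorithm: algName,
    options: opts.length ? opts.join('|') : 'none',
    blockSize: BLOCK_SIZE[algName] || 0,
    warnings: warnings,
  };
}
```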

Locating code via a popup:

Popup control:

frida-trace -UF -m "*[UIAlertView *]"

Then modify the generated js to add stack printing and other operations.

Locating code via a URL:

frida-trace -UF -m "+[NSURL URLWithString:]"

/*
 * Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].
 * This stub is currently auto-generated from manpages when available.
 *
 * For full API reference, see: https://frida.re/docs/javascript-api/
 */

{
  /**
   * Called synchronously when about to call +[NSURL URLWithString:].
   *
   * @this {object} - Object allowing you to store state for use in onLeave.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {array} args - Function arguments represented as an array of NativePointer objects.
   * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
   * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
   * @param {object} state - Object allowing you to keep state across function calls.
   * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
   * However, do not use this to store function arguments across onEnter/onLeave, but instead
   * use "this" which is an object for keeping state local to an invocation.
   */
  onEnter(log, args, state) {
    // args[0] = class, args[1] = selector; args[2] is the NSString parameter
    log('+[NSURL URLWithString:] called from:\n' +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n') + '\n');
    log('+[NSURL URLWithString:] ' + ObjC.Object(args[2]));
  },

  /**
   * Called synchronously when about to return from +[NSURL URLWithString:].
   *
   * See onEnter for details.
   *
   * @this {object} - Object allowing you to access state stored in onEnter.
   * @param {function} log - Call this function with a string to be presented to the user.
   * @param {NativePointer} retval - Return value represented as a NativePointer object.
   * @param {object} state - Object allowing you to keep state across function calls.
   */
  onLeave(log, retval, state) {
  }
}

frida demo:

var initWithMethod = ObjC.classes.XYHTTPRequest['+ initWithMethod:requestURL:requestParam:requestHeaderField:'];
Interceptor.attach(initWithMethod.implementation, {
    onEnter: function (args) {
        console.log('initWithMethod called from:\n' +
            Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress).join('\n') + '\n');
        // args[0] = class, args[1] = selector; the method's own parameters start at args[2]
        //console.log("args[2]: ", (args[2]));
        console.log("args[3]: ", ObjC.Object(args[3]));
        console.log("args[4]: ", ObjC.Object(args[4]));
        console.log("args[5]: ", ObjC.Object(args[5]));
    },
    onLeave: function (retval) {
    }
});
