iOS安全攻防（六）：使用class-dump-z分析支付寶app – iPhone手機開發技術文章 iPhone軟體開發教學課程

使用class-dump-z分析支付寶app

為瞭瞭解支付寶app的源碼結構，我們可以使用class-dump-z工具來分析支付寶二進制。

1.下載配置class_dump_z

前往 https://code.google.com/p/networkpx/wiki/class_dump_z ，下載tar包，然後解壓配置到本地環境

$ tar -zxvf class-dump-z_0.2a.tar.gz
$ sudo cp mac_x86/class-dump-z /usr/bin/

2.class_dump支付寶app

$ class-dump-z Portal > Portal-dump.txt

@protocol XXEncryptedProtocol_10764b0
-(?)XXEncryptedMethod_d109df;
-(?)XXEncryptedMethod_d109d3;
-(?)XXEncryptedMethod_d109c7;
-(?)XXEncryptedMethod_d109bf;
-(?)XXEncryptedMethod_d109b8;
-(?)XXEncryptedMethod_d109a4;
-(?)XXEncryptedMethod_d10990;
-(?)XXEncryptedMethod_d1097f;
-(?)XXEncryptedMethod_d10970;
-(?)XXEncryptedMethod_d10968;
-(?)XXEncryptedMethod_d10941;
-(?)XXEncryptedMethod_d10925;
-(?)XXEncryptedMethod_d10914;
-(?)XXEncryptedMethod_d1090f;
-(?)XXEncryptedMethod_d1090a;
-(?)XXEncryptedMethod_d10904;
-(?)XXEncryptedMethod_d108f9;
-(?)XXEncryptedMethod_d108f4;
-(?)XXEncryptedMethod_d108eb;
@optional
-(?)XXEncryptedMethod_d109eb;
@end

查看得到的信息是加過密的，這個加密操作是蘋果在部署到app store時做的，所以我們還需要做一步解密操作。

3.使用Clutch解密支付寶app

1）下載Clutch
iOS7越獄後的Cydia源裡已經下載不到Clutch瞭，但是我們可以從網上下載好推進iPhone
地址：Clutch傳送門

2）查看可解密的應用列表

root# ./Clutch 

Clutch-1.3.2
usage: ./Clutch [flags] [application name] [...]
Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Molp MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相機 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo  

3）解密支付寶app

root# ./Clutch Portal

Clutch-1.3.2
Cracking Portal...
Creating working directory...
Performing initial analysis...
Performing cracking preflight...
dumping binary: analyzing load commands
dumping binary: obtaining ptrace handle
dumping binary: forking to begin tracing
dumping binary: successfully forked
dumping binary: obtaining mach port
dumping binary: preparing code resign
dumping binary: preparing to dump
dumping binary: ASLR enabled, identifying dump location dynamically
dumping binary: performing dump
dumping binary: patched cryptid
dumping binary: writing new checksum
Censoring iTunesMetadata.plist...
Packaging IPA file...

compression level: 0
	/var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa

elapsed time: 7473ms

Applications Cracked: 
Portal

Applications that Failed:

Total Success: 1 Total Failed: 0

4）導出已解密的支付寶app

從上一步驟得知，已解密的ipa位置為：/var/root/Documents/Cracked/支付寶錢包-v8.0.0-(Clutch-1.3.2).ipa
將其拷貝到本地去分析

4.class_dump已解密的支付寶app

解壓.ipa後，到 支付寶錢包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目錄下，class_dump已解密的二進制文件

$ class-dump-z Portal > ~/Portal-classdump.txt

這回就可以得到對應的信息瞭：

@protocol ALPNumPwdInputViewDelegate 
-(void)onPasswordDidChange:(id)onPassword;
@end

@protocol ALPContactBaseTableViewCellDelegate 
-(void)shareClicked:(id)clicked sender:(id)sender;
@end

@interface MMPPayWayViewController : XXUnknownSuperclass  {
@private
	Item* channelSelected;
	BOOL _bCheck;
	BOOL _bOpenMiniPay;
	BOOL _bNeedPwd;
	BOOL _bSimplePwd;
	BOOL _bAutopayon;
	BOOL _bHasSub;
	BOOL _bFirstChannel;
	BOOL _bChangeSub;
	BOOL _bClickBack;
	UITableView* _channelListTableView;
	NSMutableArray* _channelListArray;
	NSMutableArray* _subChanneSelectedlList;
	NSMutableArray* _unCheckArray;
	UIButton* _saveButton;
	UILabel* _tipLabel;
	MMPPasswordSwichView* _payWaySwitch;
	MMPPopupAlertView* _alertView;
	UIView* _setView;
	int _originalSelectedRow;
	int _currentSelectedRow;
	NSString* _statusCode;
	ChannelListModel* _defaultChannelList;
}
@property(assign, nonatomic) BOOL bClickBack;
@property(retain, nonatomic) ChannelListModel* defaultChannelList;
@property(retain, nonatomic) NSString* statusCode;
@property(assign, nonatomic) int currentSelectedRow;
@property(assign, nonatomic) int originalSelectedRow;
@property(retain, nonatomic) UIView* setView;
@property(retain, nonatomic) MMPPopupAlertView* alertView;
@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;
@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;
@property(assign, nonatomic) BOOL bFirstChannel;
@property(assign, nonatomic) BOOL bHasSub;
@property(assign, nonatomic) BOOL bAutopayon;
@property(assign, nonatomic) BOOL bSimplePwd;
@property(assign, nonatomic) BOOL bNeedPwd;
@property(assign, nonatomic) BOOL bOpenMiniPay;
@property(assign, nonatomic) BOOL bCheck;
@property(retain, nonatomic) UILabel* tipLabel;
@property(retain, nonatomic) UIButton* saveButton;
@property(retain, nonatomic) NSMutableArray* unCheckArray;
@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;
@property(retain, nonatomic) NSMutableArray* channelListArray;
@property(retain, nonatomic) UITableView* channelListTableView;
-(void).cxx_destruct;
-(void)subChannelDidSelected:(id)subChannel;
-(void)switchCheckButtonClicked:(id)clicked;
-(void)checkboxButtonClicked:(id)clicked;
-(void)onCellClick:(id)click;
-(void)showSubChannels;
-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;
-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;
-(int)tableView:(id)view numberOfRowsInSection:(int)section;
-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;
-(int)numberOfSectionsInTableView:(id)tableView;
-(void)setTableViewFootView:(id)view;
-(void)setTableViewHeaderView:(id)view;
-(id)tableView:(id)view viewForHeaderInSection:(int)section;
-(id)tableView:(id)view viewForFooterInSection:(int)section;
-(float)tableView:(id)view heightForHeaderInSection:(int)section;
-(float)tableView:(id)view heightForFooterInSection:(int)section;
-(void)alertView:(id)view clickedButtonAtIndex:(int)index;
-(void)clickSave;
-(void)netWorkRequestWithPwd:(id)pwd;
-(void)setPayWaySwitchStates:(id)states;
-(void)changePayWaySwitch:(id)aSwitch;
-(void)scrollToSelectedRow;
-(void)didReceiveMemoryWarning;
-(void)viewDidLoad;
-(void)applicationEnterBackground:(id)background;
-(void)dealloc;
-(void)goBack;
-(BOOL)isChannelsSetChanged;
-(id)subChannelCode:(int)code;
-(id)subChannelDesc:(int)desc;
-(id)initWithDefaultData:(id)defaultData;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
-(void)commonInit:(id)init;
@end

5.分析支付寶源碼片段

1）使用瞭@private關鍵字限制成員訪問權限
但是實際上，在Objective-C編程中，使用@private連Keypath訪問都攔不住的

2）拋出瞭冗長的成員對象
這非常有利分析程序結構

6.進一步思考

1）如何利用 class-dump 結果，結合 cycript 進行攻擊呢？
2）class-dump-z 如此強大，有什麼方法可以減少暴露的信息嗎？

接下來的博文將針對上面的思考，繼續總結～