【软件】 iTunes
【作者】 fosom
【2013.4.15】
【前提】OD,IDA,iTunes
最近很多看雪的朋友找我看看iTunes怎么分析,今天又恰好没事,就看了看。
【iTunes登录协议-描述】
<plist version="1.0">
<dict>
<key>appleId</key>
<string>asdfasdf@asdf.com</string>
<key>attempt</key>
<integer>1</integer>
<key>createSession</key>
<string>true</string>
<key>guid</key>
<string>4AEF365B.CF847F94.08E11EF5.FDD88C5B.09DA8172.65FAFEFB.6A193139</string>
<key>machineName</key>
<string>2012-20130221HH</string>
<key>password</key>
<string>qweqweqwe</string>
<key>why</key>
<string>signIn</string>
</dict>
</plist>
【登录过程分析】
·在此,只提供关键Call的分析过程:(也就是登录协议的xml的组合过程)
;-----------------------------------------------------------------------
; LoginServer -- builds the sign-in request dictionary and hands it to
; the HTTP sender (IDA listing, x86-32, iTunes.dll). Names such as
; LoginServer, GetCFString, Getkey_machineName, HttpSendPak and
; CFDictionarySetValue1 are the article author's renames, not symbols.
;
; Convention: register arguments, MSVC __fastcall-like (confirm):
;   ecx = opaque value, saved in var_244 and forwarded to HttpSendPak
;   edx = object pointer, kept in esi. Fields read from it here:
;     +8 / +0Ch  64-bit value emitted as "dsid" and copied into the
;                local struct passed to HttpSendPak
;     +8A0h      status code returned when sub_108186D0 yields NULL
;     +8A8h      CF object released and nulled before the retry
;     +8B0h      wide (UTF-16, checked as word) account  -> "appleId"
;     +0AB0h     wide (UTF-16, checked as word) password -> "password"
;     +0CB0h     32-bit counter                          -> "attempt"
;     +0CB4h     request-kind selector                   -> "why"
;     +0CB8h     bit0 -> createSession="true"; bit1 -> "kc"=1
;     +0CBCh     optional CFDictionary walked with CFDictionaryApplyFunction
;                (presumably merged into the request; callback not shown)
;     +0CC0h     receives a retained object taken from the HTTP out-struct
; Out:   eax = status. 0 = success; 138Dh (5005) from HttpSendPak is
;        retried once with createSession="true"; -108 when the
;        dictionary cannot be created.
; Locals: var_228 = request CFMutableDictionary (author: pXMLNode)
;        var_238 = object from sub_108186D0, released on exit
;        var_240/var_23C = 8-byte out-struct for HttpSendPak (size 8 is
;        pushed right after its address -- confirm)
;        var_220.. = local struct passed to HttpSendPak in ecx
; Frame: fs:0 exception frame (handler loc_10FC8DDB, EH state in var_4)
;        and a stack cookie dword_1131C190 ^ ebp checked by sub_10DD46B3
;        -- looks like MSVC /GS + EH frame; confirm.
; NOTE(review): the password is stored in the dictionary as a plain CF
;   string; the temporary is CFRelease'd after insertion but the
;   dictionary (kCFType value callbacks) retains it until the dictionary
;   is released at the end, and nothing in this function wipes the source
;   buffer at [esi+0AB0h]. Transport protection lives inside HttpSendPak
;   and cannot be judged from this listing.
;-----------------------------------------------------------------------
.text:1081B6F0 LoginServer proc near ; CODE XREF: sub_1082A6A0+3F7p
.text:1081B6F0
.text:1081B6F0 var_244 = dword ptr -244h ; saved ecx argument
.text:1081B6F0 var_240 = dword ptr -240h ; out-struct for HttpSendPak, word 0
.text:1081B6F0 var_23C = dword ptr -23Ch ; out-struct for HttpSendPak, word 1 (ref-counted object, released at 1081BBD7)
.text:1081B6F0 var_238 = dword ptr -238h ; CF object from sub_108186D0
.text:1081B6F0 var_234 = dword ptr -234h ; 64-bit scratch for CFNumberCreate (low dword)
.text:1081B6F0 var_230 = dword ptr -230h ; 64-bit scratch for CFNumberCreate (high dword)
.text:1081B6F0 var_229 = byte ptr -229h ; flag: emit "kc"=1
.text:1081B6F0 var_228 = dword ptr -228h ; request CFMutableDictionary
.text:1081B6F0 var_221 = byte ptr -221h ; flag: emit createSession="true"
.text:1081B6F0 var_220 = dword ptr -220h ; local struct passed to HttpSendPak (ecx): dsid low
.text:1081B6F0 var_21C = dword ptr -21Ch ; dsid high
.text:1081B6F0 var_218 = word ptr -218h ; zeroed word following dsid
.text:1081B6F0 var_18 = word ptr -18h ; set to 100h before the send -- role unknown
.text:1081B6F0 var_16 = byte ptr -16h ; zeroed before the send -- role unknown
.text:1081B6F0 var_10 = dword ptr -10h ; stack cookie (cookie ^ ebp)
.text:1081B6F0 var_C = dword ptr -0Ch ; fs:0 exception record link
.text:1081B6F0 var_4 = dword ptr -4 ; EH state
.text:1081B6F0
.text:1081B6F0 push ebp
.text:1081B6F1 mov ebp, esp
.text:1081B6F3 push 0FFFFFFFFh ; exception frame: initial EH state -1
.text:1081B6F5 push offset loc_10FC8DDB ; exception handler thunk
.text:1081B6FA mov eax, large fs:0
.text:1081B700 push eax ; link to previous fs:0 record
.text:1081B701 sub esp, 23Ch
.text:1081B707 mov eax, dword_1131C190 ; stack cookie (presumably __security_cookie)
.text:1081B70C xor eax, ebp
.text:1081B70E mov [ebp+var_10], eax
.text:1081B711 push ebx
.text:1081B712 push esi
.text:1081B713 push edi
.text:1081B714 push eax ; cookie copy kept below the saved regs (popped at 1081BC11)
.text:1081B715 lea eax, [ebp+var_C]
.text:1081B718 mov large fs:0, eax ; install the exception frame
.text:1081B71E xor edi, edi ; edi = 0; reused as NULL/zero constant below
.text:1081B720 xor ebx, ebx
.text:1081B722 mov [ebp+var_244], ecx ; first register arg, opaque here
.text:1081B728 mov esi, edx ; esi = object pointer for the rest of the function
.text:1081B72A mov [ebp+var_240], edi ; zero the HttpSendPak out-struct
.text:1081B730 mov [ebp+var_23C], ebx
.text:1081B736 mov [ebp+var_4], edi ; EH state 0
.text:1081B739 mov al, [esi+0CB8h]
.text:1081B73F and al, 1
.text:1081B741 mov [ebp+var_221], al ; var_221 = bit0 of +0CB8h
.text:1081B747 mov eax, [esi+0CB8h]
.text:1081B74D push edi ; arg: 0
.text:1081B74E shr eax, 1
.text:1081B750 push esi ; arg: object
.text:1081B751 and al, 1
.text:1081B753 push ecx ; arg: original ecx
.text:1081B754 mov ecx, dword_1156CA4C ; this/context for sub_108186D0
.text:1081B75A mov [ebp+var_229], al ; var_229 = bit1 of +0CB8h
.text:1081B760 call sub_108186D0 ; returns a CF object (CFRelease'd at 1081BBBB) or NULL
.text:1081B765 mov [ebp+var_238], eax
.text:1081B76B cmp eax, edi
.text:1081B76D jnz short loc_1081B77A
.text:1081B76F mov edi, [esi+8A0h] ; failure: return the object's stored status code
.text:1081B775 jmp loc_1081BBD0 ; nothing allocated yet, go straight to the epilogue
.text:1081B77A ; ---------------------------------------------------------------------------
.text:1081B77A
.text:1081B77A loc_1081B77A: ; CODE XREF: LoginServer+7Dj
.text:1081B77A mov ecx, ds:kCFTypeDictionaryValueCallBacks
.text:1081B780 mov edx, ds:kCFTypeDictionaryKeyCallBacks
.text:1081B786 push ecx
.text:1081B787 push edx
.text:1081B788 push edi ; capacity 0
.text:1081B789 push edi ; allocator NULL (default)
.text:1081B78A call ds:CFDictionaryCreateMutable ; CF type callbacks: keys and values are retained by the dictionary
.text:1081B790 add esp, 10h
.text:1081B793 mov [ebp+var_228], eax
.text:1081B799 cmp eax, edi
.text:1081B79B jnz short loc_1081B7A7
.text:1081B79D mov edi, 0FFFFFF94h ; -108 (looks like Carbon memFullErr -- confirm)
.text:1081B7A2 jmp loc_1081BBAE ; release var_238 and exit
.text:1081B7A7 ; ---------------------------------------------------------------------------
.text:1081B7A7
.text:1081B7A7 loc_1081B7A7: ; CODE XREF: LoginServer+ABj
.text:1081B7A7 mov eax, [esi+8] ; 64-bit dsid from the object
.text:1081B7AA mov ecx, [esi+0Ch]
.text:1081B7AD push offset aDsid ; "dsid"
.text:1081B7B2 mov [ebp+var_234], eax
.text:1081B7B8 mov [ebp+var_230], ecx
.text:1081B7BE call ds:__CFStringMakeConstantString
.text:1081B7C4 mov ebx, eax ; ebx = key CFString
.text:1081B7C6 add esp, 4
.text:1081B7C9 cmp ebx, edi
.text:1081B7CB jz short loc_1081B816
.text:1081B7CD mov edx, [ebp+var_234]
.text:1081B7D3 or edx, [ebp+var_230]
.text:1081B7D9 jz short loc_1081B816 ; dsid == 0 -> key omitted
.text:1081B7DB mov ecx, dword_11565448 ; allocator (presumably kCFAllocatorDefault)
.text:1081B7E1 lea eax, [ebp+var_234]
.text:1081B7E7 push eax ; &value
.text:1081B7E8 push 4 ; kCFNumberSInt64Type
.text:1081B7EA push ecx
.text:1081B7EB call ds:CFNumberCreate
.text:1081B7F1 mov edi, eax
.text:1081B7F3 add esp, 0Ch
.text:1081B7F6 test edi, edi
.text:1081B7F8 jz short loc_1081B816
.text:1081B7FA mov edx, [ebp+var_228]
.text:1081B800 push edi ; value
.text:1081B801 push ebx ; key
.text:1081B802 push edx ; dict
.text:1081B803 call ds:CFDictionarySetValue
.text:1081B809 add esp, 0Ch
.text:1081B80C push edi
.text:1081B80D call ds:CFRelease ; drop the local reference; the dictionary keeps its own
.text:1081B813 add esp, 4
.text:1081B816
.text:1081B816 loc_1081B816: ; CODE XREF: LoginServer+DBj
.text:1081B816 ; LoginServer+E9j ...
.text:1081B816 push offset aAppleid_0 ; key "appleId" -- the account name, here asdfasdf@asdf.com
.text:1081B81B lea edi, [esi+8B0h] ; edi = wide-string account buffer inside the object
.text:1081B821 call ds:__CFStringMakeConstantString
.text:1081B827 mov ebx, eax
.text:1081B829 add esp, 4
.text:1081B82C test ebx, ebx
.text:1081B82E jz short loc_1081B864
.text:1081B830 test edi, edi ; always non-NULL (esi+8B0h); compiler artifact
.text:1081B832 jz short loc_1081B864
.text:1081B834 cmp word ptr [edi], 0 ; skip an empty wide string
.text:1081B838 jz short loc_1081B864
.text:1081B83A mov eax, edi
.text:1081B83C call GetCFString ; wide string -> CF string (author's note: "Widestring --> char*"); result is CFRelease'd below, so it is a CF object
.text:1081B841 mov edi, eax
.text:1081B843 test edi, edi
.text:1081B845 jz short loc_1081B864
.text:1081B847 mov eax, [ebp+pXMLNode] ; 042B1170 E8 E6 78 01 80 12 00 01 09 00 00 00 00 00 00 00
.text:1081B847 ; 042B1180 00 00 00 00 00 00 01 00 50 02 76 01 00 00 00 00
.text:1081B84D push eax ; pXMLNode (= var_228, the request dictionary)
.text:1081B84E mov ecx, edi ; 0432E408 58 93 78 01 8C 07 00 01 12 65 65 65 65 65 65 65 X搙.eeeeeee
.text:1081B84E ; 0432E418 65 40 71 77 65 71 77 2E 63 6F 6D 00 00 00 00 00 e@qweqw.com.....
.text:1081B84E ;
.text:1081B84E ; (debugger dump of the value CFString: the account name)
.text:1081B850 mov edx, ebx ; 0426ACA0 58 93 78 01 8C 07 00 00 07 61 70 70 6C 65 49 64 X搙..appleId
.text:1081B850 ; 0426ACB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
.text:1081B850 ;
.text:1081B850 ; (debugger dump of the key CFString "appleId")
.text:1081B852 call CFDictionarySetValue1 ; stores key/value in the dictionary (author calls it an XML node)
.text:1081B852 ; args:
.text:1081B852 ; stack: dictionary pointer
.text:1081B852 ; ecx: value for this key
.text:1081B852 ; edx: key name
.text:1081B857 add esp, 4
.text:1081B85A push edi
.text:1081B85B call ds:CFRelease ; drop the local reference to the account string
.text:1081B861 add esp, 4
.text:1081B864
.text:1081B864 loc_1081B864: ; CODE XREF: LoginServer+13Ej
.text:1081B864 ; LoginServer+142j ...
.text:1081B864 push offset aPassword_0 ; key "password" -- plaintext password, here qweqweqwe
.text:1081B869 lea edi, [esi+0AB0h] ; edi = wide-string password buffer inside the object
.text:1081B86F call ds:__CFStringMakeConstantString
.text:1081B875 mov ebx, eax
.text:1081B877 add esp, 4
.text:1081B87A test ebx, ebx
.text:1081B87C jz short loc_1081B8B2
.text:1081B87E test edi, edi
.text:1081B880 jz short loc_1081B8B2
.text:1081B882 cmp word ptr [edi], 0 ; skip an empty password
.text:1081B886 jz short loc_1081B8B2
.text:1081B888 mov eax, edi
.text:1081B88A call sub_104B59D0 ; same call shape as GetCFString above -- presumably wide -> CF string
.text:1081B88F mov edi, eax
.text:1081B891 test edi, edi
.text:1081B893 jz short loc_1081B8B2
.text:1081B895 mov ecx, [ebp+var_228]
.text:1081B89B push ecx ; dict
.text:1081B89C mov ecx, edi ; value
.text:1081B89E mov edx, ebx ; key
.text:1081B8A0 call sub_10001580 ; same call shape as CFDictionarySetValue1 above -- presumably the same helper
.text:1081B8A5 add esp, 4
.text:1081B8A8 push edi
.text:1081B8A9 call ds:CFRelease ; NOTE(review): only the local ref is dropped; the dictionary retains the plaintext password string
.text:1081B8AF add esp, 4
.text:1081B8B2
.text:1081B8B2 loc_1081B8B2: ; CODE XREF: LoginServer+18Cj
.text:1081B8B2 ; LoginServer+190j ...
.text:1081B8B2 mov edx, [esi+0CB0h] ; 32-bit attempt counter, zero-extended to 64 bits
.text:1081B8B8 push offset aAttempt ; "attempt"
.text:1081B8BD mov [ebp+var_234], edx
.text:1081B8C3 mov [ebp+var_230], 0
.text:1081B8CD call ds:__CFStringMakeConstantString
.text:1081B8D3 mov ebx, eax
.text:1081B8D5 add esp, 4
.text:1081B8D8 test ebx, ebx
.text:1081B8DA jz short loc_1081B927
.text:1081B8DC mov eax, [ebp+var_234]
.text:1081B8E2 or eax, [ebp+var_230]
.text:1081B8E8 jz short loc_1081B927 ; attempt == 0 -> key omitted
.text:1081B8EA mov edx, dword_11565448
.text:1081B8F0 lea ecx, [ebp+var_234]
.text:1081B8F6 push ecx
.text:1081B8F7 push 4 ; kCFNumberSInt64Type
.text:1081B8F9 push edx
.text:1081B8FA call ds:CFNumberCreate
.text:1081B900 mov edi, eax
.text:1081B902 add esp, 0Ch
.text:1081B905 test edi, edi
.text:1081B907 jz short loc_1081B927
.text:1081B909 push edi ; value
.text:1081B90A push ebx ; key
.text:1081B90B mov ebx, [ebp+var_228] ; from here on ebx = request dictionary
.text:1081B911 push ebx ; dict
.text:1081B912 call ds:CFDictionarySetValue
.text:1081B918 add esp, 0Ch
.text:1081B91B push edi
.text:1081B91C call ds:CFRelease
.text:1081B922 add esp, 4
.text:1081B925 jmp short loc_1081B92D
.text:1081B927 ; ---------------------------------------------------------------------------
.text:1081B927
.text:1081B927 loc_1081B927: ; CODE XREF: LoginServer+1EAj
.text:1081B927 ; LoginServer+1F8j ...
.text:1081B927 mov ebx, [ebp+var_228] ; ebx = request dictionary (attempt skipped)
.text:1081B92D
.text:1081B92D loc_1081B92D: ; CODE XREF: LoginServer+235j
.text:1081B92D mov eax, [esi+0CBCh] ; optional extra dictionary
.text:1081B933 test eax, eax
.text:1081B935 jz short loc_1081B950
.text:1081B937 mov ecx, offset sub_103E2840 ; constant address: the NULL test below never fails
.text:1081B93C test ecx, ecx
.text:1081B93E jz short loc_1081B950
.text:1081B940 push ebx ; context = request dictionary
.text:1081B941 push offset sub_103E2840 ; applier (body not shown; presumably copies entries into the request)
.text:1081B946 push eax ; source dictionary
.text:1081B947 call ds:CFDictionaryApplyFunction
.text:1081B94D add esp, 0Ch
.text:1081B950
.text:1081B950 loc_1081B950: ; CODE XREF: LoginServer+245j
.text:1081B950 ; LoginServer+24Ej
.text:1081B950 mov edi, ebx ; edi = request dictionary
.text:1081B952 call Getkey_machineName ; author's name; OllyDbg call-stack entry: 119CFAE4 1081B957 returns to iTunes_1.1081B957 from iTunes_1.1081AA60
.text:1081B952 ; (per the author this is where "guid" and "machineName" are added -- body not shown)
.text:1081B952 ;
.text:1081B957 mov eax, [esi+0CB4h] ; request-kind selector -> "why" string
.text:1081B95D cmp eax, 1Ch
.text:1081B960 jg short loc_1081B9BC ; > 28: second jump table
.text:1081B962 jz short loc_1081B9B5 ; == 28: "machineAuthorize"
.text:1081B964 add eax, 0DDh ; bias by 221; valid range then 0..228 (bounds-checked below)
.text:1081B969 cmp eax, 0E4h
.text:1081B96E ja loc_1081BA0F ; out of range -> "unknown"
.text:1081B974 movzx edx, ds:byte_1081BC3C[eax] ; index table
.text:1081B97B jmp ds:off_1081BC24[edx*4] ; target table
.text:1081B982
.text:1081B982 loc_1081B982: ; DATA XREF: .text:off_1081BC24o
.text:1081B982 push offset aServerdialog ; "serverDialog"
.text:1081B987 jmp loc_1081BA14
.text:1081B98C ; ---------------------------------------------------------------------------
.text:1081B98C
.text:1081B98C loc_1081B98C: ; CODE XREF: LoginServer+28Bj
.text:1081B98C ; DATA XREF: .text:1081BC28o
.text:1081B98C push offset aSignin ; "signIn"
.text:1081B991 call ds:__CFStringMakeConstantString
.text:1081B997 mov [ebp+var_221], 1 ; signIn always requests createSession="true"
.text:1081B99E jmp short loc_1081BA1A
.text:1081B9A0 ; ---------------------------------------------------------------------------
.text:1081B9A0
.text:1081B9A0 loc_1081B9A0: ; CODE XREF: LoginServer+28Bj
.text:1081B9A0 ; DATA XREF: .text:1081BC2Co
.text:1081B9A0 push offset aCheckDownloadQ ; "check-download-queue"
.text:1081B9A5 jmp short loc_1081BA14
.text:1081B9A7 ; ---------------------------------------------------------------------------
.text:1081B9A7
.text:1081B9A7 loc_1081B9A7: ; CODE XREF: LoginServer+28Bj
.text:1081B9A7 ; DATA XREF: .text:1081BC34o
.text:1081B9A7 push offset aCheckforpurcha ; "checkForPurchasedMusic"
.text:1081B9AC jmp short loc_1081BA14
.text:1081B9AE ; ---------------------------------------------------------------------------
.text:1081B9AE
.text:1081B9AE loc_1081B9AE: ; CODE XREF: LoginServer+28Bj
.text:1081B9AE ; DATA XREF: .text:1081BC30o
.text:1081B9AE push offset aDownloadsUrl ; "downloads-url"
.text:1081B9B3 jmp short loc_1081BA14
.text:1081B9B5 ; ---------------------------------------------------------------------------
.text:1081B9B5
.text:1081B9B5 loc_1081B9B5: ; CODE XREF: LoginServer+272j
.text:1081B9B5 push offset aMachineauthori ; "machineAuthorize"
.text:1081B9BA jmp short loc_1081BA14
.text:1081B9BC ; ---------------------------------------------------------------------------
.text:1081B9BC
.text:1081B9BC loc_1081B9BC: ; CODE XREF: LoginServer+270j
.text:1081B9BC sub eax, 1Dh ; selector 29..55 handled by the second table
.text:1081B9BF cmp eax, 1Ah
.text:1081B9C2 ja short loc_1081BA0F ; out of range -> "unknown"
.text:1081B9C4 movzx eax, ds:byte_1081BD3C[eax]
.text:1081B9CB jmp ds:off_1081BD24[eax*4]
.text:1081B9D2
.text:1081B9D2 loc_1081B9D2: ; DATA XREF: .text:1081BD34o
.text:1081B9D2 push offset aViewaccount ; "viewAccount"
.text:1081B9D7 call ds:__CFStringMakeConstantString
.text:1081B9DD mov [ebp+var_221], 1 ; viewAccount also requests createSession="true"
.text:1081B9E4 jmp short loc_1081BA1A
.text:1081B9E6 ; ---------------------------------------------------------------------------
.text:1081B9E6
.text:1081B9E6 loc_1081B9E6: ; CODE XREF: LoginServer+2DBj
.text:1081B9E6 ; DATA XREF: .text:1081BD28o
.text:1081B9E6 push offset aPurchase ; "purchase"
.text:1081B9EB jmp short loc_1081BA14
.text:1081B9ED ; ---------------------------------------------------------------------------
.text:1081B9ED
.text:1081B9ED loc_1081B9ED: ; CODE XREF: LoginServer+2DBj
.text:1081B9ED ; DATA XREF: .text:1081BD2Co
.text:1081B9ED push offset aRedownload ; "redownload"
.text:1081B9F2 jmp short loc_1081BA14
.text:1081B9F4 ; ---------------------------------------------------------------------------
.text:1081B9F4
.text:1081B9F4 loc_1081B9F4: ; CODE XREF: LoginServer+2DBj
.text:1081B9F4 ; DATA XREF: .text:off_1081BD24o
.text:1081B9F4 push offset aMachinedeautho ; "machineDeauthorize"
.text:1081B9F9 jmp short loc_1081BA14
.text:1081B9FB ; ---------------------------------------------------------------------------
.text:1081B9FB
.text:1081B9FB loc_1081B9FB: ; CODE XREF: LoginServer+2DBj
.text:1081B9FB ; DATA XREF: .text:1081BD30o
.text:1081B9FB push offset aSetAutoDownloa ; "set-auto-download"
.text:1081BA00 call ds:__CFStringMakeConstantString
.text:1081BA06 mov [ebp+var_229], 1 ; set-auto-download also emits "kc"=1
.text:1081BA0D jmp short loc_1081BA1A
.text:1081BA0F ; ---------------------------------------------------------------------------
.text:1081BA0F
.text:1081BA0F loc_1081BA0F: ; CODE XREF: LoginServer+27Ej
.text:1081BA0F ; LoginServer+28Bj ...
.text:1081BA0F push offset aUnknown_2 ; "unknown" (default case)
.text:1081BA14
.text:1081BA14 loc_1081BA14: ; CODE XREF: LoginServer+297j
.text:1081BA14 ; LoginServer+2B5j ...
.text:1081BA14 call ds:__CFStringMakeConstantString ; eax = "why" value string
.text:1081BA1A
.text:1081BA1A loc_1081BA1A: ; CODE XREF: LoginServer+2AEj
.text:1081BA1A ; LoginServer+2F4j ...
.text:1081BA1A add esp, 4
.text:1081BA1D push offset aWhy ; <key>why</key>
.text:1081BA1D ; <string>signIn</string>
.text:1081BA22 mov edi, eax ; edi = value string chosen above
.text:1081BA24 call ds:__CFStringMakeConstantString
.text:1081BA2A add esp, 4
.text:1081BA2D test eax, eax
.text:1081BA2F jz short loc_1081BA41
.text:1081BA31 test edi, edi
.text:1081BA33 jz short loc_1081BA41
.text:1081BA35 push edi ; value
.text:1081BA36 push eax ; key "why"
.text:1081BA37 push ebx ; dict
.text:1081BA38 call ds:CFDictionarySetValue ; constant strings: no CFRelease needed
.text:1081BA3E add esp, 0Ch
.text:1081BA41
.text:1081BA41 loc_1081BA41: ; CODE XREF: LoginServer+33Fj
.text:1081BA41 ; LoginServer+343j
.text:1081BA41 cmp [ebp+var_229], 0 ; emit "kc" only when the flag is set
.text:1081BA48 jz short loc_1081BAC0
.text:1081BA4A push offset aKc ; "kc"
.text:1081BA4F mov [ebp+var_234], 1 ; value 1 as 64-bit
.text:1081BA59 mov [ebp+var_230], 0
.text:1081BA63 call ds:__CFStringMakeConstantString
.text:1081BA69 mov ebx, eax ; ebx temporarily = key (dictionary reloaded at 1081BABA)
.text:1081BA6B add esp, 4
.text:1081BA6E test ebx, ebx
.text:1081BA70 jz short loc_1081BABA
.text:1081BA72 mov ecx, [ebp+var_234]
.text:1081BA78 or ecx, [ebp+var_230]
.text:1081BA7E jz short loc_1081BABA ; never taken: value is the constant 1
.text:1081BA80 mov eax, dword_11565448
.text:1081BA85 lea edx, [ebp+var_234]
.text:1081BA8B push edx
.text:1081BA8C push 4 ; kCFNumberSInt64Type
.text:1081BA8E push eax
.text:1081BA8F call ds:CFNumberCreate
.text:1081BA95 mov edi, eax
.text:1081BA97 add esp, 0Ch
.text:1081BA9A test edi, edi
.text:1081BA9C jz short loc_1081BABA
.text:1081BA9E mov ecx, [ebp+var_228]
.text:1081BAA4 push edi ; value
.text:1081BAA5 push ebx ; key
.text:1081BAA6 push ecx ; dict
.text:1081BAA7 call ds:CFDictionarySetValue
.text:1081BAAD add esp, 0Ch
.text:1081BAB0 push edi
.text:1081BAB1 call ds:CFRelease
.text:1081BAB7 add esp, 4
.text:1081BABA
.text:1081BABA loc_1081BABA: ; CODE XREF: LoginServer+380j
.text:1081BABA ; LoginServer+38Ej ...
.text:1081BABA mov ebx, [ebp+var_228] ; ebx = request dictionary again
.text:1081BAC0
.text:1081BAC0 loc_1081BAC0: ; CODE XREF: LoginServer+358j
.text:1081BAC0 mov edx, [esi+8] ; fill the local struct handed to HttpSendPak: dsid first
.text:1081BAC3 mov eax, [esi+0Ch]
.text:1081BAC6 xor ecx, ecx
.text:1081BAC8 mov [ebp+var_220], edx
.text:1081BACE mov [ebp+var_21C], eax
.text:1081BAD4 mov [ebp+var_218], cx
.text:1081BADB mov [ebp+var_18], 100h ; meaning of 100h not visible here
.text:1081BAE1 mov [ebp+var_16], cl
.text:1081BAE4
.text:1081BAE4 loc_1081BAE4: ; CODE XREF: LoginServer+48Ej
.text:1081BAE4 ; send loop: runs at most twice (second pass only after status 138Dh with var_221 clear)
.text:1081BAE4 cmp [ebp+var_221], 0
.text:1081BAEB jz short loc_1081BB1F
.text:1081BAED push offset aTrue ; "true"
.text:1081BAF2 call ds:__CFStringMakeConstantString
.text:1081BAF8 add esp, 4
.text:1081BAFB push offset aCreatesession ; <key>createSession</key>
.text:1081BAFB ; <string>true</string>
.text:1081BB00 mov edi, eax ; edi = "true"
.text:1081BB02 call ds:__CFStringMakeConstantString
.text:1081BB08 add esp, 4
.text:1081BB0B test eax, eax
.text:1081BB0D jz short loc_1081BB1F
.text:1081BB0F test edi, edi
.text:1081BB11 jz short loc_1081BB1F
.text:1081BB13 push edi ; value
.text:1081BB14 push eax ; key
.text:1081BB15 push ebx ; dict
.text:1081BB16 call ds:CFDictionarySetValue
.text:1081BB1C add esp, 0Ch
.text:1081BB1F
.text:1081BB1F loc_1081BB1F: ; CODE XREF: LoginServer+3FBj
.text:1081BB1F ; LoginServer+41Dj ...
.text:1081BB1F mov eax, [ebp+var_238]
.text:1081BB25 mov ecx, [ebp+var_244]
.text:1081BB2B push 8 ; size of the out-struct at var_240 (presumed)
.text:1081BB2D lea edx, [ebp+var_240]
.text:1081BB33 push edx ; &out-struct
.text:1081BB34 push 3 ; meaning not visible here
.text:1081BB36 push eax ; object from sub_108186D0
.text:1081BB37 push esi ; object pointer
.text:1081BB38 push ecx ; original ecx argument
.text:1081BB39 mov edx, ebx ; edx = request dictionary
.text:1081BB3B lea ecx, [ebp+var_220] ; ecx = local struct filled at 1081BAC0
.text:1081BB41 call HttpSendPak ; <plist version="1.0">; by this point the request dictionary is complete and is handed off for HTTP transmission (author's name; no stack cleanup follows, so the callee pops the 6 args)
.text:1081BB41 ; <dict>
.text:1081BB41 ; <key>appleId</key>
.text:1081BB41 ; <string>asdfasdf@asdf.com</string>
.text:1081BB41 ; <key>attempt</key>
.text:1081BB41 ; <integer>1</integer>
.text:1081BB41 ; <key>createSession</key>
.text:1081BB41 ; <string>true</string>
.text:1081BB41 ; <key>guid</key>
.text:1081BB41 ; <string>4AEF365B.CF847F94.08E11EF5.FDD88C5B.09DA8172.65FAFEFB.6A193139</string>
.text:1081BB41 ; <key>machineName</key>
.text:1081BB41 ; <string>2012-20130221HH</string>
.text:1081BB41 ; <key>password</key>
.text:1081BB41 ; <string>qweqweqwe</string>
.text:1081BB41 ; <key>why</key>
.text:1081BB41 ; <string>signIn</string>
.text:1081BB41 ; </dict>
.text:1081BB41 ; </plist>
.text:1081BB46 mov edi, eax ; edi = status, becomes the return value
.text:1081BB48 cmp edi, 138Dh ; 5005: retry once with createSession="true"
.text:1081BB4E jnz short loc_1081BB83
.text:1081BB50 cmp [ebp+var_221], 0
.text:1081BB57 jnz short loc_1081BBA8 ; already sent with createSession -> give up, return 5005
.text:1081BB59 mov eax, [esi+8A8h]
.text:1081BB5F mov [ebp+var_221], 1 ; force createSession on the retry
.text:1081BB66 test eax, eax
.text:1081BB68 jz short loc_1081BB74
.text:1081BB6A push eax
.text:1081BB6B call ds:CFRelease ; drop the object at +8A8h before retrying
.text:1081BB71 add esp, 4
.text:1081BB74
.text:1081BB74 loc_1081BB74: ; CODE XREF: LoginServer+478j
.text:1081BB74 mov dword ptr [esi+8A8h], 0
.text:1081BB7E jmp loc_1081BAE4 ; second (last) send
.text:1081BB83 ; ---------------------------------------------------------------------------
.text:1081BB83
.text:1081BB83 loc_1081BB83: ; CODE XREF: LoginServer+45Ej
.text:1081BB83 test edi, edi ; non-zero status: skip response handling
.text:1081BB85 jnz short loc_1081BBA8
.text:1081BB87 mov eax, [ebp+var_240] ; first word of the out-struct, set by HttpSendPak
.text:1081BB8D test eax, eax
.text:1081BB8F jz short loc_1081BBA8
.text:1081BB91 mov eax, [eax+48h] ; field at +48h of that object (type not visible here)
.text:1081BB94 test eax, eax
.text:1081BB96 jz short loc_1081BBA2
.text:1081BB98 push eax
.text:1081BB99 call ds:CFRetain ; stored below, so the object keeps its own reference
.text:1081BB9F add esp, 4
.text:1081BBA2
.text:1081BBA2 loc_1081BBA2: ; CODE XREF: LoginServer+4A6j
.text:1081BBA2 mov [esi+0CC0h], eax ; NOTE: any previous value at +0CC0h is overwritten without release here
.text:1081BBA8
.text:1081BBA8 loc_1081BBA8: ; CODE XREF: LoginServer+467j
.text:1081BBA8 ; LoginServer+495j ...
.text:1081BBA8 mov ebx, [ebp+var_23C] ; second word of the out-struct: ref-counted object or 0
.text:1081BBAE
.text:1081BBAE loc_1081BBAE: ; CODE XREF: LoginServer+B2j
.text:1081BBAE mov edx, [ebp+var_238]
.text:1081BBB4 mov esi, ds:CFRelease
.text:1081BBBA push edx
.text:1081BBBB call esi ; CFRelease ; release the object from sub_108186D0
.text:1081BBBD mov eax, [ebp+var_228]
.text:1081BBC3 add esp, 4
.text:1081BBC6 test eax, eax
.text:1081BBC8 jz short loc_1081BBD0
.text:1081BBCA push eax
.text:1081BBCB call esi ; CFRelease ; release the request dictionary (and with it the retained password string)
.text:1081BBCD add esp, 4
.text:1081BBD0
.text:1081BBD0 loc_1081BBD0: ; CODE XREF: LoginServer+85j
.text:1081BBD0 ; LoginServer+4D8j
.text:1081BBD0 mov [ebp+var_4], 0FFFFFFFFh ; EH state back to -1
.text:1081BBD7 test ebx, ebx ; ebx = 0 on the early-exit paths
.text:1081BBD9 jz short loc_1081BC05
.text:1081BBDB lea eax, [ebx+4] ; looks like a two-counter intrusive ref-count release: counter at +4, then +8 -- confirm
.text:1081BBDE or ecx, 0FFFFFFFFh
.text:1081BBE1 lock xadd [eax], ecx ; atomic decrement of [ebx+4]
.text:1081BBE5 jnz short loc_1081BC05 ; still referenced elsewhere
.text:1081BBE7 mov edx, [ebx] ; vtable
.text:1081BBE9 mov eax, [edx+4] ; vtable slot 1
.text:1081BBEC mov ecx, ebx ; this
.text:1081BBEE call eax
.text:1081BBF0 lea ecx, [ebx+8]
.text:1081BBF3 or edx, 0FFFFFFFFh
.text:1081BBF6 lock xadd [ecx], edx ; atomic decrement of [ebx+8]
.text:1081BBFA jnz short loc_1081BC05
.text:1081BBFC mov eax, [ebx]
.text:1081BBFE mov edx, [eax+8] ; vtable slot 2
.text:1081BC01 mov ecx, ebx
.text:1081BC03 call edx
.text:1081BC05
.text:1081BC05 loc_1081BC05: ; CODE XREF: LoginServer+4E9j
.text:1081BC05 ; LoginServer+4F5j ...
.text:1081BC05 mov eax, edi ; return status
.text:1081BC07 mov ecx, [ebp+var_C]
.text:1081BC0A mov large fs:0, ecx ; unlink the exception frame
.text:1081BC11 pop ecx ; cookie copy pushed at 1081B714
.text:1081BC12 pop edi
.text:1081BC13 pop esi
.text:1081BC14 pop ebx
.text:1081BC15 mov ecx, [ebp+var_10]
.text:1081BC18 xor ecx, ebp
.text:1081BC1A call sub_10DD46B3 ; stack cookie check (presumably __security_check_cookie)
.text:1081BC1F mov esp, ebp
.text:1081BC21 pop ebp
.text:1081BC22 retn ; no stack arguments to pop
.text:1081BC22 LoginServer endp
【关于iTunes.下载的通讯协议】
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>guid</key>
<string>B0AAC223.90E7035E.5328E781.E0AD481B.14DF9387.8C26EAF9.6C7326D2</string> //参数1.GUID
<key>kbsync</key>
<data>
AAQAA3DvM5I0QawMtpWq5REJaqnMDsT06D9kgFkHi+kvAsFrHQBIkYSiR7TRY2+nlEQm //参数2.kbsync_data,也是最关键的地方,参见:附录A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</data>
<key>machineName</key>
<string>FSDGFF</string> //参数3. 机器码
<key>needDiv</key>
<string>1</string>
<key>origPage</key>
<string>Genre-CN-Mobile Software Applications-36-iphone</string>
<key>origPage2</key>
<string>Genre-CN-Mobile Software Applications-36-iphone</string>
<key>origPageCh</key>
<string>Mobile Software Applications-main</string>
<key>origPageCh2</key>
<string>Mobile Software Applications-main</string>
<key>origPageLocation</key>
<string>Titledbox_排行榜|Listbox_免费 App|Lockup_2|Buy</string>
<key>price</key>
<string>0</string>
<key>pricingParameters</key>
<string>STDQ</string>
<key>productType</key>
<string>C</string>
<key>salableAdamId</key>
<string>510886627</string>
</dict>
</plist>
【附录A--kbsync的加密call的分析】
所在模块: iTunes.dll
; Fragment of sub_1081D1F0 (the prologue and the code before 1081D22A
; are not shown). Adds the "kbsync" CFData entry to a dictionary.
; Inputs as visible here:
;   arg_0 = target dictionary (may be NULL -> entry skipped)
;   var_4 = pointer to the kbsync bytes   (edi)
;   var_8 = byte count                    (esi)
; Returns eax = 0.
; NOTE(review): CFDataCreate copies the bytes, and the copy is already
;   stored in the dictionary before Encrypt_kbsync runs on var_4; so
;   whatever that helper does to the buffer does not affect the data
;   that was just inserted. The name is the author's label -- confirm.
.text:1081D22A mov esi, [ebp+var_8] ; esi = length
.text:1081D22D mov edi, [ebp+var_4] ; edi = bytes
.text:1081D230 push offset aKbsync ; "kbsync" ; the key the author searched for
.text:1081D235 call ds:__CFStringMakeConstantString
.text:1081D23B add esp, 4
.text:1081D23E cmp [ebp+arg_0], 0
.text:1081D242 mov ebx, eax ; ebx = key CFString
.text:1081D244 jz short loc_1081D280 ; no dictionary -> skip
.text:1081D246 test ebx, ebx
.text:1081D248 jz short loc_1081D280
.text:1081D24A test edi, edi
.text:1081D24C jnz short loc_1081D252 ; bytes present -> create data
.text:1081D24E test esi, esi
.text:1081D250 jnz short loc_1081D280 ; NULL bytes with non-zero length -> skip; NULL with length 0 falls through (empty data)
.text:1081D252
.text:1081D252 loc_1081D252: ; CODE XREF: sub_1081D1F0+5Cj
.text:1081D252 mov edx, dword_11565448 ; allocator (presumably kCFAllocatorDefault)
.text:1081D258 push esi ; length
.text:1081D259 push edi ; bytes
.text:1081D25A push edx
.text:1081D25B call ds:CFDataCreate ; CFData copy of the kbsync bytes
.text:1081D261 mov esi, eax
.text:1081D263 add esp, 0Ch
.text:1081D266 test esi, esi
.text:1081D268 jz short loc_1081D280
.text:1081D26A mov eax, [ebp+arg_0]
.text:1081D26D push esi ; value
.text:1081D26E push ebx ; key
.text:1081D26F push eax ; dict
.text:1081D270 call ds:CFDictionarySetValue
.text:1081D276 push esi
.text:1081D277 call ds:CFRelease ; dictionary keeps its own reference
.text:1081D27D add esp, 10h ; pops both calls' arguments at once
.text:1081D280
.text:1081D280 loc_1081D280: ; CODE XREF: sub_1081D1F0+54j
.text:1081D280 ; sub_1081D1F0+58j ...
.text:1081D280 mov ecx, [ebp+var_4]
.text:1081D283 push ecx ; the original byte buffer, not the CFData
.text:1081D284 call Encrypt_kbsync ; author's label ("encrypt kbsync data"); runs after the copy is already in the dictionary
.text:1081D289 add esp, 4
.text:1081D28C xor eax, eax ; return 0
.text:1081D28E
.text:1081D28E loc_1081D28E: ; CODE XREF: sub_1081D1F0+38j
.text:1081D28E pop edi
.text:1081D28F pop esi
.text:1081D290 pop ebx
.text:1081D291 mov esp, ebp
.text:1081D293 pop ebp
.text:1081D294 retn