第一题:
解压ipa后,拖level1到ida
定位到[ViewController onClick]
// ViewController - (void)onClick
// IDA pseudocode for the button handler. It rebuilds the expected answer at
// runtime (five rounds of a "Ceasar_CipherModel" decrypt followed by an AES
// decrypt, starting from a string constant and using a hard-coded password),
// compares it byte by byte with the text field contents, and shows an alert
// whose message depends on the result.
void __cdecl -[ViewController onClick](struct ViewController *self, SEL a2)
{
__CFString *v2; // r6@1 -- current ciphertext; holds the expected answer after the loop
signed int v3; // r11@1 -- round counter, also used as the cipher key
void *v4; // r0@2
void *v5; // r5@2
void *v6; // r0@2
void *v7; // r0@3
void *v8; // r0@3
void *v9; // r4@3 -- UTF-8 bytes of the user's text
void *v10; // r0@3
const char *v11; // r5@3 -- UTF-8 bytes of the expected answer
int v12; // r0@3
size_t v13; // r6@5
int v14; // r0@7
int v15; // r1@7
signed int v16; // r4@8 -- 1 when the input matched, 0 otherwise
void *v17; // r0@10
__CFString *v18; // r3@11
void *v19; // r0@13
struct ViewController *v20; // [sp+10h] [bp-28h]@1
v20 = self;
// Starting ciphertext embedded in the binary (looks base64-encoded; the
// Cycript session below feeds exactly this literal in by hand).
v2 = CFSTR("mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==");
// v3 is decremented before it is used, so initWithCipherKey: receives
// 4, 3, 2, 1, 0 -- five rounds; the loop exits once v3 reaches 0.
v3 = 5;
do
{
v4 = objc_msgSend(&OBJC_CLASS___Ceasar_CipherModel, "alloc");
--v3;
v5 = objc_msgSend(v4, "initWithCipherKey:", v3);
objc_msgSend(v5, "setCodedMessage:", v2);
objc_msgSend(v5, "decrypt");
v6 = objc_msgSend(v5, "originalMessage");
// The AES password is a plain string literal, so the key and every
// intermediate plaintext are recoverable from the binary and at runtime.
v2 = (__CFString *)objc_msgSend(&OBJC_CLASS___AESCrypt, "decrypt:password:", v6, CFSTR("ZGlhb2RhX2ppYW5rYW5nCg=="));
}
while ( v3 > 0 );
// Read the user's input ("textFeild" is the property name as compiled).
v7 = objc_msgSend(v20, "textFeild");
v8 = objc_msgSend(v7, "text");
v9 = objc_msgSend(v8, "UTF8String");
v10 = objc_msgSend(v2, "UTF8String");
v11 = (const char *)v10;
// Hand-rolled comparison rather than strcmp: it stops at the first mismatch
// (not constant-time) and only checks strlen(v11) bytes, so input that merely
// starts with the expected answer also passes, and an empty expected string
// matches any input. strlen() is re-evaluated on every iteration.
v12 = *(_BYTE *)v10;
if ( v12 )
{
if ( *(_BYTE *)v9 != v12 )
{
LABEL_8:
v16 = 0;
goto LABEL_10;
}
v13 = 1;
while ( v13 < strlen(v11) )
{
v14 = v11[v13];
v15 = *((_BYTE *)v9 + v13++);
if ( v15 != v14 )
goto LABEL_8;
}
}
v16 = 1;
LABEL_10:
// Result alert. IDA shows the title as stru_1C808 and the message and button
// literals as garbled text -- presumably non-ASCII strings it could not
// decode. v18 is the message for a match (v16 == 1), else the other one.
v17 = objc_msgSend(&OBJC_CLASS___UIAlertView, "alloc");
if ( v16 == 1 )
v18 = CFSTR("芠\x01xcknx\x01");
else
v18 = CFSTR("芠\x01x\x19");
v19 = objc_msgSend(
v17,
"initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:",
&stru_1C808,
v18,
v20,
CFSTR("諷"),
CFSTR("nx"),
0);
j__objc_msgSend(v19, "show");
}
用Cycript:
iPhone:~ root# cycript -p level1
cy# v2 = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
@"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:4];
#"<Ceasar_CipherModel: 0x15d104c0>"
cy# [v4 setCodedMessage:v2];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"inIVWxfpVkvZKCE9QaaD6c0eHDJjPJoBuvO0pUyw4N3GgwM0zktzZRqtV7DkmUKytBdcZeArzCGet95RFJAQL8nzkt4yi7CDRgxRyPFLinPpD7dkilS+tfPcCc2vMdo0pQCM8hYccar2OJkSywQKQQ=="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:3];
#"<Ceasar_CipherModel: 0x17033ec0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"eAju1/a5HKeo1YYVNiOKSpWPBxLat4JqHQmQ3082u/u9iWrzt0nBj+ReJxLSrlPIvnA1u0biUDUnJ4kCPM3T8hecvd1vkABtIeIq12j68R8="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL"
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:2];
#"<Ceasar_CipherModel: 0x1713c5a0>"
cy# [v4 setCodedMessage:@"e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL"];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"c1q6duCmyA3j/4TJg1BY4IINHbEaEUI3cjKvNoMsE7KLy9dadUs6ensg+k3o1yiJ"
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:1];
#"<Ceasar_CipherModel: 0x15ed14f0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"4o2da81kNQsmmctXfbZb3owepFg8Examx9MEmSyXI6A="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"QNEcNAUUYKq5mMZJTh3J5w=="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:0];
#"<Ceasar_CipherModel: 0x17044de0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"QNEcNAUUYKq5mMZJTh3J5w=="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"Sp4rkDr0idKit"
cy#
得到答案。
或者写个tweak
%hook AESCrypt
// Logos hook on the class method. %log prints the receiver, selector and both
// arguments (see the syslog lines below), then the original implementation
// runs and its return value is logged on a second line with the same prefix.
+ (id)decrypt:(id)data password:(id)key {
    %log;
    id plaintext = %orig;
    NSLog(@" = %@", plaintext);
    return plaintext;
}
%end
输出:
Oct 20 22:59:43 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:hmHUVweoUjuYJBD9PzzC6b0dGCIiOInAtuN0oTxv4M3FfvL0yjsyYQpsU7CjlTJxsAcbYdZqyBFds95QEIZPK8myjs4xh7BCQfwQxOEKhmOoC7cjhkR+seObBb2uLcn0oPBL8gXbbzq2NIjRxvPJPP== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 22:59:43 iPhone level1[1091]: = (null)
Oct 20 22:59:52 iPhone launchproxy[3800]: /usr/libexec/sshd-keygen-wrapper: Connection from: 127.0.0.1 on port: 57630
Oct 20 22:59:52 iPhone sshd[3802]: Accepted publickey for root from 127.0.0.1 port 57630 ssh2
Oct 20 22:59:52 iPhone sshd: root@ttys001[3803]: USER_PROCESS: 3803 ttys001
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:inIVWxfpVkvZKCE9QaaD6c0eHDJjPJoBuvO0pUyw4N3GgwM0zktzZRqtV7DkmUKytBdcZeArzCGet95RFJAQL8nzkt4yi7CDRgxRyPFLinPpD7dkilS+tfPcCc2vMdo0pQCM8hYccar2OJkSywQKQQ== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]: = hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:eAju1/a5HKeo1YYVNiOKSpWPBxLat4JqHQmQ3082u/u9iWrzt0nBj+ReJxLSrlPIvnA1u0biUDUnJ4kCPM3T8hecvd1vkABtIeIq12j68R8= password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]: = e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:c1q6duCmyA3j/4TJg1BY4IINHbEaEUI3cjKvNoMsE7KLy9dadUs6ensg+k3o1yiJ password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]: = 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:4o2da81kNQsmmctXfbZb3owepFg8Examx9MEmSyXI6A= password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]: = QNEcNAUUYKq5mMZJTh3J5w==
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:QNEcNAUUYKq5mMZJTh3J5w== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]: = Sp4rkDr0idKit
第二题:
ida载入后,由题目提示定位到cdevsw_add函数。
按ctrl+x打开xrefs窗口,选择第一个函数。
看到有random的提示
__TEXT:__text:800C0D88 sub_800C0D88 ; DATA XREF: __DATA:__const:8039CF70o
__TEXT:__text:800C0D88
__TEXT:__text:800C0D88 perms = -0x18
__TEXT:__text:800C0D88 fmt = -0x14
__TEXT:__text:800C0D88 var_10 = -0x10
__TEXT:__text:800C0D88
__TEXT:__text:800C0D88 PUSH {R4-R7,LR}
__TEXT:__text:800C0D8A ADD R7, SP, #0xC
__TEXT:__text:800C0D8C SUB SP, SP, #0xC
__TEXT:__text:800C0D8E MOV R0, #(off_803BD360 - 0x800C0D9A)
__TEXT:__text:800C0D96 ADD R0, PC ; off_803BD360
__TEXT:__text:800C0D98 ADDW R1, R0, #0xB14
__TEXT:__text:800C0D9C MOV.W R0, #0xFFFFFFFF
__TEXT:__text:800C0DA0 BL _cdevsw_add
__TEXT:__text:800C0DA4 MOV R4, R0
__TEXT:__text:800C0DA6 CMP.W R4, #0xFFFFFFFF
__TEXT:__text:800C0DAA BGT loc_800C0DBA
__TEXT:__text:800C0DAC MOV R0, #(aRandom_initFai - 0x800C0DB8) ; "\"random_init: failed to allocate a maj"...
__TEXT:__text:800C0DB4 ADD R0, PC ; "\"random_init: failed to allocate a maj"...
__TEXT:__text:800C0DB6 BL _panic
由【a-guide-to-kernel-exploitation.pdf】的一段话:
the value −1 is supplied as the index (0xFFFFFFFF). When cdevsw_add() sees a negative value, it uses the absolute value of the index instead, and then begins scanning for a usable slot from this location. However, the value of −1 will cause cdevsw_add() to start scanning from slot 0. The second argument to this function is of the type struct cdevsw.
可知要找的是struct cdevsw。
按shift+F1,打开Local Types 窗口,按insert(mac按fn+enter),插入结构体
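/*
 * struct cdevsw as entered into IDA's Local Types window (Shift+F1, Insert) so
 * that the table at 803BDE74 can be displayed field by field.
 * Every member occupies one 32-bit word in the target (the overlay below shows
 * one DCD per field), so the field order must match the target kernel exactly;
 * a wrong order silently mislabels the d_read / d_write / d_ioctl slots.
 * The names follow the BSD character-device switch; which system call reaches
 * which slot is inferred from the names, not from anything on this page.
 */
struct cdevsw
{
    void (__cdecl *d_open)();
    void (__cdecl *d_close)();
    void (__cdecl *d_read)();
    void (__cdecl *d_write)();
    void (__cdecl *d_ioctl)();
    void (__cdecl *d_stop)();      /* _nulldev in the overlay below */
    void (__cdecl *d_reset)();     /* _nulldev in the overlay below */
    int **d_ttys;                  /* 0 in the overlay below */
    void (__cdecl *d_select)();    /* _enodev in the overlay below */
    void (__cdecl *d_mmap)();      /* _enodev in the overlay below */
    void (__cdecl *d_strategy)();  /* _enodev_strat in the overlay below */
    void (__cdecl *d_getc)();      /* _enodev in the overlay below */
    void (__cdecl *d_putc)();      /* _enodev in the overlay below */
    int d_type;                    /* 0 in the overlay below */
};  /* terminating ';' is required when this text is parsed as C */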
然后在Local Types 窗口里双击刚刚插入的cdevsw,点击确认添加到ida数据库。
然后对应跳转到
803BDE74
转成cdevsw:
__DATA:__data:803BDE74 DCD sub_800C0E18+1 ; d_open
__DATA:__data:803BDE74 DCD sub_800C0E34+1 ; d_close
__DATA:__data:803BDE74 DCD sub_800C0EA0+1 ; d_read
__DATA:__data:803BDE74 DCD sub_800C0E38+1 ; d_write
__DATA:__data:803BDE74 DCD sub_800C0E04+1 ; d_ioctl
__DATA:__data:803BDE74 DCD _nulldev+1 ; d_stop
__DATA:__data:803BDE74 DCD _nulldev+1 ; d_reset
__DATA:__data:803BDE74 DCD 0 ; d_ttys
__DATA:__data:803BDE74 DCD _enodev+1 ; d_select
__DATA:__data:803BDE74 DCD _enodev+1 ; d_mmap
__DATA:__data:803BDE74 DCD _enodev_strat+1 ; d_strategy
__DATA:__data:803BDE74 DCD _enodev+1 ; d_getc
__DATA:__data:803BDE74 DCD _enodev+1 ; d_putc
__DATA:__data:803BDE74 DCD 0 ; d_type
可得d_read,d_write,d_ioctl的地址
不知道KASLR的滑动偏移怎么计算,写不出答案。