-
-
[原创]A64Dbg ADCpp实战itunesstored kbsync远程调用
-
发表于: 2021-4-9 21:36
-
步骤一:安装Textobot
https://gitee.com/geekneo/Textobot/blob/master/iOS/Textobot.deb
步骤二:安装A64Dbg Server
https://gitee.com/geekneo/A64Dbg/blob/master/a64dbg-server.deb
步骤三:安装UVMDbg Server
https://gitee.com/geekneo/A64Dbg/blob/master/a64dbg-server.uvm.deb
以LLDB模式调试分析itunesstored,得到kbsync计算接口如下:
其中sub_10002809C就是我们要调用的接口。
请参见代码注释:
将上述两个文件放置在~/A64Dbg/plugin目录下,运行A64Dbg,选择Remote UnicornVM iOS模式:
然后Attach itunesstored:
然后运行Plugin菜单的iTunesStoredKBSync:
然后在Log窗口就有相应的日志输出了:
脚本化的ObjC配合adpy插件,即可轻松实现复杂的rpc,have fun~
__text:00000001001C07AC ; void __cdecl -[KeybagSyncOperation run](KeybagSyncOperation *self, SEL)
__text:00000001001C07AC __KeybagSyncOperation_run_
__text:00000001001C07AC FC 6F BA A9 STP X28, X27, [SP,#-0x60]!
__text:00000001001C07B0 FA 67 01 A9 STP X26, X25, [SP,#0x10]
//...
__text:00000001001C0868 68 0E 00 B0 ADRP X8, #selRef_unsignedLongLongValue@PAGE
__text:00000001001C086C 01 E1 45 F9 LDR X1, [X8,#selRef_unsignedLongLongValue@PAGEOFF]
__text:00000001001C0870 E0 03 14 AA MOV X0, X20
__text:00000001001C0874 94 2A 03 94 BL _objc_msgSend
__text:00000001001C0878 61 01 80 52 MOV W1, #0xB
__text:00000001001C087C 08 9E F9 97 BL sub_10002809C
__text:00000001001C0880 F5 03 00 AA MOV X21, X0
__text:00000001001C07AC ; void __cdecl -[KeybagSyncOperation run](KeybagSyncOperation *self, SEL)
__text:00000001001C07AC __KeybagSyncOperation_run_
__text:00000001001C07AC FC 6F BA A9 STP X28, X27, [SP,#-0x60]!
__text:00000001001C07B0 FA 67 01 A9 STP X26, X25, [SP,#0x10]
//...
__text:00000001001C0868 68 0E 00 B0 ADRP X8, #selRef_unsignedLongLongValue@PAGE
__text:00000001001C086C 01 E1 45 F9 LDR X1, [X8,#selRef_unsignedLongLongValue@PAGEOFF]
__text:00000001001C0870 E0 03 14 AA MOV X0, X20
__text:00000001001C0874 94 2A 03 94 BL _objc_msgSend
__text:00000001001C0878 61 01 80 52 MOV W1, #0xB
__text:00000001001C087C 08 9E F9 97 BL sub_10002809C
__text:00000001001C0880 F5 03 00 AA MOV X21, X0
'''This is really a very simple a64dbg python adp demo.'''# import basic adp definition like error/event codefrom adpdef import *
# import adp api entriesfrom adp import *
import os
# send kbsync result to heredef kbsync_result_callback(buf):
print('kbsync result is : %s' % (buf))
# a64dbg debugengine event for python plugindef adp_on_event(args):
event = args[adp_inkey_type]
# user clicked the plugin's main menu
if event == adp_event_main_menu:
# kbsync calc is valid on ios platform
if curPlatform() == adp_remote_unicornvm_ios:
runadc('%s/kbsync.mm' % (os.path.dirname(__file__)))
return success()
# ask for plugin's menu name
if event == adp_event_menuname:
return success('iTunesStoredKBSync')
# ask for plugins's version and descripton
if event == adp_event_adpinfo:
return success(('0.1.0', 'This is an itunesstored kbsync calc python plugin.'))
return failed(adp_err_unimpl)
'''This is really a very simple a64dbg python adp demo.'''# import basic adp definition like error/event codefrom adpdef import *
# import adp api entriesfrom adp import *
import os
# send kbsync result to heredef kbsync_result_callback(buf):
print('kbsync result is : %s' % (buf))
# a64dbg debugengine event for python plugindef adp_on_event(args):
event = args[adp_inkey_type]
# user clicked the plugin's main menu
if event == adp_event_main_menu:
# kbsync calc is valid on ios platform
if curPlatform() == adp_remote_unicornvm_ios:
runadc('%s/kbsync.mm' % (os.path.dirname(__file__)))
return success()
# ask for plugin's menu name
if event == adp_event_menuname:
return success('iTunesStoredKBSync')
# ask for plugins's version and descripton
if event == adp_event_adpinfo:
return success(('0.1.0', 'This is an itunesstored kbsync calc python plugin.'))
return failed(adp_err_unimpl)
#include <objc/runtime.h>void adc_main() { printf("Start to calc kbsync.\n");
auto KeybagSyncOperation = NSClassFromString(@"KeybagSyncOperation");
printf("Get KeybagSyncOperation class: %p.\n", KeybagSyncOperation);
auto method = class_getInstanceMethod(KeybagSyncOperation,
NSSelectorFromString(@"run"));
printf("Get run method: %p.\n", method);
auto imp = method_getImplementation(method);
printf("Get run implementation: %p.\n", imp);
const uint32_t *kbsync_caller = (uint32_t *)imp;
const uint8_t mov_w1_0xb[] = {
0x61, 0x01, 0x80, 0x52
};
while (*kbsync_caller++ != *(uint32_t *)&mov_w1_0xb[0]);
printf("Parsed kbsync caller: %p.\n", kbsync_caller);
// decode the bl instruction to get the real kbsyn callee
// 31 30 29 28 27 26 25 ... 0
// 1 0 0 1 0 1 - imm -
int blopcode = *(int *)kbsync_caller;
int blmask = 0xFC000000;
if (blopcode & (1 << 26)) {
// sign extend
blopcode |= blmask;
}
else {
blopcode &= ~blmask;
}
long kbsync_entry = (long)kbsync_caller + (blopcode << 2);
printf("Decoded kbsync entry: 0x%lx.\n", kbsync_entry);
// call the kbsync calc entry
NSData *kbsync = ((NSData *(*)(long, int))kbsync_entry)(1111, 0xB);
// send result to our python callback
if (kbsync) {
str2py("kbsync_result_callback", [kbsync base64EncodedStringWithOptions:0].UTF8String, 0);
}
else {
str2py("kbsync_result_callback", "error, you should download something in the AppStore to init kbsync.", 0);
}
printf("Finished calc kbsync.\n");
}#include <objc/runtime.h>void adc_main() { printf("Start to calc kbsync.\n");
auto KeybagSyncOperation = NSClassFromString(@"KeybagSyncOperation");
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
