[Original] A quick look at a connected-car app's x梆 (Bangbang) hardening
Posted: 2022-8-10 18:05, 63873 views


Target app: BYD Auto (比亚迪汽车) 6.1.0

Tools: Cydia, Frida, Objection, Storm Sniffer (packet capture)

First open Storm Sniffer, which is available on the App Store (Fiddler works just as well).

The target app has SSL pinning enabled, so nothing can be captured.

[screenshot]

Bypass SSL pinning with objection:

```shell
objection -g 比亚迪汽车 explore
ios sslpinning disable --quiet
```

[screenshot]

Now the captured traffic is visible:

```text
https://dilinkappserver.byd.com/app/auth/login
User-Agent: bi ya di qi che/6.0.1 (iPhone; iOS 14.0; Scale/3.00)
Content-Type: application/json
Host: dilinkappserver.byd.com

{"request":"FESWLgT0LjY\/GjPQmt4xYvDWajog909VYoUcLQ8TE7E\/F4U9GwHtbmfY9uZbmqPnGW2ys0NRnezIjTETA64wpvfP3aZV+caLdK8fsLovfxoacBp5hIkvlS4hTEYkl8XfIfashQDMOdYmm8W89ZBwpFF+Ipd9hFy7NGHDom4SgXQ5uE7Io8jFnoGiz5CiQ9B3K0NbCSOkSbbwJi14iFi15sy3car\/W3xMNUZuo7\/vNE7Dz\/eHwxroJ7L+DK\/6yXbNLRHMHRtXJykfnD31ShNTEqzkF+Fp2Z6jUuFFpn4B7SB4uJYWe5cJ9g3gDIOEifHEhhD3LCQfOEKppgisduO8el4rEGFaKPx1bzOAIk0W1qPXk0LbVCFPQYFpypUB8Rrn2hBBsA8cepRBBtH73jeRcvrRMBc0gK+YRw4uq8yd44bNoEpSt1L5YOJBelSxmp9WOhkGOjt5cPCHij1ptaO9gp1d7XAg4+MhpzXoluB8aPi8A28stX04l+HdU6lNU0pUGYtFVRbTvYV4KjseXQ5wlRavwFMgv3c61WUMznyLmtI8zdheCVdr3vGG1nNvGI7cqMHdw8jvdYFCe9jr3eu1nG2uHakh7PHDMyEDpEh7WSJvVod+0sleiS+vhv5xnNhXUOtBtjCUcLSZToY6YJky9O4E8WDOGg2j5kvCaHrY\/bgSGd87O7sCkmrjeYEJj5BSV95tlI2Ky1GlTRvG4jLQ800QuXAJyXQJpf9uO5lbmV2yPJ7OcKbRoaRu7rhMj4yok9dPEY5bIJeMFptv+bBTKgRh18R5ZecUdpyx8PrVY7FvTEihzH9z+ACGIMNgw7MZIVRPBqLh\/zXK1JfY3pPblvLVhmbeWQ6ETTC2eEWDmAcBovF+Mpj\/M2ybwRdFGLATHZJUQCobYS+02Jxfd0\/ODHpOQ7c2RJwZh6aijIEeh3Ohj1weh\/ZNAK7189yi3n810Bne0ld\/Vo11Jk7hSSQ9z1vCZijCzbDb4Yuw+jsnM\/CPS0OBMMQqIsuz9TPJ\/89SP103sVv01AOXWUM0OB97POJpQ8Bnfjusf8x7CKURlyj4hl6NHksSAGeOmPv96B\/X\/xEARr3Lq7K0RnVFjqFJUsXVVJavggfrhexl7xgvU7MqOPZ24ZiMmOTKTKP+WVsykcraeoP9+yuYkhdMLPEBelpnkoHOuHvpqojhOcJvN8pu\/tRclZO6KGuRD8I7M3J2+mMo8ZTNQUB7oYVR\/UfIKJ5+aIybJklZ1HTb5nV\/D1tDgWRN5JDvndJ78cEi6s8Hi9gsZjglN1JNaQ3vShP7RuLSYdRqDO7e27cSkibTH4YW6PsHPHhqX2g4ev8WTEbRIAsiVJTOuJqNaPaoX3oDMviBz5aZ0iu6XwRwbojibWBCOABktvzVNgngxxeyPmyJlVQ5H5ehn\/iNNZC4RRz0FqhetTfWdQWXnRqicq+tiujO478mQQVKTDKvhi6y0uL2g2SuR81QJ0YmhlCFxqFWX2ACpro\/4HM5J0EdJvboVwrR70CEBa6pqwsvCSCQCltwM+EDH+OYxt34oL1ngY7+fsm1oZcyEvn3\/snVZcd97klBzdl5oCyj3ANtoDIQua35u2ENXbPc8CqIIlcbPVsmF5U1ESRs5khYlDjBH6qvpZBoA4a36pgMZVu8XKpk7c+bOIB0WrZcMSaIF+r2x0Jg8ZKjrZ\/AwhoRDHAtEIQNDLNkPDvjoEcoI0CF3\/p\/AVyjko9aqtatyNZE7i0MQ4SUdamyogd428NFygGgq5JtoSe3XXL\/3hWxlbTGqESnPXKjh7jTG5FQxy6grBp7lVN2DSW2yNkvVOrtVaRjIbTzJd7\/oiUE29Yx1l\/1tPpJTq0CDSa2sTGgYHyPkppcoA3OXLiEGuQC0lKuvuahyAh956uueAi7DvMUWzPemfszzr6Bd35RucQE5tFjzQ19QIIDGhxLHMfweQHO2jEUuTdd
qRbnO3ZVyM8jZpcNBwMKbuqjk"}

{"response":"Fel63A3fJsBnqDNoqrf3sNRYntlgl2bMzWrA56aEQZRggnMBao9z1ds1G/TqV2TMwrRu1wovdv5AwWkDlpdqO0A=="}
```

The app reports: wrong username or password.

Use frida-ios-dump to dump the decrypted .ipa, locate the binary inside the bundle, and drag it into IDA for analysis.

4.1 Approach: Frida-hook -[NSURLRequest initWithURL:] and print its call stack

```javascript
// ANSI colour codes for console output. The snippet used a `colors` object
// without defining it anywhere, so it is defined here.
var colors = { green: "\x1b[32m", red: "\x1b[31m", resetColor: "\x1b[0m" };

try {
    var className = "NSURLRequest";
    var funcName = "- initWithURL:";

    // Resolve the Objective-C method and hook its native implementation.
    var hook = ObjC.classes[className][funcName];
    Interceptor.attach(hook.implementation, {
        onEnter: function (args) {
            // args[0] = self, args[1] = selector, args[2] = the NSURL argument
            console.log(colors.green, "NSURLRequest with URL: ", colors.resetColor + ObjC.Object(args[2]));
            // Symbolicated backtrace of the calling thread shows who built the request
            console.log("\nBacktrace:\n" + Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress).join("\n"));
        },
    });
} catch (error) {
    console.log(colors.red, "[!] Exception: ", colors.resetColor + error.message);
}
```

Output:

```text
[iPhone::比亚迪汽车 ]->  NSURLRequest with URL:  https://dilinkappserver.byd.com/app/auth/login
Backtrace:
0x1057d943c /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!-[AFHTTPRequestSerializer requestWithMethod:URLString:parameters:error:]
0x1057d106c /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!-[AFHTTPSessionManager dataTaskWithHTTPMethod:URLString:parameters:headers:uploadProgress:downloadProgress:success:failure:]
0x1057d0780 /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!-[AFHTTPSessionManager POST:parameters:headers:progress:success:failure:]
0x1049e1e24 /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!+[AFNRequestUtls postRequestWithInfo:successBlock:failedBlock:]
0x104b4d270 /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!+[BYDHttpsRequestUtils httpsPostRequestWithRequestRequestInfo:successBlock:failedBlock:]
0x1048f48fc /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!-[BYDUserModel doLoginSuccess:failed:]
0x104a4c4f8 /private/var/containers/Bundle/Application/48133A5D-90E1-494C-8472-79C2B5DE912B/比亚迪汽车.app/比亚迪汽车!-[BYDLoginVC doLogin]
...
```

AFHTTPRequestSerializer in the backtrace shows that the app uses AFNetworking.

Next, hook -[AFHTTPRequestSerializer requestWithMethod:URLString:parameters:error:] to grab the parameters argument; its content is the already-encrypted parameters.

So the encryption happens inside +[BYDHttpsRequestUtils httpsPostRequestWithRequestRequestInfo:successBlock:failedBlock:].

4.2 Viewing +[BYDHttpsRequestUtils httpsPostRequestWithRequestRequestInfo:successBlock:failedBlock:] in IDA

[screenshot]

Decompiling with Hopper ran into some problems (noob here: I don't know how to change a function's range in Hopper; if anyone knows, please leave a comment).

[screenshot]

Take a look at the CFG. (It's a plant!) Control-flow obfuscation. Stay calm, no big deal, try the pseudocode first.

[screenshot]

Here the network-request requestInfo instance is created; look for the call that sets its parameters.

[screenshot]

Found it: +[BYDDataManager entryRequestInfo:] returns the encrypted content. The v6 passed in is the AES encryption of the plaintext message dictionary, with the key being $key+$value concatenated and then SHA-1'd (leaving that for later, it's too complicated to explain here). Follow it further.

[screenshot]

wd**d, that's absurd. Keep looking at the pseudocode:

[screenshot]

There's the request string. The BangSafeSDK above it confirms this is Bangbang (梆梆) enterprise encryption. Digging further into +[BangSafeSDK checkcode:dataStyle:]: it UTF-8 encodes the input, gets the current time, and finally calls sub_1023BE0D4.

I wanted to look at the CFG of sub_1023BE0D4, but IDA errored out: too many nodes.

[screenshot]

So what now? Blind guess: control-flow obfuscation (used to it by now). Trace it!

Trace the executed addresses with Frida Stalker; thanks to misskings.

The trace script:

```javascript
/// <reference path="frida-gum.d.ts" />

// +[BYDHttpsRequestUtils httpsPostRequestWithRequestRequestInfo:successBlock:failedBlock:]
var target = ObjC.classes['BYDHttpsRequestUtils']['+ httpsPostRequestWithRequestRequestInfo:successBlock:failedBlock:']
console.log(target.implementation)

// Resolve the main module from the method address and rebase sub_1023BE0D4
// (IDA address 0x1023BE0D4 with load base 0x100000000 => offset 0x23BE0D4).
var m = Process.getModuleByAddress(target.implementation)
var vm = m.base.add(0x23BE0D4) // mind the base address IDA loaded the binary at
var baseAddr = m.base
console.log(vm);
Interceptor.attach(vm, {
    onEnter: function (args) {
        console.log("enter")
        this.tid = Process.getCurrentThreadId()
        console.log(this.tid);
        Stalker.follow(this.tid, {
            events: {
                // these events are not needed for now
                call: false,
                ret: false,
                exec: false,

                block: false,
                compile: false
            },

            transform: function (iterator) {
                var instruction = iterator.next();
                const startAddress = instruction.address;
                // Address range of sub_1023BE0D4 taken from IDA (Alt+P on the function).
                // Decided once per basic block from its first instruction.
                var is = startAddress.compare(baseAddr.add(0x23CBB6C)) < 0 && startAddress.compare(baseAddr.add(0x23BE0D4)) >= 0;
                do {
                    if (is) {
                        // print as an IDA address: runtime address - slide + 0x100000000
                        console.log(instruction.address.sub(baseAddr).add(0x100000000) + ":" + instruction);
                    }
                    iterator.keep();
                } while ((instruction = iterator.next()) !== null);
            }
        })
    },
    onLeave: function (ret) {
        Stalker.unfollow(this.tid)
    }
})
```

Then, combined with an IDA Python script, remove the useless branches.

Look at the CFG again:

[screenshot]

Don't know how, so I gave up.

Burn it all down!!! Leaving this as an open thread. Underneath it is really still control-flow obfuscation; the analysis stops here for now.
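The Stalker script above logs one line per executed instruction in the form `<IDA address>:<instruction>`. The Node.js script below is an added example, not code from the original post and not misskings' script: it parses such a trace, counts how often each address ran, flags basic blocks that were never executed (the candidates for the "useless branch" pruning done with the IDA Python script, which the post does not include), and lists the branch edges that were actually taken. The trace lines and the basic-block list are constructed for illustration; the block list stands in for what an IDA script would export (start and end address per block) and is not the real layout of sub_1023BE0D4.

```javascript
// Added example (not from the original post): post-process a Frida Stalker
// trace ("<ida address>:<instruction>" per line) into coverage data and
// compare it with the basic blocks of the function.
// All addresses, trace lines and blocks below are constructed.

// Constructed trace in the format the Stalker script prints; addresses are
// already rebased to IDA's load base 0x100000000. Two invocations are logged.
const SAMPLE_TRACE = `
0x1023be0d4:stp x29, x30, [sp, #-0x10]!
0x1023be0d8:mov x29, sp
0x1023be0dc:b 0x1023be100
0x1023be100:cmp w8, #0
0x1023be104:b.ne 0x1023be120
0x1023be120:mov w0, #1
0x1023be124:ret
0x1023be0d4:stp x29, x30, [sp, #-0x10]!
0x1023be0d8:mov x29, sp
0x1023be0dc:b 0x1023be100
0x1023be100:cmp w8, #0
0x1023be104:b.ne 0x1023be120
0x1023be120:mov w0, #1
0x1023be124:ret
`;

// Constructed basic-block list (hypothetical layout) as an IDA Python script
// could export it: [start, end) per block.
const SAMPLE_BLOCKS = [
  { start: 0x1023be0d4, end: 0x1023be0e0 },
  { start: 0x1023be0e0, end: 0x1023be100 }, // never reached in the trace
  { start: 0x1023be100, end: 0x1023be108 },
  { start: 0x1023be108, end: 0x1023be120 }, // never reached in the trace
  { start: 0x1023be120, end: 0x1023be128 },
];

// Parse trace lines into { address, insn } records; blank or malformed lines are skipped.
function parseTrace(text) {
  const entries = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const sep = line.indexOf(":");
    if (sep < 0) continue;
    const address = Number.parseInt(line.slice(0, sep), 16); // radix 16 accepts the 0x prefix
    if (Number.isNaN(address)) continue;
    entries.push({ address, insn: line.slice(sep + 1).trim() });
  }
  return entries;
}

// Count how many times each instruction address was executed.
function coverage(entries) {
  const hits = new Map();
  for (const { address } of entries) hits.set(address, (hits.get(address) || 0) + 1);
  return hits;
}

// Blocks containing no executed address: candidates for pruning from the CFG
// view. A single trace only shows one path, so confirm in IDA before hiding them.
function deadBlocks(blocks, hits) {
  return blocks.filter((b) => {
    for (const addr of hits.keys()) if (addr >= b.start && addr < b.end) return false;
    return true;
  });
}

// arm64 branch mnemonics, used to tell taken branches from fall-through.
const BRANCH_RE = /^(b(\.\w+)?|bl|blr|br|cbz|cbnz|tbz|tbnz)\b/;

// Unique (from, to) pairs where a branch instruction was followed by something
// other than the next sequential instruction: the edges the obfuscated CFG took.
function takenBranches(entries) {
  const seen = new Set();
  const edges = [];
  for (let i = 0; i + 1 < entries.length; i++) {
    const cur = entries[i];
    const next = entries[i + 1];
    if (!BRANCH_RE.test(cur.insn)) continue;
    if (next.address === cur.address + 4) continue; // arm64 instructions are 4 bytes: fall-through
    const key = cur.address + "->" + next.address;
    if (seen.has(key)) continue;
    seen.add(key);
    edges.push([cur.address, next.address]);
  }
  return edges;
}

// Printable summary of a trace against a block list.
function summarize(traceText, blocks) {
  const entries = parseTrace(traceText);
  const hits = coverage(entries);
  const hex = (n) => "0x" + n.toString(16);
  return {
    instructions: entries.length,
    distinct: hits.size,
    dead: deadBlocks(blocks, hits).map((b) => hex(b.start)),
    edges: takenBranches(entries).map(([f, t]) => hex(f) + " -> " + hex(t)),
  };
}

console.log(JSON.stringify(summarize(SAMPLE_TRACE, SAMPLE_BLOCKS), null, 2));
```

Feed it the saved console output of the Stalker script instead of SAMPLE_TRACE and a block list exported from IDA instead of SAMPLE_BLOCKS; the `dead` list is what an IDA script would colour or hide, and `edges` gives the real successor of each obfuscated branch.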


Last edited by FANGG3 on 2022-8-24 14:25.
Replies (6)

#2 caolinkai, 2022-8-16 14:40
Support!

#3 mb_iwquahum, 2022-8-17 16:24
Can't follow this; how about a tutorial for doing it on the phone?

#4 2022-8-18 11:24, replying to caolinkai ("Support!")
Thanks~~

#5 2022-8-18 11:24, replying to mb_iwquahum ("Can't follow this; how about a tutorial for doing it on the phone?")
Do you mean reversing on the phone itself?

#7 2023-9-27 13:52
Have you looked into the Bangbang enterprise packer? Could we exchange contact details and discuss it together?