小葡萄爸爸滴博客

2015第2届移动安全挑战赛iOS第一题分析

Sep 5, 2017

设备iphone6plus 拖到hopper分析，看了下label列表，看到敏感方法 onClick，静态分析如下:

 -[ViewController onClick]:
0000b6a0         push       {r4, r5, r6, r7, lr}                                ; Objective C Implementation defined at 0x1cd38 (instance)
0000b6a2         add        r7, sp, #0xc
0000b6a4         push.w     {r8, r10, r11}
0000b6a8         sub        sp, #0x20
0000b6aa         str        r0, [sp, #0x10]
0000b6ac         movw       r0, #0x355c
0000b6b0         movt       r0, #0x1
0000b6b4         movw       r1, #0x354e
0000b6b8         movt       r1, #0x1
0000b6bc         movw       r2, #0x3528
0000b6c0         movt       r2, #0x1
0000b6c4         movw       r3, #0x3534
0000b6c8         add        r0, pc                                              ; @selector(decrypt:password:)
0000b6ca         movt       r3, #0x1
0000b6ce         movw       r5, #0x352c
0000b6d2         add        r1, pc                                              ; @selector(originalMessage)
0000b6d4         movt       r5, #0x1
0000b6d8         movw       r6, #0x10e4
0000b6dc         ldr        r0, [r0]                                            ; @selector(decrypt:password:)
0000b6de         movt       r6, #0x1
0000b6e2         str        r0, [sp, #0x1c]
0000b6e4         add        r3, pc                                              ; @selector(setCodedMessage:)
0000b6e6         ldr        r0, [r1]                                            ; @selector(originalMessage)
0000b6e8         add        r5, pc                                              ; @selector(initWithCipherKey:)
0000b6ea         str        r0, [sp, #0x18]
0000b6ec         movw       r0, #0x343a
0000b6f0         movt       r0, #0x1
0000b6f4         add        r2, pc                                              ; @selector(decrypt)
0000b6f6         add        r0, pc                                              ; @selector(alloc)
0000b6f8         ldr.w      r8, [r3]                                            ; @selector(setCodedMessage:)
0000b6fc         ldr.w      r10, [r5]                                           ; @selector(initWithCipherKey:)
0000b700         add        r6, pc                                              ; @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
0000b702         ldr        r4, [r0]                                            ; @selector(alloc)
0000b704         mov.w      r11, #0x5
0000b708         ldr        r1, [r2]                                            ; @selector(decrypt)
0000b70a         str        r1, [sp, #0x14]
0000b70c         movw       r0, #0x38c2                                         ; XREF=-[ViewController onClick]+200
0000b710         mov        r1, r4                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b712         movt       r0, #0x1
0000b716         add        r0, pc                                              ; objc_cls_ref_Ceasar_CipherModel
0000b718         ldr        r0, [r0]                                            ; objc_cls_ref_Ceasar_CipherModel, argument #1 for method imp___symbolstub1__objc_msgSend
0000b71a         blx        imp___symbolstub1__objc_msgSend
0000b71e         sub.w      r11, r11, #0x1   ------>设置ceasar_cipher model 的cipherKey，循环5次解密4，3，2，1,0
0000b722         mov        r1, r10                                             ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b724         mov        r2, r11
0000b726         blx        imp___symbolstub1__objc_msgSend
0000b72a         mov        r5, r0       
0000b72c         mov        r1, r8    ------------>设置setCodedMessage           ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b72e         mov        r2, r6
0000b730         blx        imp___symbolstub1__objc_msgSend
0000b734         ldr        r1, [sp, #0x14]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b736         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b738         blx        imp___symbolstub1__objc_msgSend
0000b73c         ldr        r1, [sp, #0x18]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b73e         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b740         blx        imp___symbolstub1__objc_msgSend
0000b744         mov        r2, r0  ---->凯撒解密后的字符串用作aes解密
0000b746         movw       r0, #0x388c
0000b74a         movt       r0, #0x1
0000b74e         ldr        r1, [sp, #0x1c]                                     ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b750         add        r0, pc                                              ; objc_cls_ref_AESCrypt
0000b752         ldr        r0, [r0]                                            ; objc_cls_ref_AESCrypt, argument #1 for method imp___symbolstub1__objc_msgSend
0000b754         movw       r3, #0x1098
0000b758         movt       r3, #0x1
0000b75c         add        r3, pc            --->aes解密秘钥                     ; @"ZGlhb2RhX2ppYW5rYW5nCg=="
0000b75e         blx        imp___symbolstub1__objc_msgSend  ---->对凯撒解密后的数据进行aes解密
0000b762         mov        r6, r0
0000b764         cmp.w      r11, #0x0   ------>循环  5次
0000b768         bgt        0xb70c
0000b76a         movw       r0, #0x346c
0000b76e         mov        r10, r4
0000b770         movt       r0, #0x1
0000b774         ldr.w      r8, [sp, #0x10]
0000b778         add        r0, pc                                              ; @selector(textFeild)
0000b77a         ldr        r1, [r0]                                            ; @selector(textFeild), argument #2 for method imp___symbolstub1__objc_msgSend
0000b77c         mov        r0, r8                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b77e         blx        imp___symbolstub1__objc_msgSend
0000b782         movw       r1, #0x349e
0000b786         movt       r1, #0x1
0000b78a         add        r1, pc                                              ; @selector(text)
0000b78c         ldr        r1, [r1]                                            ; @selector(text), argument #2 for method imp___symbolstub1__objc_msgSend
0000b78e         blx        imp___symbolstub1__objc_msgSend
0000b792         movw       r1, #0x3492
0000b796         movt       r1, #0x1
0000b79a         add        r1, pc                                              ; @selector(UTF8String)
0000b79c         ldr        r5, [r1]                                            ; @selector(UTF8String)
0000b79e         mov        r1, r5                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7a0         blx        imp___symbolstub1__objc_msgSend
0000b7a4         mov        r4, r0
0000b7a6         mov        r0, r6                                              ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b7a8         mov        r1, r5                                              ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7aa         blx        imp___symbolstub1__objc_msgSend
0000b7ae         mov        r5, r0
0000b7b0         ldrb       r0, [r5]                                            ; "UTF8String"
0000b7b2         cmp        r0, #0x0
0000b7b4         beq        0xb7d6
0000b7b6         ldrb       r1, [r4]
0000b7b8         cmp        r1, r0
0000b7ba         bne        0xb7d2
0000b7bc         movs       r6, #0x1
0000b7be         mov        r0, r5                                              ; argument #1 for method imp___symbolstub1__strlen, XREF=-[ViewController onClick]+304
0000b7c0         blx        imp___symbolstub1__strlen
0000b7c4         cmp        r6, r0
0000b7c6         bhs        0xb7d6
0000b7c8         ldrb       r0, [r5, r6]
0000b7ca         ldrb       r1, [r4, r6]
0000b7cc         adds       r6, #0x1
0000b7ce         cmp        r1, r0
0000b7d0         beq        0xb7be
0000b7d2         movs       r4, #0x0                                            ; XREF=-[ViewController onClick]+282
0000b7d4         b          0xb7d8
0000b7d6         movs       r4, #0x1                                            ; XREF=-[ViewController onClick]+276, -[ViewController onClick]+294
0000b7d8         movw       r0, #0x37fe                                         ; XREF=-[ViewController onClick]+308
0000b7dc         mov        r1, r10                                             ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7de         movt       r0, #0x1
0000b7e2         add        r0, pc                                              ; objc_cls_ref_UIAlertView
0000b7e4         ldr        r0, [r0]                                            ; objc_cls_ref_UIAlertView, argument #1 for method imp___symbolstub1__objc_msgSend
0000b7e6         blx        imp___symbolstub1__objc_msgSend
0000b7ea         movw       r1, #0x3438
0000b7ee         cmp        r4, #0x1
0000b7f0         movt       r1, #0x1
0000b7f4         movw       r6, #0x1022
0000b7f8         add        r1, pc                                              ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b7fa         movt       r6, #0x1
0000b7fe         movw       r2, #0xffa
0000b802         add        r6, pc                                              ; cfstring__S_m
0000b804         movt       r2, #0x1
0000b808         ldr        r1, [r1]                                            ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b80a         add        r2, pc                                              ; @""
0000b80c         bne        0xb81a
0000b80e         movw       r3, #0xffe
0000b812         movt       r3, #0x1
0000b816         add        r3, pc                                              ; cfstring____xcknx___b_R__eQ__
0000b818         b          0xb824
0000b81a         movw       r3, #0x1022                                         ; XREF=-[ViewController onClick]+364
0000b81e         movt       r3, #0x1
0000b822         add        r3, pc                                              ; cfstring____x______
0000b824         movw       r5, #0x1002                                         ; XREF=-[ViewController onClick]+376
0000b828         movs       r4, #0x0
0000b82a         movt       r5, #0x1
0000b82e         str.w      r8, [sp]
0000b832         add        r5, pc                                              ; cfstring_nx__
0000b834         str        r6, [sp, #0x4]
0000b836         str        r5, [sp, #0x8]
0000b838         str        r4, [sp, #0xc]
0000b83a         blx        imp___symbolstub1__objc_msgSend
0000b83e         movw       r1, #0x33ee
0000b842         movt       r1, #0x1
0000b846         add        r1, pc                                              ; @selector(show)
0000b848         ldr        r1, [r1]                                            ; @selector(show)
0000b84a         add        sp, #0x20
0000b84c         pop.w      {r8, r10, r11}
0000b850         pop.w      {r4, r5, r6, r7, lr}
0000b854         b.w        0x179c0
                        ; endp

用到加密方式：凯撒加密、AES

还原代码如下：

NSString* data = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
NSString* password = @"ZGlhb2RhX2ppYW5rYW5nCg==";
int times = 5;
do{
    times--;
    Ceasar_CipherModel* model = [[Ceasar_CipherModel alloc] init];
    model.cipherKey = times;
    model.codedMessage = data;
    [model decrypt];
    data = [AESCrypt decrypt:model.originalMessage password:password];
}while (times > 0);
NSLog(@"result : %@",data);

第一次： hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
第二次： e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
第三次： 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
第四次： QNEcNAUUYKq5mMZJTh3J5w==
第五次： Sp4rkDr0idKit

最终结果为：

Sp4rkDr0idKit

...more

2015第2届移动安全挑战赛iOS第二题分析

Sep 5, 2017

第二题题目如下

环境：iPhone5C(A1529) iOS 8.4 kernelcache ，解密后的kernelcache见附件
求得下列地址（减去kaslr）：
(1)设备/dev/random，对应结构体cdevsw中d_read, d_write, d_ioctl在题目给出kernelcache中的地址。
(2)设备/dev/pf，对应结构体cdevsw中d_read, d_write, d_ioctl在题目给出kernelcache中的地址。
(3)设备/dev/ptmx，对应结构体cdevsw中d_read, d_write, d_ioctl在题目给出kernelcache中的地址。
假设上述地址的结果是：
/dev/random
d_read:0x80001231
d_write:0x80001253
d_ioctl:0x80001275
/dev/pf
d_read:0x80201297
d_write:0x802012b9
d_ioctl:0x801012db
/dev/ptmx
d_read:0x802012ed
d_write:0x802012ff
d_ioctl:0x80201211
那么答案的格式应该是：(用#号分隔)
0x80001231#0x80001253#0x80001275#0x80201297#0x802012b9#0x801012db#0x802012ed#0x802012ff#0x80201211

我们知道iOS内核是基于XNU内核改的，XNU for mac的代码可以从苹果官方下载到：

xnu-2782.40.9/bsd/dev/random/randomdev.c

static struct cdevsw random_cdevsw =
{
	random_open,		/* open */
	random_close,		/* close */
	random_read,		/* read */
	random_write,		/* write */
	random_ioctl,		/* ioctl */
	(stop_fcn_t *)nulldev, /* stop */
	(reset_fcn_t *)nulldev, /* reset */
	NULL,				/* tty's */
	eno_select,			/* select */
	eno_mmap,			/* mmap */
	eno_strat,			/* strategy */
	eno_getc,			/* getc */
	eno_putc,			/* putc */
	0					/* type */
};
/*
 * Called to initialize our device,
 * and to register ourselves with devfs
 */
void
random_init(void)
{
	int ret;
	ret = cdevsw_add(RANDOM_MAJOR, &random_cdevsw);
	if (ret < 0) {
		panic("random_init: failed to allocate a major number!");
	}
	devfs_make_node(makedev (ret, RANDOM_MINOR), DEVFS_CHAR,
		UID_ROOT, GID_WHEEL, 0666, "random", 0);
	/*
	 * also make urandom 
	 * (which is exactly the same thing in our context)
	 */
	devfs_make_node(makedev (ret, URANDOM_MINOR), DEVFS_CHAR,
		UID_ROOT, GID_WHEEL, 0666, "urandom", 0);
}

将kernercache拖到IDA或者hopper中分析，找到该代码段：

================ B E G I N N I N G   O F   P R O C E D U R E ================
             sub_800c0d88:
800c0d88         push       {r4, r5, r6, r7, lr}
800c0d8a         add        r7, sp, #0xc
800c0d8c         sub        sp, #0xc
800c0d8e         movw       r0, #0xc5c6
800c0d92         movt       r0, #0x2f
800c0d96         add        r0, pc                                              ; 0x803bd360 (_PE_poll_input + 0xaf4c)
800c0d98         addw       r1, r0, #0xb14
800c0d9c         mov.w      r0, #0xffffffff
800c0da0         bl         _cdevsw_add
800c0da4         mov        r4, r0
800c0da6         cmp.w      r4, #0xffffffff
800c0daa         bgt        0x800c0dba
800c0dac         movw       r0, #0x655f
800c0db0         movt       r0, #0x2b
800c0db4         add        r0, pc                                              ; "\\\\\\\\\\\\\\\\\\\\\\\\"random_init: failed to allocate a major number!\\\\\\\\\\\\\\\\\\\\\\\\"", argument #1 for method _panic
800c0db6         bl         _panic
800c0dba         movw       r0, #0x657b                                         ; XREF=sub_800c0d88+34
800c0dbe         mov.w      r6, #0x1b6
800c0dc2         movt       r0, #0x2b
800c0dc6         movs       r5, #0x0
800c0dc8         str        r6, [sp]                                            ; argument #5 for method _devfs_make_node
800c0dca         add        r0, pc                                              ; "random"
800c0dcc         movs       r1, #0x0                                            ; argument #2 for method _devfs_make_node
800c0dce         str        r0, [sp, #0x4]                                      ; argument #6 for method _devfs_make_node
800c0dd0         lsl.w      r0, r4, #0x18                                       ; argument #1 for method _devfs_make_node
800c0dd4         movs       r2, #0x0                                            ; argument #3 for method _devfs_make_node
800c0dd6         movs       r3, #0x0                                            ; argument #4 for method _devfs_make_node
800c0dd8         str        r5, [sp, #0x8]
800c0dda         bl         _devfs_make_node
800c0dde         movw       r0, #0x6560
800c0de2         movs       r1, #0x0                                            ; argument #2 for method _devfs_make_node
800c0de4         movt       r0, #0x2b
800c0de8         str        r6, [sp]                                            ; argument #5 for method _devfs_make_node
800c0dea         movs       r2, #0x0                                            ; argument #3 for method _devfs_make_node
800c0dec         add        r0, pc                                              ; "urandom"
800c0dee         movs       r3, #0x0                                            ; argument #4 for method _devfs_make_node
800c0df0         str        r0, [sp, #0x4]                                      ; argument #6 for method _devfs_make_node
800c0df2         movs       r0, #0x1
800c0df4         orr.w      r0, r0, r4, lsl #24                                 ; argument #1 for method _devfs_make_node
800c0df8         str        r5, [sp, #0x8]
800c0dfa         bl         _devfs_make_node
800c0dfe         add        sp, #0xc
800c0e00         pop        {r4, r5, r6, r7, pc}
                        ; endp
800c0e02         nop

从源码中可以看出 cdevsw_add 函数第二个参数为cdevsw结构体地址
从汇编中算出random_cdevsw结构体地址为0x803bd360+0xb14 = 0x803BDE74
go到0x803BDE74 random_cdevsw：

803bde74         db  0x19 ; '.'
803bde75         db  0x0e ; '.'
803bde76         db  0x0c ; '.'
803bde77         db  0x80 ; '.'
803bde78         db  0x35 ; '5'
803bde79         db  0x0e ; '.'
803bde7a         db  0x0c ; '.'
803bde7b         db  0x80 ; '.'
803bde7c         db  0xa1 ; '.'
803bde7d         db  0x0e ; '.'
803bde7e         db  0x0c ; '.'
803bde7f         db  0x80 ; '.'  ---->random_read 0x800c0ea1
803bde80         db  0x39 ; '9'
803bde81         db  0x0e ; '.'
803bde82         db  0x0c ; '.'
803bde83         db  0x80 ; '.'  ---->random_write 0x800c0e39
803bde84         db  0x05 ; '.'
803bde85         db  0x0e ; '.'
803bde86         db  0x0c ; '.'
803bde87         db  0x80 ; '.'  ---->random_ioctl 0x800c0e05
803bde88         db  0xc9 ; '.'
803bde89         db  0x73 ; 's'
803bde8a         db  0x28 ; '('
803bde8b         db  0x80 ; '.'
803bde8c         db  0xc9 ; '.'
803bde8d         db  0x73 ; 's'
803bde8e         db  0x28 ; '('
803bde8f         db  0x80 ; '.'
803bde90         db  0x00 ; '.'
803bde91         db  0x00 ; '.'
803bde92         db  0x00 ; '.'
803bde93         db  0x00 ; '.'
803bde94         db  0xad ; '.'
803bde95         db  0x73 ; 's'
803bde96         db  0x28 ; '('
803bde97         db  0x80 ; '.'
803bde98         db  0xad ; '.'
803bde99         db  0x73 ; 's'
803bde9a         db  0x28 ; '('
803bde9b         db  0x80 ; '.'
803bde9c         db  0xb1 ; '.'
803bde9d         db  0x73 ; 's'
803bde9e         db  0x28 ; '('
803bde9f         db  0x80 ; '.'
803bdea0         db  0xad ; '.'
803bdea1         db  0x73 ; 's'
803bdea2         db  0x28 ; '('
803bdea3         db  0x80 ; '.'
803bdea4         db  0xad ; '.'
803bdea5         db  0x73 ; 's'
803bdea6         db  0x28 ; '('
803bdea7         db  0x80 ; '.'
803bdea8         db  0x00 ; '.'
803bdea9         db  0x00 ; '.'
803bdeaa         db  0x00 ; '.'
803bdeab         db  0x00 ; '.'

1	得到 /dev/random 结果： 0x800c0ea1#0x800c0e39#0x800c0e05

...more

破解TexturePacker加密资源，寻找解密Key之旅

Sep 5, 2017

破解TexturePacker加密资源的方式有好多种。。最多的是hook uncompress然后获取到内容，加入ccz的文件头写入文件。
例如：

1 2	http://blog.csdn.net/ynnmnm/article/details/38392795 http://bbs.pediy.com/showthread.php?t=187332

今天我用最直接的方法搞定，直接找到用户设置的秘钥。

1	void ZipUtils::ccSetPvrEncryptionKeyPart(int index, unsigned int value)// 设置密钥的接口

上appstore上随便找个cocos2d的游戏，拖入Hopper，搜索ccSetPvrEncryptionKeyPart，没有找到。然后搜索ZipUtils，如下图：

ccDecodeEncodedPvr用来解密pvr.ccz文件，没有找到ccSetPvrEncryptionKeyPart，那么我们在ccDecodeEncodedPvr上下代码块里面试试运气

int sub_444200(int arg0, int arg1) {
    r1 = arg1;
    r0 = arg0;
    r3 = *(0x7d79d0 + r0 * 0x4);
    asm{ it         eq };
    if (r3 == r1) {
            return r0;
    }
    *(0x7d79d0 + r0 * 0x4) = r1;
    *(int8_t *)0x7d89e0 = 0x0;
    return 0x0;
}

这个有点像。。猜测arg0为index arg1为value
写tweak验证：

int(*orgccSetPvrEncryptionKey)(int index,unsigned int key);
int myccSetPvrEncryptionKey(int index,unsigned int key);
int myccSetPvrEncryptionKey(int index,unsigned int key2key{
  NSLog(@"\n\n=====  keys: %d-%u    ======\n\n",index,key);
  orgccSetPvrEncryptionKey(key1,key2);
}
%ctor{
  NSLog(@"====== HOOKED ======");
  intptr_t module_vmaddr = _dyld_get_image_vmaddr_slide(0);
  intptr_t ccSetPvrEncryptionKey = module_vmaddr + 0x444200 + 1;
  MSHookFunction((void *)ccSetPvrEncryptionKey, (void*)myccSetPvrEncryptionKey, (void**)&orgccSetPvrEncryptionKey);
}

测试log

...more

IOS游戏加速原理与实现

Sep 5, 2017

游戏助手（如XX助手）有一项游戏加速功能，实现原理其实非常简单，直接hook gettimeofday。

实现tweak代码如下：

//  speedup.xm
//  create by creantan on 14-10-23
static int (*orig_gettimeofday)(struct timeval * __restrict, void * __restrict);
static int mygettimeofday(struct timeval*tv,struct timezone *tz ) {
    int ret = orig_gettimeofday(tv,tz);
    if (ret == 0) {
        tv->tv_usec *= SPEEDLEVEL;
        tv->tv_sec *= SPEEDLEVEL;
    }
    return ret;
}
%ctor {
    MSHookFunction((void *)MSFindSymbol(NULL,"_gettimeofday"), (void *)mygettimeofday, (void **)&orig_gettimeofday);
}

...more

MAC平台下的crackme两例分析

Sep 5, 2017

工具列表：

Hopper disassembler（静态分析）
lldb （动态调试）

先来个最简单的，直接用Hopper disassembler分析：
直接把第一个crackme拖到Hopper里面，看下左边窗口，看下这个crackme的Labels

很容易就找到这个methed实现methImpl_AppDelegate_checkifisok_
点击它看下汇编：

0x0000000100001110 55                              push       rbp
0x0000000100001111 4889E5                          mov        rbp, rsp
0x0000000100001114 4883EC70                        sub        rsp, 0x70
0x0000000100001118 488D0551180000                  lea        rax, qword [ds:cfstring_Length_of_the_serial_string_is___lx] ; @"Length of the serial string is: %lx"
0x000000010000111f 488D0DBA160000                  lea        rcx, qword [ds:objc_msg_length] ; @selector(length)
0x0000000100001126 4C8D0523180000                  lea        r8, qword [ds:cfstring_Length_of_the_name_string_is___lx] ; @"Length of the name string is: %lx"
0x000000010000112d 4C8D0DFC170000                  lea        r9, qword [ds:cfstring_uh_] ; @"uh?"
0x0000000100001134 48897DF8                        mov        qword [ss:rbp-0x70+var_104], rdi
0x0000000100001138 488975F0                        mov        qword [ss:rbp-0x70+var_96], rsi
0x000000010000113c 488955E8                        mov        qword [ss:rbp-0x70+var_88], rdx
0x0000000100001140 4C89CF                          mov        rdi, r9
0x0000000100001143 488945B0                        mov        qword [ss:rbp-0x70+var_32], rax
0x0000000100001147 B000                            mov        al, 0x0
0x0000000100001149 4C8945A8                        mov        qword [ss:rbp-0x70+var_24], r8
0x000000010000114d 48894DA0                        mov        qword [ss:rbp-0x70+var_16], rcx
0x0000000100001151 E8C6030000                      call       imp___stubs__NSLog
0x0000000100001156 488B4DF8                        mov        rcx, qword [ss:rbp-0x70+var_104]
0x000000010000115a 488B152F190000                  mov        rdx, qword [ds:0x100002a90]
0x0000000100001161 488B0C11                        mov        rcx, qword [ds:rcx+rdx]
0x0000000100001165 488B350C160000                  mov        rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
0x000000010000116c 4889CF                          mov        rdi, rcx
0x000000010000116f E8B4030000                      call       imp___stubs__objc_msgSend
0x0000000100001174 488945E0                        mov        qword [ss:rbp-0x70+var_80], rax
0x0000000100001178 488B45E0                        mov        rax, qword [ss:rbp-0x70+var_80]
0x000000010000117c 4889C7                          mov        rdi, rax
0x000000010000117f 488B75A0                        mov        rsi, qword [ss:rbp-0x70+var_16]
0x0000000100001183 FF1557160000                    call       qword [ds:objc_msg_length]  ; @selector(length)
0x0000000100001189 488945D8                        mov        qword [ss:rbp-0x70+var_72], rax
0x000000010000118d 488B75D8                        mov        rsi, qword [ss:rbp-0x70+var_72]
0x0000000100001191 488B7DA8                        mov        rdi, qword [ss:rbp-0x70+var_24]
0x0000000100001195 B000                            mov        al, 0x0
0x0000000100001197 E880030000                      call       imp___stubs__NSLog
0x000000010000119c 488B4DF8                        mov        rcx, qword [ss:rbp-0x70+var_104]
0x00000001000011a0 488B15F1180000                  mov        rdx, qword [ds:0x100002a98]
0x00000001000011a7 488B0C11                        mov        rcx, qword [ds:rcx+rdx]
0x00000001000011ab 488B35C6150000                  mov        rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
0x00000001000011b2 4889CF                          mov        rdi, rcx
0x00000001000011b5 E86E030000                      call       imp___stubs__objc_msgSend
0x00000001000011ba 488945D0                        mov        qword [ss:rbp-0x70+var_64], rax
0x00000001000011be 488B45D0                        mov        rax, qword [ss:rbp-0x70+var_64]
0x00000001000011c2 4889C7                          mov        rdi, rax
0x00000001000011c5 488B75A0                        mov        rsi, qword [ss:rbp-0x70+var_16]
0x00000001000011c9 FF1511160000                    call       qword [ds:objc_msg_length]  ; @selector(length)
0x00000001000011cf 488945C8                        mov        qword [ss:rbp-0x70+var_56], rax
0x00000001000011d3 488B75C8                        mov        rsi, qword [ss:rbp-0x70+var_56]
0x00000001000011d7 488B7DB0                        mov        rdi, qword [ss:rbp-0x70+var_32]
0x00000001000011db B000                            mov        al, 0x0
0x00000001000011dd E83A030000                      call       imp___stubs__NSLog
0x00000001000011e2 48817DC80A000000                cmp        qword [ss:rbp-0x70+var_56], 0xa
0x00000001000011ea 0F86BF000000                    jbe        0x1000012af     //判断密码长度是否大于10
                                       ; Basic Block Input Regs: rbp -  Killed Regs: <nothing>
0x00000001000011f0 48817DC80F000000                cmp        qword [ss:rbp-0x70+var_56], 0xf
0x00000001000011f8 0F83B1000000                    jnc        0x1000012af //判断密码长度是否小于15
                                       ; Basic Block Input Regs: rbp -  Killed Regs: <nothing>
0x00000001000011fe 48817DD807000000                cmp        qword [ss:rbp-0x70+var_72], 0x7
0x0000000100001206 0F86A3000000                    jbe        0x1000012af   //判断用户名长度是否大于7
                                       ; Basic Block Input Regs: rbp -  Killed Regs: <nothing>
0x000000010000120c 48817DD80F000000                cmp        qword [ss:rbp-0x70+var_72], 0xf
0x0000000100001214 0F8395000000                    jnc        0x1000012af   // 判断用户名长度是否小于15
                                       ; Basic Block Input Regs: <nothing> -  Killed Regs: rax rcx rdx rbp rsi rdi
0x000000010000121a 488D05CF150000                  lea        rax, qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)
0x0000000100001221 488D0D68170000                  lea        rcx, qword [ds:cfstring_]   ; @""
0x0000000100001228 488B15D9150000                  mov        rdx, qword [ds:bind__OBJC_CLASS_$_NSCharacterSet]
0x000000010000122f 488B354A150000                  mov        rsi, qword [ds:objc_sel_alphanumericCharacterSet] ; @selector(alphanumericCharacterSet)
0x0000000100001236 4889D7                          mov        rdi, rdx
0x0000000100001239 48894598                        mov        qword [ss:rbp-0x70+var_8], rax
0x000000010000123d 48894D90                        mov        qword [ss:rbp-0x70+var_0], rcx
0x0000000100001241 E8E2020000                      call       imp___stubs__objc_msgSend     //获取字母和数字集合 NSCharacterSet *alphanumericSet = [ NSCharacterSetalphanumericCharacterSet ];
0x0000000100001246 488945C0                        mov        qword [ss:rbp-0x70+var_48], rax
0x000000010000124a 488B45D0                        mov        rax, qword [ss:rbp-0x70+var_64]
0x000000010000124e 488B55C0                        mov        rdx, qword [ss:rbp-0x70+var_48]
0x0000000100001252 488B352F150000                  mov        rsi, qword [ds:objc_sel_stringByTrimmingCharactersInSet_] ; @selector(stringByTrimmingCharactersInSet:)
0x0000000100001259 4889C7                          mov        rdi, rax
0x000000010000125c E8C7020000                      call       imp___stubs__objc_msgSend  //格式化密码，去除密码中含alphanumericSet中的字符 NSString *trimmedString = [passwdString stringByTrimmingCharactersInSet:alphanumericSet];
0x0000000100001261 4889C7                          mov        rdi, rax
0x0000000100001264 488B7598                        mov        rsi, qword [ss:rbp-0x70+var_8]
0x0000000100001268 488B5590                        mov        rdx, qword [ss:rbp-0x70+var_0]
0x000000010000126c FF157E150000                    call       qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)//判断trimmedString是否和@“”空串相等
0x0000000100001272 8845BF                          mov        byte [ss:rbp-0x70+var_47], al
0x0000000100001275 807DBF00                        cmp        byte [ss:rbp-0x70+var_47], 0x0
0x0000000100001279 0F8418000000                    je         0x100001297   //不等则显示错误
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x000000010000127f 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104]
0x0000000100001283 488B3506150000                  mov        rsi, qword [ds:objc_sel_yes] ; @selector(yes)
0x000000010000128a 4889C7                          mov        rdi, rax
0x000000010000128d E896020000                      call       imp___stubs__objc_msgSend
0x0000000100001292 E913000000                      jmp        0x1000012aa
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x0000000100001297 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104] ; XREF=0x100001279
0x000000010000129b 488B35F6140000                  mov        rsi, qword [ds:objc_sel_no] ; @selector(no)
0x00000001000012a2 4889C7                          mov        rdi, rax
0x00000001000012a5 E87E020000                      call       imp___stubs__objc_msgSend
                                       ; Basic Block Input Regs: <nothing> -  Killed Regs: <nothing>
0x00000001000012aa E913000000                      jmp        0x1000012c2                ; XREF=0x100001292
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x00000001000012af 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104] ; XREF=0x1000011ea, 0x1000011f8, 0x100001206, 0x100001214
0x00000001000012b3 488B35DE140000                  mov        rsi, qword [ds:objc_sel_no] ; @selector(no)
0x00000001000012ba 4889C7                          mov        rdi, rax
0x00000001000012bd E866020000                      call       imp___stubs__objc_msgSend
                                       ; Basic Block Input Regs: <nothing> -  Killed Regs: rsp rbp
0x00000001000012c2 4883C470                        add        rsp, 0x70                  ; XREF=0x1000012aa
0x00000001000012c6 5D                              pop        rbp
0x00000001000012c7 C3                              ret

复原代码如下：

/**
 *  用户名密码验证
 *  用户名密码长度验证，密码字母和数字验证，密码只能包含数字和字母
 *  @return 返回YES or NO
 */
-(BOOL)checkifisok{
    NSString* name = [nameTextField text];
    NSString* serial = [serialTextField text];
    int nameLength = [name length];
    int serialLength = [serial length];
    if(serialLength > 10 && serialLength < 15){
        if(nameLength > 7 && nameLength < 15){
            NSCharacterSet *alphanumericSet = [NSCharacterSet alphanumericCharacterSet];
            NSString *trimmedString = [serial stringByTrimmingCharactersInSet:alphanumericSet];
            if([trimmedString isEqualToString:@""]){
                returnYES;
            }
        }else{
            returnNO
        }
    }else{
        returnNO;
    }
}

第二个使用lldb动态调试：

lldb crackme2.app
r
ctl+c
br s -a 0x2a9e

0x00002a9e 55                              push      ebp
0x00002a9f 89E5                            mov       ebp,esp
0x00002aa1 57                              push      edi
0x00002aa2 56                              push      esi
0x00002aa3 53                              push      ebx
0x00002aa4 83EC3C                          sub       esp,0x3c
0x00002aa7 A140400000                      mov       eax, dword [ds:objc_msg_length]    ; @selector(length)
0x00002aac 89442404                        mov        dword [ss:esp+0x4],eax
0x00002ab0 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002ab3 890424                          mov        dword [ss:esp],eax
0x00002ab6 E8A3250000                      call       imp___jump_table__objc_msgSend
0x00002abb 83F808                          cmp        eax,0x8   //判断注册码长度是否为8位
0x00002abe 0F858A010000                    jne       0x2c4e  //不等跳往错误提示
                                       ; Basic Block Input Regs: ecx ebx ebp -  Killed Regs: eax ecx ebx esp ebp esi edi
0x00002ac4 A144400000                      mov       eax, dword [ds:objc_msg_lossyCString]; @selector(lossyCString)
0x00002ac9 BE04000000                      mov       esi,0x4   //esi初始化为4
0x00002ace 31DB                            xor       ebx,ebx
0x00002ad0 89442404                        mov        dword [ss:esp+0x4],eax
0x00002ad4 8B4514                          mov       eax, dword [ss:ebp-0x48+arg_C]
0x00002ad7 890424                          mov        dword [ss:esp],eax
0x00002ada E87F250000                      call       imp___jump_table__objc_msgSend
0x00002adf 890424                          mov        dword [ss:esp],eax
0x00002ae2 89C7                            mov       edi,eax
0x00002ae4 E87A250000                      call       imp___jump_table__strlen
0x00002ae9 31C9                            xor       ecx,ecx
0x00002aeb 8945D0                          mov        dword [ss:ebp-0x48+var_24],eax
0x00002aee EB37                            jmp       0x2b27
                                       ; Basic Block Input Regs: ebx esi edi -  Killed Regs: eax ecx edx ebx ebp esi
0x00002af0 0FBE041F                        movsx     eax, byte [ds:edi+ebx]             ; XREF=0x2b2a   //取用户名的一个字符
0x00002af4 43                              inc       ebx  //循环累加器
0x00002af5 0FAFC6                          imul      eax,esi  //取出来的字符与esi相乘
0x00002af8 83C604                          add       esi,0x4  //esi+4
0x00002afb 89C2                            mov       edx,eax
0x00002afd C1E204                          shl       edx,0x4  //edx << 0x4
0x00002b00 29C2                            sub       edx,eax
0x00002b02 B8AD8BDB68                      mov       eax,0x68db8bad
0x00002b07 8D8C0A9A020000                  lea       ecx, dword [ds:edx+ecx+0x29a]
0x00002b0e F7E9                            imul      ecx
0x00002b10 89C8                            mov       eax,ecx
0x00002b12 C1F81F                          sar       eax,0x1f
0x00002b15 C1FA0C                          sar       edx,0xc
0x00002b18 29C2                            sub       edx,eax
0x00002b1a 89C8                            mov       eax,ecx
0x00002b1c 69D210270000                    imul      edx,edx,0x2710
0x00002b22 29D0                            sub       eax,edx
0x00002b24 8945E0                          mov        dword [ss:ebp-0x48+var_40],eax
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: <nothing>
0x00002b27 395DD0                          cmp        dword [ss:ebp-0x48+var_24],ebx   ; XREF=0x2aee
0x00002b2a 77C4                            jnbe      0x2af0
                                       ; Basic Block Input Regs: ecx ebx ebp edi -  Killed Regs: eax ecx ebx esp ebp esi
0x00002b2c 8B45E0                          mov       eax, dword [ss:ebp-0x48+var_40]
0x00002b2f BE04000000                      mov       esi,0x4
0x00002b34 31DB                            xor       ebx,ebx
0x00002b36 C744240878300000                mov        dword [ss:esp+0x8],0x3078         ; @"%i"
0x00002b3e 8944240C                        mov        dword [ss:esp+0xc],eax
0x00002b42 A128400000                      mov       eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
0x00002b47 89442404                        mov        dword [ss:esp+0x4],eax
0x00002b4b A154400000                      mov       eax, dword [ds:cls_NSString]
0x00002b50 890424                          mov        dword [ss:esp],eax
0x00002b53 E806250000                      call       imp___jump_table__objc_msgSend   //将结果格式化为NSString
0x00002b58 893C24                          mov        dword [ss:esp],edi
0x00002b5b 8945D8                          mov        dword [ss:ebp-0x48+var_32],eax
0x00002b5e E800250000                      call       imp___jump_table__strlen
0x00002b63 31C9                            xor       ecx,ecx
0x00002b65 8945D4                          mov        dword [ss:ebp-0x48+var_28],eax
0x00002b68 EB32                            jmp       0x2b9c
                                       ; Basic Block Input Regs: ebx esi edi -  Killed Regs: eax ecx edx ebx ebp esi
0x00002b6a 0FBE041F                        movsx     eax, byte [ds:edi+ebx]             ; XREF=0x2b9f
0x00002b6e 43                              inc       ebx
0x00002b6f 0FAFC6                          imul      eax,esi
0x00002b72 83C608                          add       esi,0x8
0x00002b75 8D1480                          lea       edx, dword [ds:eax+eax*4]
0x00002b78 8D54502D                        lea       edx, dword [ds:eax+edx*2+0x2d]
0x00002b7c B8AD8BDB68                      mov       eax,0x68db8bad
0x00002b81 01D1                            add       ecx,edx
0x00002b83 F7E9                            imul      ecx
0x00002b85 89C8                            mov       eax,ecx
0x00002b87 C1F81F                          sar       eax,0x1f
0x00002b8a C1FA0C                          sar       edx,0xc
0x00002b8d 29C2                            sub       edx,eax
0x00002b8f 89C8                            mov       eax,ecx
0x00002b91 69D210270000                    imul      edx,edx,0x2710
0x00002b97 29D0                            sub       eax,edx
0x00002b99 8945E4                          mov        dword [ss:ebp-0x48+var_44],eax
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: <nothing>
0x00002b9c 3B5DD4                          cmp       ebx, dword [ss:ebp-0x48+var_28]    ; XREF=0x2b68
0x00002b9f 72C9                            jc        0x2b6a
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: eax ebx esp ebp esi edi
0x00002ba1 8B45E4                          mov       eax, dword [ss:ebp-0x48+var_44]
0x00002ba4 BE04000000                      mov       esi,0x4
0x00002ba9 31DB                            xor       ebx,ebx
0x00002bab C744240878300000                mov        dword [ss:esp+0x8],0x3078         ; @"%i"
0x00002bb3 BF04000000                      mov       edi,0x4
0x00002bb8 8944240C                        mov        dword [ss:esp+0xc],eax
0x00002bbc A128400000                      mov       eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
0x00002bc1 89442404                        mov        dword [ss:esp+0x4],eax
0x00002bc5 A154400000                      mov       eax, dword [ds:cls_NSString]
0x00002bca 890424                          mov        dword [ss:esp],eax
0x00002bcd E88C240000                      call       imp___jump_table__objc_msgSend //将结果格式化为NSString
0x00002bd2 895C2408                        mov        dword [ss:esp+0x8],ebx
0x00002bd6 8974240C                        mov        dword [ss:esp+0xc],esi
0x00002bda 8945DC                          mov        dword [ss:ebp-0x48+var_36],eax
0x00002bdd A148400000                      mov       eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
0x00002be2 89442404                        mov        dword [ss:esp+0x4],eax
0x00002be6 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002be9 890424                          mov        dword [ss:esp],eax
0x00002bec E86D240000                      call       imp___jump_table__objc_msgSend //截取密码前4位验证
0x00002bf1 89742408                        mov        dword [ss:esp+0x8],esi
0x00002bf5 897C240C                        mov        dword [ss:esp+0xc],edi
0x00002bf9 89C3                            mov       ebx,eax
0x00002bfb A148400000                      mov       eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
0x00002c00 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c04 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002c07 890424                          mov        dword [ss:esp],eax
0x00002c0a E84F240000                      call       imp___jump_table__objc_msgSend//截取密码后4位验证
0x00002c0f 891C24                          mov        dword [ss:esp],ebx
0x00002c12 89C6                            mov       esi,eax
0x00002c14 8B45D8                          mov       eax, dword [ss:ebp-0x48+var_32]
0x00002c17 89442408                        mov        dword [ss:esp+0x8],eax
0x00002c1b A108400000                      mov       eax, dword [ds:objc_msg_isEqual_]  ; @selector(isEqual:)
0x00002c20 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c24 E835240000                      call       imp___jump_table__objc_msgSend //判断是否相等
0x00002c29 84C0                            test      al,al
0x00002c2b 7421                            je        0x2c4e
                                       ; Basic Block Input Regs: ebp esi -  Killed Regs: eax edx esp
0x00002c2d 8B45DC                          mov       eax, dword [ss:ebp-0x48+var_36]
0x00002c30 893424                          mov        dword [ss:esp],esi
0x00002c33 89442408                        mov        dword [ss:esp+0x8],eax
0x00002c37 A108400000                      mov       eax, dword [ds:objc_msg_isEqual_]  ; @selector(isEqual:)
0x00002c3c 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c40 E819240000                      call       imp___jump_table__objc_msgSend//判断是否相等
0x00002c45 BA01000000                      mov       edx,0x1
0x00002c4a 84C0                            test      al,al
0x00002c4c 7502                            jne       0x2c50
                                       ; Basic Block Input Regs: edx -  Killed Regs: edx
0x00002c4e 31D2                            xor       edx,edx                           ; XREF=0x2abe, 0x2c2b
                                       ; Basic Block Input Regs: edx -  Killed Regs: eax ebx esp esi edi
0x00002c50 83C43C                          add       esp,0x3c                         ; XREF=0x2c4c
0x00002c53 89D0                            mov       eax,edx
0x00002c55 5B                              pop       ebx
0x00002c56 5E                              pop       esi
0x00002c57 5F                              pop       edi
0x00002c58 C9                              leave     
0x00002c59 C3                              ret

...more