设备:iPhone 6 Plus。将应用二进制拖入 Hopper 分析,查看 label 列表时注意到敏感方法 onClick,其静态分析如下:

-[ViewController onClick]:
; Purpose (as far as the listing shows): run five Caesar + AES decryption rounds
; over an embedded string, compare the result with the text field's contents,
; and show a UIAlertView whose message depends on the outcome.
; Review note: the ciphertext (0xb700) and the AES password (0xb75c) are both
; string literals in the binary, so the expected value can be recovered from the
; binary alone; the layered ciphers obfuscate it but do not protect it.
;
; Prologue: save registers, reserve 0x20 bytes of stack, spill self to [sp, #0x10].
0000b6a0 push {r4, r5, r6, r7, lr} ; Objective C Implementation defined at 0x1cd38 (instance)
0000b6a2 add r7, sp, #0xc
0000b6a4 push.w {r8, r10, r11}
0000b6a8 sub sp, #0x20
0000b6aa str r0, [sp, #0x10]
; Resolve selector references and the ciphertext once, before the loop:
;   [sp, #0x1c] = decrypt:password:   [sp, #0x18] = originalMessage
;   [sp, #0x14] = decrypt             r8  = setCodedMessage:
;   r10 = initWithCipherKey:          r4  = alloc
;   r6  = ciphertext literal          r11 = 5 (round counter)
0000b6ac movw r0, #0x355c
0000b6b0 movt r0, #0x1
0000b6b4 movw r1, #0x354e
0000b6b8 movt r1, #0x1
0000b6bc movw r2, #0x3528
0000b6c0 movt r2, #0x1
0000b6c4 movw r3, #0x3534
0000b6c8 add r0, pc ; @selector(decrypt:password:)
0000b6ca movt r3, #0x1
0000b6ce movw r5, #0x352c
0000b6d2 add r1, pc ; @selector(originalMessage)
0000b6d4 movt r5, #0x1
0000b6d8 movw r6, #0x10e4
0000b6dc ldr r0, [r0] ; @selector(decrypt:password:)
0000b6de movt r6, #0x1
0000b6e2 str r0, [sp, #0x1c]
0000b6e4 add r3, pc ; @selector(setCodedMessage:)
0000b6e6 ldr r0, [r1] ; @selector(originalMessage)
0000b6e8 add r5, pc ; @selector(initWithCipherKey:)
0000b6ea str r0, [sp, #0x18]
0000b6ec movw r0, #0x343a
0000b6f0 movt r0, #0x1
0000b6f4 add r2, pc ; @selector(decrypt)
0000b6f6 add r0, pc ; @selector(alloc)
0000b6f8 ldr.w r8, [r3] ; @selector(setCodedMessage:)
0000b6fc ldr.w r10, [r5] ; @selector(initWithCipherKey:)
0000b700 add r6, pc ; @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
0000b702 ldr r4, [r0] ; @selector(alloc)
0000b704 mov.w r11, #0x5
0000b708 ldr r1, [r2] ; @selector(decrypt)
0000b70a str r1, [sp, #0x14]
; Loop head (target of the bgt at 0xb768): [Ceasar_CipherModel alloc].
0000b70c movw r0, #0x38c2 ; XREF=-[ViewController onClick]+200
0000b710 mov r1, r4 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b712 movt r0, #0x1
0000b716 add r0, pc ; objc_cls_ref_Ceasar_CipherModel
0000b718 ldr r0, [r0] ; objc_cls_ref_Ceasar_CipherModel, argument #1 for method imp___symbolstub1__objc_msgSend
0000b71a blx imp___symbolstub1__objc_msgSend
; r11 is decremented before it is passed, so the rounds use cipher keys 4, 3, 2, 1, 0:
; [obj initWithCipherKey:r11].
0000b71e sub.w r11, r11, #0x1 ------>设置ceasar_cipher model 的cipherKey,循环5次解密4,3,2,1,0
0000b722 mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b724 mov r2, r11
0000b726 blx imp___symbolstub1__objc_msgSend
; r5 = initialised model; [model setCodedMessage:r6], where r6 is the literal on
; the first round and the previous round's AES output afterwards.
0000b72a mov r5, r0
0000b72c mov r1, r8 ------------>设置setCodedMessage ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b72e mov r2, r6
0000b730 blx imp___symbolstub1__objc_msgSend
; [model decrypt] (selector from [sp, #0x14]).
0000b734 ldr r1, [sp, #0x14] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b736 mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b738 blx imp___symbolstub1__objc_msgSend
; [model originalMessage] (selector from [sp, #0x18]); the result becomes the AES input in r2.
0000b73c ldr r1, [sp, #0x18] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b73e mov r0, r5 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b740 blx imp___symbolstub1__objc_msgSend
; [AESCrypt decrypt:r2 password:r3], r3 pointing at the embedded password literal;
; the result is kept in r6 for the next round.
0000b744 mov r2, r0 ---->凯撒解密后的字符串用作aes解密
0000b746 movw r0, #0x388c
0000b74a movt r0, #0x1
0000b74e ldr r1, [sp, #0x1c] ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b750 add r0, pc ; objc_cls_ref_AESCrypt
0000b752 ldr r0, [r0] ; objc_cls_ref_AESCrypt, argument #1 for method imp___symbolstub1__objc_msgSend
0000b754 movw r3, #0x1098
0000b758 movt r3, #0x1
0000b75c add r3, pc --->aes解密秘钥 ; @"ZGlhb2RhX2ppYW5rYW5nCg=="
0000b75e blx imp___symbolstub1__objc_msgSend ---->对凯撒解密后的数据进行aes解密
0000b762 mov r6, r0
; Repeat while r11 > 0, i.e. five rounds in total.
0000b764 cmp.w r11, #0x0 ------>循环 5次
0000b768 bgt 0xb70c
; After the loop: r10 = alloc selector, r8 = self (reloaded from [sp, #0x10]).
; r4 = [[[self textFeild] text] UTF8String], the user's input as a C string.
0000b76a movw r0, #0x346c
0000b76e mov r10, r4
0000b770 movt r0, #0x1
0000b774 ldr.w r8, [sp, #0x10]
0000b778 add r0, pc ; @selector(textFeild)
0000b77a ldr r1, [r0] ; @selector(textFeild), argument #2 for method imp___symbolstub1__objc_msgSend
0000b77c mov r0, r8 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b77e blx imp___symbolstub1__objc_msgSend
0000b782 movw r1, #0x349e
0000b786 movt r1, #0x1
0000b78a add r1, pc ; @selector(text)
0000b78c ldr r1, [r1] ; @selector(text), argument #2 for method imp___symbolstub1__objc_msgSend
0000b78e blx imp___symbolstub1__objc_msgSend
0000b792 movw r1, #0x3492
0000b796 movt r1, #0x1
0000b79a add r1, pc ; @selector(UTF8String)
0000b79c ldr r5, [r1] ; @selector(UTF8String)
0000b79e mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7a0 blx imp___symbolstub1__objc_msgSend
0000b7a4 mov r4, r0
; r5 = [r6 UTF8String], the final decrypted value as a C string.
0000b7a6 mov r0, r6 ; argument #1 for method imp___symbolstub1__objc_msgSend
0000b7a8 mov r1, r5 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7aa blx imp___symbolstub1__objc_msgSend
0000b7ae mov r5, r0
; Byte-wise comparison bounded by strlen(r5), the decrypted value, not by the input:
;   - an empty decrypted string branches straight to the r4 = 1 path at 0xb7d6;
;   - only the first strlen(r5) bytes of the input are examined, so the check is a
;     prefix match rather than an equality test (no length comparison is made);
;   - strlen(r5) is re-evaluated on every iteration.
; NOTE(review): r5 and r4 are dereferenced without a NULL check; presumably both
; UTF8String calls return non-NULL here; confirm.
0000b7b0 ldrb r0, [r5] ; "UTF8String"
0000b7b2 cmp r0, #0x0
0000b7b4 beq 0xb7d6
0000b7b6 ldrb r1, [r4]
0000b7b8 cmp r1, r0
0000b7ba bne 0xb7d2
0000b7bc movs r6, #0x1
0000b7be mov r0, r5 ; argument #1 for method imp___symbolstub1__strlen, XREF=-[ViewController onClick]+304
0000b7c0 blx imp___symbolstub1__strlen
0000b7c4 cmp r6, r0
0000b7c6 bhs 0xb7d6
0000b7c8 ldrb r0, [r5, r6]
0000b7ca ldrb r1, [r4, r6]
0000b7cc adds r6, #0x1
0000b7ce cmp r1, r0
0000b7d0 beq 0xb7be
; r4 = 0 on a mismatch, r4 = 1 when every compared byte matched.
0000b7d2 movs r4, #0x0 ; XREF=-[ViewController onClick]+282
0000b7d4 b 0xb7d8
0000b7d6 movs r4, #0x1 ; XREF=-[ViewController onClick]+276, -[ViewController onClick]+294
; [UIAlertView alloc] (r10 holds the alloc selector).
0000b7d8 movw r0, #0x37fe ; XREF=-[ViewController onClick]+308
0000b7dc mov r1, r10 ; argument #2 for method imp___symbolstub1__objc_msgSend
0000b7de movt r0, #0x1
0000b7e2 add r0, pc ; objc_cls_ref_UIAlertView
0000b7e4 ldr r0, [r0] ; objc_cls_ref_UIAlertView, argument #1 for method imp___symbolstub1__objc_msgSend
0000b7e6 blx imp___symbolstub1__objc_msgSend
; Arguments for initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:
;   r2 = @"" (title), r3 = message chosen by the bne at 0xb80c from cmp r4, #0x1,
;   [sp] = r8 (self, delegate), [sp, #0x4] = r6 (cancel button title),
;   [sp, #0x8] = r5 (other button title), [sp, #0xc] = 0 (list terminator).
0000b7ea movw r1, #0x3438
0000b7ee cmp r4, #0x1
0000b7f0 movt r1, #0x1
0000b7f4 movw r6, #0x1022
0000b7f8 add r1, pc ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b7fa movt r6, #0x1
0000b7fe movw r2, #0xffa
0000b802 add r6, pc ; cfstring__S_m
0000b804 movt r2, #0x1
0000b808 ldr r1, [r1] ; @selector(initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:)
0000b80a add r2, pc ; @""
0000b80c bne 0xb81a
0000b80e movw r3, #0xffe
0000b812 movt r3, #0x1
0000b816 add r3, pc ; cfstring____xcknx___b_R__eQ__
0000b818 b 0xb824
0000b81a movw r3, #0x1022 ; XREF=-[ViewController onClick]+364
0000b81e movt r3, #0x1
0000b822 add r3, pc ; cfstring____x______
0000b824 movw r5, #0x1002 ; XREF=-[ViewController onClick]+376
0000b828 movs r4, #0x0
0000b82a movt r5, #0x1
0000b82e str.w r8, [sp]
0000b832 add r5, pc ; cfstring_nx__
0000b834 str r6, [sp, #0x4]
0000b836 str r5, [sp, #0x8]
0000b838 str r4, [sp, #0xc]
0000b83a blx imp___symbolstub1__objc_msgSend
; Epilogue: load @selector(show) into r1, restore the stack and registers, then
; branch to 0x179c0, presumably the objc_msgSend stub, making this a tail call
; of [alert show]; confirm against the stub address.
0000b83e movw r1, #0x33ee
0000b842 movt r1, #0x1
0000b846 add r1, pc ; @selector(show)
0000b848 ldr r1, [r1] ; @selector(show)
0000b84a add sp, #0x20
0000b84c pop.w {r8, r10, r11}
0000b850 pop.w {r4, r5, r6, r7, lr}
0000b854 b.w 0x179c0
; endp

用到的加密方式:凯撒密码(Caesar)与 AES。密文和 AES 口令都以字符串常量的形式保存在二进制中,因此多层加密在这里只起混淆作用,静态分析即可还原明文。

还原代码如下:

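// Reconstruction of the decryption loop seen in -[ViewController onClick].
// Both inputs are string literals taken from the binary; because the key
// material ships inside the app, the Caesar + AES layering only obfuscates
// the expected value and the loop can be replayed offline.
NSString *data = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
NSString *password = @"ZGlhb2RhX2ppYW5rYW5nCg==";
// The counter is decremented before use, so the Caesar keys are 4, 3, 2, 1, 0.
int times = 5;
do {
    times--;
    // The disassembly sends initWithCipherKey: directly after alloc, so the
    // reconstruction uses the same initializer instead of init + a property set.
    Ceasar_CipherModel *model = [[Ceasar_CipherModel alloc] initWithCipherKey:times];
    model.codedMessage = data;
    [model decrypt];
    // Each round feeds the Caesar output into AES with the same embedded password.
    data = [AESCrypt decrypt:model.originalMessage password:password];
    if (data == nil) {
        // A nil result means this round produced nothing; later rounds would
        // only process nil, so stop and let the final log show the failure.
        break;
    }
} while (times > 0);
NSLog(@"result : %@", data);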
第一次: hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
第二次: e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
第三次: 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
第四次: QNEcNAUUYKq5mMZJTh3J5w==
第五次: Sp4rkDr0idKit

最终结果为:

Sp4rkDr0idKit