Kwai and Kuaiying (快影) iOS app anti-debugging

Time: 2020-11-16

The Kwai and Kuaiying apps share the same protection code, so bypassing the anti-debugging is equally easy in both; the process is as follows.


1. Debugging the Kwai app

Dump the decrypted binary with Frida, create a MonkeyDev project, set breakpoints on the related functions in AntiAntiDebug.m, and run.

After the app starts, the my_dlsym breakpoint is hit; bt prints the call stack (screenshot omitted).

Then set a breakpoint at the address of stack frame 1, that is b 0x00000001054c3430, and press c to continue. Once execution stops at 0x00000001054c3430, change the return value to x0 = 0, that is: register write $x0 0

At line 55 of the assembly (screenshot omitted), patch the instruction to a NOP. The command is as follows (0xd503201f is the AArch64 NOP encoding): memory write -s 4 0x1028c09f4 0xd503201f

2. Anti-debugging bypass for the Kuaiying app

Dump the decrypted Kuaiying binary, create a MonkeyDev project, and run: the app crashes. The log prints the following: [AntiAntiDebug] - dlsym get ptrace symbol [AntiAntiDebug] - ptrace request is PT_DENY_ATTACH. Set breakpoints on my_ptrace and my_dlsym in AntiAntiDebug.m.

Anti-debugging function 1: 0x000000010265c920.
At assembly line 55, changing that instruction to a NOP lets the app run normally. The command is as follows:
memory write -s 4 0x102e089f4 0xd503201f

2.1 Calculation logic of the app sign

First, IDA static analysis gives the following key method:

id __cdecl +[KSMWPassportSecurityTools hmac:withKeyData:](KSMWPassportSecurityTools_meta *self, SEL a2, id a3, id a4)
{
  id v4; // x19
  id v5; // x20
  __int64 v6; // x21
  __int64 v7; // x1
  __int64 v8; // x22
  void *v9; // x0
  const char *v10; // x20
  void *v11; // x19
  void *v12; // x21
  void *v13; // x19
  size_t v14; // x0
  char v16; // [xsp+8h] [xbp-48h]
  v4 = a4;
  v5 = a3;
  v6 = objc_retain(a3, a2);
  v8 = objc_retain(v4, v7);
  v9 = (void *)objc_retainAutorelease(v5);
  v10 = (const char *)objc_msgSend(v9, "cStringUsingEncoding:", 4LL);
  objc_release(v6);
  v11 = (void *)objc_retainAutorelease(v4);
  v12 = objc_msgSend(v11, "bytes");
  v13 = objc_msgSend(v11, "length");
  objc_release(v8);
  v14 = strlen(v10);
  // CCHmac(algorithm, key, keyLength, data, dataLength, macOut); 2 = kCCHmacAlgSHA256
  // key = bytes of the withKeyData: argument, data = C string of the hmac: argument
  CCHmac(2LL, v12, v13, v10, v14, &v16);
  return (id)objc_msgSend(&OBJC_CLASS___NSData, "dataWithBytes:length:", &v16, 32LL);
}


The complete sign calculation logic is as follows:

[KSMWPassportSecurityTools createSignWithStringNonce:ssecurity:longValue: value]
    |
    +[KSMWPassportSecurityTools hmac:withKeyData:] = resultData
        |
        CCHmac(2LL, 0, 0, x3, 101, resultBuf);   // empty key, 101-byte data string
    |
    data = bswap32(value)
    |
    [data appendData: resultData]
    |
    [KSMWPassportSecurityTools base64Encode:]



Therefore, set a breakpoint on the [KSMWPassportSecurityTools createSignWithStringNonce:ssecurity:longValue:] method and tap "get verification code". The call stack is as follows:

thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 18.1
frame #0: 0x0000000101856fb0 KwaiYDelux`+[KSMWPassportSecurityTools createSignWithStringNonce:ssecurity:longValue:]
frame #1: 0x0000000101856c30 KwaiYDelux`+[KSMWPassportSecurityTools signOnURLPath:method:requestParams:] + 364
frame #2: 0x0000000101855910 KwaiYDelux`-[KSMWNetworkOperation url:method:parameters:cookies:completionHandler:] + 212
frame #3: 0x0000000101863a14 KwaiYDelux`-[KWPassportAPI POST:bodyParams:completionHandler:] + 280
frame #4: 0x00000001018607f8 KwaiYDelux`-[KWPassportAPI requestSMSCode:countryCode:type:completion:] + 412
frame #5: 0x000000010185f25c KwaiYDelux`-[KWPassport requestSMSCode:countryCode:type:completion:] + 132
frame #6: 0x00000001026799dc KwaiYDelux`-[KWAccountChannelService_Imp sendSMSWithRequest:handler:] + 264
frame #7: 0x000000018deea800 CoreFoundation`__invoking___ + 144
frame #8: 0x000000018ddcc3c0 CoreFoundation`-[NSInvocation invoke] + 292
frame #9: 0x000000010259659c KwaiYDelux`___lldb_unnamed_symbol58737$$KwaiYDelux + 1180
frame #10: 0x000000010817e7fc Flutter`__45-[FlutterMethodChannel setMethodCallHandler:]_block_invoke + 116
frame #11: 0x000000010811d6d0 Flutter`flutter::PlatformViewIOS::HandlePlatformMessage(fml::RefPtr) + 680
frame #12: 0x0000000108170048 Flutter`std::__1::__function::__func)::$_32, std::__1::allocator)::$_32>, void ()>::operator()() + 80
frame #13: 0x000000010812a988 Flutter`fml::MessageLoopImpl::FlushTasks(fml::FlushType) + 96
frame #14: 0x000000010812ef0c Flutter`fml::MessageLoopDarwin::OnTimerFire(__CFRunLoopTimer*, fml::MessageLoopDarwin*) + 32
frame #15: 0x000000018de75554 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28
frame #16: 0x000000018de75284 CoreFoundation`__CFRunLoopDoTimer + 864
frame #17: 0x000000018de74ab8 CoreFoundation`__CFRunLoopDoTimers + 248
frame #18: 0x000000018de6fa08 CoreFoundation`__CFRunLoopRun + 1844
frame #19: 0x000000018de6efb4 CoreFoundation`CFRunLoopRunSpecific + 436
frame #20: 0x000000019007079c GraphicsServices`GSEventRunModal + 104
frame #21: 0x00000001ba6d0c38 UIKitCore`UIApplicationMain + 212
frame #22: 0x0000000100e0c028 KwaiYDelux`___lldb_unnamed_symbol1343$$KwaiYDelux + 100
frame #23: 0x000000018d9328e0 libdyld.dylib`start + 4


It calls +[KSMWPassportSecurityTools hmac:withKeyData:], where
hmac: = POST&/pass/ky/sms/code&countryCode=+86&phone=ZTSP__R2oN18L5Ilx8weM__ZTSP&type=395&8951850021377611294
withKeyData: = empty

At assembly line 50, at the CCHmac call, dump the data argument:

(lldb) x/50xg $x3, length = 101, that is POST&/pass/ky/sms/code&countryCode=+86&phone=ZTSP__R2oN18L5Ilx8weM__ZTSP&type=395&8951850021377611294

The memory data are as follows:

0x2823ace91: 0x61702f2654534f50 0x6d732f796b2f7373      
0x2823acea1: 0x632665646f632f73 0x6f437972746e756f      
0x2823aceb1: 0x702636382b3d6564 0x53545a3d656e6f68      
0x2823acec1: 0x314e6f32525f5f50 0x7738786c49354c38
0x2823aced1: 0x5053545a5f5f4d65 0x39333d6570797426
0x2823acee1: 0x3538313539382635 0x3637373331323030
0x2823acef1: 0x0000003439323131 0x0000000000000000
0x2823acf01: 0x0000000000000000 0x0000000000000000

(lldb) x/50xg $x5 -> the HMAC result (macOut)

0x16f1290c8: 0x35da8aa020e5bd2f 0xf6fc50b2b2c85841
0x16f1290d8: 0x2e00c9df95a02ada 0x17325b620c1cd33f

The 8-byte big-endian long value <7c3b5c2a 5ec9161e> (8951850021377611294) with the HMAC result appended gives:

<7c3b5c2a 5ec9161e 2fbde520 a08ada35 4158c8b2 b250fcf6 da2aa095 dfc9002e 3fd31c0c 625b3217>

Then [KSMWPassportSecurityTools base64Encode:] is called on the data above. The result is:
fDtcKl7JFh4vveUgoIraNUFYyLKyUPz22iqgld/JAC4/0xwMYlsyFw==

This is the final sign, which can be compared through packet capture.
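As an added check on the reconstruction above (example code, not from the original post), the sign is recomputed from the 101-byte string and long value dumped in lldb and compared with the dumped HMAC and the final base64 sign. The traced call passed a zero-length key, so the MAC covers nothing beyond fields already visible in the request.

```python
import base64
import hashlib
import hmac
import struct

# 101-byte data argument recovered from the "x/50xg $x3" dump above.
CANONICAL = (
    "POST&/pass/ky/sms/code&countryCode=+86"
    "&phone=ZTSP__R2oN18L5Ilx8weM__ZTSP&type=395&8951850021377611294"
)
LONG_VALUE = 8951850021377611294          # the longValue: argument
# Values dumped on the page; used only to check the reconstruction.
PAGE_HMAC_HEX = "2fbde520a08ada354158c8b2b250fcf6da2aa095dfc9002e3fd31c0c625b3217"
PAGE_SIGN = "fDtcKl7JFh4vveUgoIraNUFYyLKyUPz22iqgld/JAC4/0xwMYlsyFw=="


def value_bytes(value: int) -> bytes:
    """The 8-byte big-endian encoding that is placed before the MAC."""
    return struct.pack(">Q", value)


def hmac_hex(data: str, key: bytes) -> str:
    """+[KSMWPassportSecurityTools hmac:withKeyData:], i.e.
    CCHmac(kCCHmacAlgSHA256, key, keyLen, data, dataLen); keyLen was 0
    in the traced call."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def create_sign(canonical: str, value: int, key: bytes) -> str:
    """createSignWithStringNonce:ssecurity:longValue: as reconstructed:
    base64( bigendian64(value) || HMAC-SHA256(key, canonical) )."""
    mac = bytes.fromhex(hmac_hex(canonical, key))
    return base64.b64encode(value_bytes(value) + mac).decode("ascii")


def check_reconstruction() -> bool:
    """True when the recomputation matches every value dumped in lldb.
    With an empty key the MAC depends only on the request fields, so it
    binds the request to nothing the client does not already send."""
    return (
        len(CANONICAL.encode("utf-8")) == 101
        and value_bytes(LONG_VALUE).hex() == "7c3b5c2a5ec9161e"
        and hmac_hex(CANONICAL, b"") == PAGE_HMAC_HEX
        and create_sign(CANONICAL, LONG_VALUE, b"") == PAGE_SIGN
    )


if __name__ == "__main__":
    print("reconstruction matches:", check_reconstruction())
```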

Since most of Kuaiying's business interfaces are built with Flutter, they cannot be reversed the same way: requests made from Flutter pages do not go through the native networking stack, so their packets cannot be captured this way.

Wireshark can only capture the encrypted HTTPS packets, because it copies the packets passing through the network card rather than acting, like Charles, as a proxy server on the phone that relays the app's network requests.

According to posts online, you can route the traffic through a circumvention (翻墙) tool's proxy and then capture the packets with Charles.

Author: Reflection CC
Link: https://juejin.im/post/5ee59de76fb9a047f558d8ed
