数美IOS防作弊产品技术原理分析
由于时间和水平有限,本文会存在诸多不足,希望得到您的及时反馈与指正,多谢!
工具环境:
iPhone 6、
系统版本 10.1.1
IDA Pro 7.0
0x00:防作弊产品介绍
1.由于IOS系统的不开放性,能获取的信息太少,所在IOS上的防作弊产品可做的功能就相比较于安卓要少很多了。硬件方面主要获取IDFA、IDFV这两个值,软件方面主要获取一些风险APP的名称。
0x01:SDK整体框架
1.该防作弊产品提供SDK形式给开发者调用,当开发者成功集成到APP后,APP启动时就会生成一个唯一的ID值。
2.SDK客户端整体流程如图1所示:
图1
3.服务器返回的ID会存放在系统中,这个ID值用通俗的话说,就是为每台设备注册一个身份证号,它代表了设备。这样一来,如果刷量者通过hook机制来修改IDFA、mac等设备模拟新用户就不起作用了。
0x02:技术细节分析
1.APP启动时会解密会判断本地是否缓存了deviceID值与风险app名单,如果没有就生成一个随机的deviceid然后解密写死在app中的风险文件名单。
2.从服务器获取deviceid值
如果没有缓存ID就生成一个ID,生成随机的deviceID代码如下:
1 // 第一次生成deviceid (uuid+当前时间) 2 id __cdecl -[SmidManager genFpId](SmidManager *self, SEL a2) 3 { 4 __int64 v2; // x0 5 __int64 v3; // x0 6 __int64 v4; // x0 7 __int64 v5; // x0 8 void *v6; // x0 9 void *v7; // x0 10 void *v8; // x0 11 void *v9; // x0 12 void *second; // x0 13 void *v11; // x0 14 __int64 v12; // x0 15 __int64 currtime; // ST68_8 16 id v14; // x0 17 __int64 uuid_md5; // x0 18 __int64 v16; // ST58_8 19 void *v17; // x0 20 void *v18; // x0 21 void *v19; // x0 22 void *v20; // x0 23 void *v21; // x9 24 void *v22; // x0 25 void *v23; // x0 26 void *v24; // x9 27 void *v25; // x0 28 void *v26; // x0 29 void *v27; // x9 30 void *v28; // x0 31 void *v29; // x0 32 void *v30; // x9 33 void *v31; // x0 34 void *v32; // x0 35 void *v33; // x9 36 void *v34; // x0 37 void *v35; // x0 38 void *v36; // x9 39 void *v37; // x0 40 void *v38; // x0 41 void *v39; // x9 42 void *v40; // x0 43 void *v41; // x0 44 void *v42; // x9 45 void *v43; // x0 46 struct objc_object *v44; // x0 47 struct objc_object *v45; // ST38_8 48 id v46; // x0 49 void *v47; // x0 50 __int64 v48; // x0 51 void *v49; // x0 52 __int64 v50; // ST30_8 53 __int64 v52; // [xsp+98h] [xbp-B8h] 54 void *v53; // [xsp+A0h] [xbp-B0h] 55 void *v54; // [xsp+A8h] [xbp-A8h] 56 void *v55; // [xsp+B0h] [xbp-A0h] 57 __int64 v56; // [xsp+B8h] [xbp-98h] 58 void *v57; // [xsp+C0h] [xbp-90h] 59 void *minute; // [xsp+C8h] [xbp-88h] 60 void *hour; // [xsp+D0h] [xbp-80h] 61 void *day; // [xsp+D8h] [xbp-78h] 62 void *month; // [xsp+E0h] [xbp-70h] 63 void *year; // [xsp+E8h] [xbp-68h] 64 void *v63; // [xsp+F0h] [xbp-60h] 65 __int64 v64; // [xsp+F8h] [xbp-58h] 66 void *v65; // [xsp+100h] [xbp-50h] 67 __int64 v66; // [xsp+108h] [xbp-48h] 68 struct objc_object *uuid; // [xsp+110h] [xbp-40h] 69 __int64 v68; // [xsp+118h] [xbp-38h] 70 __int64 v69; // [xsp+120h] [xbp-30h] 71 SEL v70; // [xsp+128h] [xbp-28h] 72 SmidManager *v71; // [xsp+130h] [xbp-20h] 73 __int64 v72; // [xsp+138h] [xbp-18h] 74 75 v71 = self; 76 v70 = a2; 77 v2 = CFUUIDCreate(); 78 v69 = v2; 79 v3 = CFUUIDCreateString(0LL, v2); 80 v68 = v3; 81 v4 = CFStringCreateCopy(0LL, v3); 82 v72 = v4; 83 v5 = objc_autoreleaseReturnValue(v4); 84 uuid = (struct objc_object *)objc_retainAutoreleasedReturnValue(v5); 85 CFRelease(v69); 86 CFRelease(v68); 87 v6 = objc_msgSend(&OBJC_CLASS___NSDate, (const char *)&unk_195EEC6AF); 88 v66 = objc_retainAutoreleasedReturnValue(v6); 89 v7 = objc_msgSend(&OBJC_CLASS___NSCalendar, (const char *)&unk_195F34590); 90 v8 = (void *)objc_retainAutoreleasedReturnValue(v7); 91 v65 = v8; 92 v64 = 252LL; 93 v9 = objc_msgSend(v8, (const char *)&unk_195F345E4, 252LL, v66); 94 v63 = (void *)objc_retainAutoreleasedReturnValue(v9); 95 year = objc_msgSend(v63, (const char *)&unk_195F9F96E); 96 month = objc_msgSend(v63, (const char *)&unk_195F9F973); 97 day = objc_msgSend(v63, (const char *)&unk_195F9F979); 98 hour = objc_msgSend(v63, (const char *)&unk_195F34810); 99 minute = objc_msgSend(v63, (const char *)&unk_195F5F105); 100 second = objc_msgSend(v63, (const char *)&unk_195F5F10C); 101 v57 = second; 102 v11 = objc_msgSend( 103 &OBJC_CLASS___NSString, 104 (const char *)&unk_195EDDC2A, 105 CFSTR("%04d%02d%02d%02d%02d%02d"), 106 year, 107 month, 108 day, 109 hour, 110 minute, 111 second); 112 v12 = objc_retainAutoreleasedReturnValue(v11); 113 v56 = v12; 114 currtime = v12; 115 v14 = ((id (__cdecl *)(SmUtils_meta *, SEL, id))objc_msgSend)( 116 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 117 "md5EncodeStr:", 118 uuid); 119 uuid_md5 = objc_retainAutoreleasedReturnValue(v14); 120 v16 = uuid_md5; 121 v17 = objc_msgSend( 122 &OBJC_CLASS___NSString, 123 (const char *)&unk_195EDDC2A, 124 CFSTR("%@%@%@"), 125 currtime, 126 uuid_md5, 127 CFSTR("00")); 128 v55 = (void *)objc_retainAutoreleasedReturnValue(v17); 129 objc_release(v16); 130 v18 = (void *)objc_retain(&stru_1027FA700); 131 v54 = v18; 132 v19 = objc_msgSend(v18, (const char *)&unk_195EF0B91, CFSTR("shumei")); 133 v20 = (void *)objc_retainAutoreleasedReturnValue(v19); 134 v21 = v54; 135 v54 = v20; 136 objc_release(v21); 137 v22 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("_")); 138 v23 = (void *)objc_retainAutoreleasedReturnValue(v22); 139 v24 = v54; 140 v54 = v23; 141 objc_release(v24); 142 v25 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("ios")); 143 v26 = (void *)objc_retainAutoreleasedReturnValue(v25); 144 v27 = v54; 145 v54 = v26; 146 objc_release(v27); 147 v28 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("_")); 148 v29 = (void *)objc_retainAutoreleasedReturnValue(v28); 149 v30 = v54; 150 v54 = v29; 151 objc_release(v30); 152 v31 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("sec")); 153 v32 = (void *)objc_retainAutoreleasedReturnValue(v31); 154 v33 = v54; 155 v54 = v32; 156 objc_release(v33); 157 v34 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("_")); 158 v35 = (void *)objc_retainAutoreleasedReturnValue(v34); 159 v36 = v54; 160 v54 = v35; 161 objc_release(v36); 162 v37 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("key")); 163 v38 = (void *)objc_retainAutoreleasedReturnValue(v37); 164 v39 = v54; 165 v54 = v38; 166 objc_release(v39); 167 v40 = objc_msgSend(v54, (const char *)&unk_195EF0B91, CFSTR("_")); 168 v41 = (void *)objc_retainAutoreleasedReturnValue(v40); 169 v42 = v54; 170 v54 = v41; 171 objc_release(v42); 172 v43 = objc_msgSend(&OBJC_CLASS___NSString, (const char *)&unk_195EDDC2A, CFSTR("%@%@"), v54, v55); 173 v44 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v43); 174 v45 = v44; 175 v46 = ((id (__cdecl *)(SmUtils_meta *, SEL, id))objc_msgSend)( 176 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 177 "md5EncodeStr:", 178 v44); 179 v53 = (void *)objc_retainAutoreleasedReturnValue(v46); 180 objc_release(v45); 181 v47 = objc_msgSend(v53, (const char *)&unk_195F19145, 14LL); 182 v48 = objc_retainAutoreleasedReturnValue(v47); 183 v52 = v48; 184 v49 = objc_msgSend(v55, (const char *)&unk_195EF0B91, v48); 185 v50 = objc_retainAutoreleasedReturnValue(v49); 186 objc_storeStrong(&v52, 0LL); 187 objc_storeStrong(&v53, 0LL); 188 objc_storeStrong(&v54, 0LL); 189 objc_storeStrong(&v55, 0LL); 190 objc_storeStrong(&v56, 0LL); 191 objc_storeStrong(&v63, 0LL); 192 objc_storeStrong(&v65, 0LL); 193 objc_storeStrong(&v66, 0LL); 194 objc_storeStrong(&uuid, 0LL); 195 return (id)objc_autoreleaseReturnValue(v50); 196 }
判断deviceID类型 本地随机生成为0 服务下发的为1
1 signed __int64 __cdecl +[SmidManager typeId:](SmidManager_meta *self, SEL a2, id a3) 2 { 3 void *v3; // x0 4 void *v4; // x0 5 void *v5; // x0 6 void *v6; // x8 7 void *v7; // x0 8 void *v8; // x0 9 void *v9; // x8 10 void *v10; // x0 11 void *v11; // x0 12 void *v12; // x8 13 void *v13; // x0 14 void *v14; // x0 15 void *v15; // x8 16 void *v16; // x0 17 void *v17; // x0 18 void *v18; // x8 19 void *v19; // x0 20 void *v20; // x0 21 void *v21; // x8 22 void *v22; // x0 23 void *v23; // x0 24 void *v24; // x8 25 void *v25; // x0 26 void *v26; // x0 27 void *v27; // x8 28 void *v28; // x0 29 __int64 v29; // x0 30 __int64 v30; // ST18_8 31 void *v31; // x0 32 id v32; // x0 33 void *v33; // x0 34 void *v34; // x0 35 __int64 v35; // x0 36 __int64 v36; // x8 37 void *v37; // x0 38 __int64 v39; // [xsp+68h] [xbp-48h] 39 void *v40; // [xsp+70h] [xbp-40h] 40 struct objc_object *v41; // [xsp+78h] [xbp-38h] 41 void *v42; // [xsp+80h] [xbp-30h] 42 int v43; // [xsp+8Ch] [xbp-24h] 43 void *v44; // [xsp+90h] [xbp-20h] 44 SEL v45; // [xsp+98h] [xbp-18h] 45 SmidManager_meta *v46; // [xsp+A0h] [xbp-10h] 46 __int64 v47; // [xsp+A8h] [xbp-8h] 47 48 v46 = self; 49 v45 = a2; 50 v44 = 0LL; 51 objc_storeStrong(&v44, a3); 52 if ( (unsigned __int64)+[SmStrUtils empty:](&OBJC_CLASS___SmStrUtils, "empty:", v44) & 1 53 || objc_msgSend(v44, (const char *)&unk_195EE38EE) != &unk_3E ) 54 { 55 v47 = -1LL; 56 v43 = 1; 57 } 58 else 59 { 60 v3 = (void *)objc_retain(&stru_1027FA700); 61 v42 = v3; 62 v4 = objc_msgSend(v3, (const char *)&unk_195EF0B91, CFSTR("shumei")); 63 v5 = (void *)objc_retainAutoreleasedReturnValue(v4); 64 v6 = v42; 65 v42 = v5; 66 objc_release(v6); 67 v7 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("_")); 68 v8 = (void *)objc_retainAutoreleasedReturnValue(v7); 69 v9 = v42; 70 v42 = v8; 71 objc_release(v9); 72 v10 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("ios")); 73 v11 = (void *)objc_retainAutoreleasedReturnValue(v10); 74 v12 = v42; 75 v42 = v11; 76 objc_release(v12); 77 v13 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("_")); 78 v14 = (void *)objc_retainAutoreleasedReturnValue(v13); 79 v15 = v42; 80 v42 = v14; 81 objc_release(v15); 82 v16 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("sec")); 83 v17 = (void *)objc_retainAutoreleasedReturnValue(v16); 84 v18 = v42; 85 v42 = v17; 86 objc_release(v18); 87 v19 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("_")); 88 v20 = (void *)objc_retainAutoreleasedReturnValue(v19); 89 v21 = v42; 90 v42 = v20; 91 objc_release(v21); 92 v22 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("key")); 93 v23 = (void *)objc_retainAutoreleasedReturnValue(v22); 94 v24 = v42; 95 v42 = v23; 96 objc_release(v24); 97 v25 = objc_msgSend(v42, (const char *)&unk_195EF0B91, CFSTR("_")); 98 v26 = (void *)objc_retainAutoreleasedReturnValue(v25); 99 v27 = v42; 100 v42 = v26; 101 objc_release(v27); 102 v28 = objc_msgSend(v44, (const char *)&unk_195F19145, 48LL); 103 v29 = objc_retainAutoreleasedReturnValue(v28); 104 v30 = v29; 105 v31 = objc_msgSend(&OBJC_CLASS___NSString, (const char *)&unk_195EDDC2A, CFSTR("%@%@"), v42, v29); 106 v41 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v31); 107 objc_release(v30); 108 v32 = ((id (__cdecl *)(SmUtils_meta *, SEL, id))objc_msgSend)( 109 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 110 "md5EncodeStr:", 111 v41); 112 v33 = (void *)objc_retainAutoreleasedReturnValue(v32); 113 v40 = v33; 114 v34 = objc_msgSend(v33, (const char *)&unk_195F19145, 14LL); 115 v35 = objc_retainAutoreleasedReturnValue(v34); 116 v36 = (__int64)v40; 117 v40 = (void *)v35; 118 objc_release(v36); 119 v37 = objc_msgSend(v44, (const char *)&unk_195EDFD20, 48LL); 120 v39 = objc_retainAutoreleasedReturnValue(v37); 121 if ( (unsigned __int64)+[SmStrUtils equal:right:](&OBJC_CLASS___SmStrUtils, "equal:right:", v40, v39) & 1 ) 122 { 123 if ( (unsigned __int16)objc_msgSend(v44, (const char *)&unk_195F17186, 47LL) == 48 ) 124 { 125 v47 = 0LL; 126 v43 = 1; 127 } 128 else 129 { 130 if ( (unsigned __int16)objc_msgSend(v44, (const char *)&unk_195F17186, 47LL) == 49 ) 131 v47 = 1LL; 132 else 133 v47 = -1LL; 134 v43 = 1; 135 } 136 } 137 else 138 { 139 v47 = 2LL; 140 v43 = 1; 141 } 142 objc_storeStrong(&v39, 0LL); 143 objc_storeStrong(&v40, 0LL); 144 objc_storeStrong(&v41, 0LL); 145 objc_storeStrong(&v42, 0LL); 146 } 147 objc_storeStrong(&v44, 0LL); 148 return v47; 149 }
将获取到的硬件信息与刚生成的deviceid组合加密传给服务器,如果成功服务器就返回一个deviceID值。
1 //组合请求体 2 { 3 "lstat":[ 4 1, 5 0 6 ], 7 "idfa":"56076342-6AA8-4EF3-A3B3-FF0E2C6Exxxx", 8 "os":"ios", 9 "rtype":"core", 10 "t":1559112353610, 11 "sdkver":"2.5.0", 12 "idfv":"DFF15047-2F42-4612-8BE2-8D0B2482xxxx", 13 "boot":1559009952219, 14 "appId":"", 15 "lfrom":"gen", 16 "smid":"2019052914070272ea50eee30ea85b0bcc2141c04e5bcd00ebfc34bfe82ae9" //本地随机生成 17 }
加密传给服务器 获取deviceid key为smsdkWd4Z1WnKWa9R3ud4Jxxx(md5值)
1 id __cdecl -[SmAntiFraud wrap:](SmAntiFraud *self, SEL a2, id a3) 2 { 3 void *v3; // x0 4 __int64 v4; // x0 5 __int64 v5; // STD0_8 6 void *v6; // x0 7 void *v7; // STC8_8 8 void *v8; // x0 9 __int64 v9; // x0 10 __int64 v10; // STC0_8 11 void *v11; // x0 12 id v12; // x0 13 void *v13; // x0 14 void *v14; // STB8_8 15 void *v15; // x0 16 id v16; // x0 17 __int64 v17; // x0 18 __int64 v18; // x8 19 NSMutableDictionary *v19; // x0 20 void *v20; // x0 21 void *v21; // STA8_8 22 char v22; // STA4_1 23 void *v23; // x0 24 __int64 v24; // ST90_8 25 void *v25; // x0 26 __int64 v26; // ST78_8 27 id v27; // x0 28 __int64 v28; // x0 29 __int64 v29; // ST58_8 30 void *v30; // x0 31 void *v31; // x0 32 __int64 v32; // x0 33 const __CFString *v33; // x9 34 __int64 v34; // ST48_8 35 void *v35; // x0 36 id v36; // x0 37 struct objc_object *v37; // x0 38 id v38; // x0 39 __int64 v39; // x0 40 __int64 v40; // x8 41 __int64 v41; // ST30_8 42 __int64 v43; // [xsp+D8h] [xbp-68h] 43 struct objc_object *v44; // [xsp+E0h] [xbp-60h] 44 __int64 v45; // [xsp+E8h] [xbp-58h] 45 void *v46; // [xsp+F0h] [xbp-50h] 46 struct objc_object *v47; // [xsp+F8h] [xbp-48h] 47 struct objc_object *v48; // [xsp+100h] [xbp-40h] 48 __int64 v49; // [xsp+108h] [xbp-38h] 49 char v50; // [xsp+117h] [xbp-29h] 50 struct objc_object *v51; // [xsp+118h] [xbp-28h] 51 SEL v52; // [xsp+120h] [xbp-20h] 52 SmAntiFraud *v53; // [xsp+128h] [xbp-18h] 53 54 v53 = self; 55 v52 = a2; 56 v51 = 0LL; 57 objc_storeStrong(&v51, a3); 58 if ( (unsigned __int64)+[SmStrUtils empty:](&OBJC_CLASS___SmStrUtils, "empty:", v51) & 1 ) 59 objc_storeStrong(&v51, &stru_1027FA700); 60 v50 = 0; 61 v49 = 0LL; 62 if ( (unsigned __int64)objc_msgSend(v53->_option, (const char *)&unk_1A7804C37) & 1 ) 63 { 64 v3 = objc_msgSend(v53->_option, (const char *)&unk_192B2C190); 65 v4 = objc_retainAutoreleasedReturnValue(v3); 66 v5 = v4; 67 v6 = objc_msgSend(CFSTR("smsdk"), (const char *)&unk_195EF0B91, v4); 68 v7 = (void *)objc_retainAutoreleasedReturnValue(v6); 69 v8 = -[SmOption privKey](v53->_option, "privKey"); 70 v9 = objc_retainAutoreleasedReturnValue(v8); 71 v10 = v9; 72 v11 = objc_msgSend(v7, (const char *)&unk_195EF0B91, v9); 73 v48 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v11); 74 objc_release(v10); 75 objc_release(v7); 76 objc_release(v5); 77 v12 = ((id (__cdecl *)(SmUtils_meta *, SEL, id))objc_msgSend)( 78 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 79 "md5EncodeStr:", 80 v48); 81 v13 = (void *)objc_retainAutoreleasedReturnValue(v12); 82 v14 = v13; 83 v15 = objc_msgSend(v13, (const char *)&unk_195F390C0); 84 v47 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v15); 85 objc_release(v14); 86 v16 = ((id (__cdecl *)(SmUtils_meta *, SEL, id, id))objc_msgSend)( 87 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 88 "aes256EncryptStr:key:", 89 v51, 90 v47); 91 v17 = objc_retainAutoreleasedReturnValue(v16); 92 v18 = v49; 93 v49 = v17; 94 objc_release(v18); 95 v50 = 1; 96 objc_storeStrong(&v47, 0LL); 97 objc_storeStrong(&v48, 0LL); 98 } 99 else 100 { 101 objc_storeStrong(&v49, v51); 102 } 103 if ( (unsigned __int64)+[SmStrUtils empty:](&OBJC_CLASS___SmStrUtils, "empty:", v49) & 1 ) 104 objc_storeStrong(&v49, &stru_1027FA700); 105 v19 = sub_18DFAAFC4(&OBJC_CLASS___NSMutableDictionary, "alloc"); 106 v46 = objc_msgSend(v19, (const char *)&unk_195EEC7EA, 5LL); 107 objc_msgSend(v46, "setObject:forKey:", v49, CFSTR("fingerprint")); 108 if ( v50 & 1 ) 109 { 110 v20 = -[SmOption privKey](v53->_option, "privKey"); 111 v21 = (void *)objc_retainAutoreleasedReturnValue(v20); 112 v22 = (unsigned __int64)objc_msgSend(v21, (const char *)&unk_195EDE27E, &stru_1027FA700); 113 objc_release(v21); 114 if ( v22 & 1 ) 115 { 116 v23 = objc_msgSend(&OBJC_CLASS___NSNumber, (const char *)&unk_195EE35B1, 4LL); 117 v24 = objc_retainAutoreleasedReturnValue(v23); 118 objc_msgSend(v46, "setObject:forKey:", v24, CFSTR("fpEncode")); 119 objc_release(v24); 120 } 121 else 122 { 123 v25 = objc_msgSend(&OBJC_CLASS___NSNumber, (const char *)&unk_195EE35B1, 6LL); 124 v26 = objc_retainAutoreleasedReturnValue(v25); 125 objc_msgSend(v46, "setObject:forKey:", v26, CFSTR("fpEncode")); 126 objc_release(v26); 127 } 128 } 129 v27 = ((id (__cdecl *)(SmUtils_meta *, SEL))objc_msgSend)((SmUtils_meta *)&OBJC_CLASS___SmUtils, "currentTimeMillis"); 130 v28 = objc_retainAutoreleasedReturnValue(v27); 131 v29 = v28; 132 v30 = objc_msgSend(&OBJC_CLASS___NSString, (const char *)&unk_195EDDC2A, CFSTR("%@"), v28); 133 v45 = objc_retainAutoreleasedReturnValue(v30); 134 objc_release(v29); 135 objc_msgSend(v46, "setObject:forKey:", v45, CFSTR("sessionId")); 136 v31 = objc_msgSend(v53->_option, (const char *)&unk_192B2C190); 137 v32 = objc_retainAutoreleasedReturnValue(v31); 138 v33 = CFSTR("0"); 139 if ( v50 & 1 ) 140 v33 = CFSTR("1"); 141 v34 = v32; 142 v35 = objc_msgSend( 143 &OBJC_CLASS___NSMutableDictionary, 144 (const char *)&unk_195EE678B, 145 v32, 146 CFSTR("organization"), 147 v46, 148 CFSTR("data"), 149 v33, 150 CFSTR("encrypt"), 151 0LL); 152 v44 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v35); 153 objc_release(v34); 154 v36 = ((id (__cdecl *)(SmUtils_meta *, SEL, id))objc_msgSend)( 155 (SmUtils_meta *)&OBJC_CLASS___SmUtils, 156 "jsonEncode:", 157 v44); 158 v37 = (struct objc_object *)objc_retainAutoreleasedReturnValue(v36); 159 v43 = (__int64)v37; 160 v38 = ((id (__cdecl *)(SmStrUtils_meta *, SEL, id))objc_msgSend)( 161 (SmStrUtils_meta *)&OBJC_CLASS___SmStrUtils, 162 "safe:", 163 v37); 164 v39 = objc_retainAutoreleasedReturnValue(v38); 165 v40 = v43; 166 v43 = v39; 167 objc_release(v40); 168 v41 = objc_retain(v43); 169 objc_storeStrong(&v43, 0LL); 170 objc_storeStrong(&v44, 0LL); 171 objc_storeStrong(&v45, 0LL); 172 objc_storeStrong(&v46, 0LL); 173 objc_storeStrong(&v49, 0LL); 174 objc_storeStrong(&v51, 0LL); 175 return (id)objc_autoreleaseReturnValue(v41); 176 }
成功后返回deviceid,最后将值存放在Keychain中FP_IP,下次直接读取使用,如图2所示:
图2
3.发送手机风险信息给服务器
解密写死在app里的的风险名单数据:
{ "code":0, "data":"pITcmNnygx1Ur4MYHadrCIFU+IzwDyA36ry3e8fo71LJgY2o68GGAeBDtDRGuriGM3JLsy4+qDAra8DHJJmlsn/BZGgu+iEo5eFknYAjymoTJqG66DlmpL7D6120NMB50lrYEiFiWkk6x/NPz9N+gPLbFgo3bDsNg7UO3zpIGIYUy/D4k6FpjItjEwLI4Gi21eRUTF2GTci5mEiHG67FcyxMeXTOJdv6WCS393aqWl/m5zv7YfbdIYNYIQPOkZuVUFVaENNPcEhvUiS5Iyw8x46ht2tm6I0U7CgCjLYjqxGCeJ5zWk9lMEvw97D3DBU5YGj8BcgNNc3YhTBaUahRxBtwS+n2jsqmZ2DJ/3rQLzbB56iQEjsFcNWFTdGStxM2Df2e6NoGteve6h3+0mAGrsEr3JhAuea7SiONznXLX6mE5J5xHWS/AhjBWfs5SJ8qi+sZMVt3VqQ20JSUUkMZD9C9i6zbmjFOuopIyXVspDr1y9d6kyveXMT+2RlA70DWwTaWUj1uEgYcHE+63I/nZdluMsZj/tmnxGbmjOfoYgyIA8YoOCT2L5pjs4aRrXAQBy346I6IkVL1WegbqC7IOJfdvBDtaB9JFwgkJoMQOVmTb9qSKi6K2lEptySCTGWuK+m1UJg7tmETf/fDTyjO8Euyft1f5f7ybbrh6yM5aeLCNF/pRYT9LuyiBvCTALLk/VVZHtynRCEaf/D0qi1xC0tlIjvTuHTDoODpaTZkXJy6Gc3S7BzogstgtjGGvbHU0ZJUuT/exRnEu8OEr93MFJyo2XgIwhSgj7re0YYSLEBNS6QH4D6GMkwKFqwpG1nIUtWTyVI1kcoGMfvhhOfxgZ0DDpHJMgacgI5lsJzNRaOhCGzv0VwarOe2jZI6bH/wFnSc8wu+Dlnljuv93E6FjQ6vtFABwQ6ILKksHvDWrtL9OKFLcwtyMl06gM4QF4KrAigLPtb5xACIcO4lYZnkS4e0ovoRxVp5FKICNEQF5AQBLxJAoBAEmFbV0I0BRShP5j9lrS/NhoMB1TrK6KgGfsFl7m6wGfYZXvcgfTibSMFe62mL7xulVZV1VroEawIujJ7koWfNA6MBnSUN6XrYgfDQPslk5Sx/6zhBRQsy8FmBpDzkvDPJxpLXtF5mxhJ8FHgeIVqXnUiNJ4rlWb2lCMG45Espx5C38s9tb+AqUgnOISotpPR7tCL+r57SLGRPXxRH9pLHsiRs7lmJXYqP8zZdFjTJrgu3atSqZpjpkfzM7M/NChBG1kJuFWPNYU3wSgz9BiOs36OLuOjCH0npxujVkXaSkN/Kdc18+cf/thRvkxxry2mYrvbmHJ1xY4OfjGl8w2vHzm3paOwFVtdc+Uomq7ME5+tkP5JnUMILL4pCCGxj0KecIFpU87mraS4xjuwH7vjHIcfN7ZjDZ7rEHDzon8OT5fkMvl9di7hetM1JQwHGSajT+ETkNGYaO+JHjDZNN0PIvvl0VVezc6p4Ch+Q8c1P77nefGurltQobFpFmQR2noUg8IusJF8IVnmIGTSaxVCog+mHjyTw4mGrOcpG9paUlvi6r+qGIh13SW84+PRyNjYu5RUlUimrp26+XAPCx2PSiJ++gnet8vukvFpT+yBj/Ans/uBgrVvxONxnxZuL/wOzJ0rEdwzDCWOt+QDt2tpJSpVKc+jTQ0Zsi+V0AxfmgipoEusD/y0g9hd1T4euAf6uLvKxEUREU8Iz1CwG9xY72sIW+5FvAk2tGtaAPMPiFlub6iV2wYANjzQgcnfXlDvb3Tv7dQ9YyXtIWjt9UTyPBcVep/NIkG6LRZRcceZHE1aWddoeoTRX3GcwZo0czuIJPVEK7Nfn0uqGUXp5CsZvMTm6pCWZhC8JSVDl7hOXjmyJABmjVOBrY3UNX+srtSK/B10SeN/jTvONcC4T8LDSRkciENE68HX5X79EALd9tGQAedW54sJubIE7fI1P3w51SpB894p5L7o6TSDPacUWRCTCdMtVwEa0IiYNbeikGirQPKh1pGxf4i0+icmyw6dQFKzRhei+uPTQI21taPrOzBCRttyLlCw7CqMz32T00MuPZrEZsfXbjPgAGN+ue7OGggTMBmoc3WMtkEHWDBsbBRgnrFeyXD53ylXIMyRLNiJ6FOhj3c0rF6JnmBcYRnA70L20K+qwRsJ3VkJA7afjLvHpUgwY7bR3fie/vViGWbHtgol4p1itqpHpUvqsv7Lb9tARPdYATw0zuWliEmOXmj5zQ+r7DKfpEc/Ao+yyu180B5hd3ZsaN5Rqd6EIhnBfNLvE1gtA0IkJ3E6xmtM8dIeT2pgcDw/qQoGrP/wAvZ2tqsI9A/EFMOTBfcG4vYf5lHw8/59vNHL4dWqmYz0eP41gaKa7aWTZwJXXTwe+VfuS5ckaVS8fa3xSKO32HOkS6jYJEqAQBbr6kugjuRpDtpH2c4KstWbQAnilg96pzpT6qUMvyDWC7qHbzK9UxO53+aK4J+kr9gpL0AkpUjBWpYJ7F0Adp8XmFdA6w+S1uCQ22F892N8QhiHhW+w+DSFXNoDqNcXnAtmWzXbP2PvfKVhSwQ8mbmDq4xomqRskP+6e4xK1mOIiJYJoIR7CkBhxQbglr03zRnHF4WvEUMPOuTBcXIBUiWAPVvCAMhZ/1NUJk9B6KPlJYTYWCcgHwF70m9/PIenGvnXTFa6gbwEvrUNEhku221NBsCT1sHH6fKec", "enc":1, "length":2038, "ver":1 }
解密函数:
1 __text:0000000101D60C04 2 __text:0000000101D60C04 ; id __cdecl -[SmCloudConfiguration parseConf:WithLength:WithEnc:WithVer:](SmCloudConfiguration *self, SEL, id, int, int, int) 3 __text:0000000101D60C04 __SmCloudConfiguration_parseConf_WithLength_WithEnc_WithVer__ 4 __text:0000000101D60C04 5 __text:0000000101D60C04 6 __text:0000000101D60C04 var_90= -0x90 7 __text:0000000101D60C04 var_88= -0x88 8 __text:0000000101D60C04 var_80= -0x80 9 __text:0000000101D60C04 var_78= -0x78 10 __text:0000000101D60C04 var_6C= -0x6C 11 __text:0000000101D60C04 var_68= -0x68 12 __text:0000000101D60C04 var_64= -0x64 13 __text:0000000101D60C04 var_60= -0x60 14 __text:0000000101D60C04 var_58= -0x58 15 __text:0000000101D60C04 var_50= -0x50 16 __text:0000000101D60C04 var_48= -0x48 17 __text:0000000101D60C04 var_3C= -0x3C 18 __text:0000000101D60C04 var_38= -0x38 19 __text:0000000101D60C04 var_2C= -0x2C 20 __text:0000000101D60C04 var_28= -0x28 21 __text:0000000101D60C04 var_24= -0x24 22 __text:0000000101D60C04 var_20= -0x20 23 __text:0000000101D60C04 var_18= -0x18 24 __text:0000000101D60C04 var_10= -0x10 25 __text:0000000101D60C04 var_8= -8 26 __text:0000000101D60C04 var_s0= 0 27 __text:0000000101D60C04 28 __text:0000000101D60C04 FF 83 02 D1 SUB SP, SP, #0xA0 29 __text:0000000101D60C08 FD 7B 09 A9 STP X29, X30, [SP,#0x90+var_s0] 30 __text:0000000101D60C0C FD 43 02 91 ADD X29, SP, #0x90 31 __text:0000000101D60C10 A8 83 00 D1 SUB X8, X29, #-var_20 32 __text:0000000101D60C14 09 00 80 D2 MOV X9, #0 33 __text:0000000101D60C18 A0 03 1F F8 STUR X0, [X29,#var_10] 34 __text:0000000101D60C1C A1 83 1E F8 STUR X1, [X29,#var_18] 35 __text:0000000101D60C20 A9 03 1E F8 STUR X9, [X29,#var_20] 36 __text:0000000101D60C24 E0 03 08 AA MOV X0, X8 37 __text:0000000101D60C28 E1 03 02 AA MOV X1, X2 38 __text:0000000101D60C2C E4 2F 00 B9 STR W4, [SP,#0x90+var_64] 39 __text:0000000101D60C30 E3 2B 00 B9 STR W3, [SP,#0x90+var_68] 40 __text:0000000101D60C34 E5 27 00 B9 STR W5, [SP,#0x90+var_6C] 41 __text:0000000101D60C38 3B D1 11 94 BL _objc_storeStrong 42 __text:0000000101D60C3C 68 85 00 D0 ADRP X8, #selRef_base64DecodeStr_@PAGE 43 __text:0000000101D60C40 08 41 1E 91 ADD X8, X8, #selRef_base64DecodeStr_@PAGEOFF 44 __text:0000000101D60C44 09 86 00 90 ADRP X9, #classRef_SmUtils@PAGE 45 __text:0000000101D60C48 29 21 1C 91 ADD X9, X9, #classRef_SmUtils@PAGEOFF 46 __text:0000000101D60C4C E3 2B 40 B9 LDR W3, [SP,#0x90+var_68] 47 __text:0000000101D60C50 A3 C3 1D B8 STUR W3, [X29,#var_24] 48 __text:0000000101D60C54 E4 2F 40 B9 LDR W4, [SP,#0x90+var_64] 49 __text:0000000101D60C58 A4 83 1D B8 STUR W4, [X29,#var_28] 50 __text:0000000101D60C5C E5 27 40 B9 LDR W5, [SP,#0x90+var_6C] 51 __text:0000000101D60C60 A5 43 1D B8 STUR W5, [X29,#var_2C] 52 __text:0000000101D60C64 29 01 40 F9 LDR X9, [X9] 53 __text:0000000101D60C68 A2 03 5E F8 LDUR X2, [X29,#var_20] 54 __text:0000000101D60C6C 01 01 40 F9 LDR X1, [X8] ; "base64DecodeStr:" 55 __text:0000000101D60C70 E0 03 09 AA MOV X0, X9 ; void * 56 __text:0000000101D60C74 F9 D0 11 94 BL _objc_msgSend ; base64解密 57 __text:0000000101D60C78 FD 03 1D AA MOV X29, X29 58 __text:0000000101D60C7C 12 D1 11 94 BL _objc_retainAutoreleasedReturnValue 59 __text:0000000101D60C80 A0 83 1C F8 STUR X0, [X29,#var_38] 60 __text:0000000101D60C84 A8 83 5C F8 LDUR X8, [X29,#var_38] 61 __text:0000000101D60C88 C8 00 00 B5 CBNZ X8, loc_101D60CA0 62 __text:0000000101D60C8C E8 03 00 32 MOV W8, #1 63 __text:0000000101D60C90 09 00 80 D2 MOV X9, #0 64 __text:0000000101D60C94 A9 83 1F F8 STUR X9, [X29,#var_8] 65 __text:0000000101D60C98 A8 43 1C B8 STUR W8, [X29,#var_3C] 66 __text:0000000101D60C9C B5 00 00 14 B loc_101D60F70 67 __text:0000000101D60CA0 68 __text:0000000101D60CA0 69 __text:0000000101D60CA0 loc_101D60CA0 70 __text:0000000101D60CA0 08 00 80 D2 MOV X8, #0 71 __text:0000000101D60CA4 E8 27 00 F9 STR X8, [SP,#0x90+var_48] 72 __text:0000000101D60CA8 E8 23 00 F9 STR X8, [SP,#0x90+var_50] 73 __text:0000000101D60CAC A9 83 5D B8 LDUR W9, [X29,#var_28] 74 __text:0000000101D60CB0 3F 05 00 71 CMP W9, #1 75 __text:0000000101D60CB4 81 0B 00 54 B.NE loc_101D60E24 76 __text:0000000101D60CB8 68 85 00 D0 ADRP X8, #selRef_desDecodeDataToData_key_length_@PAGE 77 __text:0000000101D60CBC 08 E1 1E 91 ADD X8, X8, #selRef_desDecodeDataToData_key_length_@PAGEOFF 78 __text:0000000101D60CC0 E9 53 00 B0 ADRP X9, #off_1027DD1F0@PAGE 79 __text:0000000101D60CC4 29 C1 07 91 ADD X9, X9, #off_1027DD1F0@PAGEOFF 80 __text:0000000101D60CC8 0A 86 00 90 ADRP X10, #classRef_SmUtils@PAGE 81 __text:0000000101D60CCC 4A 21 1C 91 ADD X10, X10, #classRef_SmUtils@PAGEOFF 82 __text:0000000101D60CD0 4A 01 40 F9 LDR X10, [X10] 83 __text:0000000101D60CD4 A2 83 5C F8 LDUR X2, [X29,#var_38] 84 __text:0000000101D60CD8 23 01 40 F9 LDR X3, [X9] ; "zaq1mko0" 85 __text:0000000101D60CDC A4 C3 9D B8 LDURSW X4, [X29,#var_24] 86 __text:0000000101D60CE0 01 01 40 F9 LDR X1, [X8] ; "desDecodeDataToData:key:length:" 87 __text:0000000101D60CE4 E0 03 0A AA MOV X0, X10 ; void * 88 __text:0000000101D60CE8 DC D0 11 94 BL _objc_msgSend ; +[SmUtils desDecodeDataToData:key:length:] 89 __text:0000000101D60CEC FD 03 1D AA MOV X29, X29 90 __text:0000000101D60CF0 F5 D0 11 94 BL _objc_retainAutoreleasedReturnValue 91 __text:0000000101D60CF4 E0 1F 00 F9 STR X0, [SP,#0x90+var_58] 92 __text:0000000101D60CF8 E8 1F 40 F9 LDR X8, [SP,#0x90+var_58] 93 __text:0000000101D60CFC C8 00 00 B5 CBNZ X8, loc_101D60D14 94 __text:0000000101D60D00 E8 03 00 32 MOV W8, #1 95 __text:0000000101D60D04 09 00 80 D2 MOV X9, #0 96 __text:0000000101D60D08 A9 83 1F F8 STUR X9, [X29,#var_8] 97 __text:0000000101D60D0C A8 43 1C B8 STUR W8, [X29,#var_3C] 98 __text:0000000101D60D10 3E 00 00 14 B loc_101D60E08 99 __text:0000000101D60D14 100 __text:0000000101D60D14 101 __text:0000000101D60D14 loc_101D60D14 102 __text:0000000101D60D14 08 86 00 90 ADRP X8, #classRef_SmZipUtil@PAGE 103 __text:0000000101D60D18 08 C1 1C 91 ADD X8, X8, #classRef_SmZipUtil@PAGEOFF 104 __text:0000000101D60D1C 08 01 40 F9 LDR X8, [X8] 105 __text:0000000101D60D20 E9 1F 40 F9 LDR X9, [SP,#0x90+var_58] 106 __text:0000000101D60D24 E0 03 09 AA MOV X0, X9 107 __text:0000000101D60D28 E8 0F 00 F9 STR X8, [SP,#0x90+var_78] 108 __text:0000000101D60D2C E0 D0 11 94 BL _objc_retainAutorelease 109 __text:0000000101D60D30 48 83 00 B0 ADRP X8, #selRef_bytes@PAGE 110 __text:0000000101D60D34 08 A1 3B 91 ADD X8, X8, #selRef_bytes@PAGEOFF 111 __text:0000000101D60D38 01 01 40 F9 LDR X1, [X8] ; "bytes" 112 __text:0000000101D60D3C C7 D0 11 94 BL _objc_msgSend 113 __text:0000000101D60D40 28 83 00 F0 ADRP X8, #selRef_length@PAGE 114 __text:0000000101D60D44 08 61 2B 91 ADD X8, X8, #selRef_length@PAGEOFF 115 __text:0000000101D60D48 E9 1F 40 F9 LDR X9, [SP,#0x90+var_58] 116 __text:0000000101D60D4C 01 01 40 F9 LDR X1, [X8] ; "length" 117 __text:0000000101D60D50 E0 0B 00 F9 STR X0, [SP,#0x90+var_80] 118 __text:0000000101D60D54 E0 03 09 AA MOV X0, X9 ; void * 119 __text:0000000101D60D58 C0 D0 11 94 BL _objc_msgSend 120 __text:0000000101D60D5C 68 85 00 D0 ADRP X8, #selRef_zlibDecompressed_WithLength_@PAGE 121 __text:0000000101D60D60 08 A1 1F 91 ADD X8, X8, #selRef_zlibDecompressed_WithLength_@PAGEOFF 122 __text:0000000101D60D64 01 01 40 F9 LDR X1, [X8] ; "zlibDecompressed:WithLength:" 123 __text:0000000101D60D68 E8 0F 40 F9 LDR X8, [SP,#0x90+var_78] 124 __text:0000000101D60D6C E0 07 00 F9 STR X0, [SP,#0x90+var_88] 125 __text:0000000101D60D70 E0 03 08 AA MOV X0, X8 ; void * 126 __text:0000000101D60D74 E2 0B 40 F9 LDR X2, [SP,#0x90+var_80] 127 __text:0000000101D60D78 E3 07 40 F9 LDR X3, [SP,#0x90+var_88] 128 __text:0000000101D60D7C B7 D0 11 94 BL _objc_msgSend ; 解压 129 __text:0000000101D60D80 FD 03 1D AA MOV X29, X29 130 __text:0000000101D60D84 D0 D0 11 94 BL _objc_retainAutoreleasedReturnValue 131 __text:0000000101D60D88 E0 1B 00 F9 STR X0, [SP,#0x90+var_60] 132 __text:0000000101D60D8C E8 1B 40 F9 LDR X8, [SP,#0x90+var_60] 133 __text:0000000101D60D90 C8 00 00 B5 CBNZ X8, loc_101D60DA8 134 __text:0000000101D60D94 E8 03 00 32 MOV W8, #1 135 __text:0000000101D60D98 09 00 80 D2 MOV X9, #0 136 __text:0000000101D60D9C A9 83 1F F8 STUR X9, [X29,#var_8] 137 __text:0000000101D60DA0 A8 43 1C B8 STUR W8, [X29,#var_3C] 138 __text:0000000101D60DA4 14 00 00 14 B loc_101D60DF4 139 __text:0000000101D60DA8 140 __text:0000000101D60DA8 141 __text:0000000101D60DA8 loc_101D60DA8 142 __text:0000000101D60DA8 28 83 00 F0 ADRP X8, #selRef_alloc@PAGE 143 __text:0000000101D60DAC 08 21 19 91 ADD X8, X8, #selRef_alloc@PAGEOFF 144 __text:0000000101D60DB0 C9 85 00 B0 ADRP X9, #classRef_NSString@PAGE 145 __text:0000000101D60DB4 29 01 28 91 ADD X9, X9, #classRef_NSString@PAGEOFF 146 __text:0000000101D60DB8 29 01 40 F9 LDR X9, [X9] 147 __text:0000000101D60DBC 01 01 40 F9 LDR X1, [X8] ; "alloc" 148 __text:0000000101D60DC0 E0 03 09 AA MOV X0, X9 ; void * 149 __text:0000000101D60DC4 A5 D0 11 94 BL _objc_msgSend 150 __text:0000000101D60DC8 E3 03 7E B2 MOV X3, #4 151 __text:0000000101D60DCC 48 83 00 B0 ADRP X8, #selRef_initWithData_encoding_@PAGE 152 __text:0000000101D60DD0 08 41 2E 91 ADD X8, X8, #selRef_initWithData_encoding_@PAGEOFF 153 __text:0000000101D60DD4 E2 1B 40 F9 LDR X2, [SP,#0x90+var_60] 154 __text:0000000101D60DD8 01 01 40 F9 LDR X1, [X8] ; "initWithData:encoding:" 155 __text:0000000101D60DDC 9F D0 11 94 BL _objc_msgSend 156 __text:0000000101D60DE0 E8 27 40 F9 LDR X8, [SP,#0x90+var_48] 157 __text:0000000101D60DE4 E0 27 00 F9 STR X0, [SP,#0x90+var_48] 158 __text:0000000101D60DE8 E0 03 08 AA MOV X0, X8 159 __text:0000000101D60DEC A7 D0 11 94 BL _objc_release 160 __text:0000000101D60DF0 BF 43 1C B8 STUR WZR, [X29,#var_3C] 161 __text:0000000101D60DF4 162 __text:0000000101D60DF4 loc_101D60DF4 163 __text:0000000101D60DF4 08 00 80 D2 MOV X8, #0 164 __text:0000000101D60DF8 E9 C3 00 91 ADD X9, SP, #0x90+var_60 165 __text:0000000101D60DFC E0 03 09 AA MOV X0, X9 166 __text:0000000101D60E00 E1 03 08 AA MOV X1, X8 167 __text:0000000101D60E04 C8 D0 11 94 BL _objc_storeStrong 168 __text:0000000101D60E08 169 __text:0000000101D60E08 loc_101D60E08 170 __text:0000000101D60E08 E0 E3 00 91 ADD X0, SP, #0x90+var_58 171 __text:0000000101D60E0C 01 00 80 D2 MOV X1, #0 172 __text:0000000101D60E10 C5 D0 11 94 BL _objc_storeStrong 173 __text:0000000101D60E14 A8 43 5C B8 LDUR W8, [X29,#var_3C] 174 __text:0000000101D60E18 88 09 00 35 CBNZ W8, loc_101D60F48 175 __text:0000000101D60E1C 01 00 00 14 B loc_101D60E20 176 __text:0000000101D60E20 177 __text:0000000101D60E20 178 __text:0000000101D60E20 loc_101D60E20 179 __text:0000000101D60E20 14 00 00 14 B loc_101D60E70 180 __text:0000000101D60E24 181 __text:0000000101D60E24 182 __text:0000000101D60E24 loc_101D60E24 183 __text:0000000101D60E24 68 85 00 D0 ADRP X8, #selRef_desDecodeDataToStr_key_length_@PAGE 184 __text:0000000101D60E28 08 C1 1F 91 ADD X8, X8, #selRef_desDecodeDataToStr_key_length_@PAGEOFF 185 __text:0000000101D60E2C E9 53 00 B0 ADRP X9, #off_1027DD1F0@PAGE 186 __text:0000000101D60E30 29 C1 07 91 ADD X9, X9, #off_1027DD1F0@PAGEOFF 187 __text:0000000101D60E34 0A 86 00 90 ADRP X10, #classRef_SmUtils@PAGE 188 __text:0000000101D60E38 4A 21 1C 91 ADD X10, X10, #classRef_SmUtils@PAGEOFF 189 __text:0000000101D60E3C 4A 01 40 F9 LDR X10, [X10] 190 __text:0000000101D60E40 A2 83 5C F8 LDUR X2, [X29,#var_38] 191 __text:0000000101D60E44 23 01 40 F9 LDR X3, [X9] ; "zaq1mko0" 192 __text:0000000101D60E48 A4 C3 9D B8 LDURSW X4, [X29,#var_24] 193 __text:0000000101D60E4C 01 01 40 F9 LDR X1, [X8] ; "desDecodeDataToStr:key:length:" 194 __text:0000000101D60E50 E0 03 0A AA MOV X0, X10 ; void * 195 __text:0000000101D60E54 81 D0 11 94 BL _objc_msgSend ; des解密 196 __text:0000000101D60E58 FD 03 1D AA MOV X29, X29 197 __text:0000000101D60E5C 9A D0 11 94 BL _objc_retainAutoreleasedReturnValue 198 __text:0000000101D60E60 E8 27 40 F9 LDR X8, [SP,#0x90+var_48] 199 __text:0000000101D60E64 E0 27 00 F9 STR X0, [SP,#0x90+var_48] 200 __text:0000000101D60E68 E0 03 08 AA MOV X0, X8 201 __text:0000000101D60E6C 87 D0 11 94 BL _objc_release 202 __text:0000000101D60E70 203 __text:0000000101D60E70 loc_101D60E70 204 __text:0000000101D60E70 E8 27 40 F9 LDR X8, [SP,#0x90+var_48] 205 __text:0000000101D60E74 C8 00 00 B5 CBNZ X8, loc_101D60E8C 206 __text:0000000101D60E78 E8 03 00 32 MOV W8, #1 207 __text:0000000101D60E7C 09 00 80 D2 MOV X9, #0 208 __text:0000000101D60E80 A9 83 1F F8 STUR X9, [X29,#var_8] 209 __text:0000000101D60E84 A8 43 1C B8 STUR W8, [X29,#var_3C] 210 __text:0000000101D60E88 30 00 00 14 B loc_101D60F48 211 __text:0000000101D60E8C 212 __text:0000000101D60E8C 213 __text:0000000101D60E8C loc_101D60E8C 214 __text:0000000101D60E8C A8 43 5D B8 LDUR W8, [X29,#var_2C] 215 __text:0000000101D60E90 1F 05 00 71 CMP W8, #1 216 __text:0000000101D60E94 21 02 00 54 B.NE loc_101D60ED8 217 __text:0000000101D60E98 68 85 00 D0 ADRP X8, #selRef_parse1_@PAGE 218 __text:0000000101D60E9C 08 E1 1F 91 ADD X8, X8, #selRef_parse1_@PAGEOFF 219 __text:0000000101D60EA0 09 86 00 90 ADRP X9, #classRef_SmCollectConfiguration@PAGE 220 __text:0000000101D60EA4 29 A1 1D 91 ADD X9, X9, #classRef_SmCollectConfiguration@PAGEOFF 221 __text:0000000101D60EA8 29 01 40 F9 LDR X9, [X9] 222 __text:0000000101D60EAC E2 27 40 F9 LDR X2, [SP,#0x90+var_48] 223 __text:0000000101D60EB0 01 01 40 F9 LDR X1, [X8] ; "parse1:" 224 __text:0000000101D60EB4 E0 03 09 AA MOV X0, X9 ; void * 225 __text:0000000101D60EB8 68 D0 11 94 BL _objc_msgSend ; +[SmCollectConfiguration parse1:] 226 __text:0000000101D60EBC FD 03 1D AA MOV X29, X29 227 __text:0000000101D60EC0 81 D0 11 94 BL _objc_retainAutoreleasedReturnValue 228 __text:0000000101D60EC4 E8 23 40 F9 LDR X8, [SP,#0x90+var_50] 229 __text:0000000101D60EC8 E0 23 00 F9 STR X0, [SP,#0x90+var_50] 230 __text:0000000101D60ECC E0 03 08 AA MOV X0, X8 231 __text:0000000101D60ED0 6E D0 11 94 BL _objc_release 232 __text:0000000101D60ED4 10 00 00 14 B loc_101D60F14 233 __text:0000000101D60ED8 234 __text:0000000101D60ED8 235 __text:0000000101D60ED8 loc_101D60ED8 236 __text:0000000101D60ED8 68 85 00 D0 ADRP X8, #selRef_parse0_@PAGE 237 __text:0000000101D60EDC 08 01 20 91 ADD X8, X8, #selRef_parse0_@PAGEOFF 238 __text:0000000101D60EE0 09 86 00 90 ADRP X9, #classRef_SmCollectConfiguration@PAGE 239 __text:0000000101D60EE4 29 A1 1D 91 ADD X9, X9, #classRef_SmCollectConfiguration@PAGEOFF 240 __text:0000000101D60EE8 29 01 40 F9 LDR X9, [X9] 241 __text:0000000101D60EEC E2 27 40 F9 LDR X2, [SP,#0x90+var_48] 242 __text:0000000101D60EF0 01 01 40 F9 LDR X1, [X8] ; "parse0:" 243 __text:0000000101D60EF4 E0 03 09 AA MOV X0, X9 ; void * 244 __text:0000000101D60EF8 58 D0 11 94 BL _objc_msgSend ; +[SmCollectConfiguration parse0:] 245 __text:0000000101D60EFC FD 03 1D AA MOV X29, X29 246 __text:0000000101D60F00 71 D0 11 94 BL _objc_retainAutoreleasedReturnValue 247 __text:0000000101D60F04 E8 23 40 F9 LDR X8, [SP,#0x90+var_50] 248 __text:0000000101D60F08 E0 23 00 F9 STR X0, [SP,#0x90+var_50] 249 __text:0000000101D60F0C E0 03 08 AA MOV X0, X8 250 __text:0000000101D60F10 5E D0 11 94 BL _objc_release 251 __text:0000000101D60F14 252 __text:0000000101D60F14 loc_101D60F14 253 __text:0000000101D60F14 E8 23 40 F9 LDR X8, [SP,#0x90+var_50] 254 __text:0000000101D60F18 C8 00 00 B5 CBNZ X8, loc_101D60F30 255 __text:0000000101D60F1C E8 03 00 32 MOV W8, #1 256 __text:0000000101D60F20 09 00 80 D2 MOV X9, #0 257 __text:0000000101D60F24 A9 83 1F F8 STUR X9, [X29,#var_8] 258 __text:0000000101D60F28 A8 43 1C B8 STUR W8, [X29,#var_3C] 259 __text:0000000101D60F2C 07 00 00 14 B loc_101D60F48 260 __text:0000000101D60F30 261 __text:0000000101D60F30 262 __text:0000000101D60F30 loc_101D60F30 263 __text:0000000101D60F30 E8 23 40 F9 LDR X8, [SP,#0x90+var_50] 264 __text:0000000101D60F34 E0 03 08 AA MOV X0, X8 265 __text:0000000101D60F38 5A D0 11 94 BL _objc_retain 266 __text:0000000101D60F3C E9 03 00 32 MOV W9, #1 267 __text:0000000101D60F40 A0 83 1F F8 STUR X0, [X29,#var_8] 268 __text:0000000101D60F44 A9 43 1C B8 STUR W9, [X29,#var_3C] 269 __text:0000000101D60F48 270 __text:0000000101D60F48 loc_101D60F48 271 __text:0000000101D60F48 272 __text:0000000101D60F48 08 00 80 D2 MOV X8, #0 273 __text:0000000101D60F4C E9 03 01 91 ADD X9, SP, #0x90+var_50 274 __text:0000000101D60F50 E0 03 09 AA MOV X0, X9 275 __text:0000000101D60F54 E1 03 08 AA MOV X1, X8 276 __text:0000000101D60F58 73 D0 11 94 BL _objc_storeStrong 277 __text:0000000101D60F5C 08 00 80 D2 MOV X8, #0 278 __text:0000000101D60F60 E9 23 01 91 ADD X9, SP, #0x90+var_48 279 __text:0000000101D60F64 E0 03 09 AA MOV X0, X9 280 __text:0000000101D60F68 E1 03 08 AA MOV X1, X8 281 __text:0000000101D60F6C 6E D0 11 94 BL _objc_storeStrong 282 __text:0000000101D60F70 283 __text:0000000101D60F70 loc_101D60F70 284 __text:0000000101D60F70 A0 E3 00 D1 SUB X0, X29, #-var_38 285 __text:0000000101D60F74 01 00 80 D2 MOV X1, #0 286 __text:0000000101D60F78 E1 03 00 F9 STR X1, [SP,#0x90+var_90] 287 __text:0000000101D60F7C 6A D0 11 94 BL _objc_storeStrong 288 __text:0000000101D60F80 A0 83 00 D1 SUB X0, X29, #-var_20 289 __text:0000000101D60F84 E1 03 40 F9 LDR X1, [SP,#0x90+var_90] 290 __text:0000000101D60F88 67 D0 11 94 BL _objc_storeStrong 291 __text:0000000101D60F8C A0 83 5F F8 LDUR X0, [X29,#var_8] 292 __text:0000000101D60F90 FD 7B 49 A9 LDP X29, X30, [SP,#0x90+var_s0] 293 __text:0000000101D60F94 FF 83 02 91 ADD SP, SP, #0xA0 294 __text:0000000101D60F98 E2 CF 11 14 B _objc_autoreleaseReturnValue
解密后风险名单数据:
{ "risk_apps":[ { "awz":{ "pn":"/Applications/AWZ.app", "uri":"IGG://" } }, { "nzt":{ "pn":"/Applications/NZT.app", "uri":"" } }, { "igvx":{ "pn":"/Applications/igvx.app", "uri":"" } }, { "touchelf":{ "pn":"/Applications/TouchElf.app", "uri":"" } }, { "touchsprite":{ "pn":"/Applications/TouchSprite.app", "uri":"" } }, { "wujivpn":{ "pn":"/Applications/WujiVPN.app", "uri":"" } }, { "rst":{ "pn":"/Applications/RST.app", "uri":"" } }, { "forge9":{ "pn":"/Applications/Forge9.app", "uri":"" } }, { "forge":{ "pn":"/Applications/Forge.app", "uri":"" } }, { "gfaker":{ "pn":"/Applications/GFaker.app", "uri":"" } }, { "hdfaker":{ "pn":"/Applications/hdfakerset.app", "uri":"" } }, { "r8":{ "pn":"/Applications/R8.app", "uri":"" } }, { "pranava":{ "pn":"/Applications/Pranava.app", "uri":"" } }, { "ig":{ "pn":"/Applications/iG.app", "uri":"" } }, { "hiddenapi":{ "pn":"/Applications/HiddenApi.app", "uri":"" } }, { "xgsab":{ "pn":"/Applications/Xgen.app", "uri":"" } }, { "birdfaker9":{ "pn":"/Applications/BirdFaker9.app", "uri":"" } }, { "vpnmaster":{ "pn":"/Applications/VPNMasterPro.app", "uri":"" } }, { "guizmovpn":{ "pn":"/Applications/GuizmOVPN.app", "uri":"" } }, { "axj":{ "pn":"/Applications/AXJ.app", "uri":"" } } ], "risk_dirs":[ { "vts":{ "dir":"/var/touchelf/scripts/", "type":"absolute" } }, { "vmmtl":{ "dir":"/var/mobile/Media/TouchSprite/lua/", "type":"absolute" } }, { "vmlxlltp":{ "dir":"/var/mobile/Library/XXAssistant/Lua/Luas/Temp/public", "type":"absolute" } }, { "laxlltp":{ "dir":"/Library/ApplicationSupport/XXAssistant/Lua/Luas/Temp/public", "type":"absolute" } }, { "vmlxx":{ "dir":"/var/mobile/Library/XXIDEHelper/xsp/", "type":"absolute" } }, { "laxx":{ "dir":"/Library/ApplicationSupport/XXIDEHelper/xsp/", "type":"absolute" } }, { "vmlxll":{ "dir":"/var/mobile/Library/XXAssistant/Lua/LocalLuas/", "type":"absolute" } }, { "laxll":{ "dir":"/Library/ApplicationSupport/XXAssistant/Lua/LocalLuas/", "type":"absolute" } }, { "vri":{ "dir":"/var/root/igfix", "type":"absolute" } }, { "vrigf":{ "dir":"/var/root/igflag", "type":"absolute" } }, { "vrr8f":{ "dir":"/var/root/R8_fix", "type":"absolute" } }, { "vrif":{ "dir":"/var/root/igvx_fix", "type":"absolute" } }, { "vrifg":{ "dir":"/var/root/igvx_flag", "type":"absolute" } }, { "vrf9":{ "dir":"/var/root/Forge9_fix", "type":"absolute" } }, { "ubi":{ "dir":"/usr/bin/iGevo", "type":"absolute" } }, { "ubxd":{ "dir":"/usr/bin/XGenDaemon.dylib", "type":"absolute" } }, { "vmgfaker":{ "dir":"/var/mobile/GFaker", "type":"absolute" } }, { "vmnztdata":{ "dir":"/var/mobile/nztdata", "type":"absolute" } }, { "vmawzdata":{ "dir":"/var/mobile/awzdata", "type":"absolute" } }, { "vmigrimace":{ "dir":"/var/mobile/iGrimace", "type":"absolute" } }, { "vmhdfaker":{ "dir":"/var/mobile/hdFaker", "type":"absolute" } }, { "vmnztresult":{ "dir":"/var/mobile/NZTResult.plist", "type":"absolute" } } ], "s_c":"bLnUc67riNTBZs/F9Z58sowAzvjIWq3lEqCWV+kZE9ORfHoNLsD1z/CKJZYFvRvID/eSiW1XPNZ+R2WcD3WsTf2LTJ5IllJvCaX6gUnAebHd2bAPZz6gFECVcM9EYT5fwMsAy3RG7PUMJwo7nyoIOyXKTrg4lHgKFe/RtiNqnAEbHSnjlx4Fpn9fzXD9NTnW4zvoRfkZgVvo7eIgAw7Sp2Su9XSj2HJPezJxVwjPGRWDAMRqSlykWO+Mb6VgfRgZBsCQUeqTU2DhVhg7ausocizPiVd2U1I/Yb3g4GxdlKo+SXqD5wSNg2VNqVGXjB3IBdRYlH65NWRgTcxTOEunXv2LTJ5IllJvCaX6gUnAebHd2bAPZz6gFECVcM9EYT5fHlwIsYb13H9UKt5SoOc8sTt7GtdUmZdUnawqUeFoQsrtF0POX5AWjYWNgOnuzGcVMMPh/5mMW9AO1UvM0XBCDF31F3ziPHR9nW+CUlOssYy4Ang/J6YqMFcI0IxIGzd1G0VhdfSiud0S5Pmj2+3R95ImS25CHi0LV8Zslgk79YUGwJBR6pNTYOFWGDtq6yhy4clnOHjcURYwoxp23sGpQeDHKqgSy0CiHdv204icglpBUsM95aHS6V85kTXYb1zkRku6tYjoT1Bo5s7K3JFcy4oaMqtTHXTRDp0Y8Es2BJLt1YX3BnhJLnTQj8vv5CevRneJJX4FzG3RJidPWfn1/Txw2Q7Zb8gzzM5CrLhZIngTzBC+9wvFTfGcxJd8Z14qbsvX4Yvatdcj9bCiGHrw0zBTDEaFK9blFJkAlq2/Dd7cWtrVhhuMJF1Ynr9XmEXzyD36OhTfYYKWOFDR0rxDfxPMEL73C8VN8ZzEl3xnXipuy9fhi9q11yP1sKIYevDTAKO1N0krFE/231fwl/uHAtcC/TtDI1SNLf8lneZxG8pdasHXdTkhVwJZ0LoFxeBEf0K6rYpQPmnmX20sG2eKmtdModba+e6rc1qfJ0HaHmKTeHjxGlHtzUhztLSGwBpjEQxrlHZIF14pp6UCsTc7ZTqylHCKkZLIJeibrIjYKnOfUtJj6cbgWCG6V9P/2Qe1U6SkHYCy6B1PU3v9XKxexIsV1IT1w+4k3Q7hpkJNTCC9zcar9P2zJCjle5vomk+EuPOvtIcXw70zqhWoV8x61FA2/p+Z+854rgTPYpYnjsu8xYFA5GF6uknGOWA7IX4tjLRArkVbjXm2oTf34WCG6EAg1JKjbZzcMbSNLCp6IuK9YdGRlBAXcYXEYWOusfcfzmd4gFBS7ypRuQwVA4zKJATn3yMraOdkCoouBrB97ac4XZL33ZMwyHUp2yHTWM7WbiB0HqRjCWlme5ARA9YOPjnf5DT6RZIgUkJiyoewP22eDd9tFrRFijkxbNUmCMBATldTPSDi6XwTc+W7J4Xbhe5w+SttjMQdcxVC9NBSjC1cB16A3sMIoCWka9parUzz3A+UfKMyd20a0Zt+2RNtWmE//KRnmkpzYE/qB/ygeccB+ZcUltVmyBdZ56aWfaSBupq4leFfimfYbY5MuobTBLUCMYV80VPQgVgeowUln38otvlPIydmEafHSy7BeMPC+0wrYEr/EWLs3aDAdAeOy3qQQHytdtwl9kVMA8JE4GsFD07Dm4POHLUV6lQuciq2WTU90/QyuLDTyRgFJmJb7LSQwmM0UoMwkSj11S6LDGno9qwJC4ZBuUvrrdFOxMYLEmu4GLFqGrut04AeqVZXQIohWXpke0aqsLYxCYFSedfAm9rDmKsrXrQnDEuGPACs", "sensitive.bssid":true, "sensitive.gps":false, "sensitive.name":true, "sensitive.ssid":true }
解析风险文件 并获取相关的值:
1 id __cdecl +[SmCollectConfiguration parse1:](SmCollectConfiguration_meta *self, SEL a2, id a3) 2 { 3 void *v3; // x0 4 struct objc_object *v4; // x0 5 void *v5; // x0 6 void *v6; // x0 7 void *v7; // x0 8 __int64 v8; // ST120_8 9 void *v9; // x0 10 void *v10; // x0 11 void *v11; // ST100_8 12 void *v12; // x0 13 __int64 v13; // STF8_8 14 void *v14; // STF0_8 15 void *v15; // x0 16 __int64 v16; // STE8_8 17 void *v17; // x0 18 void *v18; // x0 19 void *v19; // STC8_8 20 void *v20; // x0 21 __int64 v21; // STC0_8 22 void *v22; // x0 23 void *v23; // x0 24 void *v24; // STA0_8 25 char v25; // w0 26 void *v26; // x0 27 void *v27; // x0 28 void *v28; // ST78_8 29 void *v29; // x0 30 void *v30; // x0 31 void *v31; // x0 32 void *v32; // ST50_8 33 void *v33; // x0 34 void *v34; // x0 35 void *v35; // x0 36 void *v36; // ST28_8 37 void *v37; // x0 38 __int64 v38; // ST20_8 39 void *v39; // ST18_8 40 struct objc_object *v40; // x0 41 __int64 v41; // ST10_8 42 void *v43; // [xsp+140h] [xbp-80h] 43 void *v44; // [xsp+148h] [xbp-78h] 44 void *v45; // [xsp+150h] [xbp-70h] 45 void *v46; // [xsp+158h] [xbp-68h] 46 void *s_c; // [xsp+160h] [xbp-60h] 47 void *risk_dirs; // [xsp+168h] [xbp-58h] 48 void *risk_apps; // [xsp+170h] [xbp-50h] 49 int v50; // [xsp+17Ch] [xbp-44h] 50 void *jsonDecode; // [xsp+180h] [xbp-40h] 51 void *v52; // [xsp+188h] [xbp-38h] 52 __int64 v53; // [xsp+190h] [xbp-30h] 53 SEL v54; // [xsp+198h] [xbp-28h] 54 SmCollectConfiguration_meta *v55; // [xsp+1A0h] [xbp-20h] 55 __int64 v56; // [xsp+1A8h] [xbp-18h] 56 57 v55 = self; 58 v54 = a2; 59 v53 = 0LL; 60 objc_storeStrong(&v53, a3); 61 v3 = objc_msgSend(&OBJC_CLASS___SmCollectConfiguration, &aAlloc); 62 v52 = objc_msgSend(v3, "init"); 63 v4 = +[SmUtils jsonDecode:](&OBJC_CLASS___SmUtils, "jsonDecode:", v53); 64 jsonDecode = (void *)objc_retainAutoreleasedReturnValue(v4); 65 if ( jsonDecode ) 66 { 67 v5 = objc_msgSend(jsonDecode, "objectForKey:", CFSTR("risk_apps")); 68 risk_apps = (void *)objc_retainAutoreleasedReturnValue(v5); 69 if ( risk_apps ) 70 { 71 v6 = objc_msgSend(&OBJC_CLASS___NSArray, &aClass_4); 72 if ( (unsigned __int64)objc_msgSend(risk_apps, "isKindOfClass:", v6) & 1 ) 73 { 74 v7 = objc_msgSend(v55, "parseRiskApps1:", risk_apps); 75 v8 = objc_retainAutoreleasedReturnValue(v7); 76 objc_msgSend(v52, "setRiskApps:", v8); 77 objc_release(v8); 78 } 79 } 80 objc_storeStrong(&risk_apps, 0LL); 81 v9 = objc_msgSend(jsonDecode, "objectForKey:", CFSTR("risk_dirs")); 82 risk_dirs = (void *)objc_retainAutoreleasedReturnValue(v9); 83 if ( risk_dirs ) 84 { 85 v10 = objc_msgSend(&OBJC_CLASS___NSArray, &aClass_4); 86 if ( (unsigned __int64)objc_msgSend(risk_dirs, "isKindOfClass:", v10) & 1 ) 87 { 88 v11 = v52; 89 v12 = objc_msgSend(v55, "parseRiskDirs1:", risk_dirs); 90 v13 = objc_retainAutoreleasedReturnValue(v12); 91 objc_msgSend(v11, "setRiskDirs:", v13); 92 objc_release(v13); 93 } 94 } 95 objc_storeStrong(&risk_dirs, 0LL); 96 v14 = v52; 97 v15 = objc_msgSend(v55, "parseSensitive1:", jsonDecode); 98 v16 = objc_retainAutoreleasedReturnValue(v15); 99 objc_msgSend(v14, "setSensitives:", v16); 100 objc_release(v16); 101 v17 = objc_msgSend(jsonDecode, &aObjectforkeyed, CFSTR("s_c")); 102 s_c = (void *)objc_retainAutoreleasedReturnValue(v17); 103 if ( s_c ) 104 { 105 v18 = objc_msgSend(&OBJC_CLASS___NSString, &aClass_4); 106 if ( (unsigned __int64)objc_msgSend(s_c, "isKindOfClass:", v18) & 1 ) 107 { 108 v19 = v52; 109 v20 = objc_msgSend(v55, "parseSyscallCodes1:", s_c); 110 v21 = objc_retainAutoreleasedReturnValue(v20); 111 objc_msgSend(v19, "setSyscallCodes:", v21); 112 objc_release(v21); 113 } 114 } 115 objc_storeStrong(&s_c, 0LL); 116 v22 = objc_msgSend(jsonDecode, &aObjectforkeyed, CFSTR("upload_checker_switch")); 117 v46 = (void *)objc_retainAutoreleasedReturnValue(v22); 118 if ( v46 ) 119 { 120 v23 = objc_msgSend(&OBJC_CLASS___NSNumber, &aClass_4); 121 if ( (unsigned __int64)objc_msgSend(v46, "isKindOfClass:", v23) & 1 ) 122 { 123 v24 = v52; 124 v25 = (unsigned __int64)objc_msgSend(v46, &aBoolvalue); 125 objc_msgSend(v24, "setUploadCheckerSwitch:", v25 & 1); 126 } 127 } 128 objc_storeStrong(&v46, 0LL); 129 v26 = objc_msgSend(jsonDecode, &aObjectforkeyed, CFSTR("sensor_times")); 130 v45 = (void *)objc_retainAutoreleasedReturnValue(v26); 131 if ( v45 ) 132 { 133 v27 = objc_msgSend(&OBJC_CLASS___NSNumber, &aClass_4); 134 if ( (unsigned __int64)objc_msgSend(v45, "isKindOfClass:", v27) & 1 ) 135 { 136 v28 = v52; 137 v29 = objc_msgSend(v45, (const char *)&unk_195EE18E6); 138 objc_msgSend(v28, "setSensorTimes:", v29); 139 } 140 } 141 objc_storeStrong(&v45, 0LL); 142 v30 = objc_msgSend(jsonDecode, &aObjectforkeyed, CFSTR("sensor_interval")); 143 v44 = (void *)objc_retainAutoreleasedReturnValue(v30); 144 if ( v44 ) 145 { 146 v31 = objc_msgSend(&OBJC_CLASS___NSNumber, &aClass_4); 147 if ( (unsigned __int64)objc_msgSend(v44, "isKindOfClass:", v31) & 1 ) 148 { 149 v32 = v52; 150 v33 = objc_msgSend(v44, (const char *)&unk_195EE18E6); 151 objc_msgSend(v32, "setSensorInterval:", v33); 152 } 153 } 154 objc_storeStrong(&v44, 0LL); 155 v34 = objc_msgSend(jsonDecode, &aObjectforkeyed, CFSTR("sensor")); 156 v43 = (void *)objc_retainAutoreleasedReturnValue(v34); 157 if ( v43 ) 158 { 159 v35 = objc_msgSend(&OBJC_CLASS___NSArray, &aClass_4); 160 if ( (unsigned __int64)objc_msgSend(v43, "isKindOfClass:", v35) & 1 ) 161 { 162 v36 = v52; 163 v37 = objc_msgSend(v55, "parseSensorConfig:", v43); 164 v38 = objc_retainAutoreleasedReturnValue(v37); 165 objc_msgSend(v36, "setSensorConfigs:", v38); 166 objc_release(v38); 167 } 168 } 169 objc_storeStrong(&v43, 0LL); 170 objc_msgSend(v52, &aSetcontent, v53); 171 v39 = v52; 172 v40 = +[SmUtils md5EncodeStr:](&OBJC_CLASS___SmUtils, "md5EncodeStr:", v53); 173 v41 = objc_retainAutoreleasedReturnValue(v40); 174 objc_msgSend(v39, (const char *)&unk_1A0F6E4CD, v41); 175 objc_release(v41); 176 v56 = objc_retain(v52); 177 v50 = 1; 178 } 179 else 180 { 181 v56 = 0LL; 182 v50 = 1; 183 } 184 objc_storeStrong(&jsonDecode, 0LL); 185 objc_storeStrong(&v52, 0LL); 186 objc_storeStrong(&v53, 0LL); 187 return (id)objc_autoreleaseReturnValue(v56); 188 }
解密上面的s_c数据:
1 //baes64+aes解密 2 id __cdecl +[SmCollectConfiguration parseSyscallCodes1:](SmCollectConfiguration_meta *self, SEL a2, id a3) 3 { 4 NSMutableDictionary *v3; // x0 5 struct objc_object *v4; // x0 6 struct objc_object *v5; // x0 7 void *v6; // x0 8 void *v7; // STD0_8 9 void *v8; // x0 10 void *v9; // x0 11 void *v10; // x0 12 void *v11; // ST78_8 13 void *v12; // x0 14 void *v13; // x0 15 void *v14; // x0 16 void *v15; // ST68_8 17 void *v16; // x0 18 void *v17; // x0 19 void *v18; // ST58_8 20 void *v19; // x0 21 void *v20; // x0 22 void *v21; // ST48_8 23 void *v22; // x0 24 SmSyscallCode *v23; // x0 25 id result; // x0 26 __int64 v25; // [xsp+80h] [xbp-2D0h] 27 void *v26; // [xsp+90h] [xbp-2C0h] 28 __int64 v27; // [xsp+98h] [xbp-2B8h] 29 __int64 v28; // [xsp+A8h] [xbp-2A8h] 30 void *v29; // [xsp+B0h] [xbp-2A0h] 31 void *v30; // [xsp+B8h] [xbp-298h] 32 __int64 v31; // [xsp+D8h] [xbp-278h] 33 void *v32; // [xsp+E8h] [xbp-268h] 34 __int64 v33; // [xsp+F0h] [xbp-260h] 35 __int64 v34; // [xsp+100h] [xbp-250h] 36 void *v35; // [xsp+108h] [xbp-248h] 37 void *v36; // [xsp+110h] [xbp-240h] 38 void *v37; // [xsp+130h] [xbp-220h] 39 void *v38; // [xsp+138h] [xbp-218h] 40 void *v39; // [xsp+140h] [xbp-210h] 41 void *v40; // [xsp+148h] [xbp-208h] 42 void *v41; // [xsp+150h] [xbp-200h] 43 void *v42; // [xsp+158h] [xbp-1F8h] 44 char v43; // [xsp+160h] [xbp-1F0h] 45 __int64 v44; // [xsp+168h] [xbp-1E8h] 46 __int64 *v45; // [xsp+170h] [xbp-1E0h] 47 __int64 v46; // [xsp+1A0h] [xbp-1B0h] 48 void *v47; // [xsp+1A8h] [xbp-1A8h] 49 char v48; // [xsp+1B0h] [xbp-1A0h] 50 __int64 v49; // [xsp+1B8h] [xbp-198h] 51 __int64 *v50; // [xsp+1C0h] [xbp-190h] 52 void *v51; // [xsp+1F0h] [xbp-160h] 53 void *v52; // [xsp+1F8h] [xbp-158h] 54 __int64 v53; // [xsp+200h] [xbp-150h] 55 int v54; // [xsp+20Ch] [xbp-144h] 56 void *v55; // [xsp+210h] [xbp-140h] 57 __int64 v56; // [xsp+218h] [xbp-138h] 58 SEL v57; // [xsp+220h] [xbp-130h] 59 SmCollectConfiguration_meta *v58; // [xsp+228h] [xbp-128h] 60 __int64 v59; // [xsp+230h] [xbp-120h] 61 char v60; // [xsp+238h] [xbp-118h] 62 char v61; // [xsp+2B8h] [xbp-98h] 63 __int64 v62; // [xsp+338h] [xbp-18h] 64 65 v62 = 2133820963558129745LL; 66 v58 = self; 67 v57 = a2; 68 v56 = 0LL; 69 objc_storeStrong(&v56, a3); 70 v3 = sub_18DFAAFC4(&OBJC_CLASS___NSMutableDictionary, "alloc"); 71 v55 = objc_msgSend(v3, "init"); 72 if ( !v56 ) 73 { 74 v59 = objc_retain(v55); 75 v54 = 1; 76 LABEL_46: 77 objc_storeStrong(&v55, 0LL); 78 objc_storeStrong(&v56, 0LL); 79 return (id)objc_autoreleaseReturnValue(v59); 80 } 81 v4 = +[SmUtils aes256DecryptStr:key:](&OBJC_CLASS___SmUtils, "aes256DecryptStr:key:", v56, CFSTR("smsckey")); 82 v53 = objc_retainAutoreleasedReturnValue(v4); 83 if ( (unsigned __int64)+[SmStrUtils empty:](&OBJC_CLASS___SmStrUtils, "empty:", v53) & 1 ) 84 { 85 v59 = objc_retain(v55); 86 v54 = 1; 87 LABEL_45: 88 objc_storeStrong(&v53, 0LL); 89 goto LABEL_46; 90 } 91 v5 = +[SmUtils jsonDecode:](&OBJC_CLASS___SmUtils, "jsonDecode:", v53); 92 v52 = (void *)objc_retainAutoreleasedReturnValue(v5); 93 if ( !v52 ) 94 { 95 v59 = objc_retain(v55); 96 v54 = 1; 97 LABEL_44: 98 objc_storeStrong(&v52, 0LL); 99 goto LABEL_45; 100 } 101 v6 = nullsub_1421(&OBJC_CLASS___NSArray, "class"); 102 if ( !((unsigned __int64)objc_msgSend(v52, "isKindOfClass:", v6) & 1) ) 103 { 104 v59 = objc_retain(v55); 105 v54 = 1; 106 goto LABEL_44; 107 } 108 memset(&v48, 0, 0x40uLL); 109 v36 = (void *)objc_retain(v52); 110 v35 = objc_msgSend(v36, "countByEnumeratingWithState:objects:count:", &v48, &v61, 16LL); 111 if ( !v35 ) 112 { 113 LABEL_43: 114 objc_release(v36); 115 v59 = objc_retain(v55); 116 v54 = 1; 117 goto LABEL_44; 118 } 119 v34 = *v50; 120 v33 = 0LL; 121 v32 = v35; 122 while ( 1 ) 123 { 124 v31 = v33; 125 if ( *v50 != v34 ) 126 objc_enumerationMutation(v36); 127 v51 = *(void **)(v49 + 8 * v33); 128 if ( !v51 ) 129 goto LABEL_41; 130 v7 = v51; 131 v8 = nullsub_1421(&OBJC_CLASS___NSDictionary, "class"); 132 if ( !((unsigned __int64)objc_msgSend(v7, "isKindOfClass:", v8) & 1) ) 133 goto LABEL_41; 134 v47 = (void *)objc_retain(v51); 135 memset(&v43, 0, 0x40uLL); 136 v9 = objc_msgSend(v47, "allKeys"); 137 v30 = (void *)objc_retainAutoreleasedReturnValue(v9); 138 v29 = objc_msgSend(v30, "countByEnumeratingWithState:objects:count:", &v43, &v60, 16LL); 139 if ( v29 ) 140 break; 141 LABEL_40: 142 objc_release(v30); 143 objc_storeStrong(&v47, 0LL); 144 LABEL_41: 145 ++v33; 146 if ( v31 + 1 >= (unsigned __int64)v32 ) 147 { 148 v32 = objc_msgSend(v36, "countByEnumeratingWithState:objects:count:", &v48, &v61, 16LL); 149 v33 = 0LL; 150 if ( !v32 ) 151 goto LABEL_43; 152 } 153 } 154 v28 = *v45; 155 v27 = 0LL; 156 v26 = v29; 157 while ( 1 ) 158 { 159 v25 = v27; 160 if ( *v45 != v28 ) 161 objc_enumerationMutation(v30); 162 v46 = *(_QWORD *)(v44 + 8 * v27); 163 v10 = objc_msgSend(v47, "objectForKeyedSubscript:", v46); 164 v42 = (void *)objc_retainAutoreleasedReturnValue(v10); 165 if ( v42 166 && (v11 = v42, 167 v12 = nullsub_1421(&OBJC_CLASS___NSDictionary, "class"), 168 (unsigned __int64)objc_msgSend(v11, "isKindOfClass:", v12) & 1) ) 169 { 170 v13 = (void *)objc_retain(v42); 171 v41 = v13; 172 v14 = objc_msgSend(v13, "objectForKeyedSubscript:", CFSTR("clazz")); 173 v40 = (void *)objc_retainAutoreleasedReturnValue(v14); 174 if ( v40 175 && (v15 = v40, 176 v16 = nullsub_1421(&OBJC_CLASS___NSString, "class"), 177 (unsigned __int64)objc_msgSend(v15, "isKindOfClass:", v16) & 1) ) 178 { 179 v17 = objc_msgSend(v41, "objectForKeyedSubscript:", CFSTR("method")); 180 v39 = (void *)objc_retainAutoreleasedReturnValue(v17); 181 if ( v39 182 && (v18 = v39, 183 v19 = nullsub_1421(&OBJC_CLASS___NSString, "class"), 184 (unsigned __int64)objc_msgSend(v18, "isKindOfClass:", v19) & 1) ) 185 { 186 v20 = objc_msgSend(v41, "objectForKeyedSubscript:", CFSTR("type")); 187 v38 = (void *)objc_retainAutoreleasedReturnValue(v20); 188 if ( v38 189 && (v21 = v38, 190 v22 = nullsub_1421(&OBJC_CLASS___NSString, "class"), 191 (unsigned __int64)objc_msgSend(v21, "isKindOfClass:", v22) & 1) ) 192 { 193 v23 = sub_18DFAAFC4(&OBJC_CLASS___SmSyscallCode, "alloc"); 194 v37 = -[SmSyscallCode init](v23, "init"); 195 objc_msgSend(v37, "setKey:", v46); 196 objc_msgSend(v37, "setClazz:", v40); 197 objc_msgSend(v37, (const char *)&unk_1A77FDCF6, v39); 198 objc_msgSend(v37, (const char *)&unk_195EE7F2A, v38); 199 objc_msgSend(v55, (const char *)&unk_195EDFD34, v37, v46); 200 objc_storeStrong(&v37, 0LL); 201 v54 = 0; 202 } 203 else 204 { 205 v54 = 5; 206 } 207 objc_storeStrong(&v38, 0LL); 208 } 209 else 210 { 211 v54 = 5; 212 } 213 objc_storeStrong(&v39, 0LL); 214 } 215 else 216 { 217 v54 = 5; 218 } 219 objc_storeStrong(&v40, 0LL); 220 objc_storeStrong(&v41, 0LL); 221 } 222 else 223 { 224 v54 = 5; 225 } 226 result = (id)objc_storeStrong(&v42, 0LL); 227 if ( v54 ) 228 { 229 if ( v54 != 5 ) 230 return result; 231 } 232 ++v27; 233 if ( v25 + 1 >= (unsigned __int64)v26 ) 234 { 235 v26 = objc_msgSend(v30, "countByEnumeratingWithState:objects:count:", &v43, &v60, 16LL); 236 v27 = 0LL; 237 if ( !v26 ) 238 goto LABEL_40; 239 } 240 } 241 }
解密后内容:
smsckey [ { "name":{ "clazz":"UIDevice", "method":"name", "type":"oc" }, "model":{ "clazz":"UIDevice", "method":"model", "type":"oc" }, "platform":{ "clazz":"UIDevice", "method":"platform", "type":"oc" }, "hwmodel":{ "clazz":"UIDevice", "method":"hwmodel", "type":"oc" }, "systemVersion":{ "clazz":"UIDevice", "method":"systemVersion", "type":"oc" }, "localizedModel":{ "clazz":"UIDevice", "method":"localizedModel", "type":"oc" }, "identifierForVendor":{ "clazz":"UIDevice", "method":"identifierForVendor", "type":"oc" }, "carrierName":{ "clazz":"CTCarrier", "method":"carrierName", "type":"oc" }, "isoCountryCode":{ "clazz":"CTCarrier", "method":"isoCountryCode", "type":"oc" }, "mobileCountryCode":{ "clazz":"CTCarrier", "method":"mobileCountryCode", "type":"oc" }, "mobileNetworkCode":{ "clazz":"CTCarrier", "method":"mobileNetworkCode", "type":"oc" }, "isReachableViaWiFi":{ "clazz":"Reachability", "method":"isReachableViaWiFi", "type":"oc" }, "isReachableViaWWANP":{ "clazz":"Reachability", "method":"isReachableViaWWANP", "type":"oc" }, "reachabilityForInternetConnection":{ "clazz":"Reachability", "method":"reachabilityForInternetConnection", "type":"oc" }, "currentRadioAccessTechnology":{ "clazz":"CTTelephonyNetworkInfo", "method":"currentRadioAccessTechnology", "type":"oc" }, "value":{ "clazz":"OpenUDID", "method":"value", "type":"oc" }, "valueWithError":{ "clazz":"OpenUDID", "method":"valueWithError", "type":"oc" } } ]
最终获取到的手机风险环境信息组合如下:
{ "width": 375, "sysaddrs": "8|0x18e50a390|0x18e509504|0x18e50a554|0x18e50a504|0x18e50954c|0x18e524680|0x18e44c210|0x18e5e3780", "sysname": "Darwin", "appname": "comkuaikancomic", "apputm": "Kuaikan", "languages": ["zh-Hans-CN"], "carrier": "-NVT", "osver": "1011", "cost": "8450,42,139539", "lstat": [1, 0], "is_vpn": "false", "rmCode": "8|0x18e4883bc|0xa9be4ff4|0xa9017bfd|0x910043fd|0xd10243ff", "lfrom": "gen", "orientation": "-0012383,0000852,-0999923", "s_c": { "mobileNetworkCode": { "fname": "\/System\/Library\/Frameworks\/CoreTelephonyframework\/CoreTelephony", "fbase": "0x191f3f000", "sname": "<redacted>", "opcode": "8|0x191f71718|0x901086a8|0xb9886508|0xf8686800|0xd65f03c0|0x901086a8|0xb9886503|0x1400fd0c|0x901086a8|0xb9886908|0xf8686800", "saddr": "0x191f71718" }, "reachabilityForInternetConnection": { "fname": "\/usr\/lib\/libobjcAdylib", "fbase": "0x18df88000", "sname": "_objc_msgForward", "opcode": "8|0x18dfa33c0|0xd0133331|0xf940ca31|0xd61f0220|0xd503201f|0xd503201f|0xd503201f|0xd503201f|0xd503201f|0x17fffed0|0xd503201f", "saddr": "0x18dfa33c0" }, "isoCountryCode": { "fname": "\/System\/Library\/Frameworks\/CoreTelephonyframework\/CoreTelephony", "fbase": "0x191f3f000", "sname": "<redacted>", "opcode": "8|0x191f71734|0x901086a8|0xb9886908|0xf8686800|0xd65f03c0|0x901086a8|0xb9886903|0x1400fd05|0x901086a8|0xb9886d08|0x38686800", "saddr": "0x191f71734" }, "isReachableViaWWANP": { "fname": "\/usr\/lib\/libobjcAdylib", "fbase": "0x18df88000", "sname": "_objc_msgForward", "opcode": "8|0x18dfa33c0|0xd0133331|0xf940ca31|0xd61f0220|0xd503201f|0xd503201f|0xd503201f|0xd503201f|0xd503201f|0x17fffed0|0xd503201f", "saddr": "0x18dfa33c0" }, "hwmodel": { "fname": "\/var\/containers\/Bundle\/Application\/CB8831A1-1606-4DCC-AD3B-3C34AD1D1308\/Kuaikanapp\/Kuaikan", "fbase": "0x100064000", "sname": "_ZN4base8internal9BindStateIMN3net24QuicQcloudSessionFactoryEFvPNS3_3JobEiEJNS0_17UnretainedWrapperIS3_EES5_EE7DestroyEPKNS0_13BindStateBaseE", "opcode": "8|0x1020abdb8|0x900066e8|0xf9422101|0xb0001fa2|0x91056c42|0x1402c4a4|0xd100c3ff|0xa9027bfd|0x910083fd|0xd00031e8|0xf9473d08", "saddr": "0x1016e9cac" }, "localizedModel": { "fname": "\/System\/Library\/Frameworks\/UIKitframework\/UIKit", "fbase": "0x1953a1000", "sname": "<redacted>", "opcode": "8|0x19586f140|0xa9be4ff4|0xa9017bfd|0x910043fd|0x900ed588|0xf9423d01|0xb00cc0c2|0x910c0042|0x961ccf71|0xaa1d03fd|0x961cecca", "saddr": "0x19586f140" }, "isReachableViaWiFi": { "fname": "\/var\/containers\/Bundle\/Application\/CB8831A1-1606-4DCC-AD3B-3C34AD1D1308\/Kuaikanapp\/Kuaikan", "opcode": "8|0x100f7e2d4|0xd10083ff|0xa9017bfd|0x910043fd|0xb81fc3bf|0xf000efe8|0xf9425901|0x94477b5b|0xd10013a1|0x9447724d|0x340000c0", "fbase": "0x100064000" }, "carrierName": { "fname": "\/System\/Library\/Frameworks\/CoreTelephonyframework\/CoreTelephony", "fbase": "0x191f3f000", "sname": "<redacted>", "opcode": "8|0x191f716e0|0x901086a8|0xb9885d08|0xf8686800|0xd65f03c0|0x901086a8|0xb9885d03|0x1400fd1a|0x901086a8|0xb9886108|0xf8686800", "saddr": "0x191f716e0" }, "platform": { "fname": "\/var\/containers\/Bundle\/Application\/CB8831A1-1606-4DCC-AD3B-3C34AD1D1308\/Kuaikanapp\/Kuaikan", "fbase": "0x100064000", "sname": "_ZN4base8internal9BindStateIMN3net24QuicQcloudSessionFactoryEFvPNS3_3JobEiEJNS0_17UnretainedWrapperIS3_EES5_EE7DestroyEPKNS0_13BindStateBaseE", "opcode": "8|0x1020abd48|0x900066e8|0xf9422101|0xb0001fa2|0x91059042|0x1402c4c0|0xa9be4ff4|0xa9017bfd|0x910043fd|0xd0006648|0xf9453101", "saddr": "0x1016e9cac" }, "identifierForVendor": { "fname": "\/System\/Library\/Frameworks\/UIKitframework\/UIKit", "fbase": "0x1953a1000", "sname": "<redacted>", "opcode": "8|0x19586f288|0xa9be4ff4|0xa9017bfd|0x910043fd|0xd00ed688|0xf9467500|0xb00ed4c8|0xf9420d01|0x961ccf1f|0xaa1d03fd|0x961cec78", "saddr": "0x19586f288" }, "mobileCountryCode": { "fname": "\/System\/Library\/Frameworks\/CoreTelephonyframework\/CoreTelephony", "fbase": "0x191f3f000", "sname": "<redacted>", "opcode": "8|0x191f716fc|0x901086a8|0xb9886108|0xf8686800|0xd65f03c0|0x901086a8|0xb9886103|0x1400fd13|0x901086a8|0xb9886508|0xf8686800", "saddr": "0x191f716fc" }, "systemVersion": { "fname": "\/System\/Library\/Frameworks\/UIKitframework\/UIKit", "fbase": "0x1953a1000", "sname": "<redacted>", "opcode": "8|0x1955247f0|0xa9be4ff4|0xa9017bfd|0x910043fd|0xf00eefc8|0xf9423d01|0x900cdb22|0x910e8042|0x9629f9c5|0xaa1d03fd|0x962a171e", "saddr": "0x1955247f0" }, "currentRadioAccessTechnology": { "fname": "\/System\/Library\/Frameworks\/CoreTelephonyframework\/CoreTelephony", "fbase": "0x191f3f000", "sname": "<redacted>", "opcode": "8|0x191f730a8|0xd0108688|0xf942b901|0x1700bf9c|0xd0108688|0xf942c101|0x1700bf99|0xa9be4ff4|0xa9017bfd|0x910043fd|0xaa0003f3", "saddr": "0x191f730a8" }, "value": { "error": "1" }, "valueWithError": { "error": "1" }, "model": { "fname": "\/System\/Library\/Frameworks\/UIKitframework\/UIKit", "fbase": "0x1953a1000", "sname": "<redacted>", "opcode": "8|0x19560b734|0xa9be4ff4|0xa9017bfd|0x910043fd|0x900ee8a8|0xf9423d01|0xb00cd3e2|0x910c0042|0x96265df4|0xaa1d03fd|0x96267b4d", "saddr": "0x19560b734" }, "name": { "fname": "\/System\/Library\/Frameworks\/UIKitframework\/UIKit", "fbase": "0x1953a1000", "sname": "<redacted>", "opcode": "8|0x19586f0e4|0xa9be4ff4|0xa9017bfd|0x910043fd|0x900ed588|0xf9423d01|0xb00cc0c2|0x910b8042|0x961ccf88|0xaa1d03fd|0x961cece1", "saddr": "0x19586f0e4" } }, "networkType": "WIFI", "riskapp": {}, "first": "false", "appId": "", "totalSpace": 12075954176, "stCode": "8|0x18e50a390|0xd2802a50|0xd4001001|0x540000c3|0xa9bf7bfd", "freeSpace": 9338871808, "rtype": "all", "name": "iPhone", "scaledDensity": 2, "root": "true", "model": "iPhone7,2", "smid": "20190528104716e43647ec3ea6fdd0b1100ebd52ea1e4c018be30066d3xxxx", "battery": 1, "height": 667, "sdkver": "250", "idfa": "56076342-6AA8-4EF3-A3B3-FF0E2C6EEAEF", "acCode": "8|0x18e50a734|0xd2800430|0xd4001001|0x540000c3|0xa9bf7bfd", "idfv": "DFF15047-2F42-4612-8BE2-8D0B248248D8", "bssid": "c4:b8:b4:23:cd:c0", "os": "ios", "t": 1559043750046, "appver": "28084", "boot": 1559009953157, "ssid": "Reyun", "dns": ["114114114114"], "riskdir": {}, "track": "true", "smseq": "1", "memory": 1037041664, "brightness": 03940821886062622 }
加密上传服务器(加密函数和上面加密函数一样),到这里整个流程应当完了。
0x03:总结
1.SDK主要从硬件软件两方面来获取设备数据,分两步完成,唯一ID的生成与风险环境的上报。
2. 最后感谢看完本文,如果觉得这篇文章有用可能帮助到你的朋友也欢迎转载,欢迎扫码关注公众号:
当把学习当成一种习惯!
