使用class-dump-z分析支付宝app
为了了解支付宝app的源码结构,我们可以使用class-dump-z工具来分析支付宝二进制。
1.下载配置class_dump_z
前往 https://code.google.com/p/networkpx/wiki/class_dump_z ,下载tar包,然后解压配置到本地环境
$ tar -zxvf class-dump-z_0.2a.tar.gz$ sudo cp mac_x86/class-dump-z /usr/bin/
2.class_dump支付宝app
$ class-dump-z Portal > Portal-dump.txt@protocol XXEncryptedProtocol_10764b0-(?)XXEncryptedMethod_d109df;-(?)XXEncryptedMethod_d109d3;-(?)XXEncryptedMethod_d109c7;-(?)XXEncryptedMethod_d109bf;-(?)XXEncryptedMethod_d109b8;-(?)XXEncryptedMethod_d109a4;-(?)XXEncryptedMethod_d10990;-(?)XXEncryptedMethod_d1097f;-(?)XXEncryptedMethod_d10970;-(?)XXEncryptedMethod_d10968;-(?)XXEncryptedMethod_d10941;-(?)XXEncryptedMethod_d10925;-(?)XXEncryptedMethod_d10914;-(?)XXEncryptedMethod_d1090f;-(?)XXEncryptedMethod_d1090a;-(?)XXEncryptedMethod_d10904;-(?)XXEncryptedMethod_d108f9;-(?)XXEncryptedMethod_d108f4;-(?)XXEncryptedMethod_d108eb;@optional-(?)XXEncryptedMethod_d109eb;@end查看得到的信息是加过密的,这个加密操作是苹果在部署到app store时做的,所以我们还需要做一步解密操作。3.使用Clutch解密支付宝app
1)下载ClutchiOS7越狱后的Cydia源里已经下载不到Clutch了,但是我们可以从网上下载好推进iPhone地址:Clutch传送门2)查看可解密的应用列表
root# ./Clutch Clutch-1.3.2usage: ./Clutch [flags] [application name] […]Applications available: 9P_RetinaWallpapers breadtrip Chiizu CodecademyiPhone FisheyeFree food GirlsCamera IMDb InstaDaily InstaTextFree iOne ItsMe3 linecamera Moldiv MPCamera MYXJ NewsBoard Photo Blur Photo Editor PhotoWonder POCO相机 Portal QQPicShow smashbandits Spark tripcamera Tuding_vITC_01 wantu WaterMarkCamera WeiBo Weibo
3)解密支付宝app
root# ./Clutch PortalClutch-1.3.2Cracking Portal…Creating working directory…Performing initial analysis…Performing cracking preflight…dumping binary: analyzing load commandsdumping binary: obtaining ptrace handledumping binary: forking to begin tracingdumping binary: successfully forkeddumping binary: obtaining mach portdumping binary: preparing code resigndumping binary: preparing to dumpdumping binary: ASLR enabled, identifying dump location dynamicallydumping binary: performing dumpdumping binary: patched cryptiddumping binary: writing new checksumCensoring iTunesMetadata.plist…Packaging IPA file…compression level: 0/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipaelapsed time: 7473msApplications Cracked: PortalApplications that Failed:Total Success: 1 Total Failed: 0
4)导出已解密的支付宝app
从上一步骤得知,,已解密的ipa位置为:/var/root/Documents/Cracked/支付宝钱包-v8.0.0-(Clutch-1.3.2).ipa将其拷贝到本地去分析
4.class_dump已解密的支付宝app
解压.ipa后,到 支付宝钱包-v8.0.0-(Clutch-1.3.2)/Payload/Portal.app 目录下,class_dump已解密的二进制文件
$ class-dump-z Portal > ~/Portal-classdump.txt这回就可以得到对应的信息了:
@protocol ALPNumPwdInputViewDelegate <NSObject>-(void)onPasswordDidChange:(id)onPassword;@end@protocol ALPContactBaseTableViewCellDelegate <NSObject>-(void)shareClicked:(id)clicked sender:(id)sender;@end@interface MMPPayWayViewController : XXUnknownSuperclass <SubChannelSelectDelegate, UITableViewDataSource, UITableViewDelegate, CellDelegate, UIAlertViewDelegate> {@privateItem* channelSelected;BOOL _bCheck;BOOL _bOpenMiniPay;BOOL _bNeedPwd;BOOL _bSimplePwd;BOOL _bAutopayon;BOOL _bHasSub;BOOL _bFirstChannel;BOOL _bChangeSub;BOOL _bClickBack;UITableView* _channelListTableView;NSMutableArray* _channelListArray;NSMutableArray* _subChanneSelectedlList;NSMutableArray* _unCheckArray;UIButton* _saveButton;UILabel* _tipLabel;MMPPasswordSwichView* _payWaySwitch;MMPPopupAlertView* _alertView;UIView* _setView;int _originalSelectedRow;int _currentSelectedRow;NSString* _statusCode;ChannelListModel* _defaultChannelList;}@property(assign, nonatomic) BOOL bClickBack;@property(retain, nonatomic) ChannelListModel* defaultChannelList;@property(retain, nonatomic) NSString* statusCode;@property(assign, nonatomic) int currentSelectedRow;@property(assign, nonatomic) int originalSelectedRow;@property(retain, nonatomic) UIView* setView;@property(retain, nonatomic) MMPPopupAlertView* alertView;@property(retain, nonatomic) MMPPasswordSwichView* payWaySwitch;@property(assign, nonatomic, getter=isSubChannelChanged) BOOL bChangeSub;@property(assign, nonatomic) BOOL bFirstChannel;@property(assign, nonatomic) BOOL bHasSub;@property(assign, nonatomic) BOOL bAutopayon;@property(assign, nonatomic) BOOL bSimplePwd;@property(assign, nonatomic) BOOL bNeedPwd;@property(assign, nonatomic) BOOL bOpenMiniPay;@property(assign, nonatomic) BOOL bCheck;@property(retain, nonatomic) UILabel* tipLabel;@property(retain, nonatomic) UIButton* saveButton;@property(retain, nonatomic) NSMutableArray* unCheckArray;@property(retain, nonatomic) NSMutableArray* subChanneSelectedlList;@property(retain, nonatomic) NSMutableArray* channelListArray;@property(retain, nonatomic) UITableView* channelListTableView;-(void).cxx_destruct;-(void)subChannelDidSelected:(id)subChannel;-(void)switchCheckButtonClicked:(id)clicked;-(void)checkboxButtonClicked:(id)clicked;-(void)onCellClick:(id)click;-(void)showSubChannels;-(void)tableView:(id)view didSelectRowAtIndexPath:(id)indexPath;-(id)tableView:(id)view cellForRowAtIndexPath:(id)indexPath;-(int)tableView:(id)view numberOfRowsInSection:(int)section;-(float)tableView:(id)view heightForRowAtIndexPath:(id)indexPath;-(int)numberOfSectionsInTableView:(id)tableView;-(void)setTableViewFootView:(id)view;-(void)setTableViewHeaderView:(id)view;-(id)tableView:(id)view viewForHeaderInSection:(int)section;-(id)tableView:(id)view viewForFooterInSection:(int)section;-(float)tableView:(id)view heightForHeaderInSection:(int)section;-(float)tableView:(id)view heightForFooterInSection:(int)section;-(void)alertView:(id)view clickedButtonAtIndex:(int)index;-(void)clickSave;-(void)netWorkRequestWithPwd:(id)pwd;-(void)setPayWaySwitchStates:(id)states;-(void)changePayWaySwitch:(id)aSwitch;-(void)scrollToSelectedRow;-(void)didReceiveMemoryWarning;-(void)viewDidLoad;-(void)applicationEnterBackground:(id)background;-(void)dealloc;-(void)goBack;-(BOOL)isChannelsSetChanged;-(id)subChannelCode:(int)code;-(id)subChannelDesc:(int)desc;-(id)initWithDefaultData:(id)defaultData;-(id)initWithNibName:(id)nibName bundle:(id)bundle;-(void)commonInit:(id)init;@end
5.分析支付宝源码片段
我躺下来,以一张报纸当枕头。高高在我上方的,
