iOS 混淆相关的求助


#1

这种是控制流改写了吗?有没有办法对抗这种技术

hop出来的方法
// Decompiler pseudo-code (register level: r31 = sp, r29 = fp, d*/v*/q* = NEON regs)
// of the obfuscated build of +[AFSecurityPolicy defaultPolicy]. The plain
// three-line implementation is quoted right after this listing; everything
// extra here is obfuscation. Three layers are visible in the text below:
//   1. control-flow flattening: r8 carries a 32-bit state id (assembled with a
//      movz/movk pair), the do/while nest plus the <= / != / == tests on r8 is the
//      dispatcher, and every real basic block ends by loading the next state id
//      into r8;
//   2. in-place string decryption: the byte-wise XOR runs patch the buffers at
//      0x2d8dc5 .. 0x2d8e68, and exactly those addresses are what dlsym() and the
//      resolved functions receive afterwards;
//   3. dynamic symbol resolution: dlopen(NULL, 0xa) + dlsym() instead of direct
//      runtime calls, so the objc calls do not show up in the import table.
// A load-acquire of a global at 0x340670 selects between the "decrypt" states
// and the "already decrypted" states, which reads like a decrypt-once guard —
// TODO confirm against the binary.
// NOTE(review): the forum paste was run through markdown, which eats pairs of
// '*'. Lines of the form "r25 = r25 ^ 0x25" and the final indirect calls are
// therefore missing their dereference operators; see the notes at those lines.
void * +[AFSecurityPolicy defaultPolicy](void * self, void * _cmd) {
// --- prologue: 0x110-byte frame, callee-saved d8-d11 / r19-r30 spilled ---
// (the decompiler prints some of the saved registers as the constant buffer
// addresses they happen to hold at this point)
r31 = r31 - 0x110;
*(r31 + 0x90) = d11;
*(r31 + 0x98) = d10;
*(r31 + 0xa0) = d9;
*(r31 + 0xa8) = d8;
*(r31 + 0xb0) = r28;
*(r31 + 0xb8) = 0x2d8dcc;
*(r31 + 0xc0) = r26;
*(r31 + 0xc8) = 0x2d8dc5;
*(r31 + 0xd0) = 0x2d8e11;
*(r31 + 0xd8) = 0x2d8e20;
*(r31 + 0xe0) = 0x2d8e38;
*(r31 + 0xe8) = 0x2d8de0;
*(r31 + 0xf0) = 0x2d8e68;
*(r31 + 0xf8) = r19;
*(r31 + 0x100) = r29;
*(r31 + 0x108) = r30;
r29 = r31 + 0x100;
// self is parked at sp+0x8 and becomes the first argument of the first
// indirect call at the end of the function.
*(r31 + 0x8) = self;
// Load-acquire of a global word; its zero/non-zero state is stored at sp+0x4d
// further down and decides which dispatcher state runs next.
r8 = 0x340670;
asm{ ldar w8, [x8] };
*(r31 + 0x48) = r8;
// Dispatcher bounds used by the binary-search comparisons below:
//   r28 = 0x186402bc, r19 = 0xa526f76b (low half via movz, high half via movk).
r28 = zero_extend_64(0x2bc);
asm{ movk w28, #0x1864 };
r19 = zero_extend_64(0xf76b);
asm{ movk w19, #0xa526 };
// Addresses of the (still encrypted) name buffers. Each is passed to dlsym()
// in the state at 0x92219285 and XOR-patched in the decrypt states.
r20 = 0x2d8e68;
r22 = 0x2d8e38;
r23 = 0x2d8e20;
r24 = 0x2d8e11;
r8 = 0x293000;
asm{ nop };
// The decompiler rendered a page-relative load as "base + string"; presumably it
// is just another load from the 0x292000 data page like the two that follow.
*(r31 + 0x30) = *(0x292000 + “/System/Library/Frameworks/Foundation.framework/Foundation”);
r8 = 0x292000;
*(r31 + 0x20) = *(r8 + 0xbd0);
asm{ nop };
*(r31 + 0x10) = *(r8 + 0xbe0);
// More dispatcher constants: r26 = 0x74389f74 (upper bound, see "if (r8 > r26)"),
// r11 = 0x788411ce (the "decrypt" state picked by csel), and the initial state
// r8 = 0xc53590cf, which lands in the flag-test block first.
r26 = zero_extend_64(0x9f74);
asm{ movk w26, #0x7438 };
r11 = zero_extend_64(0x11ce);
asm{ movk w11, #0x7884 };
r25 = 0x2d8dc5;
r27 = 0x2d8dcc;
r8 = zero_extend_64(0x90cf);
asm{ movk w8, #0xc535 };
r21 = 0x2d8de0;
// --- flattened dispatcher: the loop nest only exists to re-test r8 ---
do {
do {
do {
while (r8 <= r28) {
if (r8 <= r19) {
r9 = zero_extend_64(0x7957);
asm{ movk w9, #0x90f2 };
if (r8 != r9) {
r9 = zero_extend_64(0x9285);
asm{ movk w9, #0x9221 };
if (r8 == r9) {
// State 0x92219285: resolve the callees. dlopen(NULL, 0xa) returns the main
// program handle (0xa = RTLD_NOW|RTLD_GLOBAL in Darwin's dlfcn.h); the names
// come from the buffers decrypted in the earlier states. The store-release
// below is probably what sets the once-flag at 0x340670 — the decompiler has
// dropped the address setup, so confirm in the disassembly.
asm{ stlr w9, [x8] };
*(r31 + 0x50) = 0x2d8e00;
*(r31 + 0x58) = dlsym(dlopen(zero_extend_64(0x0), zero_extend_64(0xa)), r20);
*(r31 + 0x60) = dlsym(dlopen(zero_extend_64(0x0), zero_extend_64(0xa)), 0x2d8e50);
*(r31 + 0x68) = dlsym(dlopen(zero_extend_64(0x0), zero_extend_64(0xa)), r22);
*(r31 + 0x70) = dlsym(dlopen(zero_extend_64(0x0), zero_extend_64(0xa)), r23);
r0 = dlopen(zero_extend_64(0x0), zero_extend_64(0xa));
r0 = dlsym(r0, r24);
r11 = zero_extend_64(0x11ce);
asm{ movk w11, #0x7884 };
*(r31 + 0x78) = r0;
// next state: 0x90f27957
r8 = zero_extend_64(0x7957);
asm{ movk w8, #0x90f2 };
}
}
else {
// State 0x90f27957: last two resolutions. sp+0x80 takes the function resolved
// from the buffer at 0x2d8e11; fp-0x78 (== sp+0x88) takes the one from 0x2d8e00.
*(r31 + 0x80) = *(r31 + 0x78);
r0 = dlopen(zero_extend_64(0x0), zero_extend_64(0xa));
r0 = dlsym(r0, *(r31 + 0x50));
r11 = zero_extend_64(0x11ce);
asm{ movk w11, #0x7884 };
*(r29 + 0xffffffffffffff88) = r0;
// next state: 0x74389f75 — the exit value tested by the outermost while
r8 = zero_extend_64(0x9f75);
asm{ movk w8, #0x7438 };
}
}
else {
r9 = zero_extend_64(0xf76c);
asm{ movk w9, #0xa526 };
if (r8 != r9) {
r9 = zero_extend_64(0x90cf);
asm{ movk w9, #0xc535 };
if (r8 == r9) {
// State 0xc53590cf (initial): sp+0x4d = (flag at 0x340670 == 0), per the
// cmp/cset pair the decompiler shows as an if.
r8 = *(r31 + 0x48);
if (r8 == 0x0) {
asm{ cset w8 };
}
*(r31 + 0x4d) = r8;
// next state: 0x4eacf0d4
r8 = zero_extend_64(0xf0d4);
asm{ movk w8, #0x4eac };
}
}
else {
// State 0xa526f76c: third decrypt slice. Patches the buffers at 0x2d8e20 (r23),
// 0x2d8e38 (r22), 0x2d8e60 and 0x2d8e68 (r20) byte by byte; sp+0x4f was
// produced by the previous slice. The d0/v0 lines are NEON register shuffling
// around a 16-byte XOR the decompiler could not fully express.
*(r23 + 0x1) = *(r31 + 0x4f);
*(r23 + 0x2) = *(r23 + 0x2);
*(r23 + 0xa) = *(r23 + 0xa) ^ zero_extend_64(0xb6);
*(r23 + 0xb) = *(r23 + 0xb) ^ zero_extend_64(0xa2);
*(r23 + 0xc) = *(r23 + 0xc) ^ zero_extend_64(0xb0);
*(r23 + 0xd) = *(r23 + 0xd) ^ zero_extend_64(0x76);
*(r23 + 0xe) = *(r23 + 0xe) ^ 0x1;
*(r23 + 0xf) = *(r23 + 0xf) ^ zero_extend_64(0xc8);
*(r23 + 0x10) = *(r23 + 0x10) ^ zero_extend_64(0x85);
// presumably "*r22 = *r22;" (byte 0 of the buffer) with the '*' pair eaten by markdown
r22 = r22;
*(r22 + 0x8) = *(r22 + 0x8) ^ zero_extend_64(0xb0);
*(r22 + 0x9) = *(r22 + 0x9) ^ zero_extend_64(0x91);
*(r22 + 0xa) = *(r22 + 0xa) ^ zero_extend_64(0x8d);
*(r22 + 0xb) = *(r22 + 0xb) ^ zero_extend_64(0x37);
*(r22 + 0xc) = *(r22 + 0xc) ^ 0xffffffffbbbbbbbb;
*0x2d8e60 = *0x2d8e60 ^ zero_extend_64(0x25);
d0 = r20;
v0 = v0 ^ v8 ^ v9 ^ v1 ^ v10;
*(r20 + 0x8) = *(r20 + 0x8) ^ zero_extend_64(0xb2);
*(r20 + 0x9) = *(r20 + 0x9) ^ zero_extend_64(0x90);
*(r20 + 0xa) = *(r20 + 0xa) ^ zero_extend_64(0xc4);
*(r20 + 0xb) = *(r20 + 0xb) ^ zero_extend_64(0x98);
*(r20 + 0xc) = *(r20 + 0xc) ^ 0xffffffffffffff8f;
// next state: 0x92219285 (the dlsym block)
r8 = zero_extend_64(0x9285);
asm{ movk w8, #0x9221 };
r20 = d0;
}
}
}
// States above r26 (0x74389f74) leave the inner dispatcher; 0x74389f75 is the
// only one produced, and it ends the function.
if (r8 > r26) {
break;
}
r9 = zero_extend_64(0x2bd);
asm{ movk w9, #0x1864 };
if (r8 != r9) {
r9 = zero_extend_64(0xf0d4);
asm{ movk w9, #0x4eac };
if (r8 == r9) {
// State 0x4eacf0d4: branch on the flag. csel picks r11 (0x788411ce, the first
// decrypt slice) when the flag was zero, else 0x92219285 (straight to dlsym).
COND = *(r31 + 0x4d) != 0x0;
r8 = zero_extend_64(0x9285);
asm{ movk w8, #0x9221 };
if (COND) {
asm{ csel w8, w11, w8 };
}
}
}
else {
// State 0x186402bd: second decrypt slice, buffers at 0x2d8e11 (r24) and
// 0x2d8e20 (r23); sp+0x4e comes from the first slice, sp+0x4f feeds the third.
*(r24 + 0x8) = *(r31 + 0x4e);
*(r24 + 0x9) = *(r24 + 0x9) ^ zero_extend_64(0x41);
*(r24 + 0xa) = *(r24 + 0xa) ^ 0x4;
*(r24 + 0xb) = *(r24 + 0xb) ^ zero_extend_64(0xd0);
*(r24 + 0xc) = *(r24 + 0xc) ^ zero_extend_64(0xb3);
// presumably "*r23 = *r23 ^ 0xcd" — markdown dropped the '*' pair
r23 = r23 ^ zero_extend_64(0xcd);
*(r31 + 0x4f) = *(r23 + 0x1) ^ zero_extend_64(0x1a);
// next state: 0xa526f76c
r8 = zero_extend_64(0xf76c);
asm{ movk w8, #0xa526 };
}
} while (true);
// Only state r11 (0x788411ce) falls through to the block below.
if (r8 != r11) {
break;
}
// State 0x788411ce: first decrypt slice, buffers at 0x2d8dc5 (r25), 0x2d8dcc (r27),
// 0x2d8de0 (r21), 0x2d8e00/0x2d8e10 and 0x2d8e11 (r24). The buffers at r25/r27/
// r21 are the arguments handed to the resolved functions at the end.
// presumably "*r25 = *r25 ^ 0x25" — markdown dropped the '*' pair
r25 = r25 ^ zero_extend_64(0x25);
*(r25 + 0x1) = *(r25 + 0x1) ^ zero_extend_64(0x50);
*(r25 + 0x2) = *(r25 + 0x2) ^ zero_extend_64(0x1d);
*(r25 + 0x3) = *(r25 + 0x3) ^ 0xffffffffffffffc1;
*(r25 + 0x4) = *(r25 + 0x4) ^ zero_extend_64(0xda);
*(r25 + 0x5) = *(r25 + 0x5) ^ zero_extend_64(0x8a);
*(r25 + 0x6) = *(r25 + 0x6) ^ zero_extend_64(0xd4);
// presumably "*r27 = *r27 ^ 0x9e"
r27 = r27 ^ zero_extend_64(0x9e);
*(r27 + 0x1) = *(r27 + 0x1) ^ 0xf;
*(r27 + 0x2) = *(r27 + 0x2) ^ zero_extend_64(0xae);
*(r27 + 0x3) = *(r27 + 0x3) ^ zero_extend_64(0xaf);
*(r27 + 0x4) = *(r27 + 0x4) ^ zero_extend_64(0x41);
*(r27 + 0x5) = *(r27 + 0x5) ^ 0x60;
// presumably "*r21 = *r21;"
r21 = r21;
*(r21 + 0x10) = *(r21 + 0x10) ^ 0x6;
*(r21 + 0x11) = *(r21 + 0x11) ^ 0xffffffff;
*(r21 + 0x12) = *(r21 + 0x12) ^ zero_extend_64(0xc8);
*(r21 + 0x13) = *(r21 + 0x13) ^ zero_extend_64(0x6d);
// 16-byte NEON XOR over the buffer at 0x2d8e00 (decompiler shows only the register ops)
q0 = 0x2d8e00;
v0 = v0 ^ v1 ^ v1;
*0x2d8e10 = *0x2d8e10 ^ 0x33333333;
// presumably "*r24 = *r24 ^ 0x53"; from here to the end of the slice the paste
// has lost every '*' (markdown), each "(rX + n)" is a byte load/store "*(rX + n)".
r24 = r24 ^ zero_extend_64(0x53);
*(r24 + 0x1) = *(r24 + 0x1) ^ zero_extend_64(0x53);
*(r24 + 0x2) = *(r24 + 0x2) ^ zero_extend_64(0x39);
*(r24 + 0x3) = *(r24 + 0x3) ^ zero_extend_64(0x36);
*(r24 + 0x4) = (r24 + 0x4) ^ zero_extend_64(0xb9);
(r24 + 0x6) = (r24 + 0x6) ^ zero_extend_64(0x62);
(r24 + 0x7) = (r24 + 0x7) ^ zero_extend_64(0xd3);
(r31 + 0x4e) = (r24 + 0x8) ^ zero_extend_64(0x8c);
// next state: 0x186402bd
r8 = zero_extend_64(0x2bd);
asm{ movk w8, #0x1864 };
} while (true);
// Exit state 0x74389f75.
r9 = zero_extend_64(0x9f75);
asm{ movk w9, #0x7438 };
} while (r8 != r9);
// --- the real work, through the resolved function pointers ---
// The '*' operators are missing here too; read as
//   r19 = (*(sp+0x80))(self, (*(fp-0x78))(0x2d8dc5));
//   r19 = (*(sp+0x68))(r19, (*(sp+0x70))(0x2d8dcc));
//   r0  = (*(sp+0x60))(0x2d8de0);  (*(sp+0x58))(r19, r0, 0);
// i.e. fn(self, fn'(name)), fn(obj, fn'(name)), fn(obj, fn'(name), 0) then
// autorelease. That shape is consistent with [[self alloc] init] followed by
// setSSLPinningMode:0 in the plain implementation, with the selectors looked up
// by name from the decrypted buffers — TODO confirm by reading the decrypted strings.
r19 = (
(r31 + 0x80))(
(r31 + 0x8), (
(r29 + 0xffffffffffffff88))(0x2d8dc5));
r19 = (
(r31 + 0x68))(r19, (
(r31 + 0x70))(0x2d8dcc));
r0 = (
(r31 + 0x60))(0x2d8de0);
(
(r31 + 0x58))(r19, r0, zero_extend_64(0x0));
r0 = [r19 autorelease];
return r0;
}

正常方法
+ (instancetype)defaultPolicy {
    // Convenience factory: a freshly initialised policy with certificate
    // pinning switched off (AFSSLPinningModeNone).
    AFSecurityPolicy *policy = [[self alloc] init];
    [policy setSSLPinningMode:AFSSLPinningModeNone];
    return policy;
}


#2

看起来像光


#3

这种用dlopen+dlsym大量调用OC函数的方式也能过审,真的可以啊?这真的是从AppStore下的吗?


#4

不是AppStore,网上随便下载的


#5

其实你认真看看,它很多都是先用dlsym取到对应的函数,然后再间接调用的;我以前见过一个越狱插件和这个有点像,不过那个我是HOOK了它的字符串加解密函数,看了一下对方调用的某APP的函数,整个调用过程全是用dlsym那种方式。


#6

随便下就能下到强混淆, 运气这么好?


#7

是chuiniu 插:mango:件,想看看别人怎么实现的,想学习这种反混淆


#9

如果是学习的话,建议自己写个很短的函数,用光、ollvm、Armariris等混淆一下,然后试着反混淆。推荐学习miasm这个工具。