如果在逆向一个app时,分析到调用了一个executeBlock:
方法。关注点落到了一个block上该怎么办,打印block只能看到是一个在栈中的block类型__NSStackBlock__
。
使用hopper分析该二进制代码,看伪代码也不太懂:
// Hopper pseudo-C of one Objective-C method: self arrives in x0 (r21), a second argument
// (arg2, the block from the question) in x1 (r19).  rNN names are raw ARM64 registers and
// `asm{ ... }` lines are instructions the decompiler could not lift.  The `int32_t *` casts
// are a decompiler artifact — every slot below is a 64-bit pointer-sized store/load.
// Prologue: save callee-saved pairs x19..x26 and the frame/link pair (x29, x30).
asm{ stp x26, x25, [sp, #0xffffffb0]! };
asm{ stp x24, x23, [sp, #0x10] };
asm{ stp x22, x21, [sp, #0x20] };
asm{ stp x20, x19, [sp, #0x30] };
asm{ stp x29, x30, [sp, #0x40] };
// Artifact of the frame allocation (sub sp, sp, #0x60); not a real assignment.
0x0 = 0x0 - 0x60;
r21 = self;
// arg2 is retained for the whole method and released again at the end (line `r0 = [r19 release]`).
r19 = [arg2 retain];
// Loads a signed 32-bit offset from x8+0xd60 and reads a 32-bit field of self at that offset.
// This looks like an ivar-offset load (OBJC_IVAR_$_...) — TODO confirm the symbol in Hopper.
asm{ ldrsw x25, [x8, #0xd60] };
r8 = *(int32_t *)(r21 + r25);
// Field <= 2: an indirect call whose target (x8) this output does not recover.
if (r8 <= 0x2) {
asm{ blr x8 };
}
else {
// w24 = 0xC2000000; stored as the second word of each stack structure built below.
asm{ movz w24, #0xc200, lsl #16 };
// Picks one of two constants (x9 / x10) as the alert message; the string values were dropped.
asm{ csel x20, x10, x9, eq };
r0 = [KDAlertView alloc];
// x4 / x5 are zeroed: cancelButtonTitle and cancelAction are nil (rendered as STK0 / STK-1).
asm{ movz x4, #0x0 };
asm{ movz x5, #0x0 };
r0 = [r0 initWithTitle:@"Purchase Validation" message:r20 cancelButtonTitle:STK0 cancelAction:STK-1];
r20 = r0;
// The nop is a folded adrp; "r0 + 0xf3704" is presumably a global loaded PC-relative, not a
// field of the alert — verify what that address resolves to.
asm{ nop };
r26 = *(int32_t *)(r0 + 0xf3704);
// Fills a structure on the stack at sp+0x38: +0x00 the global pointer, +0x08 the 0xC2000000
// word and a zero, +0x10 a code address, +0x18 a second address, +0x20 retained self.
// That is the layout of a block literal (isa, flags/reserved, invoke, descriptor, captured
// variables), which matches the __NSStackBlock__ seen at runtime; if so, 0x10013ae9c is the
// body of that block and 0x100244fd0 its descriptor — confirm that r26 is _NSConcreteStackBlock.
*(int32_t *)(r31 + 0x38) = r26;
asm{ stp w24, wzr, [sp, #0x40] };
asm{ nop };
*(int32_t *)(r31 + 0x48) = 0x10013ae9c;
*(int32_t *)(r31 + 0x50) = 0x100244fd0;
r23 = [r21 retain];
*(int32_t *)(r31 + 0x58) = r23;
// r2 / r1 are not recovered here; the title and the action (presumably the address of the
// structure just built, sp+0x38) are passed in x2 / x3.
r22 = @selector(addButtonWithTitle:action:);
[r20 addButtonWithTitle:r2 action:r1];
// Same field == 3: a second structure of the same shape at sp+0x8, with a different code
// address (0x10013aeac) and two captures — retained self and retained arg2 — then a second button.
if (*(int32_t *)(r21 + r25) == 0x3) {
*(int32_t *)(r31 + 0x8) = r26;
asm{ stp w24, wzr, [sp, #0x10] };
asm{ nop };
*(int32_t *)(r31 + 0x18) = 0x10013aeac;
*(int32_t *)(r31 + 0x20) = 0x100245000;
*(int32_t *)(r31 + 0x28) = [r23 retain];
*(int32_t *)(r31 + 0x30) = [r19 retain];
[r20 addButtonWithTitle:r2 action:r1];
// Releases the two captures of the second structure once the button has been added.
r0 = *(int32_t *)(r31 + 0x30);
[r0 release];
r0 = *(int32_t *)(r31 + 0x28);
[r0 release];
}
[r20 show];
// Releases the self capture of the first structure, then the alert itself.
r0 = *(int32_t *)(r31 + 0x58);
[r0 release];
[r20 release];
}
// Balances the retain of arg2 at entry.
r0 = [r19 release];
// Artifact of the frame teardown; not a real assignment.
0x0 = 0x40 - 0x40;
// Epilogue: restore the saved register pairs in reverse order and pop the frame.
asm{ ldp x29, x30, [sp, #0x40] };
asm{ ldp x20, x19, [sp, #0x30] };
asm{ ldp x22, x21, [sp, #0x20] };
asm{ ldp x24, x23, [sp, #0x10] };
asm{ ldp x26, x25, [sp], #0x50 };
return;
如果直接改的话,需要自己重签名,可能是因为该app用到了其他extension,还有一些配置,所以自己签名后对不上,安装后,一直闪退?