POST /sign/v1?__skts=1594635245.049246&__skua=2a697581ee5fdcf2a827af884b294ffd&__skck=8f5973b085446090f224af74e30e0181&__skcy=7sVHcJSytsg4qCD2R4albdgwBcc%3D&__skno=13D941B5-5180-46DC-94AF-E6A8B9A2ED4A&__skvs=1.1 HTTP/1.1
Host: appsec-mobile.meituan.com
Content-Type: text/plain; charset=ISO-8859-1
__skck参数相同了
body需要解密
(lldb) bt
- thread #1, queue = ‘com.apple.main-thread’, stop reason = breakpoint 1.1
- frame #0: 0x00000001117fe7e8 libDPScopeDylib.dylib
_logos_meta_method$_ungrouped$NSURL$URLWithString$(self=NSURL, _cmd="URLWithString:", URLString="https://appsec-mobile.meituan.com/sign/v1") at DPScopeDylib.xm:16:9 frame #1: 0x000000010802bd30 DPScope
+[SAKGuardDataProcessor reportData:] + 104
frame #2: 0x00000001080296d0 DPScope+[SAKGuardCommon init] + 376 // po [SAKGuardDataProcessor collectData] 收集数据 frame #3: 0x00000001080bb1d4 DPScope
___lldb_unnamed_symbol41247$$DPScope + 196
frame #4: 0x00000001080ba2b0 DPScope___lldb_unnamed_symbol41235$$DPScope + 64 frame #5: 0x00000001080ba9b8 DPScope
-[SAKLTaskRunner runWithType:] + 236
frame #6: 0x00000001080b7d84 DPScope-[SAKLauncherManager runTasksOfLaunchComplete] + 60 frame #7: 0x0000000111853730 libdispatch.dylib
_dispatch_client_callout + 16
frame #8: 0x0000000111855044 libdispatch.dylib_dispatch_once_callout + 84 frame #9: 0x00000001080b8074 DPScope
-[SAKLauncherManager runTasksOfLaunchCompleteIfNeed] + 104
frame #10: 0x00000001080b8438 DPScope-[SAKLauncherManager saklauncher_keyControllerViewDidAppear:] + 140 frame #11: 0x000000018f30cfc0 UIKitCore
-[UIViewController _setViewAppearState:isAnimating:] + 832
frame #12: 0x000000018f30d9dc UIKitCore`-[UIViewController _endAppearanceTransition:] + 228
- frame #0: 0x00000001117fe7e8 libDPScopeDylib.dylib
(lldb) bt
- thread #1, queue = ‘com.apple.main-thread’, stop reason = breakpoint 1.1
- frame #0: 0x00000001117fe7e8 libDPScopeDylib.dylib
_logos_meta_method$_ungrouped$NSURL$URLWithString$(self=NSURL, _cmd="URLWithString:", URLString="https://appsec-mobile.meituan.com/sign/v1?__skts=1594708707.419664&__skua=2a697581ee5fdcf2a827af884b294ffd&__skck=8f5973b085446090f224af74e30e0181&__skcy=HK8K1ONR950T9AVibumE9De0Z84%3D&__skno=D0E8128A-28C6-47DB-82E2-F8ECDAC45708&__skvs=1.1") at DPScopeDylib.xm:16:9 frame #1: 0x0000000104f4c4ac DPScope
-[CIPURLComponents URL] + 1168
frame #2: 0x000000010802ece4 DPScope+[SAKRequestSignatureProcessor signaturedRequestForRequest:] + 2968 // 这里只是发送请求的准备,header和body,签名加密 frame #3: 0x000000010802bdec DPScope
+[SAKGuardDataProcessor reportData:] + 292
frame #4: 0x00000001080296d0 DPScope+[SAKGuardCommon init] + 376 frame #5: 0x00000001080bb1d4 DPScope
___lldb_unnamed_symbol41247$$DPScope + 196
frame #6: 0x00000001080ba2b0 DPScope___lldb_unnamed_symbol41235$$DPScope + 64 frame #7: 0x00000001080ba9b8 DPScope
-[SAKLTaskRunner runWithType:] + 236
frame #8: 0x00000001080b7d84 DPScope-[SAKLauncherManager runTasksOfLaunchComplete] + 60 frame #9: 0x0000000111853730 libdispatch.dylib
_dispatch_client_callout + 16
frame #10: 0x0000000111855044 libdispatch.dylib_dispatch_once_callout + 84 frame #11: 0x00000001080b8074 DPScope
-[SAKLauncherManager runTasksOfLaunchCompleteIfNeed] + 104
frame #12: 0x00000001080b8438 DPScope-[SAKLauncherManager saklauncher_keyControllerViewDidAppear:] + 140 frame #13: 0x000000018f30cfc0 UIKitCore
-[UIViewController _setViewAppearState:isAnimating:] + 832
frame #14: 0x000000018f30d9dc UIKitCore`-[UIViewController _endAppearanceTransition:] + 228
- frame #0: 0x00000001117fe7e8 libDPScopeDylib.dylib
// 获取签名信息
(lldb) po [aKgoKtIryRzhQQka OlnuibcHlROEuipN]
{
data = (
{
CandyKey = “Tb6yTwgSEvbLgLtguw21Q80dR8atTLZ9gbOyX3m9FB0FMGWI60SALA==”;
},
{
CandyClientKey = 8f5973b085446090f224af74e30e0181; // 这个是固定key
aesKey = meituan1sankuai0;
commonKey = meituan0sankuai1;
conchKey = “$MXMYBS@HelloPay”;
“maoyan_aes_key” = Maoyan010iauknaS;
“owl_aes_key” = 34281a9dw2i701d4;
}
);
“encrypted-type” = (
secret,
config
);
“package-name” = “com.dianping.dpscope”;
platform = iOS;
pubkey = T78GX8TJ57; // 签名ID, MonkeyDev重签过, 经过对比和真实的一样
}
// 获取设备信息
(lldb) po [[SAKGuardDataProcessor sharedInstance] startCollection]
1.1}}Darwin|Apple|褚保的手机|iOS|13.1.1|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|Apple|iPhone|18.7.0|0|-|F2E9F25D-A60D-4750-88F0-22D82D723D34|D10AP|chubaodeshouji|-|iOS|iPhone9,1||Darwin Kernel Version 19.0.0: Tue Sep 3 21:52:14 PDT 2019; root:xnu-6153.2.3~2/RELEASE_ARM64_T8030|-|-}}-}}-}}-|-|349E9862-D5A5-4445-BF5B-049D0501AA97|1334*750|29.000592G|-|-|中国移动|-}}-|78|1.000000|0|0|DE8FF714-9423-4126-96E9-1C2286543259|E6CB2126-8831-45CD-9515-0225CD09070D|-}}0|0|0|-|1|0|0.604554|0}}iOS|大众点评|10.31.2|13.1.1|F2E9F25D-A60D-4750-88F0-22D82D723D34|2020-07-14 16:40:48:268|-|-|18683483692|31139148932|0|2020-02-02 00:00:01|2020-02-19 07:54:55}}
// 获取硬件信息,
(lldb) po [[SAKGuardDataProcessor sharedInstance] getHWProperty]
Darwin|Apple|褚保的手机|iOS|13.1.1|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|Apple|iPhone|18.7.0|0|-|F2E9F25D-A60D-4750-88F0-22D82D723D34|D10AP|chubaodeshouji|-|iOS|iPhone9,1||Darwin Kernel Version 19.0.0: Tue Sep 3 21:52:14 PDT 2019; root:xnu-6153.2.3~2/RELEASE_ARM64_T8030|-|-
// 获取idfa和SIM卡信息, 最后一个不应该为null
(lldb) po [[SAKGuardDataProcessor sharedInstance] getExternalEquipmentInfo]
-|-|349E9862-D5A5-4445-BF5B-049D0501AA97|1334*750|29.000592G|-|-|中国移动|(null)
// 获取电量
(lldb) po [[SAKGuardDataProcessor sharedInstance] getUserAction]
(null)|90|1.000000|0|0|53C219B5-F891-4685-95E1-127CC32D020D|41038E93-AD4E-4B23-B0B6-109F8249C4C6|-
// 环境检测, 下面为1的是代理被检测了
(lldb) po [[SAKGuardDataProcessor sharedInstance] getEnvironmentInfo]
0|0|0|-|1|0|0.604554|0
// 此函数返回1,表示有代理, 正常应该返回0
bool __cdecl +[aKgoKtIryRzhQQka ykMRlhjGhOCGsQnN](aKgoKtIryRzhQQka_meta *self, SEL a2)
// 代理信息检测
po CFNetworkCopySystemProxySettings();
Printing description of $x0:
{
ExceptionsList = (
"*.local",
"169.254/16"
);
FTPPassive = 1;
HTTPEnable = 1;
HTTPPort = 8888;
HTTPProxy = "192.168.0.137";
HTTPSEnable = 1;
HTTPSPort = 8888;
HTTPSProxy = "192.168.0.137";
"__SCOPED__" = {
en0 = {
ExceptionsList = (
"*.local",
"169.254/16"
);
FTPPassive = 1;
HTTPEnable = 1;
HTTPPort = 8888;
HTTPProxy = "192.168.0.137";
HTTPSEnable = 1;
HTTPSPort = 8888;
HTTPSProxy = "192.168.0.137";
};
};
}
// vpn检测
+[SAKGuardCommon checkVPN]
// 声音检测
[[AVAudioSession sharedInstance] outputVolume]
// 平台信息检测:
(lldb) po [[SAKGuardDataProcessor sharedInstance] getPlatformInfo]
iOS|大众点评|10.31.2|13.1.1|F2E9F25D-A60D-4750-88F0-22D82D723D34|2020-07-14 15:29:44:805|-|-|18683488408|31139148932|0|2020-02-02 00:00:01|2020-02-19 07:54:55
// 获取系统文件时间
po [[NSFileManager defaultManager] attributesOfItemAtPath:@"System/Library/CoreServices" error:nil]
System/Library/CoreServices = {
NSFileCreationDate = "2020-02-01 16:00:01 +0000";
NSFileModificationDate = "2020-02-18 23:54:55 +0000";
}
{
NSFileCreationDate = "2020-02-01 16:00:01 +0000";
NSFileModificationDate = "2020-02-18 23:54:55 +0000";
}
// 获取位置信息
(lldb) po [[SAKGuardDataProcessor sharedInstance] getLocationInfo]
// sim信息获取
(lldb) po [[[SAKGuardDataProcessor sharedInstance] teleNetInfo] subscriberCellularProvider]
CTCarrier (0x2807b98c0) {
Carrier name: [中国移动]
Mobile Country Code: [] // 这里不能为空
Mobile Network Code:[] // 这里不能为空
ISO Country Code:[] // 这里不能为空
Allows VOIP? [YES]
}
// 设备信息打包函数
DPScope`-[SAKGuardDataProcessor packData:]:
参数:
Printing description of $x2:
1.1}}Darwin|Apple|褚保的手机|iOS|13.1.1|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|Apple|iPhone|18.7.0|0|-|F2E9F25D-A60D-4750-88F0-22D82D723D34|D10AP|chubaodeshouji|-|iOS|iPhone9,1||Darwin Kernel Version 19.0.0: Tue Sep 3 21:52:14 PDT 2019; root:xnu-6153.2.3~2/RELEASE_ARM64_T8030|-|-}}-}}-}}-|-|349E9862-D5A5-4445-BF5B-049D0501AA97|1334*750|29.000592G|-|-|中国移动|-}}-|94|1.000000|0|0|BFD0A97A-67BA-4B5A-984C-EE603348734B|91D5B338-8B7B-471B-8C04-152E3DB04623|-}}0|0|0|-|1|0|0.604554|0}}iOS|大众点评|10.31.2|13.1.1|F2E9F25D-A60D-4750-88F0-22D82D723D34|2020-07-14 16:46:31:244|-|-|18683488483|31139148932|0|2020-02-02 00:00:01|2020-02-19 07:54:55}}0.000000|0.000000|tenghongyandejia|20:74:2c:94:90:ea|1|-|460|00|-|}}
返回:
Printing description of $x0:
q2BMSFY/3tT/WdOH8nckVcTtFndD0u7/mDpQaTj/jZzG0Y9wiJ4jw7A5JccJMHXBdWNowHV41wT/WlZpuzw+9M9RRqAPwj7PWPoM2aDNG971tt+eluA1O8iIkeL3h6hQTMjZ/+yBvlPV2JicO0erAvsTIjXJzBV4RtfD4yVi40H0JQHXyD36CbDe/DZ4ZTLV36bXicS+vt3A4N2q1OW7izgmFhV+87HKRdumAoz9EEbtc82BxrGfmnrxM71KOjbzMUVi/e0p+jgUmoAfYFNMGlOVeke9CZjJ8Zs2soHP7qyBHEKwNMGssdGawmUCN2DwmyG8ZLQ7oEljXclT7RBpmr++9u4KK8P1dd0TtMJpAlYNkLFOD0XX3AiddLBqQemHUyMXjQwjVF8t+0Q0jS6Ufb2tQfEfT1s4qXfXT2ItazecKm5KIYVIDkeXS9URslcPbYZptVz/njgmQ/yrTD3Xekq2Ber0AHIn5n03lEE5jQOwL0ZfO5Hs3tOS2qHmT0waciYuHpCyXI7hPj5v8K3LlWjasWpUl3xmvNIYue58Zkrq3L5nNXgTt+IwS0O7rauZbx9t9d8ZXfc9mLVXvLxlnqsBWb8csawNzDDYsTjaWaXs/AGf9E81zGNuolneXhQ5el9ltY8Dk32L/yjcG7e1BWYqc3pY+GuTIAs1rL6kGJsPdgU+KEgC8sz0Vrqum5eT
// 签名检测函数, 10.33.11
[aKgoKtIryRzhQQka nuxcJgbBUEIISRxJ:MQfdAllMPsyxnAzP:]
CFSTR(“embedded”), CFSTR(“mobileprovision”)
// 通过读取安装目录下的mobileprovision.embedded文件获取当前app签名, 而AppStore版本是根本没有这个文件的,所以只要能读到这个文件就是重签名了
v11 = objc_msgSend(&OBJC_CLASS___NSBundle, "mainBundle");
v12 = (void *)objc_retainAutoreleasedReturnValue(v11);
v13 = v12;
v14 = objc_msgSend(v12, "pathForResource:ofType:", CFSTR("embedded"), CFSTR("mobileprovision"));
v15 = objc_retainAutoreleasedReturnValue(v14);
objc_release(v13);
v16 = objc_msgSend(&OBJC_CLASS___NSFileManager, "defaultManager");
v17 = (void *)objc_retainAutoreleasedReturnValue(v16);
v18 = (unsigned __int64)objc_msgSend(v17, "fileExistsAtPath:", v15);
objc_release(v17);
if ( v18 )
{
v19 = objc_msgSend(&OBJC_CLASS___NSString, "stringWithContentsOfFile:encoding:error:", v15, 1LL, 0LL);
// 然后查找application-identifier后的值
// 获取 CandyClientKey
(lldb) po [aKgoKtIryRzhQQka EGNcwaekbtdtzKgr]
8f5973b085446090f224af74e30e0181
// 注册发送手机验证码:
// 其中带有这个接口
https://verify.meituan.com/v2/ext_api/page_data?__reqTraceID=CFD2E195-0DB4-489E-8ED9-0BCE849E3E34&ci=0&language=zh-Hans&msid=E5096AC1-F5C1-4D8F-8880-B95334B2B17C1594794269784565&utm_campaign=Adianping-novaBdianping-novaH0&utm_content=b914807c296c4380af1d5bbec61098c9a159482881909492920&utm_medium=iphone&utm_source=AppStore&utm_term=10.31.2&uuid=b914807c296c4380af1d5bbec61098c9a159482881909492920&version_name=10.31.2
// 其中带有这个接口
https://verify.meituan.com/v2/ext_api/login/verify?__reqTraceID=82F06EC8-23E7-4D3A-9574-C5DCA95A85F6&ci=0&language=zh-Hans&msid=E5096AC1-F5C1-4D8F-8880-B95334B2B17C1594794269784565&utm_campaign=Adianping-novaBdianping-novaH0&utm_content=b914807c296c4380af1d5bbec61098c9a159482881909492920&utm_medium=iphone&utm_source=AppStore&utm_term=10.31.2&uuid=b914807c296c4380af1d5bbec61098c9a159482881909492920&version_name=10.31.2
// 发送验证码请求分析
(lldb) bt
* thread #1, queue = ‘com.apple.main-thread’, stop reason = breakpoint 4.1
* frame #0: 0x000000010d14a880 libDPScopeDylib.dylib_logos_meta_method$_ungrouped$NSURL$URLWithString$(self=NSURL, _cmd="URLWithString:", URLString="https://accountapi.dianping.com/mlogin/sendverifycode.api?code=&countrycode=86&cx=i2HKpOmsirDPavelVfQBZLQ8qGyA5lAF9dnqexU%2Bhdr1IjODyXbTuSiBfxajV%2BaH1OO1yJEuzkk5d6fS4lLH5rvfLhUpmlcrGyUEze%2BMHBiA3FCWvxCFIPZ1tgejrjDa3EGpnWyxDHJpuJn87ZmfKRNkkiXjEiznCQqxTiICB4PWPpdB%2B%2BNytvbp/FhDFTwW20FOVQMVHDj/B0shBNqzEV41ZbKyqhAp4VztxpxIfrVoOi8m9Lav4DtVYdM25JbHoZNue9Eut/GCm8Wgr0K602KstYEAF8%2BHzwTh/P8UfT8lnJKq8NKiajD8wSxfVq%2BtYW62e8Uw5ZEmBeFJX9GNUD2%2BV/BD6EyNkAkyIcnqLqNa0jzd/bZIaouX4CEOYCPhEG1aRMcJ/sdToMMKzM1v401F2zDc3eQOu/hZzGy0ASxy5FJRVLP17FXlRt6GJKA8W7s6ikqiW2jx4ZP7ZOKSWcgS2FrfhGfk/vAkksJA56AAhljh7k5JccrPxxvv4A18aOTI6XRQw494vsLUt15N0RLm3U%2BuNxBL36j7pPcDFoY13xte0o7cwRNO12vTYZL021O1AmzVGa1UgG4d1FvHhBL8kXkLt9s5ftw5WAoKmO2ZDUgi98Jtm9CoMg46HDttHN5JxO5v0Z/vSmxb3MSwe0aDk3u2%2BfPC4f7%2BiRpJDO/KEeA5zZXIPAniHr4QxLHn56t5E//lXFhV98/Boc8c0c00xZ0zenBJCl2Hfn2mKVO2GDu1uH3ESD7LXtROhREAivQAtp%2B9V4tus%2BVhamjSGMfOqHMmMZlOIQrEcQfnpLNGLl4sEOiWD%2BNsEa6efXs%2BDjKJbAiCWWSJKxOvhG%2BZuKEIgd8ekAjl3sU4/E6PRkeqzJMqggbu8KePCR2CSvAZ94At5H10M2w3qpG7vnqm0jaQp9q%2B8wLPk20P74ZFZXCRxUD5wVPg5iysWkQ761%2BpZF%2BoHbOtSEqxi9YJKm7OJirsSr9LluovI6i7hl%2Bs4CImx18aOJ3ukNbJAddZHUKJfElsvq7IiJuFnCbnSA4vtFzlckYZecWrkOcG3/cn5QxKmGJTRLymqAuZltE105yeNlmFBPHKqFz9RdEnkejknxLM6ck/%2BmPWMKb0xWO1E/dmfiZv/45SLCwnuwB1z6R0PjEkkUUXoAlWmOh2lHJYZuEzCefhk9/NEXAZIJfairRWcu1RVvkF39d5X0IAjSwnhEq1ghw6gL9GmoKy2gGE9vQ9JLLNPqgQP0YQZDLd0i9kJL/6vAsPuMbM3ViwMXNAahBopk66ZizzvVlinWFxBZQDl0hv%2BbxTxoXBFLXXQ4x6BFhfpr26gRt2JpMJz%2Bjg&locationcityid=110&mapi_cacheType=0&phone=13866562536&ticket=&type=1&verifytype=1") at DPScopeDylib.xm:18:9 frame #1: 0x0000000103086044 DPScope
-[NVMApiRequestionSerialization requestBySerializingTask:] + 268
frame #2: 0x0000000102ecb128 DPScope-[NVTask createRequest] + 1248 frame #3: 0x0000000102ec92ac DPScope
-[NVTask start] + 112
frame #4: 0x00000001033a145c DPScope-[PicassoMapiModule sendPostRequestWithParams:callback:isV2:] + 1228 frame #5: 0x000000010d19e338 libdispatch.dylib
_dispatch_call_block_and_release + 24
frame #6: 0x000000010d19f730 libdispatch.dylib_dispatch_client_callout + 16 frame #7: 0x000000010d1ad710 libdispatch.dylib
_dispatch_main_queue_callback_4CF + 976
多次调用
(lldb) bt
* thread #30, queue = ‘com.shark.request.process.queue’, stop reason = breakpoint 4.1
* frame #0: 0x000000010d14a880 libDPScopeDylib.dylib_logos_meta_method$_ungrouped$NSURL$URLWithString$(self=NSURL, _cmd="URLWithString:", URLString="https://accountapi.dianping.com/mlogin/sendverifycode.api?code=&countrycode=86&cx=i2HKpOmsirDPavelVfQBZLQ8qGyA5lAF9dnqexU%2Bhdr1IjODyXbTuSiBfxajV%2BaH1OO1yJEuzkk5d6fS4lLH5rvfLhUpmlcrGyUEze%2BMHBiA3FCWvxCFIPZ1tgejrjDa3EGpnWyxDHJpuJn87ZmfKRNkkiXjEiznCQqxTiICB4PWPpdB%2B%2BNytvbp/FhDFTwW20FOVQMVHDj/B0shBNqzEV41ZbKyqhAp4VztxpxIfrVoOi8m9Lav4DtVYdM25JbHoZNue9Eut/GCm8Wgr0K602KstYEAF8%2BHzwTh/P8UfT8lnJKq8NKiajD8wSxfVq%2BtYW62e8Uw5ZEmBeFJX9GNUD2%2BV/BD6EyNkAkyIcnqLqNa0jzd/bZIaouX4CEOYCPhEG1aRMcJ/sdToMMKzM1v401F2zDc3eQOu/hZzGy0ASxy5FJRVLP17FXlRt6GJKA8W7s6ikqiW2jx4ZP7ZOKSWcgS2FrfhGfk/vAkksJA56AAhljh7k5JccrPxxvv4A18aOTI6XRQw494vsLUt15N0RLm3U%2BuNxBL36j7pPcDFoY13xte0o7cwRNO12vTYZL021O1AmzVGa1UgG4d1FvHhBL8kXkLt9s5ftw5WAoKmO2ZDUgi98Jtm9CoMg46HDttHN5JxO5v0Z/vSmxb3MSwe0aDk3u2%2BfPC4f7%2BiRpJDO/KEeA5zZXIPAniHr4QxLHn56t5E//lXFhV98/Boc8c0c00xZ0zenBJCl2Hfn2mKVO2GDu1uH3ESD7LXtROhREAivQAtp%2B9V4tus%2BVhamjSGMfOqHMmMZlOIQrEcQfnpLNGLl4sEOiWD%2BNsEa6efXs%2BDjKJbAiCWWSJKxOvhG%2BZuKEIgd8ekAjl3sU4/E6PRkeqzJMqggbu8KePCR2CSvAZ94At5H10M2w3qpG7vnqm0jaQp9q%2B8wLPk20P74ZFZXCRxUD5wVPg5iysWkQ761%2BpZF%2BoHbOtSEqxi9YJKm7OJirsSr9LluovI6i7hl%2Bs4CImx18aOJ3ukNbJAddZHUKJfElsvq7IiJuFnCbnSA4vtFzlckYZecWrkOcG3/cn5QxKmGJTRLymqAuZltE105yeNlmFBPHKqFz9RdEnkejknxLM6ck/%2BmPWMKb0xWO1E/dmfiZv/45SLCwnuwB1z6R0PjEkkUUXoAlWmOh2lHJYZuEzCefhk9/NEXAZIJfairRWcu1RVvkF39d5X0IAjSwnhEq1ghw6gL9GmoKy2gGE9vQ9JLLNPqgQP0YQZDLd0i9kJL/6vAsPuMbM3ViwMXNAahBopk66ZizzvVlinWFxBZQDl0hv%2BbxTxoXBFLXXQ4x6BFhfpr26gRt2JpMJz%2Bjg&locationcityid=110&mapi_cacheType=0&phone=13866562536&ticket=&type=1&verifytype=1") at DPScopeDylib.xm:18:9 frame #1: 0x0000000102a65db8 DPScope
-[NVMonitorCenter commandWithUrl:] + 48
frame #2: 0x0000000102eba790 DPScope-[NVCIPSessionUseQueue pvcode:tunnel:responseBytes:] + 256 frame #3: 0x0000000102eb8d5c DPScope
-[NVCIPSessionUseQueue handleSuccessResult:tunnel:data:] + 876
frame #4: 0x0000000102eb83c4 DPScope`-[NVCIPSessionUseQueue connectionCompletion:tunnel:data:error:] + 276
// 最终确定所有的抓不到的请求都会走
[NVTask doRequest]
// http
+[[NVTunnelService sharedInstance] sendHTTPRequest:type:cmd:timeout:failoverType:completion:generateId:]
// socket
+[[NVTunnelService sharedInstance] uploadWithRequest:progress:completion:]
+[[NVTunnelService sharedInstance] downloadWithRequest:progress:completion:]
+[[NVTunnelService sharedInstance] uploadWithRequestUseQueue:progress:completion:]
+[[NVTunnelService sharedInstance] downloadWithRequestUseQueue:progress:completion:]
// cx数据来源
id __cdecl +[NVDeviceInfo generateHonestJSONWithBusiness:](NVDeviceInfo_meta *self, SEL a2, id a3) // 获取诚信数据
(lldb) po [[NVDeviceInfo generateHonestJSONWithBusiness:@""] cipf_URLEncodedString]
%7B%0A%20%20%22fingerprint%22%20%3A%20%22i2HKpOmsirDPavelVfQBZLQ8qGyA5lAF9dnqexU%2Bhdry7Ji6dUDpcOGSPkD8%2Ba5pXeQGG6wJBNSZNXVo52IdRidnrMwkTdN6U5EZavNP6VPg%5C%2FarYKi2dbI4U%5C%2FjxV1KRaHt%2BNsO8N4IV0Yjva%5C%2FPs6RvL8LBjDeAdMIRHjtR5HEgBGEoNeEx99Ta63aKp%2B9XJp%5C%2F7RFTd4aIcVaZVn77MUncCrBfKudBr3flb4nVFqWB6VCefxOUKL%2B524ySijMgSNztncPHiUwulIQt1EuKUD3W7kQbp4OTy0OT4W5MuRzvvJBo%2B6rW3mHQZKbWvI%2B4ac8nXq7PkCCWRg%5C%2FhUNvW%5C%2FTYRZmJUuGs3qxMWaMG6WB3Rp2m%5C%2FqJ187xqoDTS0tZNepF7f853uMAyjo2VvsSLbhUANJeOXta6882vB9AQSH0jJvrVC4uyZzFV4PKgVMwtGfC1pAotxvjesJR31LNx0G%5C%2F7QuTgOmC6BS5RTfgB1%5C%2FHFMr%5C%2FxqU0d94Mu6Krovgc%2B4mnXSA8elFSoIyIdJfmBvZ62ZEtw%2BHKGq2GIvEr1E3vUsecvmatGYU92AL27%5C%2FEQHMRPX4AvGwZGMo2FBHA3WDVz5SQXGu%5C%2Fz9BtivRHkGGZAK66Rz4KG%5C%2Fj0rOK%5C%2FoQPSJu%5C%2FGYtOK6smVIfVYQX%2B%5C%2FdiZHlD9Kszi%5C%2FIJzejrvq2A5hFR3i5G7Kivm4F9k%5C%2FPDFk6%2BI1KKE2vY%5C%2F0JrzvEeTX3OJ1XXjqJfcZBKFXHk%2BqYZxK6gKqxq6d92Ttn1PIyp%5C%2FjmwbBZGFWNGdPLS5FJMK2icpcx%5C%2FvRgqFf1EofLGZ5xKzOqLLriq4vh8gXVMcXfKTKp5j9VnJAIDLZJK7ebEHoQnVc2F3fmENj10zmTK%2BqnVQo6Rco4QN9iev%5C%2FrJR8BUisVcL8CQJtbZt8uu4%2BdyYawClTVLJ0V3uRdbznub0n1iuqz203Mx7t3ui%2B9cPXVs1vSvxOKGKyP%2B4j0NRRjQw1e0PpeV41u%5C%2Frm0MTMAAo8cp%5C%2FziYNU6mfB67R%2B3FqQr0XVZ9c8IUBgbb9YzE2c%2Bk6FtAeXFX2DJrjLBEIe3P9WkM%5C%2FB32Qh1wEehYyK4KFmu57D8%5C%2FhQd4wSaoUfujLBeO6ZIwvdA7blDthQXwzkKOQr%2BXlPsI5g1Cw0jG9iJAhQ0et3Sse0N5GLMoQNKUgDsAfDCzeawIlc4veCyJmPQnR3cY3UiXoyghyf7MRsdpoq2uJA2qnKtQjxaNA7fOpgjpMqwqgVHQvrSIWNuRfwx5BC7o03VYgtlDKBHnw3E3KUj%2BDeG8zZTaIk%5C%2FU%5C%2FWcqBQuEGGtW2dA5C55YeSB7JgX4xblRD0l6C8bTVs0qfZNIyxemgojoUgPSnKaB4aI5VexKrbr4sujCrWZyPM0z5wVf9nwIlvsKtuK4R0EKVZ2CnCa4kX3aObi0PbOV0fy6gDqAZkz8Bzrj1XS7FtLCs8N6EyL7kLHA4MM%3D%22%0A%7D
(lldb) po [[NVDeviceInfo generateHonestJSONWithBusiness:@"sendverifycode"] cipf_URLEncodedString]
%7B%0A%20%20%22fingerprint%22%20%3A%20%22i2HKpOmsirDPavelVfQBZLQ8qGyA5lAF9dnqexU%2Bhdry7Ji6dUDpcOGSPkD8%2Ba5pXeQGG6wJBNSZNXVo52IdRidnrMwkTdN6U5EZavNP6VPg%5C%2FarYKi2dbI4U%5C%2FjxV1KRaHt%2BNsO8N4IV0Yjva%5C%2FPs6RvL8LBjDeAdMIRHjtR5HEgBGEoNeEx99Ta63aKp%2B9XJp%5C%2F7RFTd4aIcVaZVn77MUncCrBfKudBr3flb4nVFqWB6VCefxOUKL%2B524ySijMgSNztncPHiUwulIQt1EuKUD3W7kQbp4OTy0OT4W5MuRzvvJBo%2B6rW3mHQZKbWvI%2B4ac8nXq7PkCCWRg%5C%2FhUNvW%5C%2FTYRZmJUuGs3qxMWaMG6WB3Rp2m%5C%2FqJ187xqoDTS0tZNepF7f853uMAyjo2VvsSLbhUANJeOXta6882vB9AQSH0jJvrVC4uyZzFV4PKgVMwtGfC1pAotxvjesJR31LNx0G%5C%2F7QuTgOmC6BS5RTfgB1%5C%2FHFMr%5C%2FxqU0d94Mu6Krovgc%2B4mnXSA8elFSoIyIdJfmBvZ62ZEtw%2BHKGq2GIvEr1E3vUsecvmatGYU92AL27%5C%2FEQHMRPX4AvGwZGMo2FBHA3WDVz5SQXGu%5C%2Fz9BtivRHkGGZAK66Rz4KG%5C%2Fj0rOK%5C%2FoQPSJu%5C%2FGYtOK6smVIfVYQX%2B%5C%2FdiZHlD9Kszi%5C%2FIJzejrvq2A5hFR3i5G7Kivm4F9k%5C%2FPDFk6%2BI1KKE2vY%5C%2F0JrzvEeTX3OJ1XXjqJfcZBKFXHk%2BqYZxK6gKqxq6d92Ttn1PIyp%5C%2FjmwbBZGFWNGdPLS5FJMK2icpcx%5C%2FvRgqFf1EofLGZ5xKzOqLLriq4vh8gXVMcXfKTKp5j9VnJAIDLZJK7ebEHoQnVc2F3fmENj10zmTK%2BqnVQo6Rco4QN9iev%5C%2FrJR8BUisVcL8CQJtbZt8uu4%2BdyYawClTVLJ0V3uRdbznub0n1iuqz203Mx7t3ui%2B9cPXVs1vSvxOKGKyP%2B4j0NRRjQw1e0PpeV41u%5C%2Frm0MTMAAo8cp%5C%2FziYNU6mfB67R%2B3FqQr0XVZ9c8IUBgbb9YzE2c%2Bk6FtAeXFX2DJrjLBEIe3P9WkM%5C%2FB32Qh1wEehYyK4KFmu57D8%5C%2FhQd4wSaoUfujLBeO6ZIwvdA7blDthQXwzkKOQr%2BXlPsI5g1Cw0jG9iJAhQ0et3Sse0N5GLMoQNKUgDsAfDCzeawIlc4veCyJmPQnR3cY3UiXoyghyf7MRsdpoq2uJA2qnKtQjxaNA7fOpgjpMqwqgVHQvrSIWNuRfwx5BC7o03VYgtlDKBHnw3E3KUj%2BDeG8zZTaIk%5C%2FU%5C%2FWcqBQuEGGtW2dA5C55YeSB7JgX4xblRD0l6C8bTVs0qfZNIyxemgojoUgPSnKaB4aI5VexKrbr4sujCrWZyPM0z5wVf9nwIlvsKtuK4R0EKVZ2CnCa4kX3aObi0PbOV0fy6gDqAZkz8Bzrj1XS7FtLCs8N6EyL7kLHA4MM%3D%22%0A%7D
(lldb)
* thread #40, name = 'com.dianping.picasso.bridge.1', stop reason = breakpoint 8.1
* frame #0: 0x000000010276f5a8 DPScope`+[NVDeviceInfo generateHonestJSONWithBusiness:]
frame #1: 0x0000000105250b74 DPScope`-[PicassoDeviceUtilModule cxInfo:callback:] + 252
frame #2: 0x000000018b8a3760 CoreFoundation`__invoking___ + 144
frame #3: 0x000000018b774b40 CoreFoundation`-[NSInvocation invoke] + 300
frame #4: 0x00000001051c7f50 DPScope`+[PicassoModuleUtil invokeMethodWithHostId:module:method:arguments:callback:] + 840
frame #5: 0x00000001051b41ac DPScope`-[PicassoJSEngine _invokeNativeHost:module:method:arguments:callback:] + 124
frame #6: 0x00000001051b2a78 DPScope`___lldb_unnamed_symbol33843$$DPScope + 336
frame #7: 0x000000018b8a3760 CoreFoundation`__invoking___ + 144
(lldb) bt
* thread #6, queue = 'this', stop reason = breakpoint 4.1
* frame #0: 0x0000000105445068 DPScope`-[SAKFingerprintGenerator setLastCorpse:]
frame #1: 0x0000000105443c7c DPScope`___lldb_unnamed_symbol40606$$DPScope + 404 // sub_103207AE8
frame #2: 0x000000010ec6a338 libdispatch.dylib`_dispatch_call_block_and_release + 24
frame #3: 0x000000010ec6b730 libdispatch.dylib`_dispatch_client_callout + 16
frame #4: 0x000000010ec72740 libdispatch.dylib`_dispatch_lane_serial_drain + 744
frame #5: 0x000000010ec732e0 libdispatch.dylib`_dispatch_lane_invoke + 444
frame #6: 0x000000010ec7e6c4 libdispatch.dylib`_dispatch_workloop_worker_thread + 1304
frame #7: 0x000000018b5b4b74 libsystem_pthread.dylib`_pthread_wqthread + 272
// 获取设备信息指纹
po [[SAKFingerprintGenerator sharedGenerator] requestSyncFingerprint]
{
"app_dection" = "AA=="; // 这个值就是非越狱,其他值都是已越狱
"app_version" = "10.31.2";
batteryLevel = 63;
batteryState = Unplugged;
bootTime = 1590894891;
brand = Apple;
business = unknown;
cell = "[{\"mcc\":\"460\",\"mnc\":\"02\"}]";
ch = Alpha;
coreFileCreateTime = "2019-08-25 16:58:50";
coreFileModifyTime = "2020-03-30 05:58:09";
cpuCore = 2;
cpuStyle = arm64;
cpuUsage = "9.40000";
dm = "iPhone9,1";
dpid = unknown;
"dtk_token" = unknown;
dylibs = "GLTools\n";
"finger_version" = "3.14159265358979323846264";
firstlaunchtime = "1594876875296.076";
idfa = "BA7C1EF0-308B-426D-9CFD-04B8B1929C78";
idfv = "9B5CFCB1-0AB7-4FB3-AF4C-E88AEF194748";
installtime = "1594877712420.278";
"local_time" = "1594878029429.121";
location = {
latitude = "31.84308053666397";
longitude = "117.2834253172378";
};
locstatus = 1;
magic = 428015897; // 常量
memory = "254.593750@2000.000000";
mno = 46002;
net = WiFi;
os = "iOS13.1.2";
phonename = "\U67f3\U6625\U83ca\U7684\U624b\U673a";
phonenameInFile = unknown;
root = 0;
sc = "750,1334";
scBrightness = "0.75999";
simstate = 1;
source = appstore;
storage = "17817.633875@29696.065601";
systemVolume = 6;
"utm_medium" = iphone;
uuid = 0000000000000AECEA1A278404091AEFF0704F804867FA159490241878827317;
wifiip = "192.168.0.86";
wifimac = "[{\"bssid\":\"ee:12:16:96:be:20\",\"ssid\":\"qirongkanniceng\"}]";
}
// cx的生成逻辑
NSDictionary* dic = [[SAKFingerprintGenerator sharedGenerator] requestSyncFingerprint];
dic = [[SAKFingerprintGenerator sharedGenerator] fPOQSGjfagwUwbUw:dic];// 返回:
{
I1 = iphone;
I10 = "iOS13.1.2";
I11 = "[{\"mcc\":\"460\",\"mnc\":\"02\"}]";
I12 = "750,1334";
I13 = 6;
I14 = 1590894891;
I15 = "[{\"bssid\":\"ee:12:16:96:be:20\",\"ssid\":\"qirongkanniceng\"}]";
I16 = (
);
I17 = {
latitude = "31.84308054586397";
longitude = "117.2834253138378";
};
I18 = "BA7C1EF0-308B-426D-9CFD-04B8B1929C78";
I19 = "1594876875296.076";
I2 = unknown;
I20 = "9B5CFCB1-0AB7-4FB3-AF4C-E88AEF194748";
I21 = 1;
I22 = 1;
I23 = "17817.633875@29696.065601";
I24 = "\U67f3\U6625\U83ca\U7684\U624b\U673a";
I25 = "192.168.0.86";
I26 = appstore;
I27 = unknown;
I28 = unknown;
I29 = "10.31.2";
I3 = 0;
I30 = "3.14159265358979323846264";
I31 = 428015897;
I32 = Alpha;
I33 = "GLTools\n";
I34 = "2019-08-25 16:58:50";
I35 = "2020-03-30 05:58:09";
I36 = unknown;
I37 = "1594877712420.278";
I38 = Apple;
I39 = "1594878968998.806";
I4 = WiFi;
I40 = 0000000000000AECEA1A278404091AEFF0704F804867FA159490241878827317;
I41 = "265.156250@2000.000000";
I42 = "0.75999";
I43 = 2;
I44 = "37.60000";
I45 = arm64;
I5 = "AA==";
I6 = 46002;
I7 = 61;
I8 = "iPhone9,1";
I9 = Unplugged;
}
dic = [SAKFingerprintGenerator sharedGenerator] IoIKUneLoQHHMqUH:dic]; // 加密数据返回
{
fingerprint = "i2HKpOmsirDPavelVfQBZLQ8qGyA5lAF9dnqexU+hdqm2IMhVwRPZGAmQsXujWBzO3HNey5yx9qygnT1GHsqqeEwQxHvSCnXpZdFBKMiN2U+S+DcjA5ffT6G8WaXTOi0i2VjlT9hqlpBw1wMdhCMSQpeo5gRNOyBAYzI6W7XOiyYLuSELjODU4wVU6Ef9J2ssAglR4eGTkUj4M7oMxIpc2V26L28o/HV2bqqlWFOYwB9+VLYHP+caYqsAa5BB9anOxZAV/j4IyrXB9TeoMYRIgQ9BHPoPxo7n/Qq3VsLdzHwyFiJjIR4zOJGDK9Oy48qbe4qaDIITQTh1D4DWsyGOwK8ZjiXSpDKlYGuUnoBTMKhft80bqXzWJZTp8mIFBW3jrQBOLVkMyUCdAySP0WEa0ax0v9TvLUhFt7WEKPb4b+fqM2cfgh7D3CovWMw98YHPcBB+IMI+QuHJq9C0F0lTGNRMAGgMqnRWIOrXlDhuIlCg6CO8n59T1+YCupWazYKdaDmwI1ZoxFsSIhOpu3hO4yEE1UbEtyYBO7UCNuBG1S3p791FZhHSnkVtJ5mSxxDkoZkfX/4xBtaRPeC1RZmzFFLt06Dug75Dawb3Je3DxfrmtPiWEiJEVQ3Eb5rOhTe630BauQzjQRDCntCCFORUf0XcMNXkV8QhhTnPznRWkpnMJxVxS+n+gcsBWihBfltbGT7j/mMn9we1OKtGpRsW+Ug0w2NrWsQ8pyGpCtUjdBw8WiOu6BR7jqZWuRNSn4yRv9884dOM9OSxSdJgWfqEh9p+D5CsUcCBAcpFj0zcLhIt72YbJPJ6gjU9z7CKiKnhCidZDXwtQEKfvSrjgDkzfk14SVGuNpvSzA7pvX1HY3aAJK7vQ71QIj7OA2odWYrE8pA+ghVx7Kl48DvBp9hrqbNQWPX+RtlEOzMiFamCgjC14r7iWvZRBnWz/DiTi9d4n2kZTJByQ6jZqGKx/ujSMrZzQBY2TyekvYthliuWPf46YOLf2yLCLul5LPIcqu124E2857aIwlJ1LazMl6sg3dPyRtwz6Q3K6ps5MY/GUcmJbo5ga4vt8Yu41ARpReoRDuacC2tB4Lj2f3C3o0Z3beD7D1Z3zUsbmIzczvym5wyDrY0bL/pQXjhesMObSb0dpLeyGQ1zUC1PBbcDl+e3ZQla+jT/lYz4DHYBQUEthcboKgiiZzUPW6imBuiTGWaqYvixDbv+9yRwUTvKDCLVIhDBlr8ArDgccCPaPUPjoIjGiRYKE2+FYCV9nnvOSe+r4RSSsgzhYq/W+pPYKq9CFcHW0U1x90HsfAmGRebeiXariw60jBXAUypZ8cYZBdVUW1NlNP13qlQcOm1yasEaBvVgCJziU9OZQIg2lLKHs4=";
}
cx参数就是fingerPrint数据相同
所有Class里有带sakFingerprint_accessInfomation函数的都是获取设备信息
根据日志分析,cx一定是调用[PicassoDeviceUtilModule cxInfo:callback:]函数生成的, CFSTR("DeviceUtil.cxInfo- business valid: %@"));这句日志被发现在url生成之前
// 对比函数是否被hook
DPScope`-[NSArray(CIPListOperation) cipf_mapCar:]:
// 以下函数就是数据伪装检查, 只要调用了 SAKRequestSignatureProcessor 下的三个函数就早就被识别到了
signaturedJavaScriptRequestForURLString
signaturedRequestForRequest
attachSiuaForRequest
%hook PicassoMapiModule
- (void)sendPostRequestWithParams:(id)arg1 callback:(id)arg2 isV2:(_Bool)arg3;
- (void)sendFetchRequestWithParams:(id)arg1 callback:(id)arg2 isV2:(_Bool)arg3;
%end
%hook NVNetworkClient - (id)postPath:(id)arg1 parameters:(id)arg2 compress:(_Bool)arg3 failOver:(_Bool)arg4 sigVerify:(_Bool)arg5 antiBrush:(_Bool)arg6;
- (id)postPath:(id)arg1 mapi_parameters:(id)arg2 failOver:(_Bool)arg3 sigVerify:(_Bool)arg4 antiBrush:(_Bool)arg5;
- (id)getPath:(id)arg1 parameters:(id)arg2 cachePolicy:(int)arg3 failOver:(_Bool)arg4 sigVerify:(_Bool)arg5 antiBrush:(_Bool)arg6;
- (id)getPath:(id)arg1 mapi_parameters:(id)arg2 failOver:(_Bool)arg3 sigVerify:(_Bool)arg4 antiBrush:(_Bool)arg5;
%end
并且设置 -[NVTask setRequestPreHandler:](v4, “setRequestPreHandler:”, &v95); 去设置请求头
作弊检测总结:
- 请求头里出现: siua 字段
- User-Agent里面出现: a0d0 字符, 但a0d0表示未越狱,与此无关
- 请求url里出现: __skck和__skua等参数的请求, 所有没有抓包到的请求,都添加了这些参数,所以与此无关
请求分析:
id __cdecl -[TNTunnel sendHttpRequest:timeoutinfo:]
id __cdecl -[TNTunnel send:timeout:info:](TNTunnel self, SEL a2, id a3, int a4, id a5)// 参数: TNRequest
DPScope`-[TNConnection connect]: // 这里面连接socket服务器
底层调用:
(lldb) bt
* thread #14, name = 'RequestThread', stop reason = breakpoint 30.43 31.43
* frame #0: 0x0000000105082278 DPScope`-[TNSession setIsIPv6Enabled:]
frame #1: 0x000000010508b828 DPScope`-[TNTunnel sendHttpRequest:timeout:compression:info:] + 292
frame #2: 0x000000010508b6dc DPScope`-[TNTunnel sendHttpRequest:timeout:info:] + 72
frame #3: 0x0000000104ea4d30 DPScope`-[NVTunnel sendHttpInRunloop:] + 524
Printing description of $x2:
accountapi.dianping.com/sendverifycode.api
(lldb) bt
* thread #14, name = 'RequestThread', stop reason = breakpoint 30.28 31.28
* frame #0: 0x00000001050821e0 DPScope`-[TNSession setCmd:]
frame #1: 0x0000000104ea4d58 DPScope`-[NVTunnel sendHttpInRunloop:] + 564
frame #2: 0x000000018bc87b28 Foundation`__NSThreadPerformPerform + 184
frame #3: 0x000000018b81bb64 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
frame #4: 0x000000018b81babc CoreFoundation`__CFRunLoopDoSource0 + 80
frame #5: 0x000000018b81b244 CoreFoundation`__CFRunLoopDoSources0 + 184
frame #6: 0x000000018b816274 CoreFoundation`__CFRunLoopRun + 788
frame #7: 0x000000018b815c34 CoreFoundation`CFRunLoopRunSpecific + 424
frame #8: 0x000000018b816990 CoreFoundation`CFRunLoopRun + 60
frame #9: 0x0000000104e97efc DPScope`+[NVRequestMgr runRequests] + 104
frame #10: 0x000000018bc879d0 Foundation`__NSThread__start__ + 848
frame #11: 0x000000018b5b3d98 libsystem_pthread.dylib`_pthread_start + 156
上面的方向 错了,
-[TNTunnel send:timeout:info:]
-[TNSession runloop]
-[TNTunnel sessionBegan:]:
// 到这个函数请求已经发送出了
* thread #24, name = 'RequestThread', stop reason = breakpoint 16.1
* frame #0: 0x0000000107979cdc DPScope`-[TNSession waitTunnelTimeout]
frame #1: 0x000000018bc7416c Foundation`__NSFireDelayedPerform + 412
frame #2: 0x000000018b81c1c0 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28
// 根据下面这段分析, 出发送数据是走的 TNSecureStream 和 NSOutputStream
if ( objc_msgSend(v3, "connectionStatus") == (void *)1
|| !(unsigned int)objc_msgSend(v3[2], "canWrite")
|| objc_msgSend(v3, "connectionStatus") == (void *)2
&& (v15 = objc_msgSend(v4, "request"),
v16 = (NVMonitorCenter *)objc_retainAutoreleasedReturnValue(v15),
v17 = (unsigned __int64)objc_msgSend(v16, "isNeedEncript"),
objc_release(v16, v18, v19, v20, v21, v22, v23, v24, v53),
// 请求时的连接
DPScope`-[TNSecureStream initWithSocketAddress:delegate:]:
DPScope`-[TNSecureStream buildStreamWithAddress:]:
(lldb) bt
* thread #24, name = 'RequestThread', stop reason = breakpoint 23.49
* frame #0: 0x0000000108aff05c DPScope`-[TNSecureStream setUseNoBlockReading:]
frame #1: 0x0000000107958830 DPScope`-[TNConnection connect] + 356
frame #2: 0x00000001079656fc DPScope`-[TNConnectionRacingTask startConnectRacing:tunnel:] + 572
frame #3: 0x0000000107963eb8 DPScope`-[TNConnectionManager startRacingTask:] + 500
frame #4: 0x0000000107963a3c DPScope`-[TNConnectionManager checkConnections:] + 332
frame #5: 0x00000001079833f4 DPScope`-[TNTunnel send:timeout:info:] + 448
frame #6: 0x00000001079837ec DPScope`-[TNTunnel sendHttpRequest:timeout:compression:info:] + 232
frame #7: 0x00000001079836dc DPScope`-[TNTunnel sendHttpRequest:timeout:info:] + 72
frame #8: 0x000000010779cd30 DPScope`-[NVTunnel sendHttpInRunloop:] + 524
----------------------------------------------- 10.38.12 ------------------------------------------------------------
以下是未使用新机时的值,打开新机过后一切正常
(lldb) po [v08x9hIR s3CGS7ZR]
{
“app_dection” = “AQ==”; // 已越狱
}
(lldb) po [SAKFingerprintData getFingerprintData]
{
“app_dection” = “EQA=”; // 已越狱
batteryLevel = 41;
batteryState = Unplugged;
bootTime = 1604987166;
cell = “[{"mcc":"460","mnc":"02"}]”;
coreFileCreateTime = “2020-01-01 16:00:00”;
coreFileModifyTime = “2020-01-01 16:00:00”;
cpuCore = 4;
cpuStyle = arm64;
cpuUsage = “3.70000”;
dm = “iPhone9,1”;
firstlaunchtime = “1608887094306.164”;
idfa = “645CF58C-E42A-45EC-973E-EB776C2DA3A6”;
idfv = “1B5229FC-D6EF-4C3F-BF59-1D4080C9F703”;
installtime = “1608790705791.434”;
“local_time” = “1608895699246.112”;
locstatus = 0;
memory = “354.937500@2001.953125”;
mno = 46002;
net = 4G;
os = “iPhone 14.1”;
phonename = “\U9146\U6587\U7684\U624b\U673a”;
phonenameInFile = w2;
root = 1;
sc = “750,1334”;
scBrightness = “0.68894”;
simstate = 1;
source = appstore;
storage = “19344.335938@30497.535156”;
systemVolume = 4;
uuid = 000000000000014FA977B515E44E499305BB115794E43A160624478536170476;
wifiip = “192.168.0.105”;
wifimac = “[{"bssid":"","ssid":""}]”;
}
(lldb) po [WMMachMonitor isJailbroken]
0x0000000000000001 // 已越狱
(lldb) po [v08x9hIR s3CGS7ZR]
{
“app_dection” = “AQ==”; // 已越狱
}
(lldb) po [v08x9hIR s6lmakDr]
0x0000000000000001 // 已越狱
(lldb) po [v08x9hIR j8D0DR94]
nil // 未越狱
(lldb) po [v08x9hIR s4SzvXuI:@“/Library/MobileSubstrate/MobileSubstrate.dylib”]
0x0000000000000001 // 已越狱
// 检测文件是否存在,
// 如: /Library/MobileSubstrate/MobileSubstrate.dylib
bool __cdecl +[v08x9hIR s4SzvXuI:](v08x9hIR_meta *self, SEL a2, id a3)
{
v08x9hIR_meta *v3; // x20
__int64 v4; // x19
void *v5; // x0
void *v6; // x0
void *v7; // x0
void *v8; // x0
char v9; // w20
void *v11; // x0
v3 = self;
v4 = objc_retain(a3);
v5 = objc_msgSend(v3, “class”);
if ( (unsigned __int64)objc_msgSend(v5, “fileExistsAtPath:”, v4) & 1
|| (v6 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v6, “o4YTWdgU:”, v4) & 1) // _fopen
|| (v7 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v7, “f03Xh9nn:”, v4) & 1) // _stat
|| (v8 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v8, “w6Pki78j:”, v4) & 1) ) // _access
{
v9 = 1;
}
else
{
v11 = objc_msgSend(v3, “class”);
v9 = (unsigned __int64)objc_msgSend(v11, “u2Osvhsf:”, v4); // _statfs
}
objc_release(v4);
return v9;
}
// 新机状态下,只有下面的函数未通过
(lldb) po [WMMachMonitor isJailbroken]
0x0000000000000001 // 已越狱
经过分析: 该函数返回false表示已越狱,app自身判断bug, 所以返回true就是未越狱
po (long long)[@“123mobilesubstrate234234” rangeOfString:@“mobilesubstrate” options:1] == 0x7FFFFFFFFFFFFFFF
id __cdecl +[SAKApp_DectionWFInfo sakFingerprint_accessInfomation](SAKApp_DectionWFInfo_meta *self, SEL a2)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-“+” TO EXPAND]
if ( !(byte_109D91EA8 & 1) )
{
v2 = self;
v3 = +[SAKHorn getCachedDataForType:](&OBJC_CLASS___SAKHorn, “getCachedDataForType:”, CFSTR(“card”));
v4 = (void *)objc_retainAutoreleasedReturnValue(v3);
v5 = v4;
v6 = objc_msgSend(v4, “sakhorn_jsonToDictionary”);
v7 = (void *)objc_retainAutoreleasedReturnValue(v6);
v8 = v7;
if ( v7 && objc_msgSend(v7, “count”) )
{
v9 = objc_msgSend(v8, “objectForKeyedSubscript:”, CFSTR(“skill”));
v10 = (void *)objc_retainAutoreleasedReturnValue(v9);
}
else
{
v10 = 0LL;
}
objc_release(v8);
objc_release(v5);
v11 = (char *)objc_msgSend(v10, “count”); // v10新机名单:
// <__NSArrayI 0x283135650>(
// /Library/MobileSubstrate/MobileSubstrate.dylib,
// /var/mobile/iGrimace,
// /var/mobile/Library/Preferences/org.ioshack.igrimace.adv.plist,
// /var/mobile/Library/Preferences/com.007gaiji.selapp.plist,
// /Library/MobileSubstrate/DynamicLibraries/CatSysHelper.dylib, // sk2
// /Library/MobileSubstrate/DynamicLibraries/aXbNdktKladkeL.dylib,
// /Library/MobileSubstrate/DynamicLibraries/amg.dylib,
// /Library/MobileSubstrate/DynamicLibraries/zorro.dylib,
// /Library/MobileSubstrate/DynamicLibraries/XGenPatch.dylib,
// /Library/MobileSubstrate/DynamicLibraries/iGrimaceX9Tweak.dylib,
// /Library/MobileSubstrate/DynamicLibraries/ALS.dylib,
// /Library/MobileSubstrate/DynamicLibraries/hdfaker.dylib
// )
if ( v11 )
{
v12 = v11;
byte_109D91EA8 = 1;
v13 = (unsigned __int64)(v11 + 7) >> 3;
qword_109D91EA0 = (unsigned __int64)(v11 + 7) >> 3;
qword_109D91E98 = (__int64)malloc(v13);
bzero((void *)qword_109D91E98, v13);
v14 = 0LL;
do
{
v15 = objc_msgSend(v2, “class”);
v16 = objc_msgSend(v10, “objectAtIndexedSubscript:”, v14);
v17 = objc_retainAutoreleasedReturnValue(v16);
LODWORD(v15) = (unsigned __int64)objc_msgSend(v15, “checkFileExistsAtPath:”, v17);
objc_release(v17);
if ( (_DWORD)v15 )
*(_BYTE *)(qword_109D91E98 + ((unsigned int)v14 >> 3)) |= 1 << ((unsigned __int8)v14 & 7);
++v14;
}
while ( v12 != v14 );
}
objc_release(v10);
}
v18 = objc_msgSend(&OBJC_CLASS___NSData, “dataWithBytes:length:”, qword_109D91E98, qword_109D91EA0);
v19 = (void *)objc_retainAutoreleasedReturnValue(v18);
v26 = CFSTR(“app_dection”);
if ( objc_msgSend(v19, “length”) )
{
v20 = objc_msgSend(v19, “base64EncodedStringWithOptions:”, 0LL);
v21 = (const __CFString *)objc_retainAutoreleasedReturnValue(v20);
v22 = 1;
}
else
{
v22 = 0;
v21 = CFSTR(“unknown”);
}
v27 = v21;
v23 = objc_msgSend(&OBJC_CLASS___NSDictionary, “dictionaryWithObjects:forKeys:count:”, &v27, &v26, 1LL);
v24 = objc_retainAutoreleasedReturnValue(v23);
if ( v22 )
objc_release(v21);
result = (id)objc_release(v19);
if ( __stack_chk_guard == v28 )
result = (id)objc_autoreleaseReturnValue(v24);
return result;
}
// 检查文件是否存在
bool __cdecl +[SAKApp_DectionWFInfo checkFileExistsAtPath:](SAKApp_DectionWFInfo_meta *self, SEL a2, id a3)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-“+” TO EXPAND]
v3 = self;
v4 = (void *)objc_retain(a3);
v5 = v4;
if ( v4 && objc_msgSend(v4, “length”) )
{
v6 = objc_msgSend(v3, “class”);
if ( (unsigned __int64)objc_msgSend(v6, “fileExistsAtPath:”, v5) & 1
|| (v7 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v7, “fopenAtPath:”, v5) & 1)
|| (v8 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v8, “statAtPath:”, v5) & 1)
|| (v9 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v9, “accessAtPath:”, v5) & 1)
|| (v10 = objc_msgSend(v3, “class”), (unsigned __int64)objc_msgSend(v10, “statfsAtPath:”, v5) & 1) )
{
v11 = 1;
}
else
{
v13 = objc_msgSend(v3, “class”);
v11 = (unsigned __int64)objc_msgSend(v13, “dlopenPreflight:”, v5); // 新的越狱检测方式未通过
}
}
else
{
v11 = 0;
}
objc_release(v5);
return v11;
}
(lldb) po [SAKApp_DectionWFInfo checkFileExistsAtPath:@“/Library/MobileSubstrate/MobileSubstrate.dylib”]
0x0000000000000001
bool __cdecl +[SAKApp_DectionWFInfo dlopenPreflight:](SAKApp_DectionWFInfo_meta *self, SEL a2, id a3)
{
void *v3; // x19
void *v4; // x0
void *v5; // x0
const char *v6; // x0
bool v7; // w20
v3 = (void *)objc_retain(a3);
if ( v3
&& ((v4 = objc_msgSend(&OBJC_CLASS___NSString, “class”), !(unsigned int)objc_msgSend(v3, “isKindOfClass:”, v4))
|| objc_msgSend(v3, “length”)) )
{
v5 = (void *)objc_retainAutorelease(v3);
v6 = (const char *)objc_msgSend(v5, “cStringUsingEncoding:”, 4LL);
v7 = dlopen_preflight(v6); // 调用系统函数检测文件是否存在
}
else
{
v7 = 0;
}
objc_release(v3);
return v7;
}
// 最后hook成功过后
// 获取设备信息指纹
po [[SAKFingerprintGenerator sharedGenerator] requestSyncFingerprint]
{
“app_dection” = “AAA=”; // AAA= 和 AA== 都是非越狱状态,是由 [nsdata base64EncodedStringWithOptions:0], 这里的nsdata的字节长度为2,值为00
“app_version” = “10.31.2”;
__int64 __fastcall sub_1035D3F5C(__int64 a1) // 设备基本数据来源
void __cdecl -[SAKGuardDataProcessor _backgroundCollect](SAKGuardDataProcessor *self, SEL a2)
{
OS_dispatch_queue *v2; // x8
void **v3; // [xsp+8h] [xbp-28h]
__int64 v4; // [xsp+10h] [xbp-20h]
__int64 (__fastcall *v5)(__int64); // [xsp+18h] [xbp-18h]
void *v6; // [xsp+20h] [xbp-10h]
SAKGuardDataProcessor *v7; // [xsp+28h] [xbp-8h]
v2 = self->_queue;
v3 = _NSConcreteStackBlock;
v4 = 3254779904LL;
v5 = sub_1035D4574; // 后台搜索数据: 也是sub_1035D1750()函数的数据来源
v6 = &unk_1076DBD60;
v7 = self;
dispatch_async(v2, &v3);
}
// 拼接越狱检测和设备信息等字符串的函数
void *__fastcall sub_1035D1750(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-“+” TO EXPAND]
v1 = a1;
objc_msgSend((void **)(a1 + 32), “appendString:”, CFSTR(“2.0”));
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
v2 = (void **)(v1 + 32);
v3 = objc_msgSend((void **)(v1 + 40), “data”);
v4 = (void )objc_retainAutoreleasedReturnValue(v3);
v5 = v4;
v6 = objc_msgSend(v4, “siua_safeObjectForKey:”, CFSTR(“board”));
v7 = objc_retainAutoreleasedReturnValue(v6);
objc_msgSend(v2, “appendString:”, v7);
objc_release(v7);
objc_release(v5);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v8 = (void **)(v1 + 32);
v9 = objc_msgSend((void **)(v1 + 40), “data”);
v10 = (void )objc_retainAutoreleasedReturnValue(v9);
v11 = v10;
v12 = objc_msgSend(v10, “siua_safeObjectForKey:”, CFSTR(“manufacture”));
v13 = objc_retainAutoreleasedReturnValue(v12);
objc_msgSend(v8, “appendString:”, v13);
objc_release(v13);
objc_release(v11);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v14 = (void **)(v1 + 32);
v15 = objc_msgSend((void **)(v1 + 40), “data”);
v16 = (void )objc_retainAutoreleasedReturnValue(v15);
v17 = v16;
v18 = objc_msgSend(v16, “siua_safeObjectForKey:”, CFSTR(“brand”));
v19 = objc_retainAutoreleasedReturnValue(v18);
objc_msgSend(v14, “appendString:”, v19);
objc_release(v19);
objc_release(v17);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v20 = (void **)(v1 + 32);
v21 = objc_msgSend((void **)(v1 + 40), “data”);
v22 = (void )objc_retainAutoreleasedReturnValue(v21);
v23 = v22;
v24 = objc_msgSend(v22, “siua_safeObjectForKey:”, CFSTR(“model”));
v25 = objc_retainAutoreleasedReturnValue(v24);
objc_msgSend(v20, “appendString:”, v25);
objc_release(v25);
objc_release(v23);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v26 = (void **)(v1 + 32);
v27 = objc_msgSend((void **)(v1 + 40), “data”);
v28 = (void )objc_retainAutoreleasedReturnValue(v27);
v29 = v28;
v30 = objc_msgSend(v28, “siua_safeObjectForKey:”, CFSTR(“cpu”));
v31 = objc_retainAutoreleasedReturnValue(v30);
objc_msgSend(v26, “appendString:”, v31);
objc_release(v31);
objc_release(v29);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v32 = (void **)(v1 + 32);
v33 = objc_msgSend((void **)(v1 + 40), “data”);
v34 = (void )objc_retainAutoreleasedReturnValue(v33);
v35 = v34;
v36 = objc_msgSend(v34, “siua_safeObjectForKey:”, CFSTR(“cpu2”));
v37 = objc_retainAutoreleasedReturnValue(v36);
objc_msgSend(v32, “appendString:”, v37);
objc_release(v37);
objc_release(v35);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v38 = (void **)(v1 + 32);
v39 = objc_msgSend((void **)(v1 + 40), “data”);
v40 = (void )objc_retainAutoreleasedReturnValue(v39);
v41 = v40;
v42 = objc_msgSend(v40, “siua_safeObjectForKey:”, CFSTR(“name”));
v43 = objc_retainAutoreleasedReturnValue(v42);
objc_msgSend(v38, “appendString:”, v43);
objc_release(v43);
objc_release(v41);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v44 = (void **)(v1 + 32);
v45 = objc_msgSend((void **)(v1 + 40), “data”);
v46 = (void )objc_retainAutoreleasedReturnValue(v45);
v47 = v46;
v48 = objc_msgSend(v46, “siua_safeObjectForKey:”, CFSTR(“hardware”));
v49 = objc_retainAutoreleasedReturnValue(v48);
objc_msgSend(v44, “appendString:”, v49);
objc_release(v49);
objc_release(v47);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v50 = (void **)(v1 + 32);
v51 = objc_msgSend((void **)(v1 + 40), “data”);
v52 = (void )objc_retainAutoreleasedReturnValue(v51);
v53 = v52;
v54 = objc_msgSend(v52, “siua_safeObjectForKey:”, CFSTR(“device”));
v55 = objc_retainAutoreleasedReturnValue(v54);
objc_msgSend(v50, “appendString:”, v55);
objc_release(v55);
objc_release(v53);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v56 = (void **)(v1 + 32);
v57 = objc_msgSend((void **)(v1 + 40), “data”);
v58 = (void )objc_retainAutoreleasedReturnValue(v57);
v59 = v58;
v60 = objc_msgSend(v58, “siua_safeObjectForKey:”, CFSTR(“product”));
v61 = objc_retainAutoreleasedReturnValue(v60);
objc_msgSend(v56, “appendString:”, v61);
objc_release(v61);
objc_release(v59);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v62 = (void **)(v1 + 32);
v63 = objc_msgSend((void **)(v1 + 40), “data”);
v64 = (void )objc_retainAutoreleasedReturnValue(v63);
v65 = v64;
v66 = objc_msgSend(v64, “siua_safeObjectForKey:”, CFSTR(“host”));
v67 = objc_retainAutoreleasedReturnValue(v66);
objc_msgSend(v62, “appendString:”, v67);
objc_release(v67);
objc_release(v65);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v68 = (void **)(v1 + 32);
v69 = objc_msgSend((void **)(v1 + 40), “data”);
v70 = (void )objc_retainAutoreleasedReturnValue(v69);
v71 = v70;
v72 = objc_msgSend(v70, “siua_safeObjectForKey:”, CFSTR(“display”));
v73 = objc_retainAutoreleasedReturnValue(v72);
objc_msgSend(v68, “appendString:”, v73);
objc_release(v73);
objc_release(v71);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v74 = (void **)(v1 + 32);
v75 = objc_msgSend((void **)(v1 + 40), “data”);
v76 = (void )objc_retainAutoreleasedReturnValue(v75);
v77 = v76;
v78 = objc_msgSend(v76, “siua_safeObjectForKey:”, CFSTR(“release”));
v79 = objc_retainAutoreleasedReturnValue(v78);
objc_msgSend(v74, “appendString:”, v79);
objc_release(v79);
objc_release(v77);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v80 = (void **)(v1 + 32);
v81 = objc_msgSend((void **)(v1 + 40), “data”);
v82 = (void )objc_retainAutoreleasedReturnValue(v81);
v83 = v82;
v84 = objc_msgSend(v82, “siua_safeObjectForKey:”, CFSTR(“sdkversion”));
v85 = objc_retainAutoreleasedReturnValue(v84);
objc_msgSend(v80, “appendString:”, v85);
objc_release(v85);
objc_release(v83);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v86 = (void **)(v1 + 32);
v87 = objc_msgSend((void **)(v1 + 40), “data”);
v88 = (void )objc_retainAutoreleasedReturnValue(v87);
v89 = v88;
v90 = objc_msgSend(v88, “siua_safeObjectForKey:”, CFSTR(“locale”));
v91 = objc_retainAutoreleasedReturnValue(v90);
objc_msgSend(v86, “appendString:”, v91);
objc_release(v91);
objc_release(v89);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v92 = (void **)(v1 + 32);
v93 = objc_msgSend((void **)(v1 + 40), “data”);
v94 = (void )objc_retainAutoreleasedReturnValue(v93);
v95 = v94;
v96 = objc_msgSend(v94, “siua_safeObjectForKey:”, CFSTR(“region”));
v97 = objc_retainAutoreleasedReturnValue(v96);
objc_msgSend(v92, “appendString:”, v97);
objc_release(v97);
objc_release(v95);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v98 = (void **)(v1 + 32);
v99 = objc_msgSend((void **)(v1 + 40), “data”);
v100 = (void )objc_retainAutoreleasedReturnValue(v99);
v101 = v100;
v102 = objc_msgSend(v100, “siua_safeObjectForKey:”, CFSTR(“tags”));
v103 = objc_retainAutoreleasedReturnValue(v102);
objc_msgSend(v98, “appendString:”, v103);
objc_release(v103);
objc_release(v101);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v104 = (void **)(v1 + 32);
v105 = objc_msgSend((void **)(v1 + 40), “data”);
v106 = (void )objc_retainAutoreleasedReturnValue(v105);
v107 = v106;
v108 = objc_msgSend(v106, “siua_safeObjectForKey:”, CFSTR(“fingerprint”));
v109 = objc_retainAutoreleasedReturnValue(v108);
objc_msgSend(v104, “appendString:”, v109);
objc_release(v109);
objc_release(v107);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v110 = (void **)(v1 + 32);
v111 = objc_msgSend((void **)(v1 + 40), “data”);
v112 = (void )objc_retainAutoreleasedReturnValue(v111);
v113 = v112;
v114 = objc_msgSend(v112, “siua_safeObjectForKey:”, CFSTR(“buildtype”));
v115 = objc_retainAutoreleasedReturnValue(v114);
objc_msgSend(v110, “appendString:”, v115);
objc_release(v115);
objc_release(v113);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v116 = (void **)(v1 + 32);
v117 = objc_msgSend((void **)(v1 + 40), “data”);
v118 = (void )objc_retainAutoreleasedReturnValue(v117);
v119 = v118;
v120 = objc_msgSend(v118, “siua_safeObjectForKey:”, CFSTR(“description”));
v121 = objc_retainAutoreleasedReturnValue(v120);
objc_msgSend(v116, “appendString:”, v121);
objc_release(v121);
objc_release(v119);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v122 = (void **)(v1 + 32);
v123 = objc_msgSend((void **)(v1 + 40), “data”);
v124 = (void )objc_retainAutoreleasedReturnValue(v123);
v125 = v124;
v126 = objc_msgSend(v124, “siua_safeObjectForKey:”, CFSTR(“secure”));
v127 = objc_retainAutoreleasedReturnValue(v126);
objc_msgSend(v122, “appendString:”, v127);
objc_release(v127);
objc_release(v125);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v128 = (void **)(v1 + 32);
v129 = objc_msgSend((void **)(v1 + 40), “data”);
v130 = (void )objc_retainAutoreleasedReturnValue(v129);
v131 = v130;
v132 = objc_msgSend(v130, “siua_safeObjectForKey:”, CFSTR(“debuggable”));
v133 = objc_retainAutoreleasedReturnValue(v132);
objc_msgSend(v128, “appendString:”, v133);
objc_release(v133);
objc_release(v131);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
objc_msgSend(*(void **)(v1 + 32), “appendString:”, CFSTR(“-|}}-|}}”));
v134 = (void **)(v1 + 32);
v135 = objc_msgSend((void **)(v1 + 40), “data”);
v136 = (void )objc_retainAutoreleasedReturnValue(v135);
v137 = v136;
v138 = objc_msgSend(v136, “siua_safeObjectForKey:”, CFSTR(“imei”));
v139 = objc_retainAutoreleasedReturnValue(v138);
objc_msgSend(v134, “appendString:”, v139);
objc_release(v139);
objc_release(v137);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v140 = (void **)(v1 + 32);
v141 = objc_msgSend((void **)(v1 + 40), “data”);
v142 = (void )objc_retainAutoreleasedReturnValue(v141);
v143 = v142;
v144 = objc_msgSend(v142, “siua_safeObjectForKey:”, CFSTR(“imsi”));
v145 = objc_retainAutoreleasedReturnValue(v144);
objc_msgSend(v140, “appendString:”, v145);
objc_release(v145);
objc_release(v143);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v146 = (void **)(v1 + 32);
v147 = objc_msgSend((void **)(v1 + 40), “data”);
v148 = (void )objc_retainAutoreleasedReturnValue(v147);
v149 = v148;
v150 = objc_msgSend(v148, “siua_safeObjectForKey:”, CFSTR(“idfa”));
v151 = objc_retainAutoreleasedReturnValue(v150);
objc_msgSend(v146, “appendString:”, v151);
objc_release(v151);
objc_release(v149);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v152 = (void **)(v1 + 32);
v153 = objc_msgSend((void **)(v1 + 40), “data”);
v154 = (void )objc_retainAutoreleasedReturnValue(v153);
v155 = v154;
v156 = objc_msgSend(v154, “siua_safeObjectForKey:”, CFSTR(“resolution”));
v157 = objc_retainAutoreleasedReturnValue(v156);
objc_msgSend(v152, “appendString:”, v157);
objc_release(v157);
objc_release(v155);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v158 = (void **)(v1 + 32);
v159 = objc_msgSend((void **)(v1 + 40), “data”);
v160 = (void )objc_retainAutoreleasedReturnValue(v159);
v161 = v160;
v162 = objc_msgSend(v160, “siua_safeObjectForKey:”, CFSTR(“romtotal”));
v163 = objc_retainAutoreleasedReturnValue(v162);
objc_msgSend(v158, “appendString:”, v163);
objc_release(v163);
objc_release(v161);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v164 = (void **)(v1 + 32);
v165 = objc_msgSend((void **)(v1 + 40), “data”);
v166 = (void )objc_retainAutoreleasedReturnValue(v165);
v167 = v166;
v168 = objc_msgSend(v166, “siua_safeObjectForKey:”, CFSTR(“sdtotal”));
v169 = objc_retainAutoreleasedReturnValue(v168);
objc_msgSend(v164, “appendString:”, v169);
objc_release(v169);
objc_release(v167);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v170 = (void **)(v1 + 32);
v171 = objc_msgSend((void **)(v1 + 40), “data”);
v172 = (void )objc_retainAutoreleasedReturnValue(v171);
v173 = v172;
v174 = objc_msgSend(v172, “siua_safeObjectForKey:”, CFSTR(“macaddress”));
v175 = objc_retainAutoreleasedReturnValue(v174);
objc_msgSend(v170, “appendString:”, v175);
objc_release(v175);
objc_release(v173);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v176 = (void **)(v1 + 32);
v177 = objc_msgSend((void **)(v1 + 40), “data”);
v178 = (void )objc_retainAutoreleasedReturnValue(v177);
v179 = v178;
v180 = objc_msgSend(v178, “siua_safeObjectForKey:”, CFSTR(“carrier”)); // 运营商
v181 = objc_retainAutoreleasedReturnValue(v180);
objc_msgSend(v176, “appendString:”, v181);
objc_release(v181);
objc_release(v179);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v182 = (void **)(v1 + 32);
v183 = objc_msgSend((void **)(v1 + 40), “data”);
v184 = (void )objc_retainAutoreleasedReturnValue(v183);
v185 = v184;
v186 = objc_msgSend(v184, “siua_safeObjectForKey:”, CFSTR(“access_subtype”)); // 网络类型: CTRadioAccessTechnologyLTE
v187 = objc_retainAutoreleasedReturnValue(v186);
objc_msgSend(v182, “appendString:”, v187);
objc_release(v187);
objc_release(v185);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
v188 = (void **)(v1 + 32);
v189 = objc_msgSend((void **)(v1 + 40), “data”);
v190 = (void )objc_retainAutoreleasedReturnValue(v189);
v191 = v190;
v192 = objc_msgSend(v190, “siua_safeObjectForKey:”, CFSTR(“nick”)); // 新的越狱检测, 正常设备为0
v193 = objc_retainAutoreleasedReturnValue(v192);
objc_msgSend(v188, “appendString:”, v193);
objc_release(v193);
objc_release(v191);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v194 = (void **)(v1 + 32);
v195 = objc_msgSend((void **)(v1 + 40), “data”);
v196 = (void )objc_retainAutoreleasedReturnValue(v195);
v197 = v196;
v198 = objc_msgSend(v196, “siua_safeObjectForKey:”, CFSTR(“batterypct”)); // 电量
v199 = objc_retainAutoreleasedReturnValue(v198);
objc_msgSend(v194, “appendString:”, v199);
objc_release(v199);
objc_release(v197);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v200 = (void **)(v1 + 32);
v201 = objc_msgSend((void **)(v1 + 40), “data”);
v202 = (void )objc_retainAutoreleasedReturnValue(v201);
v203 = v202;
v204 = objc_msgSend(v202, “siua_safeObjectForKey:”, CFSTR(“batterychange”)); // 电量是否改变, 1: 改变, 0: 未改变
v205 = objc_retainAutoreleasedReturnValue(v204);
objc_msgSend(v200, “appendString:”, v205);
objc_release(v205);
objc_release(v203);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v206 = (void **)(v1 + 32);
v207 = objc_msgSend((void **)(v1 + 40), “data”);
v208 = (void )objc_retainAutoreleasedReturnValue(v207);
v209 = v208;
v210 = objc_msgSend(v208, “siua_safeObjectForKey:”, CFSTR(“charging”)); // 充电中
v211 = objc_retainAutoreleasedReturnValue(v210);
objc_msgSend(v206, “appendString:”, v211);
objc_release(v211);
objc_release(v209);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v212 = (void **)(v1 + 32);
v213 = objc_msgSend((void **)(v1 + 40), “data”);
v214 = (void )objc_retainAutoreleasedReturnValue(v213);
v215 = v214;
v216 = objc_msgSend(v214, “siua_safeObjectForKey:”, CFSTR(“USB”)); // 是否连接usb
v217 = objc_retainAutoreleasedReturnValue(v216);
objc_msgSend(v212, “appendString:”, v217);
objc_release(v217);
objc_release(v215);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v218 = (void **)(v1 + 32);
v219 = objc_msgSend((void **)(v1 + 40), “data”);
v220 = (void )objc_retainAutoreleasedReturnValue(v219);
v221 = v220;
v222 = objc_msgSend(v220, “siua_safeObjectForKey:”, CFSTR(“siid”)); // 大众点评自己生成的一个id, 如果不重装不会改变
v223 = objc_retainAutoreleasedReturnValue(v222);
objc_msgSend(v218, “appendString:”, v223);
objc_release(v223);
objc_release(v221);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v224 = (void **)(v1 + 32);
v225 = objc_msgSend((void **)(v1 + 40), “data”);
v226 = (void )objc_retainAutoreleasedReturnValue(v225);
v227 = v226;
v228 = objc_msgSend(v226, “siua_safeObjectForKey:”, CFSTR(“timerand”));
v229 = objc_retainAutoreleasedReturnValue(v228);
objc_msgSend(v224, “appendString:”, v229);
objc_release(v229);
objc_release(v227);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v230 = (void **)(v1 + 32);
v231 = objc_msgSend((void **)(v1 + 40), “data”);
v232 = (void )objc_retainAutoreleasedReturnValue(v231);
v233 = v232;
v234 = objc_msgSend(v232, “siua_safeObjectForKey:”, CFSTR(“dataActivity”));
v235 = objc_retainAutoreleasedReturnValue(v234);
objc_msgSend(v230, “appendString:”, v235);
objc_release(v235);
objc_release(v233);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
v236 = (void **)(v1 + 32);
v237 = objc_msgSend((void **)(v1 + 40), “data”);
v238 = (void )objc_retainAutoreleasedReturnValue(v237);
v239 = v238;
v240 = objc_msgSend(v238, “siua_safeObjectForKey:”, CFSTR(“stgyroot”)); // 是否越狱
v241 = objc_retainAutoreleasedReturnValue(v240);
objc_msgSend(v236, “appendString:”, v241);
objc_release(v241);
objc_release(v239);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v242 = (void **)(v1 + 32);
v243 = objc_msgSend((void **)(v1 + 40), “data”);
v244 = (void )objc_retainAutoreleasedReturnValue(v243);
v245 = v244;
v246 = objc_msgSend(v244, “siua_safeObjectForKey:”, CFSTR(“stgyspitep”)); // 是否是恶意的
v247 = objc_retainAutoreleasedReturnValue(v246);
objc_msgSend(v242, “appendString:”, v247);
objc_release(v247);
objc_release(v245);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v248 = (void **)(v1 + 32);
v249 = objc_msgSend((void **)(v1 + 40), “data”);
v250 = (void )objc_retainAutoreleasedReturnValue(v249);
v251 = v250;
v252 = objc_msgSend(v250, “siua_safeObjectForKey:”, CFSTR(“stgysimulator”)); // 是否是模块器
v253 = objc_retainAutoreleasedReturnValue(v252);
objc_msgSend(v248, “appendString:”, v253);
objc_release(v253);
objc_release(v251);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v254 = (void **)(v1 + 32);
v255 = objc_msgSend((void **)(v1 + 40), “data”);
v256 = (void )objc_retainAutoreleasedReturnValue(v255);
v257 = v256;
v258 = objc_msgSend(v256, “siua_safeObjectForKey:”, CFSTR(“stgysimulatorinfo”)); // 模拟器信息
v259 = objc_retainAutoreleasedReturnValue(v258);
objc_msgSend(v254, “appendString:”, v259);
objc_release(v259);
objc_release(v257);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v260 = (void **)(v1 + 32);
v261 = objc_msgSend((void **)(v1 + 40), “data”);
v262 = (void )objc_retainAutoreleasedReturnValue(v261);
v263 = v262;
v264 = objc_msgSend(v262, “siua_safeObjectForKey:”, CFSTR(“isProxy”)); // 是否是代理
v265 = objc_retainAutoreleasedReturnValue(v264);
objc_msgSend(v260, “appendString:”, v265);
objc_release(v265);
objc_release(v263);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v266 = (void **)(v1 + 32);
v267 = objc_msgSend((void **)(v1 + 40), “data”);
v268 = (void )objc_retainAutoreleasedReturnValue(v267);
v269 = v268;
v270 = objc_msgSend(v268, “siua_safeObjectForKey:”, CFSTR(“isVPN”)); // 是否连接vpn
v271 = objc_retainAutoreleasedReturnValue(v270);
objc_msgSend(v266, “appendString:”, v271);
objc_release(v271);
objc_release(v269);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v272 = (void **)(v1 + 32);
v273 = objc_msgSend((void **)(v1 + 40), “data”);
v274 = (void )objc_retainAutoreleasedReturnValue(v273);
v275 = v274;
v276 = objc_msgSend(v274, “siua_safeObjectForKey:”, CFSTR(“brightness”));
v277 = objc_retainAutoreleasedReturnValue(v276);
objc_msgSend(v272, “appendString:”, v277);
objc_release(v277);
objc_release(v275);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v278 = (void **)(v1 + 32);
v279 = objc_msgSend((void **)(v1 + 40), “data”);
v280 = (void )objc_retainAutoreleasedReturnValue(v279);
v281 = v280;
v282 = objc_msgSend(v280, “siua_safeObjectForKey:”, CFSTR(“systemVolume”));
v283 = objc_retainAutoreleasedReturnValue(v282);
objc_msgSend(v278, “appendString:”, v283);
objc_release(v283);
objc_release(v281);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v284 = (void **)(v1 + 32);
v285 = objc_msgSend((void **)(v1 + 40), “data”);
v286 = (void )objc_retainAutoreleasedReturnValue(v285);
v287 = v286;
v288 = objc_msgSend(v286, “siua_safeObjectForKey:”, CFSTR(“acc_open”));
v289 = objc_retainAutoreleasedReturnValue(v288);
objc_msgSend(v284, “appendString:”, v289);
objc_release(v289);
objc_release(v287);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v290 = (void **)(v1 + 32);
v291 = objc_msgSend((void **)(v1 + 40), “data”);
v292 = (void )objc_retainAutoreleasedReturnValue(v291);
v293 = v292;
v294 = objc_msgSend(v292, “siua_safeObjectForKey:”, CFSTR(“automator”));
v295 = objc_retainAutoreleasedReturnValue(v294);
objc_msgSend(v290, “appendString:”, v295);
objc_release(v295);
objc_release(v293);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
v296 = (void **)(v1 + 32);
v297 = objc_msgSend((void **)(v1 + 40), “data”);
v298 = (void )objc_retainAutoreleasedReturnValue(v297);
v299 = v298;
v300 = objc_msgSend(v298, “siua_safeObjectForKey:”, CFSTR(“platform”));
v301 = objc_retainAutoreleasedReturnValue(v300);
objc_msgSend(v296, “appendString:”, v301);
objc_release(v301);
objc_release(v299);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v302 = (void **)(v1 + 32);
v303 = objc_msgSend((void **)(v1 + 40), “data”);
v304 = (void )objc_retainAutoreleasedReturnValue(v303);
v305 = v304;
v306 = objc_msgSend(v304, “siua_safeObjectForKey:”, CFSTR(“appname”));
v307 = objc_retainAutoreleasedReturnValue(v306);
objc_msgSend(v302, “appendString:”, v307);
objc_release(v307);
objc_release(v305);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v308 = (void **)(v1 + 32);
v309 = objc_msgSend((void **)(v1 + 40), “data”);
v310 = (void )objc_retainAutoreleasedReturnValue(v309);
v311 = v310;
v312 = objc_msgSend(v310, “siua_safeObjectForKey:”, CFSTR(“appversion”));
v313 = objc_retainAutoreleasedReturnValue(v312);
objc_msgSend(v308, “appendString:”, v313);
objc_release(v313);
objc_release(v311);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v314 = (void **)(v1 + 32);
v315 = objc_msgSend((void **)(v1 + 40), “data”);
v316 = (void )objc_retainAutoreleasedReturnValue(v315);
v317 = v316;
v318 = objc_msgSend(v316, “siua_safeObjectForKey:”, CFSTR(“display”));
v319 = objc_retainAutoreleasedReturnValue(v318);
objc_msgSend(v314, “appendString:”, v319);
objc_release(v319);
objc_release(v317);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v320 = (void **)(v1 + 32);
v321 = objc_msgSend((void **)(v1 + 40), “data”);
v322 = (void )objc_retainAutoreleasedReturnValue(v321);
v323 = v322;
v324 = objc_msgSend(v322, “siua_safeObjectForKey:”, CFSTR(“uuid”));
v325 = objc_retainAutoreleasedReturnValue(v324);
objc_msgSend(v320, “appendString:”, v325);
objc_release(v325);
objc_release(v323);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v326 = (void **)(v1 + 32);
v327 = objc_msgSend((void **)(v1 + 40), “data”);
v328 = (void )objc_retainAutoreleasedReturnValue(v327);
v329 = v328;
v330 = objc_msgSend(v328, “siua_safeObjectForKey:”, CFSTR(“time”));
v331 = objc_retainAutoreleasedReturnValue(v330);
objc_msgSend(v326, “appendString:”, v331);
objc_release(v331);
objc_release(v329);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v332 = (void **)(v1 + 32);
v333 = objc_msgSend((void **)(v1 + 40), “data”);
v334 = (void )objc_retainAutoreleasedReturnValue(v333);
v335 = v334;
v336 = objc_msgSend(v334, “siua_safeObjectForKey:”, CFSTR(“androidAppCnt”));
v337 = objc_retainAutoreleasedReturnValue(v336);
objc_msgSend(v332, “appendString:”, v337);
objc_release(v337);
objc_release(v335);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v338 = (void **)(v1 + 32);
v339 = objc_msgSend((void **)(v1 + 40), “data”);
v340 = (void )objc_retainAutoreleasedReturnValue(v339);
v341 = v340;
v342 = objc_msgSend(v340, “siua_safeObjectForKey:”, CFSTR(“appCache”));
v343 = objc_retainAutoreleasedReturnValue(v342);
objc_msgSend(v338, “appendString:”, v343);
objc_release(v343);
objc_release(v341);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v344 = (void **)(v1 + 32);
v345 = objc_msgSend((void **)(v1 + 40), “data”);
v346 = (void )objc_retainAutoreleasedReturnValue(v345);
v347 = v346;
v348 = objc_msgSend(v346, “siua_safeObjectForKey:”, CFSTR(“availableSystem”));
v349 = objc_retainAutoreleasedReturnValue(v348);
objc_msgSend(v344, “appendString:”, v349);
objc_release(v349);
objc_release(v347);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v350 = (void **)(v1 + 32);
v351 = objc_msgSend((void **)(v1 + 40), “data”);
v352 = (void )objc_retainAutoreleasedReturnValue(v351);
v353 = v352;
v354 = objc_msgSend(v352, “siua_safeObjectForKey:”, CFSTR(“totalMemory”));
v355 = objc_retainAutoreleasedReturnValue(v354);
objc_msgSend(v350, “appendString:”, v355);
objc_release(v355);
objc_release(v353);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v356 = (void **)(v1 + 32);
v357 = objc_msgSend((void **)(v1 + 40), “data”);
v358 = (void )objc_retainAutoreleasedReturnValue(v357);
v359 = v358;
v360 = objc_msgSend(v358, “siua_safeObjectForKey:”, CFSTR(“firstlaunchtime”));
v361 = objc_retainAutoreleasedReturnValue(v360);
objc_msgSend(v356, “appendString:”, v361);
objc_release(v361);
objc_release(v359);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v362 = (void **)(v1 + 32);
v363 = objc_msgSend((void **)(v1 + 40), “data”);
v364 = (void )objc_retainAutoreleasedReturnValue(v363);
v365 = v364;
v366 = objc_msgSend(v364, “siua_safeObjectForKey:”, CFSTR(“coreFileCreateTime”));
v367 = objc_retainAutoreleasedReturnValue(v366);
objc_msgSend(v362, “appendString:”, v367);
objc_release(v367);
objc_release(v365);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v368 = (void **)(v1 + 32);
v369 = objc_msgSend((void **)(v1 + 40), “data”);
v370 = (void )objc_retainAutoreleasedReturnValue(v369);
v371 = v370;
v372 = objc_msgSend(v370, “siua_safeObjectForKey:”, CFSTR(“coreFileModifyTime”));
v373 = objc_retainAutoreleasedReturnValue(v372);
objc_msgSend(v368, “appendString:”, v373);
objc_release(v373);
objc_release(v371);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
v374 = (void **)(v1 + 32);
v375 = objc_msgSend((void **)(v1 + 40), “data”);
v376 = (void )objc_retainAutoreleasedReturnValue(v375);
v377 = v376;
v378 = objc_msgSend(v376, “siua_safeObjectForKey:”, CFSTR(“lo”)); // 经度
v379 = objc_retainAutoreleasedReturnValue(v378);
objc_msgSend(v374, “appendString:”, v379);
objc_release(v379);
objc_release(v377);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v380 = (void **)(v1 + 32);
v381 = objc_msgSend((void **)(v1 + 40), “data”);
v382 = (void )objc_retainAutoreleasedReturnValue(v381);
v383 = v382;
v384 = objc_msgSend(v382, “siua_safeObjectForKey:”, CFSTR(“la”)); // 纬度
v385 = objc_retainAutoreleasedReturnValue(v384);
objc_msgSend(v380, “appendString:”, v385);
objc_release(v385);
objc_release(v383);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v386 = (void **)(v1 + 32);
v387 = objc_msgSend((void **)(v1 + 40), “data”);
v388 = (void )objc_retainAutoreleasedReturnValue(v387);
v389 = v388;
v390 = objc_msgSend(v388, “siua_safeObjectForKey:”, CFSTR(“ssid”));
v391 = objc_retainAutoreleasedReturnValue(v390);
objc_msgSend(v386, “appendString:”, v391);
objc_release(v391);
objc_release(v389);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v392 = (void **)(v1 + 32);
v393 = objc_msgSend((void **)(v1 + 40), “data”);
v394 = (void )objc_retainAutoreleasedReturnValue(v393);
v395 = v394;
v396 = objc_msgSend(v394, “siua_safeObjectForKey:”, CFSTR(“bssid”));
v397 = objc_retainAutoreleasedReturnValue(v396);
objc_msgSend(v392, “appendString:”, v397);
objc_release(v397);
objc_release(v395);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v398 = (void **)(v1 + 32);
v399 = objc_msgSend((void **)(v1 + 40), “data”);
v400 = (void )objc_retainAutoreleasedReturnValue(v399);
v401 = v400;
v402 = objc_msgSend(v400, “siua_safeObjectForKey:”, CFSTR(“active”)); //
v403 = objc_retainAutoreleasedReturnValue(v402);
objc_msgSend(v398, “appendString:”, v403);
objc_release(v403);
objc_release(v401);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v404 = (void **)(v1 + 32);
v405 = objc_msgSend((void **)(v1 + 40), “data”);
v406 = (void )objc_retainAutoreleasedReturnValue(v405);
v407 = v406;
v408 = objc_msgSend(v406, “siua_safeObjectForKey:”, CFSTR(“strength”));
v409 = objc_retainAutoreleasedReturnValue(v408);
objc_msgSend(v404, “appendString:”, v409);
objc_release(v409);
objc_release(v407);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v410 = (void **)(v1 + 32);
v411 = objc_msgSend((void **)(v1 + 40), “data”);
v412 = (void )objc_retainAutoreleasedReturnValue(v411);
v413 = v412;
v414 = objc_msgSend(v412, “siua_safeObjectForKey:”, CFSTR(“mcc”));
v415 = objc_retainAutoreleasedReturnValue(v414);
objc_msgSend(v410, “appendString:”, v415);
objc_release(v415);
objc_release(v413);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v416 = (void **)(v1 + 32);
v417 = objc_msgSend((void **)(v1 + 40), “data”);
v418 = (void )objc_retainAutoreleasedReturnValue(v417);
v419 = v418;
v420 = objc_msgSend(v418, “siua_safeObjectForKey:”, CFSTR(“mnc”));
v421 = objc_retainAutoreleasedReturnValue(v420);
objc_msgSend(v416, “appendString:”, v421);
objc_release(v421);
objc_release(v419);
objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|”));
v422 = (void **)(v1 + 32);
v423 = objc_msgSend((void **)(v1 + 40), “data”);
v424 = (void )objc_retainAutoreleasedReturnValue(v423);
v425 = v424;
v426 = objc_msgSend(v424, “siua_safeObjectForKey:”, CFSTR(“lac”));
v427 = objc_retainAutoreleasedReturnValue(v426);
objc_msgSend(v422, “appendString:”, v427);
objc_release(v427);
objc_release(v425);
return objc_msgSend((void **)(v1 + 32), “appendString:”, CFSTR(“|}}”));
}
返回:
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|余成的iPhone|D10AP|iOS|iOS|yuchengdeiPhone|14.1|20.0.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|9A451818-1C96-4EFC-AE37-311CD5F2686C|-|Darwin Kernel Version 20.0.0: Wed Sep 30 03:24:26 PDT 2020; root:xnu-7195.0.46~41/RELEASE_ARM64_T8101|-|-|}}-|}}-|}}-|-|92EE56B0-91C7-4807-828C-4DD3E4BC4913|1334*750|29.782749G|-|-|中国联通|CTRadioAccessTechnologyLTE|}}1|31|1|0|0|F6B34E98-5F78-43E1-8108-3BEDAE82F732|452A4401-2BFA-42F7-B2D5-645A0FE1EDD5|-|}}0|0|0|-|0|0|0.642651|12|-|-|}}iOS|大众点评|10.38.12|14.1|9A451818-1C96-4EFC-AE37-311CD5F2686C|2020-12-26 14:56:14:230|-|-|18683154401|31978983424|0|2020-09-21 08:30:55|2020-09-21 08:30:55|}}-|-|28-4|c4:88:62:32:40:2a|1|-|460|01|-|}}
正常的结果应该是:
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|余成的iPhone|D10AP|iOS|iOS|yuchengdeiPhone|14.1|20.0.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|9A451818-1C96-4EFC-AE37-311CD5F2686C|-|Darwin Kernel Version 20.0.0: Wed Sep 30 03:24:26 PDT 2020; root:xnu-7195.0.46~41/RELEASE_ARM64_T8101|-|-|}}-|}}-|}}-|-|92EE56B0-91C7-4807-828C-4DD3E4BC4913|1334*750|29.782749G|-|-|中国联通|CTRadioAccessTechnologyLTE|}}0|31|1|0|0|F6B34E98-5F78-43E1-8108-3BEDAE82F732|452A4401-2BFA-42F7-B2D5-645A0FE1EDD5|-|}}0|0|0|-|0|0|0.642651|12|-|-|}}iOS|大众点评|10.38.12|14.1|9A451818-1C96-4EFC-AE37-311CD5F2686C|2020-12-26 14:56:14:230|-|-|18683154401|31978983424|0|2020-09-21 08:30:55|2020-09-21 08:30:55|}}-|-|28-4|c4:88:62:32:40:2a|1|-|460|01|-|}}
// 其中: 0|0|0|-|0|0 这段就是越狱、是否是恶意的、是否是模拟器、模拟器信息(为空则被替换为-)、是否有代理、是否连接vpn
// 其中: -|-|28-4|c4:88:62:32:40:2a|1|-|460|01, 经度,纬度,BSSID,macAddr,active(检测当前SSID是否为空, 4G时应该为空), SSID,信号强度,lac
// 其中: 中国联通|CTRadioAccessTechnologyLTE|}}1|31|1|0|0| 这段是, 运营商、4G、是否越狱、电量、充电状态、
__int64 __fastcall sub_1035DC8C0(__int64 a1)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-“+” TO EXPAND]
v1 = a1;
objc_retain(CFSTR(“8BAu12VUFofKpd8q04e18dao8bNEqwvdTfSD2dIAkc25414LhHmi8SUfAYhzuu95GPeNXUTIejHjKkrpXjLleoF3EbpkYiu+nx1E9Hj6205Uk+O3Au/zMR/9iJFkK3QZ84oOIbgo/sTN+zR2tJU/irHM2kOkMennS+Tn8xrUtKzPNCHz/VbS4uvFML6+BpZxA3MoAP7goHSLp44gQG0nmp/RE41DKxAxv2cqV5wXS3BqAvxXVmYgoE9yt3D2wRdssUNbk42udKr1exh1vSMWUnjNJt3nnXU+bETL0gfqTwCeA38i56iTCwWW49XNvHUOFJTTN/LkerZo0ZaMHXpAuVi882BY5C0Ue8Z6SdOk0rnFqDLjyGXqOWvQofKCdme9oalrDjF0iGD4GcEBy3IURwzpnTMk9hga7dW7O9tVwOiibTeJeAc5xHjH+JovrhF4gRrTp83WWLp8XldsmeWOKtao8bNEqwvdTfSD2dIAkc0EgRbvIDlh32/nyS75V+4DiyPr1RKLIrk/wTaAOI1Yb/VrMKISoIE17Uzj2O87wdFzpKG+LZRmUess4sj9ia8ja6JFkbiUOrub8gesUe4GMV3QZjLx32EeNp3OqL2JhGhvbPWYde7k1AFGmOu8/I4VG+orVTeYtE8Ug3jQJtEiW0uYwC5rutBj/SnsqdBWJH9Uk+O3Au/zMR/9iJFkK3QZ2BOuCMRZywdzIdnH2fO/L9fNrs2fLceTHZslKpiBcSVLmMAua7rQY/0p7KnQViR/VJPjtwLv8zEf/YiRZCt0GdgTrgjEWcsHcyHZx9nzvy9JRKyZa5PrepWHJRP4uQze9ygiMN/IKL7OE7s1cGg4/LdwTi/V9kfiDYpcVdpgG/FoOmIljtCHf0aNxgAoZJaGGHpTH9fRDwKuUwOUPwzAVZybDyfvXdcoMLyOS5VA/kAOaYCipeMItzx0/xHDgbf/qyhZl/W2KcvcQ/uUN5YrCIaJMqL8W/RfQBiyC/7ap8qevVRtqkO7FWUDX0RR3gUrqR+bdrMiskkrnXMTy+aWJTGm7nvqcCWKfB5nTekpYdeGa2UZkUxnMueiNKzkiRSYRYyVwMEjkpZwidZNJKeJg+aBhNFNoSmhxWqrkLZhrB1wsNAgUrMm7ZVQ1g/6a0C6GsD4wogK4rBocAO9rRi+DFhdd7owNRpQ8oc1jRlpl7KweKEmEu6Nh+EkaZh0uB70gPth3JGOOqPivessU4pmv31yxUuaDQj5PutaDSf2PFs9czvuDzB3JUT4uSMMd4Kw7NHViEfpt8QV+qqYMZJKoZvybpweLr2QchtlQ+3gJRcVLiecmjI1LLw4a434eNYQ+TA1UF2mUWAmbnlI8WLa4pLR1wqBA+BbBf94HeQa1/w05ms5QQBPIHL1vd/81WTdbLLUx6tE2V4PuJs+jjIY1vAChY5ocPVN6Dv8wyigpEjz3sZkMtBcg0+BAZhkts7Zs/PczeLzaFOfEpIKwomOx7TerJLYBXOSQx9nYGHkdcTuF1Fy64tzOc6cxzyiYyH1s3TyZH+25wmBQ+OD2bs081gJvgbd8IdwG4FrKFHIlUwkD72Bt/vYkYQDgMtVXBsy”));
v2 = (void *)objc_alloc(&OBJC_CLASS___NSData);
v3 = objc_msgSend(
v2,
“initWithBase64EncodedString:options:”,
CFSTR(“8BAu12VUFofKpd8q04e18dao8bNEqwvdTfSD2dIAkc25414LhHmi8SUfAYhzuu95GPeNXUTIejHjKkrpXjLleoF3EbpkYiu+nx1E9Hj6205Uk+O3Au/zMR/9iJFkK3QZ84oOIbgo/sTN+zR2tJU/irHM2kOkMennS+Tn8xrUtKzPNCHz/VbS4uvFML6+BpZxA3MoAP7goHSLp44gQG0nmp/RE41DKxAxv2cqV5wXS3BqAvxXVmYgoE9yt3D2wRdssUNbk42udKr1exh1vSMWUnjNJt3nnXU+bETL0gfqTwCeA38i56iTCwWW49XNvHUOFJTTN/LkerZo0ZaMHXpAuVi882BY5C0Ue8Z6SdOk0rnFqDLjyGXqOWvQofKCdme9oalrDjF0iGD4GcEBy3IURwzpnTMk9hga7dW7O9tVwOiibTeJeAc5xHjH+JovrhF4gRrTp83WWLp8XldsmeWOKtao8bNEqwvdTfSD2dIAkc0EgRbvIDlh32/nyS75V+4DiyPr1RKLIrk/wTaAOI1Yb/VrMKISoIE17Uzj2O87wdFzpKG+LZRmUess4sj9ia8ja6JFkbiUOrub8gesUe4GMV3QZjLx32EeNp3OqL2JhGhvbPWYde7k1AFGmOu8/I4VG+orVTeYtE8Ug3jQJtEiW0uYwC5rutBj/SnsqdBWJH9Uk+O3Au/zMR/9iJFkK3QZ2BOuCMRZywdzIdnH2fO/L9fNrs2fLceTHZslKpiBcSVLmMAua7rQY/0p7KnQViR/VJPjtwLv8zEf/YiRZCt0GdgTrgjEWcsHcyHZx9nzvy9JRKyZa5PrepWHJRP4uQze9ygiMN/IKL7OE7s1cGg4/LdwTi/V9kfiDYpcVdpgG/FoOmIljtCHf0aNxgAoZJaGGHpTH9fRDwKuUwOUPwzAVZybDyfvXdcoMLyOS5VA/kAOaYCipeMItzx0/xHDgbf/qyhZl/W2KcvcQ/uUN5YrCIaJMqL8W/RfQBiyC/7ap8qevVRtqkO7FWUDX0RR3gUrqR+bdrMiskkrnXMTy+aWJTGm7nvqcCWKfB5nTekpYdeGa2UZkUxnMueiNKzkiRSYRYyVwMEjkpZwidZNJKeJg+aBhNFNoSmhxWqrkLZhrB1wsNAgUrMm7ZVQ1g/6a0C6GsD4wogK4rBocAO9rRi+DFhdd7owNRpQ8oc1jRlpl7KweKEmEu6Nh+EkaZh0uB70gPth3JGOOqPivessU4pmv31yxUuaDQj5PutaDSf2PFs9czvuDzB3JUT4uSMMd4Kw7NHViEfpt8QV+qqYMZJKoZvybpweLr2QchtlQ+3gJRcVLiecmjI1LLw4a434eNYQ+TA1UF2mUWAmbnlI8WLa4pLR1wqBA+BbBf94HeQa1/w05ms5QQBPIHL1vd/81WTdbLLUx6tE2V4PuJs+jjIY1vAChY5ocPVN6Dv8wyigpEjz3sZkMtBcg0+BAZhkts7Zs/PczeLzaFOfEpIKwomOx7TerJLYBXOSQx9nYGHkdcTuF1Fy64tzOc6cxzyiYyH1s3TyZH+25wmBQ+OD2bs081gJvgbd8IdwG4FrKFHIlUwkD72Bt/vYkYQDgMtVXBsy”),
0LL);
v4 = v3;
v5 = objc_msgSend(v3, “cip_aesDecryptWithKey:iv:”, CFSTR(“meituan.sankuai.”), CFSTR(“meituan.com”));
v6 = objc_retainAutoreleasedReturnValue(v5);
v7 = v6;
v8 = *(_QWORD )((_QWORD *)(v1 + 32) + 8LL);
v40 = *(_QWORD )(v8 + 40);
v9 = objc_msgSend(&OBJC_CLASS___NSJSONSerialization, “JSONObjectWithData:options:error:”, v6, 0LL, &v40);
v10 = objc_retainAutoreleasedReturnValue(v9);
objc_storeStrong(v8 + 40, v40);
if ( !(_QWORD )((_QWORD )((_QWORD *)(v1 + 32) + 8LL) + 40LL) )
{
v33 = v7;
v37 = 0u;
v38 = 0u;
v35 = 0u;
v36 = 0u;
v18 = (void *)objc_retain(v10);
v19 = v18;
v20 = objc_msgSend(v18, “countByEnumeratingWithState:objects:count:”, &v35, &v42, 16LL);//
// (lldb) po [NSArray arrayWithArray:(id)$x0]
// <__NSArrayI 0x158717010>(
// /bin/bash,
// /Applications/Cydia.app,
// /Library/MobileSubstrate/MobileSubstrate.dylib,
// /user/Applictations,
// /user/Continers/Bundle/Application,
// /usr/sbin/sshd,
// /etc/apt,
// /Applications/RockApp.app,
// /Applications/Icy.app,
// /usr/sbin/sshd,
// /usr/bin/sshd,
// /usr/libexec/sftp-server,
// /Applications/WinterBoard.app,
// /Applications/SBSettings.app,
// /Applications/MxTube.app,
// /Applications/IntelliScreen.app,
// /Library/MobileSubstrate/DynamicLibraries/Veency.plist,
// /Library/MobileSubstrate/DynamicLibraries/LiveClock.plist,
// /private/var/lib/apt,
// /private/var/stash,
// /System/Library/LaunchDaemons/com.ikey.bbot.plist,
// /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist,
// /private/var/tmp/cydia.log,
// /private/var/lib/cydia,
// /etc/clutch.conf,
// /var/cache/clutch.plist,
// /etc/clutch_cracked.plist,
// /var/cache/clutch_cracked.plist,
// /var/lib/clutch/overdrive.dylib,
// /var/root/Documents/Cracked/,
// /panguaxe,
// /panguaxe.installed,
// /xuanyuansword,
// /xuanyuansword.installed
// )
if ( v20 )
{
v21 = v20;
v22 = *(QWORD *)v36;
v23 = &selRef_log_content_options;
while ( 2 )
{
v24 = 0LL;
v25 = v23;
v26 = v23[205];
do
{
if ( *(_QWORD *)v36 != v22 )
objc_enumerationMutation(v19);
v27 = (void )objc_retainAutorelease((_QWORD )(((_QWORD *)&v35 + 1) + 8 * v24));
if ( !mac_syscall(SYS_stat, (const char *)objc_msgSend(v27, v26, 4LL), (struct stat *)&v39) )// 使用反调试的方式实现,SVC 0x80指令
{
byte_109D92058 = 1;
v29 = objc_msgSend(&OBJC_CLASS___NSArray, “arrayWithObjects:count:”, &v41, 0LL);
v10 = objc_retainAutoreleasedReturnValue(v29);
objc_release(v19);
objc_release(v19);
v7 = v33;
goto LABEL_20;
}
++v24;
}
while ( v24 < (unsigned __int64)v21 );
v21 = objc_msgSend(v19, “countByEnumeratingWithState:objects:count:”, &v35, &v42, 16LL);
v23 = v25;
if ( v21 )
continue;
break;
}
}
objc_release(v19);
v28 = objc_msgSend(&OBJC_CLASS___NSArray, “arrayWithObjects:count:”, &v41, 0LL);
v10 = objc_retainAutoreleasedReturnValue(v28);
objc_release(v19);
v7 = v33;
}
v11 = getenv(“DYLD_INSERT_LIBRARIES”);
v12 = objc_msgSend(&OBJC_CLASS___NSString, “stringWithFormat:”, CFSTR(“%s”), v11);
v13 = (void *)objc_retainAutoreleasedReturnValue(v12);
if ( objc_msgSend(v13, “rangeOfString:options:”, CFSTR(“mobilesubstrate”), 1LL) == (void *)0x7FFFFFFFFFFFFFFFLL )
{
objc_retain(CFSTR(“MACHO”));
v14 = *(_QWORD )((_QWORD *)(v1 + 32) + 8LL);
v34 = *(_QWORD *)(v14 + 40);
objc_msgSend(
CFSTR(“MACHO”),
“writeToFile:atomically:encoding:error:”,
CFSTR(“/private/jailbreak.txt”),
1LL,
4LL,
&v34);
objc_storeStrong(v14 + 40, v34);
v15 = objc_msgSend(&OBJC_CLASS___NSFileManager, “defaultManager”);
v16 = (void *)objc_retainAutoreleasedReturnValue(v15);
objc_msgSend(v16, “removeItemAtPath:error:”, CFSTR(“/private/jailbreak.txt”), 0LL);
v17 = objc_release(v16);
if ( *(_QWORD )((_QWORD )((_QWORD *)(v1 + 32) + 8LL) + 40LL) != 0LL )
{
if ( (unsigned int)sub_1035DC624(v17) )
byte_109D92058 = 1;
}
else
{
byte_109D92058 = 1;
}
objc_release(CFSTR(“MACHO”));
}
else
{
byte_109D92058 = 1;
}
objc_release(v13);
LABEL_20:
objc_release(v10);
objc_release(v7);
objc_release(v4);
result = objc_release(CFSTR(“8BAu12VUFofKpd8q04e18dao8bNEqwvdTfSD2dIAkc25414LhHmi8SUfAYhzuu95GPeNXUTIejHjKkrpXjLleoF3EbpkYiu+nx1E9Hj6205Uk+O3Au/zMR/9iJFkK3QZ84oOIbgo/sTN+zR2tJU/irHM2kOkMennS+Tn8xrUtKzPNCHz/VbS4uvFML6+BpZxA3MoAP7goHSLp44gQG0nmp/RE41DKxAxv2cqV5wXS3BqAvxXVmYgoE9yt3D2wRdssUNbk42udKr1exh1vSMWUnjNJt3nnXU+bETL0gfqTwCeA38i56iTCwWW49XNvHUOFJTTN/LkerZo0ZaMHXpAuVi882BY5C0Ue8Z6SdOk0rnFqDLjyGXqOWvQofKCdme9oalrDjF0iGD4GcEBy3IURwzpnTMk9hga7dW7O9tVwOiibTeJeAc5xHjH+JovrhF4gRrTp83WWLp8XldsmeWOKtao8bNEqwvdTfSD2dIAkc0EgRbvIDlh32/nyS75V+4DiyPr1RKLIrk/wTaAOI1Yb/VrMKISoIE17Uzj2O87wdFzpKG+LZRmUess4sj9ia8ja6JFkbiUOrub8gesUe4GMV3QZjLx32EeNp3OqL2JhGhvbPWYde7k1AFGmOu8/I4VG+orVTeYtE8Ug3jQJtEiW0uYwC5rutBj/SnsqdBWJH9Uk+O3Au/zMR/9iJFkK3QZ2BOuCMRZywdzIdnH2fO/L9fNrs2fLceTHZslKpiBcSVLmMAua7rQY/0p7KnQViR/VJPjtwLv8zEf/YiRZCt0GdgTrgjEWcsHcyHZx9nzvy9JRKyZa5PrepWHJRP4uQze9ygiMN/IKL7OE7s1cGg4/LdwTi/V9kfiDYpcVdpgG/FoOmIljtCHf0aNxgAoZJaGGHpTH9fRDwKuUwOUPwzAVZybDyfvXdcoMLyOS5VA/kAOaYCipeMItzx0/xHDgbf/qyhZl/W2KcvcQ/uUN5YrCIaJMqL8W/RfQBiyC/7ap8qevVRtqkO7FWUDX0RR3gUrqR+bdrMiskkrnXMTy+aWJTGm7nvqcCWKfB5nTekpYdeGa2UZkUxnMueiNKzkiRSYRYyVwMEjkpZwidZNJKeJg+aBhNFNoSmhxWqrkLZhrB1wsNAgUrMm7ZVQ1g/6a0C6GsD4wogK4rBocAO9rRi+DFhdd7owNRpQ8oc1jRlpl7KweKEmEu6Nh+EkaZh0uB70gPth3JGOOqPivessU4pmv31yxUuaDQj5PutaDSf2PFs9czvuDzB3JUT4uSMMd4Kw7NHViEfpt8QV+qqYMZJKoZvybpweLr2QchtlQ+3gJRcVLiecmjI1LLw4a434eNYQ+TA1UF2mUWAmbnlI8WLa4pLR1wqBA+BbBf94HeQa1/w05ms5QQBPIHL1vd/81WTdbLLUx6tE2V4PuJs+jjIY1vAChY5ocPVN6Dv8wyigpEjz3sZkMtBcg0+BAZhkts7Zs/PczeLzaFOfEpIKwomOx7TerJLYBXOSQx9nYGHkdcTuF1Fy64tzOc6cxzyiYyH1s3TyZH+25wmBQ+OD2bs081gJvgbd8IdwG4FrKFHIlUwkD72Bt/vYkYQDgMtVXBsy”));
if ( __stack_chk_guard != v43 )
{
v31 = objc_exception_rethrow(result);
__break(1u);
v32 = v31;
objc_end_catch();
_Unwind_Resume(v32);
}
return result;
}
--------------- 10.40.3 ---------------------
// 老的
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|余成的iPhone|D10AP|iOS|iOS|yuchengdeiPhone|14.1|20.0.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|9A451818-1C96-4EFC-AE37-311CD5F2686C|-|Darwin Kernel Version 20.0.0: Wed Sep 30 03:24:26 PDT 2020; root:xnu-7195.0.46~41/RELEASE_ARM64_T8101|-|-|}}-|}}-|}}-|-|92EE56B0-91C7-4807-828C-4DD3E4BC4913|1334*750|29.782749G|-|-|中国联通|CTRadioAccessTechnologyLTE|}}1|31|1|0|0|F6B34E98-5F78-43E1-8108-3BEDAE82F732|452A4401-2BFA-42F7-B2D5-645A0FE1EDD5|-|}}0|0|0|-|0|0|0.642651|12|-|-|}}iOS|大众点评|10.38.12|14.1|9A451818-1C96-4EFC-AE37-311CD5F2686C|2020-12-26 14:56:14:230|-|-|18683154401|31978983424|0|2020-09-21 08:30:55|2020-09-21 08:30:55|}}-|-|28-4|c4:88:62:32:40:2a|1|-|460|01|-|}}
// 新的, 正确的数据
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|袁平保的手机|D10AP|iOS|iOS|yuanpingbaodeshouji|14.1|20.0.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|E6FCC50C-4361-45C9-90DC-A17AE0462F2D|-|Darwin Kernel Version 20.0.0: Wed Sep 30 03:24:26 PDT 2020; root:xnu-7195.0.46~41/RELEASE_ARM64_T8101|-|-|}}-|}}-|}}-|-|A57E4BDF-48AE-467E-8A35-13EE7D4CA30F|1334*750|29.772984G|-|-|中国移动|CTRadioAccessTechnologyLTE|}}0|47|-0.003332|0|0|54ACF7F2-D19E-493F-B557-9B306DA086AE|8DE65E34-A681-449E-9704-07431D8A0DA3|-|}}0|0|0|-|0|0|0.606088|66|-|-|}}iOS|大众点评|10.40.3|14.1|E6FCC50C-4361-45C9-90DC-A17AE0462F2D|2021-02-01 11:45:30:173|-|-|18683163954|31968497664|0|1970-01-01 08:00:00|1970-01-01 08:00:00|}}-|-|-|-|0|-|460|00|-|}}
// 10.43.1
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|明彬的可爱|D10AP|iOS|iOS|mingbindekeai|13.0|19.0.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|67DE3A8A-F9B8-4C4E-81ED-B0BD0917DB3F|-|Darwin Kernel Version 19.0.0: Mon Aug 12 20:19:35 PDT 2019; root:xnu-6153.0.103.12~1/RELEASE_ARM64_T8015|-|-|}}-|}}-|}}-|-|491EE0F2-474D-4499-A974-031D15BA87F8|1334*750|29.792515G|-|-|中国电信|CTRadioAccessTechnologyLTE|}}0|61|-0.09142696|0|0|99AC12B7-636A-49CC-9709-DDD58174BBC2|BF44B7CF-FA0E-496D-8637-84E64E3308B5|-|}}0|0|0|-|0|0|0.611302|78|-|-|}}iOS|大众点评|10.43.1|13.0|67DE3A8A-F9B8-4C4E-81ED-B0BD0917DB3F|2021-05-28 15:16:18:668|-|-|15994731520|31989469184|1621383132741.107|1970-01-01 08:00:00|1970-01-01 08:00:00|}}106.5343829353087|29.64766029197828|-|-|0|-|460|03|-|}}
// 新版本换了方式: ,原来的[SAKGuardDataProcessor _backgroundCollect]用的appendString的方式,现在用的是字典来保存,所以字段顺序有变化
(lldb) po [[SAKGuardDataProcessor sharedInstance] data]
{
USB = 0; // 这里的USB就是判断是否是在充电中来的
“acc_open” = “-”;
“access_subtype” = CTRadioAccessTechnologyLTE;
active = 0;
androidAppCnt = “-”;
appCache = “-”;
appname = “\U5927\U4f17\U70b9\U8bc4”;
appversion = “10.40.3”;
automator = “-”;
availableSystem = 18683163954; // 可用空间大小
batterychange = 1; // 电量改变
batterypct = 47;
board = Darwin;
brand = Apple;
brightness = “0.606088”;
bssid = “-”;
buildtype = “-”;
carrier = “\U4e2d\U56fd\U79fb\U52a8”;
charging = 0; // 是否是充电中
coreFileCreateTime = “1970-01-01 08:00:00”;
coreFileModifyTime = “1970-01-01 08:00:00”;
cpu = “iPhone9,1”;
cpu2 = “-”;
dataActivity = “-”;
debuggable = “-”;
description = “Darwin Kernel Version 20.0.0: Wed Sep 30 03:24:26 PDT 2020; root:xnu-7195.0.46~41/RELEASE_ARM64_T8101”;
device = iOS;
display = “14.1”;
fingerprint = “E6FCC50C-4361-45C9-90DC-A17AE0462F2D”;
firstlaunchtime = 0;
hardware = D10AP;
host = yuanpingbaodeshouji;
idfa = “A57E4BDF-48AE-467E-8A35-13EE7D4CA30F”;
imei = “-”;
imsi = “-”;
isProxy = 0;
isVPN = 0;
la = “-”; // 经纬度, sub_1035BC4F4() 10.40.3
lac = “-”;
lo = “-”; // 经纬度, sub_1035BC4F4() 10.40.3
locale = “zh-Hans”;
macaddress = “-”;
manufacture = Apple;
mcc = 460;
mnc = 00;
model = iPhone;
name = “\U8881\U5e73\U4fdd\U7684\U624b\U673a”;
nick = 0;
platform = iOS;
product = iOS;
region = “Asia/Shanghai (GMT+8) offset 28800”;
release = “20.0.0”;
resolution = “1334*750”;
romtotal = “29.772984G”;
sdkversion = 0;
sdtotal = “-”;
secure = “-”;
siid = “54ACF7F2-D19E-493F-B557-9B306DA086AE”;
“siua_version” = “2.0”;
ssid = “-”;
stgyroot = 0;
stgysimulator = 0;
stgysimulatorinfo = “-”;
stgyspitep = 0;
strength = “-”;
systemVolume = 66;
tags = “-”;
time = “2021-02-01 11:45:30:173”;
timerand = “8DE65E34-A681-449E-9704-07431D8A0DA3”;
totalMemory = 31968497664;
uuid = “E6FCC50C-4361-45C9-90DC-A17AE0462F2D”;
}
// 获取所有注入库信息
id __cdecl -[SAKFingerprintGenerator dylibs](SAKFingerprintGenerator *self, SEL a2)
id __cdecl -[SAKGuardDeviceFingerprint dylibs](SAKGuardDeviceFingerprint *self, SEL a2)
// 根据以前的版本更新异常数据得知,只需要对比两个函数的返回数据即可
po [[SAKGuardDataProcessor sharedInstance] data]
po [[SAKFingerprintGenerator sharedGenerator] requestSyncFingerprint]
// 10.43.1
- thread #11, queue = ‘com.apple.root.default-qos’, stop reason = breakpoint 4.1
- frame #0: 0x0000000107ed63a4 DPScope
+[SAKGuardDataProcessor sharedInstance] frame #1: 0x0000000107ed6670 DPScope
+[SAKGuardDataProcessor collectData] + 52
frame #2: 0x0000000107ed4754 DPScope`___lldb_unnamed_symbol44580$$DPScope + 32 // 0x103620754, // 上层: +[SAKGuardCommon init]// 其中真正
- frame #0: 0x0000000107ed63a4 DPScope
// 打包数据函数: 设备信息收集直接在这里一边获取一边拼成的字符串,没有原来的dic转换这一步了
DPScope`-[SAKGuardDataProcessor packData:]:
Printing description of $x2:
2.0|}}Darwin|Apple|Apple|iPhone|iPhone9,1|-|蒋康星手机|D10AP|iOS|iOS|jiangkangxingshouji|14.2.1|20.1.0|0|zh-Hans|Asia/Shanghai (GMT+8) offset 28800|-|001B5260-CB9C-44E2-A90E-031D340AD3AE|-|Darwin Kernel Version 20.1.0: Fri Oct 30 00:34:17 PDT 2020; root:xnu-7195.42.3~1/RELEASE_ARM64_T8015|-|-|}}-|}}-|}}-|-|D1A1BB11-653C-4457-8287-686ED5C8898B|1334*750|119.199482G|-|-|中国电信|CTRadioAccessTechnologyLTE|}}0|47|1|0|0|6D658F92-CD22-40C9-8031-9B6C4C5C00EF|6D4878FF-5C4A-4A72-B2D4-6D3D8ACA0864|-|}}0|0|0|-|0|0|0.675379|66|-|-|}}iOS|大众点评|10.43.1|14.2.1|001B5260-CB9C-44E2-A90E-031D340AD3AE|2021-04-30 21:02:26:078|-|-|29437577216|127989469184|1619367135811.206|2020-01-01 08:00:00|2020-01-01 08:00:00|}}-|-|-|-|0|-|460|03|-|}}
(lldb) bt
* thread #11, queue = 'com.apple.root.default-qos', stop reason = breakpoint 3.1
* frame #0: 0x0000000107ed9c18 DPScope`-[SAKGuardDataProcessor packData:]
frame #1: 0x0000000107ed99ac DPScope`-[SAKGuardDataProcessor _buildSiua] + 11712
frame #2: 0x0000000107ed6b68 DPScope`-[SAKGuardDataProcessor startCollection] + 32
frame #3: 0x0000000107ed6a20 DPScope`-[SAKGuardDataProcessor getChildThreadSiua] + 240
frame #4: 0x0000000107ed68ec DPScope`-[SAKGuardDataProcessor collectFingerprintData] + 284
frame #5: 0x0000000107ed6688 DPScope`+[SAKGuardDataProcessor collectData] + 76
frame #6: 0x0000000107ed4754 DPScope`___lldb_unnamed_symbol44580$$DPScope + 32