绕过iOS版QQ签名校验实现多开 -- By 飘云/P.Y.G

飘云 · 发表于 2016-10-30 01:23:16

目标QQ版本：6.5.8.437（2016-10-30最新版）

事情是酱紫滴。。。今天用PP助手多开了一个QQ来玩耍
多开.png

发现不能登录~~ 艾玛。。
登录.png

然后呢，拖入Hopper等了一段时间反汇编完成~~

首先理一下流程啊~ 签名校验无外乎那么几种

1.bundleID检测
2.签名段检测
3.代码段检测

我们从简单的bundleID检测入手~ 搜索"com.tencent.mqq"，找到如下关键点：

往上找到函数头：

然后找0x18b0f8处的引用：

调试符号深深出卖了你~~~ 都不用动态调试了~~~ 吼吼吼一万匹草泥马在疾驰...

我继续分析了一下，这货没对签名段进行校验~~ 那么事情就变得简单了~

我们找个优雅的点来Hook 将bundleID替换掉即可~~

祭出cycript神器

[Bash shell] 纯文本查看 复制代码


cy# [[UIApp keyWindow] recursiveDescription ].toString()
`<UIWindow: 0x1445242f0; frame = (0 0; 320 568); opaque = NO; autoresize = LM+RM+TM+BM; gestureRecognizers = <NSArray: 0x17005f980>; layer = <UIWindowLayer: 0x1702398c0>>
   | <UITransitionView: 0x14586fc00; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x170e30440>>
   |    | <UILayoutContainerView: 0x1705e0e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x171045af0>; layer = <CALayer: 0x170e2e2e0>>
   |    |    | <UINavigationTransitionView: 0x14589fe30; frame = (0 0; 320 568); clipsToBounds = YES; autoresize = W+H; layer = <CALayer: 0x170e2dcc0>>
   |    |    |    | <UIViewControllerWrapperView: 0x17419a410; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e325c0>>
   |    |    |    |    | <UIView: 0x1701900c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b400>>
   |    |    |    |    |    | <QQView: 0x1447689c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b7a0>>
   |    |    |    |    |    |    | <UIImageView: 0x1745e4b00; frame = (0 0; 320 568); opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x17463bc60>>
   |    |    |    |    |    |    |    | <AccountHeadView: 0x1741b4580; frame = (117.5 40; 85 85); layer = <CALayer: 0x174e2cba0>>
   |    |    |    |    |    |    |    |    | <QQAvatarView: 0x1446bbbc0; baseClass = UIButton; frame = (2.5 2.5; 80 80); opaque = NO; userInteractionEnabled = NO; tag = 2109; layer = <CALayer: 0x174e2a860>>
   |    |    |    |    |    |    |    |    |    | <UIImageView: 0x1743f7500; frame = (0 0; 80 80); clipsToBounds = YES; opaque = NO; userInteractionEnabled = NO; layer = <CALayer: 0x175025e20>>
   |    |    |    |    |    |    | <AcountEditCellID: 0x144708410; baseClass = UITableViewCell; frame = (0 130; 320 50); alpha = 0.7; layer = <CALayer: 0x174a397e0>>
   |    |    |    |    |    |    |    | <UITableViewCellContentView: 0x1741993d0; frame = (0 0; 320 50); gestureRecognizers = <NSArray: 0x175040f90>; layer = <CALayer: 0x174e295e0>>
   |    |    |    |    |    |    |    | <UIIDTextField: 0x14468fc90; baseClass = UITextField; frame = (25 0; 270 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e43330>; layer = <CALayer: 0x17502aaa0>>
   |    |    |    |    |    |    |    |    | <UIFieldEditor: 0x144775020; frame = (0 0; 243 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e55300>; layer = <CALayer: 0x175026160>; contentOffset: {0, 0}; contentSize: {243, 50}>
...省略部分

往上搜索 11223344(这是我输入的QQ号码，这里进行了替换~~)

[Bash shell] 纯文本查看 复制代码

   <UIFieldEditor: 0x144775020; frame = (0 0; 243 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e55300>; layer = <CALayer: 0x175026160>; contentOffset: {0, 0}; contentSize: {243, 50}>

现在找出 ViewController

[Bash shell] 纯文本查看 复制代码

   cy# [#0x144775020 nextResponder ]
#"<UIIDTextField: 0x14468fc90; baseClass = UITextField; frame = (25 0; 270 50); text = '11223344'; clipsToBounds = YES; opaque = NO; gestureRecognizers = <NSArray: 0x174e43330>; layer = <CALayer: 0x17502aaa0>>"
cy# [#0x14468fc90 nextResponder ]
#"<AcountEditCellID: 0x144708410; baseClass = UITableViewCell; frame = (0 130; 320 50); alpha = 0.7; layer = <CALayer: 0x174a397e0>>"
cy# [#0x144708410 nextResponder ]
#"<QQView: 0x1447689c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b7a0>>"
cy# [#0x1447689c0 nextResponder ]
#"<UIView: 0x1701900c0; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x174e2b400>>"
cy# [#0x1701900c0 nextResponder ]
#"<QQLoginViewController: 0x144aa9c00>"

好了，现在愉快的找到了 QQLoginViewController

[Objective-C] 纯文本查看 复制代码

导出头文件分析下
// class-dump -A -a -S -H ./QQ -o ./Headers

@interface QQLoginViewController : QQViewController <QQAccountMenuDelegate, AccountEditCellPWDelegate, AcountEditCellIDDelegate, NIAttributedLabelDelegate, UIActionSheetDelegate, QQSmsLoginSetPhoneViewDelegate, QQSmsLoginFillVerifyViewDelegate>
{

....

}

继续转到父类来看看：

@interface QQViewController : UIViewController <UserSummaryNavBarItemDelagate, ISkinProtocol, IQQPreviewStatus>
{

- (void)viewDidLoad; // IMP=0x0000000100b78948 // 随便找个必然被调用的函数进行Hook吧

}

// Hook代码：

[Objective-C] 纯文本查看 复制代码

%hook QQViewController

- (void)viewDidLoad {
    NSLog(@"======%s=======", __FUNCTION__);
    NSLog(@"bundleIdentifier=%@", [[NSBundle mainBundle] bundleIdentifier]);
    NSDictionary *dic = [[NSBundle mainBundle]infoDictionary];
    [dic setValue:@"com.tencent.mqq" forKey:@"CFBundleIdentifier"];
    %orig;
}

没错，真传一句话，就这么简单！！！

避免伸手党，不提供deb，自行编译把~~

笑倾天下 · 发表于 2016-10-30 08:20:19

沙发，感谢坛主分享好东西

wmj517 · 发表于 2016-10-30 08:20:27

好贴总是看的我晕晕的，支持了

飞天 · 发表于 2016-10-30 09:14:50

老大对苹果研究的深入，安卓的漂漂哦。

kangaroo · 发表于 2016-10-30 09:58:32

玩得6666

kangaroo · 发表于 2016-10-30 09:59:05

玩得真6 666

雲裏霧裏 · 发表于 2016-10-30 10:24:39

老飄這麽玩法太神了，只能膜拜！！

Taobi · 发表于 2016-10-30 10:53:31

城里人真会玩牛！！

a'ゞ龙行天下 · 发表于 2016-10-30 11:13:20

真会玩，膜拜

orz · 发表于 2016-10-30 12:30:19

膜拜玩IOS的。。借鉴下思路。

		自动登录	找回密码
密码			加入我们

[iOS] 绕过iOS版QQ签名校验实现多开 -- By 飘云/P.Y.G

评分

本帖被以下淘专辑推荐:

点评