Hi 👋

  • 📚 Personal site: lab.lawliet
  • 📦 Technical documentation
  • 🐙 making
  • Wechat: RyukieW


Reverse, for better forward development

1. Goals of the reverse analysis

  • Reverse the app's functional logic to sharpen reverse-analysis thinking
  • Identify risk points in that logic and improve the protection measures

So let’s start with the analysis

2. Export header files with class-dump

Prepare a decrypted ("shell-smashed") copy of the 🔗 application in advance.

If you need the decrypted package, you can contact me through the channels listed at the top.

Use class-dump to export header files so that we can locate the target.

class-dump -H <MachO file> -o <output folder>/

3. Login state processing

If you search the headers for isLogin, you will find something that is very likely used to decide the login state:

  • UserInfoConfig: suspected user-management object

3.1 Hook the login method

Logos syntax is used here to write the hook quickly (see the Logos documentation).

@interface UserInfoConfig

+ (bool)isLogined;

- (bool)isLogined;

@end

%hook UserInfoConfig

+ (bool)isLogined {
    return YES;
}

- (bool)isLogined {
    return YES;
}

%end


3.2 Checking the login status

Before the hook:

After the hook:

It works: the login entry has changed to "Open now", but the user information is empty.

  • This only flips the login-state flag. That flag is a critical point for any application with an account system.
  • We need to think about how to protect it better.

Because the getter for the login state is overridden without a real login taking place, a large number of API error messages appear:

2021-05-23 14:52:09.592113+0800 PUClient[6981:2390642] You should call Login API before Calling any im related API

3.3 Finding the VIP logic

Start from the UI layer.

A. Find the container: RRVipUserInfoView

  • Check whether it holds a data model internally
    • No suspects
    • So go up to the superview

B. Superview: RRVipBannerTopCell

  • There is only one model, RRTopBannerModel *bannerModel;, but it does not seem to be related to VIP
    • Brute-force search instead

C. Search for VIP-related words

  • Search the headers for the VIP keyword and check the hits one by one: RRIMManager
    • This looks like an IM-related class, not related to video; ignore it

Here are a few more candidate files.

D. RrmjUser: suspected user object

It has a property like this: @property (retain, nonatomic) RRMedalModel *vipMedal;

E. RRMedalModel: suspected membership model

  • Looking at the header, I found a number of fields that look like membership features:
@interface RRMedalModel : NSObject <NSCoding>
{
    _Bool _isExpired;      // literally "expired"
    long long _medalId;    // suspected membership type
    NSString *_imgUrl;
    NSString *_name;
    NSString *_endTime;    // expiry time
}

+ (id)modelCustomPropertyMapper;
+ (id)replacedKeyFromPropertyName;
- (void).cxx_destruct;
@property(nonatomic) _Bool isExpired; // @synthesize isExpired=_isExpired;
@property(copy, nonatomic) NSString *endTime; // @synthesize endTime=_endTime;
@property(copy, nonatomic) NSString *name; // @synthesize name=_name;
@property(copy, nonatomic) NSString *imgUrl; // @synthesize imgUrl=_imgUrl;
@property(nonatomic) long long medalId; // @synthesize medalId=_medalId;
- (id)endTimeTextString;
- (id)endTimeString;
- (_Bool)isPermanent;  // literally "permanent"
- (id)initWithCoder:(id)arg1;
- (void)encodeWithCoder:(id)arg1;

@end


The RrmjUser property was found earlier in UserInfoConfig and presumably holds the current user. Here we set an object of our own creation at runtime, so that the getters we override report that the membership has not expired.

3.4 Complete Logos code

#pragma mark - RRMedalModel

@interface RRMedalModel: NSObject

- (bool)isPermanent;
- (bool)isExpired;

@end

%hook RRMedalModel

- (bool)isPermanent {
    return YES;
}

- (bool)isExpired {
    return NO;
}

%end

#pragma mark - RrmjUser

@interface RrmjUser: NSObject

@end

%hook RrmjUser

- (id)vipMedal {
    id vip = [[%c(RRMedalModel) alloc] init];
    return vip;
}

%end

#pragma mark - UserInfoConfig  // hook the login methods here

@interface UserInfoConfig

+ (bool)isLogined;

- (bool)isLogined;

- (id)userInfo;

@end

%hook UserInfoConfig

+ (bool)isLogined {
    return YES;
}

- (bool)isLogined {
    return YES;
}

- (id)userInfo {
    id tempUser = [[%c(RrmjUser) alloc] init];
    return tempUser;
}

%end


3.5 Results

I became a “permanent member”.
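The hook above succeeds because a bare [[RRMedalModel alloc] init] reads as a valid member: _isExpired defaults to NO and nothing in the model demands positive evidence of membership. The following is an added example of my own (Python, not code from the app or from this post) showing the fail-closed shape such a record should have. The field names follow the dumped header; KNOWN_MEDALS, the sample payloads and the fixed timestamp are assumptions made for the example.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Optional

# Constructed model of the membership record that the dumped RRMedalModel header
# exposes (isExpired, medalId, endTime, isPermanent). Field names follow the page;
# KNOWN_MEDALS and every sample value below are assumptions for this example.
KNOWN_MEDALS = {1, 2}  # hypothetical medalId values that denote a paid tier


@dataclass(frozen=True)
class Entitlement:
    """Fail-closed membership record: every default value denies access."""
    medal_id: int = 0                       # 0 means "no medal", not a tier
    permanent: bool = False
    end_time: Optional[dt.datetime] = None  # None means "no expiry known", not "never expires"

    def is_active(self, now: dt.datetime) -> bool:
        # Access needs positive evidence: a recognised tier AND either an explicit
        # permanent flag or an expiry that still lies in the future. A freshly
        # constructed object (all defaults) therefore evaluates to "not active",
        # unlike a model whose bare _isExpired == NO is read as "valid".
        if self.medal_id not in KNOWN_MEDALS:
            return False
        if self.permanent:
            return True
        return self.end_time is not None and now < self.end_time


def parse_entitlement(payload: dict) -> Entitlement:
    """Build an Entitlement from a server JSON object; anything malformed denies."""
    try:
        medal_id = int(payload.get("medalId", 0))
        permanent = bool(payload.get("isPermanent", False))
        raw_end = payload.get("endTime")
        end_time = dt.datetime.fromisoformat(raw_end) if raw_end else None
    except (TypeError, ValueError):
        return Entitlement()  # defaults deny
    if end_time is not None and end_time.tzinfo is None:
        end_time = end_time.replace(tzinfo=dt.timezone.utc)  # assume server times are UTC
    return Entitlement(medal_id, permanent, end_time)


# Constructed sample payloads, evaluated at a fixed instant so results are stable.
SAMPLE_NOW = dt.datetime(2021, 5, 23, 14, 52, 9, tzinfo=dt.timezone.utc)
SAMPLE_PAYLOADS = {
    "fresh_object": {},  # what a bare [[RRMedalModel alloc] init] would carry
    "active_monthly": {"medalId": 2, "isPermanent": False, "endTime": "2021-06-30T00:00:00"},
    "lapsed": {"medalId": 2, "isPermanent": False, "endTime": "2021-01-01T00:00:00"},
    "permanent": {"medalId": 1, "isPermanent": True},
    "unknown_medal": {"medalId": 99, "isPermanent": True},
    "garbage_date": {"medalId": 2, "endTime": "never"},
}


def evaluate_samples(now: dt.datetime = SAMPLE_NOW) -> dict:
    """Map each sample name to whether the parsed record grants access at `now`."""
    return {name: parse_entitlement(p).is_active(now) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, active in evaluate_samples().items():
        print(f"{name:15s} -> {'VIP' if active else 'denied'}")
```

A fail-closed client model only fixes the default behaviour; it can still be hooked at runtime exactly as the Logos code does. The decision that matters has to be repeated on the server from its own records before any paid data is returned, and the IM errors in section 3.2 are an example of a layer refusing to proceed because the hook flipped a flag without a real login behind it.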

4. Advertising logic

  • I tried returning directly from the ad-loading method, but then the video could not be loaded either.
    • So instead change the ad so that you do not have to wait for the countdown to finish before tapping skip.
    • Applications that integrate advertising can strengthen the protection of this logic.

#pragma mark - RRPlayerControlAdPlay
@interface RRPlayerControlAdPlay: NSObject

- (bool)canJump;

@end

%hook RRPlayerControlAdPlay

- (bool)canJump {
    return YES;
}

%end

5. Researching video permissions

5.1 Compare the video data of non-members and members, using episodes that display normally

  • Debug to find the differences in the key fields

5.2 Hook

Change all video types to free by hooking the related getters.

#pragma mark - MovieEpisode
@interface MovieEpisode: NSObject
/// feeModeType: 2 = VIP, nil = free
- (long long)feeModeType;
- (NSString *)feeMode;

@end

%hook MovieEpisode

- (NSString *)feeMode {
    return @"free";
}

- (long long)feeModeType {
    return 0;
}

%end

5.4 Results

The list page displays successfully without the VIP tag; every episode is identified as a free video here.

But when you tap an episode number on the right to watch it, you get an error.

6. Video stream analysis

I tried rewriting many data models, but it did not work.

  • Below is a free video stream, accessible in a browser:
(lldb) po ((M3u8Model *)0x2828f1300).dibblingTotalDuration
0

(lldb) po ((M3u8Model *)0x2828f1300).url
https://tx-cdn-local.rr.tv/2a66f13043434abb9114720c3cc4f19c/d6372e9485f84ba38a4b82ab0f31bad2-0e37a229c0ddec2ae7b75fbcac9f6f55-ld.mp4?auth_key=1622396264-900b321e0b42e34f95ab888009a63e84-0-39b17c20f3adcd88504a446cd2496c25&clientType=ios_rrsp_jzsp&clientVersion=5.5.1&parseUsage=PLAY&uid=0
  • VIP video: a free 5-minute preview stream
    • There is an end=300 at the end of the URL, suspected to be the control that limits it to 5 minutes.
    • But adjusting the time parameter in the URL does not give access to the full video.
    • Judging by the domain names, the free streams are on Tencent Cloud and the paid ones on Alibaba Cloud.
(lldb) po ((M3u8Model *)0x2828d9280).url
https://ali-preview.rr.tv/da81107fbb414227bad8faafa68ba9e6/eb37b38567b44e34817a36d9a8b09c3f-74a18a8c38dc4be51298ea5519a1815c-ld.mp4?auth_key=1622396977-56748ddc75ea4acf87fe91146aecae62-0-fb83047d57857ce0deded4705ee8a6be&end=300

(lldb) po ((M3u8Model *)0x2828d9280).dibblingTotalDuration
0

(lldb) 
  • It can be inferred that the query parameters of the VIP video stream carry some verification of the user's rights; without the correct key the stream cannot be fetched.
    • The security here is relatively solid.
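The observation above (the rewritten end=300 URL is refused, and the feeMode hook in section 5 only changed what the list page shows) is explained by a signed-URL design. The following is an added example of my own (Python, not rr.tv's scheme and not the author's code) showing the general mechanism: the origin decides the preview cap from its own entitlement record, then signs the path plus every query parameter with a secret the app never holds, so an edited end value or an expired URL is refused at the edge. The secret, TTL, hostname, uid and timestamps are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed signing scheme for this example only. It is NOT the rr.tv/CDN
# scheme; it shows why editing `end=` in a URL like the captured one cannot work
# when the signature covers that parameter. SECRET would exist only on the
# origin and the CDN edge, never inside the app.
SECRET = b"constructed-demo-secret"
TTL_SECONDS = 900
DEMO_NOW = 1_622_396_000  # constructed Unix timestamp, near the ones in the captured URLs
BASE_URL = "https://cdn.example.invalid/video/episode-1/ld.mp4"  # hypothetical host and path


def _canonical(path: str, params: dict) -> bytes:
    # Sign the path and every query parameter except the signature itself, in a
    # fixed order, so changing `end`, `uid` or `expires` invalidates the MAC.
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return (path + "?" + urlencode(items)).encode()


def sign_stream_url(base_url: str, params: dict, now: int, secret: bytes = SECRET) -> str:
    """Origin side: attach an expiry and an HMAC over path + all parameters."""
    parts = urlsplit(base_url)
    signed = dict(params, expires=str(now + TTL_SECONDS))
    signed["sig"] = hmac.new(secret, _canonical(parts.path, signed), hashlib.sha256).hexdigest()
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(sorted(signed.items())), ""))


def url_params(url: str) -> dict:
    """Query string of `url` as a dict (blank values kept)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def verify_stream_url(url: str, now: int, secret: bytes = SECRET) -> str:
    """Edge side: return 'ok' or the reason the request is refused."""
    parts = urlsplit(url)
    params = url_params(url)
    sig = params.get("sig")
    if not sig:
        return "missing signature"
    expected = hmac.new(secret, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    if now > int(params.get("expires", "0")):
        return "expired"
    return "ok"


def issue_for_user(server_says_vip: bool, now: int) -> str:
    """Origin-side decision: the preview cap comes from the server's own
    entitlement record, never from anything the client claims about itself."""
    params = {"uid": "123"}
    if not server_says_vip:
        params["end"] = "300"  # non-member: first 5 minutes only, like the captured URL
    return sign_stream_url(BASE_URL, params, now)


def with_param(url: str, key: str, value: str) -> str:
    """Rewrite one query parameter without re-signing (what a client-side edit does)."""
    parts = urlsplit(url)
    params = url_params(url)
    params[key] = value
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(sorted(params.items())), ""))


if __name__ == "__main__":
    preview = issue_for_user(False, DEMO_NOW)
    print(preview)
    print("as issued:     ", verify_stream_url(preview, DEMO_NOW + 10))
    print("end rewritten: ", verify_stream_url(with_param(preview, "end", "3600"), DEMO_NOW + 10))
    print("after TTL:     ", verify_stream_url(preview, DEMO_NOW + TTL_SECONDS + 1))
```

The design point is that the client never participates in the authorization decision: the app's feeMode, isExpired or canJump getters can be rewritten freely, but the only URL it ever receives already encodes the server's verdict, and every parameter of that URL is covered by a MAC it cannot recompute. A short TTL limits how long a captured URL can be shared, and compare_digest avoids leaking the signature through timing.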

7. Summary and security suggestions

  • A simple rewrite of a getter is enough to crack some scenarios
    • This kind of cracking is deadly for tool-type applications, because it directly affects revenue.
  • Important logic can be obfuscated to increase the difficulty of cracking.
  • Recently I did reverse research on another tool-type project and found it was written in Swift; dumping the headers ran into problems. I will share the results when I have made some progress.
    • This also shows that writing a project in Swift increases the cost of reversing it.
  • Anti-reverse protection
    • I have done some preliminary research on a few approaches before
      • However, I still feel the write-up is not good enough; if you are interested, you can have a look in my technical document archive
    • A detailed summary will be shared later ~

Some suggestions for studying reverse engineering

  • Don’t touch important apps such as banking apps
  • Try not to reverse on your own phone
  • You don’t necessarily need a jailbreak, but it is easier with one
  • Don’t log in with your personal account
  • Remember: reverse, for better forward development

If you are interested in reverse, you are welcome to communicate ~