-[SiShiPurchaseWindowController restorePurchaseAction]:000000010002650c         push       rbp                                         ; Objective C Implementation defined at 0x1001137f0 (instance method), Begin of try block, DATA XREF=0x1001137f0000000010002650d         mov        rbp, rsp0000000100026510         push       r150000000100026512         push       r140000000100026514         push       r130000000100026516         push       r120000000100026518         push       rbx0000000100026519         sub        rsp, 0x58// 调用 indicatorView方法，不重要000000010002651d         mov        r14, rdi0000000100026520         mov        rsi, qword [0x100143648]                    ; argument "selector" for method _objc_msgSend, @selector(indicatorView)0000000100026527         mov        r15, qword [_objc_msgSend_1000f4360]        ; _objc_msgSend_1000f4360000000010002652e         call       r15                                         ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026531         mov        rdi, rax                                    ; argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026534         call       imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue//调用 setHidden方法，不重要0000000100026539         mov        rbx, rax000000010002653c         mov        rsi, qword [0x100142210]                    ; argument "selector" for method _objc_msgSend, @selector(setHidden:)0000000100026543         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend0000000100026546         xor        edx, edx0000000100026548         call       r15                                         ; Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend000000010002654b         mov        rdi, rbx                                    ; argument "instance" for method _objc_release000000010002654e         call       qword [_objc_release_1000f4368]             ; _objc_release, _objc_release_1000f4368,_objc_release0000000100026554         lea        rdi, qword [rbp+var_30]                     ; argument "addr" for method imp___stubs__objc_initWeak0000000100026558         mov        rsi, r14                                    ; argument "value" for method imp___stubs__objc_initWeak000000010002655b         call       imp___stubs__objc_initWeak                  ; objc_initWeak//划重点，SiShiPurchaseHelper这个类0000000100026560         mov        rdi, qword [objc_cls_ref_SiShiPurchaseHelper] ; argument "instance" for method _objc_msgSend, objc_cls_ref_SiShiPurchaseHelper0000000100026567         mov        rsi, qword [0x100141dd8]                    ; argument "selector" for method _objc_msgSend, @selector(sharedInstance)000000010002656e         call       r15                                         ; End of try block started at 0x10002650c, Begin of try block (catch block at 0x10002664c), Jumps to 0x100174ec0 (_objc_msgSend), _objc_msgSend0000000100026571         mov        rdi, rax                                    ; End of try block started at 0x10002656e, Begin of try block, argument "instance" for method imp___stubs__objc_retainAutoreleasedReturnValue0000000100026574         call       imp___stubs__objc_retainAutoreleasedReturnValue ; objc_retainAutoreleasedReturnValue0000000100026579         mov        r15, rax000000010002657c         mov        rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b80000000100026583         lea        r14, qword [rbp+var_60]0000000100026587         mov        qword [r14-0x20], rax000000010002658b         mov        r13d, 0xc20000000000000100026591         mov        qword [r14-0x18], r130000000100026595         lea        rax, qword [sub_100026660]                  ; sub_100026660000000010002659c         mov        qword [r14-0x10], rax00000001000265a0         lea        rax, qword [0x1000f4e28]                    ; 0x1000f4e2800000001000265a7         mov        qword [r14-8], rax00000001000265ab         lea        r12, qword [rbp+var_30]00000001000265af         mov        rdi, r14                                    ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265b2         mov        rsi, r12                                    ; argument "src" for method imp___stubs__objc_copyWeak00000001000265b5         call       imp___stubs__objc_copyWeak                  ; objc_copyWeak00000001000265ba         lea        rbx, qword [rbp+var_38]00000001000265be         mov        rax, qword [__NSConcreteStackBlock_1000f41b8] ; __NSConcreteStackBlock_1000f41b800000001000265c5         mov        qword [rbx-0x20], rax00000001000265c9         mov        qword [rbx-0x18], r1300000001000265cd         lea        rax, qword [sub_100026691]                  ; sub_10002669100000001000265d4         mov        qword [rbx-0x10], rax00000001000265d8         lea        rax, qword [0x1000f4ef8]                    ; 0x1000f4ef800000001000265df         mov        qword [rbx-8], rax00000001000265e3         mov        rdi, rbx                                    ; argument "dest" for method imp___stubs__objc_copyWeak00000001000265e6         mov        rsi, r12                                    ; argument "src" for method imp___stubs__objc_copyWeak00000001000265e9         call       imp___stubs__objc_copyWeak                  ; objc_copyWeak//重点是这个方法 startRestore00000001000265ee         mov        rsi, qword [0x100143720]                    ; argument "selector" for method _objc_msgSend, @selector(startRestore:failedBlock:)00000001000265f5         lea        rdx, qword [rbp+var_80]                     ; End of try block started at 0x100026571, Begin of try block (catch block at 0x100026637)00000001000265f9         lea        rcx, qword [rbp+var_58]00000001000265fd         mov        rdi, r15                                    ; argument "instance" for method _objc_msgSend0000000100026600         call       qword [_objc_msgSend_1000f4360]             ; _objc_msgSend, _objc_msgSend_1000f4360,_objc_msgSend0000000100026606         mov        rdi, r15                                    ; End of try block started at 0x1000265f5, Begin of try block, argument "instance" for method _objc_release0000000100026609         call       qword [_objc_release_1000f4368]             ; _objc_release, _objc_release_1000f4368,_objc_release000000010002660f         mov        rdi, rbx                                    ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026612         call       imp___stubs__objc_destroyWeak               ; objc_destroyWeak0000000100026617         mov        rdi, r14                                    ; argument "instance" for method imp___stubs__objc_destroyWeak000000010002661a         call       imp___stubs__objc_destroyWeak               ; objc_destroyWeak000000010002661f         lea        rdi, qword [rbp+var_30]                     ; argument "instance" for method imp___stubs__objc_destroyWeak0000000100026623         call       imp___stubs__objc_destroyWeak               ; objc_destroyWeak0000000100026628         add        rsp, 0x58000000010002662c         pop        rbx000000010002662d         pop        r12000000010002662f         pop        r130000000100026631         pop        r140000000100026633         pop        r150000000100026635         pop        rbp0000000100026636         ret

/* @class SiShiPurchaseHelper */-(void)startRestore:(void *)arg2 failedBlock:(void *)arg3 {    r12 = [arg3 retain];    rbx = [arg2 retain];    [self setStartPurchase:0x1];    [self setCompeletedBlock:rbx];    [rbx release];    [self setFailedBlock:r12];    [r12 release];    rax = [SKPaymentQueue defaultQueue];    rax = [rax retain];    [rax restoreCompletedTransactions];    [rax release];    return;}

OSSPlainTextAKSKPairCredentialProvider.hSKPaymentTransactionObserver-Protocol.hSKProductsRequestDelegate-Protocol.hSKRequestDelegate-Protocol.h

#import "NSObject-Protocol.h" @class NSArray, NSError, SKPayment, SKPaymentQueue, SKProduct; @protocol SKPaymentTransactionObserver- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedTransactions:(NSArray *)arg2; @optional- (void)paymentQueue:(SKPaymentQueue *)arg1 didRevokeEntitlementsForProductIdentifiers:(- (void)paymentQueueDidChangeStorefront:(SKPaymentQueue *)arg1;- (BOOL)paymentQueue:(SKPaymentQueue *)arg1 shouldAddStorePayment:(SKPayment *)arg2 forP- (void)paymentQueue:(SKPaymentQueue *)arg1 updatedDownloads:(NSArray *)arg2;- (void)paymentQueueRestoreCompletedTransactionsFinished:(SKPaymentQueue *)arg1;- (void)paymentQueue:(SKPaymentQueue *)arg1 restoreCompletedTransactionsFailedWithError:- (void)paymentQueue:(SKPaymentQueue *)arg1 removedTransactions:(NSArray *)arg2;@end它实现了几个回调方法，不管它，在Hopper中搜索 paymentQueue，并生成伪代码：/* @class SiShiPurchaseHelper */-(void)paymentQueue:(void *)arg2 updatedTransactions:(void *)arg3 {    rbx = self;    rax = [arg3 retain];    var_150 = intrinsic_movaps(var_150, 0x0);    *(int128_t *)(&var_150 + 0x10) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x10), 0x0);    *(int128_t *)(&var_150 + 0x20) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x20), 0x0);    *(int128_t *)(&var_150 + 0x30) = intrinsic_movaps(*(int128_t *)(&var_150 + 0x30), 0x0);    var_B8 = rax;    rax = [rax countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10];    var_D8 = rax;    if (rax != 0x0) {            var_100 = **(&var_150 + 0x10);            var_C0 = rbx;            do {                    r12 = 0x0;                    do {                            if (*var_140 != var_100) {                                    objc_enumerationMutation(var_B8);                            }                            r14 = *(var_148 + r12 * 0x8);                            rax = [r14 transactionState];                            if (rax != 0x3) {                                    if (rax != 0x2) {                                            if (rax == 0x1) {                                                    // 关键位置                                                    [rbx completeTransaction:r14];                                            }                                    }                                    else {                                            rax = [r14 error];                                            rax = [rax retain];                                            r14 = [rax code];                                            [rax release];                                            if (r14 == 0x2) {                                                    rbx = var_C0;                                                    [rbx purchaseFailedWithError:0x0];                                            }                                            else {                                                    rbx = var_C0;                                                    [rbx purchaseFailedWithError:[[[[NSBundle mainBundle] retain] localizedStringForKey:@"Unlock failed" value:@"" table:0x0] retain]];                                                    [rax release];                                                    [rax release];                                            }                                    }                            }                            else {                                    [rbx completeTransaction:r14];                            }                            r12 = r12 + 0x1;                    } while (r12 < var_D8);                    rax = [var_B8 countByEnumeratingWithState:&var_150 objects:&var_B0 count:0x10];                    var_D8 = rax;            } while (rax != 0x0);    }    var_30 = **___stack_chk_guard;    [var_B8 release];    if (**___stack_chk_guard != var_30) {            __stack_chk_fail();    }    return;}

/* @class SiShiPurchaseHelper */-(void)completeTransaction:(void *)arg2 {    r14 = self;    rax = [arg2 retain];    r15 = rax;    rax = [rax payment];    rax = [rax retain];    r12 = rax;    rax = [rax productIdentifier];    rax = [rax retain];    [rax release];    [r12 release];    if (rax != 0x0) {            [r14 setCurrentTransaction:r15];            //关键方法：            [r14 purchaseSuccess];            [r14 bornWenYuShan];    }    [r15 release];    return;}

[r14 purchaseSuccess];[r14 bornWenYuShan];

/* @class SiShiPurchaseHelper */-(void)bornWenYuShan {    [self setIsVip:0x1];    rax = [NSUserDefaults standardUserDefaults];    rax = [rax retain];    [rax setBool:0x1 forKey:@"kSiShiIsVipString"];    [rax release];    rbx = [[NSNotificationCenter defaultCenter] retain];    [rbx postNotificationName:*0x1000f52b0 object:0x0];    [rbx release];    return;}

0000000100012910         push       rbp                                         ; Objective C Implementation defined at 0x10010f4d0 (instance method), DATA XREF=0x10010f4d00000000100012911         mov        rbp, rsp0000000100012914         push       r150000000100012916         push       r140000000100012918         push       r13000000010001291a         push       r12000000010001291c         push       rbx000000010001291d         push       rax ......中间的代码全部NOP掉 00000001000129bd         pop        rbx00000001000129be         pop        r1200000001000129c0         pop        r1300000001000129c2         pop        r1400000001000129c4         pop        r1500000001000129c6         pop        rbp00000001000129c7         jmp        rax

// r14 = self000000010001291e         mov        r14, rdi// rbx = _objc_msgSend_1000f43600000000100012921         mov        rbx, qword [_objc_msgSend_1000f4360]    // msgSend函数的第一个参数：rsi = bornWenYuShan    0000000100012928         mov        rsi, qword [0x100142d48]    // msgSend函数的第二个参数：rdi = r14                000000010001292f         mov        rdi, r14                                    0000000100012932         call       rbx   //等于执行 msgSend(self,bornWenYuShan)

sudo codesign --sign - --force --deep ./Live Wallpaper.app

# 往期推荐

1.某视频app的学习记录

2.Chrom V8分析入门——Google CTF2018 justintime分析

3.Typora 授权解密与剖析

4.内核漏洞学习-HEVD-StackOverflowGS

5.人人都可以拯救正版硬件受害者(Jlink提示Clone)

6.frida内存检索svc指令查找sendto和recvfrom进行hook抓包