苹果应用商店登陆协议分析


整理资料的时候发现自己在16年分析苹果应用商店协议的源码,时间都过去这么久了,贴出来晒晒。
[code lang=”objc” toolbar=”true”]
/*
User-Agent: "AppStore/2.0 iOS/8.2 model/iPhone6,2 build/12D508 (6; dt:90)"
Step 1:
GET https://init.itunes.apple.com/WebObjects/MZInit.woa/wa/signSapSetupCert
直接返回一个plist数据,里面是证书
Step 2:
POST https://play.itunes.apple.com/WebObjects/MZPlay.woa/wa/signSapSetup
body1:"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>sign-sap-setup-buffer</key>\n\t<data>\n\tAgAAANIISnQ/0ZM7Y5Cijsp5iuHN6Ybx5GHoOeG+EgGRMWMXbMvVqbbtJsejYB/N8xmk\n\trhMYr5kvWRlpjSj1/KkUWfHJFThsPJhC8kdxMoD+gQutaezmfd4bK4fpf+SstZr9xD8l\n\tluiA6v01wztzmcgZP6jXJU/VoG9Xlh0pvOH86pjF1A5clKqLHzcYjWVtVfZfVr/L5oys\n\tTZwk3e3Won2cWa9HB/OfuZsBWG0hp+HvJTyMBCZ0mH6PKcAE7LQ/t9ldi6sdAXAVT6sP\n\tSGuTp5jJK49R6u9UAnojGDQ7G2niv1a3DllDr/TZ9sVU3untMIrB/1RbOlzLQpKUwOaq\n\t1FTTVk1L+9jl0J939342ZvunnMciZ6ycT5hyKsss/AAAADAGjEuAuhcF6gNumq0rVEiG\n\tcMupFwki38aCTFZ2uyghLqVhxAoRlOWv0RNAZ86DMhvxDQO7YMWdhW+TuHn1hZEOsSuR\n\tNwEEOGEAAA==\n\t</data>\n</dict>\n</plist>\n"
body2:"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<dict>\n\t<key>sign-sap-setup-buffer</key>\n\t<data>\n\tAgAAANIISnQ/0ZM7Y5CbXIqP8+SmvF/tSbayfcZfvYlVN/+543xbExpLAWp1O/E6SbEd\n\tUZ5KWy5bt0v67QJjBmDWGGMjmD6atdxlVd+ZTpX7p3YL4k/nCyEtTq8HRgUK8lD/nzJU\n\tjX1qz6Cz3pdisiP/cNKCB2rf8zJm3lQCG6qoq7y5h7VDhrQYxJZ575gE77THWPzkfZyz\n\tOPkUD7QpiqWJueeaJ1aVBGmR6iQJpYmeFHqFvYdLJWodBQF4SootIucM9SN6zWEZgdnu\n\t1udO6U9hOPQVNQpj+ZfktjXXKMC7MNy2BM+3VKLMsfrb3Q4Wg29FLlC+Q+MsYqyxVrba\n\trwvzBr/lj3tmy5YScCsSj0qQafK2KWCyGNBcCHriKwAAADCvb9cXzq0CR++wmGpgVe7P\n\tOUD6XrDSBq39exDWGhTIxzQRhT1AShJdLzlukGMHTLZptHt2LsfvZUzDM8ZMX/uBeY2K\n\tAQEEOGEAAA==\n\t</data>\n</dict>\n</plist>\n"

Step 3:
GET https://p38-buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/com.apple.jingle.app.finance.DirectAction/convertWizard?rmp=0&workflowID=20990&why=signIn&guid=bc8f422055b84b368bd6c9cb2a53b3a121bf5cac&createSession=true&attempt=0&guid=bc8f422055b84b368bd6c9cb2a53b3a121bf5cac
query-data:
rmp=0
&workflowID=20990
&why=signIn
&guid=bc8f422055b84b368bd6c9cb2a53b3a121bf5cac
&createSession=true
&attempt=0
&guid=bc8f422055b84b368bd6c9cb2a53b3a121bf5cac
*/
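/// Exercises the App Store client's private sign-in flow for one Apple ID.
///
/// The private classes (AuthenticateAttemptOperation, SignInResponse,
/// ACAccountCredential) are looked up by name and messaged through the file's
/// m_objc_msgSend helper; allocation, the request itself and the teardown run
/// through gcd.sync. Everything the flow produces is written to NSLog; nothing
/// is returned to the caller.
///
/// @param _userName Apple ID as a NUL-terminated UTF-8 string. Must not be NULL.
/// @param _password Password as a NUL-terminated UTF-8 string. Must not be NULL.
void itsd_authenticate(char* _userName, char* _password){
    // +stringWithUTF8String: raises NSInvalidArgumentException on a NULL pointer,
    // so a missing argument is reported here instead of crashing inside Foundation.
    if (_userName == NULL || _password == NULL) {
        NSLog(@"itsd_authenticate: userName and password must not be NULL");
        return;
    }
    NSString* username = [NSString stringWithUTF8String:(const char*)_userName];
    NSString* password = [NSString stringWithUTF8String:(const char*)_password];

    // Resolved at runtime; NSClassFromString returns Nil when the class is absent.
    // The locals below hold instances, not class objects, so they are typed id.
    Class AuthenticateAttemptOperation = NSClassFromString(@"AuthenticateAttemptOperation");
    __block id authAttemptOp = nil;
    gcd.sync(^{
        authAttemptOp = (__bridge id)m_objc_msgSend((__bridge void*)AuthenticateAttemptOperation, NSSelectorFromString(@"alloc"));
        authAttemptOp = (__bridge id)m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"init"));
    });
    if (!authAttemptOp) {
        // Nothing else can proceed without the operation object (e.g. the class
        // is missing or alloc/init came back nil), so say so rather than exit silently.
        NSLog(@"itsd_authenticate: AuthenticateAttemptOperation could not be created");
        return;
    }

    // SignInResponse carries the credentials. 3 is the response type the original
    // capture used; its enum meaning is not visible in this file.
    Class SignInResponse = NSClassFromString(@"SignInResponse");
    __block id signInResp = nil;
    gcd.sync(^{
        signInResp = (__bridge id)m_objc_msgSend((__bridge void*)SignInResponse, NSSelectorFromString(@"alloc"));
        signInResp = (__bridge id)m_objc_msgSend((__bridge void*)signInResp, NSSelectorFromString(@"initWithResponseType:"), (void*)3);
    });
    m_objc_msgSend((__bridge void*)signInResp, NSSelectorFromString(@"setPassword:"), (__bridge void*)password);
    m_objc_msgSend((__bridge void*)signInResp, NSSelectorFromString(@"setUserName:"), (__bridge void*)username);

    // The same password is also wrapped in an ACAccountCredential and attached as
    // the single-sign-on credential of the response.
    Class ACAccountCredential = NSClassFromString(@"ACAccountCredential");
    __block id credential = nil;
    gcd.sync(^{
        credential = (__bridge id)m_objc_msgSend((__bridge void*)ACAccountCredential, NSSelectorFromString(@"alloc"));
        credential = (__bridge id)m_objc_msgSend((__bridge void*)credential, NSSelectorFromString(@"initWithPassword:"), (__bridge void*)password);
    });
    m_objc_msgSend((__bridge void*)signInResp, NSSelectorFromString(@"setSingleSignOnCredential:"), (__bridge void*)credential);
    m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"_setSignInResponse:"), (__bridge void*)signInResp);

    // requestParameters
    // The selector is in the `new` method family, so by convention the callee hands
    // back a +1 reference; __bridge_transfer gives that reference to ARC.
    NSMutableDictionary* dictReqParameters = (__bridge_transfer NSMutableDictionary*)m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"_newAuthenticateAccountRequestParameters"));
    // NOTE(review): these parameters are derived from signInResp, which holds the
    // plaintext password; if it is among them, this line writes the credential to
    // the system log. Confirm the keys and redact before this runs anywhere but a
    // debugging session.
    NSLog(@"request-parameters: %@", dictReqParameters);

    // send
    // error is an out-parameter: the selector receives its address (NSError **).
    __block NSError* error = nil;
    gcd.sync(^{
        m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"_sendAuthenticateRequest:"), &error);
    });

    NSLog(@"error: %@", error);
    NSLog(@"signInResponse: %@", (__bridge id)m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"signInResponse")));
    id authResp = (__bridge id)m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"authenticationResponse"));
    NSLog(@"authenticationResponse: %@", authResp);

    // authResp may be nil when the request failed; assuming m_objc_msgSend keeps
    // objc_msgSend's nil-receiver semantics, the accessors below then yield nil and
    // the logs print "(null)".
    NSDictionary* dictAuthResp = (__bridge NSDictionary*)m_objc_msgSend((__bridge void*)authResp, NSSelectorFromString(@"responseDictionary"));
    // NOTE(review): the response dictionary presumably carries session material
    // (tokens, account identifiers); treat this log line as sensitive — verify
    // against the captured responses.
    NSLog(@"dictAuthResp: %@", dictAuthResp);
    NSHTTPURLResponse* httpUrlResp = (__bridge NSHTTPURLResponse*)m_objc_msgSend((__bridge void*)authResp, NSSelectorFromString(@"URLResponse"));
    NSLog(@"httpUrlResp: %@", httpUrlResp);

    // release
    // The __bridge casts above did not take over the +1 from alloc/init, and ARC
    // rejects a literal [obj release], so the balancing release is sent through a
    // runtime-resolved selector. A nil receiver here is harmless under objc_msgSend
    // semantics.
    gcd.sync(^{
        m_objc_msgSend((__bridge void*)credential, NSSelectorFromString(@"release"));
        m_objc_msgSend((__bridge void*)signInResp, NSSelectorFromString(@"release"));
        m_objc_msgSend((__bridge void*)authAttemptOp, NSSelectorFromString(@"release"));
    });
}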
[/code]

4条评论

  1. Harr 2018年9月14日 下午2:21 回复

    哈哈😄

  2. 学海无涯 2018年9月14日 下午2:23 回复

    你好,kbsync能破解码?

    • Harr 2018年9月14日 下午2:24 回复

      不能,目前也没人能破解,都是调用call的。

  3. 罗布 2019年3月5日 下午12:03 回复

    能提供点帮助么?可以联系我,我想了解新版本itunes中kbsync的计算。
