A few days ago, a friend of mine who works at Yonyou Corp asked me to hack into their MobileYonyou app.
She told me her company uses the MobileYonyou app to check in for work, but the app has to upload the user's location to the server.
She is a lazy girl: she wants to check in for work from her bed.
So I had to do a little work.
Here are my steps:
- She sent me a message that the client had sent to the server.
  My first thought was that it was Base64, so I decoded it, but what came out was binary data.
- Then I analysed the binary data together with the Wireshark capture. The binary data needed to be unzipped, because the client gzips the POST body before sending it.
- After unzipping, new binary data came out, but it looked encrypted.
  So I needed to get a decompiler such as IDA.
- I opened IDA Pro and selected the MobileYonyou binary, but IDA reported that the binary was encrypted.
  (I downloaded the file from the App Store, so the binary is packed by Apple.)
  I had to unpack the binary first. Thank god I finally found a jailbroken iPod Touch.
  Tutorial found on Google: "how to crack ipa file".
- Open the unpacked MobileYonyou binary and wait for IDA's analysis to finish
  (wait until the status in the bottom-left corner changes to "AU: idle").
- Click View -> Open Subviews -> Functions.
  Now we know that Yonyou uses 3DES to encrypt the data before the POST.
- Look at the function [DESEncryption TripleDES:encryptOrDecrypt:key].
  The key is passed in as a parameter, so it cannot be inside this function.
- Right-click on the function's disassembly, select Graph view, then choose Jump to xref and click OK.
- Right-click the function name and choose Xrefs to. Look at the new window that pops up:
  we can see that AFNetworking is what calls this 3DES function.
- Search the Functions view with the new magic word "requestBySerializingRequest"
  and look into the [AFHTTPRequestSerializer requestBySerializingRequest:withParameters:…] function.
  Press F5 to switch to pseudocode mode.
  Finally, got it.
  The DES key is CFSTR("G51-NIPR").
All done. Now just create a new project that simulates the whole check-in flow and POSTs the data to the request URI: http://l.yonyou.com/v3/MobileService.ashx
and buy some condoms to prepare for accepting her thanks. ^_^
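The key surfaced here is a plain string literal compiled into the app, which is exactly what a pre-release secret scan over your own decrypted binary should catch before anyone else does. The following Python is an added example, not code from this post or from Yonyou: it pulls printable strings out of a byte blob and flags literals of DES/3DES key length (8, 16 or 24 bytes) that sit next to crypto-related symbol names. The sample blob, the marker list and the `DEMO-KEY` value are constructed for the demo; a real run would feed it the decrypted Mach-O via `open(path, "rb").read()`.

```python
import re
from typing import List, Tuple

# Runs of 4+ printable ASCII bytes, the same heuristic `strings` uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# DES uses an 8-byte key; 3DES uses 16 (two-key) or 24 (three-key) bytes.
DES_KEY_LENGTHS = {8, 16, 24}
# Symbol fragments that suggest a nearby literal is fed into a cipher.
MARKERS = ("des", "encrypt", "decrypt", "key")

# Constructed sample resembling a Mach-O data segment: an ObjC class name,
# a selector, an embedded key literal, a serializer selector, a URL and
# a 16-byte decoy that is NOT near any crypto marker. Not from any real binary.
SAMPLE_BLOB = (
    b"\x00\x00_OBJC_CLASS_$_DESEncryption\x00"
    b"TripleDES:encryptOrDecrypt:key:\x00"
    b"DEMO-KEY\x00"
    b"requestBySerializingRequest:withParameters:\x00"
    b"\x01\x02\x03"
    b"http://example.invalid/MobileService\x00"
    b"Accept-Language\x00"
    b"ABCDEFGHIJKLMNOP\x00"
)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable ASCII run in the blob."""
    return [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]


def flag_key_candidates(strings: List[Tuple[int, str]], window: int = 3) -> List[Tuple[int, str]]:
    """Flag literals of DES/3DES key length that sit within `window` strings
    of a crypto-related marker; far-away literals of the right length are ignored."""
    flagged = []
    for i, (offset, text) in enumerate(strings):
        if len(text) not in DES_KEY_LENGTHS:
            continue
        neighbours = strings[max(0, i - window):i] + strings[i + 1:i + 1 + window]
        if any(marker in n.lower() for _, n in neighbours for marker in MARKERS):
            flagged.append((offset, text))
    return flagged


def audit(blob: bytes) -> List[Tuple[int, str]]:
    """Full pass: extract strings, then flag likely embedded cipher keys."""
    return flag_key_candidates(extract_strings(blob))


if __name__ == "__main__":
    for offset, text in audit(SAMPLE_BLOB):
        print(f"possible embedded key at 0x{offset:x}: {text!r}")
```

The window heuristic keeps noise down: a 16-character HTTP header name is not reported, while a key-length literal stored right beside the cipher selector is. Whatever the scan finds is a design finding rather than a bug to patch in place: a secret that ships inside the client cannot be kept from the client's user, so the server must not treat a correctly encrypted payload as proof that the location it carries is genuine.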