Jump-authorization problem with two WeChat installs on iOS

Background

I've been using TrollStore a lot lately and set up two WeChat installs for myself. But when WeChat Read (微信读书) asks for authorization, the WeChat login it brings up is WeChat A, not WeChat B. The goal is to have it bring up WeChat B.

Details

If you don't care about the underlying mechanism, skip straight to the summary.

As an aside, WeChat A is the official one, Bundle ID: com.tencent.xin

WeChat B is one I defined myself: com.tencent.xinVan

The Bundle ID is an iOS app's unique identity, so it cannot be duplicated.

  1. Starting from first principles, I looked into how iOS lets one app launch another, and found the CFBundleURLSchemes key. Through this key, the app that is to be launched registers its resource (scheme) names with iOS.

If it declares wechat, then a URL of the form wechat://xxx asks iOS to launch WeChat.

  2. The code on the calling side obviously can't be modified (at best one could locate where the constant is configured and patch it, but that requires static analysis and so on, which is a hassle), so I took the simple route and changed the scheme of the app being launched instead.
  3. Apps A and B both register the same scheme, so the idea was to remove A's scheme configuration. I used Filza to find A's Info.plist and removed the CFBundleURLSchemes entries.

At that point, calling any scheme declared in B from Safari launched B, not A. But WeChat Read still launched A rather than B... awkward.

I wondered whether it was a system cache issue, but searching turned up nothing and I didn't want to reboot. So I uninstalled A, edited the Info.plist inside the package, and re-packaged, re-signed and reinstalled it.

OK, done.

Summary

When running multiple copies of an app, if you want B to be launched instead of A,

do the following:

  1. Install the signed B;
  2. Edit A's Info.plist: find CFBundleURLSchemes and delete the array entries under it;
  3. Package, sign and install A;
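The Info.plist edit in step 2, done as a script so the scheme registrations of both installs can be audited before and after. This is an added example, not code from the original post: it uses only Python's standard plistlib, the sample plist and the scheme names (wechat, wxdemo) are constructed, the helper names are this example's own, and only the bundle ids com.tencent.xin and com.tencent.xinVan come from the post. The key CFBundleURLTypes (the array that holds each CFBundleURLSchemes entry) is the standard Info.plist key for URL registrations.

```python
"""
Added example, not code from the original post: audit the URL schemes two
side-by-side iOS installs register in their Info.plist files and strip the
CFBundleURLSchemes arrays from one of them, which is the edit the summary
describes. Only the standard library's plistlib is used. The sample plist,
the scheme names and the helper names are constructed for this example;
the bundle ids com.tencent.xin / com.tencent.xinVan are the ones from the post.
"""
import plistlib

# Constructed sample Info.plist for install A: one CFBundleURLTypes entry that
# registers two schemes. A real Info.plist has many more keys; they are
# irrelevant here and are preserved untouched by strip_schemes().
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.tencent.xin</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.tencent.xin</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>wechat</string>
        <string>wxdemo</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def bundle_id(plist_bytes):
    """CFBundleIdentifier of the app described by this Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def registered_schemes(plist_bytes):
    """Every URL scheme the plist registers, flattened across CFBundleURLTypes."""
    info = plistlib.loads(plist_bytes)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return schemes


def strip_schemes(plist_bytes):
    """Return a re-serialised plist with every CFBundleURLSchemes array removed.

    Only the scheme arrays are deleted; the CFBundleURLTypes entries and all
    other keys stay, so the app keeps working but no longer answers any scheme.
    """
    info = plistlib.loads(plist_bytes)
    for url_type in info.get("CFBundleURLTypes", []):
        url_type.pop("CFBundleURLSchemes", None)
    return plistlib.dumps(info)


def with_bundle_id(plist_bytes, new_id):
    """Constructed helper: clone a plist under a different bundle id (install B)."""
    info = plistlib.loads(plist_bytes)
    info["CFBundleIdentifier"] = new_id
    return plistlib.dumps(info)


def scheme_conflicts(plists):
    """Map each scheme to the bundle ids that register it, keeping only the
    schemes claimed by more than one app. That ambiguity is what the post hit:
    iOS picks one handler, and it need not be the one you want."""
    owners = {}
    for data in plists:
        for scheme in registered_schemes(data):
            owners.setdefault(scheme, []).append(bundle_id(data))
    return {s: ids for s, ids in owners.items() if len(ids) > 1}


if __name__ == "__main__":
    a = SAMPLE_INFO_PLIST
    b = with_bundle_id(SAMPLE_INFO_PLIST, "com.tencent.xinVan")
    print("before:", scheme_conflicts([a, b]))               # both schemes claimed twice
    print("after: ", scheme_conflicts([strip_schemes(a), b]))  # {}
```

Running `scheme_conflicts` over every sideloaded bundle's Info.plist before installing is the quick check that would have shown the collision up front; a scheme claimed by more than one install is exactly the condition under which iOS picks a handler you did not choose.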

On changing fonts on a jailbroken iOS 15

Luckily I'm on an iPhone 11 and kept it on iOS 15.0.1. One vulnerability after another has come out for this version: TrollStore for freely installing other IPAs, the MacDirtyCow vulnerability that allows temporarily modifying memory mappings, and then the XinaA15 rootless jailbreak. This phone really was the right buy!

Jailbreak

  1. Install TrollStore
  2. Install XinA15
  3. Open it and tap the "open Jailbreak" button

Yes, it's that simple.

Changing fonts

Changing the system font

Replacement font path: /var/jb/Library/Fonts/

System font path: /System/Library/Fonts

Take the font you want to replace and put it under the jb directory at the corresponding path; that's all there is to it.

Some apps don't change

The apps that didn't change are basically the ones that use their own configured fonts rather than the system default.

Twitter

Chirp

From searching on Google and asking people on Discord, I learned that Twitter uses its own in-house font, Chirp. So I went into the Twitter.app directory to see how to replace it.

Using Filza, I found the following:

/private/var/containers/Bundle/Application/256324AA-3DC7-41F4-B4AB-C78A55B87C33/Twitter.app

That string of digits and letters will be different for everyone; just follow the preceding path, search under that directory, and you'll find it.

Luckily, I found the Chirp directory right away.

Then replace the files inside it, and you're done.

Bandit Level 32 → Level 33

After all this git stuff it's time for another escape. Good luck!

Solution

>>> $0
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

Key points

  1. A script's argument zero ($0) is always the name of the file being executed; using $0 here is equivalent to running sh (the prompt starting with a $ suggests it is sh rather than bash);
  2. whoami shows bandit33, so just read the password directly;

Bandit Level 31 → Level 32

Solution

bandit31@bandit:~$ mktemp -d
/tmp/tmp.UHFbV1v7DX
bandit31@bandit:~$ cd /tmp/tmp.UHFbV1v7DX
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ cd repo/
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ :>.gitignore
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        modified:   .gitignore

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        key.txt

no changes added to commit (use "git add" and/or "git commit -a")
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git commit -m 'Try to resolve it.'
[master e515574] Try to resolve it.
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 4, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 339 bytes | 0 bytes/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

Key points

  1. git add stores all working-tree changes in the staging area;
  2. the commit command records the staging-area contents into the index (the local history);
  3. the push command submits the local differences to the remote;
  4. there is a .gitignore file here, whose patterns match files that git should not notice;
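Point 4 is why the first `git add -A` reported a clean tree: `*.txt` in .gitignore made key.txt invisible to git. The following is an added example, not code from the original post or from git: a simplified re-implementation of the gitignore rules involved, enough to reproduce the session above and to compare the author's fix (emptying .gitignore) with a narrower one (a `!key.txt` negation). Supported subset: blank lines, `#` comments, `*`/`?` wildcards, leading `!` negation and leading `/` anchoring; directory-only rules, `**` and escaping are out of scope, and the helper names are this example's own.

```python
"""
Added example, not code from the original post or from git itself: a small
re-implementation of the gitignore matching rules relevant to level 31, used to
show why `git add -A` produced "nothing to commit" (the repo's .gitignore held
`*.txt`, so key.txt was invisible to git) and what emptying the file, or adding
a negation rule, changes. Supported subset: blank lines, `#` comments, `*` and
`?` wildcards, a leading `!` to negate, a leading `/` to anchor at the repo root.
Directory-only rules (`dir/`), `**` and escaping are deliberately out of scope,
so treat results for patterns outside that subset as approximate.
"""
import fnmatch


def parse_gitignore(text):
    """Turn .gitignore text into (pattern, negate, anchored) rules, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        anchored = line.startswith("/")
        if anchored:
            line = line[1:]
        rules.append((line, negate, anchored))
    return rules


def _rule_matches(path, pattern, anchored):
    # A pattern with no slash (and not anchored) matches the file name at any
    # depth; otherwise it is matched against the full repo-relative path.
    # Simplification: fnmatch's `*` also crosses `/`, which git's does not.
    if anchored or "/" in pattern:
        return fnmatch.fnmatchcase(path, pattern)
    return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern)


def is_ignored(path, rules):
    """Last matching rule wins, as in git; a negated match un-ignores the path."""
    ignored = False
    for pattern, negate, anchored in rules:
        if _rule_matches(path, pattern, anchored):
            ignored = not negate
    return ignored


def files_to_stage(paths, gitignore_text):
    """What `git add -A` would pick up from these untracked paths."""
    rules = parse_gitignore(gitignore_text)
    return [p for p in paths if not is_ignored(p, rules)]


if __name__ == "__main__":
    untracked = ["key.txt", "README.md"]
    print(files_to_stage(untracked, "*.txt\n"))            # ['README.md']
    print(files_to_stage(untracked, ""))                   # after :>.gitignore
    print(files_to_stage(untracked, "*.txt\n!key.txt\n"))  # narrower fix
```

Blanking .gitignore, as the session does, also discards every other ignore rule in the repo; `git add -f key.txt` or the `!key.txt` negation above adds just the one file. The same mechanism matters when reviewing a repository: `git status` never lists ignored paths, so check the .gitignore contents, or run `git status --ignored`, before concluding a tree contains nothing sensitive.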

Bandit Level 30 → Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Solution

bandit30@bandit:~$ mktemp -d
/tmp/tmp.UkNUXze0ar
bandit30@bandit:~$ cd /tmp/tmp.UkNUXze0ar
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ cd repo/
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ ls
README.md
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git show secret
47e603bb428404d265f59c42920d81e5

Key points

  1. git tag lists the tags; git show secret prints whatever the tag points at

Bandit Level 29 → Level 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Solution

bandit29@bandit:~$ mktemp -d
/tmp/tmp.5vEfTyPY8r
bandit29@bandit:~$ cd /tmp/tmp.5vEfTyPY8r
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ cd repo/
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git tag
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch
* master
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/sploits-dev
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add data needed for development

commit a8af722fccd4206fc3780bd3ede35b2c03886d9b
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add gif2ascii

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ ls
code  README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat code/gif2ascii.py

bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Key points

  1. A git repository can have multiple branches; a branch is just a pointer into the history tree;

Bandit Level 28 → Level 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Solution

bandit28@bandit:~$ mktemp -d
/tmp/tmp.0HXHG7V3Lt
bandit28@bandit:~$ cd /tmp/tmp.0HXHG7V3Lt
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ cd repo/
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout b67405defc6ef44210c53345fc953e6a21338cc7
Note: checking out 'b67405defc6ef44210c53345fc953e6a21338cc7'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at b67405d... initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: <TBD>

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Previous HEAD position was b67405d... initial commit of README.md
HEAD is now at 186a103... add missing data
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

Key points

  1. git as a version-tracking tool: view the history with git log
  2. Check out (checkout) a given SHA in the history;
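Levels 28, 29 and 30 make one point three times: a credential that was ever committed stays retrievable from an earlier commit (28, where the later "fix info leak" commit only sanitised HEAD), from a branch other than master (29), or from a tag (30), even when the checked-out tree looks clean. The following is an added example, not code from the original posts: a scanner that checks every revision rather than just HEAD. `scan_history()` is pure and is fed with the three README.md revisions transcribed from the level 28 session; the git-walking helpers need git on PATH and a real clone. The 32-hex-character password pattern and all helper names are this example's assumptions.

```python
"""
Added example, not code from the original posts: a scanner that looks for
Bandit-style passwords in every revision of a repository, not only in HEAD.
Levels 28, 29 and 30 each hide the credential somewhere `git log` on the
checked-out branch does not show it: an earlier commit that a later "fix info
leak" commit sanitised (28), a branch other than master (29), and a tag that
points straight at a blob (30). The git-walking helpers need git on PATH and
a real repository; scan_history() is pure and is what the test exercises, fed
with revision contents transcribed from the level 28 session. The
32-hex-char password format and the helper names are this example's assumptions.
"""
import re
import subprocess

# Bandit passwords on this page are 32 hex characters following "password:".
SECRET_RE = re.compile(r"password:\s*([0-9a-f]{32})\b", re.IGNORECASE)


def find_secrets(text):
    """All password-looking values in one file's contents."""
    return SECRET_RE.findall(text)


def scan_history(blobs):
    """blobs: iterable of (revision, path, content).
    Returns [(revision, path, secret)] for every revision that still carries one.
    Sanitising HEAD does not help if an older revision is in the list."""
    return [(rev, path, secret)
            for rev, path, content in blobs
            for secret in find_secrets(content)]


def _git(repo_dir, *args):
    return subprocess.run(["git", "-C", repo_dir, *args], check=True,
                          capture_output=True, text=True, errors="replace").stdout


def git_blobs(repo_dir):
    """Yield (commit, path, content) for every commit reachable from any ref:
    all local and remote-tracking branches and all tags, not just HEAD."""
    for commit in _git(repo_dir, "rev-list", "--all").split():
        for path in _git(repo_dir, "ls-tree", "-r", "--name-only", commit).splitlines():
            yield commit, path, _git(repo_dir, "show", f"{commit}:{path}")


def git_tag_objects(repo_dir):
    """Tags may point at a blob instead of a commit (level 30's `secret` tag
    does); rev-list never visits those, so dump each tag's target separately."""
    for tag in _git(repo_dir, "tag").split():
        yield f"refs/tags/{tag}", "(tag target)", _git(repo_dir, "show", tag)


# Constructed from the level 28 transcript: the three revisions of README.md.
LEVEL28_HISTORY = [
    ("073c27c fix info leak", "README.md",
     "# Bandit Notes\n## credentials\n- username: bandit29\n- password: xxxxxxxxxx\n"),
    ("186a103 add missing data", "README.md",
     "# Bandit Notes\n## credentials\n- username: bandit29\n- password: bbc96594b4e001778eee9975372716b2\n"),
    ("b67405d initial commit of README.md", "README.md",
     "# Bandit Notes\n## credentials\n- username: bandit29\n- password: <TBD>\n"),
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # scan a real clone: python scan.py /path/to/repo
        blobs = list(git_blobs(sys.argv[1])) + list(git_tag_objects(sys.argv[1]))
    else:
        blobs = LEVEL28_HISTORY
    for rev, path, secret in scan_history(blobs):
        print(f"{rev}  {path}  {secret}")
```

Run against a clone it reports the leaking revision, path and value; the remediation it implies is the one the "fix info leak" commit skipped: rotate the credential, since rewriting or sanitising history does not recall the value from anyone who already fetched it.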

Bandit Level 27 → Level 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Solution

bandit27@bandit:~$ mktemp -d
/tmp/tmp.RG0BBbh379
bandit27@bandit:~$ cd /tmp/tmp.RG0BBbh379
bandit27@bandit:/tmp/tmp.RG0BBbh379$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:

remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.RG0BBbh379$ cd repo/
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ ls
README
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Key points

  1. The basic clone command of the git version-tracking tool

Bandit Level 26 → Level 27

Good job getting a shell! Now hurry and grab the password for bandit27!

Solution

bandit26@bandit:~$ ls -l bandit27-do
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16  2018 bandit27-do
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Key points

  1. ls -l shows that the executable bandit27-do has the setuid bit set
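The `s` in the owner-execute slot of `-rwsr-x---` is what makes this level work: the file runs as its owner bandit27 while being executable by group bandit26. As an added example, not code from the original post, the script below shows two ways a defender spots such files: decoding an `ls -l` line (the one from the session above is the sample input) and sweeping a directory tree with os.lstat for the setuid/setgid bits, the same check `find -perm -4000` performs. The helper names are this example's own.

```python
"""
Added example, not code from the original post: two ways to spot the setuid
bit that level 26 relies on, from the defender's side. parse_ls_line() reads a
line of `ls -l` output (the line from the session is used as the sample), and
find_setuid_files() walks a directory tree with os.lstat looking for regular
files with setuid or setgid set, the check `find -perm -4000` performs.
Helper names are this example's own.
"""
import os
import stat


def mode_flags_from_ls(mode_str):
    """Decode the 10-character mode column of `ls -l`, e.g. '-rwsr-x---'.
    's' in the owner/group execute slot means setuid/setgid plus execute;
    a capital 'S' means the bit is set without execute (usually a mistake)."""
    if len(mode_str) != 10:
        raise ValueError(f"not an ls -l mode column: {mode_str!r}")
    owner_x, group_x, other_x = mode_str[3], mode_str[6], mode_str[9]
    return {
        "setuid": owner_x in "sS",
        "setgid": group_x in "sS",
        "sticky": other_x in "tT",
        "owner_exec": owner_x in "xs",
        "group_exec": group_x in "xs",
        "other_exec": other_x in "xt",
    }


def parse_ls_line(line):
    """Split one `ls -l` line into mode flags, owner, group and file name."""
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    return {
        "name": fields[8],
        "owner": fields[2],
        "group": fields[3],
        **mode_flags_from_ls(fields[0]),
    }


def mode_flags_from_stat(st_mode):
    """Same flags, but from the integer st_mode that os.stat()/os.lstat() return."""
    return {
        "setuid": bool(st_mode & stat.S_ISUID),
        "setgid": bool(st_mode & stat.S_ISGID),
        "sticky": bool(st_mode & stat.S_ISVTX),
        "owner_exec": bool(st_mode & stat.S_IXUSR),
        "group_exec": bool(st_mode & stat.S_IXGRP),
        "other_exec": bool(st_mode & stat.S_IXOTH),
    }


def find_setuid_files(root):
    """Regular files under root with setuid or setgid set (symlinks not followed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # unreadable or vanished; skip rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


# The line from the level 26 session, used as sample input.
SAMPLE_LS_LINE = "-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16  2018 bandit27-do"

if __name__ == "__main__":
    info = parse_ls_line(SAMPLE_LS_LINE)
    print(info)   # setuid True: runs as bandit27, executable only by group bandit26
    print(find_setuid_files("/usr/bin"))
```

On a real host the sweep is worth running over the whole filesystem periodically and diffing against a known baseline; a new setuid file outside the package-managed set is one of the cheapest persistence indicators to catch.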

Bandit Level 25 → Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Solution

Logging in to bandit26 with ssh -i, the session exits right away, but prints a lot of content before it exits.
At this point, shrink the terminal height to just a few lines (so the login output cannot be printed in full) and log in again; the output is incomplete and the session does not exit immediately.
Now press v to enter VIM, which keeps the bandit26 login alive.
In VIM command mode, open bandit26's password file: :e /etc/bandit_pass/bandit26.
Password obtained: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
We are still inside VIM, though, and can't do much (some environment variables are missing, so system commands won't run). Set the variable with :set shell=/bin/bash, then run :shell, and we have a working bash.

Key points

  1. Basic VIM operations;
  2. VIM commands;