获取WebApp内容

进入NeteaseMusic.app/Contents目录观察,早就听闻网易云音乐客户端是个Hybird App,那想必Resources目录一定有相应的Web代码资源,ls后观察,在一堆图片文件里有个resources.pack文件很显眼:

查看下文件类型:

file resources.pack

zip压缩文件!尝试解压:

unzip resources.pack

需要输入密码😭。。。

启动Hopper,打开网易云的可执行文件,稍等分析完毕之后,尝试搜索unzip关键字,毕竟他得先解压嘛

发现有个YYYWebfilesManager的类很可疑,尤其是看到它的伪码的时候:

启动cycript,挂到运行着的NeteaseMusic进程上,直接调一下这几个方法:

很High,现在文件已经解压出来了,只需要把它们从内存保存到硬盘既可。class-dump一下,看一眼ZipArchive的Api:

class-dump NeteaseMusic -H -o headers

cat headers/ZipArchive.h

内容如下

//
//     Generated by class-dump 3.5 (64 bit).
//
//     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//

#import "NSObject.h"

@class NSArray, NSFileManager, NSString;

@interface ZipArchive : NSObject
{
    void *_zipFile;
    void *_unzFile;
    unsigned long long _numFiles;
    NSString *_password;
    id _delegate;
    CDUnknownBlockType _progressBlock;
    NSArray *_unzippedFiles;
    NSFileManager *_fileManager;
    unsigned long long _stringEncoding;
}

@property(nonatomic) unsigned long long stringEncoding; // @synthesize stringEncoding=_stringEncoding;
@property(copy, nonatomic) CDUnknownBlockType progressBlock; // @synthesize progressBlock=_progressBlock;
@property(readonly, nonatomic) NSArray *unzippedFiles; // @synthesize unzippedFiles=_unzippedFiles;
@property(copy, nonatomic) NSString *password; // @synthesize password=_password;
@property(readonly, nonatomic) unsigned long long numFiles; // @synthesize numFiles=_numFiles;
@property(retain, nonatomic) id <ZipArchiveDelegate> delegate; // @synthesize delegate=_delegate;
- (id)Date1980;
- (BOOL)OverWrite:(id)arg1;
- (void)OutputErrorMessage:(id)arg1;
- (id)getZipFileContents;
- (BOOL)UnzipCloseFile;
- (id)UnzipFileToMemory;
- (BOOL)UnzipFileTo:(id)arg1 overWrite:(BOOL)arg2;
- (BOOL)UnzipOpenFile:(id)arg1 Password:(id)arg2;
- (BOOL)UnzipOpenFile:(id)arg1;
- (BOOL)CloseZipFile2;
- (BOOL)addFileToZip:(id)arg1 newname:(id)arg2;
- (BOOL)CreateZipFile2:(id)arg1 Password:(id)arg2;
- (BOOL)CreateZipFile2:(id)arg1;
- (void)dealloc;
- (id)initWithFileManager:(id)arg1;
- (id)init;

@end

注意到- (BOOL)UnzipFileTo:(id)arg1 overWrite:(BOOL)arg2;这个Api,直接在cycript环境中输入:

[manager UnzipFileTo:@"/Users/kevin/Developer/Reverse/NeteaseMusic" overWrite: YES]

OK,此刻webfiles已经乖乖地躺在硬盘里了~