IDFA生成过程分析

IDFA生成过程分析

Preferences进程(设置应用)

  1. 跟踪-[ASIdentifierManager advertisingIdentifier]
-[LSApplicationWorkspace deviceIdentifierForAdvertising]
_LSDDeviceIdentifierService* serv = [_LSDService synchronousXPCProxyWithErrorHandler:nil];
-[serv getIdentifierOfType:1 completionHandler:]
  2. 跟踪限制广告追踪按钮
// Native libxpc accessors, resolved once so that every hooked call can be
// labelled with the peer's pid and service name.
var get_pid = new NativeFunction(
    Module.findExportByName(null, 'xpc_connection_get_pid'),
    'int',
    ['pointer']
);
var get_name = new NativeFunction(
    Module.findExportByName(null, 'xpc_connection_get_name'),
    'pointer',
    ['pointer']
);

// Excerpt from the xpc_connection_send_message hook body. It reads `args`, so it
// presumably sits inside an Interceptor onEnter callback that is not shown here.
// args[0] is the connection and args[1] the message object being sent.
// NOTE(review): xpc_connection_get_name can return NULL for connections that
// were not created by service name; confirm how readUtf8String() behaves then.
log([
    'xpc_connection_send_message(',
    'connection=' + args[0],
    ', message=' + ObjC.Object(args[1]).toString(),
    ', pid=' + get_pid(args[0]),
    ', name=' + get_name(args[0]).readUtf8String(),
    ')'
].join(''));

xpc_connection_send_message(connection=0x281672fd0, message=<OS_xpc_dictionary: <dictionary: 0x281c7b0c0> { count = 3, transaction: 0, voucher = 0x0, contents =
	"f" => <uint64: 0x9d5e13525c1289f7>: 1
	"root" => <data: 0x2830c5940>: { length = 64 bytes, contents = 0x62706c6973743136a03f000000000000007f111b636c6561... }
	"proxynum" => <uint64: 0x9d5e13525c1289f7>: 1
}>, pid=97, name=com.apple.lsd.advertisingidentifiers)
xpc_connection_send_notification(), notify=<OS_xpc_dictionary: <dictionary: 0x281c7c3c0> { count = 3, transaction: 0, voucher = 0x0, contents =
	"operation" => <int64: 0x9d4e13525c1289f2>: 4
	"value" => <int64: 0x9d4e13525c1289f6>: 0
	"key" => <string: 0x2827fc8d0> { length = 37, contents = "com.apple.Advertising.LimitAdTracking" }
}>, pid=0, name=com.apple.aggregated

xpc_connection_send_notification
xpc_connection_send_message_with_reply_sync

lsd进程

  1. 跟踪-[ASIdentifierManager advertisingIdentifier]
-[_LSDDeviceIdentifierClient getIdentifierOfType:1 completionHandler:]
-[_LSDeviceIdentifierCache getIdentifierOfType:vendorName:bundleIdentifier:completionHandler:]
  2. 跟踪限制广告追踪按钮
-[_LSDDeviceIdentifierClient clearAllIdentifiersOfType:0x1]
// Decompiler pseudocode (not compilable C) for the block invoked by
// -[_LSDeviceIdentifierCache getIdentifierOfType:vendorName:bundleIdentifier:completionHandler:].
// a1 is the block literal; the captured values are read at fixed offsets:
//   a1+32  key into the identifiers dictionary (presumably vendorName - confirm)
//   a1+40  value looked up in the "LSApplications" list (presumably bundleIdentifier - confirm)
//   a1+48  object that receives identifiersOfTypeNotDispatched:, deviceUnlockedSinceBoot,
//          save and applyPerUserEntropyNotDispatched:type: (the cache itself, presumably)
//   a1+56  completion block, called once at the end with the result
//   a1+64  identifier type; 1 is the type the page traced from
//          -[ASIdentifierManager advertisingIdentifier]
// Result (v9): nil, +[NSUUID _LS_nullUUID], or a UUID passed through
// applyPerUserEntropyNotDispatched:type:.
__int64 __94___LSDeviceIdentifierCache_getIdentifierOfType_vendorName_bundleIdentifier_completionHandler___block_invoke(__int64 a1)
{
  v1 = a1;
  // Either captured key missing: skip all lookups and hand nil to the completion block.
  if ( !*(_QWORD *)(a1 + 32) || !*(_QWORD *)(a1 + 40) )
  {
    v9 = 0LL;
    goto LABEL_34;
  }
  // v3: the stored identifiers for this type; it is indexed and mutated like a dictionary below.
  v2 = objc_msgSend(*(void **)(a1 + 48), "identifiersOfTypeNotDispatched:", *(_QWORD *)(a1 + 64));
  v3 = (void *)objc_retainAutoreleasedReturnValue(v2);
  // Any type other than 1 jumps straight to the vendor path at LABEL_10, so the
  // ad-tracking and unlocked-since-boot checks below gate type 1 only.
  if ( *(_QWORD *)(a1 + 64) != 1LL )
    goto LABEL_10;
  v4 = +[LSApplicationRestrictionsManager sharedInstance](
         &OBJC_CLASS___LSApplicationRestrictionsManager,
         "sharedInstance");
  v5 = (void *)objc_retainAutoreleasedReturnValue(v4);
  // Gate 1: isAdTrackingEnabled must be true, otherwise the result is _LS_nullUUID (end of function).
  if ( (unsigned __int8)objc_msgSend(v5, "isAdTrackingEnabled") )
  {
    // Gate 2: deviceUnlockedSinceBoot must be true, otherwise the result is also _LS_nullUUID.
    v6 = (unsigned __int64)objc_msgSend(*(void **)(a1 + 48), "deviceUnlockedSinceBoot");
    objc_release(v5);
    if ( v6 )
    {
      if ( *(_QWORD *)(a1 + 64) == 1LL )
      {
        // Field at offset 16 of the a1+48 object: the previously stored UUID for type 1, if any.
        v7 = (void *)objc_retain(*(_QWORD *)(*(_QWORD *)(a1 + 48) + 16LL));
        if ( v7 )
        {
LABEL_31:
          // The stored UUID is not returned as-is: it goes through
          // applyPerUserEntropyNotDispatched:type: first (implementation not shown on this page).
          v47 = objc_msgSend(*(void **)(v1 + 48), "applyPerUserEntropyNotDispatched:type:", v7, *(_QWORD *)(v1 + 64));
          v9 = objc_retainAutoreleasedReturnValue(v47);
          objc_release(v7);
          goto LABEL_33;
        }
        // Nothing stored yet: take a fresh +[NSUUID UUID], keep it in the offset-16 field and save.
        // No hardware or account value is read on this path in the visible code.
        v8 = objc_msgSend(&OBJC_CLASS___NSUUID, "UUID");
        v7 = (void *)objc_retainAutoreleasedReturnValue(v8);
        objc_release(0LL);
        // NOTE(review): only the destination of objc_storeStrong is shown; the stored value
        // is presumably v7 (decompiler dropped the second argument) - confirm in disassembly.
        objc_storeStrong(*(_QWORD *)(a1 + 48) + 16LL);
        objc_msgSend(*(void **)(a1 + 48), "save");
        goto LABEL_30;
      }
LABEL_10:
      // Path for types other than 1: per-key entry holding "LSVendorIdentifier" and "LSApplications".
      if ( !v3 )
        goto LABEL_32;
      v10 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(a1 + 32));
      v11 = (void *)objc_retainAutoreleasedReturnValue(v10);
      v12 = v11;
      v13 = objc_msgSend(v11, "objectForKeyedSubscript:", CFSTR("LSVendorIdentifier"));
      v14 = objc_retainAutoreleasedReturnValue(v13);
      objc_release(v12);
      v51 = v14;
      if ( v14 )
      {
        v15 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(a1 + 32));
        v16 = (void *)objc_retainAutoreleasedReturnValue(v15);
        v17 = v16;
        v18 = objc_msgSend(v16, "objectForKeyedSubscript:", CFSTR("LSApplications"));
        v19 = (void *)objc_retainAutoreleasedReturnValue(v18);
        objc_release(v17);
        // Fast path: an identifier string exists and the a1+40 value is already listed,
        // so the stored string is parsed back into an NSUUID.
        if ( v19 && (unsigned __int8)objc_msgSend(v19, "containsObject:", *(_QWORD *)(a1 + 40)) )
        {
          v20 = (void *)objc_alloc(&OBJC_CLASS___NSUUID);
          v7 = objc_msgSend(v20, "initWithUUIDString:", v51);
          objc_release(v19);
          if ( v7 )
          {
LABEL_29:
            objc_release(v51);
LABEL_30:
            // A non-nil UUID continues to the entropy step; otherwise the result is nil.
            if ( v7 )
              goto LABEL_31;
LABEL_32:
            v9 = 0LL;
            goto LABEL_33;
          }
        }
        else
        {
          objc_release(v19);
        }
      }
      // Slow path: create the per-key entry if it is missing.
      v22 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(a1 + 32));
      v23 = objc_retainAutoreleasedReturnValue(v22);
      objc_release(v23);
      if ( !v23 )
      {
        v24 = objc_msgSend(&OBJC_CLASS___NSMutableDictionary, "dictionary");
        v25 = objc_retainAutoreleasedReturnValue(v24);
        objc_msgSend(v3, "setObject:forKeyedSubscript:", v25, *(_QWORD *)(a1 + 32));
        objc_release(v25);
      }
      v26 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(a1 + 32));
      v27 = (void *)objc_retainAutoreleasedReturnValue(v26);
      v28 = v27;
      v29 = objc_msgSend(v27, "objectForKeyedSubscript:", CFSTR("LSVendorIdentifier"));
      v30 = objc_retainAutoreleasedReturnValue(v29);
      objc_release(v28);
      if ( v30 )
      {
        // Reuse the stored identifier string (the duplicated v30 argument is likely a decompiler artifact).
        v31 = (void *)objc_alloc(&OBJC_CLASS___NSUUID);
        v7 = objc_msgSend(v31, "initWithUUIDString:", v30, v30);
      }
      else
      {
        // No identifier stored for this key: generate a random UUID and record its string form.
        v32 = objc_msgSend(&OBJC_CLASS___NSUUID, "UUID", 0LL);
        v33 = (void *)objc_retainAutoreleasedReturnValue(v32);
        v7 = v33;
        v34 = objc_msgSend(v33, "UUIDString");
        v35 = v3;
        v36 = objc_retainAutoreleasedReturnValue(v34);
        v37 = objc_msgSend(v35, "objectForKeyedSubscript:", *(_QWORD *)(v1 + 32));
        v38 = (void *)objc_retainAutoreleasedReturnValue(v37);
        objc_msgSend(v38, "setObject:forKeyedSubscript:", v36, CFSTR("LSVendorIdentifier"));
        objc_release(v38);
        objc_release(v36);
        v3 = v35;
      }
      // Make sure the a1+40 value is listed under "LSApplications", then persist the change.
      v39 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(v1 + 32));
      v40 = (void *)objc_retainAutoreleasedReturnValue(v39);
      v41 = v40;
      v42 = objc_msgSend(v40, "objectForKeyedSubscript:", CFSTR("LSApplications"));
      v43 = (void *)objc_retainAutoreleasedReturnValue(v42);
      objc_release(v41);
      if ( !v43 )
      {
        v44 = objc_msgSend(&OBJC_CLASS___NSMutableArray, "array");
        v43 = (void *)objc_retainAutoreleasedReturnValue(v44);
        v45 = objc_msgSend(v3, "objectForKeyedSubscript:", *(_QWORD *)(v1 + 32));
        v46 = (void *)objc_retainAutoreleasedReturnValue(v45);
        objc_msgSend(v46, "setObject:forKeyedSubscript:", v43, CFSTR("LSApplications"));
        objc_release(v46);
      }
      if ( !(unsigned __int8)objc_msgSend(v43, "containsObject:", *(_QWORD *)(v1 + 40)) )
        objc_msgSend(v43, "addObject:", *(_QWORD *)(v1 + 40));
      objc_msgSend(*(void **)(v1 + 48), "save");
      objc_release(v43);
      // NOTE(review): v50 is never assigned in this listing; presumably the decompiler's
      // alias for the v30 string retained above - confirm in disassembly.
      objc_release(v50);
      goto LABEL_29;
    }
  }
  else
  {
    objc_release(v5);
  }
  // Reached for type 1 when isAdTrackingEnabled is false or deviceUnlockedSinceBoot is false.
  // NOTE(review): _LS_nullUUID is presumably the all-zero UUID - its body is not shown here.
  v21 = objc_msgSend(&OBJC_CLASS___NSUUID, "_LS_nullUUID");
  v9 = objc_retainAutoreleasedReturnValue(v21);
LABEL_33:
  objc_release(v3);
LABEL_34:
  // Call the captured completion block (invoke pointer at +16) with the result, if one was captured.
  v48 = *(_QWORD *)(v1 + 56);
  if ( v48 )
    (*(void (__fastcall **)(__int64, __int64))(v48 + 16))(v48, v9);
  return objc_release(v9);
}

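可见,IDFA是从UUID生成的:类型为1时,lsd在没有已保存值的情况下调用 +[NSUUID UUID] 生成一个随机UUID并保存,返回前还会经过 applyPerUserEntropyNotDispatched:type: 处理;上面的代码中没有读取任何硬件标识。当 isAdTrackingEnabled 为假或 deviceUnlockedSinceBoot 为假时,返回的是 +[NSUUID _LS_nullUUID]。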