iOS逆向与安全9.2:越狱调试系统程序

tweak插件开发

1、连接手机 usb或者wifi 通过ssh连手机

2、ps -A查看所有应用

ps -A
找到目标应用

3、导出目标应用到mac端

scp -r -p 12345 root@localhost:/System/Library/CoreServices/SpringBoard.app
拷贝成功

4.导出头文件

加载进内存中Macho文件为已解密Macho 可直接导出有文件

class-dump -H SpringBoard -o sps/
导出成功

5.cy或者lldb调试

6.Monkey写tweak插件

  1. 新建logos tweak项目
新建tweak项目

2.配置注入程序
Package/Library/MobileSubstrate/DynamicLibraries/BadgeTweak.plist 文件 Filter/Bundles 字段 可多个程序注入


配置注入程序

3.配置打包信息
Build Setiings -> 搜索MONKEY

image.png
打包配置
连接信息
安装生效配置
  • 免配置连接信息
  1. monkey配置
    修改zshrc文件 monkey环境配置在zshrc,不在base_profile
vi ~./zshrc

在Monkey环境变量下插入 设备ip和设备端口,保存生效即可,在monkey项目中可不用再配置设备ip和设备端口

插入设备ip和设备端口
  1. theos 配置
    theos 项目目录必须为英文
    加入THEOS_DEVICE_IP和THEOS_DEVICE_PORT
    修改base_profile theos 环境配置在base_profile文件中
vi ~./base_profile
配置theos设备ip和端口

tweak插件原理

tweak插件打包deb,安装到手机后
在手机Library/MobileSubstrate/DynamicLibraries目录下
有dylid文件和plist配置文件

deb包安装目录

手机控制台查看注入进程


插件注入成功

tweak插件通过环境变量插入动态库到应用从而达到改变应用的目的

DYLD_INSERT_LIBRARIES 防护 tweak插件

dyld加载应用过程,是否设置限制插入动态库,如果限制限制插入动态库,所有插入动态库被设为空。

dyld判断是否限制插入动态库
  • Macho文件中__RESTRICT 字段不为空,并且值为__restrict,则设置了限制插入动态库。


    判断Macho文件"__RESTRICT"字段和值"__restrict"
判断Macho文件"__RESTRICT"字段和值"__restrict"
  • 设置_RESTRICT和值__restrict,设置了限制插入动态库,做防护

项目中 Build Settings -> other Linker Flags 添加字段

Build Settings -> other Linker Flags 添加
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null

添加RESTRICT限制动态库插入

添加RESTRICT限制动态库插入 dump砸壳会失效

破解RESTRICT字段防护,破解限制动态库注入防护

  • 可直接修改Macho文件中的RESTRICT来破解限制动态库注入防护。
  1. Synalyze it! Pro 工具修改


    image.png
image.png
  1. MachoView 工具修改
MachoView修改

修改完签名被破坏,需要重新签名。

dyld加载,限制动态库注入防护检测

RESTRICT字段限制动态库注入防护升级
防止macho文件中RESTRICT被修改,从而防护失效

注意 iOS10 以后,苹果的LYLD 不再检测 RESTRICT字段了,改方法不适应iOS10以后

防护相关的检测,bool类型!!

#import <mach-o/loader.h>
#import <mach-o/dyld.h>

#if __LP64__
#define macho_header               mach_header_64
#define LC_SEGMENT_COMMAND        LC_SEGMENT_64
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO
#define macho_segment_command    segment_command_64
#define macho_section            section_64
#else
#define macho_header               mach_header
#define LC_SEGMENT_COMMAND        LC_SEGMENT
#define LC_SEGMENT_COMMAND_WRONG LC_SEGMENT_64
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO_64
#define macho_segment_command    segment_command
#define macho_section            section
#endif

+(void)load
{
    const struct mach_header_64 * header = _dyld_get_image_header(0);//我自己??
    if (hasRestrictedSegment(header)) {
        NSLog(@"防止Tweak注入状态!!");
    }else{
        NSLog(@"被修改了!!");//做相应处理
    }
    
}


static bool hasRestrictedSegment(const struct macho_header* mh){

    const uint32_t cmd_count = mh->ncmds;
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND:
            {
                const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
                
                printf("seg name: %s\n", seg->segname);
                if (strcmp(seg->segname, "__RESTRICT") == 0) {
                    const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
                    const struct macho_section* const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strcmp(sect->sectname, "__restrict") == 0)
                            return true;
                    }
                }
            }
                break;
        }
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    
    return false;
} 
   }

白名单检测防护

#import <mach-o/dyld.h>
#import <mach-o/loader.h>

+(void)load
{
    HKCheckWhitelist();
}


bool HKCheckWhitelist(){
    
    int count = _dyld_image_count();//原app加载了多少数量
    
    for (int i = 0; i < count; i++) {
        //遍历拿到库名称!
       const char * imageName = _dyld_get_image_name(i);
      
       // libraries(白名单)是否包含imageName库名,var/mobile/Containers/Bundle/Application目录为应用本身不检测,
        if (!strstr(libraries, imageName)&&!strstr(imageName, "/var/mobile/Containers/Bundle/Application")) {
            printf("该库非白名单之内!!\n%s",imageName);
//            return NO;
        }
    }
    return YES;
}


const char * libraries = "/var/mobile/Containers/Bundle/Application/AD8D84E6-E893-4C96-A29A-FBD13AF4B461/WhitelistDemo.app/WhitelistDemo/Library/MobileSubstrate/MobileSubstrate.dylib/Developer/usr/lib/libBacktraceRecording.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib/System/Library/Frameworks/Foundation.framework/Foundation/usr/lib/libobjc.A.dylib/usr/lib/libSystem.B.dylib/System/Library/Frameworks/UIKit.framework/UIKit/usr/lib/libextension.dylib/usr/lib/libarchive.2.dylib/usr/lib/libicucore.A.dylib/usr/lib/libxml2.2.dylib/usr/lib/libz.1.dylib/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation/System/Library/Frameworks/CFNetwork.framework/CFNetwork/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration/System/Library/Frameworks/Security.framework/Security/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit/usr/lib/libCRFSuite.dylib/usr/lib/liblangid.dylib/usr/lib/libc++abi.dylib/usr/lib/libc++.1.dylib/usr/lib/system/libcache.dylib/usr/lib/system/libcommonCrypto.dylib/usr/lib/system/libcompiler_rt.dylib/usr/lib/system/libcopyfile.dylib/usr/lib/system/libcorecrypto.dylib/usr/lib/system/introspection/libdispatch.dylib/usr/lib/system/libdyld.dylib/usr/lib/system/liblaunch.dylib/usr/lib/system/libmacho.dylib/usr/lib/system/libremovefile.dylib/usr/lib/system/libsystem_asl.dylib/usr/lib/system/libsystem_blocks.dylib/usr/lib/system/libsystem_c.dylib/usr/lib/system/libsystem_configuration.dylib/usr/lib/system/libsystem_containermanager.dylib/usr/lib/system/libsystem_coreservices.dylib/usr/lib/system/libsystem_coretls.dylib/usr/lib/system/libsystem_dnssd.dylib/usr/lib/system/libsystem_info.dylib/usr/lib/system/libsystem_kernel.dylib/usr/lib/system/libsystem_m.dylib/usr/lib/system/libsystem_malloc.dylib/usr/lib/system/libsystem_network.dylib/usr/lib/system/libsystem_networkextension.dylib/usr/lib/system/libsystem_notify.dylib/usr/lib/system/libsystem_platform.dylib/usr/lib/system/libsystem_pthread.dylib/usr/lib/system/libsystem_sandbox.dylib/usr/lib/system/libsystem_trace.dylib/usr/lib/system/libunwind.dylib/usr/lib/system/libvminterpose.dylib/usr/lib/system/libxpc.dylib/usr/lib/libbz2.1.0.dylib/usr/lib/liblzma.5.dylib/usr/lib/libMobileGestalt.dylib/usr/lib/libsqlite3.dylib/usr/lib/libenergytrace.dylib/usr/lib/libbsm.0.dylib/System/Library/PrivateFrameworks/UIFoundation.framework/UIFoundation/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface/System/Library/PrivateFrameworks/PowerLog.framework/PowerLog/System/Library/PrivateFrameworks/HangTracer.framework/HangTracer/usr/lib/liblockdown.dylib/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag/System/Library/PrivateFrameworks/UserNotificationServices.framework/UserNotificationServices/System/Library/PrivateFrameworks/FrontBoardServices.framework/FrontBoardServices/System/Library/PrivateFrameworks/BaseBoard.framework/BaseBoard/System/Library/PrivateFrameworks/CoreUI.framework/CoreUI/System/Library/Frameworks/CoreVideo.framework/CoreVideo/System/Library/Frameworks/OpenGLES.framework/OpenGLES/System/Library/Frameworks/VideoToolbox.framework/VideoToolbox/System/Library/PrivateFrameworks/MobileAsset.framework/MobileAsset/System/Library/PrivateFrameworks/BackBoardServices.framework/BackBoardServices/System/Library/Frameworks/CoreImage.framework/CoreImage/System/Library/PrivateFrameworks/DictionaryServices.framework/DictionaryServices/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics/System/Library/Frameworks/ImageIO.framework/ImageIO/System/Library/Frameworks/QuartzCore.framework/QuartzCore/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices/System/Library/PrivateFrameworks/AppSupport.framework/AppSupport/System/Library/Frameworks/CoreText.framework/CoreText/System/Library/PrivateFrameworks/TextInput.framework/TextInput/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices/System/Library/PrivateFrameworks/WebKitLegacy.framework/WebKitLegacy/System/Library/PrivateFrameworks/WebCore.framework/WebCore/System/Library/PrivateFrameworks/ProofReader.framework/ProofReader/usr/lib/libAccessibility.dylib/System/Library/Frameworks/Accelerate.framework/Accelerate/System/Library/PrivateFrameworks/PhysicsKit.framework/PhysicsKit/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator/System/Library/Frameworks/Metal.framework/Metal/System/Library/PrivateFrameworks/FontServices.framework/FontServices/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vImage.framework/vImage/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/vecLib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvDSP.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLAPACK.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libBLAS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvMisc.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLinearAlgebra.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libSparseBLAS.dylib/System/Library/PrivateFrameworks/AppleJPEG.framework/AppleJPEG/System/Library/PrivateFrameworks/GPUCompiler.framework/libmetal_timestamp.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreFSCache.dylib/System/Library/PrivateFrameworks/IOAccelerator.framework/IOAccelerator/System/Library/Frameworks/OpenGLES.framework/libGFXShared.dylib/System/Library/Frameworks/OpenGLES.framework/libGLImage.dylib/System/Library/Frameworks/OpenGLES.framework/libCVMSPluginSupport.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreVMClient.dylib/System/Library/PrivateFrameworks/MobileSystemServices.framework/MobileSystemServices/System/Library/PrivateFrameworks/AssertionServices.framework/AssertionServices/System/Library/Frameworks/MetalPerformanceShaders.framework/MetalPerformanceShaders/System/Library/PrivateFrameworks/Quagga.framework/Quagga/System/Library/PrivateFrameworks/FaceCore.framework/FaceCore/System/Library/Frameworks/CoreMedia.framework/CoreMedia/System/Library/PrivateFrameworks/ColorSync.framework/ColorSync/usr/lib/libiconv.2.dylib/System/Library/PrivateFrameworks/UserFS.framework/UserFS/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport/System/Library/Frameworks/CoreAudio.framework/CoreAudio/System/Library/PrivateFrameworks/AggregateDictionary.framework/AggregateDictionary/usr/lib/libxslt.1.dylib/usr/lib/libmarisa.dylib/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox/System/Library/PrivateFrameworks/TCC.framework/TCC/System/Library/PrivateFrameworks/LanguageModeling.framework/LanguageModeling/usr/lib/libcmph.dylib/System/Library/Frameworks/MediaAccessibility.framework/MediaAccessibility/usr/lib/libstdc++.6.dylib/Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLoader.dylib/Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate";


最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 212,332评论 6 493
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 90,508评论 3 385
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 157,812评论 0 348
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 56,607评论 1 284
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 65,728评论 6 386
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 49,919评论 1 290
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,071评论 3 410
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 37,802评论 0 268
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,256评论 1 303
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 36,576评论 2 327
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 38,712评论 1 341
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 34,389评论 4 332
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,032评论 3 316
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 30,798评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,026评论 1 266
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 46,473评论 2 360
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 43,606评论 2 350

推荐阅读更多精彩内容