IOS ice and fire songs-App Hook on a non-jailbreaking mobile phone

IOS ice and fire songs-App Hook on a non-jailbreaking mobile phone

0x00

Ice refers to the user State, and fire refers to the kernel state. How to break through the user State sandbox like a refrigerator and finally reach and control the burning kernel like a flame is what will be described in the "Song of iOS ice and fire" series of articles. But before talking about the main story, let's talk about the branch story today-Hook apps on non-jailbreaking iOS. With this technology, you can implement various hook functions (e.g ., automatic snatching of red packets, automatic chat robots, game plug-ins, etc.), but the purpose of this article is not to encourage everyone to use plug-ins, not to encourage everyone to sell plug-ins, therefore, do not use this technology to do anything illegal.

The series of iOS song of ice and fire are as follows:

Objective-C Pwn and iOS arm64 ROP Hook apps on non-jailbreaking iOS apps) please refer to the following link for more information:

The Code involved in this article can be downloaded from my github:
Https://github.com/zhengmin1989/iOS_ICE_AND_FIRE

0x01 Mach-O LC_LOAD_DYLIB Hook

If I have read the android dynamic debugging Seven Weapons hook-Hooking (on) http://drops.wooyun.org/tips/9300 and Android dynamic debugging Seven Weapons hook-Hooking (on) http://drops.wooyun.org/papers/10156 students should know in android hook method can be five flowers eight books. In fact, there are many hook methods on iOS, but most of them need to be jailbroken (for example, Cydia Substrate, which is most commonly used ), today I will introduce a method to hook iOS apps without jailbreak, that is, Mach-O LC_LOAD_DYLIB Hook. This method loads the third-party dylib and implements the hook by modifying the binary itself. The specific idea is as follows:

Extract the binary file in ipa-> modify the Load Commands list of the binary file, and add dylib-> hook. in the constructor function, dylib completes hook-> signing, packaging, and installing the modified ipa.

First, let's take a look at the target app we are going to inject. This app is very simple, that is, calling the talker class mentioned in the previous chapter to output a sentence "Hello, iOS !".

In the Products folder, we can see the IceAndFire. app file, that is, the compiled app:

IceAndFire. app is actually a folder. You can see a lot of resource files (signature information, images, etc.), but the most important thing is the binary file IceAndFire with the same name as the folder. We can use the xxd command to view the content:

This binary file stores all the logic of the IceAndFire app, but it is too hard to directly view the binary code. Here I recommend a software called MachOView (which can be downloaded from my github ), through this software, we can see the structure of the entire MachO file:

In the data segment Load Commands, we can see that the binary file IceAndFire will automatically Load dynamic libraries such as Foundation and libobjc. A. dylib at startup. If we modify the Load Commands structure of the MachO file, can the IceAndFire app Load our custom dylib for hook at startup? That's right. This idea is feasible. In addition, as long as the corresponding hook logic is completed in the dylib constructor, you can hook the specified function at app startup.

So how to modify the MachO struct? Using a binary editor such as 010 editor is indeed a method, but it is really troublesome. The good news is that the Kim Jong Il team has prepared the tool for automatic injection into dylib for us. This tool named yololib can help us directly inject dylib: https://github.com/kjcracks/yololib. But the author only released the source code did not release binary, I helped you compile a copy of The threw on my github (https://github.com/zhengmin1989/iOS_ICE_AND_FIRE ).

After compiling yololib, we only need to execute it on mac:

#! Bash./yololib [binary]? [Dylib file]./yololib [binary file of dylib inserted] [dylib to be inserted]

Run the following command to complete dylib injection ,:

Now let's take a look at the IceAndFire binary file using MachOView and we will see that hook1.dylib has been successfully injected into it:

"@ Executable_path/hook1.dylib" indicates that the binary file will load hook1.dylib in the current directory. Therefore, the compiled hook1.dylib should be put together with the binary file in IceAndFire. in the app folder, so that we can ensure that hook1.dylib can be correctly loaded when running the app.

0x02 CaptainHook for Dylib

After modifying the Load Commands structure of the app binary file, let's take a look at how to construct a third-party dylib for hook. Because the app will certainly not take the initiative to call the functions in the third-party dylib, if we want the third-party dylib to perform the hook operation, we need to write the hook logic into the constructor. It is very easy to implement the constructor. You only need to declare "_ attribute _ (constructor) static" before the function. Let's write "Hello, Ice and Fire!" first !" Test:

After compiling the dylib file, we will sign, package, and install the dylib file with the app. Then we run the program and we can see that the injected dylib library was successfully loaded and executed when the program was started.

The next step is to hook a specific function. Here I recommend using the CaptainHook framework. The author has helped us implement various macros required by the hook. You can complete the hook for specific functions by following the steps below:

Use CHDeclareClass () to declare the class you want to hook. Use CHLoadClass () or CHLoadLateClass () to load the declared class in the constructor. Use CHMethod () to hook the corresponding method in CHMethod () you can use CHSuper () to call the original function. Use CHClassHook () in the constructor to register the method to be hooked.

For example, we want to hook the "say method" in the Talker class, so that the app can modify the method parameter when calling the "say", so that the "Hello, Android !", We only need to write the source code of dylib as follows:

#!objc#import 
 
  CHDeclareClass(Talker);CHMethod(1, void, Talker, say, id, arg1){    NSString* tmp=@"Hello, Android!";    CHSuper(1, Talker, say, tmp);}__attribute__((constructor)) static void entry(){    NSLog(@"Hello, Ice And Fire!");    CHLoadLateClass(Talker);    CHClassHook(1, Talker,say);}
 

The macro format of CHMethod () is: number of parameters, type of return value, class name, selector name, selector type, and variable name of the parameter corresponding to selector.

The format of the macro CHClassHook () is: number of parameters, type of returned values, class name, and selector name.

After writing the code, we compile the source code and sign, package, and install the generated dylib file with the app. After running the program, we can see that the dylib library we injected has successfully hooked the say method. We should have output "Hello, iOS !", We have successfully changed to "Hello, Android !" :

0x03 signature, packaging, and installation

We know that a very important feature of the iPhone after jailbreak is that it can disable app signature verification. After the signature verification is disabled, apps on the App Store (both paid and free) it can be pirated and installed free of charge. However, on a non-jailbroken iPhone, the system requires that the app must have a valid signature and cannot be installed. In fact, in addition to the legal signature of the app on the AppStore, we can also use the developer certificate or enterprise certificate to make the app without a legal signature have a legal signature.

When we have a developer account and installed a certificate on the machine, we can see our signature information in the Keychain Access tool:

What we will do next is to use this developer certificate to sign our modified IceAndFire. app. The procedure is as follows:

First, ensure that the IceAndFire. app folder contains the correct embedded. mobileprovision file:

If you do not have one, you can go to Apple's Developer Center (pai.apple.com) to generate one. For individual developers, add the UDID of iOS devices to the device list of the developers and generate the embedded. mobileprovision file. For enterprise certificates, there is no limit on the number of devices.

Entitlements. plist:

The most important thing to note here is that the application-identifier must contain the correct Team ID (which can be viewed in the Developer Center) and the corresponding Bundle ID.

Use codesign to sign the hook's dylib:

#!bashcodesign -f -s "iPhone Developer: [email protected] (XXXXXXXXX)" IceAndFire.app/hook1.dylib

Use codesign to sign the app:

#!bashcodesign -f -s "iPhone Developer: [email protected] (XXXXXXXXX)" --entitlements Entitlements.plist IceAndFire.app

Use xcrun to package IceAndFire. app into IceAndFire. ipa:

#!bashxcrun -sdk iphoneos PackageApplication -v IceAndFire.app  -o ~/iOSPwn/hook/github/IceAndFire.ipa

Use itunes or mobiledevice for installation.

If it succeeds, "OK" is displayed ". Then you can use the modified app on a non-jailbreaking mobile phone.

0x04 Class-dump and ida

Through the introduction in the above sections, we have already walked through the non-Jailbreak app hook process, but at this time someone will ask: "Your hook app is written by yourself, of course, you know which function should be hooked. I want to hook all apps on the app Store and there is no source code. What should I do?" In fact, this problem is not difficult to solve. You only need to make good use of class-dump and ida.

Class-dump is a tool that can be used to dump header files:

For example, if we want to dump the header file of XXX, we only need to execute:

#!bash./class-dump -H -o header XXX

After dump, all header files are saved in the "header" folder:

Each header file contains the declaration of classes and methods:

We can see that using class-dump can help us understand the internal structure of the app. However, class-dump can only obtain the header file of the app and does not know the specific logic of each method. At this time, ida is required.

Using ida, we can obtain the specific logic of a method, but you need to have a certain understanding of arm assembly:

For example, the function shown in is to call NSLog (@ "% @ \ n") to output the parameter content to the console. Only by understanding what a function is doing can we learn how to hook it.

0x05 principle of automatic snatching of Red Packets

The plug-in for automatic snatching of red packets is nothing more than hook the function for receiving messages, and then judge whether there are any red packets in the message. If so, you can directly call the function to open the red envelope. However, because the main purpose of this article is to introduce app hooks for non-jailbreaking mobile phones, rather than encouraging you to use plug-ins, the details of implementation will not be published, if you are interested, you can try to write one by yourself. Although the effect is not as cool as the mechanical flow, it does save time and effort.

0x06 Summary

Through this article, we can see that even non-jailbreaking iOS systems can still play a lot of tricks. Therefore, major it vendors should not blindly trust the security of non-jailbreaking iOS systems. Important logic such as red envelopes and payments must be obfuscated and reinforced, and integrity verification must be provided for apps. Otherwise, a good white hat may just write a plug-in for auto-snatching of red packets, but hackers may use this technology to develop various plug-ins to make profits or allow users to accidentally install apps with backdoors, what will happen next will only be known by the day.

Finally, I would like to thank my colleagues, and Yao, for their help and guidance in this article.

PS: The Code involved in this article can be downloaded from my github:

Https://github.com/zhengmin1989/iOS_ICE_AND_FIRE