iOS Development / App Security / Notes on Automatic Code Obfuscation

Source: Internet
Author: User

I recently worked on a banking project and learned a little about app security ... Rather embarrassingly, besides the usual encryption and decryption of network parameters and the prevention of data replay, the risk of decompilation was also raised. In fact, Apple is relatively safe, and decompilation only reveals the .h files .... But it would still be better to obfuscate the code.

I. Create new confuse.sh and gbfunc.list files in the project root directory

Description

confuse.sh is executed during compilation to obfuscate the code automatically; gbfunc.list stores the method names to be obfuscated once they have been filtered out.

touch confuse.sh

touch gbfunc.list

II. Create a new GBConfuse.h

Description

When the code is obfuscated automatically, the generated string-definition macros are stored in GBConfuse.h, which also makes them easy to view.

Note: the .h file needs to be moved out of the project files, because if it stays in the project files, the contents of GBConfuse.h can still be obtained when the app is decompiled, and the method names can then be recovered by comparison. (I only understood this later, after decompiling with class-dump ...)

III. Add the following code to confuse.sh

#!/usr/bin/env bash

TABLENAME=symbols
SYMBOL_DB_FILE="symbols"

# Path of gbfunc.list
STRING_SYMBOL_FILE="$PROJECT_DIR/gbfunc.list"

# Project file path
CONFUSE_FILE="$PROJECT_DIR/safedemo"

# Path of GBConfuse.h
HEAD_FILE="$PROJECT_DIR/GBConfuse.h"

export LC_CTYPE=C

# Take the lines of .m or .h files that begin with + or - | remove all + and - signs | replace the symbols with spaces | remove the spaces before a < sign | drop lines that begin with IBAction | split on spaces and take the second field | sort | de-duplicate | delete blank lines | keep only names that start with Gbsafe_ > write to gbfunc.list
grep -h -r -I "^[-+]" "$CONFUSE_FILE" --include '*.[mh]' | sed 's/[+-]//g' | sed 's/[();,: *^\/{]/ /g' | sed 's/[ ]*</</' | sed '/^[ ]*IBAction/d' | awk '{split($0,b," "); print b[2]; }' | sort | uniq | sed '/^$/d' | sed -n '/^Gbsafe_/p' > "$STRING_SYMBOL_FILE"

# Maintain a database to make later de-duplication easier; the following code is from the Weibo blog
createTable()
{
    echo "create table $TABLENAME(src text, des text);" | sqlite3 "$SYMBOL_DB_FILE"
}

insertValue()
{
    echo "insert into $TABLENAME values('$1', '$2');" | sqlite3 "$SYMBOL_DB_FILE"
}

query()
{
    echo "select * from $TABLENAME where src='$1';" | sqlite3 "$SYMBOL_DB_FILE"
}

# 16 random letters used as the replacement name
ramdomString()
{
    openssl rand -base64 64 | tr -cd 'a-zA-Z' | head -c 16
}

rm -f "$SYMBOL_DB_FILE"
rm -f "$HEAD_FILE"
createTable

touch "$HEAD_FILE"

# This also needs to be modified: the include guard for your header file
echo '#ifndef GBConfuse_h
#define GBConfuse_h' >> "$HEAD_FILE"
echo "//confuse string at $(date)" >> "$HEAD_FILE"

# One "#define <method name> <random string>" per name in gbfunc.list
cat "$STRING_SYMBOL_FILE" | while read -ra line; do
    if [[ -n "$line" ]]; then
        ramdom=$(ramdomString)
        echo "$line" "$ramdom"
        insertValue "$line" "$ramdom"
        echo "#define $line $ramdom" >> "$HEAD_FILE"
    fi
done

echo "#endif" >> "$HEAD_FILE"

sqlite3 "$SYMBOL_DB_FILE" .dump

The parts of the code that need to be modified are the file paths.

IV. Add a Run Script

V. Add a PCH file

VI. Add a test method prefixed with "Gbsafe_" in ViewController

VII. Testing

Running it produces the following error:

The reason is that the .sh file does not have execute permission, so the permission needs to be granted.

In the directory that contains confuse.sh, execute the command:

chmod 755 confuse.sh

It runs successfully!

Package an .ipa installation package for testing!

First, without obfuscating the code:

Change the .ipa file extension to .zip and unzip it to get the .app file.

Create a new hear folder to hold the files obtained from decompiling:

Decompile with class-dump:

class-dump -H <path of the executable to crack> -o <path where the dumped header files are stored>

This gives the files of the build without code obfuscation:

You can see that some of the project's .h files are there; open them and the full method names are visible ....

Then the client said the testing company said it wasn't safe ...

Code obfuscation was required ...

In the PCH file, import GBConfuse.h:

Repackage, and you get the obfuscated .ipa.

Here is the result of the obfuscation.
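The testing steps and the note about GBConfuse.h, turned into a repeatable check: it confirms that no name from gbfunc.list survives in the class-dump output and that the mapping files are not inside the .app bundle. This is an added example, not code from the original article; the function names check_obfuscation and demo_check and the sample method names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. The arguments are paths the
# caller supplies; the sample names in demo_check are constructed.
#
# check_obfuscation LIST DUMP_DIR APP_DIR
#   LIST      gbfunc.list written by confuse.sh (original method names)
#   DUMP_DIR  headers class-dump produced from the packaged executable
#   APP_DIR   the unzipped .app bundle
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_obfuscation() {
    local list="$1" dump_dir="$2" app_dir="$3" findings=0 name shipped

    # 1. A listed name that still appears as a whole word in the dumped
    #    headers was not replaced (e.g. the PCH does not import GBConfuse.h).
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if grep -rqwF -- "$name" "$dump_dir"; then
            echo "LEAK: $name is still visible in the class-dump output"
            findings=$((findings + 1))
        fi
    done < "$list"

    # 2. GBConfuse.h and the sqlite "symbols" file map the random strings
    #    back to the real names, and gbfunc.list lists the real names, so
    #    none of them may be packaged into the bundle.
    shipped=$(find "$app_dir" -type f \( -iname 'GBConfuse.h' \
                  -o -iname 'gbfunc.list' -o -iname 'symbols' \))
    if [ -n "$shipped" ]; then
        echo "SHIPPED: $shipped"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: one name left in clear and the header in the bundle.
demo_check() {
    local tmp status=0
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dump" "$tmp/Demo.app"
    printf '%s\n' 'Gbsafe_login' 'Gbsafe_pay' > "$tmp/gbfunc.list"
    printf '%s\n' '- (void)Gbsafe_login;' '- (void)qWeRtYuIoPaSdFgH;' \
        > "$tmp/dump/ViewController.h"
    : > "$tmp/Demo.app/GBConfuse.h"
    check_obfuscation "$tmp/gbfunc.list" "$tmp/dump" "$tmp/Demo.app" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Run it after each repackaging, passing the real gbfunc.list, the class-dump output folder and the unzipped .app; a non-zero exit status means the build should not be shipped as it is.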

Summary:

In fact, the principle should be that, during compilation, the code that needs to be obfuscated is replaced with randomly generated strings ....
