Preventing tweak attachment: the app has a clever trick; cracking app protection: the tweak has the last word


I believe most App Store developers will understand iOS development at a whole new level after reading iOS App Reverse Engineering. Once you go down the reversing road there is no way back: the appearance of tweaks made the authors of all kinds of unprotected apps kneel on the spot, with their apps toyed with in the palm of someone else's hand :cry:
However, the appearance of some well-defended apps has been a shot in the arm for App Store developers worried about security. They use protection techniques that lead the industry, and we should learn from them :handshake:. For example, the Meituan iOS client 4.8.1 released on September 30 blocks the injection of any dylib, so every tweak is dead in the water. Below I'll show everyone how Meituan does it, and by what means we can crack this kind of protection.
I. Download Meituan and play with it
After the download completes, launch the app, SSH into the device and run

```
ps -e
```

to get the output

```
1374 ??         0:03.53 /var/mobile/Applications/DCDC3F9D-227A-414F-B796-54AA9DB0F39A/imeituan.app/imeituan
```

All right, we've got the app's directory path and process name. Now let's try to inject a dylib with Cycript and debug it dynamically with debugserver:

[Screenshot missing: the original image could not be recovered]

Well... things got tricky: both dylib injection and dynamic debugging failed. A dynamic debugging failure is most likely the ptrace trick, which I won't repeat here since a quick search online turns up plenty of examples. A dylib injection failure is something relatively few people run into, so let's start from there and see what happened.

II. Anti-DYLD_INSERT_LIBRARIES
Dylib injection is generally implemented through the DYLD_INSERT_LIBRARIES environment variable. Now that injection fails, meaning the dylib's constructor is never executed at all, the behavior cannot be coming from Meituan's own code; it must happen before that code runs. In that case it is most likely some flag in the Mach-O header that makes dyld [3] deliberately ignore the variable. So...
Let's go straight to the dyld source [3]. OK, the source is not long in total, and we focus on the pruneEnvironmentVariables function and the comment on it (shown in a screenshot that is missing here). Also note this switch case:

```cpp
switch (sRestrictedReason) {
    case restrictedNot:
        break;
    case restrictedBySetGUid:
        dyld::log("main executable (%s) is setuid or setgid\n", sExecPath);
        break;
    case restrictedBySegment:
        dyld::log("main executable (%s) has __RESTRICT/__restrict section\n", sExecPath);
        break;
    case restrictedByEntitlements:
        dyld::log("main executable (%s) is code signed with entitlements\n", sExecPath);
        break;
}
```

In three cases dyld ignores the DYLD_ environment variables, namely when:
1. the executable is setuid or setgid;
2. the executable contains the section __RESTRICT/__restrict;
3. the executable is code signed with entitlements.
Because of Apple's review process, cases 1 and 3 cannot be chosen freely by the developer, so they are unlikely to show up in an App Store app. To be sure, let's quickly verify:

```
FunMaker-5s:~ root# ls -l /var/mobile/Applications/DCDC3F9D-227A-414F-B796-54AA9DB0F39A/imeituan.app/imeituan
-rwxr-xr-x 1 mobile mobile 25340624 Sep 10:23 /var/mobile/Applications/DCDC3F9D-227A-414F-B796-54AA9DB0F39A/imeituan.app/imeituan*
FunMaker-5s:~ root# ldid -e /var/mobile/Applications/DCDC3F9D-227A-414F-B796-54AA9DB0F39A/imeituan.app/imeituan
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>keychain-access-groups</key>
	<array>
		<string>fss9ancq68.com.meituan.access</string>
		<string>fss9ancq68.com.meituan.imeituan</string>
	</array>
	<key>com.apple.developer.pass-type-identifiers</key>
	<array>
		<string>t3zlxp4k5b.*</string>
	</array>
	<key>application-identifier</key>
	<string>fss9ancq68.com.meituan.imeituan</string>
	<key>aps-environment</key>
	<string>production</string>
</dict>
</plist>
```

As you can see, the imeituan executable has neither the setuid/setgid bit nor any special entitlements, so there is a strong chance it contains the __RESTRICT/__restrict section. To check this idea, just open it in the modified MachOView from fG!, one of the top reversers on OS X, and have a look:


Well, this should be the big weapon used by Meituan 4.8.1. This anti-DYLD_INSERT_LIBRARIES method was in fact already mentioned by geohot [2] back at the time of the iOS 7 untethered jailbreak :shocked: Respect!!!
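To go with the three-condition list above and the MachOView check, here is an added Python script that is not part of the original post, of dyld, or of MachOView. It walks a Mach-O's load commands the way dyld's hasRestrictedSegment() in dyld.cpp does and reports whether a __RESTRICT segment holds a __restrict section, for each slice of a fat file. The Mach-O constants and struct layouts come from <mach-o/loader.h> and <mach-o/fat.h>; the sample images it parses when run without arguments are constructed in memory (headers only, not loadable binaries), so it runs offline; pass a path to check a real executable.

```python
"""Check a Mach-O image for the __RESTRICT/__restrict section that makes dyld
ignore DYLD_INSERT_LIBRARIES (added example; constants from <mach-o/loader.h>
and <mach-o/fat.h>, sample images below are constructed test data)."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin, little-endian images
FAT_MAGIC = 0xCAFEBABE                            # universal container, big-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SEG64_FMT, SECT64_FMT = "<II16sQQQQiiII", "<16s16sQQIIIIIIII"
SEG32_FMT, SECT32_FMT = "<II16sIIIIiiII", "<16s16sIIIIIIIII"


def _name(raw):
    """Read a fixed 16-byte, NUL-padded name the way dyld's strcmp sees it."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def restricted_sections(image):
    """Return [(segname, sectname)] for every __RESTRICT/__restrict pair in a thin
    Mach-O. Same walk as dyld's hasRestrictedSegment(): look at each LC_SEGMENT(_64)
    named __RESTRICT and at each of its sections named __restrict."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_len, seg_fmt, sect_fmt = 32, SEG64_FMT, SECT64_FMT
    elif magic == MH_MAGIC:
        hdr_len, seg_fmt, sect_fmt = 28, SEG32_FMT, SECT32_FMT
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    found, off = [], hdr_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > hdr_len + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            seg = struct.unpack_from(seg_fmt, image, off)
            segname, nsects = _name(seg[2]), seg[9]
            if segname == "__RESTRICT":
                sect_off = off + struct.calcsize(seg_fmt)
                for _ in range(nsects):
                    sect = struct.unpack_from(sect_fmt, image, sect_off)
                    if _name(sect[0]) == "__restrict":
                        found.append((segname, _name(sect[0])))
                    sect_off += struct.calcsize(sect_fmt)
        off += cmdsize
    return found


def restricted_sections_by_arch(blob):
    """Fat (universal) files hold one thin image per CPU type; check each slice.
    Returns {cputype: [...]}; a thin file is reported under the key None."""
    if struct.unpack_from(">I", blob, 0)[0] != FAT_MAGIC:
        return {None: restricted_sections(blob)}
    nfat = struct.unpack_from(">I", blob, 4)[0]
    result = {}
    for i in range(nfat):
        cputype, _, offset, size, _ = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
        result[cputype] = restricted_sections(blob[offset:offset + size])
    return result


def build_thin_sample(segname, sectname):
    """Constructed test data: a minimal 64-bit Mach-O header with one segment that
    holds one (empty) section, named as given. Not a loadable binary."""
    cmd_len = struct.calcsize(SEG64_FMT) + struct.calcsize(SECT64_FMT)
    pad = lambda s: s.encode().ljust(16, b"\0")
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, cmd_len, 0, 0)
    segment = struct.pack(SEG64_FMT, LC_SEGMENT_64, cmd_len, pad(segname),
                          0, 0, 0, 0, 0, 0, 1, 0)
    section = struct.pack(SECT64_FMT, pad(sectname), pad(segname),
                          0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return header + segment + section


def build_fat_sample(slices):
    """Constructed test data: wrap (cputype, thin image) pairs in a fat container."""
    off = 8 + 20 * len(slices)
    archs, body = b"", b""
    for cputype, img in slices:
        archs += struct.pack(">iiIII", cputype, 0, off, len(img), 0)
        body += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # a real file from disk
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                      # constructed demo: protected slice vs. plain slice
        data = build_fat_sample([(0x0100000C, build_thin_sample("__RESTRICT", "__restrict")),
                                 (12, build_thin_sample("__TEXT", "__text"))])
    for cputype, hits in restricted_sections_by_arch(data).items():
        status = "DYLD_INSERT_LIBRARIES will be ignored" if hits else "no __RESTRICT/__restrict"
        print("cputype %s: %s" % (cputype, status))
```

For a developer shipping this protection, the useful direction is the other one: the section is normally added with the linker flag `-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null`, and running this script over the built app confirms the section survived the build for every architecture slice. Note that dyld compares names with strcmp, which is why the check above matches exact names only.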

III. Anti-anti-DYLD_INSERT_LIBRARIES
Since anti-DYLD_INSERT_LIBRARIES is implemented with __RESTRICT/__restrict, anti-anti-DYLD_INSERT_LIBRARIES is naturally equivalent to anti-__RESTRICT/__restrict, and that is very simple too: open the imeituan executable with MacVim or another binary editor and rename all the __RESTRICT/__restrict strings, for example:


Now dyld cannot find __RESTRICT/__restrict, so it no longer ignores DYLD_INSERT_LIBRARIES!
Copy the modified imeituan back to iOS:

```
snakeninnys-MacBook:~ snakeninny$ scp /Users/snakeninny/imeituan root@192.168.3.3:/var/mobile/Applications/DCDC3F9D-227A-414F-B796-54AA9DB0F39A/imeituan.app/imeituan
```

Because we statically patched the app's executable, its MD5 value has changed, Apple's signature is invalidated, and the app cannot launch under normal circumstances. Solving this is very convenient but also rather shameful, because it means using the sharp weapon of pirated apps: AppSync...
Search for AppSync in Cydia, install it and respring; it disables the iOS signature check. Once everything is ready, open Meituan and test with Cycript again:

```
FunMaker-5s:~ root# cycript -p imeituan
cy# [UIApp displayIdentifier]
@"com.meituan.imeituan"
```

That's a wrap.

IV. Summary
Looking back at our analysis after the fact, we can find a post by Sam [1] (search for "DYLD_INSERT_LIBRARIES __RESTRICT") that discusses exactly the content of this post. Besides being more professional and detailed, he also explains how to use this mechanism to add protection to your own app, whereas we have only done the wretched deed of tearing the protection down :huffy:. Worthy of respect!

References:
1. http://www.samdmarshall.com/blog/blocking_code_injection_on_ios_and_os_x.html
2. http://geohot.com/e7writeup.html
3. http://www.opensource.apple.com/source/dyld/dyld-210.2.3/src/dyld.cpp
4. https://theiphonewiki.com/wiki/Launchd.conf_untether

