Home > Developer > Mobile Develop

Simple anti-Ida for iOS executable files

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Ida doesn't need me to crap, this article explains how to achieve anti-IDA static analysis by simply changing the Mach-o file.

Let's talk about the Mach-o file Format section.

?

?

  2. struct ?section?{? / *?for?32-bit?architectures?*/
  4. ???? char ???????? SECTNAME[16];??? / *?name?of?this?section?*/
  6. ???? char ???????? SEGNAME[16];???? / *?segment?this?section?goes?in?*/ ??
  8. ???? uint32_t???? addr;??????? / *?memory?address?of?this?section?*/ ??
  10. ???? uint32_t???? size;??????? / *?size?in?bytes?of?this?section?*/ ??
  12. ???? uint32_t???? offset;????? / *?file?offset?of?this?section?*/
  14. ???? uint32_t???? Align;?????? / *?section?alignment? (power?of?2) */
  16. ???? uint32_t???? Reloff;????? / *?file?offset?of?relocation?entries?*/ ??
  18. ???? uint32_t???? Nreloc;????? / *?number?of?relocation?entries?*/ ??
  20. ???? uint32_t???? Flags;?????? / *?flags? (section?type?and?attributes) */
  22. ???? uint32_t???? reserved1;?? / *?reserved? (for?offset?or?index)? */
  24. ???? uint32_t???? Reserved2;?? / *?reserved? (for?count?or?sizeof)? */
  26. }; ?

The primary function of the SectionTo property is to tell the load, the virtual address (addr) of the load to memory, the size, and the offset of the section's physical address in the file (offset).

The validation of executable file legitimacy just does the segment layer, for section section layer does not verify that the loader simply maps the segment address linearly to memory, has a large granularity, does not detail to the section, so the section properties are not used when loading, but Ida is a good student, relying entirely on the Mach format to analyze the file, the bug appears. (in fact, in win, OD also has a similar bug), So let's change the file manually to achieve the effect that Ida can't load and iOS will work.

Experiment 1: Change the physical address offset of the section.

1, first drag the file to Ida and we see the 2 sections below the text section.

"__text" and "__stub_helper "

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Sectname

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Segname

header:0000408c DCD 0xad00; Addr

header:0000408c DCD 0xd6938; Size

header:0000408c DCD 0x6d00; Offset

header:0000408c DCD 3; Align

header:0000408c DCD 0; Reloff

header:0000408c DCD 0; Nreloc

header:0000408c DCD 0x80000400; Flags

header:0000408c DCD 0; Reserved1

header:0000408c DCD 0; Reserved2

header:000040d0 DCB "__stub_helper", 0,0,0; Sectname

header:000040d0 DCB "__text", 0,0,0,0,0,0,0,0,0,0; Segname

Header:000040d0 DCD 0xe1638; Addr

Header:000040d0 DCD 0xe88; Size

Header:000040d0 DCD 0xdd638; Offset

Header:000040d0 DCD 2; Align

header:000040d0 DCD 0; Reloff

header:000040d0 DCD 0; Nreloc

Header:000040d0 DCD 0x80000400; Flags

header:000040d0 DCD 0; Reserved1

header:000040d0 DCD 0; Reserved2

?

The memory load address for the "__text" section is 0xad00 and the file offset is 0x6d00

The memory load address for the "__stub_helper" section is 0xe1638and the file offset is 0xdd638

2, we change the file offset of " __text" to "__stub_helper" file offset, keep the file after modification, continue to drag to the analysis under IDA, such as:

?

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Sectname

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Segname

header:0000408c DCD 0xad00; Addr

header:0000408c DCD 0xd6938; Size

header:0000408c DCD 0xdd638; Offset

header:0000408c DCD 3; Align

header:0000408c DCD 0; Reloff

header:0000408c DCD 0; Nreloc

header:0000408c DCD 0x80000400; Flags

header:0000408c DCD 0; Reserved1

header:0000408c DCD 0; Reserved2

header:000040d0 DCB "__stub_helper", 0,0,0; Sectname

header:000040d0 DCB "__text", 0,0,0,0,0,0,0,0,0,0; Segname

Header:000040d0 DCD 0xe1638; Addr

Header:000040d0 DCD 0xe88; Size

Header:000040d0 DCD 0xdd638; Offset

Header:000040d0 DCD 2; Align

header:000040d0 DCD 0; Reloff

header:000040d0 DCD 0; Nreloc

Header:000040d0 DCD 0x80000400; Flags

header:000040d0 DCD 0; Reserved1

header:000040d0 DCD 0; Reserved2

?

The physical offset of the two sections is 0xdd638.

Double-click the "__text" section to enter the code.

You can see the lower left corner, the physical address is 0xdd638, which is actually wrong, the physical address should be 0x6d00. We can conclude that IDA uses the physical address of the section directly, slacking off, and should actually use the segment address to calculate.


Experiment 2: Change the physical offset of the section to a number far beyond the file size.


header:0000408c; Sections

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Sectname

header:0000408c DCB "__text", 0,0,0,0,0,0,0,0,0,0; Segname

header:0000408c DCD 0xad00; Addr

header:0000408c DCD 0xd6938; Size

header:0000408c DCD 0xFFFFFFFF; Offset

header:0000408c DCD 3; Align

header:0000408c DCD 0; Reloff

header:0000408c DCD 0; Nreloc

header:0000408c DCD 0x80000400; Flags

header:0000408c DCD 0; Reserved1

header:0000408c DCD 0; Reserved2

?

Save the file after you change it, drag it to Ida,



Simple anti-Ida for iOS executable files

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
itools for ios build webkit for ios lastpass for ios apps qooapp for ios android emulator for ios ios simulator for mac android emulator for ios

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More