Anti-debugging protection

Prevents the app from being debugged after it has been re-signed

Code:

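#import <sys/sysctl.h>
#import <unistd.h>  // getpid()

/// Exits the process when -isDebug reports an attached debugger; otherwise only logs.
///
/// Security note: this is a single in-process check followed by a call to exit().
/// Both the sysctl symbol and the exit call are visible to anyone who can run the
/// binary, so treat this as one layer among several rather than as the whole protection.
- (void)done {
    if ([self isDebug]) {
        NSLog(@" presence debugger ");
        exit(0);
    } else {
        NSLog(@" no debugger ");
    }
}

/// Asks the kernel for this process's kinfo_proc record and tests the P_TRACED flag.
///
/// @return YES when P_TRACED is set in kp_proc.p_flag, NO otherwise. NO is also
///         returned when the sysctl query itself fails; a hardened build may prefer
///         to treat a failed query as suspicious instead.
- (BOOL)isDebug {
    int name[4];
    name[0] = CTL_KERN;       // kernel subtree
    name[1] = KERN_PROC;      // process information
    name[2] = KERN_PROC_PID;  // select the process by PID
    name[3] = getpid();       // this process

    // Zero the record so a failed or short query never leaves stack garbage in p_flag.
    struct kinfo_proc info = {0};
    size_t info_size = sizeof(info);

    // The result is only meaningful when sysctl reports success.
    if (sysctl(name, sizeof(name) / sizeof(*name), &info, &info_size, NULL, 0) != 0) {
        return NO;
    }

    // P_TRACED is set by the kernel while the process is being traced/debugged.
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}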

Attacking the anti-debugging protection

Steps (Hook mode)

1. Debug the re-signed application

2. Add a symbolic breakpoint and filter by a method-name keyword, for example `exit`

3. After the breakpoint is hit, run the LLDB `bt` command, check the function call stack, and find the memory address of the root method

4. Run `image list` to list the loaded images (including the executable file)

5. Calculate the offset by subtracting the start address from the memory address

6. Find the executable file (exec) and use a disassembly tool (Hopper Disassembler v4) to analyze it, looking up the calculated offset

7. 4 bytes need to be subtracted due to register problems, so the actual call is the last one in the query result

8. Select the assembly code and press space to view the call process (`sysctl` is what the debugging protection uses)

9. Create a framework and use scripts to inject it, then use fishhook to exchange the function

Code:

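// Holds the address of the original sysctl once the symbol has been rebound,
// so the replacement below can still forward every call to the real implementation.
int (*sysctl_p)(int *, u_int, void *, size_t *, void *, size_t);

// Replacement for sysctl that hides the P_TRACED flag from the caller.
//
// Only the exact query used by the anti-debugging check is altered
// (CTL_KERN / KERN_PROC / KERN_PROC_PID with a non-NULL output buffer);
// every other request is passed through untouched.
//
// Defender's takeaway: a check that depends on one rebindable libc symbol and one
// flag bit is defeated by this interposition. The in-process sysctl result is
// attacker-controllable on a re-signed build, so do not make it the only signal.
int mySysctl(int *name, u_int namelen, void *info, size_t *infoSize,
             void *newInfo, size_t newInfoSize) {
    // Filter for the debugger-detection query.
    if (namelen == 4 && name[0] == CTL_KERN && name[1] == KERN_PROC &&
        name[2] == KERN_PROC_PID && info) {
        // Let the real sysctl fill the buffer first and keep its return value.
        int error = sysctl_p(name, namelen, info, infoSize, newInfo, newInfoSize);

        struct kinfo_proc *myinfo = (struct kinfo_proc *)info;
        if ((myinfo->kp_proc.p_flag & P_TRACED) != 0) {
            // XOR flips the bit; it is known to be set here, so this clears it.
            myinfo->kp_proc.p_flag ^= P_TRACED;
        }
        return error;
    }
    return sysctl_p(name, namelen, info, infoSize, newInfo, newInfoSize);
}

// The page's listing ends with a truncated fishhook registration; the enclosing
// call and function are not shown, so the fragment is kept here as printed:
//   struct rebinding[1]{{"sysctl", mySysctl, (void *)&sysctl_p}}, 1);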