Kotani bald collection

  • Today Xiaogu shares a fewThe basis of protectiveMethods. — Sure, how about that, toocrack

1. Whitelist protection

  • thisprotectiveIt should be working for nowA minimum ofThe reason is thisFriendly fire is relatively large

After all that thought, I’d like to say something about this protection

  • Principle:Whitelist protectionThe principle of the means is basicallyPrevent dynamic library inserts

That is, collect all the dynamic libraries you can use. If redundant dynamic libraries are detected, protective techniques can be applied

  • Step 1: Get all the libraries you need for execution
// Get the number of images
int count = _dyld_image_count();
// Remove your macho mirror
for (int i = 1; i < count; i++) {
    // Print all image names separated by a comma
    printf("%s,",_dyld_get_image_name(i));
}
Copy the code
  • Step 2: Put the outputlog.copy

If you do use it later, never write it on the client. (In fact, even if written on the server request error is still very large!)

  • Step 3: Determine if the application is loaded when it entersLibraries that are not included(If there is one, it is the injected library.)
    int count = _dyld_image_count();
    // Remove your macho mirror
    for (int i = 1; i < count; i++) {
// printf("%s,",_dyld_get_image_name(i));
        if(! strstr(libStr, _dyld_get_image_name(i))) {// If it does not, it is treated as an injected library!
            NSLog(@" inject library. Take protective measures ~!"); }}Copy the code
  • Conclusion under
      1. Whitelist protectionFriendly fire is too big
      1. Few apps do that right now.High maintenance costs
      1. If the system is upgraded, or the system library is different for each model. Will have beenChange is compatible with
      1. Let’s call it server storage. Maybe not the first time

This protection is not recommended! But with whitelist protection, there could be a lot of extension of thought. Brothers can consider ~

2. Ptrace

Long ago pay treasure is used this ~

2.1. Ptrace protection

  • When we reverse the APP, sometimes we don’t just do static analysis, we might debug it on the fly

  • Our dynamic debugging, whether terminal debugging, or Xcode add-on. All through the DebugServer monitoring process to do!

  • Ptrace prevents additional debugging by limiting the process

  • Let’s start with a Ptrace example

// Click the event for a wave
- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event{
    NSLog("Ptrace anti-debug!");
    ptrace(PT_DENY_ATTACH, 0.0.0);// This is Ptrace protection debugging
    NSLog(@" Not protected?");
}
Copy the code
  • Let’s click on that

Found out and never left!

Ptrace features: Debugging flashes back, but APP works normally when clicked

2.2. Ptrace cracking

Where there is a way to protect, there is a way to break

  • If you’re sure it isPtrace protection. So we canThe symbol hookTry ~
// Define a function pointer!
int  (*ptrace_p)(int _request, pid_t _pid, caddr_t _addr, int_data); + (void)load
{
    / / exchange
    struct rebinding ptraceBd;
    ptraceBd.name ="ptrace";
    ptraceBd.replacement = my_ptrace;
    ptraceBd.replaced = (void *)&ptrace_p;
    
    struct rebinding bds[] = {ptraceBd};
    rebind_symbols(bds, 1);
}
/ / custom
int  my_ptrace (int _request, pid_t _pid, caddr_t _addr, int _data){
    if(_request ! = PT_DENY_ATTACH) {// If not refuse to attach, keep calling!
        return ptrace_p(_request,_pid,_addr,_data);
    }
    return 0;
}
Copy the code

This is done using the fishhook symbol rebinding

3. sysctl

3.1. Sysctl protection

This is pretty good at present ~ Douyin is using this, but he has made other protection besides this (I will play it sometime and write a blog, 😆).

  • Write down his protection code
#import <sys/sysctl.h>
bool isDebugServer(){
    / / control code
    int name[4];// Put bytecode - query information
    name[0] = CTL_KERN;// Kernel view
    name[1] = KERN_PROC;// Query the process
    name[2] = KERN_PROC_PID; // Check the process by process ID
    name[3] = getpid();// Get your process id
    // Query result
    struct kinfo_proc info;// Result of the process query
    size_t info_size = sizeof(info);// Structure size
    int error = sysctl(name, sizeof(name)/sizeof(*name), &info, &info_size, 0.0);
    assert(error == 0);//0 means no error, set an assertion
    P_flag = 1; p_flag = 1
    P_flag and P_TRACED =0
    return((info.kp_proc.p_flag & P_TRACED) ! =0);
}
- (void)viewDidLoad {
    [super viewDidLoad];
    if (isDebugServer()) {
        NSLog("In debugServer debugging state!");
        // Do it yourself
    }else{
        NSLog("In normal operating condition!"); }}Copy the code
  • When IXcode runwhen

  • When IDisconnect the xcode, run by yourself

Which means it’s detected.

3.2. Sysctl cracking

Also use the Fishhook symbol to rebind

  • I’m just going to write what’s after the rebindingimplementationthe
// Custom functions
int mySysctl(int *name, u_int namelen, void *info, size_t *infosize, void *newinfo, size_t newinfosize){
    if (namelen == 4
        && name[0] = =CTL_KERN
        && name[1] == KERN_PROC
        && name[2] == KERN_PROC_PID
        && info
        && (int)*infosize == sizeof(struct kinfo_proc))
    {
        int err = sysctl_p(name, namelen, info, infosize, newinfo, newinfosize);
        // Get info
        struct kinfo_proc * myInfo = (struct kinfo_proc *)info;
        if((myInfo->kp_proc.p_flag & P_TRACED) ! =0) {// use xor
            myInfo->kp_proc.p_flag ^= P_TRACED;
        }
        return 0;
    }
    return sysctl_p(name, namelen, info, infosize, newinfo, newinfosize);
}
Copy the code

4. To summarize

  • Whitelist protection is a means of thinking, this kind of protection is very big, use with caution!!

  • Ptrace and Sysctl are used a lot now, so you need to make sure that no one knows

  • You can use the project to try ~ 😆.