背景:
我們的app發布后,有可能給別人砸殼然后進行重簽名。為了加強安全性,我們現在對app進行防重簽名的防護。接下來我們一起探討一下如何防止別人重簽名我們的app。
本文防重簽名的方法是先從embedded.mobileprovision讀取自己app的com.apple.developer.team-identifier中的證明組織單位TeamId,然后在app啟動時檢測當前app的這個信息與原來的是否相同,不同則閃退(當然我們也可以記錄下用戶行為,把當前收集用戶的相關信息上報到服務器,然后再決定如何處理)。
技術要點:
1.關鍵字符串用函數替換,達到在二進制文件中查看不到的效果;
2.關鍵函數名用C語言寫,這樣用Class-dump等工具查不出函數名;
3.閃退的代碼用匯編寫,這樣在編譯后的二進制文件中找不到exit的關鍵字
4.關鍵函數名用不規則字符串替換,達到混淆效果,別人更難破解(慎用,上架可能被拒)
如何實現
1.先查看一下當前app的查看證明組織單位,在本地的證書中可以查看,如下圖:
image.png
或者進入.app的包內容,查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision 找到<key>com.apple.developer.team-identifier</key>的value的就是(即<NSString>與</NSString>中間那一串字符)
image.png
2.利用簽名信息進行重簽名防護,以下方法是檢測當前從com.apple.developer.team-identifier的Teamid與上面我們查出的Teamid是否相同,不同則調用匯編執行exit(0),用subStr1()返回字符串替換embedde等
void checkCodesign(NSString *teamId){
// 描述文件路徑
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"];
// 讀取com.apple.developer.team-identifier 注意描述文件的編碼要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:@"com.apple.developer.team-identifier"].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
//NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
// NSString *appIdentifier = [identifierComponents firstObject];
// 對比簽名ID
if (![fullIdentifier isEqual:teamId]) {
//以下等于exit(0)
asm(
"mov X0,#0\n"
"mov w16,#1\n"
"svc #0x80"
);
}
break;
}
}
}
3.以上方法雖然能達到防止重簽名的效果,但是通過hopper,能夠查到相關的一些 信息,這樣別人能通過fishhook等方法繞過這個防護。
image.png
4.為了加強安全性,我們對以上的幾個關鍵的字符串進行了隱藏,比如函數checkCodesign()改為safeStringHandle(),用subStr3()返回字符串替換application-identifier等等,從而達到讓人誤以為這個方法是在對字符串處理
//
// aaasss.m
// noResign
//
// Created by caizhongtao on 2019/12/18.
// Copyright ? 2019 admin. All rights reserved.
//
#import "StringExtenHandle.h"
@implementation StringExtenHandleClass
+(void)load{
NSLog(@"******************* FrameWork load ****************");
safeStringHandle();
}
//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字條串)
#define Str_Key 0xAD
//把字符串3748LX2W73變成函數隱藏原來的字符串
//以下實際返回3748LX2W73
//23P8M9VEK5
static NSString *subStr4(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^ '2'),
(Str_Key ^'3'),
(Str_Key ^'P'),
(Str_Key ^'8'),
(Str_Key ^'M'),
(Str_Key ^'9'),
(Str_Key ^'V'),
(Str_Key ^'E'),
(Str_Key ^'K'),
(Str_Key ^'5'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 embedded
static NSString *subStr1(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'e'),
(Str_Key ^'m'),
(Str_Key ^'b'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 mobileprovision
static NSString *subStr2(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'m'),
(Str_Key ^'o'),
(Str_Key ^'b'),
(Str_Key ^'i'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'p'),
(Str_Key ^'r'),
(Str_Key ^'o'),
(Str_Key ^'v'),
(Str_Key ^'i'),
(Str_Key ^'s'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 application-identifier
static NSString *subStr5(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'i'),
(Str_Key ^'c'),
(Str_Key ^'a'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 //com.apple.developer.team-identifier
static NSString *subStr3(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'c'),
(Str_Key ^'o'),
(Str_Key ^'m'),
(Str_Key ^'.'),
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'.'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'v'),
(Str_Key ^'e'),
(Str_Key ^'l'),
(Str_Key ^'o'),
(Str_Key ^'p'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'.'),
(Str_Key ^'t'),
(Str_Key ^'e'),
(Str_Key ^'a'),
(Str_Key ^'m'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下函數名實為checkCodesign(),但為了安全故意偽裝成字符串處理函數
void safeStringHandle(void){
// 描述文件路徑
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
// 讀取application-identifier 注意描述文件的編碼要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
// NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
// NSString *appIdentifier = [identifierComponents firstObject];
// 對比簽名ID
if (![fullIdentifier isEqual:subStr4()]) {
//exit(0)
#ifdef __arm64__
asm volatile(
"mov X0,#0\n"
"mov x16,#1\n"
"svc #0x80"
);
#endif
#ifdef __arm__
asm volatile(
"mov r0,#0\n"
"mov r12,#1\n"
"svc #80"
);
#endif
}
break;
}
}
}
@end
效果如下:
image.png
5.為了進一步加強安全性,我們也可以對以上幾個重要的方法名進行重命名為不規則的名字,此方法用的是預編譯的頭文件。在編譯的過程會把我們自己的函數轉換成不規則的字符串,在編譯后的二進制文件中就看不到我們原來的函數。(注:有網友提醒這種方法名混淆有可能審核不通過,所以這種頭文件混淆請大家結合實際使用)
#ifndef PrefixHeader_pch
#define PrefixHeader_pch
#define StringExtenHandleClass dedfsdE3Fjytlks
#define safeStringHandle dijSD9fojdfksjzDSdf
#define subStr1 gsrjzs684zfgjt5afsFse
#define subStr2 hFtw4ef5u57zvSgDSf
#define subStr3 sGEW546UTRdewghfUJ6U65
#define subStr4 ftkuyy45gkyghdd43tr
#endif /* PrefixHeader_pch */
//====================================================
#import "StringExtenHandle.h"
@implementation StringExtenHandleClass
//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字條串)
#define Str_Key 0xAD
//把字符串3748LX2W73變成函數隱藏原來的字符串
//以下實際返回3748LX2W75
static NSString *subStr4(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^ '3'),
(Str_Key ^'7'),
(Str_Key ^'4'),
(Str_Key ^'8'),
(Str_Key ^'L'),
(Str_Key ^'X'),
(Str_Key ^'2'),
(Str_Key ^'W'),
(Str_Key ^'7'),
(Str_Key ^'5'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 embedded
static NSString *subStr1(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'e'),
(Str_Key ^'m'),
(Str_Key ^'b'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 mobileprovision
static NSString *subStr2(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'m'),
(Str_Key ^'o'),
(Str_Key ^'b'),
(Str_Key ^'i'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'p'),
(Str_Key ^'r'),
(Str_Key ^'o'),
(Str_Key ^'v'),
(Str_Key ^'i'),
(Str_Key ^'s'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下實際返回 //com.apple.developer.team-identifier
static NSString *subStr3(){
unsigned char key[] = {//用異或^運算進行加密
(Str_Key ^'c'),
(Str_Key ^'o'),
(Str_Key ^'m'),
(Str_Key ^'.'),
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'.'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'v'),
(Str_Key ^'e'),
(Str_Key ^'l'),
(Str_Key ^'o'),
(Str_Key ^'p'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'.'),
(Str_Key ^'t'),
(Str_Key ^'e'),
(Str_Key ^'a'),
(Str_Key ^'m'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用異或^運算進行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下函數名實為checkCodesign(),但為了安全故意偽裝成字符串處理函數
void safeStringHandle(){
// 描述文件路徑
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
// 讀取application-identifier 注意描述文件的編碼要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
NSString *appIdentifier = [identifierComponents firstObject];
// 對比簽名ID
if (![appIdentifier isEqual:subStr4()]) {
//exit(0)
#ifdef __arm64__
asm volatile(
"mov X0,#0\n"
"mov x16,#1\n"
"svc #0x80"
);
#endif
#ifdef __arm__
asm volatile(
"mov r0,#0\n"
"mov r12,#1\n"
"svc #80"
);
#endif
}
break;
}
}
}
@end
(特別注意:創建PreHeader文件后,一定要在BuilderSetting中添加到預處理中,不然這個文件不會生效)
image.png
以下是函數名混淆后的效果
image.png
參考:
http://www.lxweimin.com/p/248d3d2c323c
