iOS防重签名
2019-12-24 本文已影响0人
sz_蓝天使者
背景:
我们的app发布后,有可能给别人砸壳然后进行重签名。为了加强安全性,我们现在对app进行防重签名的防护。接下来我们一起探讨一下如何防止别人重签名我们的app。
本文防重签名的方法是先从embedded.mobileprovision读取自己app的com.apple.developer.team-identifier中的证明组织单位TeamId,然后在app启动时检测当前app的这个信息与原来的是否相同,不同则闪退(当然我们也可以记录下用户行为,把当前收集用户的相关信息上报到服务器,然后再决定如何处理)。
技术要点:
1.关键字符串用函数替换,达到在二进制文件中查看不到的效果;
2.关键函数名用C语言写,这样用Class-dump等工具查不出函数名;
3.闪退的代码用汇编写,这样在编译后的二进制文件中找不到exit的关键字
4.关键函数名用不规则字符串替换,达到混淆效果,别人更难破解(慎用,上架可能被拒)
如何实现
1.先查看一下当前app的查看证明组织单位,在本地的证书中可以查看,如下图:
image.png
或者进入.app的包内容,查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision 找到<key>com.apple.developer.team-identifier</key>的value的就是(即<NSString>与</NSString>中间那一串字符)
image.png
2.利用签名信息进行重签名防护,以下方法是检测当前从com.apple.developer.team-identifier的Teamid与上面我们查出的Teamid是否相同,不同则调用汇编执行exit(0),用subStr1()返回字符串替换embedde等
void checkCodesign(NSString *teamId){
// 描述文件路径
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"];
// 读取com.apple.developer.team-identifier 注意描述文件的编码要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:@"com.apple.developer.team-identifier"].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
//NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
// NSString *appIdentifier = [identifierComponents firstObject];
// 对比签名ID
if (![fullIdentifier isEqual:teamId]) {
//以下等于exit(0)
asm(
"mov X0,#0\n"
"mov w16,#1\n"
"svc #0x80"
);
}
break;
}
}
}
3.以上方法虽然能达到防止重签名的效果,但是通过hopper,能够查到相关的一些 信息,这样别人能通过fishhook等方法绕过这个防护。
image.png
4.为了加强安全性,我们对以上的几个关键的字符串进行了隐藏,比如函数checkCodesign()改为safeStringHandle(),用subStr3()返回字符串替换application-identifier等等,从而达到让人误以为这个方法是在对字符串处理
//
// aaasss.m
// noResign
//
// Created by caizhongtao on 2019/12/18.
// Copyright © 2019 admin. All rights reserved.
//
#import "StringExtenHandle.h"
@implementation StringExtenHandleClass
+(void)load{
NSLog(@"******************* FrameWork load ****************");
safeStringHandle();
}
//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字条串)
#define Str_Key 0xAD
//把字符串3748LX2W73变成函数隐藏原来的字符串
//以下实际返回3748LX2W73
//23P8M9VEK5
static NSString *subStr4(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^ '2'),
(Str_Key ^'3'),
(Str_Key ^'P'),
(Str_Key ^'8'),
(Str_Key ^'M'),
(Str_Key ^'9'),
(Str_Key ^'V'),
(Str_Key ^'E'),
(Str_Key ^'K'),
(Str_Key ^'5'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 embedded
static NSString *subStr1(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'e'),
(Str_Key ^'m'),
(Str_Key ^'b'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 mobileprovision
static NSString *subStr2(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'m'),
(Str_Key ^'o'),
(Str_Key ^'b'),
(Str_Key ^'i'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'p'),
(Str_Key ^'r'),
(Str_Key ^'o'),
(Str_Key ^'v'),
(Str_Key ^'i'),
(Str_Key ^'s'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 application-identifier
static NSString *subStr5(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'i'),
(Str_Key ^'c'),
(Str_Key ^'a'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 //com.apple.developer.team-identifier
static NSString *subStr3(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'c'),
(Str_Key ^'o'),
(Str_Key ^'m'),
(Str_Key ^'.'),
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'.'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'v'),
(Str_Key ^'e'),
(Str_Key ^'l'),
(Str_Key ^'o'),
(Str_Key ^'p'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'.'),
(Str_Key ^'t'),
(Str_Key ^'e'),
(Str_Key ^'a'),
(Str_Key ^'m'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下函数名实为checkCodesign(),但为了安全故意伪装成字符串处理函数
void safeStringHandle(void){
// 描述文件路径
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
// 读取application-identifier 注意描述文件的编码要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
// NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
// NSString *appIdentifier = [identifierComponents firstObject];
// 对比签名ID
if (![fullIdentifier isEqual:subStr4()]) {
//exit(0)
#ifdef __arm64__
asm volatile(
"mov X0,#0\n"
"mov x16,#1\n"
"svc #0x80"
);
#endif
#ifdef __arm__
asm volatile(
"mov r0,#0\n"
"mov r12,#1\n"
"svc #80"
);
#endif
}
break;
}
}
}
@end
效果如下:
image.png
5.为了进一步加强安全性,我们也可以对以上几个重要的方法名进行重命名为不规则的名字,此方法用的是预编译的头文件。在编译的过程会把我们自己的函数转换成不规则的字符串,在编译后的二进制文件中就看不到我们原来的函数。(注:有网友提醒这种方法名混淆有可能审核不通过,所以这种头文件混淆请大家结合实际使用)
#ifndef PrefixHeader_pch
#define PrefixHeader_pch
#define StringExtenHandleClass dedfsdE3Fjytlks
#define safeStringHandle dijSD9fojdfksjzDSdf
#define subStr1 gsrjzs684zfgjt5afsFse
#define subStr2 hFtw4ef5u57zvSgDSf
#define subStr3 sGEW546UTRdewghfUJ6U65
#define subStr4 ftkuyy45gkyghdd43tr
#endif /* PrefixHeader_pch */
//====================================================
#import "StringExtenHandle.h"
@implementation StringExtenHandleClass
//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字条串)
#define Str_Key 0xAD
//把字符串3748LX2W73变成函数隐藏原来的字符串
//以下实际返回3748LX2W75
static NSString *subStr4(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^ '3'),
(Str_Key ^'7'),
(Str_Key ^'4'),
(Str_Key ^'8'),
(Str_Key ^'L'),
(Str_Key ^'X'),
(Str_Key ^'2'),
(Str_Key ^'W'),
(Str_Key ^'7'),
(Str_Key ^'5'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 embedded
static NSString *subStr1(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'e'),
(Str_Key ^'m'),
(Str_Key ^'b'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'d'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 mobileprovision
static NSString *subStr2(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'m'),
(Str_Key ^'o'),
(Str_Key ^'b'),
(Str_Key ^'i'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'p'),
(Str_Key ^'r'),
(Str_Key ^'o'),
(Str_Key ^'v'),
(Str_Key ^'i'),
(Str_Key ^'s'),
(Str_Key ^'i'),
(Str_Key ^'o'),
(Str_Key ^'n'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下实际返回 //com.apple.developer.team-identifier
static NSString *subStr3(){
unsigned char key[] = {//用异或^运算进行加密
(Str_Key ^'c'),
(Str_Key ^'o'),
(Str_Key ^'m'),
(Str_Key ^'.'),
(Str_Key ^'a'),
(Str_Key ^'p'),
(Str_Key ^'p'),
(Str_Key ^'l'),
(Str_Key ^'e'),
(Str_Key ^'.'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'v'),
(Str_Key ^'e'),
(Str_Key ^'l'),
(Str_Key ^'o'),
(Str_Key ^'p'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'.'),
(Str_Key ^'t'),
(Str_Key ^'e'),
(Str_Key ^'a'),
(Str_Key ^'m'),
(Str_Key ^'-'),
(Str_Key ^'i'),
(Str_Key ^'d'),
(Str_Key ^'e'),
(Str_Key ^'n'),
(Str_Key ^'t'),
(Str_Key ^'i'),
(Str_Key ^'f'),
(Str_Key ^'i'),
(Str_Key ^'e'),
(Str_Key ^'r'),
(Str_Key ^'\0'),
};
//用异或^运算进行解密
unsigned char *p = key;
while (((*p) ^= Str_Key) != '\0') {
p++;
};
return [NSString stringWithUTF8String:(const char *)key];
}
//以下函数名实为checkCodesign(),但为了安全故意伪装成字符串处理函数
void safeStringHandle(){
// 描述文件路径
NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
// 读取application-identifier 注意描述文件的编码要使用:NSASCIIStringEncoding
NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
for (int i = 0; i < embeddedProvisioningLines.count; i++) {
if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {
NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
NSRange range;
range.location = fromPosition;
range.length = toPosition - fromPosition;
NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
NSString *appIdentifier = [identifierComponents firstObject];
// 对比签名ID
if (![appIdentifier isEqual:subStr4()]) {
//exit(0)
#ifdef __arm64__
asm volatile(
"mov X0,#0\n"
"mov x16,#1\n"
"svc #0x80"
);
#endif
#ifdef __arm__
asm volatile(
"mov r0,#0\n"
"mov r12,#1\n"
"svc #80"
);
#endif
}
break;
}
}
}
@end
(特别注意:创建PreHeader文件后,一定要在BuilderSetting中添加到预处理中,不然这个文件不会生效)
image.png
以下是函数名混淆后的效果
image.png
参考:
https://www.jianshu.com/p/248d3d2c323c
