iOS Protection: Anti-Debugging

2020-03-05  CDLOG

1. Calling ptrace prevents a debugger from attaching.

On arm64 a system call is made by loading the syscall number into x16, the arguments into x0-x3, and executing `svc #0x80`; Apple's System Call Table lists ptrace as number 26. The code below does not put 26 into x16, though: it sets x16 to 0, which selects the indirect syscall (the `syscall(number, ...)` entry), so the kernel reads the real number, 26 (ptrace), from x0 and the arguments from x1 onward. x1 = 31 is PT_DENY_ATTACH, and the remaining arguments are 0. Embedding the instructions with an `asm` statement means the call never goes through the libsystem `ptrace` stub, so hooking that symbol does not stop it. Two caveats: PT_DENY_ATTACH also kills the process if a debugger is already attached when it runs (so expect the app to die under lldb), and the sequence can still be neutralised by patching the instructions themselves, which is what section 2 tries to detect.

// always_inline expands the function at every call site, so there is no
// anti_debug symbol to hook or to set a breakpoint on
static __attribute__((always_inline)) void anti_debug(void)
{
    // Only meaningful on the ARM64 instruction set
#ifdef __arm64__
    // volatile keeps the compiler from discarding the asm as having no effect
    __asm__ __volatile__
    (
     "mov x0, #26\n"    // SYS_ptrace: with the indirect syscall the real number goes in x0
     "mov x1, #31\n"    // PT_DENY_ATTACH
     "mov x2, #0\n"
     "mov x3, #0\n"
     "mov x4, #0\n"
     "mov w16, #0\n"    // x16 = 0 selects the indirect syscall, which takes its number from x0
     "svc #0x80"
     :
     :
     : "x0", "x1", "x2", "x3", "x4", "x16", "memory"   // registers the asm overwrites
     );
#endif
}

Call site:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    anti_debug();
    return YES;
}

2. Detecting that the protection has been bypassed

The first check issues getpid (syscall 20) directly through `svc`. A bypass that hooks or patches the `svc` instruction typically makes it return 0, which a real process can never have as its pid, so in that case the code wipes the stack pointer, frame pointer and link register and returns into address 0 to crash the process. The second check relies on stdout: when debugserver launches the app it attaches stdout to a pseudo-terminal so the debugger can show the output, while an app launched from SpringBoard has no terminal, so `isatty(1)` returning non-zero is a sign that a debugger started the process. This second heuristic only catches a debugger that launched the app, not one that attached later.

#include <stdlib.h>
#include <unistd.h>

static __attribute__((always_inline)) void check_svc_integrity(void)
{
#ifdef __arm64__
    long pid;
    // getpid issued directly through svc, bypassing the libsystem stub
    __asm__ __volatile__("mov x0, #0\n"
            "mov w16, #20\n"          // SYS_getpid
            "svc #0x80\n"
            "cmp x0, #0\n"
            "b.ne 1f\n"               // a genuine pid is never 0: skip the crash path

            // svc was hijacked (a bypass usually makes it return 0):
            // zero sp, x29 (fp) and x30 (lr), then return into address 0
            "mov x1, #0\n"
            "mov sp, x1\n"
            "mov x29, x1\n"
            "mov x30, x1\n"
            "ret\n"

            "1:\n"
            "mov %[result], x0\n"
            : [result] "=r" (pid)
            :
            : "x0", "x1", "x16", "memory", "cc"
            );

    // Normally unreachable, because the crash path above never returns;
    // kept as a fallback in case that path is itself patched out
    if (pid == 0) {
        __builtin_trap();
    }
#endif
}

// needs #include <unistd.h>
void AntiDebug_isatty(void)
{
    // stdout is a (pseudo-)terminal only when a debugger launched the process
    if (isatty(STDOUT_FILENO)) {
        exit(1);
    }
}

Call site:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    check_svc_integrity();
    AntiDebug_isatty();
    check_svc_integrity();
    return YES;
}
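As an added example (not code from the original post), the C below checks svc integrity at the instruction level rather than behaviourally: it decodes AArch64 instruction words and verifies that a code region still contains the expected number of `svc #0x80` instructions, which is exactly what a bypass tweak has to remove or replace to neutralise the anti_debug() sequence from section 1. Both byte arrays are constructed for the example: the first is the anti_debug() instruction sequence as the assembler emits it (so it also shows the x0/x1/x16 register layout described in section 1), the second is the same sequence with the svc overwritten by a nop. The function names (a64_svc_imm, count_darwin_svc, svc_sites_intact) are this example's own, not an Apple or project API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 SVC encoding: bits 31..21 = 11010100000, bits 20..5 = imm16, bits 4..0 = 00001 */
#define A64_SVC_MASK   0xFFE0001Fu
#define A64_SVC_FIXED  0xD4000001u
#define DARWIN_SVC_IMM 0x80u   /* XNU's BSD syscall trap number */

/* Encode `svc #imm16`; svc #0x80 becomes 0xD4001001. */
uint32_t a64_encode_svc(unsigned imm16) {
    return A64_SVC_FIXED | ((imm16 & 0xFFFFu) << 5);
}

/* Return the immediate of an SVC instruction word, or -1 if the word is not an SVC. */
int a64_svc_imm(uint32_t insn) {
    if ((insn & A64_SVC_MASK) != A64_SVC_FIXED) {
        return -1;
    }
    return (int)((insn >> 5) & 0xFFFFu);
}

/* Read one little-endian 32-bit instruction word from a code buffer. */
uint32_t a64_read_insn(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Count the `svc #0x80` instructions in a 4-byte-aligned code region. */
size_t count_darwin_svc(const uint8_t *code, size_t len) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        if (a64_svc_imm(a64_read_insn(code + off)) == (int)DARWIN_SVC_IMM) {
            n++;
        }
    }
    return n;
}

/* True iff the region still holds exactly the number of svc #0x80 sites it was built with. */
bool svc_sites_intact(const uint8_t *code, size_t len, size_t expected) {
    return count_darwin_svc(code, len) == expected;
}

/* Constructed sample: the anti_debug() sequence from section 1 as the assembler
   emits it (mov x0,#26; mov x1,#31; mov x2,#0; mov x3,#0; mov x4,#0; mov w16,#0; svc #0x80). */
static const uint8_t anti_debug_code[] = {
    0x40, 0x03, 0x80, 0xD2,   /* mov x0, #26  (SYS_ptrace, number for the indirect syscall) */
    0xE1, 0x03, 0x80, 0xD2,   /* mov x1, #31  (PT_DENY_ATTACH) */
    0x02, 0x00, 0x80, 0xD2,   /* mov x2, #0 */
    0x03, 0x00, 0x80, 0xD2,   /* mov x3, #0 */
    0x04, 0x00, 0x80, 0xD2,   /* mov x4, #0 */
    0x10, 0x00, 0x80, 0x52,   /* mov w16, #0 (indirect syscall) */
    0x01, 0x10, 0x00, 0xD4,   /* svc #0x80 */
};

/* Constructed sample: the same sequence after a bypass has overwritten the svc with a nop. */
static const uint8_t patched_code[] = {
    0x40, 0x03, 0x80, 0xD2,
    0xE1, 0x03, 0x80, 0xD2,
    0x02, 0x00, 0x80, 0xD2,
    0x03, 0x00, 0x80, 0xD2,
    0x04, 0x00, 0x80, 0xD2,
    0x10, 0x00, 0x80, 0x52,
    0x1F, 0x20, 0x03, 0xD5,   /* nop (0xD503201F) */
};

int main(void) {
    printf("original: %zu svc #0x80 site(s), intact=%d\n",
           count_darwin_svc(anti_debug_code, sizeof anti_debug_code),
           svc_sites_intact(anti_debug_code, sizeof anti_debug_code, 1));
    printf("patched:  %zu svc #0x80 site(s), intact=%d\n",
           count_darwin_svc(patched_code, sizeof patched_code),
           svc_sites_intact(patched_code, sizeof patched_code, 1));
    return 0;
}
```

On a device you would pass the address of a non-inlined function that contains the svc (the __TEXT segment is mapped readable) together with the number of bytes to scan, and compare against the count the function was compiled with; a mismatch means the instructions were patched in memory or on disk. Like the getpid check above, this only catches tampering with the instruction itself, not a bypass that sits below the svc in the kernel.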

Reference: https://juejin.im/post/5d9891abf265da5b926bc2b7?utm_source=gold_browser_extension
