iOS Reverse Engineering: Bypassing Jailbreak Detection on iOS 11 and Later
There are of course manual ways to bypass jailbreak detection, such as using fishhook or the Objective-C runtime to replace the app's jailbreak-detection functions, or using frida to hook those functions' return values. Those are the more reliable approaches; this article instead covers a tool that bypasses detection automatically, Liberty Lite.
xCon, the older detection-bypass tweak, has not been updated for a long time, and on jailbroken devices running iOS 10.3 or later it causes many apps to crash. xCon has no whitelist mechanism, so once installed it takes effect globally, and when it crashes Cydia there is no way to uninstall it through Cydia. That is why someone released a new jailbreak-detection bypass tweak that supports iOS 11 to iOS 12 devices.
First add the software source "https://ryleyangus.com/repo/" in Cydia.
Then, under Sources, tap Ryley's Repo, tap Tweaks, and find "Liberty Lite". Installing the Liberty Lite Beta version is recommended.
After installation it prompts you to Restart SpringBoard.
Usage:
Open Settings -> find Liberty -> tap Block Jailbreak Detection -> select the apps it should apply to
Because a whitelist mechanism was added, it is safer than the old xCon.
File analysis
After installing it from Cydia, ssh into the phone and go to the /Library/MobileSubstrate/DynamicLibraries directory:
cd /Library/MobileSubstrate/DynamicLibraries
ls
[screenshot: ls output of the DynamicLibraries directory]
Here you will find that Liberty Lite installed four libraries, AppList.dylib, PreferenceLoader.dylib, RocketBootstrap.dylib and zzzzLiberty.dylib, each with its own plist. AppList, PreferenceLoader and RocketBootstrap are tweaks that support the Settings pane; the main code is in zzzzLiberty.
Examining zzzzLiberty.plist shows that it is still loaded when UIKit is loaded, just like xCon:
[screenshot: contents of zzzzLiberty.plist]
Likewise, we use the otool and strings commands to disassemble it and extract its strings:
➜ Desktop otool -tV zzzzLiberty.dylib > xCon
➜ Desktop strings zzzzLiberty.dylib
/Applications
/Applications/
/Applications/Cydia.app
/Applications/Cydia.app/
/Applications/Cydia.app/Cydia
/Applications/Cydia.app/Info.plist
/Applications/Cydia.app/../Cydia.app
/Applications/Cydia.app/../Cydia.app/
/Applications/Cydia.app/../Cydia.app/Info.plist
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/Iny.app
/Applications/iFile.app
/Applications/Activator.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSettings.app
/Applications/WinterBoard.app
/Applications/blackra1n.app
/Library/Activator
/Library/Flipswitch
/Library/Frameworks/CydiaSubstrate.framework
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrateMobileSubstrate.dylib
/Library/Ringtones
/Library/Switchs
/Library/Wallpaper
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/bin/bash
/bin/sh
/bin
/bin/su
/etc/apt
/etc/apt/
/etc/clutch.conf
/etc/clutch_cracked.plist
/etc/ssh/sshd_config
/private/
/private
/private/vstb_writable_check
/private/etc/fstab
/private/Miitomo
/private/var/lib/apt
/private/var/lib/apt/
/private/var/lib/cydia
/private/var/lib/cydia/
/private/var/tmp/cydia.log
/private/var/mobile/Library/SBSettings/Themes
/private/var/mobileLibrary/SBSettingsThemes/
/private/var/stash
/private/var/stash/
/private/var/tmp/Cydia.log
/usr/arm-apple-darwin9
/usr/bin/ssh
/usr/bin/sshd
/usr/binsshd
/usr/sbin
/usr/sbinsshd
/usr/include
/usr/lib/pam
/usr/lib/python2.5
/usr/libexec
/usr/libexec/cydia
/usr/libexec/cydia/
/usr/libexec/sftp-server
/usr/libexec/ssh-keysign
/usr/sbin/sshd
/usr/share
/var/cache/apt
/var/cache/apt/
/var/cache/clutch.plist
/var/cache/clutch_cracked.plist
/var/lib/apt
/var/lib/apt/
/var/lib/clutch/overdrive.dylib
/var/lib/cydia
/var/lib/cydia/
/var/lib/dpkg/info
/var/log/syslog
/var/root/Documents/Cracked/
/var/tmp/cydia.log
/var/stash/Library/Ringstones
/var/stash/Library/Wallpaper
/var/stash/usr/include
/var/stash/usr/libexec
/var/stash/usr/share
//Systetem/Library/LaunchDaemons/com.ikey.bbot.plist
//System/Library/LaunchDaemons/com.saurik.Cy@dia.Startup.plist
//Library/MobileSubstrate/MobileSubstrate.dylib
//var/cache/apt/
//var/lib/apt/
//var/lib/cydia/
//var/log/syslog
//bin/bash
//bin/sh
//etc/apt/
//etc/ssh/sshd_config
//usr/libexec/ssh-keysign
Library/MobileSubstrate/MobileSubstrate.dylib
Applications/Cydia.app
var/cache/apt
var/lib/cydia
var/log/syslog
var/tmp/cydia.log
bin/bash
bin/sh
usr/sbin/sshd
usr/libexec/ssh-keysign
etc/ssh/sshd_config
etc/apt
/var/root/.tastest
/Library/Managed Preferences/mobile/.GlobalPreferences.plist
/Library/Preferences/com.apple.security.plist
/private/var/mobile/home/duh
/etc/rel
/System/Library/LaunchDaemons/com.apple.period.plist
/System/Library/LaunchDaemons/com.apple.ksyslog.plist
/private/var/mobile/home/syslog
/private/var/mobile/home/sshd
/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
/usr/lib/libsubstrate.dylib
/usr/bin
/boot
/var/root
/var
/private/var
/library/MobileSubstrate/MobileSubstrate.dylib
/mnt
/lib
/panguaxe
/panguaxe.installed
/private/var/mobile/Media/panguaxe.installed
/private/var/lib/dpkg/info/io.pangu.axe7.list
/private/var/lib/dpkg/info/io.pangu.axe7.prerm
/System/Library/LaunchDaemons/io.pangu.axe.untether.plist
/private/var/lib/dpkg/info/taiguntether83x.extrainst_
/private/var/lib/dpkg/info/taiguntether83x.list
/private/var/lib/dpkg/info/taiguntether83x.preinst
/private/var/lib/dpkg/info/taiguntether83x.prerm
/taig/
/taig/taig
/private/var/lib/dpkg/info/io.pangu.fuxiqin9.list
/private/var/lib/dpkg/info/io.pangu.fuxiqin9.prerm
/pguntether
/var/stash/
/var/stash
/private/var/cache/apt/
/private/var/log/syslog
/private/etc/apt/
/private/etc/ssh/sshd_config
/var/mobile/Library/Application Support/Flex3/patches.plist
/private/etc/dpkg/origins/debian
......
We find that this list is strikingly similar to xCon's... after all, there are only so many ways to detect a jailbreak.
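To make a long strings dump like the one above easier to read, here is an added Python example (my own code, not from the original post or from the Liberty Lite project). It normalizes each path string and groups the paths by the kind of jailbreak artifact they point at, so you can see at a glance which checks the tweak anticipates and which raw spellings fold into the same file. The sample input is a constructed subset of the list above plus one non-path line; the category keywords are my own grouping; and folding /private/var, /private/etc and /private/tmp onto /var, /etc and /tmp assumes the standard iOS symlinks.

```python
"""Normalize and categorize the path strings a tweak carries (added example)."""
import posixpath
import re
from collections import defaultdict

# Constructed sample: a subset of the `strings zzzzLiberty.dylib` output above,
# plus one non-path line to show that it is ignored.
SAMPLE_STRINGS = """\
/Applications/Cydia.app
/Applications/Cydia.app/
/Applications/Cydia.app/../Cydia.app/Info.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrateMobileSubstrate.dylib
/bin/bash
/etc/apt/
/usr/sbin/sshd
/usr/sbinsshd
//var/lib/cydia/
var/lib/cydia
/private/var/lib/apt
/var/lib/apt
/private/var/lib/dpkg/info/taiguntether83x.list
/taig/taig
/panguaxe
/etc/clutch.conf
/var/mobile/Library/Application Support/Flex3/patches.plist
Lorem ipsum not a path
"""

# Keyword buckets (my own grouping, not the tweak's); first match wins.
CATEGORIES = [
    ("jailbreak tool remnants", re.compile(r"pangu|taig|blackra1n|untether", re.I)),
    ("cracking/patching tools", re.compile(r"clutch|cracked|flex3", re.I)),
    ("package manager", re.compile(r"cydia|/apt(/|$)|dpkg", re.I)),
    ("code injection", re.compile(r"substrate", re.I)),
    ("shell and ssh", re.compile(r"/bin/(ba)?sh$|/bin/su$|ssh", re.I)),
]

# Absolute paths, or bare relative ones such as "var/lib/cydia".
PATH_LIKE = re.compile(r"^(/|[A-Za-z]+/)")


def normalize(raw):
    """Canonical form of one path string: collapse repeated slashes (done before
    normpath, which would keep a leading '//'), resolve '..' and trailing
    slashes, root bare relative paths at '/', and fold /private/{var,etc,tmp}
    onto /{var,etc,tmp} (assumes the standard iOS symlinks)."""
    p = raw if raw.startswith("/") else "/" + raw
    p = re.sub(r"/{2,}", "/", p)
    p = posixpath.normpath(p)
    return re.sub(r"^/private/(var|etc|tmp)(?=/|$)", r"/\1", p)


def parse_paths(text):
    """Map each canonical path to the list of raw spellings that fold into it."""
    groups = defaultdict(list)
    for line in text.splitlines():
        s = line.strip()
        if s and PATH_LIKE.match(s):
            groups[normalize(s)].append(s)
    return dict(groups)


def categorize(paths):
    """Bucket canonical paths by artifact type; unmatched ones go to 'other'."""
    buckets = defaultdict(list)
    for p in sorted(paths):
        name = next((n for n, rx in CATEGORIES if rx.search(p)), "other")
        buckets[name].append(p)
    return dict(buckets)


def report(text):
    """Summarize a strings dump: distinct paths, per-category lists, and the
    canonical paths that appear under more than one raw spelling."""
    groups = parse_paths(text)
    return {
        "distinct": len(groups),
        "buckets": categorize(groups),
        "variants": {c: raws for c, raws in groups.items() if len(raws) > 1},
    }


if __name__ == "__main__":
    r = report(SAMPLE_STRINGS)
    print(f"{r['distinct']} distinct paths")
    for name, paths in r["buckets"].items():
        print(f"  {name}: {len(paths)}")
    for canon, raws in r["variants"].items():
        print(f"  {canon} appears as {raws}")
```

Feed it the full `strings` output (for example `report(open("strings.txt").read())`) and the variants section shows how many raw spellings the tweak carries for one and the same file; the buckets show which artifact families it covers. For an app developer reviewing their own checks, that is a reminder that a file-existence check against a well-known path list is exactly what such tweaks are built to intercept, so it should not be the only signal.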