iOS 反反注入 修改__RESTRICT,__restrict工具

通过在 Xcode 里的 Other Linker Flags 设置参数,可以防止App被注入dylib(仅限于iOS 10 以下系统)  比如,某艺,XX音乐等

dylib无法注入,也就意味着没办法用cycript动态调试App,只能干瞪眼

Other Linker Flags 参数

-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null

通过阅读dyld源代码,我们可以得知其大概原理

static ImageLoader* loadPhase3(const char* path, const char* orgPath, const LoadContext& context, std::vector<const char*>* exceptions)
{
    ImageLoader* image = NULL;
    if ( strncmp(path, "@executable_path/", 17) == 0 ) {
        // executable_path cannot be in used in any binary in a setuid process rdar://problem/4589305
        if ( sProcessIsRestricted ) 
            throwf("unsafe use of @executable_path in %s with restricted binary", context.origin);
    }
    else if ( (strncmp(path, "@loader_path/", 13) == 0) && (context.origin != NULL) ) {
        // @loader_path cannot be used from the main executable of a setuid process rdar://problem/4589305
        if ( sProcessIsRestricted && (strcmp(context.origin, sExecPath) == 0) )
            throwf("unsafe use of @loader_path in %s with restricted binary", context.origin);
    }
    else if (sProcessIsRestricted && (path[0] != '/' )) {
        throwf("unsafe use of relative rpath %s in %s with restricted binary", path, context.origin);
    }
    
    return loadPhase4(path, orgPath, context, exceptions);
}

当dylib加载路径是以 @executable_path、@loader_path 或者不是以 '/'开头,则会抛出异常使进程结束。

针对以上情况,分享一个修改__RESTRICT命令的工具,原理是将Mach-O文件中的 RESTRICT命令改为 SESTRICT,使该命令因为无法识别而失效。

github源码地址

使用

./AAntiCrack --replace-restrict  <应用可执行文件mach-o>

 此工具还有注入dylib功能,将dylib与mach-o放在同一目录下,然后执行

./AAntiCrack --replace-restrict -i dylib路径 <应用可执行文件mach-o>

 即可实现动态库注入,与反反注入

 

相关链接:

  http://bbs.iosre.com/t/tweak-app-app-tweak/438 

 

posted @ 2017-09-20 12:32  Coding&Life  阅读(2971)  评论(0编辑  收藏  举报