Re-signing an iOS package and injecting code with a shell script

When we want to reverse-engineer a third-party application, we first install it on the phone, hook it to locate the method calls of interest, inject our own code, and then alter its normal flow to reach our goal. The rest of this article walks through each step of that process in detail.

One, re-signing with a shell script

1. We take WeChat, the most common application, as the example; other applications work the same way. First, download the jailbroken (decrypted) build of WeChat from PP Assistant, as shown below:

[Figure 01]

  • 1.1 The jailbroken build of the application is not encrypted, while the App Store build is. We use MachOView to inspect the application's executable, as shown below:

    [Figure 02]

  • 1.2 In the figure above, the Crypt ID field of the LC_ENCRYPTION_INFO_64 load command is 0, meaning the binary is not encrypted. In the App Store build of WeChat this field is 1, meaning the executable is FairPlay-encrypted, and code injection is not practical until it has been decrypted. `otool -l <binary>` shows the same field, named `cryptid`, under LC_ENCRYPTION_INFO_64, so the check can also be done from the terminal.

2. Let's first look at the result of re-signing the WeChat app, as shown below:

[Figure 03]

  • 2.1 Next we explain the re-signing process in detail. Re-signing can be done by hand or with a script. The manual way is tedious, so it is not demonstrated here; instead we re-sign from a shell script of fewer than 20 commands. If you are not familiar with shell scripting, take a moment to read an introductory tutorial first.

  • 2.2 We create a new Xcode project with the same name as the app, WeChat, so that its build product can later be replaced by the downloaded app (the same applies to other applications). Then create a folder named APP in the project directory to hold the ipa package we just downloaded, as shown below:

    [Figure 04]

  • 2.3 We add a Run Script build phase to the project, configure the signing certificate, and run it. The re-signing problem is solved in these three steps, as shown below:

    [Figure 05]

  • 2.4 The key is what the shell script does. The signing script is reproduced below; every line is commented, and the complete script is linked from the original post.

 

 

#!/bin/sh
# Xcode "Run Script" build phase. Xcode supplies SRCROOT, BUILT_PRODUCTS_DIR,
# TARGET_NAME, PRODUCT_BUNDLE_IDENTIFIER and EXPANDED_CODE_SIGN_IDENTITY.
set -e

# The APP folder created by hand under the project directory holds the jailbroken (decrypted) ipa;
# ${SRCROOT} is the directory containing the project file
crackPath="${SRCROOT}/APP"
# Path of the jailbroken ipa. The glob is expanded through "set --" and the first match is taken;
# a quoted "*.ipa" would be handed to unzip literally and never match
oldIpaPath=$(set -- "${crackPath}"/*.ipa; echo "$1")
# Temporary folder for the unzipped ipa contents
tempPath="${SRCROOT}/Temp"

# Start from an empty Temp folder
rm -rf "$tempPath"
mkdir -p "$tempPath"

# 1. Unzip the ipa into Temp
unzip -oqq "$oldIpaPath" -d "$tempPath"
# Path of the unzipped .app bundle inside Payload/
unzippedAppPath=$(set -- "$tempPath/Payload/"*.app; echo "$1")

# 2. Copy the unzipped .app into the build products directory
# BUILT_PRODUCTS_DIR: where Xcode writes the built .app (set by Xcode)
# TARGET_NAME: name of the target (set by Xcode)
targetAppPath="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "app path: $targetAppPath"

# Remove whatever Xcode built, then recreate the directory
rm -rf "$targetAppPath"
mkdir -p "$targetAppPath"
# Copy the contents of the unzipped .app over Xcode's .app (the trailing slash copies the
# contents, not the directory) so Xcode treats it as its own build product and signs it
cp -rf "$unzippedAppPath/" "$targetAppPath"

# 3. Remove app extensions and the Watch app: a personal development certificate
# cannot sign extensions
rm -rf "$targetAppPath/PlugIns"
rm -rf "$targetAppPath/Watch"

# 4. Rewrite CFBundleIdentifier in Info.plist to the bundle id of our own project, since the
# provisioning profile is tied to that id. PlistBuddy edits plist files:
#   "Set :KEY value" "path/to/file.plist"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$targetAppPath/Info.plist"

# 5. Re-sign the third-party frameworks bundled with the app. Xcode signs the main bundle;
# frameworks it did not build or embed itself must be signed separately with the same identity
targetAppFrameworkPath="$targetAppPath/Frameworks"
if [ -d "$targetAppFrameworkPath" ]; then
    for framework in "$targetAppFrameworkPath"/*
    do
        [ -e "$framework" ] || continue   # empty Frameworks dir leaves the glob unexpanded
        /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$framework"
    done
fi

Two, framework code injection

1. Starting from the re-signing project above, we create a framework target (Inject.framework) and write the code to inject in its +load method, as shown below:

[Figure 06]

  • 1.1 Then we append the injection commands to the end of the script:

# 6. Get the name of the Mach-O executable from Info.plist (CFBundleExecutable)
APP_BINARY=$(/usr/libexec/PlistBuddy -c "Print :CFBundleExecutable" "$targetAppPath/Info.plist")
# Inject our framework: yololib adds an LC_LOAD_DYLIB load command to the executable. The path
# must match where Inject.framework ends up inside the .app, relative to the main executable.
# yololib must be on PATH (or be given by full path), and this must run before signing
yololib "$targetAppPath/$APP_BINARY" "Frameworks/Inject.framework/Inject"
  • 1.2 Run the project; the injected code executes, as shown below:

    [Figure 07]

  • 1.3 The 306 errors shown in the project above are a permissions problem on my machine and can be ignored; you should not see them. The code was injected successfully. For why the code goes in the +load method, see my other article, "Detailed Explanation of the Principle of Dyld Loading Application Startup", which analyses when injected code runs.

  • 1.4 Next, what does yololib actually do? We take the executable of the framework we created and the WeChat executable and run the yololib command on them, as shown below:

    [Figure 08]

  • 1.5 yololib (available from its public repository) injects our framework into the WeChat executable by adding a load command for it, as shown below:

    [Figure 09]

  • 1.6 Then we use MachOView to confirm that the WeChat executable now lists our library among its load commands (an LC_LOAD_DYLIB entry for Inject.framework), as shown below:

    [Figure 10]
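The following Python script is an added example, not code from the original article and not yololib's own code. It does by hand what sections 1.2 and 1.4 to 1.6 do with MachOView and yololib: walk the Mach-O load commands, read the cryptid of LC_ENCRYPTION_INFO(_64), append an LC_LOAD_DYLIB for the injected framework, and list the load dylibs afterwards to verify. It assumes a thin 64-bit little-endian image (a FAT binary must be thinned first, e.g. with `lipo -thin arm64`); the sample image it operates on is constructed inline, so it runs offline, and the framework path is the Inject.framework path used in the article.

```python
# Added example: minimal Mach-O load-command walker (not yololib's code).
# Assumes a thin 64-bit little-endian image; the sample image is constructed below.
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
HEADER_SIZE = 32        # sizeof(struct mach_header_64)
DYLIB_CMD_SIZE = 24     # sizeof(struct dylib_command), before the name string


def read_header(data):
    """Return (ncmds, sizeofcmds) after checking the 64-bit magic."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O (FAT or 32-bit?)")
    return ncmds, sizeofcmds


def load_commands(data):
    """Yield (cmd, file offset, cmdsize) for every load command."""
    ncmds, _ = read_header(data)
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, off, cmdsize
        off += cmdsize


def is_encrypted(data):
    """True if cryptid != 0, i.e. __TEXT is still FairPlay ciphertext (section 1.2)."""
    for cmd, off, _ in load_commands(data):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            return cryptid != 0
    return False    # no encryption-info command at all


def load_dylibs(data):
    """Paths of all LC_LOAD_DYLIB commands, as MachOView lists them (section 1.6)."""
    paths = []
    for cmd, off, size in load_commands(data):
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            paths.append(data[off + name_off:off + size].split(b"\0", 1)[0].decode())
    return paths


def first_section_offset(data):
    """Lowest file offset of any section; the load commands may only grow up to here."""
    lowest = len(data)
    for cmd, off, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):                 # section_64 is 80 bytes, offset field at +48
                sec_off = struct.unpack_from("<I", data, off + 72 + i * 80 + 48)[0]
                if sec_off:
                    lowest = min(lowest, sec_off)
    return lowest


def inject_load_dylib(data, path):
    """What yololib does (section 1.4): write a new LC_LOAD_DYLIB into the zero padding
    after the last load command and bump ncmds/sizeofcmds, so dyld maps the framework
    before main(). Refuses encrypted images and images without enough padding."""
    if is_encrypted(data):
        raise ValueError("cryptid != 0: use a decrypted (jailbroken-store) binary")
    ncmds, sizeofcmds = read_header(data)
    name = path.encode() + b"\0"
    cmdsize = (DYLIB_CMD_SIZE + len(name) + 7) & ~7      # 8-byte aligned on 64-bit
    cmd = struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, DYLIB_CMD_SIZE, 2, 0x10000, 0x10000)
    cmd += name.ljust(cmdsize - DYLIB_CMD_SIZE, b"\0")
    end = HEADER_SIZE + sizeofcmds
    if end + cmdsize > first_section_offset(data) or any(data[end:end + cmdsize]):
        raise ValueError("no free zero padding after the load commands")
    out = bytearray(data)
    out[end:end + cmdsize] = cmd
    struct.pack_into("<2I", out, 16, ncmds + 1, sizeofcmds + cmdsize)
    return bytes(out)


def build_sample(cryptid=0, text_offset=0x1000):
    """Constructed stand-in for WeChat's binary: one __TEXT/__text section at
    text_offset, an LC_ENCRYPTION_INFO_64, zero padding, then a single arm64 `ret`."""
    section = struct.pack("<16s16sQQ8I", b"__text", b"__TEXT", 0x100001000, 4,
                          text_offset, 2, 0, 0, 0x80000400, 0, 0, 0)
    segment = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                          0x100000000, 0x2000, 0, text_offset + 4, 5, 5, 1, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, text_offset, 0x1000, cryptid, 0)
    cmds = segment + section + enc
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(text_offset, b"\0") + b"\xc0\x03\x5f\xd6"
```

To apply it to a real binary, read the executable's bytes, call `inject_load_dylib(image, "@executable_path/Frameworks/Inject.framework/Inject")`, write the result back over the file, and then let the Xcode script re-sign it: the header has changed, so the old signature no longer matches. The `@executable_path/` prefix is how dyld resolves a path relative to the main executable inside the .app bundle. The padding check is the same constraint yololib has to respect: the new load command can only go into the slack between the end of the load commands and the first section's file offset, which linkers leave as zero bytes.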

2. How to intercept WeChat registration

  • 2.1 We use the debugger to find the action method behind the register button, as shown below:

    [Figure 11]

  • 2.2 The target is "WCAccountLoginControlLogic" and the method run when the register button is tapped is "onFirstViewRegester". With that, the next step is a simple method swizzle.

  • 2.3 We write the swizzle in our framework, as follows:

#import <Foundation/Foundation.h>
#import <objc/runtime.h>

@interface Inject : NSObject
@end

@implementation Inject

// +load runs when dyld loads the injected framework, before main(), so the swizzle is in place before WeChat builds its login UI
+ (void)load {
    // the handler found in 2.2: -[WCAccountLoginControlLogic onFirstViewRegester]
    Method oldMethod = class_getInstanceMethod(objc_getClass("WCAccountLoginControlLogic"), @selector(onFirstViewRegester));
    Method newMethod = class_getInstanceMethod(self, @selector(test));
    // Swap the implementations. Tapping "register" now runs -test; the original implementation
    // becomes unreachable from WCAccountLoginControlLogic, so the registration flow is blocked, not wrapped
    if (oldMethod && newMethod) {
        method_exchangeImplementations(oldMethod, newMethod);
    }
}

// After the swap, self here is the WCAccountLoginControlLogic instance, not an Inject
- (void)test {
    NSLog(@"---- intercepted WeChat register button tap ------");
}

@end
  • 2.4 Next we run the program and tap the button, as shown below:

    [Figure 12]

At this point, automatic re-signing from a shell script and framework code injection are both complete. There is also dylib injection, which uses a macOS library target; it is comparatively simple, and I will write it up if needed. The main thing is to become familiar with framework injection. The script is attached for download; if it helps you, please give it a Star.


Author: Qinz
link: https://www.jianshu.com/p/7d5daf6436b2


Origin blog.csdn.net/wangletiancsdn/article/details/104415986