iOS reverse security learning
As Apple has developed iOS over the years, the security protection mechanisms on iOS have become more numerous and more complex. This is unfriendly to researchers who are new to iOS security, who often do not know where to start. To give everyone a more systematic understanding of the security mechanisms on iOS, this post starts from the outline below, in the hope that it helps with study and research.
You can also refer to the index of the column "Reverse Engineering and Security of iOS Applications" alongside the study outline below.
A Preliminary Study of Reverse Engineering
Assembly language
A typical skeleton of a segmented x86 assembly program; the ellipses mark parts elided in the original:

```asm
DATA SEGMENT              ; start of the data segment
    ......                ; pseudo-instructions defining data-segment variables
DATA ENDS                 ; end of the data segment
EXTRA SEGMENT             ; start of the extra segment
    ......                ; pseudo-instructions defining extra-segment variables
EXTRA ENDS                ; end of the extra segment
STACK SEGMENT             ; start of the stack segment
    ......                ; pseudo-instructions defining stack-segment variables
STACK ENDS                ; end of the stack segment
MAC1 MACRO                ; start of the macro definition
    ......                ; pseudo-instructions or instructions: the macro body
ENDM                      ; end of the macro definition
CODE SEGMENT              ; start of the code segment
ASSUME CS:CODE,DS:DATA,ES:EXTRA,SS:STACK
START:                    ; main program entry address
    MOV AX,DATA           ; segment register initialization
    MOV DS,AX
    MOV AX,EXTRA
    MOV ES,AX
    MOV AX,STACK
    MOV SS,AX
    ......                ; instructions
    CALL SUB1             ; call the subroutine
    ......                ; instructions
    MAC1                  ; invoke the macro
    ......                ; instructions
    MOV AH,4CH            ; return to DOS
    INT 21H
SUB1 PROC                 ; start of the subroutine definition
    ......
    RET                   ; return to the main program
SUB1 ENDP                 ; end of the subroutine definition
CODE ENDS                 ; end of the code segment
END START                 ; end of assembly
```
Signing and re-signing
- Full re-signing
  The certificate, the mobileprovision profile and the Bundle ID all carry consistent information, so this kind of re-signing is essentially the same as signing the code directly.
  Advantages: long validity period and high stability.
  Disadvantages: high maintenance cost; for every re-signed ipa the Bundle ID must be modified and matched to the corresponding signing certificate and mobileprovision profile.
  Scope of application: when signature stability is required.
- Incomplete re-signing
  Only ensures that the certificate and the mobileprovision profile correspond to each other; whether they are consistent with the original ipa's Bundle ID and other information is not considered.
  Advantages: seemingly more convenient to maintain.
  Disadvantages: the original ipa's signature is not actually fully replaced, so the re-signing fails easily, stability is low, and the signature is very likely to become invalid and need re-signing.
  Scope of application: when the stability requirement is not high.
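Whether a build satisfies the full re-signing condition above (certificate team, mobileprovision profile and Bundle ID all agree) can be checked mechanically. The following is an added example, not code from the original post; it assumes the profile has already been decoded to XML (on macOS, `security cms -D -i embedded.mobileprovision`) and uses constructed sample plists with a hypothetical team ID and Bundle ID.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample input: the app's Info.plist and a provisioning
# profile already decoded to XML (hypothetical team ID and bundle ID).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.demo</string>
</dict></plist>"""
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.demo</string>
<key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
</dict></dict></plist>"""


def check_resign_consistency(info_plist, profile_plist, now=None):
    """Return the mismatches between an app's Info.plist and the decoded profile
    it was re-signed with; an empty list means the full re-sign condition holds."""
    info = plistlib.loads(info_plist)
    profile = plistlib.loads(profile_plist)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []

    bundle_id = info.get("CFBundleIdentifier", "")
    ents = profile.get("Entitlements", {})
    team_ids = profile.get("TeamIdentifier", [])
    # application-identifier is "<TEAMID>.<explicit bundle id | prefix.* | *>"
    team_prefix, _, id_pattern = ents.get("application-identifier", "").partition(".")

    if team_prefix not in team_ids:
        problems.append(f"team prefix {team_prefix!r} not in TeamIdentifier {team_ids}")
    if id_pattern == "*":
        pass  # wildcard profile: any Bundle ID under this team is allowed
    elif id_pattern.endswith(".*"):
        if not bundle_id.startswith(id_pattern[:-1]):  # keep the trailing dot
            problems.append(f"{bundle_id!r} is outside wildcard {id_pattern!r}")
    elif id_pattern != bundle_id:
        problems.append(f"Bundle ID {bundle_id!r} != profile app id {id_pattern!r}")

    # A profile whose ExpirationDate has passed signs nothing, however well it matches
    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        problems.append(f"profile expired on {expires:%Y-%m-%d}")
    return problems
```

Run it against the real Info.plist and decoded profile of a re-signed ipa; any returned item is a reason the signature will be rejected or will not match the original app.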
Hook and injection
- Software encryption technology is constantly being updated and iterated, and the skill of both sides keeps rising. Purely static security confrontation has become rare: analysts now face ever stronger code encryption and program anti-tampering techniques. Against this background a new software analysis technique, Hook and injection, came into being.
- Decompiling an APK, modifying or adding code and then repackaging it changes the hash value and signature information of the original file. Software anti-tampering works by checking the hash value and signature of the original file at runtime to determine whether the program has been tampered with. Hook technology, also called "hooking", works by first "hooking" the function to be modified and then replacing it with a custom function, so that the program executes the custom function at runtime, thereby dynamically modifying the software. Take anti-tampering as an example: when the anti-tampering system checks the program's hash value and signature, it calls system APIs to read the APK's signature information. With hook technology these system APIs can be "hooked" so that they directly return the original program's signature information, thereby effectively "cheating" the anti-tampering system and solving the problem of signature checks after the code is repackaged. This involves two technical points: how to implement the "hooking" action, and how to write the custom function.