通過在 Xcode 里的 Other Linker Flags 設置參數,可以防止App被注入dylib(僅限於iOS 10 以下系統) 比如,某藝,XX音樂等
dylib無法注入,也就意味着沒辦法用cycript動態調試App,只能干瞪眼
Other Linker Flags 參數
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
通過閱讀dyld源代碼,我們可以得知其大概原理
static ImageLoader* loadPhase3(const char* path, const char* orgPath, const LoadContext& context, std::vector<const char*>* exceptions) { ImageLoader* image = NULL; if ( strncmp(path, "@executable_path/", 17) == 0 ) { // executable_path cannot be in used in any binary in a setuid process rdar://problem/4589305 if ( sProcessIsRestricted ) throwf("unsafe use of @executable_path in %s with restricted binary", context.origin); } else if ( (strncmp(path, "@loader_path/", 13) == 0) && (context.origin != NULL) ) { // @loader_path cannot be used from the main executable of a setuid process rdar://problem/4589305 if ( sProcessIsRestricted && (strcmp(context.origin, sExecPath) == 0) ) throwf("unsafe use of @loader_path in %s with restricted binary", context.origin); } else if (sProcessIsRestricted && (path[0] != '/' )) { throwf("unsafe use of relative rpath %s in %s with restricted binary", path, context.origin); } return loadPhase4(path, orgPath, context, exceptions); }
當dylib加載路徑是以 @executable_path、@loader_path 或者不是以 '/'開頭,則會拋出異常使進程結束。
針對以上情況,分享一個修改__RESTRICT命令的工具,原理是將Mach-O文件中的 RESTRICT命令改為 SESTRICT,使該命令因為無法識別而失效。
使用
./AAntiCrack --replace-restrict <應用可執行文件mach-o>
此工具還有注入dylib功能,將dylib與mach-o放在同一目錄下,然后執行
./AAntiCrack --replace-restrict -i dylib路徑 <應用可執行文件mach-o>
即可實現動態庫注入,與反反注入
相關鏈接:
http://bbs.iosre.com/t/tweak-app-app-tweak/438