How common anti-jailbreak-detection tweaks are implemented


Anti-jailbreak analysis
by lichao890427

1. libjailprotect analysis
2. liberty analysis
3. tsprotector8 analysis
4. xcon analysis
5. breakthrough analysis
1. libjailprotect analysis
① Directory structure:
├─Library
│ ├─MobileSubstrate
│ │ └─DynamicLibraries
│ │     JailProtect.dylib
│ │     JailProtect.plist
│ └─PreferenceLoader
│   └─Preferences
│       JailProtect.plist
└─usr
  └─lib
      libJailProtect.dylib

② Loading mechanism
JailProtect.dylib hooks [FBApplicationInfo environmentVariables] in the com.apple.springboard module and sets the environment variable DYLD_INSERT_LIBRARIES to the module that actually performs the anti-jailbreak work, /usr/lib/libJailProtect.dylib
libJailProtect.dylib hooks the following C functions by adding an __interpose section (dyld interposing): open, fopen, creat, access, symlink, fork, dladdr, dyld_get_image_name, dyld_get_image_header, task_for_pid, strstr, dlopen, lstat, fstatat, uname, sysctl, system, sysctlbyname, realpath$DARWIN_EXTSN, dlsym; it also hooks the following Objective-C methods via MSHookMessageEx:
[UIDevice systemVersion]
[NSProcessInfo operatingSystemVersionString]
[_LSCanOpenURLManager queryForApplicationsAvailableForOpeningURL:legacySPI]
[_LSCanOpenURLManager canOpenURL:publicSchemes:privateSchemes:XPCConnection:error:]
[_LSCanOpenURLManager internalCanOpenURL:publicSchemes:privateSchemes:XPCConnection:error:]
[UIApplication canOpenURL:]
[NSFileManager fileExistsAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSFileManager URLForDirectory:inDomain:appropriateForURL:create:error:]
[NSFileManager containerURLForSecurityApplicationGroupIdentifier:]
[NSString writeToFile:atomically:]
[NSString writeToFile:atomically:encoding:error:]
[NSString writeToURL:atomically:]
[NSString writeToURL:atomically:encoding:error:]
[NSData writeToFile:atomically:]
[NSData writeToFile:atomically:error:]
[NSData writeToFile:options:error:]
[NSData writeToURL:atomically:]
[NSData writeToURL:options:error:]

③ Hook behaviour
Prefix blacklist:
/-
/.
/Applications
/Library
/System/Library/Caches/com.apple.dyld
/System/Library/Caches/com.apple.xpcd
/System/Library/LaunchDaemons/com.evad3rs
/System/Library/LaunchDaemons/com.saurik
/System/Library/LaunchDaemons/io.pangu
/User
/bin/bash
/bin/sh
/etc/apt
/etc/ssh
/evasi0n7
/panguaxe
/pguntether
/private
/taig
/tmp
/usr/arm-apple-darwin9
/usr/bin
/usr/include
/usr/lib
/usr/local
/usr/sbin
/usr/share/bigboss
/usr/share/dpkg
/var/cache/apt
/var/lib/apt
/var/lib/cydia
/var/lib/dpkg
/var/log/syslog
/var/mobile/Applications
/var/mobile/Containers
/var/mobile/Media/pangu
/var/root
/var/stash
/var/tmp
/xuanyuansword

Path whitelist:
[NSFileManager URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
[NSBundle resourcePath]
/Library/Preferences/Logging
/Library/Preferences
/Library/Managed Preferences/mobile
/private/var/Managed Preferences/mobile
/var/mobile/Library/ConfigurationProfiles
/var/mobile/Library/UserConfigurationProfiles
/var/mobile/Library/AddressBook
/var/mobile/Library/Caches/com.apple.MobileGestalt.plist
/usr/share/icu
paths returned by [NSFileManager URLForDirectory:inDomain:]
paths returned by [NSFileManager containerURLForSecurityApplicationGroupIdentifier:]

The following hooked functions check for paths that start with a blacklist prefix and are not in the whitelist; such paths immediately return failure:
open/fopen/creat/access/symlink/lstat/fstatat/realpath
[NSFileManager fileExistsAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSString writeToFile:atomically:]
[NSString writeToFile:atomically:encoding:error:]
[NSString writeToURL:atomically:]
[NSString writeToURL:atomically:encoding:error:]
[NSData writeToFile:atomically:]
[NSData writeToFile:atomically:error:]
[NSData writeToFile:options:error:]
[NSData writeToURL:atomically:]
[NSData writeToURL:options:error:]

The following hooked functions return a system module instead when the path contains Substrate/Cydia/substrate/stash:
dladdr/dyld_get_image_name/dyld_get_image_header

The following hooked functions return failure when the string contains Substrate/Cydia/substrate/stash:
strstr/dlopen

The hooked dlsym returns the hooked fstatat when the requested symbol name is fstatat
The hooked fork callback returns failure directly
The hooked system callback returns 0 directly
The hooked task_for_pid returns failure (5) when the pid is 0
The hooked uname replaces "Marijuan" in the version field with "RELEASE_"
The hooked sysctl/sysctlbyname replace "Marijuan" with "RELEASE_" in the version string when kern.version is requested

The following hooked functions return failure when the scheme string is cydia:
[_LSCanOpenURLManager queryForApplicationsAvailableForOpeningURL:legacySPI]
[_LSCanOpenURLManager canOpenURL:publicSchemes:privateSchemes:XPCConnection:error:]
[_LSCanOpenURLManager internalCanOpenURL:publicSchemes:privateSchemes:XPCConnection:error:]
[UIApplication canOpenURL:]

During initialisation the following calls remove the environment variables registered by Cydia:
unsetenv("_MSSafeMode")
unsetenv("DYLD_INSERT_LIBRARIES")
2. liberty analysis
① Directory structure
├─Library
│ ├─MobileSubstrate
│ │ └─DynamicLibraries
│ │     LibertySB.dylib
│ │     LibertySB.plist
│ ├─PreferenceBundles
│ └─PreferenceLoader
│   └─Preferences
│       LibertyPref.plist
└─usr
  └─lib
      Liberty.dylib
② Loading mechanism
LibertySB.dylib hooks [FBApplicationInfo environmentVariables] in the com.apple.springboard module and sets the environment variable DYLD_INSERT_LIBRARIES to the module that actually performs the anti-jailbreak work, /usr/lib/Liberty.dylib
Liberty.dylib hooks the following C functions via fishhook and a dlsym hook:
access/dlopen/dlsym/fopen/fork/getenv/lstat/open/opendir/stat/statfs/symlink/sysctl/sysctlbyname/vfork/system/_dyld_image_count/CFBundleGetAllBundles/CFNotificationCenterPostNotification
It also uses MSHookFunction to hook the following C functions internal to the target apps: _TasDraRecalcRiskAssessment/_TasDraGetRiskItemCount/_TasDraGetRiskAssessmentItemByName
It also uses method_setImplementation to hook the following Objective-C methods:
(system APIs)
[NSString writeToFile:atomically:encoding:error:]
[UIApplication openURL:]
[UIApplication canOpenURL:]
[NSJSONSerialization JSONObjectWithData:options:error:]
(app-internal methods)
[QPLibraryConfiguration runtimeConfigurationValueForKey:]
[ShieldCallbackManager setObserver:]
[HSBCRASPServices jailbreakStatus:]
[HSBCRASPServices handleLibraryInjectionDetected]
[HSBCRASPServices libraryInjectionDetected]
[HSBCRASPServices debuggerStatus:]
[HSBCRASPServices repackagingStatus:]
[HSBCRASPServices postNotification:value:]
[ShieldObserver libraryInjectionDetected]
[ShieldObserver debuggerStatus:]
[ShieldObserver repackagingStatus:]
[ShieldObserver jailbreakStatus:]
[Citibank.CBMSecurityCheck libraryInjectionDetected]
[Citibank.CBMSecurityCheck debuggerStatus:]
[Citibank.CBMSecurityCheck jailbreakStatus:]
[IPDKBAppDelegate shieldDelegateDidDetectLibraryInjection:]
[IPDKBAppDelegate shieldDelegateDidDetectJailbreak:]
[SFBShieldDelegate jailbreakAction]
[SFBShieldDelegate libraryInjectionDetected]
[SFBShieldDelegate debuggerStatus:]
[SFBShieldDelegate jailbreakStatus:]
[GLMOBUtilities getJailBrokenDeviceInfoDict]

During initialisation it walks the environ array and erases the Substrate module that DYLD_INSERT_LIBRARIES points to

③ Hook behaviour
Blacklist:
/Applications
/Applications/
/Applications/Cydia.app
/Applications/Cydia.app/
/Applications/Cydia.app/Cydia
/Applications/Cydia.app/Info.plist
/Applications/Cydia.app/../Cydia.app
/Applications/Cydia.app/../Cydia.app/
/Applications/Cydia.app/../Cydia.app/In
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/Iny.app
/Applications/iFile.app
/Applications/Activator.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSettings.app
/Applications/WinterBoard.app
/Applications/blackra1n.app
/Library/Activator
/Library/Flipswitch
/Library/Frameworks/CydiaSubstrate.fram
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibrari
/Library/MobileSubstrate/DynamicLibrari
/Library/MobileSubstrate/DynamicLibrari
/Library/MobileSubstrate/MobileSubstrat
/Library/MobileSubstrateMobileSubstrate
/Library/Ringtones
/Library/Switchs
/Library/Wallpaper
/System/Library/LaunchDaemons/com.ikey.
/System/Library/LaunchDaemons/com.sauri
/bin/bash
/bin/sh
/bin
/bin/su
/etc/apt
/etc/apt/
/etc/clutch.conf
/etc/clutch_cracked.plist
/etc/ssh/sshd_config
/private/
/private
/private/vstb_writable_check
/private/etc/fstab
/private/Miitomo
/private/var/lib/apt
/private/var/lib/apt/
/private/var/lib/cydia
/private/var/lib/cydia/
/private/var/tmp/cydia.log
/private/var/mobile/Library/SBSettings/
/private/var/mobileLibrary/SBSettingsTh
/private/var/stash
/private/var/stash/
/private/var/tmp/cydia.log
/private/var/tmp/Cydia.log
/usr/arm-apple-darwin9
/usr/bin/ssh
/usr/bin/sshd
/usr/binsshd
/usr/sbin
/usr/sbinsshd
/usr/include
/usr/lib/pam
/usr/lib/python2.5
/usr/libexec
/usr/libexec/cydia
/usr/libexec/cydia/
/usr/libexec/sftp-server
/usr/libexec/ssh-keysign
/usr/sbin/sshd
/usr/share
/var/cache/apt
/var/cache/apt/
/var/cache/clutch.plist
/var/cache/clutch_cracked.plist
/var/lib/apt
/var/lib/apt/
/var/lib/clutch/overdrive.dylib
/var/lib/cydia
/var/lib/cydia/
/var/lib/dpkg/info
/var/log/syslog
/var/root/Documents/Cracked/
/var/tmp/cydia.log
/var/stash/Library/Ringstones
/var/stash/Library/Wallpaper
/var/stash/usr/include
/var/stash/usr/libexec
/var/stash/usr/share
/Systetem/Library/LaunchDaemons/com.ik
/System/Library/LaunchDaemons/com.saur
/Library/MobileSubstrate/MobileSubstra
/var/cache/apt/
/var/lib/apt/
/var/lib/cydia/
/var/log/syslog
/bin/bash
/bin/sh
/etc/apt/
/etc/ssh/sshd_config
/usr/libexec/ssh-keysign
/Library/MobileSubstrate/MobileSubstrate
/Applications/Cydia.app
/var/cache/apt
/var/lib/cydia
/var/log/syslog
/var/tmp/cydia.log
/bin/bash
/bin/sh
/usr/sbin/sshd
/usr/libexec/ssh-keysign
/etc/ssh/sshd_config
/etc/apt
/var/root/.tastest
/Library/Managed Preferences/mobile/.Gl
/Library/Preferences/com.apple.security
/private/var/mobile/home/duh
/etc/rel
/System/Library/LaunchDaemons/com.apple
/System/Library/LaunchDaemons/com.apple
/private/var/mobile/home/syslog
/private/var/mobile/home/sshd
/Library/MobileSubstrate/DynamicLibrari
/usr/lib/libsubstrate.dylib
/usr/bin
/bin
/boot
/var/root
/private/var/stash
/Applications/Cydia.app
/Library/MobileSubstrate
/private/etc/fstab
/var
/private/var
/private
/library/MobileSubstrate/MobileSubstrat
/mnt
/lib
/panguaxe
/panguaxe.installed
/private/var/mobile/Media/panguaxe.inst
/private/var/lib/dpkg/info/io.pangu.axe
/private/var/lib/dpkg/info/io.pangu.axe
/System/Library/LaunchDaemons/io.pangu.
/private/var/lib/dpkg/info/taiguntether
/private/var/lib/dpkg/info/taiguntether
/private/var/lib/dpkg/info/taiguntether
/private/var/lib/dpkg/info/taiguntether
/taig/
/taig/taig
/private/var/lib/dpkg/info/io.pangu.fux
/private/var/lib/dpkg/info/io.pangu.fux
/pguntether
/private/Miitomo
/var/stash/
/var/stash
/private/var/cache/apt/
/private/var/log/syslog
/private/etc/apt/
/private/etc/ssh/sshd_config
/var/mobile/Library/Application Support
/private/etc/dpkg/origins/debian
/bin/gunzip
/bin/gzip
/bin/tar
/Library/MobileSubstrate/DynamicLibrari
/usr
/private/var/cache/apt
/etc/fstab
/bin/ps
/Systetem/Library/LaunchDaemons/com.ike
/Library/MobileSubstrate/DynamicLibrari
/usr/lib/TsProtePass.dylib
/var/stash/Library/Ringtones
/var/stash/usr/arm-apple-darwin9
/private/masbog.txt
usr/bin/cycript
usr/bin/cynject
usr/sbin/frida-server
/private/var/db/stash/
/var/tmp//ct.shutdown
/var/tmp/ct.shutdown
/var/tmp//cydia.log
/var/tmp//pgloader
/var/tmp/pgloader
/var/tmp/
/var/tmp//.pangu93loaded
/var/tmp/.pangu93loaded
/var/tmp//RestoreFromBackupLock
/var/tmp/RestoreFromBackupLock
/Library/LaunchDaemons/com.openssh.sshd
/private/var/db/stash
/bin/mv
/private/jailbreak.txt
/Library/MobileSubstrate/
var/lib/apt
/private/var/TestPB16.file
/etc/TestPB16.file
/Applications/TestPB16.file
/System/Library/Caches/com.apple.dyld/e
/usr/lib/libmis.dylib
/usr/lib/pangu_xpcd.dylib
/System/Library/LaunchDaemons/io.pangu.
/xuanyuansword
/xuanyuansword.installed
/evasi0n7
/System/Library/LaunchDaemons/com.evad3
/System/Library/Caches/com.apple.xpcd/x
/usr/lib/libpatcyh.dylib
/usr/share/bigboss/icons/bigboss.png
/Library/MobileSubstrate/DynamicLibrari
/Library/PreferenceBundles/tsProtectorS
/Library/PreferenceLoader/Preferences/t
/private/var/lib/xcon
/Library/MobileSubstrate/DynamicLibrari
/Library/MobileSubstrate/DynamicLibrari
/.cydia_no_stash
/private/etc/dpkg/origins/debian
/private/var/log/apt/term.log
/Library/LaunchDaemons/re.frida.server.
/usr/sbin/frida-server
/sbin/reboot
/Library/Frameworks/CydiaSubstrate.fram
/etc/ssh
Applications
Library/MobileSubstrate
Library/MobileSubstrate/DynamicLibrarie
System/Library/LaunchDaemons
private/var/lib
private/var/mobile/Library/SBSettings
private/var/tmp
var/cache
var/lib
bin
usr/sbin
usr/bin
usr/libexec
etc/ssh
etc
var/tmp
var/log
Library/Frameworks
.
/private/var/evasi0n

The following hooked functions return failure when the path is in the blacklist:
access/fopen/lstat/open/opendir/stat/statfs/symlink/readlink/realpath

The hooked [NSString writeToFile:atomically:encoding:error:] returns failure when the path is /private, /private/var/mobile/Containers or /private/var/mobile/Applications
The hooked [UIApplication canOpenURL:] and [UIApplication openURL:] return failure when the scheme is cydia/ifile/activator/filza
The hooked CFBundleGetAllBundles removes elements containing Cydia from its result
The hooked dlopen returns failure when the path contains MobileSubstrate.dylib
The hooked dyld_get_image_name returns failure when the path it would return contains ubstrate
The hooked dyld_image_count returns 80 when the real count is greater than 80
The hooked fopen/lstat/open/stat/statfs return failure when the path contains /etc/fstab, /private, /var/mobile/ or /private/var
The hooked fork/vfork return failure
The hooked getenv returns failure when the requested name contains DYLD_INSERT_LIBRARIES
The hooked sysctl returns failure when mib[0]=CTL_KERN, mib[1]=KERN_PROC and mib[3]!=getpid()
The hooked system returns 0
3. tsprotector8 analysis
① Directory structure
└─Library
  └─MobileSubstrate
    └─DynamicLibraries
        ~~tsProtector 8.dylib
        ~~tsProtector 8.plist

② Loading mechanism
JailProtect.dylib hooks [FBApplicationInfo environmentVariables] in the com.apple.springboard module and sets the environment variable DYLD_INSERT_LIBRARIES to the module that actually performs the anti-jailbreak work, /usr/lib/libJailProtect.dylib
libJailProtect.dylib hooks the following C functions via MSHookFunction: access/popen/open/lstat/statfs/fopen/fork/__opendir2/connect/system/posix_spawn/UIApplicationMain; it also hooks the following Objective-C methods via MSHookMessageEx:
[UIApplication canOpenURL:]
[NMSystemInfo getProcessInfo:]
[NSData initWithContentsOfFile:options:error:]
[NSString stringWithContentsOfFile:usedEncoding:error:]
[NSString initWithContentsOfFile:]
[NSString writeToFile:atomically:encoding:error:]
[NSFileManager instanceMethodForSelector:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSFileManager changeCurrentDirectoryPath:]
[NSFileManager contentsAtPath:]
[NSFileManager contentsOfDirectoryAtPath:error:]
[UIAlertView show]

③ Hook behaviour
Whitelist (matched with or without the /private prefix):
/var
/var/mobile
/var/mobile/Containers/Bundle/Applications
/usr
/usr/lib
/System
/System/Library
/etc/passwd
/usr/lib/libAXSpeechManager.dylib
/usr/lib/libmecabra.dylib
/Databases.db

Whitelist (prefix):
/var/mobile/Containers
/var/mobile/Containers
/var/mobile/Library/AddressBook
/var/mobile/Library/Caches
/var/mobile/Library/Keyboard
/var/mobile/Library/Preferences/.
/var/mobile/Library/Preferences/com.apple.
/dev
/System/Library/AccessibilityBundles
/System/Library/Audio
/System/Library/Fonts
/System/Library/Frameworks
/System/Library/PrivateFrameworks
/System/Library/TextInput
/System/Library/Internet Plug-Ins
/usr/local/lib/icu/
/usr/share/icu
/var/db/timezone
/System/Library/CoreServices
/AppleInternal/Library
/Library/Managed Preferences
/usr/share/langid
/Library/Preferences/SystemConfiguration

Blacklist:
/boot
/etc/fstab
/etc/fstb
/etc/hosts
/lib
/Library/MobileSubstrate
/Library/MobileSubstrate/DynamicLibraries
/Library/Ringtones
/Library/Themes
/Library/Wallpaper
/Library/WeeLoader
/Library/Zeppelin
/User
/mnt
/System/Library/KeyboardDictionaries
/tmp
/usr/arm-apple-darwin9
/usr/include
/usr/lib/hacktivate.dylib
/usr/libexec
/usr/libexec/sftp-server
/usr/libexec/ssh-keysign
/usr/share

Blacklist (prefix):
/Applications
/Applications/YooKey.app
/etc/ssh
/Library/MobileSubstrate/MobileSubstrate.dylib
/System/Library/LaunchDaemons
/var/lib
/var/log
/xuanyuansword
/Library/MobileSubstrate/DynamicLibraries
/var/mobile/Library/Cydia
/var/mobile/Library/Pangu
/bin
/sbin
/usr/bin
/usr/sbin

Blacklist (suffix):
.plist
/apt
/cydia
/cache
/dpkg
/etc
/lib
/log
/stash
SBSettings/Themes
term.log
cydia.log

The following hooked functions return success when the path is in the whitelist and failure when it is in the blacklist:
access/popen/open/lstat/stat/statfs/fopen/__opendir2
[NSData initWithContentsOfFile:options:error:]
[NSString stringWithContentsOfFile:usedEncoding:error:]
[NSString initWithContentsOfFile:]
[NSString writeToFile:atomically:encoding:error:]
[NSFileManager fileExistsAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSFileManager changeCurrentDirectoryPath:]
[NSFileManager contentsAtPath:]
[NSFileManager contentsOfDirectoryAtPath:error:]

The hooked [UIApplication canOpenURL:] returns failure when the scheme contains cydia
The hooked [NSFileManager instanceMethodForSelector:] returns failure when the selector is fileExistsAtPath:
The hooked fork returns failure
The hooked connect returns failure when it detects an SSH connection to IP 127.0.0.1 on port 22
The hooked system returns failure
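To make the list semantics concrete, here is an added example written for this page (it is not code from tsProtector 8 or libJailProtect): a portable C model of the path decision the two tweaks apply before they let open/stat/fileExistsAtPath: and the other hooked calls run. ts_classify() follows the tsProtector 8 rule described in this section (exact whitelist matched with or without /private, prefix whitelist, then the exact, prefix and suffix blacklists), and jp_should_fail() follows the libJailProtect rule from section 1 (fail when a blacklist prefix matches and no whitelist entry does). The lists are abridged from the ones quoted on this page, the function names are mine, and evaluating the whitelist before the blacklist is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Abridged copies of the tsProtector 8 lists quoted above. */
static const char *ts_white_exact[] = {
    "/var", "/var/mobile", "/var/mobile/Containers/Bundle/Applications", "/usr",
    "/usr/lib", "/System", "/System/Library", "/etc/passwd", "/Databases.db",
};
static const char *ts_white_prefix[] = {
    "/var/mobile/Containers", "/var/mobile/Library/AddressBook", "/var/mobile/Library/Caches",
    "/var/mobile/Library/Preferences/com.apple.", "/dev", "/System/Library/Frameworks",
    "/usr/share/icu", "/Library/Managed Preferences",
};
static const char *ts_black_exact[] = {
    "/boot", "/etc/fstab", "/etc/hosts", "/lib", "/Library/MobileSubstrate", "/User",
    "/tmp", "/usr/libexec/ssh-keysign", "/usr/share",
};
static const char *ts_black_prefix[] = {
    "/Applications", "/etc/ssh", "/System/Library/LaunchDaemons", "/var/lib", "/var/log",
    "/xuanyuansword", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
};
static const char *ts_black_suffix[] = {
    ".plist", "/apt", "/cydia", "/dpkg", "/stash", "term.log", "cydia.log",
};

enum verdict { PASS_THROUGH = 0, FORCE_SUCCESS = 1, FORCE_FAIL = 2 };

static bool eq(const char *s, const char *e) { return strcmp(s, e) == 0; }
static bool has_prefix(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }
static bool has_suffix(const char *s, const char *x) {
    size_t ls = strlen(s), lx = strlen(x);
    return ls >= lx && strcmp(s + (ls - lx), x) == 0;
}
static bool any(const char *s, const char **list, size_t n,
                bool (*match)(const char *, const char *)) {
    for (size_t i = 0; i < n; i++)
        if (match(s, list[i])) return true;
    return false;
}

/* The exact whitelist is matched "with or without /private", so drop that prefix first. */
static const char *strip_private(const char *path) {
    return has_prefix(path, "/private/") ? path + strlen("/private") : path;
}

/* tsProtector 8 rule: whitelist hit -> forced success, blacklist hit -> forced failure,
 * anything else -> the real open/stat/... runs. Whitelist-first ordering is an assumption. */
enum verdict ts_classify(const char *path) {
    if (any(strip_private(path), ts_white_exact, COUNT(ts_white_exact), eq)) return FORCE_SUCCESS;
    if (any(path, ts_white_prefix, COUNT(ts_white_prefix), has_prefix))     return FORCE_SUCCESS;
    if (any(path, ts_black_exact, COUNT(ts_black_exact), eq))               return FORCE_FAIL;
    if (any(path, ts_black_prefix, COUNT(ts_black_prefix), has_prefix))     return FORCE_FAIL;
    if (any(path, ts_black_suffix, COUNT(ts_black_suffix), has_suffix))     return FORCE_FAIL;
    return PASS_THROUGH;
}

/* libJailProtect rule (section 1): fail iff a blacklist prefix matches and no whitelist
 * entry does. Both lists are abridged from the ones quoted in that section. */
static const char *jp_black_prefix[] = {
    "/Applications", "/Library", "/private", "/usr/lib", "/var/lib/cydia", "/var/stash", "/etc/apt",
};
static const char *jp_white_prefix[] = {
    "/Library/Preferences", "/Library/Managed Preferences/mobile",
    "/private/var/Managed Preferences/mobile", "/var/mobile/Library/AddressBook",
};
bool jp_should_fail(const char *path) {
    return any(path, jp_black_prefix, COUNT(jp_black_prefix), has_prefix) &&
           !any(path, jp_white_prefix, COUNT(jp_white_prefix), has_prefix);
}

int main(void) {
    /* Constructed probe paths, chosen to exercise each branch. */
    static const char *samples[] = {
        "/Applications/Cydia.app", "/private/var/mobile",
        "/var/mobile/Library/Preferences/com.apple.springboard.plist",
        "/var/mobile/Library/Preferences/com.example.app.plist",
        "/var/mobile/Documents/notes.txt", "/Library/Preferences/com.apple.foo.plist",
    };
    static const char *names[] = { "pass-through", "forced success", "forced failure" };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%-60s tsProtector: %-14s libJailProtect: %s\n", samples[i],
               names[ts_classify(samples[i])], jp_should_fail(samples[i]) ? "fail" : "pass");
    return 0;
}
```

The two sample paths under /var/mobile/Library/Preferences show why the whitelist has to be consulted first: both end in .plist, but the com.apple. prefix whitelist rescues the first one, while the second is forced to fail by the suffix rule alone.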

4. xcon analysis
① Directory structure
├── Library
│   └── MobileSubstrate
│       └── DynamicLibraries
│           ├── xCon.dylib
│           └── xCon.plist
└── var
    └── lib
        └── xcon
            ├── dlsym-deny
            ├── fstab
            ├── paths-allow
            └── paths-deny

② Loading mechanism
xCon.dylib is loaded directly. It uses MSHookFunction to hook the following system C functions:
fork/ptrace/access/connect/chdir/chflags/dlopen/dlopen_preflight/dyld_image_count/dyld_get_image_name/dlsym/execl/execle/execlp/execv/execve/execvp/execvP/fopen/fopen$DARWIN_EXTSN/fsctl/getattrlist/getenv/getxattr/link/listxattr/lstat/open/__opendir2/closedir/pathconf/popen/_proc_pidpath/readdir/readdir_r/readlink/setxattr/stat/statfs/symlink/sysctl/sysctlbyname/system
It uses MSHookFunction to hook the following C functions of third-party SDKs:
_Z26IsAppCheckerPolicyViolatedv/_Z18partitionsModifiedv/_Z16servicesModifiedv/_Z10canUseForkv/_Z19kernelStateModifiedv/_Z25devReadPermissionModifiedP8NSString/_Z15UnObfuscateTextP8NSString/_Z25checkRootPermissionAtPathPKc
It uses MSHookMessageEx to hook the following system Objective-C methods:
+[NSDictionary dictionaryWithContentsOfFile:]
-[NSDictionary initWithContentsOfFile:]
-[NSFileManager contentsAtPath:]
-[NSFileManager contentsOfDirectoryAtPath:error:]
-[NSFileManager createDirectoryAtPath:withIntermediateDirectories:attributes:error:]
-[NSFileManager fileExistsAtPath:isDirectory:]
-[NSFileManager attributesOfItemAtPath:error:]
-[NSProcessInfo environment]
-[NSString initWithContentsOfFile:usedEncoding:error:]
-[NSString initWithContentsOfFile:encoding:error:]
-[NSString writeToFile:atomically:encoding:error:]
-[UIApplication canOpenURL:]
It uses MSHookMessageEx to hook the following third-party SDK Objective-C methods:
com.good.gmmiphone -[GmmDefaults boolForKey:]
com.good.gmmiphone
+[JailbreakEnhacement init]
-[JailbreakEnhacement partitionsModified]
-[JailbreakEnhacement servicesModified]
-[JailbreakEnhacement checkFileSystemWithPath:forPermissions:]
-[JailbreakEnhacement canUseFork]
-[JailbreakEnhacement kernelStateModified]
-[JailbreakEnhacement devReadPermissionModified:]
-[JailbreakEnhacement filePermission:]
-[GmmAppCore checkCompilianceEarlyViolated]
-[GmmAppCore checkComplianceNewlyViolated]
-[GmmAppCore processJailbreakPolicy]
-[ReminderManager doComplianceCheckFailed]
-[SecurityCore dispatchOnCompilianceFail]
+[GmmDefaults secureUserDefaults]
+[GmmDefaults insecureUserDefaults]
-[GmmDefaults obfuscatedUserDefaults]
-[GmmDefaults initWithSyncEngineState:]
-[GmmDefaults initObfuscatedUserDefaults]
-[GmmDefaults objectForKey:]
-[GmmDefaults setObject:forKey:]
-[GmmDefaults setBool:forKey:]
-[GmmDefaults setInteger:forKey:]
-[GmmDefaults removeObjectForKey:]
-[GmmDefaults loadFromPath:]
-[GmmDefaults key]
-[GmmDefaults synchronize]
-[GmmDefaults resetSecureDefaults]
-[GmmDefaults storeChecksum:]
-[GmmDefaults verifyChecksum]
-[GmmDefaults lockDown]
-[GmmDefaults copyFromNSDefaults]
-[GmmDefaults upgradeContainersFromVersion:]
-[GmmDefaults syncEngineInitialized:]

③ Hook behaviour
Path blacklist:
/.fseventsd
/.cydia_no_stash
/etc/clutch.conf
/usr/bin/codesign_allocate
/var/apt
/var/log/syslog
/var/stash
/var/run/syslog
/var/run/syslog.pid
/var/tmp/cydia.log
/var/tmp/pgloader
/evasi0n7
/evasi0n7-installed
/usr/lib/pangu_xpcd.dylib
/usr/lib/pangu_xpcd.ipod.dylib
/xuanyuansword
/tmp/cydia.log
/tmp/FlipSwitchCache
/tmp/.pange93loaded
/tmp/pgloader
/tmp/pgii

Path whitelist:
/.
/.Trashes
/Applications
/System
/System/Library
/System/Library/Frameworks
/System/Library/LaunchDaemons
/Library
/Library/Ringtones
/Library/Wallpaper
/bin
/bin/launchctl
/dev
/dev/aes_0
/dev/null
/dev/urandom
/dev/random
/dev/zero
/mnt
/var
/var/mobile
/var/mobile/Library
/var/mobile/Library/Keyboard
/var/lib
/var/root
/var/run
/var/tmp
/var/spool
/var/vm
/private
/etc
/etc/hosts
/etc/passwd
/etc/asl
/etc/ppp
/etc/racoon
/etc/racoon/remote
/var
/var/mobile
/var/mobile/Library/AddressBook
/var/mobile/Library/Keyboard
/var/mobile/Library/Preferences
/var/root
/var/root/Library
/var/root/Library/Preferences
/sbin
/tmp
/usr
/usr/bin
/usr/bin/DumpBasebandCrash
/usr/bin/powerlog
/usr/bin/simulatecrash
/usr/lib
/usr/lib/system
/usr/libexec
/usr/sbin
/usr/share
/usr/share/zoneinfo
/usr/standalone

Every hook looks up the module that contains the caller address held in the lr register; the anti-jailbreak handling is only triggered when that module's path lies inside the sandbox (the app container)

The hooked fork/ptrace/fsctl functions return failure
The following hooked functions return failure when the path is outside the whitelist and inside the blacklist:
access/chdir/chflags/dlopen/dlopen_preflight/dyld_get_image_name/execl/execle/execlp/execv/execve/execvp/execvP/
fopen/getattrlist/getxattr/link/listxattr/lstat/open

The hooked connect returns failure when the port is 22 or 51022 and the IP is one of the IPv4/IPv6 loopback addresses obtained via getifaddrs
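The connect predicate just described, as an added example written for this page (it is not xCon's code): a portable C model so the rule can be exercised on a workstation. xCon takes the loopback addresses from getifaddrs(); the model compares against the fixed addresses 127.0.0.1 and ::1 instead, and probe_ports, is_loopback, xcon_blocks_connect and the make_v4/make_v6 helpers are my names. tsProtector's connect hook in section 3 is the same test restricted to 127.0.0.1 and port 22.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* The two ports the analysis lists for xCon. */
static const unsigned short probe_ports[] = { 22, 51022 };

/* True when sa is an IPv4/IPv6 loopback address; the port is returned through port_out.
 * xCon derives the loopback set from getifaddrs(); fixed 127.0.0.1 and ::1 are used here. */
static bool is_loopback(const struct sockaddr *sa, unsigned short *port_out) {
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *v4 = (const struct sockaddr_in *)sa;
        *port_out = ntohs(v4->sin_port);
        return ntohl(v4->sin_addr.s_addr) == INADDR_LOOPBACK;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *v6 = (const struct sockaddr_in6 *)sa;
        *port_out = ntohs(v6->sin6_port);
        return IN6_IS_ADDR_LOOPBACK(&v6->sin6_addr);
    }
    return false;
}

/* The predicate the connect() hook evaluates: true means the hook fails the call
 * instead of letting the app find out whether a local sshd is listening. */
bool xcon_blocks_connect(const struct sockaddr *sa) {
    unsigned short port;
    if (!is_loopback(sa, &port)) return false;
    for (size_t i = 0; i < sizeof probe_ports / sizeof *probe_ports; i++)
        if (port == probe_ports[i]) return true;
    return false;
}

/* Helpers that build constructed socket addresses for the demonstration. */
struct sockaddr_in make_v4(const char *ip, unsigned short port) {
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}
struct sockaddr_in6 make_v6(const char *ip, unsigned short port) {
    struct sockaddr_in6 a;
    memset(&a, 0, sizeof a);
    a.sin6_family = AF_INET6;
    a.sin6_port = htons(port);
    inet_pton(AF_INET6, ip, &a.sin6_addr);
    return a;
}

int main(void) {
    struct sockaddr_in  a = make_v4("127.0.0.1", 22);     /* blocked */
    struct sockaddr_in  b = make_v4("127.0.0.1", 443);    /* not a probe port */
    struct sockaddr_in  c = make_v4("10.0.0.5", 22);      /* not loopback */
    struct sockaddr_in6 d = make_v6("::1", 51022);        /* blocked */
    printf("127.0.0.1:22    blocked=%d\n", xcon_blocks_connect((const struct sockaddr *)&a));
    printf("127.0.0.1:443   blocked=%d\n", xcon_blocks_connect((const struct sockaddr *)&b));
    printf("10.0.0.5:22     blocked=%d\n", xcon_blocks_connect((const struct sockaddr *)&c));
    printf("[::1]:51022     blocked=%d\n", xcon_blocks_connect((const struct sockaddr *)&d));
    return 0;
}
```

The predicate is deliberately narrow: only loopback destinations on the two listed ports are affected, so every other connect() made by the app behaves exactly as it would without the tweak.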

The hooked getenv returns failure when DYLD_INSERT_LIBRARIES/SHELL/_MSSafeMode is requested

The hooked dlopen/open functions call through to the original (old_dlopen) when they detect the following paths:
/etc/fstab
/private/etc/fstab
/var/lib/xcon/fstab
/bjn/bbsh
The hooked dlsym returns failure when it detects the following symbol names:
MSFindSymbol
MSGetImageByName
MSHookFunction
MSHookMessage
MSHookMessageEx
SubstrateProcessCreate
SubstrateProcessRelease
SubstrateMemoryCreate
SubstrateHookMemory

The hooked lstat returns failure for the following paths:
/usr/include
/usr/arm-apple-darwin9
/var/stash/Library/Ringstones
/var/stash/Library/Wallpaper
/var/stash/usr/include
/var/stash/usr/libexec
/var/stash/usr/share

The hooked open returns failure for the following paths:
/var/tmp/fastc
/etc/ssh
/etc/ssh/sshd_config
/var/mobile/Application/*
/var/run/utmpx
/Applications/Cydia.app
/bin/bash
/bin/cat
/bin/chown
/bin/curl
/bin/diff
/bin/kill
/bin/less
/bin/su
/etc/profile
/Library/MobileSubstrate
/Library/MobileSubstrate/MobileSubstrate.dylib
/private/etc/profile
/private/var/lib
/private/var/lib/cydia
/private/var/stash
/sbin/dump
/sbin/ping
/sbin/route
/usr/bin/curl
/usr/bin/diff
/usr/bin/ftp
/usr/bin/gdb
/usr/bin/less
/usr/bin/say
/usr/bin/scp
/usr/bin/tty
/usr/bin/rar
/usr/bin/wget
/usr/lib/apt
/usr/lib/libform.dylib
/usr/lib/libcurl.la
/usr/lib/libmenu.dylib
/usr/lib/libopcodes.a
/usr/lib/libuuid.la
/usr/lib/libxml2.la
/usr/lib/ssl
/usr/local
/usr/local/lib/libtop.a
/usr/local/lib
/var/evasi0n
/var/lib
/var/lib/apt
/var/lib/cache
/var/lib/mobile

The hooked dlopen returns failure when it detects the following bundle ids:
jp.co.appdisco.AdLatte
com.pv.TWBB
com.digion.DiXiM-Digital-TV
jp.sammy-net.
com.ichikaku.
jp.naver.
com.linecorp.
de.j-gessner.

5. breakthrough analysis
① Directory structure
└── Library
    ├── BreakThrough
    │   └── SupportFiles
    │       ├── %empty
    │       ├── etc%fstab
    │       └── etc%fpasswd
    └── MobileSubstrate
        └── DynamicLibraries
            ├── !!!!_BreakThrough.dylib
            ├── !!!!_BreakThrough.plist
            ├── zzzz_BreakThrough.dylib
            └── zzzz_BreakThrough.plist

② Loading mechanism
!!!!_BreakThrough.dylib loads zzzz_BreakThrough.dylib; the hook logic lives in zzzz_BreakThrough.dylib and uses MSHookMessageEx/MSHookFunction

③ Hook behaviour
Whitelist:
/Applications
/Library/Ringtones
/Library/Wallpaper
/usr/libexec
/usr/share
/usr/include
/usr/arm-apple-darwin9

Blacklist prefixes:
/etc/fstab
/var/tmp/fastc
/etc/ssh
/etc/ssh/sshd_config
/var/mobile/Applications
/var/run/utmpx
/Applications
/Applications/Absinthe.app
/Applications/AdSheet.app
/Applications/Activator.app
/Applications/blackra1n.app
/Applications/blacksn0w.app
/Applications/Cycorder.app
/Applications/Cydia.app
/Applications/Cydia.app/Info.plist
/Applications/Cydia.app/../Cydia.app
/Applications/Cydia.app/../Cydia.app/Info.plist
/Applications/FakeCarrier.app
/Applications/greenpois0n.app
/Applications/iProtect.app
/Applications/iRealSMS.app
/Applications/Jailbreakme.app
/Applications/Icy.app
/Applications/Installous.app
/Applications/IntelliScreen.app
/Applications/Iny.app
/Applications/limera1n.app
/Applications/MxTube.app
/Application/Preferences.app/General.plist
/Applications/RockApp.app
/Applications/SBSettings.app
/Applications/Seas0nPass.app
/Applications/ultrasn0w.app
/Applications/urus.app
/Applications/WinterBoard.app
/bin/apt
/bin/bash
/bin/bunzip2
/bin/cat
/bin/chown
/bin/curl
/bin/diff
/bin/kill
/bin/less
/bin/ls
/bin/sh
/bin/su
/etc/apt
/etc/profile
/etc/ssh
/etc/ssh/sshd_config
/etc/fstab (forged)
/etc/passwd (forged)
/Library/Activator
/Library/BreakThrough
/Library/BreakThrough/SupportFiles
/Library/LaunchDaemons/com.openssh.sshd.plist
/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/Library/MobileSubstrate
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/!!!!_BreakThrough.dylib
/Library/MobileSubstrate/DynamicLibraries/!!!!_BreakThrough.plist
/Library/MobileSubstrate/DynamicLibraries/xCon.dylib
/Library/MobileSubstrate/DynamicLibraries/xCon.plist
/Library/MobileSubstrate/DynamicLibraries/zzzz_BreakThrough.dylib
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/Activator.plist
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/DynamicLibraries/SBSettings.dylib
/Library/MobileSubstrate/DynamicLibraries/SBSettings.plist
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/Library/MobileSubstrate/DynamicLibraries/xCon.dylib
/Library/MobileSubstrate/DynamicLibraries/!!!!BreakThrough.dylib
/Library/MobileSubstrate/DynamicLibraries/zzzz_BreakThrough.dylib
/Library/PreferenceLoader/Preferences/LibActivator.plist
/private/etc/profile
/private/var/lib
/private/var/lib/apt
/private/var/lib/cydia
/private/var/lib/dpkg/info/net.sident.rio.ios.breakthrough.list
/private/var/lib/dpkg/info/net.sident.rio.ios.breakthrough.postinst
/private/var/lib/dpkg/info/net.sident.rio.ios.breakthrough.postrm
/private/var/lib/dpkg/info/io.pangu.axe7.list
/private/var/lib/dpkg/info/io.pangu.axe7.prerm
/private/var/lib/dpkg/info/io.pangu.fuxiqin9.list
/private/var/lib/dpkg/info/io.pangu.fuxiqin9.prerm
/private/var/lib/dpkg/info/taiguntether83x.extrainst

/private/var/lib/dpkg/info/taiguntether83x.list
/private/var/lib/dpkg/info/taiguntether83x.preinst
/private/var/lib/dpkg/info/taiguntether83x.prerm
/private/var/mobile/Library/SBSettings/Themes
/private/var/mobile/Media/panguaxe.installed
/private/var/root/Media
/private/var/stash
/private/var/tmp/cydia.log
/sbin/dump
/sbin/ping
/sbin/route
/usr/arm-apple-darwin9
/usr/bin/curl
/usr/bin/diff
/usr/bin/ftp
/usr/bin/gdb
/usr/bin/less
/usr/bin/say
/usr/bin/scp
/usr/bin/sshd
/usr/bin/tty
/usr/bin/xar
/usr/bin/wget
/usr/include
/usr/sbin/sshd
/usr/lib/apt
/usr/lib/libactivator.dylib
/usr/lib/libform.dylib
/usr/lib/libcurl.la
/usr/lib/libmenu.dylib
/usr/lib/libopcodes.a
/usr/lib/libuuid.la
/usr/lib/libxml2.la
/usr/lib/ssl
/usr/libexec/cydia
/usr/libexec/sftp-server
/usr/libexec/ssh-keysign
/usr/local
/usr/local/lib/libtopo.a
/usr/local/lib
/var/cache/apt
/var/evasi0n
/var/lib
/var/lib/apt
/var/lib/cache
/var/lib/cydia
/var/lib/mobile
/var/lib/xcon
/var/log/syslog
/User
/boot
/lib
/mnt
/panguaxe
/panguaxe.installed
/guntether
/taig
/taig/taig
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/io.pangu.axe.untether.plist

The following hooked methods fail when the URL is file://localhost/Library/MobileSubstrate/DynamicLibraries/xCon.dylib:
[NSData dataWithContentsOfURL:]
[NSString dataWithContentsOfURL:]
The following hooked methods fail when the file is /Library/MobileSubstrate/DynamicLibraries/xCon.dylib:
[NSData initWithContentsOfFile:]
[NSString initWithContentsOfFile:]
The hooked [NSFileManager contentsOfDirectoryAtPath:error:] handles paths as follows:
For /Applications the whitelist is:
./../AdSheet.app/AppStore.app/Calculator.app/Camera.app/Compass.app/Contacts~iphone.app/MobileCal.app/
DDActionsService.app/DemoApp.app/FacebookAccountMigrationDialog.app/FieldTest.app/MobileMail.app/
Game Center~iphone.app/GameCenterUIService.app/MailCompositionService.app/Maps.app/MobileNotes.app/
MessagesViewService.app/MobilePhone.app/MobileSMS.app/MobileSafari.app/MobileSlideShow.app/Nike.app/
MobileStore.app/MobileTimer.app/Music~iphone.app/Preferences.app/Reminders.app/Setup.ap/Shoebox.app/
ShoeboxUIService.app/SocialUIService.app/Stocks.app/StoreKitUIService.app/TrustMe.app/Utilities/Videos.app/
VoiceMemos.app/Weather.app/Web.app/WebSheet.app/WebViewService.app/WhatsNew.app/iAdOptOut.app/
iOS Diagnostics.app/iPodOut.app/kbd.app/quicklookd.app
/var/mobile/Applications/ is accessed normally; subdirectories that are not container directories return an empty result
Blacklisted paths return an empty result
/private/var/root and /var/root are forced to the result Library
/usr/bin is forced to the result DumpBasebandCrash/powerlog/simulatecrash
/usr/lib is forced to the result dyld/libexslt.dylib/libIOKit.A.dylib/libIOKit.dylib/libMatch.dylib/StandardDMCFiles/system
/System/Library is forced to the result AccessibilityBundles/AccessoryUpdaterBundles/Accounts/ApplePTP/AppleUSBDevice/Audio/
Backup/BulletinBoardPlugins/Caches/Carrier Bundles/CoreServices/DataClassMigrators/DeviceOMatic/Extensions/
Filessystems/Fonts/fps/Frameworks/HIDPlugins/Internet Plug-Ins/KeyboardLayouts/LaunchDaemons/
LinguisticData/LocationBundles/Lockdown/MediaCapture/Messages/Obliteration/PreferenceBundles/
PreinstalledAssets/PrivateFrameworks/PublishingBundles/RegionFeatures/ScreenReader/SearchBundles/
SetupAssistantBundles/SocialServices/Spotlight/SpringBoardPlugins/SyncBundles/SystemConfiguration/TextInput/
UserEventPlugins/VideoDecoders/VideoProcessors/VoiceServices/Watchdog/WeeAppPlugins
For /tmp the whitelist is:
./../L65ancd.sock/L65d.sock/MediaCache/RestoreFromBackupLock/SpringBoard_reboot_flag/abm_csd/
com.apple.audio.hogmode.plist/com.apple.tccd/com.apple.timed.plist/csilock/launchd/libETL.log/log-bb-
The hooked [UIApplication canOpenURL:] checks for the schemes cydia/ifile/Cydia/Icy/
The hooked open/symlink/stat/opendir/realpath$DARWIN_EXTSN/fopen/access and the following Objective-C methods check against the detection points listed above:
[NSFileManager fileExistsAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSFileManager destinationOfSymbolicLinkAtPath:error:]
[NSFileManager isReadableFileAtPath:]
[NSFileManager subpathsOfDirectoryAtPath:error:]
The hooked connect returns failure when the IP is 127.0.0.1
The hooked readlink returns failure for the following paths:
/Applications /User
The hooked dladdr returns normal values when it detects the following methods:
[NSFileManager fileExistsAtPath:]
[NSFileManager isReadableFileAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSString initWithContentsOfFile:encoding:error:]
[NSData initWithContentsOfURL:options:error:]
The hooked getenv/[NSProcessInfo environment] return failure when DYLD_INSERT_LIBRARIES/DYLD_PRINT_LIBRARIES/_MSSafeMode is requested
The hooked readdir:
when the current directory is '/' and the entry is one of ./../.Trashes/.file/Applications/Developer/Library/System/bin/cores/dev/etc/private/sbin/tmp/usr/var, it is passed through
when the current directory is /private/var/stash/Applications, private/var/stash/, /Applications or /private/var/db/stash/ and the entry is not one of the following directories, it returns failure:
./../AdSheet.app/AppStore.app/Calculator.app/Camera.app/Compass.app/Contacts~iphone.app/MobileCal.app/
DDActionsService.app/DemoApp.app/FacebookAccountMigrationDialog.app/FieldTest.app/MobileMail.app/
Game Center~iphone.app/GameCenterUIService.app/MailCompositionService.app/Maps.app/MobileNotes.app/
MessagesViewService.app/MobilePhone.app/MobileSMS.app/MobileSafari.app/MobileSlideShow.app/Nike.app/
MobileStore.app/MobileTimer.app/Music~iphone.app/Preferences.app/Reminders.app/Setup.ap/Shoebox.app/
ShoeboxUIService.app/SocialUIService.app/Stocks.app/StoreKitUIService.app/TrustMe.app/Utilities/Videos.app/
VoiceMemos.app/Weather.app/Web.app/WebSheet.app/WebViewService.app/WhatsNew.app/iAdOptOut.app/
iOS Diagnostics.app/iPodOut.app/kbd.app/quicklookd.app
when the current directory is /Library and the entry is not one of the following directories, it returns failure
The hooked system returns 0
The hooked fork returns -1
The hooked dlopen checks the following paths:
/Library/MobileSubstrate/DynamicLibraries/tsProtector.dylib
/Library/MobileSubstrate/DynamicLibraries/tsProtector 8.dylib
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/xCon.dylib
The hooked dlsym checks for MSHookFunction
The hooked _dyld_register_func_for_add_image checks for the following in its callback:
/Library/MobileSubstrate/MobileSubstrate.dylib
/private/var/mobile/Containers/Bundle/Application/
/Library/MobileSubstrate/
/Library/Frameworks/CydiaSubstrate.framework/
/usr/lib/libsubstrate.dylib
The hooked _dyld_image_count checks the following paths:
/Library/MobileSubstrate/DynamicLibraries/xCon.dylib
/Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLoader.dylib
/usr/lib/libsubstrate.dylib
/Library/MobileSubstrate/MobileSubstrate.dylib
/usr/lib/libobjc.A.dylib
/Library/MobileSubstrate/DynamicLibraries/~~~~~~~~Stakeout.dylib
/MobileSubstrate.dylib
/Multifl0w.dylib
/SubstrateLoader.dylib
/DreamBoard.dylib
/Unrestrictor3G.dylib
/fakecarrier.dylib
/WinterBoard.dylib
/xCon.dylib
/SBSettings.dylib
/SubstrateLoader.dylib
The hooked dyld_get_image_name checks the following paths:
BreakThrough.dylib
DreamBoard.dylib
fakecarrier.dylib
/Library/Frameworks/CydiaSubstrate.framework/
/Library/MobileSubstrate/
/Library/MobileSubstrate/MobileSubstrate.dylib
MobileSafety.dylib
MobileSubstrate.dylib
Multifl0w.dylib
SBSettings.dylib
SubstrateLoader.dylib
tsProtector.dylib
Unrestrictor3G.dylib
WinterBoard.dylib
xCon.dylib
!!!!_BreakThrough_8.dylib
zzzz_BreakThrough_8.dylib
The hooked syscall is handled as follows:
number=open: returns -1
number=symlink: returns failure when the path is /etc/ssh or /etc/ssh/sshd_config
number=sysctl: when the command is KERN_PROC, handled the same as the sysctl hook
The hooked sysctl is handled as follows:
KERN_PROC_PID: strips P_TRACED/P_DISABLE_ASLR from p_flag (anti-anti-debugging)
KERN_PROC_ALL: when the process name p_comm is one of the following, each is handled as listed
p_pid==getpid(): strips P_TRACED/P_DISABLE_ASLR/P_NOREMOTEHANG from p_flag
AlphaPlayer: strips P_TRACED/P_DISABLE_ASLR/P_NOREMOTEHANG from p_flag
sshd: skipped
sandboxd/MobileStorageMou/CommCenterMobile/MobilePhone/MobileMail/spd/timed/lsd/vsassetd/security/
itunesstored/misd/lockbot/installd/SpringBoard/xxxx-launchproxy/notification_pro/syslog_relay/DTPower/ptpd/
CommCenterClassi/geod/softwareupdatese/networkd/notifyd/aosnotifyd/BTServer/aggregated/apsd/configd/
dataaccessd/fairplayd.N90/fseventsd/iapd/imagent/location/mDNSResponder/mediaremoted/mediaserverd/
lockdownd/powerd/wifid/UserEventAgent/launchd/kernel_task/TVSideView: handled normally
The following hooked functions return failure:
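As an added example (not taken from the original analysis nor from any of the plugins it describes), the following Python models the KERN_PROC_PID / KERN_PROC_ALL post-processing just listed over a constructed process table, and shows what an app's own sysctl-based checks (a P_TRACED test on itself, a search for sshd) observe before and after that processing. The p_flag bit values are assumed from XNU's sys/proc.h, and the process names, pids and the PASSTHROUGH subset are constructed for the example:

```python
# Added example: model of the sysctl KERN_PROC hook behaviour described on the page.
# Flag values assumed from XNU sys/proc.h; process table below is constructed.
from dataclasses import dataclass, replace
from typing import List

P_TRACED = 0x00000800        # assumed value, XNU sys/proc.h
P_DISABLE_ASLR = 0x00001000  # assumed value, XNU sys/proc.h
P_NOREMOTEHANG = 0x08000000  # assumed value, XNU sys/proc.h

# Bits stripped for the caller's own process and for AlphaPlayer under KERN_PROC_ALL
STRIP_ALL = P_TRACED | P_DISABLE_ASLR | P_NOREMOTEHANG
# Bits stripped under KERN_PROC_PID (the page lists only these two)
STRIP_PID = P_TRACED | P_DISABLE_ASLR


@dataclass(frozen=True)
class KInfoProc:
    """Minimal stand-in for the kinfo_proc fields the hook inspects."""
    p_pid: int
    p_comm: str
    p_flag: int


def filter_kern_proc_pid(proc: KInfoProc) -> KInfoProc:
    """KERN_PROC_PID handling: hide traced / ASLR-disabled state of the queried process."""
    return replace(proc, p_flag=proc.p_flag & ~STRIP_PID)


def filter_kern_proc_all(procs: List[KInfoProc], own_pid: int) -> List[KInfoProc]:
    """KERN_PROC_ALL handling: drop sshd, scrub own process and AlphaPlayer, pass the rest."""
    out = []
    for p in procs:
        if p.p_comm == "sshd":
            continue                                  # skipped: entry vanishes from the list
        if p.p_pid == own_pid or p.p_comm == "AlphaPlayer":
            out.append(replace(p, p_flag=p.p_flag & ~STRIP_ALL))
            continue
        out.append(p)                                 # everything else is handled normally
    return out


# --- the checks an app might implement on top of sysctl output ---------------
def app_thinks_debugged(self_info: KInfoProc) -> bool:
    return bool(self_info.p_flag & P_TRACED)


def app_sees_sshd(procs: List[KInfoProc]) -> bool:
    return any(p.p_comm == "sshd" for p in procs)


# Constructed process table (pids and names are made up for the example)
OWN_PID = 4242
SAMPLE_TABLE = [
    KInfoProc(1, "launchd", 0),
    KInfoProc(77, "sshd", 0),
    KInfoProc(OWN_PID, "ExampleApp", P_TRACED | P_DISABLE_ASLR | P_NOREMOTEHANG),
    KInfoProc(500, "AlphaPlayer", P_TRACED),
    KInfoProc(501, "SpringBoard", 0),
]


def demo():
    """Return (before, after) views of the app's checks around the hook."""
    own = next(p for p in SAMPLE_TABLE if p.p_pid == OWN_PID)
    before = {"debugged": app_thinks_debugged(own), "sshd": app_sees_sshd(SAMPLE_TABLE)}
    hooked = filter_kern_proc_all(SAMPLE_TABLE, OWN_PID)
    own_hooked = next(p for p in hooked if p.p_pid == OWN_PID)
    after = {"debugged": app_thinks_debugged(own_hooked), "sshd": app_sees_sshd(hooked)}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that both checks consume data returned by an in-process libc call, and the tweak rewrites exactly that data, so a jailbreak or debugger check that rests on sysctl output alone reports whatever the tweak chooses; treat such client-side signals as low confidence and corroborate them out of process.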
[LineGameSDK checkJailBreak]
[JBDetection isJailbroken]
[AlpsPlayerRootedCheckUtil isJailbreak]
[AccessPrivilege_objc checkMe]
[AccessPrivilege_objc checkMe2:]
[AccessPrivilege_objc checkMe3:]
[CARCheck isJailbreak]
[CZDevice isJailbroken]
[DeviceUtil isJeilBroken]
[Litmus CheckJailBreak]
[AdChecker isJailBroken]
[ANSMetadata isJailbroken]
[DeckFlag SET_Flag:]
[CMNSecurityManager isRootDetected]
[CMNSecurityManager setRootDetected]
[MobileAPI isJailbroken]
[JBBuster cydiaDiscovery]
[JBBuster cydiaschemeDiscovery]
[JBBuster env]
[JBBuster icon]
[JBBuster identifier]
[JBBuster ls]
[JBBuster mkfile]
[JBBuster shtest]
[JBBuster isJailBreak]
The hooked [NSString writeToFile:atomically:encoding:error:] returns failure when it detects the following paths:
/private/var/mobile/Application
/private/var/mobile/Containers

App types:
00 jp.sammy-net.appstore.ip0002
02 com.ibm.
03 com.exys2008. *
04 jp.co.caadv.
05 jp.sammy-net.
06 net.appbank.
07 jp.uula.
08 jp.wowow.
09 com.squareup.square
0A com.panasonic.jp.wisdomviewer
0B com.paypal.here
0D jp.co.capcom.
0E com.ichikaku.
0F jp.co.nttdocomo.danimestore
10 com.PIXELA.
11 com.digion.
12 com.wb.
13 xcom.stampgetter.
14 com.chuchucoin
15 jp.flup.
16 jp.co.appdisco.
17 jp.co.dpcorp.
18 Presentnow
19 com.entrust.
1A com.air-watch.
1B com.zenprise.
1D jp.co.delight.
1E com.glu.
1F com.rovio.
20 com.unigame.iphone.
21 jp.co.cybird.
22 com.skype.
23 jp.co.alpha.
24 jp.co.craftegg.monpuz
25 com.enterproid.
26 jp.co.rakuten.
27 jp.co.dcgl.
28 jp.chance-bunny
29 jp.co.d2cr.
2A cm.mucho
2B jp.co.bandainamcogames.
2C jp.co.cyberagent.
2D jp.yomecolle
2E kr.co.lockjoy.
2F com.mjack
31 V5CQX55X69.jp.co.jcom.xvie.live
32 jp.co.fukuokabank.securestarter
33 jp.co.mizuhobank.
34 jp.aeria.
35 Yournet.
36 com.panasonic.
37 net.oratta.
38 com.gamevil.
39 jp.co.tmemo.
3A jp.colopl.
3B com.gameloft.
3C com.nagasebros.
3D jp.co.sony.
3E jp.lifemaker.
3F com.google.ingres com.nianticlabs.
40 net.adways.
41 aprich.sakura.ne.jp
42 jp.co.cygames.OreillyCollection
43 jp.co.smbc.smotp
44 com.nhnent.
45 kr.co.vcnc
46 com.google.Movies
47 jp.gungho.
48 de.j-gessner.
49 com.aniplex.
4B com.kddi.
4C jp.mufg.bk.mymoney.01
4E com.cachatto.
4F com.dazn.
50 com.nintendo.
51 us.zoom.

6. AWZ analysis

Blacklist:
/Applications/Cydia.app
/private/var/stash
/Applications/blackra1n.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSetttings.app
/Applications/WinterBoard.app
/private/var/tmp/cydia.log
/usr/bin/sshd
/usr/sbin/sshd
/usr/libexec/sftp-server
/Systetem/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cy@dia.Startup.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/var/log/syslog
/bin/bash
/bin/sh
/etc/ssh/sshd_config
/usr/libexec/ssh-keysign
/private/var/lib/apt/
/private/var/lib/cydia/
/private/var/mobileLibrary/SBSettingsThemes/
/private/var/stash/
/usr/libexec/cydia/
/var/cache/apt/
/var/lib/apt/
/var/lib/cydia/
/var/log/syslog
/bin/bash
/bin/sh
/etc/apt/
/etc/ssh/sshd_config
/usr/libexec/ssh-keysign
/var/stash/Library/Ringtones
/var/stash/Library/Wallpaper
/var/stash/usr/include
/var/stash/usr/libexec
/var/stash/usr/share
/var/stash/usr/arm-apple-darwin9
/etc/apt
/usr/bin/ssh
/usr/bin/sh
/System/Library
/private/var/mobile
/usr/share/langid

The following hooked functions return failure when the path is detected to be on the blacklist:
lstat/fopen/stat/access
[NSFileManager fileExistsAtPath:]
[NSFileManager fileExistsAtPath:isDirectory:]
[NSFileManager isReadableFileAtPath:]
[NSFileManager isWritableFileAtPath:]
[NSFileManager isExecutableFileAtPath:]
[NSFileManager isDeleteableFileAtPath:]

