iOS防重簽名

背景:

我們的app發(fā)布后,有可能給別人砸殼然后進(jìn)行重簽名。為了加強(qiáng)安全性,我們現(xiàn)在對app進(jìn)行防重簽名的防護(hù)。接下來我們一起探討一下如何防止別人重簽名我們的app。
本文防重簽名的方法是先從embedded.mobileprovision讀取自己app的com.apple.developer.team-identifier中的證明組織單位TeamId,然后在app啟動(dòng)時(shí)檢測當(dāng)前app的這個(gè)信息與原來的是否相同,不同則閃退(當(dāng)然我們也可以記錄下用戶行為,把當(dāng)前收集用戶的相關(guān)信息上報(bào)到服務(wù)器,然后再?zèng)Q定如何處理)。

技術(shù)要點(diǎn):

1.關(guān)鍵字符串用函數(shù)替換,達(dá)到在二進(jìn)制文件中查看不到的效果;
2.關(guān)鍵函數(shù)名用C語言寫,這樣用Class-dump等工具查不出函數(shù)名;
3.閃退的代碼用匯編寫,這樣在編譯后的二進(jìn)制文件中找不到exit的關(guān)鍵字
4.關(guān)鍵函數(shù)名用不規(guī)則字符串替換,達(dá)到混淆效果,別人更難破解(慎用,上架可能被拒)

如何實(shí)現(xiàn)

1.先查看一下當(dāng)前app的查看證明組織單位,在本地的證書中可以查看,如下圖:


image.png

或者進(jìn)入.app的包內(nèi)容,查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision 找到<key>com.apple.developer.team-identifier</key>的value的就是(即<NSString>與</NSString>中間那一串字符)

image.png

2.利用簽名信息進(jìn)行重簽名防護(hù),以下方法是檢測當(dāng)前從com.apple.developer.team-identifier的Teamid與上面我們查出的Teamid是否相同,不同則調(diào)用匯編執(zhí)行exit(0),用subStr1()返回字符串替換embedde等

void  checkCodesign(NSString *teamId){
    // 描述文件路徑
    NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"];
    // 讀取com.apple.developer.team-identifier  注意描述文件的編碼要使用:NSASCIIStringEncoding
    NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
    NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
    
    for (int i = 0; i < embeddedProvisioningLines.count; i++) {
        if ([embeddedProvisioningLines[i] rangeOfString:@"com.apple.developer.team-identifier"].location != NSNotFound) {
            
            NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
            
            NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
            
            NSRange range;
            range.location = fromPosition;
            range.length = toPosition - fromPosition;
            
            NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
            //NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
          //  NSString *appIdentifier = [identifierComponents firstObject];
       
            // 對比簽名ID
            if (![fullIdentifier isEqual:teamId]) {
                //以下等于exit(0)
                asm(
                    "mov X0,#0\n"
                    "mov w16,#1\n"
                    "svc #0x80"
                    );
            }
            break;
        }
    }
}

3.以上方法雖然能達(dá)到防止重簽名的效果,但是通過hopper,能夠查到相關(guān)的一些 信息,這樣別人能通過fishhook等方法繞過這個(gè)防護(hù)。


image.png

4.為了加強(qiáng)安全性,我們對以上的幾個(gè)關(guān)鍵的字符串進(jìn)行了隱藏,比如函數(shù)checkCodesign()改為safeStringHandle(),用subStr3()返回字符串替換application-identifier等等,從而達(dá)到讓人誤以為這個(gè)方法是在對字符串處理

//
//  aaasss.m
//  noResign
//
//  Created by caizhongtao on 2019/12/18.
//  Copyright ? 2019 admin. All rights reserved.
//

#import "StringExtenHandle.h"

@implementation StringExtenHandleClass

+(void)load{
    NSLog(@"******************* FrameWork load ****************");
    safeStringHandle();
}


//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字條串)
#define Str_Key 0xAD
//把字符串3748LX2W73變成函數(shù)隱藏原來的字符串
//以下實(shí)際返回3748LX2W73
//23P8M9VEK5
static NSString *subStr4(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^ '2'),
        (Str_Key ^'3'),
        (Str_Key ^'P'),
        (Str_Key ^'8'),
        (Str_Key ^'M'),
        (Str_Key ^'9'),
        (Str_Key ^'V'),
        (Str_Key ^'E'),
        (Str_Key ^'K'),
        (Str_Key ^'5'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回 embedded
static NSString *subStr1(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'e'),
        (Str_Key ^'m'),
        (Str_Key ^'b'),
        (Str_Key ^'e'),
        (Str_Key ^'d'),
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'d'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回 mobileprovision
static NSString *subStr2(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'m'),
        (Str_Key ^'o'),
        (Str_Key ^'b'),
        (Str_Key ^'i'),
        (Str_Key ^'l'),
        (Str_Key ^'e'),
        (Str_Key ^'p'),
        (Str_Key ^'r'),
        (Str_Key ^'o'),
        (Str_Key ^'v'),
        (Str_Key ^'i'),
        (Str_Key ^'s'),
        (Str_Key ^'i'),
        (Str_Key ^'o'),
        (Str_Key ^'n'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}


//以下實(shí)際返回  application-identifier
static NSString *subStr5(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'a'),
        (Str_Key ^'p'),
        (Str_Key ^'p'),
        (Str_Key ^'l'),
        (Str_Key ^'i'),
        (Str_Key ^'c'),
        (Str_Key ^'a'),
        (Str_Key ^'t'),
        (Str_Key ^'i'),
        (Str_Key ^'o'),
        (Str_Key ^'n'),
        (Str_Key ^'-'),
        (Str_Key ^'i'),
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'n'),
        (Str_Key ^'t'),
        (Str_Key ^'i'),
        (Str_Key ^'f'),
        (Str_Key ^'i'),
        (Str_Key ^'e'),
        (Str_Key ^'r'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回  //com.apple.developer.team-identifier
static NSString *subStr3(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'c'),
        (Str_Key ^'o'),
        (Str_Key ^'m'),
        (Str_Key ^'.'),
        (Str_Key ^'a'),
        (Str_Key ^'p'),
        (Str_Key ^'p'),
        (Str_Key ^'l'),
        (Str_Key ^'e'),
        (Str_Key ^'.'),
        
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'v'),
        (Str_Key ^'e'),
        (Str_Key ^'l'),
        (Str_Key ^'o'),
        (Str_Key ^'p'),
        (Str_Key ^'e'),
        (Str_Key ^'r'),
        (Str_Key ^'.'),
        
        (Str_Key ^'t'),
        (Str_Key ^'e'),
        (Str_Key ^'a'),
        (Str_Key ^'m'),

        
        (Str_Key ^'-'),
        (Str_Key ^'i'),
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'n'),
        (Str_Key ^'t'),
        (Str_Key ^'i'),
        (Str_Key ^'f'),
        (Str_Key ^'i'),
        (Str_Key ^'e'),
        (Str_Key ^'r'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}


//以下函數(shù)名實(shí)為checkCodesign(),但為了安全故意偽裝成字符串處理函數(shù)
void   safeStringHandle(void){
    // 描述文件路徑
    NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
    // 讀取application-identifier  注意描述文件的編碼要使用:NSASCIIStringEncoding
    NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
    NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];

    for (int i = 0; i < embeddedProvisioningLines.count; i++) {
        if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {

            NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;

            NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;

            NSRange range;
            range.location = fromPosition;
            range.length = toPosition - fromPosition;

            NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
//            NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
//            NSString *appIdentifier = [identifierComponents firstObject];

            // 對比簽名ID
            if (![fullIdentifier isEqual:subStr4()]) {
                //exit(0)
            #ifdef __arm64__
                asm volatile(
                    "mov X0,#0\n"
                    "mov x16,#1\n"
                    "svc #0x80"
                    );
            #endif

            #ifdef __arm__
                asm volatile(
                    "mov r0,#0\n"
                    "mov r12,#1\n"
                    "svc #80"
                    );
            #endif
            }
            break;
        }
    }
}
@end

效果如下:


image.png

5.為了進(jìn)一步加強(qiáng)安全性,我們也可以對以上幾個(gè)重要的方法名進(jìn)行重命名為不規(guī)則的名字,此方法用的是預(yù)編譯的頭文件。在編譯的過程會(huì)把我們自己的函數(shù)轉(zhuǎn)換成不規(guī)則的字符串,在編譯后的二進(jìn)制文件中就看不到我們原來的函數(shù)。(注:有網(wǎng)友提醒這種方法名混淆有可能審核不通過,所以這種頭文件混淆請大家結(jié)合實(shí)際使用)

#ifndef PrefixHeader_pch
#define PrefixHeader_pch

#define   StringExtenHandleClass dedfsdE3Fjytlks
#define   safeStringHandle    dijSD9fojdfksjzDSdf
#define   subStr1        gsrjzs684zfgjt5afsFse
#define   subStr2        hFtw4ef5u57zvSgDSf
#define   subStr3        sGEW546UTRdewghfUJ6U65
#define   subStr4        ftkuyy45gkyghdd43tr

#endif /* PrefixHeader_pch */

//====================================================

#import "StringExtenHandle.h"

@implementation StringExtenHandleClass
//查看embedded.mobileprovision信息security cms -D -i embedded.mobileprovision
//找到<key>application-identifier</key>的value的第一部分(即.com 前面的字條串)
#define Str_Key 0xAD
//把字符串3748LX2W73變成函數(shù)隱藏原來的字符串
//以下實(shí)際返回3748LX2W75
static NSString *subStr4(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^ '3'),
        (Str_Key ^'7'),
        (Str_Key ^'4'),
        (Str_Key ^'8'),
        (Str_Key ^'L'),
        (Str_Key ^'X'),
        (Str_Key ^'2'),
        (Str_Key ^'W'),
        (Str_Key ^'7'),
        (Str_Key ^'5'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回 embedded
static NSString *subStr1(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'e'),
        (Str_Key ^'m'),
        (Str_Key ^'b'),
        (Str_Key ^'e'),
        (Str_Key ^'d'),
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'d'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回 mobileprovision
static NSString *subStr2(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'m'),
        (Str_Key ^'o'),
        (Str_Key ^'b'),
        (Str_Key ^'i'),
        (Str_Key ^'l'),
        (Str_Key ^'e'),
        (Str_Key ^'p'),
        (Str_Key ^'r'),
        (Str_Key ^'o'),
        (Str_Key ^'v'),
        (Str_Key ^'i'),
        (Str_Key ^'s'),
        (Str_Key ^'i'),
        (Str_Key ^'o'),
        (Str_Key ^'n'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}

//以下實(shí)際返回  //com.apple.developer.team-identifier
static NSString *subStr3(){
    unsigned char key[] = {//用異或^運(yùn)算進(jìn)行加密
        (Str_Key ^'c'),
        (Str_Key ^'o'),
        (Str_Key ^'m'),
        (Str_Key ^'.'),
        (Str_Key ^'a'),
        (Str_Key ^'p'),
        (Str_Key ^'p'),
        (Str_Key ^'l'),
        (Str_Key ^'e'),
        (Str_Key ^'.'),
        
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'v'),
        (Str_Key ^'e'),
        (Str_Key ^'l'),
        (Str_Key ^'o'),
        (Str_Key ^'p'),
        (Str_Key ^'e'),
        (Str_Key ^'r'),
        (Str_Key ^'.'),
        
        (Str_Key ^'t'),
        (Str_Key ^'e'),
        (Str_Key ^'a'),
        (Str_Key ^'m'),

        
        (Str_Key ^'-'),
        (Str_Key ^'i'),
        (Str_Key ^'d'),
        (Str_Key ^'e'),
        (Str_Key ^'n'),
        (Str_Key ^'t'),
        (Str_Key ^'i'),
        (Str_Key ^'f'),
        (Str_Key ^'i'),
        (Str_Key ^'e'),
        (Str_Key ^'r'),
        (Str_Key ^'\0'),
    };
    
    //用異或^運(yùn)算進(jìn)行解密
    unsigned char *p = key;
    while (((*p) ^= Str_Key) != '\0') {
        p++;
    };
    
    return [NSString stringWithUTF8String:(const char *)key];
}


//以下函數(shù)名實(shí)為checkCodesign(),但為了安全故意偽裝成字符串處理函數(shù)
void   safeStringHandle(){
    // 描述文件路徑
    NSString *embeddedPath = [[NSBundle mainBundle] pathForResource:subStr1() ofType:subStr2()];
    // 讀取application-identifier  注意描述文件的編碼要使用:NSASCIIStringEncoding
    NSString *embeddedProvisioning = [NSString stringWithContentsOfFile:embeddedPath encoding:NSASCIIStringEncoding error:nil];
    NSArray *embeddedProvisioningLines = [embeddedProvisioning componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
    
    for (int i = 0; i < embeddedProvisioningLines.count; i++) {
        if ([embeddedProvisioningLines[i] rangeOfString:subStr3()].location != NSNotFound) {
            
            NSInteger fromPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"<string>"].location+8;
            
            NSInteger toPosition = [embeddedProvisioningLines[i+1] rangeOfString:@"</string>"].location;
            
            NSRange range;
            range.location = fromPosition;
            range.length = toPosition - fromPosition;
            
            NSString *fullIdentifier = [embeddedProvisioningLines[i+1] substringWithRange:range];
            NSArray *identifierComponents = [fullIdentifier componentsSeparatedByString:@"."];
            NSString *appIdentifier = [identifierComponents firstObject];
            
            // 對比簽名ID
            if (![appIdentifier isEqual:subStr4()]) {
                   //exit(0)
            #ifdef __arm64__
                asm volatile(
                    "mov X0,#0\n"
                    "mov x16,#1\n"
                    "svc #0x80"
                    );
            #endif

            #ifdef __arm__
                asm volatile(
                    "mov r0,#0\n"
                    "mov r12,#1\n"
                    "svc #80"
                    );
            #endif
            }
            break;
        }
    }
}
@end

(特別注意:創(chuàng)建PreHeader文件后,一定要在BuilderSetting中添加到預(yù)處理中,不然這個(gè)文件不會(huì)生效)


image.png

以下是函數(shù)名混淆后的效果


image.png

參考:
http://www.itdecent.cn/p/248d3d2c323c

http://www.cocoachina.com/articles/499320?filter=rec

iOS如何用fastlane重簽名app

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺,僅提供信息存儲(chǔ)服務(wù)。

友情鏈接更多精彩內(nèi)容