IOS - 越狱检测

ios 2023-08-16 18:08:49 636人浏览独家记忆

摘要

判断是否能打开越狱软件利用URL Scheme来查看是否能够代开比如cydia这些越狱软件 //Check cydia URL hook canOpenURL 来绕过 if([[UIApplication sharedApp

判断是否能打开越狱软件

利用URL Scheme来查看是否能够代开比如cydia这些越狱软件

    //Check cydia URL hook canOpenURL 来绕过    if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]])    {        return YES;    }    if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]])    {        return YES;    }

 frida-trace -U -f 包名  -m  "+[NSURL URLWithString:]"

包名可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本

 {    onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("Http://") ||   URLName.containsString_("https://") ||   URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}}  },    onLeave(log, retval, state) {  }}

判断是否可以访问一些越狱的文件

越狱后会产生额外的文件，通过判断是否存在这些文件来判断是否越狱了，可以用fopen和FileManager两个不同的方法去获取

BOOL fileExist(NSString* path){    NSFileManager *fileManager = [NSFileManager defaultManager];    BOOL isDirectory = NO;    if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){        return YES;    }    return NO;}BOOL directoryExist(NSString* path){    NSFileManager *fileManager = [NSFileManager defaultManager];    BOOL isDirectory = YES;    if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){        return YES;    }    return NO;}BOOL canOpen(NSString* path){    FILE *file = fopen([path UTF8String], "r");    if(file==nil){        return fileExist(path) || directoryExist(path);    }    fclose(file);    return YES;}

  NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app",                       @"/Library/MobileSubstrate/MobileSubstrate.dylib",                       @"/bin/bash",                       @"/usr/sbin/sshd",                       @"/etc/apt",                       @"/usr/bin/ssh",                       @"/private/var/lib/apt",                       @"/private/var/lib/cydia",                       @"/private/var/tmp/cydia.log",                       @"/Applications/WinterBoard.app",                       @"/var/lib/cydia",                       @"/private/etc/dpkg/origins/debian",                       @"/bin.sh",                       @"/private/etc/apt",                       @"/etc/ssh/sshd_config",                       @"/private/etc/ssh/sshd_config",                       @"/Applications/SBSetttings.app",                       @"/private/var/mobileLibrary/SBSettingsThemes/",                       @"/private/var/stash",                       @"/usr/libexec/sftp-server",                       @"/usr/libexec/cydia/",                       @"/usr/sbin/frida-server",                       @"/usr/bin/cycript",                       @"/usr/local/bin/cycript",                       @"/usr/lib/libcycript.dylib",                       @"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",                       @"/System/Library/LaunchDaemons/com.ikey.bbot.plist",                       @"/Applications/FakeCarrier.app",                       @"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",                       @"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",                       @"/usr/libexec/ssh-keysign",                       @"/usr/libexec/sftp-server",                       @"/Applications/blackra1n.app",                       @"/Applications/IntelliScreen.app",                       @"/Applications/Snoop-itConfig.app"                       @"/var/lib/dpkg/info", nil];    //Check installed app    for(NSString* check in checks)    {        if(canOpen(check))        {            return YES;        }    }

 frida-trace -U -f 包名  -m  "-[NSFileManager fileExistsAtPath:]"

{    onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") ||       fileName.containsString_("MobileSubstrate") ||       fileName.containsString_("Cydia") ||       fileName.containsString_("bash") ||       fileName.containsString_("ssh") ||   fileName.containsString_("/bin/sh") ||       fileName.containsString_("Applications") ||   fileName.containsString_("/bin/su") ||   fileName.containsString_("dpkg")     ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');   args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");   log(`-[NSFileManager fileExistsAtPath: ${fileName}`);    }}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`);  },    onLeave(log, retval, state) {  }}

关键词检测：JailBroken 及 JailBreak 等；

使用frida脚本简单干掉：

在启动就注入进去， -f是通过spawn,也就是重启apk注入js

frida -U -f 包名 --no-pause -l 过越狱检测.js

//越狱检测- 简单先将返回1的Nop掉var resolver = new apiResolver('objc');resolver.enumerateMatches('*[* *Jailb*]', {    onMatch: function (match) {        let funcName = match.name;        let funcAddr = match.address;        Interceptor.attach(ptr(funcAddr), {            onEnter: function (args) {            }, onLeave: function (retval) {                if (retval.toInt32() === 1) {                    retval.replace(0);                }                console.log(funcName, retval);            }        });    }, onComplete: function () {    }});resolver.enumerateMatches('*[* *JailB*]', {    onMatch: function (match) {        let funcName = match.name;        let funcAddr = match.address;        Interceptor.attach(ptr(funcAddr), {            onEnter: function (args) {            }, onLeave: function (retval) {                if (retval.toInt32() === 1) {                    retval.replace(0);                }                console.log(funcName, retval);            }        });    }, onComplete: function () {    }});resolver.enumerateMatches('*[* *jailB*]', {    onMatch: function (match) {        let funcName = match.name;        let funcAddr = match.address;        Interceptor.attach(ptr(funcAddr), {            onEnter: function (args) {            }, onLeave: function (retval) {                if (retval.toInt32() === 1) {                    retval.replace(0);                }                console.log(funcName, retval);            }        });    }, onComplete: function () {    }});