
iOS Security Offense and Defense (14): Preventing tweak attachment

Visitor
2016.06.12 19:17

Solemn statement: I do not encourage stealing users' private data or similar behaviour; all of this hacking study is solely for researching how to defend.

The arrival of tweaks brought the developers of all sorts of unprotected ("naked") Apps to their knees, their Apps toyed with at will. But the appearance of a few well-protected Apps has been a shot in the arm for the security-challenged App Store; the protections they use are at the leading edge of the industry and worth learning from.

Below, using Alipay as the example, I'll walk through how its anti-tweak-attach protection is broken.

Install Alipay on the phone, open a terminal and ssh into the phone; launch Alipay on the phone and try to hijack the Alipay process:

ps -e                       // find the Alipay process
cycript -p AlipayWallet     // hijack the process
// (the binary is /var/mobile/Applications/D14A5661-C596-4A05-907A-5316D4628131/AlipayWallet.app/AlipayWallet)

The result is as follows:

[image: cycript.png]

The hijack failed. Next, try attaching to AlipayWallet with debugserver + lldb:

debugserver *:1234 -a AlipayWallet     // attach to AlipayWallet

Attaching failed too, as shown:

[image: attach.png]

Now things get tricky: both dylib injection and dynamic debugging have failed. A dynamic-debugging failure is very likely ptrace at work (PT_DENY_ATTACH), but dylib injection failing is the rarer case, so let's start there and see what is actually happening.

dylib injection is normally done through the DYLD_INSERT_LIBRARIES environment variable. If the dylib now cannot even be injected, i.e. its constructor never runs at all, the behaviour is not coming from Alipay's own code but happens before any of it executes. In that case it is most likely some flag in the Mach-O header that makes dyld refuse on purpose.

Download the dyld source code and look closely at the function pruneEnvironmentVariables:

//
// For security, setuid programs ignore DYLD_* environment variables.
// Additionally, the DYLD_* enviroment variables are removed
// from the environment, so that any child processes don't see them.
//
static void pruneEnvironmentVariables(const char* envp[], const char*** applep)
{
    // delete all DYLD_* and LD_LIBRARY_PATH environment variables
    int removedCount = 0;
    const char** d = envp;
    for(const char** s = envp; *s != NULL; s++) {
        if ( (strncmp(*s, "DYLD_", 5) != 0) && (strncmp(*s, "LD_LIBRARY_PATH=", 16) != 0) ) {
            *d++ = *s;
        }
        else {
            ++removedCount;
        }
    }
    *d++ = NULL;
    if ( removedCount != 0 ) {
        dyld::log("dyld: DYLD_ environment variables being ignored because ");
        switch (sRestrictedReason) {
            case restrictedNot:
                break;
            case restrictedBySetGUid:
                dyld::log("main executable (%s) is setuid or setgid\n", sExecPath);
                break;
            case restrictedBySegment:
                dyld::log("main executable (%s) has __RESTRICT/__restrict section\n", sExecPath);
                break;
            case restrictedByEntitlements:
                dyld::log("main executable (%s) is code signed with entitlements\n", sExecPath);
                break;
        }
    }

    // slide apple parameters
    if ( removedCount > 0 ) {
        *applep = d;
        do {
            *d = d[removedCount];
        } while ( *d++ != NULL );
        for(int i=0; i < removedCount; ++i) {
            *d++ = NULL;
        }
    }

    // disable framework and library fallback paths for setuid binaries rdar://problem/4589305
    sEnv.DYLD_FALLBACK_FRAMEWORK_PATH = NULL;
    sEnv.DYLD_FALLBACK_LIBRARY_PATH = NULL;
}

There are three situations in which dyld ignores the DYLD_ environment variables:

  1. the executable is setuid or setgid;
  2. the executable contains a __RESTRICT/__restrict section;
  3. the executable is code signed with certain entitlements.

Of these, 1 and 3 cannot be chosen by the app developer because of Apple's review process, so they are unlikely to show up in an App Store App. To be on the safe side, a quick check is enough:

ldid -e AlipayWallet
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 <dict>
  <key>keychain-access-groups</key>
  <array>
   <string>8H6B3SFEU4.com.ali.group</string>
  </array>

  <key>com.apple.developer.team-identifier</key>
  <string>BPM6A296T5</string>

  <key>com.apple.developer.healthkit</key>
  <true/>

  <key>application-identifier</key>
  <string>8H6B3SFEU4.com.alipay.iphoneclient</string>

  <key>aps-environment</key>
  <string>production</string>

  <key>com.apple.security.application-groups</key>
  <array>
   <string>group.com.alipay.wallet</string>
  </array>

 </dict>
</plist>

The output shows that the Alipay executable has no special entitlements (these are ordinary App Store ones: keychain and app groups, push, HealthKit), and nothing suggests setuid/setgid either (note that `ldid -e` only dumps entitlements; `ls -l` on the binary is what shows the mode bits). That makes it much more likely that it carries a __RESTRICT/__restrict section. Open AlipayWallet in MachOView:

[image: machOView.png]

OK, we have found the cause. Since anti-DYLD_INSERT_LIBRARIES is implemented through __RESTRICT/__restrict, defeating it amounts to defeating __RESTRICT/__restrict, and that is simple: open the AlipayWallet executable in an editor that can handle binaries, such as MacVim, and rename every occurrence of the _RESTRICT/_restrict strings. dyld finds the segment and section by exact name comparison, so changing even one character breaks the match.

After downloading MacVim, go into its directory and run make in the terminal to build it:

cd ./macvim-master     // enter the macvim-master directory
make                   // build

When the build finishes, locate MacVim.app where the build output says it is:

[image: macvim_Path.png]

Open it, drag AlipayWallet onto its window, and use command + f to find and replace:

[image: macvim_Replace.png]

AlipayWallet after the replacement looks like this:

[image: machOView_Replace.png]

Now dyld can no longer find __RESTRICT/__restrict and will not ignore DYLD_INSERT_LIBRARIES. Copy the modified AlipayWallet back to the iOS device:

scp AlipayWallet root@192.168.xxx.xxx:/var/mobile/Applications/D14A5661-C596-4A05-907A-5316D4628131/AlipayWallet.app/AlipayWallet
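To make the dyld check and the rename concrete, here is an added example (not code from the original post, and not Alipay's or Apple's code) that hand-parses a Mach-O's load commands with Python's struct module, reports every __restrict section sitting inside a __RESTRICT segment across thin and fat slices, and performs the same rename as the MacVim edit above as an in-place 16-byte write so the file layout is untouched. The image it checks is constructed in memory (a bare mach_header_64 plus one LC_SEGMENT_64; not a loadable binary), and the replacement names __RESTRIC_/__restric_ are my choice; any name that fails dyld's strcmp would do.

```python
"""Find and neutralise the __RESTRICT/__restrict marker that makes dyld drop DYLD_*.

Added example: hand-rolled Mach-O load-command parser for thin and fat files.
The rename mirrors the MacVim edit in the post and, like it, invalidates the
code signature.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit little-endian Mach-O
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit little-endian Mach-O
FAT_MAGIC = 0xCAFEBABE       # universal (fat) wrapper, big-endian header
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C


def _cstr(data, at):
    """Read a NUL-padded 16-byte name field (segname / sectname)."""
    return data[at:at + 16].split(b"\0", 1)[0].decode("ascii", "replace")


def _slices(data):
    """Yield the file offset of every thin image: one for a thin file, n for a fat file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            yield struct.unpack_from(">I", data, 8 + i * 20 + 8)[0]
    else:
        yield 0


def restrict_sections(data):
    """Return [(segname_offset, sectname_offset), ...] for every section named
    __restrict inside a segment named __RESTRICT: the exact pair that dyld's
    hasRestrictedSegment() compares with strcmp. Empty list: DYLD_* is honoured."""
    hits = []
    for base in _slices(data):
        magic = struct.unpack_from("<I", data, base)[0]
        if magic == MH_MAGIC_64:
            hdr, seg_lc, seg_sz, sect_sz, nsects_at = 32, LC_SEGMENT_64, 72, 80, 64
        elif magic == MH_MAGIC:
            hdr, seg_lc, seg_sz, sect_sz, nsects_at = 28, LC_SEGMENT, 56, 68, 48
        else:
            raise ValueError("no little-endian Mach-O header at offset %d" % base)
        ncmds = struct.unpack_from("<I", data, base + 16)[0]
        off = base + hdr
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", data, off)
            # segment_command{,_64}: cmd, cmdsize, segname[16], ..., nsects, flags, then sections
            if cmd == seg_lc and _cstr(data, off + 8) == "__RESTRICT":
                nsects = struct.unpack_from("<I", data, off + nsects_at)[0]
                for i in range(nsects):
                    sect = off + seg_sz + i * sect_sz   # section{,_64}: sectname[16], segname[16], ...
                    if _cstr(data, sect) == "__restrict":
                        hits.append((off + 8, sect))
            off += cmdsize
    return hits


def is_restricted(data):
    return bool(restrict_sections(data))


def unrestrict(data, segname=b"__RESTRIC_", sectname=b"__restric_"):
    """Rewrite the names in place (same 16-byte fields, no size change) so dyld's
    strcmp fails. The section's own copy of segname is rewritten too, for consistency."""
    buf = bytearray(data)
    for seg_at, sect_at in restrict_sections(data):
        buf[seg_at:seg_at + 16] = segname.ljust(16, b"\0")
        buf[sect_at:sect_at + 16] = sectname.ljust(16, b"\0")
        buf[sect_at + 16:sect_at + 32] = segname.ljust(16, b"\0")
    return bytes(buf)


def sample_macho(restricted=True):
    """Constructed arm64 header: mach_header_64 + one LC_SEGMENT_64 holding one
    section. Enough to exercise the parser; it is not a loadable binary."""
    seg_name = b"__RESTRICT" if restricted else b"__TEXT"
    sect_name = b"__restrict" if restricted else b"__text"
    section = (sect_name.ljust(16, b"\0") + seg_name.ljust(16, b"\0")
               + struct.pack("<QQIIIIIIII", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0))
    segment = (struct.pack("<II", LC_SEGMENT_64, 72 + 80) + seg_name.ljust(16, b"\0")
               + struct.pack("<QQQQiiII", 0, 0, 0, 0, 0, 0, 1, 0) + section)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, len(segment), 0, 0)
    return header + segment


def wrap_fat(thin, offset=4096):
    """Wrap one thin image in a constructed fat container (big-endian header)."""
    fat_hdr = struct.pack(">II", FAT_MAGIC, 1)
    fat_arch = struct.pack(">IIIII", CPU_TYPE_ARM64, 0, offset, len(thin), 12)
    return (fat_hdr + fat_arch).ljust(offset, b"\0") + thin


if __name__ == "__main__":
    # usage: python3 restrict_check.py <Mach-O> [--patch <output>]
    blob = open(sys.argv[1], "rb").read()
    print("restricted" if is_restricted(blob) else "not restricted")
    if len(sys.argv) > 3 and sys.argv[2] == "--patch":
        open(sys.argv[3], "wb").write(unrestrict(blob))
```

On the defending side the marker is added at link time with `-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null` in Other Linker Flags, and `otool -l` on the product confirms the segment is present. Because dyld matches the two names with a plain strcmp, a one-character rename on a jailbroken device defeats it, exactly as this post shows, so treat it as a speed bump layered with other checks rather than a guarantee.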

Because we statically patched the App's executable, its contents, and therefore the hashes in the code signature, have changed, so Apple's signature is now invalid and under normal conditions the Alipay App will no longer launch. Fixing this is convenient, if a little embarrassing, because it needs AppSync, the tool piracy relies on: search for AppSync in Cydia, install it, respring SpringBoard, and iOS's signature check is disabled.

[image: attach_Success.png]

Attach succeeds. A quick test: set a background image on the Alipay login screen.

[image: IMG_0102.jpg]

ok, finished!

Reproduction without permission is prohibited.