IOS - 越狱检测
创始人
2024-05-29 15:24:08
0

判断是否能打开越狱软件

利用URL Scheme来查看是否能够代开比如cydia这些越狱软件

    //Check cydia URL hook canOpenURL 来绕过if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]){return YES;}if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]){return YES;}

frida-trace -U -f 包名 -m “+[NSURL URIWithString:]”

包名 可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本

 /** Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call +[NSURL URLWithString:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("http://") ||URLName.containsString_("https://") ||URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}}},/*** Called synchronously when about to return from +[NSURL URLWithString:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

判断是否可以访问一些越狱的文件

越狱后会产生额外的文件,通过判断是否存在这些文件来判断是否越狱了,可以用fopen和FileManager两个不同的方法去获取

BOOL fileExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = NO;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL directoryExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = YES;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL canOpen(NSString* path)
{FILE *file = fopen([path UTF8String], "r");if(file==nil){return fileExist(path) || directoryExist(path);}fclose(file);return YES;
}
 NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app",@"/Library/MobileSubstrate/MobileSubstrate.dylib",@"/bin/bash",@"/usr/sbin/sshd",@"/etc/apt",@"/usr/bin/ssh",@"/private/var/lib/apt",@"/private/var/lib/cydia",@"/private/var/tmp/cydia.log",@"/Applications/WinterBoard.app",@"/var/lib/cydia",@"/private/etc/dpkg/origins/debian",@"/bin.sh",@"/private/etc/apt",@"/etc/ssh/sshd_config",@"/private/etc/ssh/sshd_config",@"/Applications/SBSetttings.app",@"/private/var/mobileLibrary/SBSettingsThemes/",@"/private/var/stash",@"/usr/libexec/sftp-server",@"/usr/libexec/cydia/",@"/usr/sbin/frida-server",@"/usr/bin/cycript",@"/usr/local/bin/cycript",@"/usr/lib/libcycript.dylib",@"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",@"/System/Library/LaunchDaemons/com.ikey.bbot.plist",@"/Applications/FakeCarrier.app",@"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",@"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",@"/usr/libexec/ssh-keysign",@"/usr/libexec/sftp-server",@"/Applications/blackra1n.app",@"/Applications/IntelliScreen.app",@"/Applications/Snoop-itConfig.app"@"/var/lib/dpkg/info", nil];//Check installed appfor(NSString* check in checks){if(canOpen(check)){return YES;}}

frida-trace -U -f 包名 -m “-[NSFileManager fileExistsAtPath:]”

/** Auto-generated by Frida. Please modify to match the signature of -[NSFileManager fileExistsAtPath:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call -[NSFileManager fileExistsAtPath:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") ||fileName.containsString_("MobileSubstrate") ||fileName.containsString_("Cydia") ||fileName.containsString_("bash") ||fileName.containsString_("ssh") ||fileName.containsString_("/bin/sh") ||fileName.containsString_("Applications") ||fileName.containsString_("/bin/su") ||fileName.containsString_("dpkg") ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");log(`-[NSFileManager fileExistsAtPath: ${fileName}`);}}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`);},/*** Called synchronously when about to return from -[NSFileManager fileExistsAtPath:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

关键词检测 :JailBroken 及 JailBreak 等;

使用frida脚本简单干掉:

在启动就注入进去, -f是通过spawn,也就是重启apk注入js

frida -U -f 包名 --no-pause -l 过越狱检测.js

//越狱检测- 简单先将返回1的Nop掉
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* *Jailb*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *JailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *jailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});

相关内容

热门资讯

安卓系统热点限速软件,优化热点... 你有没有遇到过这种情况:手机连接热点后,网速就像蜗牛爬行一样慢,简直让人抓狂!别急,今天就来给你揭秘...
安卓系统占内存多,揭秘内存消耗... 你有没有发现,手机用着用着,内存就不够用了?尤其是安卓系统,好像特别能吃内存,让人头疼不已。今天,就...
最近安卓系统奔溃,揭秘原因与应... 最近手机界可是炸开了锅呢!安卓系统竟然出现了大规模奔溃,这可真是让人摸不着头脑。咱们一起来探究这背后...
ce系统能刷安卓系统吗,揭秘能... 你有没有想过,你的安卓手机是不是也能用上CE系统呢?这可不是天方夜谭,今天就来给你揭秘一下这个神秘的...
安卓系统UI设计特色,创新与用... 你有没有发现,每次打开安卓手机,那界面设计得真是让人眼前一亮呢?今天,就让我带你一起探索一下安卓系统...
ipod有安卓系统吗,跨界融合... 你有没有想过,那个曾经风靡一时的iPod,它到底有没有安卓系统呢?这个问题,估计让不少音乐爱好者都好...
安卓多少系统最高的,揭秘最高版... 你有没有想过,你的安卓手机到底升级到了哪个系统版本呢?是不是好奇安卓系统里哪个版本才是最高级的呢?别...
现在安卓最高的系统,揭秘安卓1... 你有没有发现,手机更新换代的速度简直就像坐上了火箭呢!这不,最近安卓系统又来了一次大升级,听说这是现...
安卓系统怎么隐藏相册,安卓系统... 你是不是也有那么几本“私人珍藏”,不想让旁人随意翻看呢?比如,手机里的相册,里面藏着我们的喜怒哀乐,...
安卓桌面挂件系统下载,下载与个... 你有没有发现,手机桌面上的那些小玩意儿,简直就是生活的调味品?今天,咱们就来聊聊安卓桌面挂件系统下载...
wp手机加安卓系统,探索跨界新... 你有没有想过,为什么你的手机总是那么卡,而别人的手机却流畅得像风一样?是不是觉得自己的手机有点OUT...
省电手机推荐安卓系统,安卓系统... 手机这玩意儿,对于我们这些手机控来说,简直就是生活的必需品。但是,你知道吗?现在市面上那么多手机,要...
安卓系统衰落怎么恢复,探寻衰落... 你有没有发现,最近安卓系统好像有点儿“水土不服”了呢?曾经的霸主地位,如今似乎有些动摇。不过别急,今...
安卓系统手机应用锁,安全无忧的... 你有没有发现,现在手机里的秘密越来越多,是不是也跟小秘密一样,想要找个地方藏起来呢?没错,今天就要来...
安卓系统书院源app,安卓系统... 你有没有发现,手机里的安卓系统越来越智能了?今天,我要给你介绍一个特别有意思的书院源app,它可是安...
安卓系统8.1平板推荐,安卓8... 你有没有想过,拥有一款性能卓越、体验流畅的安卓系统8.1平板,简直就是移动办公和娱乐的完美搭档?没错...
谷歌不给华为安卓系统,探索替代... 你知道吗?最近科技圈可是炸开了锅!谷歌突然宣布,不给华为提供安卓系统了!这可不仅仅是两家公司之间的小...
选择安卓系统原因调查,揭秘安卓... 你有没有想过,为什么那么多人会选择安卓系统呢?是不是好奇他们到底看中了安卓的哪些“小秘密”?今天,就...
安卓系统的安全证书,守护移动安... 你知道吗?在咱们这个科技飞速发展的时代,手机已经成了我们生活中不可或缺的好伙伴。而说起手机,安卓系统...
谷歌安卓系统挣钱吗,如何通过它... 你有没有想过,那个无处不在的谷歌安卓系统,它到底是怎么赚钱的呢?没错,就是那个让我们的手机、平板、智...