IOS - 越狱检测
创始人
2024-05-29 15:24:08
0

判断是否能打开越狱软件

利用URL Scheme来查看是否能够代开比如cydia这些越狱软件

    //Check cydia URL hook canOpenURL 来绕过if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]){return YES;}if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]){return YES;}

frida-trace -U -f 包名 -m “+[NSURL URIWithString:]”

包名 可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本

 /** Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call +[NSURL URLWithString:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("http://") ||URLName.containsString_("https://") ||URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}}},/*** Called synchronously when about to return from +[NSURL URLWithString:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

判断是否可以访问一些越狱的文件

越狱后会产生额外的文件,通过判断是否存在这些文件来判断是否越狱了,可以用fopen和FileManager两个不同的方法去获取

BOOL fileExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = NO;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL directoryExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = YES;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL canOpen(NSString* path)
{FILE *file = fopen([path UTF8String], "r");if(file==nil){return fileExist(path) || directoryExist(path);}fclose(file);return YES;
}
 NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app",@"/Library/MobileSubstrate/MobileSubstrate.dylib",@"/bin/bash",@"/usr/sbin/sshd",@"/etc/apt",@"/usr/bin/ssh",@"/private/var/lib/apt",@"/private/var/lib/cydia",@"/private/var/tmp/cydia.log",@"/Applications/WinterBoard.app",@"/var/lib/cydia",@"/private/etc/dpkg/origins/debian",@"/bin.sh",@"/private/etc/apt",@"/etc/ssh/sshd_config",@"/private/etc/ssh/sshd_config",@"/Applications/SBSetttings.app",@"/private/var/mobileLibrary/SBSettingsThemes/",@"/private/var/stash",@"/usr/libexec/sftp-server",@"/usr/libexec/cydia/",@"/usr/sbin/frida-server",@"/usr/bin/cycript",@"/usr/local/bin/cycript",@"/usr/lib/libcycript.dylib",@"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",@"/System/Library/LaunchDaemons/com.ikey.bbot.plist",@"/Applications/FakeCarrier.app",@"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",@"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",@"/usr/libexec/ssh-keysign",@"/usr/libexec/sftp-server",@"/Applications/blackra1n.app",@"/Applications/IntelliScreen.app",@"/Applications/Snoop-itConfig.app"@"/var/lib/dpkg/info", nil];//Check installed appfor(NSString* check in checks){if(canOpen(check)){return YES;}}

frida-trace -U -f 包名 -m “-[NSFileManager fileExistsAtPath:]”

/** Auto-generated by Frida. Please modify to match the signature of -[NSFileManager fileExistsAtPath:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call -[NSFileManager fileExistsAtPath:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") ||fileName.containsString_("MobileSubstrate") ||fileName.containsString_("Cydia") ||fileName.containsString_("bash") ||fileName.containsString_("ssh") ||fileName.containsString_("/bin/sh") ||fileName.containsString_("Applications") ||fileName.containsString_("/bin/su") ||fileName.containsString_("dpkg") ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");log(`-[NSFileManager fileExistsAtPath: ${fileName}`);}}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`);},/*** Called synchronously when about to return from -[NSFileManager fileExistsAtPath:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

关键词检测 :JailBroken 及 JailBreak 等;

使用frida脚本简单干掉:

在启动就注入进去, -f是通过spawn,也就是重启apk注入js

frida -U -f 包名 --no-pause -l 过越狱检测.js

//越狱检测- 简单先将返回1的Nop掉
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* *Jailb*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *JailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *jailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});

相关内容

热门资讯

安卓系统可以去水印吗,轻松恢复... 你有没有遇到过这种情况:手机里下载了好多好看的视频,结果一看,哎哟,全是水印!心里那个不舒服啊,是不...
安卓系统平板看论文,安卓平板论... 你有没有想过,在安卓系统平板上阅读论文竟然可以这么酷炫?想象你手捧着一款轻薄的平板,在阳光明媚的午后...
安卓能刷pe系统,一键实现系统... 你有没有想过,你的安卓手机是不是也能来个“变身大法”,从普通模式升级到超级模式呢?没错,今天就要来聊...
安卓系统的运动数据在哪,运动数... 你有没有发现,手机里的安卓系统里藏着不少秘密呢?比如,你每天的运动数据,它们都藏在哪个角落里呢?别急...
系统miui是不是安卓系统软件... 你有没有想过,你的手机里那个熟悉的MIUI系统,它到底是不是安卓系统的一部分呢?这可是个有趣的问题,...
安卓修改系统版本骗软件,软件骗... 你知道吗?在安卓系统世界里,有时候一些小改动就能掀起大波澜。今天,就让我带你一探究竟,揭秘那些通过修...
安卓平板如何刷凤凰系统,凤凰系... 亲爱的平板用户,你是否厌倦了安卓系统的千篇一律?想要给你的平板来个焕然一新的变身?那就跟着我一起,探...
安卓手机哪款系统好,安卓手机系... 你有没有想过,你的安卓手机系统到底怎么样?是不是有时候觉得卡顿,有时候又觉得功能不够强大?别急,今天...
安卓系统qq炫舞怎么换系统,轻... 亲爱的安卓用户们,你是不是也和我一样,对QQ炫舞这款游戏爱得深沉呢?但是,有时候,我们可能会觉得系统...
安卓原生系统图案忘了,图案解锁... 亲爱的手机控们,你是否也有过这样的经历:手机屏幕上那些熟悉的安卓原生系统图案,突然间就消失得无影无踪...
安卓苹果系统版本列表,安卓与i... 你有没有发现,手机更新换代的速度简直就像坐上了火箭呢?从安卓到苹果,每个系统版本的更新都像是一场科技...
在安卓系统和网关通信,安卓系统... 在安卓系统中,网关通信是如何工作的?在当今数字化的世界里,安卓系统已经成为了智能手机和平板电脑的主流...
恢复删除的短信安卓系统,轻松找... 手机里的短信,有时候就像生活中的小确幸,记录着我们的喜怒哀乐。但你知道吗?有时候,一条重要的短信不小...
bemyeyes安卓系统,功能... 你有没有想过,如果有一款手机系统,它不仅能让你轻松管理日常事务,还能让你的手机瞬间变身成为你的私人助...
汽车怎么下载安卓系统,如何下载... 你有没有想过,你的爱车也能装上安卓系统,变成一个智能移动中心呢?没错,现在汽车界也开始流行“跨界”了...
安卓系统软件编写,功能与特性的... 你有没有想过,手机里的那些神奇应用是怎么诞生的呢?没错,就是安卓系统软件编写这个神秘的过程。今天,就...
安卓系统微信总是延迟,具体操作... 你是不是也遇到了这样的烦恼?每次打开微信,总是慢吞吞的,让人等得心焦火燎。没错,说的就是你,安卓系统...
安卓系统格式化指令,轻松掌握数... 手机里的安卓系统突然出了点小状况,是不是让你有点头疼呢?别急,今天就来给你详细说说安卓系统格式化指令...
电脑安卓系统卡嘛,安卓系统卡顿... 你有没有遇到过这种情况:手机用得正欢,突然间,安卓系统就像老牛拉车一样慢吞吞的,让人抓狂!电脑安卓系...
华为荣耀的安卓系统精简,极致体... 你有没有发现,现在的手机越来越像是一个小型的电脑了?各种功能齐全,操作复杂,有时候用起来还真是让人头...