IOS - 越狱检测
创始人
2024-05-29 15:24:08
0

判断是否能打开越狱软件

利用URL Scheme来查看是否能够代开比如cydia这些越狱软件

    //Check cydia URL hook canOpenURL 来绕过if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]){return YES;}if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]){return YES;}

frida-trace -U -f 包名 -m “+[NSURL URIWithString:]”

包名 可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本

 /** Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call +[NSURL URLWithString:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("http://") ||URLName.containsString_("https://") ||URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}}},/*** Called synchronously when about to return from +[NSURL URLWithString:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

判断是否可以访问一些越狱的文件

越狱后会产生额外的文件,通过判断是否存在这些文件来判断是否越狱了,可以用fopen和FileManager两个不同的方法去获取

BOOL fileExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = NO;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL directoryExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = YES;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL canOpen(NSString* path)
{FILE *file = fopen([path UTF8String], "r");if(file==nil){return fileExist(path) || directoryExist(path);}fclose(file);return YES;
}
 NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app",@"/Library/MobileSubstrate/MobileSubstrate.dylib",@"/bin/bash",@"/usr/sbin/sshd",@"/etc/apt",@"/usr/bin/ssh",@"/private/var/lib/apt",@"/private/var/lib/cydia",@"/private/var/tmp/cydia.log",@"/Applications/WinterBoard.app",@"/var/lib/cydia",@"/private/etc/dpkg/origins/debian",@"/bin.sh",@"/private/etc/apt",@"/etc/ssh/sshd_config",@"/private/etc/ssh/sshd_config",@"/Applications/SBSetttings.app",@"/private/var/mobileLibrary/SBSettingsThemes/",@"/private/var/stash",@"/usr/libexec/sftp-server",@"/usr/libexec/cydia/",@"/usr/sbin/frida-server",@"/usr/bin/cycript",@"/usr/local/bin/cycript",@"/usr/lib/libcycript.dylib",@"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",@"/System/Library/LaunchDaemons/com.ikey.bbot.plist",@"/Applications/FakeCarrier.app",@"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",@"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",@"/usr/libexec/ssh-keysign",@"/usr/libexec/sftp-server",@"/Applications/blackra1n.app",@"/Applications/IntelliScreen.app",@"/Applications/Snoop-itConfig.app"@"/var/lib/dpkg/info", nil];//Check installed appfor(NSString* check in checks){if(canOpen(check)){return YES;}}

frida-trace -U -f 包名 -m “-[NSFileManager fileExistsAtPath:]”

/** Auto-generated by Frida. Please modify to match the signature of -[NSFileManager fileExistsAtPath:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call -[NSFileManager fileExistsAtPath:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") ||fileName.containsString_("MobileSubstrate") ||fileName.containsString_("Cydia") ||fileName.containsString_("bash") ||fileName.containsString_("ssh") ||fileName.containsString_("/bin/sh") ||fileName.containsString_("Applications") ||fileName.containsString_("/bin/su") ||fileName.containsString_("dpkg") ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");log(`-[NSFileManager fileExistsAtPath: ${fileName}`);}}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`);},/*** Called synchronously when about to return from -[NSFileManager fileExistsAtPath:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

关键词检测 :JailBroken 及 JailBreak 等;

使用frida脚本简单干掉:

在启动就注入进去, -f是通过spawn,也就是重启apk注入js

frida -U -f 包名 --no-pause -l 过越狱检测.js

//越狱检测- 简单先将返回1的Nop掉
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* *Jailb*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *JailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *jailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});

相关内容

热门资讯

安卓4.4系统tv软件,探索安... 亲爱的读者们,你是否曾为家里的电视屏幕增添一些智能的魔力而烦恼?别担心,今天我要给你带来一个超级实用...
安卓系统的研究人物,安卓系统发... 你知道吗?在科技飞速发展的今天,安卓系统可是占据了智能手机市场的大半壁江山。而在这片广阔的天地里,有...
山寨苹果刷会安卓系统,安卓系统... 你知道吗?在科技圈里,总有一些让人眼前一亮的小秘密。今天,我要给你揭秘一个关于山寨苹果刷安卓系统的神...
安卓系统新用户登录,畅享智能生... 你刚刚入手了一台全新的安卓手机,是不是有点小激动呢?别急,别急,让我来给你详细介绍一下安卓系统新用户...
安卓8.0系统推荐版本,体验流... 你有没有发现,手机系统更新换代的速度简直就像小孩子的成长一样快?这不,安卓8.0系统已经悄悄地来到了...
安卓系统怎么分享位置吗,一键操... 你是不是也有过这样的经历:和朋友约好见面,却因为找不到对方而急得团团转?别担心,今天就来教你怎么在安...
安卓系统更新加速器,畅享极速升... 你有没有发现,手机更新系统的时候总是慢吞吞的,让人等得心痒痒?别急,今天就来给你安利一款神器——安卓...
百答系统和安卓系统区别,差异解... 你有没有想过,为什么你的手机里装了那么多应用,却还是觉得信息不够全面?其实,这背后的大脑——操作系统...
安卓锁系统设置软件,软件设置与... 手机里的秘密可多了去了,是不是有时候你也会觉得,这手机里的信息要是被别人看到了可怎么办呢?别担心,今...
安卓电视u盘游戏系统,轻松畅享... 你有没有想过,家里的安卓电视也能玩上那些刺激的电脑游戏呢?没错,就是那种让你一玩就停不下来的游戏!今...
挂载安卓系统为读写权限,读写权... 你有没有想过,你的手机里那些神奇的安卓系统,竟然可以赋予某些应用读写权限?这听起来是不是有点像科幻电...
安卓12系统怎么打补丁,保障设... 亲爱的安卓用户们,你是否也遇到了系统卡顿、bug频发的小烦恼呢?别急,今天就来给你支个招——安卓12...
客厅电脑用安卓系统好吗,体验智... 亲爱的读者,你是不是在为客厅电脑选择操作系统而烦恼呢?安卓系统,这个我们日常手机上常见的操作系统,是...
安卓系统能看访客记录,轻松查看... 你有没有想过,你的安卓手机里藏着一个小秘密?没错,就是访客记录!是的,你没听错,你的手机里竟然能查看...
印度安卓系统电脑推荐,性能卓越... 你有没有想过,在印度这片神奇的土地上,用一台安卓系统电脑会是怎样的体验呢?想象阳光洒在泰姬陵的白色大...
安卓系统合作公司,安卓系统合作... 你知道吗?在科技的世界里,安卓系统可是个超级明星呢!它不仅拥有庞大的用户群体,还吸引了一大批合作公司...
苹果表有安卓系统时间,时间同步... 你有没有发现,最近苹果表也开始支持安卓系统了?没错,就是那个一直以封闭著称的苹果,竟然也开始拥抱安卓...
原生安卓系统裁剪图片,原生安卓... 你有没有发现,用原生安卓系统拍照,有时候拍出来的照片分辨率超高,但就是有点大,想裁剪却不知道怎么操作...
安卓系统蓝牙开关APP,安卓系... 你有没有遇到过这种情况:手机里的安卓系统蓝牙开关总是让人摸不着头脑?有时候想开蓝牙,却找不到开关在哪...
安卓系统能登录ios系统王者吗... 你有没有想过,安卓系的手机能不能登录iOS系统的王者荣耀呢?这可是个让人好奇不已的问题哦!毕竟,两个...