iOS - Jailbreak Detection
Founder
2024-05-29 15:24:08

Checking whether jailbreak apps can be opened

Use a URL scheme to check whether jailbreak apps such as Cydia can be opened.

    // Check the Cydia URL scheme (hooking canOpenURL bypasses this check)
    if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]) {
        return YES;
    }
    if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) {
        return YES;
    }

frida-trace -U -f <package-name> -m "+[NSURL URLWithString:]"

The package name can be looked up with frida-ps -Ua. Then edit the JS handler script at the path that frida-trace generates:

    /*
     * Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].
     * This stub is currently auto-generated from manpages when available.
     *
     * For full API reference, see: https://frida.re/docs/javascript-api/
     */

    {
      /**
       * Called synchronously when about to call +[NSURL URLWithString:].
       *
       * @this {object} - Object allowing you to store state for use in onLeave.
       * @param {function} log - Call this function with a string to be presented to the user.
       * @param {array} args - Function arguments represented as an array of NativePointer objects.
       * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
       * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
       * @param {object} state - Object allowing you to keep state across function calls.
       * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
       * However, do not use this to store function arguments across onEnter/onLeave, but instead
       * use "this" which is an object for keeping state local to an invocation.
       */
      onEnter(log, args, state) {
        // args[0] is self, args[1] is the selector, args[2] is the URL string
        var URLName = new ObjC.Object(args[2]);
        if (URLName.containsString_) {
          if (URLName.containsString_("http://") ||
              URLName.containsString_("https://") ||
              URLName.containsString_("file://")) {
            // Ordinary schemes are left untouched
          } else {
            if (URLName.containsString_("://")) {
              // Any other scheme is logged and replaced with a dummy one
              log(`+[NSURL URLWithString:]` + URLName);
              args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");
            }
          }
        }
      },

      /**
       * Called synchronously when about to return from +[NSURL URLWithString:].
       *
       * See onEnter for details.
       *
       * @this {object} - Object allowing you to access state stored in onEnter.
       * @param {function} log - Call this function with a string to be presented to the user.
       * @param {NativePointer} retval - Return value represented as a NativePointer object.
       * @param {object} state - Object allowing you to keep state across function calls.
       */
      onLeave(log, retval, state) {
      }
    }

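Checking whether jailbreak-related files are accessible

Jailbreaking leaves extra files on the device, so checking whether those files exist reveals whether the device is jailbroken. Two different methods can be used for the check: fopen and NSFileManager.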

    #import <Foundation/Foundation.h>
    #include <stdio.h>

    // YES if a regular (non-directory) entry exists at path
    BOOL fileExist(NSString* path)
    {
        NSFileManager *fileManager = [NSFileManager defaultManager];
        BOOL isDirectory = NO;
        return [fileManager fileExistsAtPath:path isDirectory:&isDirectory] && !isDirectory;
    }

    // YES if a directory exists at path
    BOOL directoryExist(NSString* path)
    {
        NSFileManager *fileManager = [NSFileManager defaultManager];
        BOOL isDirectory = NO;
        return [fileManager fileExistsAtPath:path isDirectory:&isDirectory] && isDirectory;
    }

    // Try fopen first; if it fails, fall back to NSFileManager
    BOOL canOpen(NSString* path)
    {
        FILE *file = fopen([path UTF8String], "r");
        if (file == NULL) {
            return fileExist(path) || directoryExist(path);
        }
        fclose(file);
        return YES;
    }

    // The list and loop are a fragment of the app's detection method;
    // the wrapper name used here is illustrative.
    BOOL hasJailbreakFiles(void)
    {
        NSArray* checks = [[NSArray alloc] initWithObjects:
            @"/Applications/Cydia.app",
            @"/Library/MobileSubstrate/MobileSubstrate.dylib",
            @"/bin/bash",
            @"/usr/sbin/sshd",
            @"/etc/apt",
            @"/usr/bin/ssh",
            @"/private/var/lib/apt",
            @"/private/var/lib/cydia",
            @"/private/var/tmp/cydia.log",
            @"/Applications/WinterBoard.app",
            @"/var/lib/cydia",
            @"/private/etc/dpkg/origins/debian",
            @"/bin/sh",
            @"/private/etc/apt",
            @"/etc/ssh/sshd_config",
            @"/private/etc/ssh/sshd_config",
            @"/Applications/SBSettings.app",
            @"/private/var/mobile/Library/SBSettingsThemes/",
            @"/private/var/stash",
            @"/usr/libexec/sftp-server",
            @"/usr/libexec/cydia/",
            @"/usr/sbin/frida-server",
            @"/usr/bin/cycript",
            @"/usr/local/bin/cycript",
            @"/usr/lib/libcycript.dylib",
            @"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
            @"/System/Library/LaunchDaemons/com.ikey.bbot.plist",
            @"/Applications/FakeCarrier.app",
            @"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
            @"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
            @"/usr/libexec/ssh-keysign",
            @"/Applications/blackra1n.app",
            @"/Applications/IntelliScreen.app",
            @"/Applications/Snoop-itConfig.app",
            @"/var/lib/dpkg/info",
            nil];

        // Check installed apps and files
        for (NSString* check in checks) {
            if (canOpen(check)) {
                return YES;
            }
        }
        return NO;
    }

frida-trace -U -f <package-name> -m "-[NSFileManager fileExistsAtPath:]"

    /*
     * Auto-generated by Frida. Please modify to match the signature of -[NSFileManager fileExistsAtPath:].
     * This stub is currently auto-generated from manpages when available.
     *
     * For full API reference, see: https://frida.re/docs/javascript-api/
     */

    {
      /**
       * Called synchronously when about to call -[NSFileManager fileExistsAtPath:].
       *
       * @this {object} - Object allowing you to store state for use in onLeave.
       * @param {function} log - Call this function with a string to be presented to the user.
       * @param {array} args - Function arguments represented as an array of NativePointer objects.
       * For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.
       * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
       * @param {object} state - Object allowing you to keep state across function calls.
       * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
       * However, do not use this to store function arguments across onEnter/onLeave, but instead
       * use "this" which is an object for keeping state local to an invocation.
       */
      onEnter(log, args, state) {
        // args[0] is self, args[1] is the selector, args[2] is the path string
        var fileName = new ObjC.Object(args[2]);
        if (fileName.containsString_) {
          if (fileName.containsString_("apt") ||
              fileName.containsString_("MobileSubstrate") ||
              fileName.containsString_("Cydia") ||
              fileName.containsString_("bash") ||
              fileName.containsString_("ssh") ||
              fileName.containsString_("/bin/sh") ||
              fileName.containsString_("Applications") ||
              fileName.containsString_("/bin/su") ||
              fileName.containsString_("dpkg")) {
            // Print the call stack to locate the detection code in the app
            console.log('fileExistsAtPath called from:\n' +
              Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress).join('\n') + '\n');
            // Replace the queried path with one that does not exist
            args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");
            log(`-[NSFileManager fileExistsAtPath: ${fileName}]`);
          }
        }
        //log(`-[NSFileManager fileExistsAtPath: ${fileName}]`);
      },

      /**
       * Called synchronously when about to return from -[NSFileManager fileExistsAtPath:].
       *
       * See onEnter for details.
       *
       * @this {object} - Object allowing you to access state stored in onEnter.
       * @param {function} log - Call this function with a string to be presented to the user.
       * @param {NativePointer} retval - Return value represented as a NativePointer object.
       * @param {object} state - Object allowing you to keep state across function calls.
       */
      onLeave(log, retval, state) {
      }
    }

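Keyword detection: JailBroken, JailBreak, and so on.

A Frida script can neutralize these quite simply:

Inject at startup. The -f option spawns the target, that is, it restarts the app and injects the JS:

frida -U -f <package-name> --no-pause -l 过越狱检测.js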

    // Jailbreak detection: simply force any matching method that returns 1 to return 0
    var resolver = new ApiResolver('objc');

    // The resolver matches case-sensitively, so each spelling gets its own pattern
    ['*[* *Jailb*]', '*[* *JailB*]', '*[* *jailB*]'].forEach(function (pattern) {
        resolver.enumerateMatches(pattern, {
            onMatch: function (match) {
                let funcName = match.name;
                let funcAddr = match.address;
                Interceptor.attach(ptr(funcAddr), {
                    onEnter: function (args) {},
                    onLeave: function (retval) {
                        if (retval.toInt32() === 1) {
                            retval.replace(0);
                        }
                        console.log(funcName, retval);
                    }
                });
            },
            onComplete: function () {}
        });
    });
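
Each hook above targets a single Objective-C method, and the resolver script finds checks by selector name, so a detection is harder to blind when it probes the same path through several independent C calls and treats disagreement between them as tampering. The cross-check below is an added example, not code from the original post; check_path, the probe_* functions and the sample paths are assumptions, and probe_blinded is a constructed stand-in for a hooked API.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: every name here is hypothetical, none comes from the post. */
typedef int (*probe_fn)(const char *path);
enum verdict { ABSENT, PRESENT, TAMPERED };

/* A failed call still means "present" unless the OS says the path is missing;
 * sandbox denials (EPERM/EACCES) must not look like disagreement. */
static int present(int ok) {
    return ok || (errno != ENOENT && errno != ENOTDIR);
}
static int probe_fopen(const char *p) {
    FILE *f = fopen(p, "r");
    if (f) { fclose(f); return 1; }
    return present(0);
}
static int probe_access(const char *p) { return present(access(p, F_OK) == 0); }
static int probe_stat(const char *p) {
    struct stat st;
    return present(stat(p, &st) == 0);
}
/* Constructed stand-in for an API whose argument a hook has rewritten. */
static int probe_blinded(const char *p) { (void)p; return 0; }

static const probe_fn REAL_PROBES[] = { probe_fopen, probe_access, probe_stat };
static const probe_fn MIXED_PROBES[] = { probe_fopen, probe_blinded, probe_stat };

/* All probes agree -> PRESENT or ABSENT; any disagreement -> TAMPERED. */
enum verdict check_path(const char *path, const probe_fn *probes, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += probes[i](path) ? 1 : 0;
    if (hits == 0) return ABSENT;
    return hits == n ? PRESENT : TAMPERED;
}

int main(void) {
    const char *paths[] = { "/", "/constructed/missing/path" };  /* sample inputs */
    for (size_t i = 0; i < 2; i++)
        printf("%-28s real=%d mixed=%d\n", paths[i],
               check_path(paths[i], REAL_PROBES, 3),
               check_path(paths[i], MIXED_PROBES, 3));
    return 0;
}
```

A TAMPERED verdict is itself a signal worth reporting to the backend, since an unmodified device gives the same answer through every probe.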
