IOS - 越狱检测
创始人
2024-05-29 15:24:08
0

判断是否能打开越狱软件

利用URL Scheme来查看是否能够代开比如cydia这些越狱软件

    //Check cydia URL hook canOpenURL 来绕过if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]){return YES;}if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]){return YES;}

frida-trace -U -f 包名 -m “+[NSURL URIWithString:]”

包名 可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本

 /** Auto-generated by Frida. Please modify to match the signature of +[NSURL URLWithString:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call +[NSURL URLWithString:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("http://") ||URLName.containsString_("https://") ||URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}}},/*** Called synchronously when about to return from +[NSURL URLWithString:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

判断是否可以访问一些越狱的文件

越狱后会产生额外的文件,通过判断是否存在这些文件来判断是否越狱了,可以用fopen和FileManager两个不同的方法去获取

BOOL fileExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = NO;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL directoryExist(NSString* path)
{NSFileManager *fileManager = [NSFileManager defaultManager];BOOL isDirectory = YES;if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){return YES;}return NO;
}BOOL canOpen(NSString* path)
{FILE *file = fopen([path UTF8String], "r");if(file==nil){return fileExist(path) || directoryExist(path);}fclose(file);return YES;
}
 NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app",@"/Library/MobileSubstrate/MobileSubstrate.dylib",@"/bin/bash",@"/usr/sbin/sshd",@"/etc/apt",@"/usr/bin/ssh",@"/private/var/lib/apt",@"/private/var/lib/cydia",@"/private/var/tmp/cydia.log",@"/Applications/WinterBoard.app",@"/var/lib/cydia",@"/private/etc/dpkg/origins/debian",@"/bin.sh",@"/private/etc/apt",@"/etc/ssh/sshd_config",@"/private/etc/ssh/sshd_config",@"/Applications/SBSetttings.app",@"/private/var/mobileLibrary/SBSettingsThemes/",@"/private/var/stash",@"/usr/libexec/sftp-server",@"/usr/libexec/cydia/",@"/usr/sbin/frida-server",@"/usr/bin/cycript",@"/usr/local/bin/cycript",@"/usr/lib/libcycript.dylib",@"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",@"/System/Library/LaunchDaemons/com.ikey.bbot.plist",@"/Applications/FakeCarrier.app",@"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",@"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",@"/usr/libexec/ssh-keysign",@"/usr/libexec/sftp-server",@"/Applications/blackra1n.app",@"/Applications/IntelliScreen.app",@"/Applications/Snoop-itConfig.app"@"/var/lib/dpkg/info", nil];//Check installed appfor(NSString* check in checks){if(canOpen(check)){return YES;}}

frida-trace -U -f 包名 -m “-[NSFileManager fileExistsAtPath:]”

/** Auto-generated by Frida. Please modify to match the signature of -[NSFileManager fileExistsAtPath:].* This stub is currently auto-generated from manpages when available.** For full API reference, see: https://frida.re/docs/javascript-api/*/{/*** Called synchronously when about to call -[NSFileManager fileExistsAtPath:].** @this {object} - Object allowing you to store state for use in onLeave.* @param {function} log - Call this function with a string to be presented to the user.* @param {array} args - Function arguments represented as an array of NativePointer objects.* For example use args[0].readUtf8String() if the first argument is a pointer to a C string encoded as UTF-8.* It is also possible to modify arguments by assigning a NativePointer object to an element of this array.* @param {object} state - Object allowing you to keep state across function calls.* Only one JavaScript function will execute at a time, so do not worry about race-conditions.* However, do not use this to store function arguments across onEnter/onLeave, but instead* use "this" which is an object for keeping state local to an invocation.*/onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") ||fileName.containsString_("MobileSubstrate") ||fileName.containsString_("Cydia") ||fileName.containsString_("bash") ||fileName.containsString_("ssh") ||fileName.containsString_("/bin/sh") ||fileName.containsString_("Applications") ||fileName.containsString_("/bin/su") ||fileName.containsString_("dpkg") ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n');args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx");log(`-[NSFileManager fileExistsAtPath: ${fileName}`);}}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`);},/*** Called synchronously when about to return from -[NSFileManager fileExistsAtPath:].** See onEnter for details.** @this {object} - Object allowing you to access state stored in onEnter.* @param {function} log - Call this function with a string to be presented to the user.* @param {NativePointer} retval - Return value represented as a NativePointer object.* @param {object} state - Object allowing you to keep state across function calls.*/onLeave(log, retval, state) {}
}

关键词检测 :JailBroken 及 JailBreak 等;

使用frida脚本简单干掉:

在启动就注入进去, -f是通过spawn,也就是重启apk注入js

frida -U -f 包名 --no-pause -l 过越狱检测.js

//越狱检测- 简单先将返回1的Nop掉
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* *Jailb*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *JailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});
resolver.enumerateMatches('*[* *jailB*]', {onMatch: function (match) {let funcName = match.name;let funcAddr = match.address;Interceptor.attach(ptr(funcAddr), {onEnter: function (args) {}, onLeave: function (retval) {if (retval.toInt32() === 1) {retval.replace(0);}console.log(funcName, retval);}});}, onComplete: function () {}
});

相关内容

热门资讯

安卓系统用的华为应用,探索智能... 你知道吗?在安卓系统里,华为的应用可是个宝库呢!它们不仅功能强大,而且使用起来超级方便。今天,就让我...
安卓变ios系统魅蓝 你知道吗?最近有个朋友突然告诉我,他要把自己的安卓手机换成iOS系统,而且还是魅蓝品牌的!这可真是让...
幻书启世录安卓系统,安卓世界中... 亲爱的读者们,你是否曾在某个夜晚,被一本神奇的书所吸引,仿佛它拥有着穿越时空的力量?今天,我要带你走...
电脑安装安卓系统进不去,安卓系... 电脑安装安卓系统后竟然进不去,这可真是让人头疼的问题啊!你是不是也遇到了这种情况,心里直呼“怎么办怎...
用键盘切换控制安卓系统,畅享安... 你有没有想过,用键盘来控制你的安卓手机?是的,你没听错,就是那个我们每天敲敲打打的小玩意儿——键盘。...
小米安卓镜像系统在哪,小米安卓... 你有没有想过,你的小米手机里有一个隐藏的宝藏——安卓镜像系统?没错,就是那个可以让你的手机瞬间变身成...
安卓手机下载排班系统,高效排班... 你有没有想过,每天忙碌的工作中,有没有什么好帮手能帮你轻松管理时间呢?今天,就让我来给你介绍一个超级...
桌面组件如何弄安卓系统,桌面组... 亲爱的桌面爱好者们,你是否曾梦想过将安卓系统搬到你的电脑桌面上?想象那些流畅的动画、丰富的应用,还有...
安卓13系统介绍视频,新功能与... 亲爱的读者们,你是否对安卓13系统充满好奇?想要一探究竟,却又苦于没有足够的时间去研究?别担心,今天...
车机安卓7.1系统,功能升级与... 你有没有发现,现在的车机系统越来越智能了?尤其是那些搭载了安卓7.1系统的车机,简直就像是个贴心的智...
安卓系统下如何读pdf,And... 你有没有遇到过这种情况:手机里存了一大堆PDF文件,可是怎么也找不到一个能顺畅阅读的工具?别急,今天...
安卓系统全国通用的吗,畅享智能... 你有没有想过,为什么你的手机里装的是安卓系统呢?安卓系统,这个名字听起来是不是有点神秘?今天,就让我...
假苹果手机8安卓系统,颠覆传统... 你有没有想过,如果苹果手机突然变成了安卓系统,会是怎样的景象呢?想象那熟悉的苹果外观,却运行着安卓的...
安卓12.0系统vivo有吗,... 你有没有听说最近安卓系统又升级啦?没错,就是那个让手机焕然一新的安卓12.0系统!那么,咱们国内的手...
核心芯片和安卓系统,探索核心芯... 你知道吗?在科技的世界里,有一对“黄金搭档”正悄悄改变着我们的生活。他们就是——核心芯片和安卓系统。...
如何调安卓系统屏幕颜色,安卓系... 亲爱的手机控们,你是否曾觉得安卓系统的屏幕颜色不够个性,或者是因为长时间盯着屏幕而感到眼睛疲劳?别担...
旧台式电脑安装安卓系统,轻松安... 你那台旧台式电脑是不是已经服役多年,性能逐渐力不从心,却又不忍心让它退役呢?别急,今天就来教你怎么给...
美国要求关闭安卓系统,科技霸权... 美国要求关闭安卓系统:一场技术革新还是政治博弈?在数字化时代,智能手机已经成为我们生活中不可或缺的一...
安卓系统日记本 你有没有发现,手机里的安卓系统日记本,简直就是记录生活点滴的宝藏库呢?想象每天忙碌的生活中,有没有那...
安卓手机广告最少的系统,探索安... 你有没有发现,用安卓手机的时候,广告总是无处不在,让人烦得要命?不过别急,今天我要给你揭秘一个秘密—...