Defeating the anti-debugging protection in the AMap (高德地圖) 7.2.0 iOS client

AMap (高德) is China's leading provider of digital map content, navigation and location services. Apple's built-in Maps app uses AMap's data, which shows how authoritative AMap is.

Yesterday, on a whim, I became very interested in a feature of AMap that is not officially offered, and tried to implement it by cracking the app. But as soon as I attached LLDB, this happened......

1. LLDB fails to attach

FunMaker-5:~ root# debugserver *:1234 -a "AMapiPhone"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process AMapiPhone...
Segmentation fault: 11

Clearly, AMap has anti-debugging protection. To defeat it, we first have to figure out which protection method it uses. Since ptrace is the only publicly known anti-debugging method, we naturally start with that.

2. Launching AMapiPhone with LLDB

FunMaker-5:~ root# debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/1C86F6A1-E50A-434E-B08E-C39C200EFA0A/AMapiPhone.app/AMapiPhone
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Listening to port 1234 for a connection from *...

(lldb) process connect connect://localhost:1234
Process 5171 stopped
* thread #1: tid = 0x1433, 0x1feb8000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x1feb8000 dyld`_dyld_start
dyld`_dyld_start:
-> 0x1feb8000:  mov    r8, sp
   0x1feb8004:  sub    sp, sp, #16
   0x1feb8008:  bic    sp, sp, #7
   0x1feb800c:  ldr    r3, [pc, #112] ; _dyld_start + 132

LLDB stops. Let's first "c" (continue) and see what happens:

(lldb) c
Process 5171 resuming
Process 5171 exited with status = 45 (0x0000002d) 

The process exits immediately, which further confirms that AMap contains anti-debugging functionality. Nothing more to discuss; let's see how to defeat this protection.

3. Set a breakpoint on ptrace to find where ptrace is called

According to this post, locating the ptrace call site is simple: just set a breakpoint on ptrace:

FunMaker-5:~ root# debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/1C86F6A1-E50A-434E-B08E-C39C200EFA0A/AMapiPhone.app/AMapiPhone
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
 for armv7.
Listening to port 1234 for a connection from *...
Got a connection, launched process /var/mobile/Containers/Bundle/Application/1C86F6A1-E50A-434E-B08E-C39C200EFA0A/AMapiPhone.app/AMapiPhone (pid = 678).

snakeninnysiMac:~ snakeninny$ /Applications/OldXcode.app/Contents/Developer/usr/bin/lldb 
(lldb) process connect connect://localhost:1234
Process 6907 stopped
* thread #1: tid = 0x1afb, 0x1fe54000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x1fe54000 dyld`_dyld_start
dyld`_dyld_start:
-> 0x1fe54000:  mov    r8, sp
   0x1fe54004:  sub    sp, sp, #16
   0x1fe54008:  bic    sp, sp, #7
   0x1fe5400c:  ldr    r3, [pc, #112] ; _dyld_start + 132
(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 6907 resuming
1 location added to breakpoint 1
Process 6907 stopped
* thread #1: tid = 0x1afb, 0x37031e64 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread, stop reason = breakpoint 1.1
    frame #0: 0x37031e64 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
-> 0x37031e64:  ldr    r12, [pc, #4] ; ptrace + 12

libsystem_kernel.dylib`ptrace + 4:
   0x37031e68:  ldr    r12, [pc, r12]
   0x37031e6c:  b      0x37031e74                ; ptrace + 16
   0x37031e70:  rsbeq  pc, r11, #48
(lldb) p/x $lr
(unsigned int) $0 = 0x000dbd19
(lldb) image list -o -f
  0] 0x000d1000 /private/var/mobile/Containers/Bundle/Application/1C86F6A1-E50A-434E-B08E-C39C200EFA0A/AMapiPhone.app/AMapiPhone(0x00000000000d5000)


So the caller of ptrace is located at 0xdbd19 - 0xd1000 = 0xAD19, as shown in the figure:

[image]

The meaning of this code is obvious: it calls ptrace dynamically to achieve anti-debugging. This code lies inside sub_ACF0, so let's look at the explicit callers of sub_ACF0:

[image]

There is only one, sub_AD24. Let's look at its implementation:

[image]

It is the main function. So AMap achieves anti-debugging by dynamically calling ptrace from its main function; you can study this for reference.

4. Killing sub_ACF0

According to this post, we can hook any function of the form sub_xxx that appears in IDA's Functions window. The core code of the tweak is as follows:

#import <Foundation/Foundation.h>
#import <substrate.h>
#import <mach-o/dyld.h>
#import <dlfcn.h>

// Pointer to the original sub_ACF0, filled in by MSHookFunction
void (*old_sub_ACF0)(void);

// Replacement for sub_ACF0: the original is never called, so ptrace is never reached
void new_sub_ACF0(void)
{
        // old_sub_ACF0();
        NSLog(@"iOSRE: anti-anti-debugging");
}

%ctor
{
        @autoreleasepool
        {
                // Image 0 is the main executable; 0xACF0 is the unslid address IDA shows.
                // Bit 0 is set because sub_ACF0 is Thumb code.
                unsigned long _sub_ACF0 = (_dyld_get_image_vmaddr_slide(0) + 0xACF0) | 0x1;
                if (_sub_ACF0) NSLog(@"iOSRE: Found sub_ACF0!");
                MSHookFunction((void *)_sub_ACF0, (void *)&new_sub_ACF0, (void **)&old_sub_ACF0);
        }
}
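The address arithmetic used in sections 3 and 4 (return address minus slide to find the caller in IDA, and slide plus IDA address with the Thumb bit to get the hook target), as an added Python helper that is not part of the original post. It parses the two LLDB output lines quoted above, reproduced here as constructed sample input, and only assumes the `image list -o -f` line format shown in this session.

```python
import re

# Constructed sample lines; the values mirror the LLDB session quoted in this post.
LR_LINE = "(unsigned int) $0 = 0x000dbd19"
IMAGE_LINE = ("  0] 0x000d1000 /private/var/mobile/Containers/Bundle/Application/"
              "1C86F6A1-E50A-434E-B08E-C39C200EFA0A/AMapiPhone.app/AMapiPhone"
              "(0x00000000000d5000)")

THUMB_BIT = 0x1  # bit 0 of an ARM address or return address flags Thumb state


def parse_register(line):
    """Extract the hex value printed by `p/x $lr` (e.g. 0xdbd19)."""
    m = re.search(r"=\s*(0x[0-9a-fA-F]+)", line)
    if m is None:
        raise ValueError("no register value in: %r" % line)
    return int(m.group(1), 16)


def parse_image_line(line):
    """Return (slide, load_address) from one `image list -o -f` line."""
    m = re.match(r"\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(.+?)\((0x[0-9a-fA-F]+)\)\s*$", line)
    if m is None:
        raise ValueError("unexpected image list line: %r" % line)
    return int(m.group(1), 16), int(m.group(3), 16)


def locate_caller(lr_line, image_line):
    """Translate the return address in $lr back to the unslid binary.
    Returns (raw, static): raw is lr - slide exactly as in the post (0xAD19);
    static clears the Thumb bit, the instruction address IDA shows (0xAD18)."""
    lr = parse_register(lr_line)
    slide, _load = parse_image_line(image_line)
    raw = lr - slide
    return raw, raw & ~THUMB_BIT


def hook_target(static_addr, slide, thumb=True):
    """Runtime address for MSHookFunction: slide + IDA address, with the Thumb
    bit set for Thumb functions (the tweak above does `... | 0x1`)."""
    addr = slide + static_addr
    return addr | THUMB_BIT if thumb else addr


if __name__ == "__main__":
    raw, static = locate_caller(LR_LINE, IMAGE_LINE)
    slide, load = parse_image_line(IMAGE_LINE)
    print("ptrace caller: 0x%X (instruction at 0x%X)" % (raw, static))
    print("preferred base 0x%X, hook sub_ACF0 at 0x%X" % (load - slide, hook_target(0xACF0, slide)))
```

Note that the low bit of $lr is the Thumb flag rather than part of the address, so the instruction that returns to 0xAD19 is the one at 0xAD18 in IDA; load address minus slide also gives the binary's preferred base, a quick sanity check that the right image was read.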

Compile, package and install the tweak, and let's see how dynamic debugging goes with this trick in place:

(lldb) process connect connect://localhost:1234
Process 10222 stopped
* thread #1: tid = 0x27ee, 0x1fea3000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x1fea3000 dyld`_dyld_start
dyld`_dyld_start:
-> 0x1fea3000:  mov    r8, sp
   0x1fea3004:  sub    sp, sp, #16
   0x1fea3008:  bic    sp, sp, #7
   0x1fea300c:  ldr    r3, [pc, #112] ; _dyld_start + 132
(lldb) c
Process 10222 resuming
(lldb) 2015-02-09 19:55:05.129 AMapiPhone[737:10222] iOSRE: Found sub_ACF0!
2015-02-09 19:55:05.478 AMapiPhone[737:10222] iOSRE: anti-anti-debugging
2015-02-09 19:55:06.598 AMapiPhone[737:10222] DiskCookieStorage changing policy from 2 to 0, cookie file: file:///private/var/mobile/Containers/Data/Application/6AE478A8-7838-4C33-B716-D2810ED78CB9/Library/Cookies/Cookies.binarycookies
2015-02-09 19:55:07.596 AMapiPhone[737:10222] reInit /var/mobile/Containers/Data/Application/6AE478A8-7838-4C33-B716-D2810ED78CB9/Documents/autonavi/data/cache/vmap4res/style-icons-upate-recorder.data
vmap_basedb_create-offline /var/mobile/Containers/Data/Application/6AE478A8-7838-4C33-B716-D2810ED78CB9/Documents/autonavi/data/vmap/


LLDB successfully got inside AMap. Mission accomplished~ let's start hacking!



Author: snakeninny

Original link: iosre.com/t/7-2-0-ios…
