判断是否能打开越狱软件
利用URL Scheme来查看是否能够代开比如cydia这些越狱软件
//Check cydia URL hook canOpenURL 来绕过 if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]) { return YES; } if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) { return YES; }
frida-trace -U -f 包名 -m "+[NSURL URLWithString:]"
包名 可以用 frida-ps -Ua来查看, 然后更改生成的js路径脚本
{ onEnter(log, args, state) {var URLName = ObjC.Object(args[2]);if(URLName.containsString_) {if(URLName.containsString_("http://") || URLName.containsString_("https://") || URLName.containsString_("file://")) {} else {if(URLName.containsString_("://")) {log(`+[NSURL URLWithString:]` + URLName);args[2] = ObjC.classes.NSString.stringWithString_("xxxxxx://");}}} }, onLeave(log, retval, state) { }}
判断是否可以访问一些越狱的文件
越狱后会产生额外的文件,通过判断是否存在这些文件来判断是否越狱了,可以用fopen和FileManager两个不同的方法去获取
BOOL fileExist(NSString* path){ NSFileManager *fileManager = [NSFileManager defaultManager]; BOOL isDirectory = NO; if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){ return YES; } return NO;}BOOL directoryExist(NSString* path){ NSFileManager *fileManager = [NSFileManager defaultManager]; BOOL isDirectory = YES; if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){ return YES; } return NO;}BOOL canOpen(NSString* path){ FILE *file = fopen([path UTF8String], "r"); if(file==nil){ return fileExist(path) || directoryExist(path); } fclose(file); return YES;}
NSArray* checks = [[NSArray alloc] initWithObjects:@"/Application/Cydia.app", @"/Library/MobileSubstrate/MobileSubstrate.dylib", @"/bin/bash", @"/usr/sbin/sshd", @"/etc/apt", @"/usr/bin/ssh", @"/private/var/lib/apt", @"/private/var/lib/cydia", @"/private/var/tmp/cydia.log", @"/Applications/WinterBoard.app", @"/var/lib/cydia", @"/private/etc/dpkg/origins/debian", @"/bin.sh", @"/private/etc/apt", @"/etc/ssh/sshd_config", @"/private/etc/ssh/sshd_config", @"/Applications/SBSetttings.app", @"/private/var/mobileLibrary/SBSettingsThemes/", @"/private/var/stash", @"/usr/libexec/sftp-server", @"/usr/libexec/cydia/", @"/usr/sbin/frida-server", @"/usr/bin/cycript", @"/usr/local/bin/cycript", @"/usr/lib/libcycript.dylib", @"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", @"/System/Library/LaunchDaemons/com.ikey.bbot.plist", @"/Applications/FakeCarrier.app", @"/Library/MobileSubstrate/DynamicLibraries/Veency.plist", @"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", @"/usr/libexec/ssh-keysign", @"/usr/libexec/sftp-server", @"/Applications/blackra1n.app", @"/Applications/IntelliScreen.app", @"/Applications/Snoop-itConfig.app" @"/var/lib/dpkg/info", nil]; //Check installed app for(NSString* check in checks) { if(canOpen(check)) { return YES; } }
frida-trace -U -f 包名 -m "-[NSFileManager fileExistsAtPath:]"
{ onEnter(log, args, state) {var fileName = ObjC.Object(args[2]);if(fileName.containsString_) {if(fileName.containsString_("apt") || fileName.containsString_("MobileSubstrate") || fileName.containsString_("Cydia") || fileName.containsString_("bash") || fileName.containsString_("ssh") || fileName.containsString_("/bin/sh") || fileName.containsString_("Applications") || fileName.containsString_("/bin/su") || fileName.containsString_("dpkg") ) {console.log('fileExistsAtPath called from:\n' +Thread.backtrace(this.context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join('\n') + '\n'); args[2] = ObjC.classes.NSString.stringWithString_("/xxxxxx"); log(`-[NSFileManager fileExistsAtPath: ${fileName}`); }}//log(`-[NSFileManager fileExistsAtPath: ${fileName}`); }, onLeave(log, retval, state) { }}
关键词检测 :JailBroken 及 JailBreak 等;
使用frida脚本简单干掉:
在启动就注入进去, -f是通过spawn,也就是重启apk注入js
frida -U -f 包名 --no-pause -l 过越狱检测.js
//越狱检测- 简单先将返回1的Nop掉var resolver = new ApiResolver('objc');resolver.enumerateMatches('*[* *Jailb*]', { onMatch: function (match) { let funcName = match.name; let funcAddr = match.address; Interceptor.attach(ptr(funcAddr), { onEnter: function (args) { }, onLeave: function (retval) { if (retval.toInt32() === 1) { retval.replace(0); } console.log(funcName, retval); } }); }, onComplete: function () { }});resolver.enumerateMatches('*[* *JailB*]', { onMatch: function (match) { let funcName = match.name; let funcAddr = match.address; Interceptor.attach(ptr(funcAddr), { onEnter: function (args) { }, onLeave: function (retval) { if (retval.toInt32() === 1) { retval.replace(0); } console.log(funcName, retval); } }); }, onComplete: function () { }});resolver.enumerateMatches('*[* *jailB*]', { onMatch: function (match) { let funcName = match.name; let funcAddr = match.address; Interceptor.attach(ptr(funcAddr), { onEnter: function (args) { }, onLeave: function (retval) { if (retval.toInt32() === 1) { retval.replace(0); } console.log(funcName, retval); } }); }, onComplete: function () { }});
来源地址:https://blog.csdn.net/qq_41369057/article/details/131412976