通过在 Xcode 里的 Other Linker Flags 设置参数,可以防止App被注入dylib(仅限于iOS 10 以下系统) 比如,某艺,XX音乐等
dylib无法注入,也就意味着没办法用cycript动态调试App,只能干瞪眼
Other Linker Flags 参数
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
通过阅读dyld源代码,我们可以得知其大概原理
static ImageLoader* loadPhase3(const char* path, const char* orgPath, const LoadContext& context, std::vector<const char*>* exceptions) { ImageLoader* image = NULL; if ( strncmp(path, "@executable_path/", 17) == 0 ) { // executable_path cannot be in used in any binary in a setuid process rdar://problem/4589305 if ( sProcessIsRestricted ) throwf("unsafe use of @executable_path in %s with restricted binary", context.origin); } else if ( (strncmp(path, "@loader_path/", 13) == 0) && (context.origin != NULL) ) { // @loader_path cannot be used from the main executable of a setuid process rdar://problem/4589305 if ( sProcessIsRestricted && (strcmp(context.origin, sExecPath) == 0) ) throwf("unsafe use of @loader_path in %s with restricted binary", context.origin); } else if (sProcessIsRestricted && (path[0] != '/' )) { throwf("unsafe use of relative rpath %s in %s with restricted binary", path, context.origin); } return loadPhase4(path, orgPath, context, exceptions); }
当dylib加载路径是以 @executable_path、@loader_path 或者不是以 '/'开头,则会抛出异常使进程结束。
针对以上情况,分享一个修改__RESTRICT命令的工具,原理是将Mach-O文件中的 RESTRICT命令改为 SESTRICT,使该命令因为无法识别而失效。
使用
./AAntiCrack --replace-restrict <应用可执行文件mach-o>
此工具还有注入dylib功能,将dylib与mach-o放在同一目录下,然后执行
./AAntiCrack --replace-restrict -i dylib路径 <应用可执行文件mach-o>
即可实现动态库注入,与反反注入
相关链接: