Welcome to the iOS Reverse series.
- iOS reverse: RSA theory
- iOS reverse: hash theory
- iOS reverse: application re-signing + WeChat re-signing in practice
- iOS reverse: Shell scripts + script re-signing
- iOS reverse: code injection + Hook
- iOS reverse: Mach-O files
- iOS reverse: the dyld process
- iOS reverse: the HOOK principle of fishhook
- iOS reverse: LLDB debugging
Shell scripts
1. Definition
- The Shell is an interactive tool that gives users a way to launch programs, manage files in the file system, and manage the processes running on the system. "Shell" usually means a command-line interpreter: you type a text command, the shell interprets it, and asks the kernel to run the corresponding program
- A Shell script is a text file containing a sequence of such commands, written once and executed as a unit
2. Executing a script file from the terminal
1. Read and run the commands in FileName in the current shell environment
$ source FileName
- The sourced commands take effect in the current shell immediately (this is how shell configuration files are loaded)
- Every command in the file is executed regardless of the file's permissions: source only needs to read the file, not execute it
2. Create a subshell and execute the commands in it
$ bash FileName
$ zsh FileName
- Again the file only needs to be readable; variables and directory changes made by the script do not affect the calling shell
3. Execute the file directly; the script must have the executable permission, and its shebang line (for example #!/bin/bash) selects the interpreter
$ ./FileName
3. The /usr/local/bin directory
This directory is for users' own executable programs, and it is on PATH by default, so scripts placed here (remember to add the executable permission) can be run from any directory by name, just like ls or pwd. Because anything in a PATH directory runs by name, keep this directory writable only by an administrator.
2. Users, groups, and permissions
Unix and Linux are multi-user, multi-tasking systems, so the concepts of users and groups are built in. Accordingly, every file has an owning user and an owning group, and its permissions are defined relative to them
1. Mac file attributes
View the permissions of the files in the current directory with ls -l
$ ls -l
2. File types and permissions
- File type (the first character of the ls -l listing); the common ones are:
- [d]: directory
- [-]: regular file
- File permissions:
- [r]: read [w]: write [x]: execute
- Note: the order of these three is fixed, always rwx; a minus sign [-] in a position means that permission is absent
- The full permission string of a file is divided into three groups of three:
- Group 1: permissions of the file owner
- Group 2: permissions of other users in the file's group
- Group 3: permissions of users who are in neither
3. Modifying permissions
File permissions are changed with the chmod command, which accepts two notations: numeric and symbolic
- The three identities: [user] [group] [other]
- The three permissions: [read] [write] [execute], weighted r: 4, w: 2, x: 1
1. Numeric notation
- Each permission has a number: r: 4, w: 2, x: 1; the digit for an identity is the sum of the permissions it holds
- For a file with permissions [-rwxr-xr-x]:
- User: 4+2+1 = 7
- Group: 4+0+1 = 5
- Other: 4+0+1 = 5
- Command: chmod 755 FileName
2. Symbolic notation: chmod [u, g, o, a] [+ (add) / - (remove) / = (set exactly)] [r, w, x] FileName
- Remove the group's write permission: chmod g-w 123.txt
- Add the executable permission for all identities (the identity defaults to a): chmod +x 123.txt
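The 755 calculation above is one instance of a general mapping from the rwx string ls -l prints to the digits chmod takes. The block below is an added example, not code from the original post: it implements that mapping for any 9-character permission field, then applies numeric and symbolic chmod to a scratch file and reads the result back through ls -l. The function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the original post: converts the rwxrwxrwx field that
# ls -l prints into the digits chmod takes, then checks the mapping against a
# real file by applying chmod in numeric and symbolic form and reading it back.

# perm_to_octal rwxr-xr-x  ->  755
# Each triplet (user, group, other) is scored r=4, w=2, x=1 and summed.
perm_to_octal() {
  local s=$1 digits="" start triplet n
  for start in 1 4 7; do
    triplet=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
    n=0
    case $triplet in r??) n=$((n + 4)) ;; esac
    case $triplet in ?w?) n=$((n + 2)) ;; esac
    # s/t mean setuid/setgid/sticky with the execute bit also set
    case $triplet in ??[xst]) n=$((n + 1)) ;; esac
    digits="$digits$n"
  done
  printf '%s\n' "$digits"
}

# mode_of FILE  ->  the 9-character permission field of `ls -l FILE`
# (column 1 is the file type, columns 2-10 are the three rwx groups).
mode_of() {
  ls -ld "$1" | cut -c2-10
}

# Apply numeric and symbolic chmod to a scratch file and report what ls shows.
demo_chmod() {
  local f
  f=$(mktemp "${TMPDIR:-/tmp}/perm.XXXXXX")
  chmod 664 "$f"          # numeric: rw-rw-r--
  echo "chmod 664  -> $(mode_of "$f") = $(perm_to_octal "$(mode_of "$f")")"
  chmod g-w "$f"          # symbolic: drop the group's write bit -> 644
  echo "chmod g-w  -> $(mode_of "$f") = $(perm_to_octal "$(mode_of "$f")")"
  chmod a+x "$f"          # symbolic: execute for everyone -> 755
  echo "chmod a+x  -> $(mode_of "$f") = $(perm_to_octal "$(mode_of "$f")")"
  rm -f "$f"
}
demo_chmod
```

The demo spells out a+x rather than the bare +x from the text: without an explicit identity, chmod applies the umask, so +x can yield 744 on a system with umask 077.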
Now that you have a basic understanding of the Shell, let's get to today's topic
Script re-signing
Script re-signing builds on application re-signing and on the Shell scripting above: the manual re-signing steps are put into a script that Xcode runs as a build phase
1. Create any project in Xcode and find the place to add the script (Build Phases, then add a Run Script phase)
2. Prepare the resource folder
Create an APP folder in the project directory and place the decrypted IPA package dumped from the jailbroken device in it
3.1 Writing the script
Copy the script below into the Run Script phase
# ${SRCROOT} is the directory containing the project file
TEMP_PATH="${SRCROOT}/Temp"
# The APP folder we created under the project directory in advance, holding the IPA package
ASSETS_PATH="${SRCROOT}/APP"
# Path of the target IPA package
TARGET_IPA_PATH="${ASSETS_PATH}/*.ipa"
# Clear the Temp folder
rm -rf "${SRCROOT}/Temp"
mkdir -p "${SRCROOT}/Temp"
# ----------------------------------------------------------------------
# 1. Unzip the IPA into Temp (unzip expands the *.ipa wildcard itself)
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# Get the path of the unzipped temporary .app
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app; echo "$1")
echo "TEMP_APP_PATH: $TEMP_APP_PATH"
# ----------------------------------------------------------------------
# 2. Copy the extracted .app into the project's build output
# BUILT_PRODUCTS_DIR: path where the project's .app is generated
# TARGET_NAME: the target name
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "App path: $TARGET_APP_PATH"
rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"
# ----------------------------------------------------------------------
# 3. Delete app extensions and the Watch app: a personal certificate cannot sign Extensions
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"
# ----------------------------------------------------------------------
# 4. Update CFBundleIdentifier in Info.plist to the project's bundle ID
# PlistBuddy syntax: "Set :KEY Value"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"
# ----------------------------------------------------------------------
# 5. Grant execute permission to the Mach-O executable
# Read the executable name (CFBundleExecutable, e.g. WeChat) from Info.plist
APP_BINARY=$(/usr/libexec/PlistBuddy -c "Print :CFBundleExecutable" "$TARGET_APP_PATH/Info.plist")
# Add the execute permission
chmod +x "$TARGET_APP_PATH/$APP_BINARY"
# ----------------------------------------------------------------------
# 6. Re-sign the third-party Frameworks
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ];
then
for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*
do
# Sign each framework with the identity Xcode selected for this target
/usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
done
fi
# Injection: yololib adds a load command for the dylib to inject (left commented out here)
#yololib "$TARGET_APP_PATH/$APP_BINARY" "Frameworks/XXXX.framework/XXXX"
3.2 Or write it as a script file
Put the script from 3.1 into a file
$ vi app.sh
Save it in the project root directory (${SRCROOT}) and make the Run Script phase contain only the following; the explicit ${SRCROOT} path avoids depending on the phase's working directory
chmod +x "${SRCROOT}/app.sh"
"${SRCROOT}/app.sh"
4. Run
Connect your phone and press Command+R: Xcode builds the project, the script replaces the build product with the re-signed app from the IPA, and the app is installed on the phone
Of course, just as with manual re-signing, an app installed this way can also be attached to and debugged from Xcode
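Before trusting the re-signed bundle, it is worth confirming that every nested piece of code verifies and that the signature really carries the project's bundle ID and team. The block below is an added example, not part of the original post or the course script: parse_codesign_info, check_signature_identity and verify_resigned_app are the example's own functions, the codesign text is a constructed sample with placeholder values (com.example.resign, ABCDE12345), and DEVELOPMENT_TEAM is assumed to be the Xcode build setting of that name. The real codesign commands only run when codesign exists and a bundle path is passed.

```shell
#!/bin/bash
# Added example, not part of the original post: checks to run once the script
# above has produced the re-signed .app, before trusting it on a device.
# The codesign text below is a constructed sample (placeholder bundle ID and
# team) so that the parsing part runs on any machine; the real commands are
# only invoked when codesign exists and a bundle path is given.

# Read `codesign -dvv` output from stdin; print "<Identifier> <TeamIdentifier>".
parse_codesign_info() {
  local id="" team="" line
  while IFS= read -r line; do
    case $line in
      Identifier=*)     id=${line#Identifier=} ;;
      TeamIdentifier=*) team=${line#TeamIdentifier=} ;;
    esac
  done
  printf '%s %s\n' "$id" "$team"
}

# Succeed only if the signature carries the bundle ID and team we expect.
# $1: codesign -dvv text, $2: expected CFBundleIdentifier, $3: expected team ID
check_signature_identity() {
  local got
  got=$(printf '%s\n' "$1" | parse_codesign_info)
  [ "$got" = "$2 $3" ]
}

# Constructed sample of `codesign -dvv Demo.app 2>&1` after a re-sign with a
# development certificate. A wrong Identifier here usually means step 4
# (PlistBuddy Set :CFBundleIdentifier) ran against the wrong Info.plist.
SAMPLE_CODESIGN_OUTPUT='Executable=/tmp/Payload/Demo.app/Demo
Identifier=com.example.resign
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Apple Development: Example Developer (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=10 files=42'

# On a Mac: verify_resigned_app <path/to/App.app> <bundle id> <team id>
# e.g. at the end of the Run Script phase:
#   verify_resigned_app "$TARGET_APP_PATH" "$PRODUCT_BUNDLE_IDENTIFIER" "$DEVELOPMENT_TEAM"
verify_resigned_app() {
  local app=$1 expect_id=$2 expect_team=$3 info
  # Whole-bundle integrity check, descending into Frameworks/; fails on any
  # nested code that is unsigned or modified since it was signed.
  codesign --verify --deep --strict "$app" || return 1
  info=$(codesign -dvv "$app" 2>&1)
  check_signature_identity "$info" "$expect_id" "$expect_team"
}

if command -v codesign >/dev/null 2>&1 && [ $# -eq 3 ]; then
  verify_resigned_app "$1" "$2" "$3" && echo "signature OK"
elif check_signature_identity "$SAMPLE_CODESIGN_OUTPUT" com.example.resign ABCDE12345; then
  echo "sample output: Identifier and TeamIdentifier match"
fi
```

The Authority lines in the same output tell you which certificate actually signed the bundle; if they still name the original vendor rather than your development certificate, the codesign step never ran on that file.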