Preface

This article continues the basics of reverse-engineering preparation 👉 application re-signing. The concepts are introduced first, then the process is worked through by hand with the tools, and finally a script is used to automate re-signing, with examples throughout.

1. Re-signing

In brief, code signing is a security mechanism from Apple: iOS only executes an app whose signature is valid.

1.1 What re-signing is

Re-signing means taking an existing app and replacing its original signature with your own.

1.2 Why re-sign

  1. You have no source code, but you have modified an app's resources (for example its launch image or icon). After the modification, the app must be signed again and then compressed into an IPA file before it can be used normally.
  2. You want an app that Apple does not review: released on an HTTPS server, installable without jailbreaking and with no limit on the number of devices. For that you replace the personal developer signature with an enterprise (in-house) certificate signature and then release it OTA.
  3. An app built by one developer needs to be uploaded to the App Store by another developer. The uploaded IPA package is the re-signed package.
  4. An app whose signature has expired or is invalid must be signed again before it can be used normally.

2. Re-signing tool: codesign

codesign is installed together with Xcode, and Xcode itself uses this tool to complete the signing. The signed contents include 👇

  1. Resource files
  2. Mach-O files
  3. Frameworks
  4. Others

2.1 Terminal commands

Before re-signing with codesign, let's look at the terminal commands involved in signing 👇

1. View signature information

codesign -vv -d xxx.app

2. List the certificates in your keychain that can sign code

security find-identity -v -p codesigning

3. Use otool to analyse the Mach-O file and export the information to a file

otool -l xxx > ~/Desktop/machoMessage.txt

cryptid 0 means the binary is not encrypted (that is, it has already been decrypted/dumped); any other value means it is still encrypted.

You can also filter the output directly to see whether it has been decrypted 👇

otool -l xxx | grep cryptid

4. Forcibly replace the signature

codesign -fs <certificate string> <file name>

codesign -fs "Apple Development: [email protected] (9AN9M5S786)" andromeda.framework

5. Add execute permission to a file

chmod +x <executable file>

6. View the provisioning profile

security cms -D -i ../embedded.mobileprovision

7. Sign the Mach-O

codesign -fs "<certificate string>" --no-strict --entitlements=<entitlements plist> <app package>

8. Compress the input files into an output file

zip -ry <output file> <input files>

2.2 Re-signing with the codesign command

Take WeChat 7.0.8 as an example: re-sign it with a free developer account and install it on a non-jailbroken phone. (The WeChat 7.0.8 IPA package is attached at the end of the article.)

1. Unzip the .ipa package, find the .app inside Payload, right-click it and choose Show Package Contents.

To unzip it, change the suffix from .ipa to .zip.

⚠️ Since a free certificate cannot sign PlugIns and Watch, delete these two folders directly.

2. Sign the frameworks

Sign the frameworks in the Frameworks directory one by one (using your own free certificate) 👇

codesign -fs "Apple Development: [email protected] (9AN9M5S786)" andromeda.framework

3. Make sure the app's Mach-O file has execute permission

ls -l WeChat    # run inside WeChat.app

4. Obtain the provisioning profile of the free account

Create an empty project with the free account, then build and run it on a real device to obtain the provisioning profile.

Trust the profile on the phone under Settings – General – Profiles.

Then copy the obtained profile (embedded.mobileprovision) into the WeChat.app package.

5. Modify the bundle id

Find WeChat's Info.plist and change its BundleId to the BundleId of the profile we generated.

6. Get the entitlements from the profile

security cms -D -i embedded.mobileprovision

Find the Entitlements dict in the output 👇

<dict>
	<key>application-identifier</key>
	<string>J7C267M8SE.com.xl.-XFAlgorithmPrj.testWeChat</string>
	<key>keychain-access-groups</key>
	<array>
		<string>J7C267M8SE.*</string>
	</array>
	<key>get-task-allow</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>J7C267M8SE</string>
</dict>

Then create an entitlements.plist file and paste the entitlements content into it.

Copy the entitlements file (entitlements.plist) into the same directory as Payload and WeChat.app.

7. Sign WeChat

codesign -fs "Apple Development: [email protected] (9AN9M5S786)" --no-strict --entitlements=entitlements.plist WeChat.app

Then check the signature information of WeChat.app: it has been replaced.

Now install the WeChat.app package onto the phone through Xcode; it should install normally.

Then use Debug -> Attach to Process -> WeChat to debug WeChat.

⚠️ Note: do not log in to the re-signed WeChat with your everyday account (it may be banned).
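Steps 5 and 6 above, as an added example that is not the article's own code: it cuts the Entitlements dict out of a decoded provisioning profile (the XML that security cms -D prints on macOS) into an entitlements.plist, and checks that the BundleId you wrote into Info.plist is actually covered by the profile's application-identifier, which is the usual reason a re-signed app refuses to install. The profile text is a constructed sample; TEAMID0000 and the bundle ids are placeholders.

```shell
#!/bin/sh
# Added example, not the article's code. Input: the XML that `security cms -D -i
# embedded.mobileprovision` prints. Constructed sample profile; TEAMID0000 is a placeholder.
PROFILE_XML=$(mktemp)
cat > "$PROFILE_XML" <<'EOF'
<plist version="1.0">
<dict>
	<key>Entitlements</key>
	<dict>
		<key>application-identifier</key>
		<string>TEAMID0000.com.example.testWeChat</string>
		<key>get-task-allow</key>
		<true/>
	</dict>
	<key>ProvisionedDevices</key>
	<array>
		<string>DEVICE-UDID-PLACEHOLDER</string>
	</array>
</dict>
</plist>
EOF

# Step 6: keep only the <dict> that follows <key>Entitlements</key> (nesting-aware,
# so dicts nested inside it survive) and wrap it as a standalone entitlements.plist.
extract_entitlements() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
    awk '/<key>Entitlements<\/key>/ { grab = 1; next }
         grab { print
                depth += gsub(/<dict>/, "&") - gsub(/<\/dict>/, "&")
                if (depth > 0) seen = 1
                if (seen && depth == 0) exit }' "$1"
    printf '</plist>\n'
}

# Step 5 check: the CFBundleIdentifier written into Info.plist must be what the profile
# allows, either TEAMID.<bundle id> exactly or the wildcard TEAMID.*. Returns 0 if allowed.
bundle_id_allowed() {
    appid=$(awk '/<key>application-identifier<\/key>/ { getline; print }' "$1" |
            sed 's/.*<string>\(.*\)<\/string>.*/\1/')
    case "${appid#*.}" in
        '*' | "$2") return 0 ;;
        *) return 1 ;;
    esac
}

ENT_PLIST=$(mktemp)
extract_entitlements "$PROFILE_XML" > "$ENT_PLIST"
bundle_id_allowed "$ENT_PLIST" com.example.testWeChat && echo "bundle id is covered by the profile"
```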

Summary

The re-signing steps above 👇

  1. Remove the plug-ins from the .app package
    • the PlugIns and Watch folders
  2. Re-sign the libraries in the Frameworks folder
  3. Give the executable +x (execute) permission
    • chmod +x WeChat
  4. Add the provisioning profile
    • create an empty project and run it on a real device, which installs the profile on the phone
    • trust the profile in the system Settings
  5. Replace the BundleId in WeChat.app's Info.plist (it must match the BundleId in the profile)
  6. Re-sign the .app package with the entitlements
    • security cms -D -i embedded.mobileprovision gets the entitlements from the profile
    • create an entitlements.plist file and paste the entitlements dict into it
    • sign the app package with the entitlements file: codesign -fs "Apple Development: [email protected] (xxxxxxxxxx)" --no-strict --entitlements=entitlements.plist WeChat.app
  7. Install WeChat.app with Xcode, then Debug -> Attach to Process -> WeChat to debug WeChat.

And you're done! 🍺🍺🍺

3. Debugging third-party apps with an Xcode re-sign

Above we debugged WeChat by attaching to its process. Can we debug it directly, the way we normally debug our own projects? Of course we can! See the steps below 👇

  1. Create a new project with the same name as WeChat (WeChat)
  2. Run the empty project on a real device
  3. Unzip the WeChat .ipa package and delete the Watch and PlugIns folders
  4. Re-sign the frameworks
  5. Modify the BundleId
  6. Replace the WeChat.app in the empty project's Products directory with the modified WeChat.app
  7. Run

At this point there is already a WeChat.app in the project's Products directory, so Xcode considers it built and uses it directly. You can now debug without attaching.

⚠️ Note: on some systems the re-signed WeChat shows a black screen. Re-signing with a script is recommended.

4. Shell scripts

The shell is a special interactive tool that gives users a way to launch programs, manage files in the file system and manage the processes running on the system. "Shell" generally refers to a command-line tool: you enter a text command, and the shell interprets it and has the kernel execute it. A shell script is a text file containing a series of commands that are executed in one go. The most commonly used related commands are 👇

4.1 Switching shells

chsh -s /bin/zsh

4.2 Ways of executing a script

Start by creating a shell script file shell.sh and entering the terminal commands 👇

You can also create a .txt file and change its suffix to .sh

mkdir shell1
cd shell1
touch test.txt

  1. bash FileName, zsh FileName
    • What it does: creates a new subshell (process) and executes the statements of the script in that subshell. The current environment is not changed.
  2. source FileName
    • What it does: reads and executes the commands in FileName in the current shell environment.
    • Features: the script takes effect on the current environment immediately (typically used to load configuration files), and every command in it is run regardless of the file's permissions.
  3. ./FileName
    • What it does: reads and executes the commands in the file, but the script file must have execute permission.

4.3 macOS shell types

cd /private/etc
cat shells

  • bash 👉 the default macOS shell on older systems; newer systems have switched to zsh.
  • csh 👉 replaced by tcsh
  • dash 👉 much smaller and more efficient than bash
  • ksh 👉 compatible with bash
  • sh 👉 replaced by bash
  • tcsh 👉 integrates csh and provides more features
  • zsh 👉 replaced bash

5. User groups & file permissions

Above we gave the script execute permission with chmod +x shell.sh.

Unix, Linux and macOS are multi-user, multi-tasking systems (unlike Windows), so the concepts of users and groups are built in, and correspondingly every file has an owning user and an owning group 👇

5.1 Mac file properties

On a Mac, run ls -l to view the properties of all files in the current directory, for example 👇

The leftmost column is [permissions]; to its right come [links] [owner] [group] [file size] [last modified date] [file name].

5.2 Permissions

The permission string has 10 characters 👇

  • Character 1: the file type, d or -
    • d 👉 directory
    • - 👉 file
  • The remaining 9 characters: the file permissions
    • [r] 👉 read
    • [w] 👉 write
    • [x] 👉 execute

⚠️ The positions of the three permissions are fixed and always in the order rwx. A - in a position means that permission is absent.

  • The full permissions of a file are divided into three groups:
    • first group 👉 permissions of the file owner
    • second group 👉 permissions of the other users in the file's group
    • third group 👉 permissions of users not in that group

5.3 chmod

  1. File permissions are changed with the chmod command.
  2. There are two ways of setting them 👉 numeric mode and symbolic mode.
  3. File permissions break down into 👇
    • three identities 👉 [user] [group] [other]
    • three permissions 👉 [read] [write] [execute]

5.3.1 Numeric mode

Each permission maps to a number: r:4 (0100), w:2 (0010), x:1 (0001). The advantage of this design is that the values can be combined with a bitwise OR, just like bit-shifted enumerations in our own development.

For example, if a file's permissions are -rwxr-xr-x 👇 user 👉 4+2+1 = 7, group 👉 4+0+1 = 5, other 👉 4+0+1 = 5, so the command is 👉 chmod 755 <file name>

The table of numbers and their permissions 👇

Where 0 means no permission.

5.3.2 Symbolic mode

chmod [u (user), g (group), o (other), a (all)] [+ (add), - (remove), = (set)] [r, w, x] <file name>

For example 👇

chmod a+x test.txt

If no identity is given, the default is a (all).
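The numeric mapping of 5.3.1 and the symbolic grammar of 5.3.2, as an added example (not the article's code): one function turns the permission column of ls -l into the octal number you would pass to chmod, and the other applies a u/g/o/a +/-/= change to an octal mode, so a re-signing script can check whether the Mach-O already has +x and predict what a chmod will produce. Both functions are hypothetical helpers written for this article; mode_to_octal also treats s and t as executable.

```shell
#!/bin/sh
# Added example, not the article's code: r=4 w=2 x=1 (5.3.1) and u/g/o/a +/-/= (5.3.2)
# implemented on the text ls -l prints. Helper names are hypothetical.

# "-rwxr-xr-x" (first column of ls -l) -> 755
mode_to_octal() {
    perms=${1#?}                                      # drop the type character (d or -)
    result=
    for group in "$(printf %.3s "$perms")" \
                 "$(printf %.3s "${perms#???}")" \
                 "${perms#??????}"; do                 # owner, group, other
        n=0
        case $group in r??*) n=$((n + 4)) ;; esac     # read    = 4
        case $group in ?w?*) n=$((n + 2)) ;; esac     # write   = 2
        case $group in ??[xst]*) n=$((n + 1)) ;; esac # execute = 1 (s/t imply x)
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# Apply one symbolic change such as "a+x", "go-w" or "u=rw" to an octal mode
# and print the resulting octal mode: apply_symbolic 644 a+x -> 755
apply_symbolic() {
    mode=$((0$1))                    # leading 0: read the argument as octal
    who=${2%%[+=-]*}                 # u, g, o, a or empty (empty means a)
    rest=${2#"$who"}
    op=$(printf %.1s "$rest")        # +, - or =
    perms=${rest#?}                  # any of r, w, x
    bits=0
    case $perms in *r*) bits=$((bits | 4)) ;; esac
    case $perms in *w*) bits=$((bits | 2)) ;; esac
    case $perms in *x*) bits=$((bits | 1)) ;; esac
    mask=0                           # which of the three groups are affected
    case ${who:-a} in *u*|a) mask=$((mask | 0700)) ;; esac
    case ${who:-a} in *g*|a) mask=$((mask | 070)) ;; esac
    case ${who:-a} in *o*|a) mask=$((mask | 07)) ;; esac
    bits=$(((bits * 0111) & mask))   # copy the 3-bit group to u, g, o; keep selected groups
    case $op in
        +) mode=$((mode | bits)) ;;
        -) mode=$((mode & ~bits)) ;;
        =) mode=$(((mode & ~mask) | bits)) ;;
    esac
    printf '%03o\n' "$mode"
}

mode_to_octal -rwxr-xr-x     # 755
apply_symbolic 644 a+x       # 755
```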

6. Automatic re-signing with a shell script

The script follows the same logic as the manual codesign steps. The full script 👇

# Temporary directory used for unpacking
TEMP_PATH="${SRCROOT}/Temp"
# Directory that holds the ipa to re-sign
ASSETS_PATH="${SRCROOT}/APP"
# Target ipa package path
TARGET_IPA_PATH="${ASSETS_PATH}/*.ipa"
# Clear the temporary directory
rm -rf "$TEMP_PATH"
mkdir -p "$TEMP_PATH"

# 1. Unzip the ipa into the temporary directory
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# Retrieve the temporary app path
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app; echo "$1")

# 2. Copy the unpacked app into the project's build products directory
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "app path:$TARGET_APP_PATH"
rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"

# 3. Delete the extensions and watch app that the free certificate cannot sign
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"

# 4. Update CFBundleIdentifier in Info.plist
# Syntax: "Set :KEY Value" "target file path"; PlistBuddy ships with macOS
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"
/usr/libexec/PlistBuddy -c "Delete :UISupportedDevices" "$TARGET_APP_PATH/Info.plist"

# 5. Give the Mach-O file execute permission
# Find the Mach-O file name (CFBundleExecutable)
APP_BINARY=$(plutil -convert xml1 -o - "$TARGET_APP_PATH/Info.plist" | grep -A1 Exec | tail -n1 | cut -f2 -d\> | cut -f1 -d\<)
chmod +x "$TARGET_APP_PATH/$APP_BINARY"

# 6. Re-sign every framework in Frameworks
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ]; then
    for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*
    do
        # --force --sign is the long form of -fs
        /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
    done
fi

Usage

  1. Create an empty project (e.g. shellTestWeChat), then build and run it once on a real device (trust the certificate).
  2. Copy the appResign.sh script into the project root directory (it must have execute permission).
  3. Create an APP folder in the project root directory and copy WeChat.ipa into it.
  4. Configure the project to run the script (the script relies on Xcode build variables such as ${SRCROOT}, $BUILT_PRODUCTS_DIR and $EXPANDED_CODE_SIGN_IDENTITY).
  5. Run the project.

PS: how to debug an arbitrary app?

1. Obtain the corresponding IPA package

Dump the IPA package from a jailbroken phone 👇

To download an old IPA package, grab the download link in iTunes and change the version number (the suffix of the link is the app version; just change it).

2. Decrypting the binary (shell cracking)

After decrypting, you also need to delete the UISupportedDevices key from Info.plist, because the genuine package was dumped on a jailbroken phone. Of course you can also do this in the script 👇

/usr/libexec/PlistBuddy -c "Delete :UISupportedDevices" "$TARGET_APP_PATH/Info.plist"

Save the deletion and repackage the IPA 👇

zip -ry WeChat1.ipa Payload/

Conclusion

Re-signing an application can be called the first step of reverse-engineering preparation. I hope you follow the order of this article and practise each step yourself; as the saying goes, practice is the only criterion for testing truth, and that matters a lot!

  • codesign re-signing
    • delete the files that cannot be signed: PlugIns and Watch (including extensions)
    • re-sign the libraries in Frameworks
    • add execute permission to the Mach-O
    • modify the Info.plist file (BundleID)
    • copy the provisioning profile (it must be trusted on the real iOS device)
    • sign the whole app package with the entitlements file taken from the profile
  • Xcode re-signing
    • delete the files that cannot be signed: PlugIns and Watch (including extensions)
    • re-sign the libraries in Frameworks
    • add execute permission to the Mach-O
    • modify the Info.plist file (BundleID)
    • copy the provisioning profile (it must be trusted on the real iOS device)
    • copy the app package into the Xcode project directory (and leave the rest to Xcode)
  • Shell scripts
    • switch shell
      • $ chsh -s <shell path>
      • the default shell on macOS is now zsh (earlier bash)
    • configuration file
      • zsh 👉 .zshrc
      • bash 👉 .bash_profile
    • file permissions & user groups
      • every file has its own user, group and others
      • file permissions
        • ownership 👉 user, group and others
        • permissions 👉 write, read and execute
      • changing permissions with chmod
        • numbers: r:4 w:2 x:1
        • chmod 751 <file name>
          • user 👉 4 + 2 + 1 = 7
          • group 👉 4 + 0 + 1 = 5
          • other 👉 0 + 0 + 1 = 1
        • characters
          • ownership 👉 u (user) g (group) o (other) a (all)
          • + (add) - (remove) = (set)
          • default a 👉 chmod +x