After understanding iOS app signing, we saw that Apple uses the signature to verify that our certificate is allowed to sign our app. So can we use our certificate to sign someone else's app? In theory, as long as we hold the certificate we can sign any app with it, so yes, we can re-sign other people's apps with our own certificate.

1. Who actually signs the app?

We usually develop with Xcode and never pay much attention to this step. In fact the signing is done by the codesign tool that ships with macOS; Xcode simply runs it for us.

2. Preparation

First we need a decrypted ("shell-cracked") app, i.e. one whose App Store encryption has already been removed, such as the jailbreak build of WeChat that can be downloaded from PP Assistant. Run otool -l WeChat | grep cry on the WeChat binary to check whether the app has really been decrypted:

WeChat.app $ otool -l WeChat | grep cry
     cryptoff 16384
    cryptsize 100237312
      cryptid 0

Note: the meaning of cryptid

  • 0 means unencrypted (i.e. the app has been decrypted)
  • 1 means still encrypted
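The cryptid value that otool prints comes from the LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command in the Mach-O header. The following is an added example, not code from the original article, that reads that load command directly so the check can be scripted or run on a machine without otool. It assumes a thin (non-fat) little-endian Mach-O image; the constructed sample image reuses the cryptoff and cryptsize values from the otool output above, and the load-command constants are the ones defined in Apple's mach-o/loader.h.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit header, 28 bytes
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit header, 32 bytes
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def encryption_info(image: bytes):
    """Walk the load commands of a thin little-endian Mach-O image and return
    (cryptoff, cryptsize, cryptid) from its LC_ENCRYPTION_INFO(_64) command,
    or None when the image carries no encryption command at all."""
    if len(image) < 28:
        raise ValueError("too short to be a Mach-O image")
    magic, = struct.unpack_from("<I", image, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image (slice fat binaries first)")
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both header layouts
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end = header_size + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past the end of the image")
    offset = header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption command too small")
            # cryptoff, cryptsize, cryptid follow the 8-byte command header
            return struct.unpack_from("<III", image, offset + 8)
        offset += cmdsize
    return None


def is_encrypted(image: bytes) -> bool:
    """True when cryptid != 0, i.e. the __TEXT segment is still encrypted."""
    info = encryption_info(image)
    return info is not None and info[2] != 0


def build_sample_image(cryptid: int) -> bytes:
    """Constructed sample (not a real binary): a 64-bit header followed by an
    LC_UUID command and an LC_ENCRYPTION_INFO_64 command with the page's values."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(16)
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 16384, 100237312, cryptid, 0)
    cmds = uuid_cmd + enc_cmd
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, len(cmds), 0, 0)
    return header + cmds


def build_plain_image() -> bytes:
    """Constructed sample with no encryption command (e.g. an embedded framework)."""
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(16)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, len(uuid_cmd), 0, 0)
    return header + uuid_cmd


if __name__ == "__main__":
    import sys
    # Pass the path of a Mach-O executable to inspect it; otherwise use the sample.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(0)
    print(encryption_info(image), "encrypted" if is_encrypted(image) else "decrypted/unencrypted")
```

Run it as python3 machocrypt.py WeChat.app/WeChat to get the same three numbers otool shows; a framework with no encryption command at all reports None, which is the expected result for embedded frameworks and does not mean they were decrypted.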

3. How to re-sign with codesign by hand

Note: a WeChat installed in this way will have its login blocked.

Detailed process screenshots are shown below.

The steps are as follows:

  • You need a decrypted WeChat.ipa
  • Unzip WeChat.ipa
  • Find WeChat.app and copy it into a new folder named WeChatCodeSign
  • Right-click WeChat.app, choose Show Package Contents, and delete the parts a development certificate cannot sign (the PlugIns and Watch folders)
  • In the terminal run security find-identity -v -p codesigning, find your certificate, and copy the certificate name you need
  • Enter the WeChat.app/Frameworks folder and sign every framework in it: with the terminal in that directory, run codesign -fs "Certificate name" xxx.framework for each one
  • Create a new Xcode project WeChatDemo and run it on the phone once
  • Find WeChatDemo.app in the build output of WeChatDemo
  • Right-click it, Show Package Contents, copy the provisioning profile embedded.mobileprovision to WeChatCodeSign, and also copy it into WeChat.app
  • In WeChatDemo create a new plist file ent.plist (the name is up to you)
  • In the terminal run security cms -Di embedded.mobileprovision to read embedded.mobileprovision
  • Copy the Value of the Entitlements key (the signing entitlements) from embedded.mobileprovision into ent.plist
  • Copy ent.plist to WeChatCodeSign
  • Open WeChat.app, find Info.plist, and change its bundle id to the bundle id of WeChatDemo
  • Finally enter the WeChatCodeSign directory and sign the app package: codesign -fs "Certificate name" --no-strict --entitlements=ent.plist WeChat.app
  • Command + Shift + 2 (Xcode's Devices window) to install it
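The ent.plist step and the bundle-id step belong together: the entitlements copied from the profile contain an application-identifier of the form TEAMID.bundle-id, and the device refuses the app unless the CFBundleIdentifier you write into Info.plist matches it. The example below is added here and is not the article's own code: it extracts the Entitlements dictionary from the XML that security cms -D prints, writes it out as ent.plist, and checks the profile against the bundle id before codesign is ever run. The profile XML is a constructed sample with a made-up team id and UUID; real profiles carry more keys (DeveloperCertificates and so on), and the example goes beyond the article by also handling wildcard app ids and expired profiles.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timezone

# Constructed sample of what `security cms -D -i embedded.mobileprovision` prints.
# TEAMID0000 and the UUID are placeholders, not values from the article.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>WeChatDemo</string>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.WeChatDemo</string>
    <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
    <key>get-task-allow</key><true/>
    <key>keychain-access-groups</key><array><string>TEAMID0000.*</string></array>
  </dict>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>UUID</key><string>11111111-2222-3333-4444-555555555555</string>
</dict>
</plist>
"""


def load_profile(profile_xml: bytes) -> dict:
    """Parse the decoded provisioning profile (the plist part, after security cms -D)."""
    return plistlib.loads(profile_xml)


def extract_entitlements(profile_xml: bytes) -> dict:
    """The Value of the Entitlements key, i.e. exactly what goes into ent.plist."""
    ents = load_profile(profile_xml).get("Entitlements")
    if not isinstance(ents, dict):
        raise ValueError("profile carries no Entitlements dictionary")
    return ents


def write_entitlements_plist(entitlements: dict, path: str) -> None:
    """Write ent.plist, the file handed to `codesign --entitlements`."""
    with open(path, "wb") as fh:
        plistlib.dump(entitlements, fh, fmt=plistlib.FMT_XML)


def application_identifier_covers(app_id: str, bundle_id: str) -> bool:
    """application-identifier is '<TEAMID>.<app id pattern>'; the pattern may end in '*'."""
    team, sep, pattern = app_id.partition(".")
    if not sep or len(team) != 10:
        return False
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])   # keep the trailing dot of the prefix
    return bundle_id == pattern


def profile_problems(profile_xml: bytes, bundle_id: str, now: datetime = None) -> list:
    """Reasons the re-signed app would be refused at install or launch time."""
    profile = load_profile(profile_xml)
    ents = profile.get("Entitlements", {})
    # plistlib returns naive UTC datetimes, so compare against naive UTC
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        problems.append(f"profile expired on {expires:%Y-%m-%d}")
    app_id = ents.get("application-identifier", "")
    if not application_identifier_covers(app_id, bundle_id):
        problems.append(f"application-identifier {app_id!r} does not cover CFBundleIdentifier {bundle_id!r}")
    team = ents.get("com.apple.developer.team-identifier")
    if team and team not in profile.get("TeamIdentifier", []):
        problems.append(f"team-identifier entitlement {team!r} is not in the profile's TeamIdentifier list")
    return problems


def write_and_reload(entitlements: dict) -> dict:
    """Round-trip through a temporary ent.plist to show the file codesign will read."""
    fd, path = tempfile.mkstemp(suffix=".plist")
    os.close(fd)
    try:
        write_entitlements_plist(entitlements, path)
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    finally:
        os.remove(path)


if __name__ == "__main__":
    ents = extract_entitlements(SAMPLE_PROFILE_XML)
    write_entitlements_plist(ents, "ent.plist")
    print("ent.plist written;", profile_problems(SAMPLE_PROFILE_XML, "com.example.WeChatDemo") or "profile matches")
```

Feed it the real output (security cms -D -i embedded.mobileprovision > profile.xml, then load that file) and run profile_problems with the bundle id you intend to write into WeChat.app/Info.plist; an empty list means the entitlements, team and bundle id agree, which is the precondition for the final codesign command to produce an installable package.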

Detailed process screenshots

Download the decrypted WeChat.ipa package

After downloading the WeChat.ipa package, unzip it and copy WeChat.app into a new folder WeChatCodeSign

Right-click WeChat.app, Show Package Contents, and remove the PlugIns and Watch folders that we cannot sign

In the terminal type security find-identity -v -p codesigning to find the certificate and copy its name (here "Apple Development: ZZZZZZ (ABENW7IAHK)")

Note: there is a pit here. If you have several certificates with the same name but different numbers in front of them, delete the ones you do not need, otherwise codesign will fail with: signed with an ambiguous certificate.
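Deleting certificates is not the only way around the ambiguity: codesign -s also accepts the SHA-1 fingerprint printed before each name, which is unique even when two identities share a display name. The snippet below is an added example, not part of the article: it parses the output of security find-identity -v -p codesigning, reports names that occur more than once, and returns the fingerprint to pass to codesign. The sample output is constructed (the fingerprints are made up; the team id is the one shown above) and the parser assumes the usual line shape N) FINGERPRINT "name", with or without the "Valid identities only" header that the command prints when -v is omitted.

```python
import re
from collections import Counter

# Constructed sample of `security find-identity -v -p codesigning` output with two
# identities that share a name (the pit above) and one unique identity.
SAMPLE_OUTPUT = """\
  1) 0123456789012345678901234567890123456789 "Apple Development: ZZZZZZ (ABENW7IAHK)"
  2) ABCDEF0123ABCDEF0123ABCDEF0123ABCDEF0123 "Apple Development: ZZZZZZ (ABENW7IAHK)"
  3) FEDCBA9876FEDCBA9876FEDCBA9876FEDCBA9876 "Apple Distribution: Example Corp (ABENW7IAHK)"
     3 valid identities found
"""

# One identity per line: index, 40 hex digit SHA-1 fingerprint, quoted name
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"\s*$')


def parse_identities(text: str) -> list:
    """Return [(fingerprint, name)] for every valid identity in the output."""
    # Without -v the tool prints all identities first; only the section after
    # "Valid identities only" is usable for signing, so skip anything before it.
    valid_section = text.split("Valid identities only", 1)[-1]
    pairs = []
    for line in valid_section.splitlines():
        m = IDENTITY_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def ambiguous_names(text: str) -> list:
    """Names that map to more than one identity; signing by name would fail for these."""
    counts = Counter(name for _, name in parse_identities(text))
    return sorted(name for name, n in counts.items() if n > 1)


def select_identity(text: str, name: str) -> str:
    """Fingerprint to pass to `codesign -s`; raises when the name is missing or ambiguous."""
    matches = [fp for fp, n in parse_identities(text) if n == name]
    if not matches:
        raise LookupError(f"no valid codesigning identity named {name!r}")
    if len(matches) > 1:
        raise ValueError(
            f"{name!r} matches {len(matches)} identities {matches}; "
            "sign with one fingerprint explicitly or delete the stale certificate in Keychain Access")
    return matches[0]


def codesign_argv(text: str, name: str, target: str) -> list:
    """Build the codesign command line using the fingerprint instead of the name."""
    return ["codesign", "-f", "-s", select_identity(text, name), target]


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["security", "find-identity", "-v", "-p", "codesigning"],
                         capture_output=True, text=True, check=True).stdout
    print("ambiguous:", ambiguous_names(out))
    for fp, name in parse_identities(out):
        print(fp, name)
```

The argv form matters for the rest of the tutorial: every later codesign -fs "Certificate name" call can take the fingerprint in place of the quoted name, which sidesteps the ambiguity error without touching the keychain.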

In the terminal run codesign -fs "Certificate name" xxx.framework for each xxx.framework under WeChat.app/Frameworks in turn

Create WeChatDemo, build or run it once, copy WeChatDemo.app to WeChatCodeSign and copy embedded.mobileprovision to WeChatCodeSign.

In WeChatDemo, create a new plist file ent.plist (name it whatever you want)

Run security cms -Di embedded.mobileprovision to read embedded.mobileprovision, and copy the Value of its Entitlements key (the signing entitlements) into ent.plist

Copy ent.plist to WeChatCodeSign, open WeChat.app, find Info.plist and change its bundle id to the bundle id of WeChatDemo, then go back to WeChatCodeSign and run codesign -fs "Certificate name" --no-strict --entitlements=ent.plist WeChat.app to sign the app package

Command + Shift + 2 and install WeChat

4. Re-signing with Xcode

Re-signing with Xcode is basically the same as signing by hand, except that Xcode takes over copying the provisioning profile into the .app package, generating ent.plist and finally signing the app package; the rest of the work still has to be done by hand.

  • Same preparation as above
  • Delete the files that have to go (PlugIns and Watch)
  • Sign the frameworks
  • Then overwrite the freshly built .app package with WeChat.app
  • Just run it

Note: there is a catch. When re-signing with Xcode the new project must have the same name as WeChat, otherwise Xcode looks for a Mach-O file named after the project inside the replaced package, cannot find it, and will not run the replaced package.

5. Re-signing with a shell script

Re-signing with a shell script means writing a script that Xcode runs as a build phase, so that all of the above happens in one step.

The re-signing script is as follows:

# Stop at the first failing command so a broken step does not produce a half-signed package
set -e

# ${SRCROOT} is the directory where the project files are located
TEMP_PATH="${SRCROOT}/Temp"
# We create an APP folder under the project directory in advance and put the IPA package in it
ASSETS_PATH="${SRCROOT}/APP"
# Path of the IPA package to re-sign (the first .ipa found in the APP folder)
TARGET_IPA_PATH=$(set -- "${ASSETS_PATH}/"*.ipa; echo "$1")
# Clear the Temp folder
rm -rf "${TEMP_PATH}"
mkdir -p "${TEMP_PATH}"

# ----------------------------------------------------------------------
# 1. Unzip the IPA into Temp
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# Get the path of the unzipped temporary .app
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app; echo "$1")
echo "TEMP_APP_PATH: $TEMP_APP_PATH"

# ----------------------------------------------------------------------
# 2. Copy the extracted .app into the project's build output
# BUILT_PRODUCTS_DIR: path of the .app package generated by the project
# TARGET_NAME: target name
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "App path: $TARGET_APP_PATH"

rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"

# ----------------------------------------------------------------------
# 3. Delete the extensions and the Watch app: a personal certificate cannot sign extensions
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"

# ----------------------------------------------------------------------
# 4. Update CFBundleIdentifier in Info.plist to this project's bundle id
# PlistBuddy syntax: "Set :KEY value"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"

# ----------------------------------------------------------------------
# 5. Give the Mach-O executable execute permission
# Read the executable name (CFBundleExecutable) from Info.plist
APP_BINARY=$(/usr/libexec/PlistBuddy -c "Print :CFBundleExecutable" "$TARGET_APP_PATH/Info.plist")
chmod +x "$TARGET_APP_PATH/$APP_BINARY"

# ----------------------------------------------------------------------
# 6. Re-sign the third-party frameworks
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ]; then
    for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*
    do
        # Sign with the identity Xcode selected for this target
        /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
    done
fi

Create a shell file appshell.sh, open it with vim appshell.sh, press i and paste the script into it.

Then copy our appshell.sh into WeChatDemo, create a new APP folder under WeChatDemo and put our WeChat.ipa in it.

Add a New Run Script Phase under WeChatDemo that calls the script

Error: Not enough permission to run appshell.sh

So let's use ls -l in the terminal to look at the permissions

WeChatDemo $ ls -l
total 8
drwxr-xr-x   3  tancheng  staff    96  10 17 11:07  APP
drwxr-xr-x  13  tancheng  staff   416  10 19 10:21  WeChatDemo
drwxr-xr-x   5  tancheng  staff   160  10 19 10:50  WeChatDemo.xcodeproj
drwxr-xr-x   4  tancheng  staff   128  10 19 10:02  WeChatDemoTests
drwxr-xr-x   4  tancheng  staff   128  10 19 10:02  WeChatDemoUITests
-rw-r--r--   1  tancheng  staff  1979  10 19 10:40  appShell.sh

The listing shows that appShell.sh is -rw-r--r--, readable and writable but not executable. Now that we have read the permission string and know how to change it (chmod +x appShell.sh), let's try it in the terminal.

With the permissions changed, run the project again: WeChat now builds, installs and runs successfully.

That's all you have to do to re-sign an iOS app.