This is the second day of my participation in the August More Text Challenge. For details, see: August More Text Challenge
iOS underlying principles + reverse engineering: article index
This article introduces several re-signing methods and shows how to re-sign an application.
Application re-signing
As described in iOS Reverse 09: Application Signature, a signature is the encrypted hash of the original data. Re-signing, as the name implies, means re-encrypting the hash of the original data, i.e. signing it again with a different certificate.
This section describes the following re-signing methods:
- codesign re-signing
- Xcode re-signing
- shell-script re-signing
Let's go through them one by one.
Method 1: codesign re-signing
Xcode ships with a signing tool, codesign, and re-signing can be done with a few commands, shown below:
- security find-identity -v -p codesigning: list the code-signing certificates in your keychain
- codesign -fs "certificate string" filename: forcibly replace the signature
- chmod +x executable: give the file execute permission
- security cms -D -i ../embedded.mobileprovision: decode and view the provisioning profile (the description file)
- codesign -fs "certificate string" --no-strict --entitlements=permissions.plist App.app: re-sign the app package with an entitlements (permissions) file
- zip -ry output-file input-file: compress the input file into the output file
codesign demonstration
How to get the IPA package from a jailbroken phone:
1. Set up the USB link: sh usbconnect.sh
2. Connect to the phone: sh usbx.sh
3. List the processes: ps -A
4. Filter the process list to find the WeChat process: ps -A | grep WeChat
5. Copy the app over: scp -r -P 12345 root@localhost:path
6. Inspect the copied app package: cd WeChat
7. Inspect the executable: otool -l WeChat | grep crypt (cryptid is 1 here, meaning the executable is encrypted)
8. View the app's signature and entitlements: codesign -vv -d WeChat.app
Preparation
Note: the required files are available here (password: CH5c).
1. Prepare a jailbroken WeChat package. Here, WeChat-7.0.8.ipa is unpacked with MyZip. The WeChat.app inside contains two things: the app itself and the app's signature information.
2. Check the signature information of the app package (Cmd+G): codesign -vv -d WeChat.app
3. Check the certificates in your keychain: security find-identity -v -p codesigning
4. View the executable's details: otool -l WeChat > ~/Desktop/123.txt. Look for cryptid, the encryption ID (0 means no encryption is applied)
codesign re-signing steps
To re-sign an application, perform the following steps:
1. Remove PlugIns and any embedded app packages that carry their own plugins (e.g. Watch, PlugIns)
2. Re-sign the libraries in Frameworks
3. Give the executable +x (execute) permission
4. Create a new empty project
5. Add the provisioning profile (the empty project from step 4 has to be built for and run on a real device, because the profile needs to be installed on the phone)
6. Replace the BundleID in the .app package (the BundleID in the .app's Info.plist must match the BundleID in the provisioning profile)
7. Re-sign the app package with its entitlements:
   1) security cms -D -i embedded.mobileprovision
   2) Copy the Entitlements from the decoded profile into a new plist file (file name: ppR.plist)
   3) codesign -fs "Apple Development: XX(XX)" --no-strict --entitlements=ppR.plist App.app
8. Finally, install through Xcode
Note: the two most important parts of a Mach-O are the code section and the data section; the encryption mainly covers the code.
codesign re-signing demonstration
Premise:
- Needs to be signed: the WeChat executable (i.e. the Mach-O file) and the Frameworks
- Needs to be deleted: PlugIns (a free personal account cannot sign them, so they are deleted) and Watch (also cannot be signed, so it is deleted too)
1. View the Frameworks signature: codesign -vv -d andromeda.framework
2. Re-sign the Frameworks:
codesign -fs "Apple Development: [email protected] (C2893S7GXH)" andromeda.framework
then run cd .. to go back up
3. Check the executable: ls -l WeChat
Note: re-signing requires the executable to have execute permission, i.e. the x bit
4. Create a project and obtain the provisioning profile for [email protected] (C2893S7GXH), e.g. XXX XXX (Personal Team); take the profile from the built executable (.app) and copy it into the WeChat package
5. The provisioning profile is tied to the BundleID, so the com.tencent BundleID has to be changed to match it
6. View the profile's permissions: security cms -D -i embedded.mobileprovision. The Entitlements entry (the permissions) is a plist dict; copy it into a plist file named Entitlements.plist (in Xcode: Property List > Open As Source Code > copy) and put it in the Payload folder
7. Sign the app (i.e. sign the Mach-O):
codesign -fs "Apple Development: [email protected] (C2893S7GXH)" --no-strict --entitlements=Entitlements.plist WeChat.app
8. View WeChat's signature: codesign -vv -d WeChat.app; the signature information has been replaced
9. Install
Debugging: Debug > Attach to Process > WeChat
Disadvantage of codesign re-signing: the process is tedious.
Method 2: Xcode re-signing
Next we re-sign through Xcode. The steps are as follows:
1. Delete PlugIns and Watch
2. Re-sign the Frameworks
3. Create and run an empty project
4. Change the BundleID in Info.plist to the empty project's BundleID
5. Replace the empty project's app package with the modified app package
6. Run directly
Compared with codesign re-signing, this skips step 3 (executable permission), step 5 (adding the provisioning profile) and step 7 (re-signing the .app package with the entitlements file).
Xcode re-signing demonstration
1. Replace the WeChat in Products with the WeChat we prepared for re-signing above
2. Run again (Cmd+R)
Conclusion
- Re-signing: re-encrypting the hash of the original data
- codesign re-signing steps:
  1. Remove PlugIns and any embedded app packages that carry their own plugins (e.g. Watch, PlugIns)
  2. Re-sign the libraries in Frameworks
  3. Give the executable +x (execute) permission
  4. Create a new empty project
  5. Add the provisioning profile (the empty project from step 4 has to be built for and run on a real device, because the profile needs to be installed on the phone)
  6. Replace the BundleID in the .app package (the BundleID in the .app's Info.plist must match the BundleID in the provisioning profile)
  7. Re-sign the app package with its entitlements:
     1) security cms -D -i embedded.mobileprovision
     2) Copy the Entitlements from the decoded profile into a new plist file (file name: ppR.plist)
     3) codesign -fs "Apple Development: XX(XX)" --no-strict --entitlements=ppR.plist App.app
  8. Finally, install through Xcode
- Xcode re-signing steps:
  1. Delete PlugIns and Watch
  2. Re-sign the Frameworks
  3. Create and run an empty project
  4. Change the BundleID in Info.plist to the empty project's BundleID
  5. Replace the empty project's app package with the modified app package
  6. Run directly