This is the second day of my participation in the August More text Challenge. For details, see: August More Text Challenge

iOS Underlying Principles + Reverse Engineering: Article Index

This article introduces several ways to re-sign an application and walks through how to re-sign one.

Application re-signing

According to iOS Reverse 09: Application Signature, a signature is the encrypted hash of the original data. Re-signing, as the name implies, means hashing the original data again and encrypting that hash with a different signing identity.

This section describes the following re-signing methods:

  • Re-signing with codesign

  • Re-signing with Xcode

  • Re-signing with a shell script

Let's introduce them one by one.

Method 1: Re-signing with codesign

Xcode ships with a signing tool, codesign, which can re-sign files through a few commands, as shown below:

  • $ security find-identity -v -p codesigning: list the code-signing certificates in your Keychain

  • $ codesign -fs "certificate string" filename: forcibly replace the file's signature

  • $ chmod +x executable: give the file execute permission

  • $ security cms -D -i ../embedded.mobileprovision: view the provisioning profile

  • $ codesign -fs "certificate string" --no-strict --entitlements=entitlements.plist App.app: sign the app package with the given entitlements file

  • $ zip -ry output input: compress the input into an output file

Codesign demo

Obtaining the app package from a jailbroken phone

  • 1. Set up the USB link: sh usbconnect.sh

  • 2. Connect to the phone: sh usbx.sh

  • 3. List the processes: ps -A

  • 4. Filter the process list to find the WeChat process: ps -A | grep WeChat

  • 5. Copy the app package to the Mac: scp -r -P 12345 root@localhost:path (replace path with the app's location on the phone)

  • 6. Enter the copied app package: cd WeChat

  • 7. Inspect the executable: otool -l WeChat | grep crypt (cryptid is 1 at this point, which means the binary is encrypted)

  • 8. View the app's signature: codesign -vv -d WeChat.app (the app is signed and carries entitlements)

Preparation

Note: The required files can be downloaded from the link here, password: CH5c

  • 1. Prepare a jailbroken WeChat package; here WeChat-7.0.8.ipa is unpacked with MyZip
    • The WeChat.app inside it contains two things: the app itself and the app's signature information

  • 2. Check the signature information of the app package (Cmd+G): codesign -vv -d WeChat.app

  • 3. Look at the certificates in your Keychain: security find-identity -v -p codesigning

  • 4. Dump the executable's load commands: otool -l WeChat > ~/Desktop/123.txt. Look for cryptid, the encryption flag (0 means the binary is not encrypted)
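Both the jailbroken-phone dump (step 7, cryptid 1) and the preparation list (step 4, cryptid 0) read the cryptid flag out of otool -l. The helper below is an added example, not code from the original post: it parses that output and reports whether a binary is still FairPlay-encrypted, already decrypted, or carries no encryption load command at all, which is the check to run before spending time on re-signing (a re-signed but still-encrypted binary will not run). The otool lines it is fed are constructed samples, not real WeChat output.

```shell
#!/bin/sh
# Added example, not code from the original post: read the cryptid flag from
# `otool -l` output, covering fat binaries (one LC_ENCRYPTION_INFO per
# architecture) and binaries with no encryption load command. The sample
# output written by write_sample_otool is constructed.

# Print one cryptid per LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 command.
cryptids_of() {             # cryptids_of OTOOL_L_OUTPUT_FILE
    awk '
        /cmd LC_ENCRYPTION_INFO/ { in_cmd = 1; next }
        /^Load command/          { in_cmd = 0 }
        in_cmd && /cryptid/      { print $2 }
    ' "$1"
}

# encrypted:   some slice still has cryptid 1; re-signing it is pointless
# decrypted:   every slice reports cryptid 0; safe to re-sign
# unencrypted: no LC_ENCRYPTION_INFO at all (e.g. a developer build)
encryption_state() {        # encryption_state OTOOL_L_OUTPUT_FILE
    ids=$(cryptids_of "$1")
    [ -n "$ids" ] || { echo unencrypted; return 0; }
    for id in $ids; do
        [ "$id" = "0" ] || { echo encrypted; return 0; }
    done
    echo decrypted
}

# Constructed lines modelled on `otool -l WeChat` for a two-slice binary.
write_sample_otool() {      # write_sample_otool FILE CRYPTID_ARMV7 CRYPTID_ARM64
    cat > "$1" <<EOF
WeChat (architecture armv7):
Load command 12
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 25165824
      cryptid $2
Load command 13
          cmd LC_LOAD_DYLIB
WeChat (architecture arm64):
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 31522816
      cryptid $3
          pad 0
EOF
}

# State of a freshly dumped, still-encrypted binary (both slices cryptid 1).
demo() {
    f=$(mktemp)
    write_sample_otool "$f" 1 1
    encryption_state "$f"
}
```

On a real binary, run `otool -l WeChat > out.txt` and then `encryption_state out.txt`; the mixed case (one slice decrypted, the other not) is reported as encrypted on purpose, because the device will load whichever slice matches its CPU.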

Codesign re-signing steps

To re-sign an application, perform the following steps:

  • 1. Delete the PlugIns directory and any embedded app packages that carry their own plugins (e.g. Watch)

  • 2. Re-sign the libraries in Frameworks

  • 3. Give the executable file +x (execute) permission

  • 4. Create a new empty Xcode project

  • 5. Add the provisioning profile (the empty project from step 4 is built for and run on a real device, because the profile has to be installed on the phone)

  • 6. Replace the BundleID in the .app package (the BundleID in the .app's Info.plist must be the same as the BundleID in the provisioning profile)

  • 7. Re-sign the app package with its entitlements:

    • 1) Decode the profile: security cms -D -i embedded.mobileprovision

    • 2) Copy the Entitlements from the decoded profile into a new plist file (e.g. Entitlements.plist)

    • 3) codesign -fs "Apple Development: XX(XX)" --no-strict --entitlements=Entitlements.plist App.app

  • 8. Finally, install through Xcode

  • Note: The two most important parts of a Mach-O are the code and the data; the encryption applies mainly to the code

Codesign re-signing demonstration

  • Premise:

    • Must be signed: the WeChat executable (the Mach-O file) and the Frameworks

    • Must be deleted: PlugIns (a free account cannot sign them, so delete them) and Watch (cannot be signed either, so delete it)

  • 1. View the signature of a framework in Frameworks: codesign -vv -d andromeda.framework

  • 2. Re-sign the framework: codesign -fs "Apple Development: [email protected] (C2893S7GXH)" andromeda.framework

Then run cd .. to go back up to the app package.

  • 3. Check the executable file: ls -l WeChat

    • Note: the file must have execute permission (x) before it can be re-signed

  • 4. Create a project and obtain the provisioning profile that corresponds to [email protected] (C2893S7GXH), for example XXX XXX (Personal Team): take the embedded.mobileprovision from the project's built .app and copy it into the WeChat package

  • 5. The provisioning profile is tied to a BundleID, so the com.tencent BundleID of the WeChat package has to be changed to the profile's

  • 6. View the profile's entitlements: security cms -D -i embedded.mobileprovision

The Entitlements (permissions) in the output are in plist form. Copy them into a plist file named Entitlements.plist (in Xcode: create a Property List, Open As > Source Code, paste), then copy that file into the Payload folder.

  • 7. Sign the app (i.e. sign the Mach-O): codesign -fs "Apple Development: [email protected] (C2893S7GXH)" --no-strict --entitlements=Entitlements.plist WeChat.app

  • 8. View the WeChat signature: codesign -vv -d WeChat.app; the signature information has been replaced

  • 9. Install

  • Debug: Debug > Attach to Process > WeChat

Disadvantage of codesign re-signing: the process is too tedious.
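The tedium is mostly the same eight steps typed by hand. The script below is an added example, not code from the original post, and turns the command list under Method 1, the numbered codesign steps and the demonstration above into functions: it pulls the Entitlements dict out of a decoded provisioning profile into a standalone plist (step 7), refuses to sign when the BundleID in Info.plist does not match the profile (step 6), and then runs the delete/chmod/codesign sequence. The profile and Info.plist it is tested against are constructed samples (ABCDE12345 and com.example.resign are made-up placeholders); resign_app itself assumes macOS with codesign, security and plutil available, and the names resign_app, plist_string, extract_entitlements and bundle_ids_match are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the codesign steps above as
# a script, with helpers that pull the Entitlements out of a decoded profile
# and check that the app's BundleID matches the profile before signing.
# Sample files are constructed (ABCDE12345 / com.example.resign are made up);
# resign_app itself needs macOS with codesign, security and plutil.

# Print the <string> value that follows <key>KEY</key> in an XML plist.
plist_string() {               # plist_string FILE KEY
    awk -v key="$2" '
        index($0, "<key>" key "</key>") { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    ' "$1"
}

# BundleID granted by the profile: application-identifier minus the TEAMID
# prefix (ABCDE12345.com.example.resign -> com.example.resign).
profile_bundle_id() {          # profile_bundle_id DECODED_PROFILE
    id=$(plist_string "$1" application-identifier)
    printf '%s\n' "${id#*.}"
}

# Step 7.2: copy the Entitlements <dict> of the decoded profile into a
# complete plist, the form codesign --entitlements= expects.
extract_entitlements() {       # extract_entitlements DECODED_PROFILE OUT_PLIST
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">'
        awk '
            /<key>Entitlements<\/key>/ { grab = 1; next }
            grab && /<dict>/           { depth++ }
            grab && depth > 0          { print }
            grab && /<\/dict>/         { depth--; if (depth == 0) exit }
        ' "$1"
        printf '%s\n' '</plist>'
    } > "$2"
}

# Step 6: the profile is tied to one BundleID, so Info.plist must carry it.
bundle_ids_match() {           # bundle_ids_match DECODED_PROFILE INFO_PLIST
    [ "$(profile_bundle_id "$1")" = "$(plist_string "$2" CFBundleIdentifier)" ]
}

# Steps 1-7 in order, run on an unpacked Payload/WeChat.app (macOS only).
resign_app() {                 # resign_app APP_DIR IDENTITY PROFILE
    app=$1 identity=$2 profile=$3 work=$(dirname "$1")
    rm -rf "$app/PlugIns" "$app/Watch"                   # 1: a free account cannot sign these
    for fw in "$app"/Frameworks/*.framework; do           # 2: re-sign every framework
        [ -d "$fw" ] && { codesign -fs "$identity" "$fw" || return 1; }
    done
    plutil -convert xml1 "$app/Info.plist"                # Info.plist is usually binary; make it XML
    chmod +x "$app/$(plist_string "$app/Info.plist" CFBundleExecutable)"  # 3
    cp "$profile" "$app/embedded.mobileprovision"                           # 5
    security cms -D -i "$profile" > "$work/profile.plist"                   # 7.1
    bundle_ids_match "$work/profile.plist" "$app/Info.plist" \
        || { echo "BundleID in Info.plist does not match the profile" >&2; return 1; }  # 6
    extract_entitlements "$work/profile.plist" "$work/Entitlements.plist"   # 7.2
    codesign -fs "$identity" --no-strict --entitlements="$work/Entitlements.plist" "$app"  # 7.3
}

# Constructed samples: a trimmed decoded profile and an XML Info.plist.
write_samples() {              # write_samples DIR
    cat > "$1/profile.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>ABCDE12345.com.example.resign</string>
        <key>get-task-allow</key>
        <true/>
    </dict>
    <key>TeamIdentifier</key>
    <array>
        <string>ABCDE12345</string>
    </array>
</dict>
</plist>
EOF
    cat > "$1/Info.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>WeChat</string>
    <key>CFBundleIdentifier</key>
    <string>com.example.resign</string>
</dict>
</plist>
EOF
}

# Dry run on the samples: prints the BundleID the profile allows, or fails.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    bundle_ids_match "$d/profile.plist" "$d/Info.plist" || return 1
    extract_entitlements "$d/profile.plist" "$d/Entitlements.plist"
    profile_bundle_id "$d/profile.plist"
}
```

Usage on a Mac, from the directory holding Payload/: `resign_app Payload/WeChat.app "Apple Development: XX(XX)" /path/to/profile.mobileprovision`, then `zip -ry WeChat-resigned.ipa Payload` to package it. The BundleID check is deliberately a hard stop: installing an app whose Info.plist and profile disagree is the most common reason the re-signed package fails to launch.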

Method 2: Re-signing with Xcode

Next we re-sign through Xcode. The steps are as follows:

  • 1. Delete PlugIns and Watch

  • 2. Re-sign the libraries in Frameworks

  • 3. Create and run an empty project

  • 4. Change the BundleID in Info.plist to the empty project's BundleID

  • 5. Replace the empty project's app package with the modified app package

  • 6. Run it directly

Compared with codesign re-signing, this skips step 3 (executable permission), step 5 (adding the provisioning profile) and step 7 (re-signing the .app package with the entitlements file).

Xcode re-signing demonstration

  • 1. Replace the WeChat.app under Products with the WeChat package prepared earlier for re-signing

  • 2. Run again with Cmd+R

Conclusion

  • Re-signing: hashes the original data again and encrypts that hash with a different signing identity

  • Codesign re-signing steps:

    • 1. Delete the PlugIns directory and any embedded app packages that carry their own plugins (e.g. Watch)

    • 2. Re-sign the libraries in Frameworks

    • 3. Give the executable file +x (execute) permission

    • 4. Create a new empty Xcode project

    • 5. Add the provisioning profile (the empty project from step 4 is built for and run on a real device, because the profile has to be installed on the phone)

    • 6. Replace the BundleID in the .app package (the BundleID in the .app's Info.plist must be the same as the BundleID in the provisioning profile)

    • 7. Re-sign the app package with its entitlements:

      • 1) Decode the profile: security cms -D -i embedded.mobileprovision

      • 2) Copy the Entitlements from the decoded profile into a new plist file (e.g. Entitlements.plist)

      • 3) codesign -fs "Apple Development: XX(XX)" --no-strict --entitlements=Entitlements.plist App.app

    • 8. Finally, install through Xcode

  • Xcode re-signing steps:

    • 1. Delete PlugIns and Watch

    • 2. Re-sign the libraries in Frameworks

    • 3. Create and run an empty project

    • 4. Change the BundleID in Info.plist to the empty project's BundleID

    • 5. Replace the empty project's app package with the modified app package

    • 6. Run it directly