This is the fourth day of my participation in the August More Text Challenge. For details, see: August More Text Challenge

iOS underlying principles + reverse engineering: article summary

This article covers two ways of doing code injection: Framework injection and Dylib injection.

Code injection

Modifying an existing program generally means code injection, and the injected code is packaged as a Framework, a Dylib, or some other third-party dynamic library.

View the Mach-o file

Before looking at injection, we first need to understand how the libraries bundled in the IPA package get loaded by the executable. There are two ways to inspect the Mach-O executable:

  • 1. Terminal command: otool -l WeChat
  • 2. The MachOView binary analysis tool (note: it may fail to parse some binaries; in that case open the file with Cmd + O)

The main thing to look at in the Mach-O file is the Load Commands section (the set of load commands); this is where you can see, among other things, which dynamic libraries get loaded. Most of these entries have the form LC_LOAD_DYLIB (XXX), meaning "load XXX from the specified path", as shown below.

So, in summary: code that is to be injected has to take the form of a dynamic library, and the executable's load commands have to reference it.

Method 1: Manual Framework injection

Step 1: Put the dynamic library into the app package (Framework injection)

  • 1. Create a Framework named CJLHook: Target -> + -> iOS -> Framework

  • 2. In CJLHook, create an inject file and put the injection code in the +load lifecycle method:
    +(void)load{
        NSLog(@"CJLHook ------ ");
    }
  • 3. Compile the project (note: the project still has to be re-signed, and the framework must carry the same signing identity as the app or dyld will refuse to load it), then look at the Frameworks directory of the built WeChat app. You can see CJLHook there, but the load function is not executed.

Reason why load is not executed: the Load Commands of the Mach-O file contain no reference to CJLHook. The framework is sitting in the bundle, but nothing tells dyld to map it, so its +load never runs.

Step 2: Manual injection with yololib, modifying the Mach-O load commands

  • 4. Use the yololib tool to modify the Mach-O: ./yololib WeChat Frameworks/CJLHook.framework/CJLHook (note: first copy the WeChat executable out of the app package next to yololib)

    – First argument: target executable

    – Second argument: path of CJLHook relative to the app package
  • 5. Look at the Mach-O executable again and you can see that the new load command has been added

  • 6. Repackage, as follows:

    • Unzip WeChat-7.0.8.ipa

    • Replace the executable file in Payload with the Mach-O file from the previous step

    • Repackage: zip -ry WeChat.ipa Payload/

    • Then replace the original IPA package with the new one

  • 7. Run the program and you can see that the load in CJLHook is executed successfully
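Both injection procedures on this page (the yololib step of Method 1 and the appSign.sh step of Method 2) come down to one edit of the main executable: append an LC_LOAD_DYLIB load command in the zero padding after the existing load commands and bump ncmds and sizeofcmds in the header. The Python below is an added example, not code from this post or from yololib. It lists the dylib load commands the way otool -l does, measures the padding a new command has to fit into, and performs the edit on a constructed arm64 Mach-O built in memory. Assumptions: thin little-endian 64-bit binaries only (a fat binary needs each slice patched); the injected path uses the @executable_path/ prefix that dyld resolves relative to the app binary (the yololib invocations on this page pass a bare relative path); and the sample binary and its SomeSDK framework are made up for the demonstration.

```python
import struct
import sys

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_MAIN = 0x28 | LC_REQ_DYLD
HEADER_SIZE = 32      # sizeof(struct mach_header_64)
DYLIB_CMD_FIXED = 24  # cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
PAGE = 0x1000


def load_commands(data):
    """Yield (offset, cmd, cmdsize) for each load command of a thin little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O (fat binaries need per-slice handling)")
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield off, cmd, cmdsize
        off += cmdsize


def linked_dylibs(data):
    """Paths referenced by LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB, i.e. what `otool -l` lists."""
    paths = []
    for off, cmd, cmdsize in load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]  # lc_str offset, relative to the command
            raw = data[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode())
    return paths


def header_free_space(data):
    """Zero padding between the end of the load commands and the first section's file data.
    A new load command has to fit here; the header cannot grow into the code that follows it."""
    sizeofcmds = struct.unpack_from("<I", data, 20)[0]
    first_content = len(data)
    for off, cmd, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):  # section_64 is 80 bytes; its file offset field sits at +48
                sect_off = struct.unpack_from("<I", data, off + 72 + 80 * i + 48)[0]
                if sect_off:  # zero-fill sections (__bss) have no file offset
                    first_content = min(first_content, sect_off)
    return first_content - (HEADER_SIZE + sizeofcmds)


def dylib_command(path, cmd=LC_LOAD_DYLIB):
    """Encode a dylib_command; 64-bit load commands are padded to a multiple of 8 bytes."""
    name = path.encode() + b"\0"
    size = DYLIB_CMD_FIXED + len(name)
    size += (-size) % 8
    fixed = struct.pack("<IIIIII", cmd, size, DYLIB_CMD_FIXED, 2, 0x10000, 0x10000)
    return fixed + name.ljust(size - DYLIB_CMD_FIXED, b"\0")


def inject_load_dylib(data, path):
    """Append an LC_LOAD_DYLIB for `path` (the yololib-style edit) and return the patched bytes.
    The file length does not change: the command is written into the header padding and
    ncmds / sizeofcmds are bumped. This invalidates the code signature, so re-sign afterwards."""
    if path in linked_dylibs(data):
        raise ValueError("already linked: " + path)
    new_cmd = dylib_command(path)
    if len(new_cmd) > header_free_space(data):
        raise ValueError("not enough header padding for a %d-byte load command" % len(new_cmd))
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = HEADER_SIZE + sizeofcmds
    buf = bytearray(data)
    buf[end:end + len(new_cmd)] = new_cmd
    struct.pack_into("<II", buf, 16, ncmds + 1, sizeofcmds + len(new_cmd))
    return bytes(buf)


def build_sample_macho():
    """Constructed stand-in for the app binary: an arm64 MH_EXECUTE header, one __TEXT segment with an
    (empty) __text section at file offset 0x1000, two dylib loads and LC_MAIN. It contains no real code."""
    text_sect = (b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0")
                 + struct.pack("<QQIIIIIIII", 0x100001000, 0x10, PAGE, 2, 0, 0, 0x80000400, 0, 0, 0))
    text_seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(text_sect), b"__TEXT",
                           0x100000000, 2 * PAGE, 0, 2 * PAGE, 5, 5, 1, 0) + text_sect
    cmds = (text_seg
            + dylib_command("/usr/lib/libSystem.B.dylib")
            + dylib_command("@rpath/SomeSDK.framework/SomeSDK")  # made-up framework name
            + struct.pack("<IIQQ", LC_MAIN, 24, PAGE, 0))
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0x200085, 0)
    return (header + cmds).ljust(2 * PAGE, b"\0")


if __name__ == "__main__":
    # Usage: python inject.py [Mach-O] [dylib path]; with no arguments it patches the sample in memory.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    target = sys.argv[2] if len(sys.argv) > 2 else "@executable_path/Frameworks/CJLHook.framework/CJLHook"
    print("before:", linked_dylibs(data), "free header bytes:", header_free_space(data))
    patched = inject_load_dylib(data, target)
    print("after: ", linked_dylibs(patched), "free header bytes:", header_free_space(patched))
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(patched)
```

Run it against a copy of the executable taken out of Payload, put the .patched file back in its place, and re-sign; the two ValueError paths (library already linked, padding too small) are the failure modes to check before trusting a silent tool. For a fat binary, split the slice out first with lipo -thin or extend the parser to walk the fat header.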

Method 2: Dylib injection

Preparation: create an empty project and re-sign WeChat; for the procedure, see the article iOS Reverse 10: Application re-signing (2)

Dylib injection

  • 1. Select Target -> + -> macOS -> Library, and name it CJLHook

  • 2. In Build Settings, configure CJLHook:
    • 1) Change Base SDK to iOS

    • 2) Change Code Signing Identity to iOS Developer

  • 3. Copy the lib into the app in the current project:

    – 1) Build Phases -> + -> New Copy Files Phase
    – 2) Set the destination to copy to: Frameworks
    – 3) Add the dylib

  • 4. In CJLHook, override the load function:
    #import "CJLHook.h"
    @implementation CJLHook
    +(void)load{
        NSLog(@"CJLHook ---- ");
    }
    @end
  • 5. Inject the dylib from the script: copy yololib to the project root directory and add the following command at the end of appSign.sh
    # injection
    ./yololib "$TARGET_APP_PATH/$APP_BINARY" "Frameworks/libCJLHook.dylib"
  • 6. Looking at the Mach-O file, the Load Commands now include the CJLHook dylib under Frameworks

  • 7. Run the program; the log shows that the load in CJLHook is executed

Conclusion

  • Code injection: the preferred vehicle is a Framework or a Dylib library

  • Framework manual injection process:

    • 1. Create a Framework in Xcode and get the library into the app package

    • 2. Inject the path of the Framework library with yololib. Command: yololib <Mach-O file path> <library path>

    • 3. Frameworks are loaded into memory by dyld

    • 4. The successfully injected library path is written into the Mach-O file as an LC_LOAD_DYLIB load command

  • Dylib injection process:

    • 1. Create a new Dylib library in Xcode (note: a Dylib target belongs to macOS, so the related build settings need to be modified)

    • 2. Add the target dependency and let Xcode package the custom Dylib into the app package

    • 3. Use yololib for the injection