This series is compiled from my notes on MJ's course. Some references are cited; others I may have forgotten to add. If you find a missing reference, please contact me.

  • iOS Reverse (1) Environment setup
  • iOS Reverse (2) Cycript
  • iOS Reverse (3) Reverse tool
  • iOS Reverse (4) Unshell audit
  • iOS Reverse (5) Theos tool
  • iOS Reverse (6) Dynamic debugging
  • iOS Reverse (7) Re-signing

Before reading this article, make sure you understand the basics of encryption and signing; see iOS Security (II) Encryption and signing.

I. iOS signing mechanism

The iOS code-signing mechanism ensures that every app installed on a user's phone has been approved and certified by Apple; it is also the mechanism through which an app is granted its permissions (entitlements).

Whether debugging on a real device or publishing an app, a developer has to go through a fairly involved sequence of steps:

☞ Generate a CertificateSigningRequest.certSigningRequest file

☞ Generate and download the ios_development.cer and ios_distribution.cer certificate files

☞ Add an App ID and register the device

☞ Generate and download the *.mobileprovision file

What does each step actually do? What exactly do the .certSigningRequest, .cer and .mobileprovision files contain, and what is each one used for?

1. Apple's signature process

The following is an overview of Apple's signature verification in three situations:

  • How does a user's device verify an app downloaded from the App Store?
  • When Xcode installs an app directly onto a developer's device, how is it verified?
  • How is verification done when an app is distributed, whether through the App Store or third-party channels?

1.1 App Store installation

An app downloaded and installed from the App Store contains no embedded.mobileprovision file.

Its verification is correspondingly simpler: the App Store re-signs the app with Apple's own key, so the device only has to check Apple's signature, which it trusts directly.

1.2 Xcode installation

1.3 The complete process

2. iOS signing mechanism: the steps

2.1 Generate the Mac's public and private keys

In Keychain Access, choose "Request a Certificate From a Certificate Authority". This generates a key pair locally: the public key goes into the CertificateSigningRequest file, and the private key stays in the local keychain.

2.2 Generating a certificate

2.3 Obtaining certificates

The ios_development.cer and ios_distribution.cer files

Each is a certificate in which Apple's back-end private key signs the Mac's public key (together with the developer's identity).

2.4 Generating the mobileprovision file

2.5 Security checks

p12

The local private key (with its certificate), exported from the keychain so it can be imported on other computers for team development.

II. Re-signing

To install an app package whose original signature has been broken (for example by decrypting it) on a non-jailbroken phone, the package must be re-signed.

Re-signing operates on the .app bundle. If you only have an .ipa, simply unzip it: the .app bundle is inside its Payload directory.

The package to be re-signed must be decrypted ("unshelled").

To repeat: it must be decrypted.

So if the app is still encrypted, decrypt it first.

After re-signing and packaging, you may need to watch the device logs during installation to see why an install fails:

  • Window -> Devices and Simulators -> View Device Logs
  • During installation: Window -> Devices and Simulators -> Open Console

1. Re-signing the .app package

First, the simplest case: the .app bundle contains no other dynamic libraries, App Extensions or similar.

Only the main program's Mach-O file needs to be signed.

1.1 Preparation

The embedded.mobileprovision file must be generated with a paid developer account's certificate; its App ID and device list must match the app and the target device; and it must be placed inside the .app bundle.

  • It can be generated automatically by Xcode and taken from a compiled .app;
  • or it can be generated and downloaded from the developer account center.

1.2 Viewing local certificates

Re-signing requires a signing certificate, so check which ones are available:

$ security find-identity -v -p codesigning
  1) F11EAA6593D8BBE******3AA95C19BE66CB8250 "iPhone Distribution: **** Weng (69*****F36)"
  2) BC4FF0F29BD938EC****3AA5271F71D64894B60 "iPhone Developer: **** Weng (7R*****BXZ)"

1.3 Generating the entitlements file

Extract entitlements.plist from the embedded.mobileprovision file (the profile is a CMS envelope; `security cms -D` strips the signature and prints the plist inside):

$ security cms -D -i embedded.mobileprovision > temp.plist

$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' temp.plist > entitlements.plist
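As an added example (not code from the original post or from any tool it mentions), the following Python script takes the decoded profile plist that `security cms -D` prints, checks the three things section 1.1 says must match before an install can succeed (the profile has not expired, its App ID covers the bundle ID, and the device is in its device list), and then serialises the Entitlements dict on its own, which is exactly what the PlistBuddy command above produces. The profile contents are constructed for the example; the team ID, bundle IDs and UDID are placeholders, and the wildcard matching follows Apple's documented App ID rules (a wildcard `TEAMID.com.example.*` covers every bundle ID starting with `com.example.`).

```python
import plistlib
from datetime import datetime, timezone

# Constructed stand-in for the XML that `security cms -D -i embedded.mobileprovision`
# prints. Team ID, bundle IDs and UDID are placeholders, not real values.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00008030-000000000000002E</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.*</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><true/>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
  </dict>
</dict>
</plist>
"""

# Frozen clock so the demo is reproducible; a real check uses the current UTC time.
FROZEN_NOW = datetime(2025, 1, 1)


def load_profile(decoded_xml):
    """Parse the decoded (CMS-stripped) provisioning profile into a dict."""
    return plistlib.loads(decoded_xml)


def entitlements_plist(profile):
    """Same result as `PlistBuddy -x -c 'Print :Entitlements'`: the Entitlements dict
    serialised as a stand-alone XML plist, ready for `codesign --entitlements`."""
    return plistlib.dumps(profile["Entitlements"])


def app_id_matches(app_id_entitlement, team_prefix, bundle_id):
    """Check a bundle ID against an application-identifier such as
    'TEAMID.com.example.app' (explicit) or 'TEAMID.com.example.*' (wildcard)."""
    prefix, _, pattern = app_id_entitlement.partition(".")
    if prefix != team_prefix:
        return False
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])   # keep the trailing dot: 'com.example.'
    return bundle_id == pattern


def check_profile(profile, bundle_id, udid, now=None):
    """Return the reasons this profile cannot be used to install `bundle_id` on device
    `udid`; an empty list means profile, App ID and device all match."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    ents = profile["Entitlements"]
    team = profile["TeamIdentifier"][0]
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired on %s" % profile["ExpirationDate"].date())
    if not app_id_matches(ents["application-identifier"], team, bundle_id):
        problems.append("application-identifier %s does not cover %s"
                        % (ents["application-identifier"], bundle_id))
    if ents.get("com.apple.developer.team-identifier") != team:
        problems.append("team-identifier entitlement does not match TeamIdentifier")
    # Enterprise profiles carry ProvisionsAllDevices; development/ad-hoc ones list UDIDs;
    # App Store profiles have neither and cannot be used to sideload at all.
    if not profile.get("ProvisionsAllDevices") and udid not in profile.get("ProvisionedDevices", []):
        problems.append("device %s is not in ProvisionedDevices" % udid)
    return problems


if __name__ == "__main__":
    prof = load_profile(SAMPLE_PROFILE_XML)
    print(check_profile(prof, "com.example.app", "00008030-000000000000002E", FROZEN_NOW))
    print(entitlements_plist(prof).decode())
```

To use it on a real profile, pass the output of `security cms -D -i embedded.mobileprovision` to `load_profile` and run the check before `codesign`; a mismatch here otherwise surfaces only as an opaque installation failure in the device console.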

1.4 Signing

1) Sign the .app package

$ codesign -fs <certificate ID or name> --entitlements entitlements.plist xxx.app

Example:

$ codesign -fs BC4FF0F29******A5271F71D64894B60 --entitlements entitlements.plist CodesignApp.app
CodesignApp.app: replacing existing signature

2) Package the .ipa

Create a Payload folder, move the .app bundle into it, zip the Payload folder, and rename the archive from .zip to .ipa.

1.5 One-step GUI tools

Copy embedded.mobileprovision into the .app bundle, then use iOS App Signer to do the signing in one step.

  • Enter the .app path as the Input File. This signs only the .app itself; dynamic libraries inside the .app still need to be signed separately.

  • iReSign offers similar functionality with more options.

  • The .ipa is exported once signing completes.

2. App packages containing dynamic libraries

There are two cases involving dynamic libraries:

  • packages downloaded from the App Store that contain dynamic libraries, App Extensions, etc.;
  • tweak projects, where we need to load a plug-in of our own.

2.1 App Store download: re-signing the .app package

  1. Remove the _CodeSignature folder inside the .app bundle.
  2. Every dynamic library (.framework, .dylib), App Extension (the PlugIns folder, extensions named *.appex) and Watch app (the Watch folder) inside the .app bundle must be re-signed.

To view the available certificates:

$ security find-identity -v -p codesigning

Sign each one:

$ cd <inside the .app bundle>
$ codesign -fs <certificate ID or name> xxx.dylib

  3. Copy embedded.mobileprovision into the .app bundle.
  4. Re-sign the whole .app with iOS App Signer to produce the .ipa.
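The list in 2.1 is easy to get wrong by hand: a framework nested inside an .appex, or a Watch app, is just as much a separate code object as a top-level .dylib, and codesign verifies nested code inside-out, so each must be signed before the bundle that contains it. The following added Python script (not from the original post or from iOS App Signer) walks a .app bundle and returns everything that needs its own signature, deepest first, and then packages the signed bundle into an .ipa the way step 2) of section 1.4 describes. The bundle it operates on is a constructed stand-in with placeholder one-byte files; the framework, extension and Watch app names are invented for the example.

```python
import os
import tempfile
import zipfile

# Anything with one of these suffixes inside a .app is nested code that codesign
# must sign before the enclosing bundle.
NESTED_SUFFIXES = (".framework", ".dylib", ".appex", ".app")


def nested_code(app_dir):
    """Return the nested code inside `app_dir` (paths relative to it), deepest first,
    so iterating over the list and signing each item gives the inside-out order that
    codesign requires: a framework inside an appex is signed before the appex, and
    everything is signed before the outer .app itself."""
    found = []
    for root, dirs, files in os.walk(app_dir):
        for name in dirs + files:
            if name.endswith(NESTED_SUFFIXES):
                found.append(os.path.relpath(os.path.join(root, name), app_dir))
    found.sort(key=lambda rel: (-rel.count(os.sep), rel))
    return found


def package_ipa(app_dir, ipa_path):
    """Zip the signed .app as Payload/<name>.app/...; that layout is all an .ipa is."""
    app_name = os.path.basename(os.path.normpath(app_dir))
    with zipfile.ZipFile(ipa_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(app_dir):
            for name in files:
                full = os.path.join(root, name)
                zf.write(full, "/".join(["Payload", app_name, os.path.relpath(full, app_dir)]))
    return ipa_path


def build_sample_app(base_dir):
    """Constructed stand-in for an App Store bundle; every file is a one-byte placeholder
    and the framework/extension/Watch app names are invented for the example."""
    app = os.path.join(base_dir, "CodesignApp.app")
    for rel in (
        "CodesignApp", "Info.plist", "embedded.mobileprovision",
        "Frameworks/Alamofire.framework/Alamofire",
        "Frameworks/libswiftCore.dylib",
        "PlugIns/Share.appex/Share",
        "PlugIns/Share.appex/Frameworks/Helper.framework/Helper",
        "Watch/CodesignWatch.app/CodesignWatch",
    ):
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0")
    return app


def demo():
    """Build the sample bundle, list what needs signing, package it; return both results."""
    base = tempfile.mkdtemp()
    app = build_sample_app(base)
    order = nested_code(app)
    ipa = package_ipa(app, os.path.join(base, "CodesignApp.ipa"))
    with zipfile.ZipFile(ipa) as zf:
        names = sorted(zf.namelist())
    return order, names


if __name__ == "__main__":
    order, names = demo()
    for rel in order:
        print("codesign -fs <certificate ID or name> %s" % rel)   # then sign the .app last
    print("\n".join(names))
```

Run it against a real bundle by calling `nested_code("/path/to/xxx.app")` and feeding the result to `codesign -fs` one item at a time, then signing the .app itself with `--entitlements` as in 1.4 and calling `package_ipa` on the result.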

2.2 Tweak project

The dynamic library we built with Theos now needs to be packaged together with the app's Mach-O and signed, so that it can be installed on a non-jailbroken phone.

Dynamic-library plug-ins (dylibs) developed with Theos:

  • by default depend on /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate;
  • so if the plug-in is to be packaged into an .ipa, CydiaSubstrate has to be packaged into the .ipa as well, and the plug-in's load path for CydiaSubstrate has to be changed.

The following uses an app called test as the example:

1) Preparation

  • ① test.app
    • Assume the Mach-O in test.app is called testmach.
    • Use MJAppTool to find its path and copy it to the computer.
    • If the app is not yet decrypted, decrypt the .ipa first, copy the .ipa to the computer and extract the .app, then continue.
  • ② tweak_test.dylib
    • The plug-in developed with Theos.
    • On the device it lives in /Library/MobileSubstrate/DynamicLibraries.
  • ③ CydiaSubstrate
    • /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

2) Process

☞ Remove the _CodeSignature folder inside the .app bundle.

☞ Copy embedded.mobileprovision into the .app bundle.

☞ Put ② and ③ into ①: copy them directly, and make sure that ①'s Mach-O, ② and ③ all end up in the same directory!

☞ Insert ② into ①: use insert_dylib.

☞ Change the path from which ② loads ③: use install_name_tool.

☞ ② and ③ each need their own signature: use codesign.

☞ Note: check whether the app contains any other dynamic libraries; if it does, they too must be signed individually!

☞ Sign ①: use iOS App Signer, which produces the .ipa.

3) insert_dylib

insert_dylib inserts the tweak_test.dylib dynamic library into the main executable testmach inside the .app.

A. Download the source code

Github.com/Tyilo/inser…

B. Compile

After downloading the source, open the project, set the build configuration to Release in Edit Scheme, build, and find the command-line binary under Products.

Move it to /usr/local/bin.

C. Usage

$ insert_dylib <dylib path> <Mach-O file> [output file] [--weak] [--all-yes]

  • --weak: records the library as a weak dependency, so the program still launches even if the library cannot be found at run time.
  • --all-yes: answer yes to every prompt.
  • insert_dylib essentially adds an LC_LOAD_DYLIB or LC_LOAD_WEAK_DYLIB entry to the Load Commands of the Mach-O file.

D. Example

Assume the Mach-O file testmach and tweak_test.dylib are in the same directory.

Here we use one of dyld's special path prefixes (it is not an environment variable):

@executable_path stands for the directory containing the main executable, so the dynamic library is looked up next to the Mach-O.

$ cd <inside the .app bundle>
$ insert_dylib @executable_path/tweak_test.dylib testmach testmach --weak --all-yes

4) Changing a dynamic library's load path

install_name_tool can change the path from which a Mach-O file loads a dynamic library:

$ install_name_tool -change <old path> <new path> <Mach-O file>

Here we need to change the path of CydiaSubstrate recorded in tweak_test.dylib.

Since tweak_test.dylib and CydiaSubstrate are in the same directory, another dyld path prefix is used:

@loader_path stands for the directory containing the Mach-O that issues the load (here, the dylib itself).

$ install_name_tool  -change  /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate  @loader_path/CydiaSubstrate tweak_test.dylib

After the change, tweak_test.dylib loads CydiaSubstrate from its own directory.
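To see what insert_dylib and install_name_tool actually change, the following added Python script (not from the original post, nor from either tool) parses the load commands of a 64-bit Mach-O the way `otool -l` lists them, appends an LC_LOAD_WEAK_DYLIB command as `insert_dylib --weak` does, and rewrites a dylib's path in place as `install_name_tool -change` does. Both operations have to fit within the zero padding between the last load command and the first section's data, and the script refuses when that padding is exhausted, which is the same check the real tools perform. It works on a constructed arm64 Mach-O built inline as a stand-in for testmach and tweak_test.dylib, not on a real binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018   # 0x18 | LC_REQ_DYLD
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)

def _pad8(n):
    return (n + 7) & ~7

def load_commands(data):
    """Return [(offset, cmd, cmdsize)] for a little-endian 64-bit Mach-O (not a fat file)."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    cmds, off = [], HEADER_SIZE
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<II", data, off)
        cmds.append((off, cmd, size))
        off += size
    return cmds

def _dylib_name(data, off, size):
    name_off = struct.unpack_from("<I", data, off + 8)[0]          # dylib.name.offset
    return data[off + name_off:off + size].split(b"\0", 1)[0].decode()

def linked_dylibs(data):
    """What `otool -L` prints: [(path, is_weak)] in load-command order."""
    return [(_dylib_name(data, off, size), cmd == LC_LOAD_WEAK_DYLIB)
            for off, cmd, size in load_commands(data)
            if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB)]

def _headroom(data):
    """Lowest file offset holding section contents. Load commands may grow up to here;
    insert_dylib and install_name_tool both bail out when this padding runs out."""
    limit = len(data)
    for off, cmd, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            for i in range(nsects):                       # section_64 is 80 bytes; offset at +48
                sect_off = struct.unpack_from("<I", data, off + 72 + i * 80 + 48)[0]
                if sect_off:
                    limit = min(limit, sect_off)
    return limit

def _build_dylib_cmd(cmd, path):
    name = path.encode() + b"\0"
    size = _pad8(24 + len(name))          # struct dylib_command followed by the NUL-padded path
    return struct.pack("<IIIIII", cmd, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")

def _write_load_commands(data, blob, ncmds):
    room = _headroom(data) - HEADER_SIZE
    if len(blob) > room:
        raise ValueError("load commands would overrun the first section; no padding left")
    return (data[:16] + struct.pack("<II", ncmds, len(blob)) + data[24:HEADER_SIZE]
            + blob.ljust(room, b"\0") + data[HEADER_SIZE + room:])

def insert_weak_dylib(data, path):
    """What `insert_dylib --weak` does: append an LC_LOAD_WEAK_DYLIB load command."""
    cmds = load_commands(data)
    sizeofcmds = struct.unpack_from("<I", data, 20)[0]
    blob = data[HEADER_SIZE:HEADER_SIZE + sizeofcmds] + _build_dylib_cmd(LC_LOAD_WEAK_DYLIB, path)
    return _write_load_commands(data, blob, len(cmds) + 1)

def change_dylib_path(data, old, new):
    """What `install_name_tool -change OLD NEW` does: rewrite the matching dylib command,
    shifting the commands after it when the new path is longer or shorter than the old."""
    cmds, blob, hit = load_commands(data), b"", False
    for off, cmd, size in cmds:
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB) and _dylib_name(data, off, size) == old:
            blob, hit = blob + _build_dylib_cmd(cmd, new), True
        else:
            blob += data[off:off + size]
    if not hit:
        raise ValueError("%s is not referenced by this Mach-O" % old)
    return _write_load_commands(data, blob, len(cmds))

def build_sample_macho():
    """Constructed arm64 Mach-O (not a real binary): header, a __TEXT segment whose __text
    section starts at file offset 0x200, two LC_LOAD_DYLIB commands, zero padding up to
    0x200, then four `ret` instructions as stand-in code."""
    section = (b"__text".ljust(16, b"\0") + b"__TEXT".ljust(16, b"\0")
               + struct.pack("<QQIIIIIIII", 0x100000200, 16, 0x200, 2, 0, 0, 0x80000400, 0, 0, 0))
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                          0x100000000, 0x1000, 0, 0x210, 5, 5, 1, 0) + section
    cmds = (segment + _build_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")
            + _build_dylib_cmd(LC_LOAD_DYLIB, "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate"))
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0)
    return (header + cmds).ljust(0x200, b"\0") + b"\xc0\x03\x5f\xd6" * 4

if __name__ == "__main__":
    macho = build_sample_macho()
    macho = insert_weak_dylib(macho, "@executable_path/tweak_test.dylib")
    macho = change_dylib_path(macho, "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate",
                              "@loader_path/CydiaSubstrate")
    for path, weak in linked_dylibs(macho):
        print("LC_LOAD_WEAK_DYLIB" if weak else "LC_LOAD_DYLIB", path)
```

Real binaries also carry an LC_CODE_SIGNATURE command; the script leaves it alone, which is harmless here because any edit invalidates the old signature and the file is re-signed with codesign afterwards anyway. Decrypted App Store binaries and Theos dylibs are fat or thin arm64 files; the parser above handles the thin little-endian case only, so run it on one architecture slice.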

5) Signing the dynamic libraries

Every dynamic library (.framework, .dylib), App Extension (the PlugIns folder, extensions named *.appex) and Watch app (the Watch folder) inside the .app bundle must be re-signed.

$ cd <inside the .app bundle>
$ codesign -fs <certificate ID or name> xxx.dylib

6) Other

  • Viewing a Mach-O file's dynamic library dependencies

To check whether the main Mach-O now loads the dylib produced by the tweak, or to see which libraries a dylib itself loads (a dynamic library is itself a Mach-O file):

$ otool -l <Mach-O file>

(`otool -L` prints just the linked libraries, without the other load commands.)

  • sigh (https://github.com/fastlane/fastlane/tree/master/sigh), one of the fastlane (https://github.com/fastlane/fastlane) tools, manages provisioning profiles:

$ sudo gem install sigh

  • If the app supports only iPhone and not iPad, you can remove the unsupported device from the supported-devices setting in Info.plist.

References

Tools

  1. AppBox
  2. code signing: A new approach to code signing
  3. insert_dylib
  4. iOS App Signer

Links

  1. Apple: Code Signing Guide
  2. Inside Code Signing (Chinese)
  3. iOS Code Signing: Under The Hood
  4. Principles of iOS App signature
  5. Rambling on about certificates and signing mechanisms for iOS applications