If we use Method Swizzling in our own project, can others hook our project too?
1. Write the basic protection: hooking is allowed inside the app, but not from outside
1. New project "Basic Protection": write a simple page.
The code is as follows:
2. Requirement: externally hook btnClick2, internally hook btnClick1. The external hook of btnClick2 must fail, while the internal hook of btnClick1 must keep working.
3. Drag in the fishhook code and create the hookMgr class:
#import "hookMgr.h"
#import <objc/runtime.h>
#import "fishhook.h"

// Retain the original exchange function (filled in by rebind_symbols)
void (*exchangeP)(Method _Nonnull m1, Method _Nonnull m2);

// Replacement: every later call to method_exchangeImplementations lands here
void myExchang(Method _Nonnull m1, Method _Nonnull m2) {
    NSLog(@"hook detected");
}

@implementation hookMgr

+(void)load {
    // Internal swizzle of btnClick1, done before the rebinding so it still takes effect
    Method old = class_getInstanceMethod(objc_getClass("ViewController"), @selector(btnClick1:));
    Method new = class_getInstanceMethod(self, @selector(click1Hook:));
    method_exchangeImplementations(old, new);

    // Rebind method_exchangeImplementations with fishhook
    struct rebinding bd;
    bd.name = "method_exchangeImplementations";
    bd.replacement = (void *)myExchang;
    bd.replaced = (void *)&exchangeP;
    struct rebinding rebindings[] = {bd};
    rebind_symbols(rebindings, 1);
}

-(void)click1Hook:(id)sender {
    NSLog(@"original APP hook");
}

@end
Description:
- Before adding the protection, write the internal code that needs a Runtime exchange first, for example the internal hook of btnClick1; all other hooks are then disabled.
- fishhook is used to hook method_exchangeImplementations, so that when method_exchangeImplementations is later called from outside, the call is invalidated.
4. Run and click button 1 and button 2 in turn: the internal hook of btnClick1 takes effect, and for now nothing external hooks any method.
2. Prepare the IPA
1. Package the IPA
- Copy Basic Protection.app
- Create a folder named Payload and copy Basic Protection.app into it
- cd to the parent directory of Payload and run the following command to zip it into an IPA:
zip -ry Hook.ipa Payload
3. External hook: inject code
1. New project: Hook Basic Protection
iOS reverse engineering: code injection (Framework)
Hook btnClick2:
#import "WJHook.h"
#import <objc/runtime.h>

@implementation WJHook

+(void)load {
    Method old = class_getInstanceMethod(objc_getClass("ViewController"), @selector(btnClick2:));
    Method new = class_getInstanceMethod(self, @selector(click2Hook:));
    method_exchangeImplementations(old, new);
}

-(void)click2Hook:(id)sender {
    NSLog(@"btnClick2 successfully");
}

@end
Run and click button 1 and button 2 in turn: the btnClick2 exchange succeeds, so the protection has failed.
2. Consider the cause of the protection failure
- 1. Add NSLog(@"hookMgr--load") to the load method of hookMgr in the Basic Protection project;
- 2. Add NSLog(@"ViewController--load") to the load method of ViewController;
- 3. Add a load method to the AppDelegate:
+(void)load{
    NSLog(@"AppDelegate--Load");
}
- 4. Compile the Basic Protection project and run it again to generate Basic Protection.app, then repackage it:
zip -ry Hook.ipa Payload
- 5. Copy Hook.ipa to the APP folder of the Hook Basic Protection project, open that project, and add the following to the load method of WJHook:
NSLog(@"WJHook---load");
Then run.
WJHook (the attacker) is loaded first and hookMgr (the guard) is loaded last, so the attacking exchange has already happened by the time the guard runs, and the guard is obviously useless. This is why btnClick2 is still swapped externally and hookMgr does not protect it.
3. Solutions
1. Change the order of Compile Sources
Before the change:
After the change:
2. Since the external dynamic library is loaded first, the defender creates its own dynamic library
- Create a new dynamic library antiHook in the Basic Protection project
- Compile and run
- Generate Basic Protection.app and repackage it:
zip -ry Hook.ipa Payload
- Copy Hook.ipa to the APP folder of the Hook Basic Protection project
3. Open the Hook Basic Protection project and run it
- Our guard hookMgr now executes first and detects the hook
- At this point the btnClick2 method can no longer be exchanged externally with Method Swizzling
4. Disadvantages
- If you want to exchange methods inside hookMgr, the exchange code has to be written inside hookMgr in advance, before the protection is installed.
- Because nothing can be hooked internally any more, third-party libraries that use Method Swizzling need extensive modification: every method_exchangeImplementations call used in the project has to be replaced with exchangeP.
- A hook done with Cydia Substrate or MonkeyDev still succeeds
5. MonkeyDev as an example
1. Create a MonkeyDev project MonkeyDemo (MonkeyDev has to be installed first)
2. Copy the protected Hook.ipa to the MonkeyDemo->TargetApp folder
- %hook ViewController means the ViewController class is hooked
- -(void)btnClick2:(id)sender with %orig means btnClick2 is hooked and the original is still called
- hookMgr was loaded first, but MonkeyDev still managed to hook
6. Why can MonkeyDev and Cydia Substrate still hook successfully?
1. First, understand the components of Cydia Substrate (MonkeyDev also integrates Cydia Substrate). Cydia Substrate consists of three main parts:
- 1.MobileHooker
MobileHooker is used for hooking, as the name suggests. It defines a series of macros and functions that use the Objective-C runtime and fishhook at the lowest level to replace system or target-application functions. It has two functions:
- MSHookMessageEx works primarily on Objective-C methods
void MSHookMessageEx(Class class, SEL selector, IMP replacement, IMP result)
- MSHookFunction works mainly on C and C++ functions
void MSHookFunction(void *function, void *replacement, void **p_original)
- 2.MobileLoader
MobileLoader is used to load third-party dylibs into a running application. When MobileLoader starts, it automatically loads the third-party dynamic libraries in a specified directory, which is where the hack we wrote lives.
- 3. Safe mode
Because the quality of apps varies, crashes are inevitable. Cracking programs are dylibs by nature, parasitic in other people's processes; if an error occurs in a system process, the whole process may crash and the iOS system may break down. Therefore Cydia Substrate introduced safe mode, in which all third-party dylibs based on Cydia Substrate are disabled, which makes error detection and repair convenient.
- At the lowest level, MSHookMessageEx calls the Objective-C runtime and fishhook to replace system or target-application functions
So in our guard code we only protected method_exchangeImplementations, while method_setImplementation and method_getImplementation are not protected. It is therefore assumed that Cydia Substrate hooks through these two functions.
3. Experiment
- Add protection for method_setImplementation and method_getImplementation in the Basic Protection 2 project
- Compile and generate Basic Protection.app, and package it again into Hook.ipa
- Copy Hook.ipa to the MonkeyDemo->TargetApp folder
- Run the MonkeyDemo project
As shown in the figure, the MonkeyDev hook is now blocked: when the hook is detected, the app is forced to exit.
So, is the above protection really unbreakable? By modifying the Mach-O file so that the hooking dynamic library is loaded before the protecting dynamic library, the hook can still be done, because the protection is installed only after the hook has already succeeded. But it is hard for novices to get past. Attack and defense both remain something to keep learning!
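The guard described in sections 4 and 6, written out as an added example (this is not the article's own code): all three runtime entry points are rebound with fishhook in one call, and the app's own swizzle goes through a helper that falls back to the saved original once the guard is installed, which is the exchangeP replacement the disadvantages section asks for. AntiHookGuard and internalExchange are assumed names; ViewController, btnClick1: and click1Hook: are taken from the article.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <stdlib.h>
#import "fishhook.h"

// Originals saved by rebind_symbols(); the app's own code must call these
// instead of the public symbols once the guard is installed.
static void (*orig_exchange)(Method, Method);
static IMP  (*orig_setImp)(Method, IMP);
static IMP  (*orig_getImp)(Method);

// Replacements reached by any later caller (e.g. an injected dylib).
// As in the article's experiment, a detected hook is logged and the app exits.
static void guardedExchange(Method m1, Method m2) {
    NSLog(@"hook detected: method_exchangeImplementations"); exit(0);
}
static IMP guardedSetImp(Method m, IMP imp) {
    NSLog(@"hook detected: method_setImplementation"); exit(0);
}
static IMP guardedGetImp(Method m) {
    NSLog(@"hook detected: method_getImplementation"); exit(0);
}

// Swizzle helper for the app's own code (assumed name): before the guard is
// installed it uses the public symbol, afterwards the saved original.
static void internalExchange(Class cls, SEL sel, Class hookCls, SEL hookSel) {
    Method target = class_getInstanceMethod(cls, sel);
    Method hook = class_getInstanceMethod(hookCls, hookSel);
    if (!target || !hook) return;
    (orig_exchange ? orig_exchange : method_exchangeImplementations)(target, hook);
}

@interface AntiHookGuard : NSObject
@end

@implementation AntiHookGuard
+ (void)load {
    // Internal swizzle first, while the public symbol still does the exchange.
    internalExchange(objc_getClass("ViewController"), @selector(btnClick1:),
                     self, @selector(click1Hook:));
    // Then rebind all three runtime entry points in one call.
    struct rebinding r[] = {
        {"method_exchangeImplementations", (void *)guardedExchange, (void **)&orig_exchange},
        {"method_setImplementation",       (void *)guardedSetImp,   (void **)&orig_setImp},
        {"method_getImplementation",       (void *)guardedGetImp,   (void **)&orig_getImp},
    };
    rebind_symbols(r, 3);
}
- (void)click1Hook:(id)sender { NSLog(@"original APP hook"); }
@end
```

Build this into the antiHook dylib so that its +load runs before the main app's classes; as the article's load-order experiment shows, the guard only helps if it is installed before the injected code calls the runtime.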