1. Application signatures

  • Review of application signature principles

The previous post, “iOS Reverse Development (3) Application Signing”, explained iOS application signing and the certificate principle in detail. This post focuses on practice: how to work within Apple’s certificate signing, re-sign an app with our own certificate, and then install the re-signed app on any phone we control.

  • Next, I will re-sign the app in three ways.

2. Three ways to re-sign the app

  • In the end, every method signs the app with codesign, the tool Apple ships with Xcode. It does most of the work for us, so a re-sign takes just a few commands. Everything looks so easy!!
  • So, next, we’re going to re-sign the app in three different ways, using a free (personal) development certificate.

2.0 Signature preparations

  • The app we re-sign here is WeChat, a blockbuster app that everyone uses. The version I use is WeChat 7.0.8.
  • On the Mac we can install a tool called PP Assistant, which lets us download the IPA package we want. Other assistant tools work too, or you can find the IPA online.

  • Let’s review the developer-certificate flow from our previous blog, “iOS Reverse Development (3) App Signing.”
  • The signing process a developer goes through when debugging an app on a real phone:
  1. The Mac generates a key pair: public key M and private key M.
  2. Public key M is sent to Apple’s server (inside the CSR). Apple signs it with its private key A, producing a certificate, and returns the certificate to Xcode.
  3. Xcode downloads the provisioning profile and other description files, signs the app’s code (the hashes of its executable and resources) with private key M, and packages the app, the signature, the certificate and the profile together into the IPA.
  4. The phone verifies two signatures. First it verifies the certificate with public key A, which is built into iOS, and thereby trusts public key M; then it checks the provisioning profile (bundle identifier, devices, entitlements) to see whether the install is permitted; finally it verifies the app signature with public key M.
  5. Public key A in the phone corresponds to private key A on Apple’s server. Only Apple can issue a certificate, but every phone can verify one.
  • Some encoding and re-signing commands you will also need:
  1. Base64-encode a file: base64 -i test.txt -o new.txt
  2. Base64-decode: base64 -D -i new.txt -o abc.txt
  3. Generate an RSA private key with OpenSSL: openssl genrsa -out private.pem 512 (512 bits is only for a quick demonstration; never use keys this small for anything real)
  4. Derive the public key from the private key: openssl rsa -in private.pem -out public.pem -pubout
  5. View the RSA key in plaintext: openssl rsa -in private.pem -text -out private.text
  6. View the decoded contents of a CSR: openssl asn1parse -i -in CertificateSigningRequest.certSigningRequest
  7. View a provisioning profile: cd ~/Library/MobileDevice/Provisioning\ Profiles && security cms -D -i e871987c-b4c5-4658-8338-f6e4cabaff8e.mobileprovision
  8. Check the signature information: unzip the IPA, enter Payload, and inspect the signature of the .app: codesign -vv -d WeChat.app
  9. List all certificates: security find-identity -v -p codesigning
  10. Check whether the Mach-O executable is encrypted: show the package contents of the .app, find the executable with the same name as the app, and run otool -l WeChat | grep crypt
  11. security find-identity -v -p codesigning: list the certificates in your keychain that can be used for code signing
  12. codesign -fs "certificate string" file-name: force-replace the signature on a file
  13. chmod +x executable: add execute permission to a file
  14. security cms -D -i ../embedded.mobileprovision: view a provisioning profile
  15. codesign -fs "certificate string" --no-strict --entitlements=entitlements.plist app-package: re-sign a whole .app with the given entitlements
  16. zip -ry output-file input-file: compress the input into the output file (an IPA is just a zip of a Payload directory)
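To make the relationship between the two key pairs concrete, here is an added example (not code from the original post, and not Apple's) that models the chain in pure Python with a toy RSA: Apple's private key A signs the developer's public key M to make the certificate and also signs the profile; private key M signs the app; the phone holds only public key A and verifies the certificate, the profile and the code signature in turn. The key sizes, the bundle identifier com.example.wechatdemo, the entitlement names and the stand-in binary are all assumptions made for the demo.

```python
"""Toy model of the two-level signing chain reviewed above (added example,
not code from the original post). Textbook RSA with deliberately tiny
128-bit keys so it runs on the standard library alone; real iOS signing
uses X.509 certificates, CMS-signed profiles and RSA-2048 or ECDSA.
All names (bundle id, entitlements, key labels) are this example's own."""
import hashlib
import json
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (good enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=128):
    """Return ((n, e), (n, d)): public key first, then private key."""
    e, half = 65537, bits // 2
    while True:
        p = random.getrandbits(half) | (1 << (half - 1)) | 1
        q = random.getrandbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and _is_probable_prime(p) and _is_probable_prime(q):
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data, n):
    """SHA-256 of data, truncated so it is smaller than the modulus n."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - (n.bit_length() - 1))

def sign(priv, data):        # private-key operation: only the key holder can do this
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):  # public-key operation: anyone holding the public key can check
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def pubkey_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def issue_certificate(apple_priv, dev_pub):
    """Apple SIGNS developer public key M with Apple private key A (nothing is encrypted)."""
    body = pubkey_bytes(dev_pub)
    return {"pubkey": body, "sig": sign(apple_priv, body)}

def issue_profile(apple_priv, app_id, entitlements, dev_pub):
    """Provisioning profile: which certificate may install which bundle id with which
    entitlements. Also signed by Apple, so the developer cannot edit it."""
    body = json.dumps({"app_id": app_id, "entitlements": sorted(entitlements),
                       "pubkey": pubkey_bytes(dev_pub).decode()}, sort_keys=True).encode()
    return {"body": body, "sig": sign(apple_priv, body)}

def device_verify(apple_pub, cert, profile, binary, app_sig, bundle_id, wanted):
    """The checks the phone performs at install time; returns (ok, reason)."""
    if not verify(apple_pub, cert["pubkey"], cert["sig"]):      # 1. is key M vouched for by Apple?
        return False, "certificate not signed by Apple"
    dev_pub = tuple(int(x) for x in cert["pubkey"].split(b":"))
    if not verify(apple_pub, profile["body"], profile["sig"]):  # 2. is the profile genuine?
        return False, "profile not signed by Apple"
    prof = json.loads(profile["body"])
    if prof["pubkey"] != cert["pubkey"].decode():
        return False, "profile does not authorise this certificate"
    if prof["app_id"] != bundle_id:
        return False, "bundle identifier not covered by profile"
    if not set(wanted) <= set(prof["entitlements"]):
        return False, "entitlements exceed what the profile grants"
    if not verify(dev_pub, binary, app_sig):                    # 3. does key M sign this exact code?
        return False, "code signature does not match the binary"
    return True, "ok"

def run_scenarios():
    """One valid install and three rejections; returns {name: (ok, reason)}."""
    apple_pub, apple_priv = keygen()      # public key A ships inside iOS
    dev_pub, dev_priv = keygen()          # key pair M generated on the Mac
    cert = issue_certificate(apple_priv, dev_pub)
    ents = ["get-task-allow", "keychain-access-groups"]
    bid = "com.example.wechatdemo"        # constructed bundle id
    profile = issue_profile(apple_priv, bid, ents, dev_pub)
    binary = b"\xcf\xfa\xed\xfe constructed stand-in for the WeChat Mach-O"
    app_sig = sign(dev_priv, binary)
    rogue_pub, rogue_priv = keygen()      # attacker's key, never seen by Apple: self-signed cert
    rogue_cert = {"pubkey": pubkey_bytes(rogue_pub), "sig": sign(rogue_priv, pubkey_bytes(rogue_pub))}
    return {
        "valid": device_verify(apple_pub, cert, profile, binary, app_sig, bid, ents),
        "tampered_binary": device_verify(apple_pub, cert, profile, binary + b"\x90", app_sig, bid, ents),
        "self_signed_cert": device_verify(apple_pub, rogue_cert, profile, binary, sign(rogue_priv, binary), bid, ents),
        "wrong_bundle_id": device_verify(apple_pub, cert, profile, binary, app_sig, "com.tencent.xin", ents),
    }
```

run_scenarios() shows why a patched binary, a self-signed certificate or a bundle identifier the profile does not list is rejected while the properly signed build installs. This is also why the re-signing sections below never touch Apple's signature at all: they replace the developer signature (key M) with one whose certificate and profile Apple has actually issued to us.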

2.1 Re-signing with codesign

  • First, we enter the directory where we downloaded WeChat.app and run the following command to look at its current signature: codesign -v -d WeChat.app

The downloaded (already decrypted) WeChat 7.0.8 package looks like this:

  • If we want to sign with the codesign command, we need to pass the certificate (signing identity) after the command.

  • To list the certificates on the Mac, run: security find-identity -v -p codesigning

  • Next, we enter WeChat.app to check the contents of the package:

  • We use otool to view the load commands of the WeChat executable. In the terminal, run: otool -l WeChat
  • We can also redirect this output to a text file: otool -l WeChat > ~/Desktop/123.txt

  • Or we can filter out just the cryptid fields with the command: otool -l WeChat | grep crypt

otool -l WeChat prints every load command; piping it through grep keeps only the lines containing “crypt”, i.e. the LC_ENCRYPTION_INFO entries.

cryptid == 0 means the executable is not encrypted; cryptid == 1 means it is. This is the App Store (FairPlay) encryption: the encryption is symmetric, because the whole executable has to be encrypted, and it is the App Store that encrypts it.

  • Let’s think about a question: when is it decrypted?

At install time or at run time? For security it has to be run-time decryption, and it is decrypted again every time the app launches. This costs some performance, but Apple accepts that in order to keep the binary encrypted on disk.

  • An app that is still encrypted (cryptid == 1) cannot simply be re-signed and installed: its code would still be ciphertext. That is why we start from a decrypted (cracked) IPA whose executable shows cryptid == 0.
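The otool | grep crypt check can be reproduced without otool. The following added example (not code from the original post) parses the Mach-O header and walks the load commands looking for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64, and goes beyond the post by also handling fat (multi-architecture) binaries, which App Store IPAs often are. The two sample binaries are constructed inside the file (headers plus an encryption-info command, no real code); to check a real dump, call encryption_info(open("WeChat", "rb").read()).

```python
"""Report the FairPlay cryptid of a Mach-O executable, doing offline what
otool -l WeChat | grep crypt does on the Mac. Added example, not code from
the original post. Handles thin and fat binaries. The sample binaries below
are constructed: minimal headers with an LC_ENCRYPTION_INFO command, no code."""
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_UUID, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x1B, 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C

def _parse_thin(data):
    """Walk the load commands of one little-endian Mach-O slice."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32                     # mach_header_64 (trailing reserved field)
    elif magic == MH_MAGIC:
        off = 28                     # mach_header
    else:
        raise ValueError(f"unsupported Mach-O magic {magic:#x}")
    cputype, _subtype, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<iIIIII", data, 4)
    info = {"cputype": cputype, "cryptid": None, "cryptoff": None, "cryptsize": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        off += cmdsize
    return info

def encryption_info(data):
    """Return one dict per architecture slice (the fat header is big-endian)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">iIIII", data, 8 + 20 * i)
            slices.append(_parse_thin(data[offset:offset + size]))
        return slices
    return [_parse_thin(data)]

def is_decrypted(data):
    """True when no slice is FairPlay-encrypted; only then is re-signing useful."""
    return all(s["cryptid"] in (0, None) for s in encryption_info(data))

# ---- constructed sample binaries (headers only, no code) ----
def _build_thin(is64, cputype, cryptid):
    lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     24 if is64 else 20, 0x4000, 0x10000, cryptid)
    if is64:
        lc += struct.pack("<I", 0)   # pad field of encryption_info_command_64
    cmds = lc + struct.pack("<II", LC_UUID, 24) + bytes(16)   # unrelated command the walker must skip
    if is64:
        hdr = struct.pack("<IiIIIIII", MH_MAGIC_64, cputype, 0, 2, 2, len(cmds), 0, 0)
    else:
        hdr = struct.pack("<IiIIIII", MH_MAGIC, cputype, 0, 2, 2, len(cmds), 0)
    return hdr + cmds

def _build_fat(slices):
    hdr = struct.pack(">II", FAT_MAGIC, len(slices))
    table, body, offset = b"", b"", 0x1000
    for cputype, blob in slices:
        table += struct.pack(">iIIII", cputype, 0, offset, len(blob), 12)
        padded = blob + bytes(-len(blob) % 0x1000)
        body, offset = body + padded, offset + len(padded)
    return (hdr + table).ljust(0x1000, b"\0") + body

SAMPLE_ENCRYPTED = _build_fat([(CPU_TYPE_ARM64, _build_thin(True, CPU_TYPE_ARM64, 1)),
                               (CPU_TYPE_ARM, _build_thin(False, CPU_TYPE_ARM, 1))])
SAMPLE_DECRYPTED = _build_fat([(CPU_TYPE_ARM64, _build_thin(True, CPU_TYPE_ARM64, 0)),
                               (CPU_TYPE_ARM, _build_thin(False, CPU_TYPE_ARM, 0))])

if __name__ == "__main__":
    for label, blob in (("store copy", SAMPLE_ENCRYPTED), ("cracked copy", SAMPLE_DECRYPTED)):
        for s in encryption_info(blob):
            print(f"{label}: cputype {s['cputype']:#x} cryptid {s['cryptid']}")
```

A slice with no LC_ENCRYPTION_INFO at all (cryptid None) is treated as unencrypted, which matches what you see in otool output for a plain development build: nothing to grep.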

2.1.1 Manually re-signing the app

  • With all of this preparation done, now we really start re-signing.

  • First, we go into the WeChat.app directory and find the PlugIns directory. A free certificate cannot sign app extensions (plug-ins), so we have to delete them.

  • Then we find the Watch directory. It also contains extensions, so we delete it too.

  • Next, we find the Frameworks directory, where every .framework must be re-signed with our own certificate.

  • On the command line, cd into WeChat.app/Frameworks/ and run ls; there are 6 framework files, as follows:

  • Next, I will use my own certificate, “Apple Development: Chen Lin (QY73GRZ4AG)”, to sign each of the six frameworks with: codesign -fs "Apple Development: Chen Lin (QY73GRZ4AG)" xxx.framework

  • As shown in the figure above, the system pops up a dialog asking for access to the private key in the keychain. Enter the login password of your Mac account and choose Always Allow. Once allowed, you can see the message reporting that the signature was replaced, as follows:

  • We run the same command for each of the six frameworks in turn.

  • Next, let’s look at the executable file WeChat. How can we tell whether the executable has execute permission?

In Finder, the icon colour gives it away: a black (Unix executable) icon means the file is executable, a white (plain document) icon means it is not.

  • We now run chmod +x WeChat inside WeChat.app to add execute permission to the executable.

  • Next, we also need to add a provisioning profile (embedded.mobileprovision, the “description file”) to WeChat.app.

  • We obtain a new provisioning profile by creating a new demo project. We cannot write a profile ourselves; only Apple’s server can issue one, and Xcode applies for it on our behalf when we create the project.

  • Even after Xcode has obtained the profile, it is not installed on the iPhone until the project has actually been run on the device, so press Command+R to run the demo on the real phone.

  • The first time an app signed with this certificate runs on the iPhone, the system asks you to trust the developer; it does not ask again afterwards. When this is done, the profile we need is installed on the phone.

  • We can take the generated profile from Products/WeChatDemo.app of the WeChatDemo project.

  • After locating it, we copy embedded.mobileprovision with Command+C and paste it into the WeChat.app directory with Command+V. This gives WeChat.app a provisioning profile of our own.

  • After the profile is copied into WeChat.app, we also need to update the bundle identifier in WeChat.app’s Info.plist so that it matches the profile (i.e. the demo project’s bundle identifier).

  • Next, we need to sign the whole WeChat.app package, and for that we need the entitlements contained in the profile we just obtained.

  • First we copy the profile into the same directory as WeChat.app.

  • Take a look at the profile on the command line: security cms -D -i embedded.mobileprovision

  • The important part of the profile is the Entitlements dictionary; this is the content of our entitlements file:

  • For convenience, we create a new plist file in the demo project we created earlier and paste the Entitlements dictionary into it.

  • Let’s confirm that the plist was copied correctly:

  • We have successfully extracted the entitlements from the profile into the new kongyuluWechatEnt.plist file.

  • Then we copy this file into the same directory as WeChat.app:

  • Now comes the important step. On the command line, run codesign -fs "certificate name" --no-strict --entitlements=kongyuluWechatEnt.plist WeChat.app, that is:

codesign -fs "Apple Development: chen lin (QY73GRZ4AG)" --no-strict --entitlements=kongyuluWechatEnt.plist  WeChat.app

  • With that, the manual re-sign is done. A WeChat.app processed this way looks to the iPhone like a development build of our own app, so it can be installed directly on our phone.

  • Next, we can test whether the re-signed WeChat.app installs on the phone.

  • First open Xcode and press Command+Shift+2 to bring up the Devices and Simulators window.

  • After selecting WeChat.app, it asks whether you want to overwrite the existing install. Choose Yes.

  • There are a lot of steps in a manual re-sign. Here is a summary, in 9 steps:
  1. Create the project WeChatDemo, select the certificate, and run it on a real device.
  2. Show the package contents; because a free certificate cannot re-sign extensions, delete the PlugIns folder and the extensions under Watch.
  3. Re-sign the frameworks in Frameworks (some packages have no Frameworks; then skip this step): cd into the Frameworks folder, list identities with security find-identity -v -p codesigning, then run codesign -fs "iPhone Developer: [email protected] (Q4M32A5HU5)" xxx.framework for each framework, using the same certificate as the project.
  4. Give the executable execute permission: chmod +x WeChat
  5. In the WeChatDemo project, show the package contents of Products/WeChatDemo.app, locate embedded.mobileprovision, and copy it into the WeChat.app package that needs to be re-signed.
  6. Copy the WeChatDemo project’s bundle identifier into the Bundle identifier of Info.plist inside WeChat.app.
  7. Run security cms -D -i embedded.mobileprovision on the profile from step 5, find Entitlements, and copy the <dict> under it (in the plist’s source-code view) into a new plist file, giving the following:
  8. Put the plist file from step 7 and WeChat.app in a new folder for re-signing, and run the codesign command above.
  9. Install: Xcode Command+Shift+2 opens Devices, press + and select the re-signed WeChat.app (or an IPA zipped from it).
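Steps 5 to 7 above (copy embedded.mobileprovision, match the bundle identifier, extract the Entitlements dictionary into a plist) can be scripted. The following added example (not code from the original post) pulls the plist out of a .mobileprovision, writes the Entitlements out as the plist that codesign --entitlements expects, and runs the checks the phone makes against the profile: expiry, team, application-identifier (exact or trailing wildcard) and the device list. The sample profile is constructed inline and wrapped in stand-in bytes rather than a real CMS envelope; the team id ABCDE12345, the UDID and the certificate blob are made up.

```python
"""Pull the Entitlements out of an embedded.mobileprovision and check whether the
profile covers a bundle id and device, doing offline what security cms -D -i does
on the Mac. Added example, not code from the original post. A .mobileprovision is
a DER-encoded CMS SignedData whose payload is an XML plist; the sample below is a
constructed plist wrapped in stand-in bytes, NOT a real CMS structure, and the
team id, UDID and certificate blob in it are made up."""
import plistlib
from datetime import datetime, timezone

def extract_plist(blob):
    """Locate the embedded XML plist inside the CMS envelope and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def entitlements_plist(blob):
    """The plist to pass to codesign --entitlements: only the Entitlements dict."""
    return plistlib.dumps(extract_plist(blob)["Entitlements"])

def profile_covers(info, bundle_id, udid=None):
    """Checks the phone makes before accepting an install from this profile: not expired,
    team id consistent, application-identifier matches (exact or trailing wildcard), and,
    for a development profile, this device is listed in ProvisionedDevices."""
    now = datetime.now(timezone.utc).replace(tzinfo=None)   # plistlib dates are naive UTC
    if info["ExpirationDate"] < now:
        return False, "profile expired"
    app_id = info["Entitlements"]["application-identifier"]
    team, _, pattern = app_id.partition(".")
    if team not in info.get("TeamIdentifier", []):
        return False, "application-identifier prefix is not the profile's team"
    matched = bundle_id.startswith(pattern[:-1]) if pattern.endswith("*") else bundle_id == pattern
    if not matched:
        return False, f"bundle id {bundle_id} not covered by {app_id}"
    devices = info.get("ProvisionedDevices")
    if devices is not None and udid not in devices:
        return False, "device UDID not in ProvisionedDevices"
    return True, "ok"

# ---- constructed sample profile ----
_SAMPLE_PROFILE = {
    "AppIDName": "WeChatDemo",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],       # made-up team id
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Example Developer",
    "ProvisionedDevices": ["00008020-000000000000002E"],  # made-up UDID
    "ExpirationDate": datetime(2099, 1, 1, 0, 0, 0),
    "DeveloperCertificates": [b"\x30\x82\x03\x00 stand-in for a DER certificate"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.wechatdemo",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "get-task-allow": True,            # this is what lets Xcode attach a debugger
        "keychain-access-groups": ["ABCDE12345.*"],
    },
}
# Stand-in for the DER/CMS bytes that surround the plist in a real file.
SAMPLE_MOBILEPROVISION = (b"\x30\x82\x0b\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
                          + plistlib.dumps(_SAMPLE_PROFILE)
                          + b"\xa0\x82\x04\x00" + bytes(32))

if __name__ == "__main__":
    info = extract_plist(SAMPLE_MOBILEPROVISION)
    print(entitlements_plist(SAMPLE_MOBILEPROVISION).decode())
    print(profile_covers(info, "com.example.wechatdemo", "00008020-000000000000002E"))
    print(profile_covers(info, "com.tencent.xin", "00008020-000000000000002E"))
```

The second profile_covers call is the mismatch you get if you forget step 6: the original WeChat bundle identifier is not the one the profile names, so the install is refused. The get-task-allow entitlement in the extracted plist is what makes the re-signed app debuggable, which is the first benefit listed in 2.2.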

2.2 Re-signing using Xcode

  • The manual re-signing process is described in detail above. Many readers must be wondering: why go to so much effort to re-sign at all?

Re-signing an app has at least two benefits:

  1. After re-signing, we can dynamically debug the re-signed app through Xcode.
  2. After re-signing, we can also dynamically inject our own code, which is the basis for cracking or modifying the app.
  • Next we will re-sign through Xcode.
  • (1) First open Xcode and create a new project named WeChat with the shortcut Command+Shift+N.

  • (2) Connect the real iPhone and run the WeChat project on it once (Command+R). This obtains the provisioning profile we need. Then copy the official WeChat.app and use it to replace the WeChat.app in the new project’s Products.

Products/WeChat.app can be found by right-clicking it and choosing Show in Finder, in the Debug-iphoneos directory; replace it directly, as shown below:

  • (3) After the replacement, we still cannot run it on the device through Xcode; a few steps remain. As with manual signing, first delete the extensions we cannot sign: the Watch directory and the PlugIns directory under WeChat.app.

  • (4) Then re-sign all the frameworks under the Frameworks directory.

  • Now we are done: press Command+R to run, and the re-signed WeChat runs on our real device. So easy.

Note: there is no need to change the bundle identifier in the original WeChat app by hand; Xcode automatically changes it to the bundle identifier of our new project when it rebuilds.

  • Here’s a summary of the Xcode re-signing steps:
  1. Create the project WeChat, select the certificate, and run it on a real device.
  2. Replace the WeChat.app in the project’s Products with the real WeChat.app.
  3. Enter the package contents of the replaced WeChat.app and delete the PlugIns and Watch folders.
  4. Re-sign the frameworks in Frameworks (some packages have no Frameworks; then skip this step).
  5. Make sure the bundle identifier in the Info.plist of the replaced WeChat.app is the bundle identifier of the WeChat project (Xcode does this for you when it rebuilds).
  6. Give the executable execute permission: chmod +x WeChat
  7. Run the WeChat project.

Note: the new project must have the same name as the app you want to re-sign, otherwise signing fails and Xcode still runs its own demo rather than the WeChat app you tried to replace, because when Xcode runs it sets the executable name to the name of your project. If the new project is called Demo, renaming Demo.app to WeChat.app is not enough. To do this more gracefully we run a script during the build that performs the re-signing for us.

  • We’ll cover re-signing via shell scripts next.

2.3 Re-signing using shell scripts

  • Create the project cosignAutoDemo, select the certificate and a real device, and create the APP and Temp folders in the project root directory:
  • Xcode -> Build Phases -> + -> New Run Script Phase
  • The shell code in the Run Script phase is as follows:
# ${SRCROOT} is the directory that contains the project file
TEMP_PATH="${SRCROOT}/Temp"
# Folder holding the IPA to be re-signed
ASSETS_PATH="${SRCROOT}/APP"
# Path of the IPA package (the first *.ipa found in APP)
TARGET_IPA_PATH=$(set -- "${ASSETS_PATH}"/*.ipa; echo "$1")

# Recreate the Temp folder
rm -rf "${TEMP_PATH}"
mkdir -p "${TEMP_PATH}"

#----------------------------------------
# 1. Unzip the IPA into Temp
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# Path of the unzipped .app (the first *.app under Payload)
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app; echo "$1")
# echo "The path is: $TEMP_APP_PATH"

#----------------------------------------
# 2. Copy the unzipped .app over the project's own build product
# BUILT_PRODUCTS_DIR: directory of the .app produced by the project
# TARGET_NAME: name of the target
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "app path: $TARGET_APP_PATH"
rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"

#----------------------------------------
# 3. Delete app extensions and the Watch app; a personal certificate cannot sign extensions
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"

#----------------------------------------
# 4. Update CFBundleIdentifier in Info.plist to the project's bundle identifier
# Syntax: "Set :KEY Value" "target file path"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"

#----------------------------------------
# 5. Grant execute permission to the Mach-O executable
# Read the executable's name (CFBundleExecutable) from Info.plist
APP_BINARY=$(/usr/libexec/PlistBuddy -c "Print :CFBundleExecutable" "$TARGET_APP_PATH/Info.plist")
chmod +x "$TARGET_APP_PATH/$APP_BINARY"

#----------------------------------------
# 6. Re-sign the third-party frameworks with the project's signing identity
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ]; then
    for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*
    do
        # EXPANDED_CODE_SIGN_IDENTITY is set by Xcode to the identity chosen in the project
        /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
    done
fi
  • Place the IPA package in the APP folder and run the project. Could it be any easier?
  • We can also save the script as xcodecoDesign.sh, write the path of xcodecoDesign.sh in the Run Script phase instead, and chmod +x xcodecoDesign.sh so that it can be executed.
  • Here is an even easier way: a third-party tool that makes the whole thing almost effortless, installed by following its official instructions.

2.4 Re-signing using the third-party tool MonkeyDev

  1. Install MonkeyDev (download it from the project page and follow its installation instructions).
  2. Create a MonkeyApp project named monkeyDemo.
  3. Put the IPA package in the TargetApp folder of monkeyDemo and run.