Application Signature Principle
Apple uses a two-layer signature scheme. The process is outlined here; the details are covered further on.
- Apple's servers generate a key pair. Apple keeps the private key and ships the public key on every iOS device.
- Locally you generate your own key pair and keep the private key. From the public key you create a CSR file and upload it to the Apple Developer website to request a certificate. The certificate is essentially Apple's server signing your public key with Apple's private key.
- With the certificate in hand, you add a description file (provisioning profile) on the Apple Developer website. The description file contains the Bundle ID (the App ID), the serial numbers of the devices on which the app may be installed, the certificate you just obtained, and the profile's application date and expiration date.
- Put the description file into your app package and sign the app with your local private key.
- Once the app is signed, the device verifies it. First the description file is checked: it is signed by Apple just like the certificate, so the Apple public key built into the phone verifies it. If the description file is valid, the certificate inside it is verified the same way, and the public key in that certificate is then used to verify the signature on the app itself. At this point the device knows the app really was published by the holder of the certificate. Finally the device checks the device serial number, expiration date and so on, and only then lets the app open. If your app crashes immediately on launch, it is usually because some part of the description file is invalid.
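To make the chain concrete, here is an added Go model of the two-layer scheme (example code, not Apple's implementation and not from the original post). It stands in Ed25519 for Apple's real certificate formats and assumes a constructed Apple key pair, developer key pair, bundle ID and device serial; Verify performs the device-side checks in the order the steps above describe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Profile models the description file: bundle ID, allowed device serials, the developer's
// certificate (Apple's signature over the developer's public key) and an expiry, all signed by Apple.
type Profile struct {
	BundleID string
	Devices  map[string]bool // device serials allowed to install
	DevPub   ed25519.PublicKey
	CertSig  []byte // the certificate: Apple's signature over DevPub
	Expires  time.Time
	Sig      []byte // Apple's signature over body(p)
}

func body(p Profile) []byte { // what Apple signs; the device rebuilds it to check Sig (maps print sorted)
	return []byte(fmt.Sprintf("%s|%v|%x|%x|%d", p.BundleID, p.Devices, p.DevPub, p.CertSig, p.Expires.Unix()))
}

// Issue plays Apple's server: sign the developer's public key (the certificate), then the whole profile.
func Issue(applePriv ed25519.PrivateKey, devPub ed25519.PublicKey, bundle string, devices map[string]bool, exp time.Time) Profile {
	p := Profile{BundleID: bundle, Devices: devices, DevPub: devPub, CertSig: ed25519.Sign(applePriv, devPub), Expires: exp}
	p.Sig = ed25519.Sign(applePriv, body(p))
	return p
}

// Verify replays the device's checks in the page's order: profile, certificate, app, then serial and expiry.
func Verify(applePub ed25519.PublicKey, p Profile, app, appSig []byte, serial string, now time.Time) error {
	switch {
	case !ed25519.Verify(applePub, body(p), p.Sig):
		return errors.New("description file signature invalid")
	case !ed25519.Verify(applePub, p.DevPub, p.CertSig):
		return errors.New("certificate was not issued by Apple")
	case !ed25519.Verify(p.DevPub, app, appSig):
		return errors.New("app not signed with the certificate's private key")
	case !p.Devices[serial]:
		return errors.New("device serial not in description file")
	case now.After(p.Expires):
		return errors.New("description file expired")
	}
	return nil
}

func main() {
	applePub, applePriv, _ := ed25519.GenerateKey(rand.Reader) // Apple's key pair (constructed)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)     // the developer's local key pair
	p := Issue(applePriv, devPub, "com.example.app", map[string]bool{"SERIAL-A": true}, time.Now().Add(time.Hour))
	app := []byte("Mach-O bytes (constructed)")
	fmt.Println(Verify(applePub, p, app, ed25519.Sign(devPriv, app), "SERIAL-B", time.Now()))
}
```

Any tampering with the profile, a certificate from another issuer, an unlisted serial or an expired profile each fail at exactly the step the list above places it.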
Application Re-signing
Viewing Signature Information
Find an IPA package for any app: decrypt it yourself or get a decrypted copy from a third-party source (such as Ace Assistant).
Change the IPA's extension to zip and extract it; you get a Payload folder containing the application package, as shown in the following figure:
Open a terminal in the directory containing the application package and enter the following command:
codesign -vv -d AppName.app
This prints the APP's signature information:
List the signable certificates in your keychain
To view the certificates in your keychain that can be used for code signing, enter the following command:
security find-identity -v -p codesigning
View executable information and check whether it is encrypted
Right-click the application package, choose Show Package Contents and find the executable file; its name is usually the same as the app's name:
Enter the following command (MiniLegion is the executable of the example app):
otool -l MiniLegion
# If the output is too long, redirect it to a file
otool -l MiniLegion > content.txt
The output contains many load commands, sections and so on; we will come back to these later.
For now we only care about encryption:
otool -l MiniLegion | grep crypt
If cryptid is 0 the binary is not encrypted; otherwise it is encrypted. This is what "breaking the shell" refers to: IPA packages obtained from third-party platforms have generally already had the shell broken, that is, they are decrypted. An IPA downloaded from the App Store, or simply copied from a jailbroken phone, has not had its shell broken and is still encrypted. How to break the shell is covered in a later article.
Manually re-signing an APP
Right-click the application package and choose Show Package Contents
Delete PlugIns & Watch
Delete the PlugIns and Watch folders (some apps do not have them). Unless you want to study the app's extensions or its watch app they are useless, and signing PlugIns and Watch requires a certificate with the corresponding permissions, which is quite tedious. Deleting them does not affect the app running on the phone.
Re-sign all dynamic libraries in the Frameworks folder
First look at a framework's signature information:
Replace the certificate with the following command to re-sign it:
codesign -fs "Certificate Name" SVProgressHUD.framework
Looking at the signature information again, we find that the signature has been replaced:
Repeat this for every dynamic library in the folder.
Grant execute permission to the executable file
Normally the executable file already has execute permission. Check with:
ls -l | grep MiniLegion
If it does not, add execute permission (x) for the owner, group and others:
chmod 755 MiniLegion
Check again after adding it:
Execute permission is now in place. If it is missing, an error is reported after signing.
Get the description file
Get the description file (the .mobileprovision file). It can be downloaded from the Apple Developer website, but it must come from the same account as the certificate you just used to re-sign the frameworks: the description file and the certificate must match.
An easier way is to let Xcode get it for us: create an empty project, run it on the phone, then go to the Products folder and find the APP package.
Find the file at the corresponding path, right-click, choose Show Package Contents and you will see the description file:
Once you have the description file, copy it into the package contents.
Replace the Bundle ID in the Info.plist file
Find the App ID (the Bundle ID) in the description file.
Then change the Bundle identifier in the Info.plist file to match the description file. My description file is a wildcard profile, so I don't need to change it.
Delete the supported devices entry from the Info.plist file
Look for UISupportedDevices in the Info.plist file, usually near the end. If it is present, delete the whole entry. It lists the device models your application package supports; if the shell was broken on an older phone, fewer models are listed. If you do not remove this entry, the final installation fails with "unable to install".
Obtain the entitlements file
Before the final signing we also need an entitlements file. There are two ways to obtain it:
- In the build log of your empty project that ran successfully, click the signing step to show its details.
After --entitlements we see the entitlements file. Its extension is .xcent, which we are not familiar with, but drag it into a text editor and look:
It is essentially a plist file.
- The other way is to build the entitlements file ourselves. Create a plist file, usually named
entitlements.plist
Find the description file and enter the following command:
security cms -D -i embedded.mobileprovision
This prints a lot of information; search the output for the Entitlements section:
Copy that section into entitlements.plist.
Personally, I recommend the second way, which is certainly not wrong. If it is the first way, I check whether the content needs to be adjusted.
Re-signing and installation
Copy the entitlements file, entitlements.plist, to the same directory as the application package and execute the following command:
codesign -fs "Certificate Name" --no-strict --entitlements=entitlements.plist MiniLegion.app
Finally, verify that the certificate has been changed to our own, then open Devices and Simulators in Xcode and click the plus sign to install:
Unsurprisingly, it installs. (If the phone already has an app with the same bundle ID but a different certificate, delete the old version first.)
Re-signing with Xcode
- Create a new project with the same name as the application package
- Change the bundle ID of the application package to match the project
- Delete PlugIns, Watch and so on
- Re-sign the frameworks in the application package
- Run the empty project
- Replace the project's package with the application package and run again
In general it is a little more convenient to write a script than to do all of this by hand:
# Run Script build phase for Xcode; SRCROOT, BUILT_PRODUCTS_DIR, TARGET_NAME,
# PRODUCT_BUNDLE_IDENTIFIER and EXPANDED_CODE_SIGN_IDENTITY are supplied by Xcode.
# ${SRCROOT} is the directory where the project files are located
TEMP_PATH="${SRCROOT}/Temp"
# Resource folder: create an APP folder under the project directory in advance and put the IPA package in it
ASSETS_PATH="${SRCROOT}/APP"
# Target IPA package path
TARGET_IPA_PATH="${ASSETS_PATH}/*.ipa"
# Clear the Temp folder
rm -rf "${SRCROOT}/Temp"
mkdir -p "${SRCROOT}/Temp"
# ----------------------------------------
# 1. Decompress the IPA into Temp
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# Get the path of the unzipped temporary .app
TEMP_APP_PATH=$(set -- "$TEMP_PATH/Payload/"*.app;echo "$1")
# echo "Path: $TEMP_APP_PATH"
# ----------------------------------------
# 2. Copy the extracted .app into the project
# BUILT_PRODUCTS_DIR: path of the APP package generated by the project
# TARGET_NAME: target name
TARGET_APP_PATH="$BUILT_PRODUCTS_DIR/$TARGET_NAME.app"
echo "App path: $TARGET_APP_PATH"
rm -rf "$TARGET_APP_PATH"
mkdir -p "$TARGET_APP_PATH"
cp -rf "$TEMP_APP_PATH/" "$TARGET_APP_PATH"
# ----------------------------------------
# 3. Delete extensions and the Watch app: a personal certificate cannot sign extensions
rm -rf "$TARGET_APP_PATH/PlugIns"
rm -rf "$TARGET_APP_PATH/Watch"
# ----------------------------------------
# 4. Update CFBundleIdentifier in Info.plist
# Syntax: "Set :KEY Value" "path to the plist"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $PRODUCT_BUNDLE_IDENTIFIER" "$TARGET_APP_PATH/Info.plist"
# ----------------------------------------
# 5. Grant execute permission to the Mach-O file
# Get the Mach-O file name from CFBundleExecutable
APP_BINARY=`plutil -convert xml1 -o - "$TARGET_APP_PATH/Info.plist" | grep -A1 Exec | tail -n1 | cut -f2 -d\> | cut -f1 -d\<`
# Add execute permission
chmod +x "$TARGET_APP_PATH/$APP_BINARY"
# ----------------------------------------
# 6. Re-sign the third-party frameworks
TARGET_APP_FRAMEWORKS_PATH="$TARGET_APP_PATH/Frameworks"
if [ -d "$TARGET_APP_FRAMEWORKS_PATH" ];
then
for FRAMEWORK in "$TARGET_APP_FRAMEWORKS_PATH/"*
do
# Sign
/usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" "$FRAMEWORK"
done
fi
First run the empty project on the phone once, then add the script as a Run Script build phase and run again.
Other
Commands to decompress an IPA and to generate one:
# decompress
unzip -oqq "$TARGET_IPA_PATH" -d "$TEMP_PATH"
# compress the Payload folder into an IPA
zip -ry WeChat.ipa Payload
- Re-signing tool: iOS App Signer
- Well-known application reverse-engineering framework: MonkeyDev