Xiaogu's going-bald series
Today, a quick look at obfuscation and hardening.
(The project at Xiaogu's company has actually been scripted; the key points are the same methods described here.)
1. Obfuscating function names
- When we analyze code, class-dump generates header files, and many of the class and function names give away what they do just by their name.
- That puts the person analyzing your app in a very comfortable position, young man.
- That's the function name in our demo.
- So we came up with an idea: obfuscate the function names.
- The easiest way to do this is simply to #define them:
    #define ConfuseTest xgsufehdfdakldfgs
    #define test sdsdsdsdsjhhfbsgh
- This serves the purpose of obfuscating the function names.
- Note: the reverse engineers analyzing your app are no pushovers; they all have real skills! If they see an obfuscated function name they get very excited, set a breakpoint and look at the function call stack!!!!! Or they read the assembly in static analysis!!!!!
- Advice: Xiaogu has one piece of advice. If you obfuscate function names, Xiaogu advises obfuscating as many of the unimportant ones as possible too! That way, when the reverse engineer analyzes them, it is a waste of his time. He might vomit blood! (Sorry, reverse engineers.)
2. String encryption
- Most of you have used symmetric encryption. We can use it to encrypt our important strings! We use CCCrypt.
- There's really nothing more to say about that: encrypt, then decrypt.
3. Inline functions
- Xiaogu is only giving a pointer here; you are welcome to give Xiaogu advice too.
- Let's write one that everyone uses often: XOR encryption.
- Then let's look at the assembly.
- Now we make it inline:
    static inline NSData * encodeData(NSData *sourceData) __attribute__ ((always_inline));
- Then look at the assembly again.
- The point of inlining is to avoid a bl (branch-with-link) call into the function, because at that call a reverse engineer can set a breakpoint and look at the function call stack and parameters.
- After inlining, the code is copied directly to where it is called. So! It is not so easy for the reverse-engineering masters to spot!
- You can also look into inline hooking; this post will not cover how to modify things in __TEXT.
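Sections 1 to 3 fit together in one small program, so here is an added example (written for this post, not code from the original or from any library it mentions) that puts the three tricks side by side in plain C, which compiles with clang or gcc: a #define that hides the decoder's real name, a string stored only in XOR-encrypted form so the plaintext never lands in the binary, and an always_inline decoder so there is no bl call to break on. The macro names, the two-byte key and the secret string "api-token-42" are all constructed for the demo; stored_bytes_contain() stands in for what a strings pass or hex search over the binary would find.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Section 1: hide a meaningful name behind a macro, exactly as the post's
 * #define trick does. The binary's symbol table then carries the gibberish
 * name on the right, not "xor_crypt". (Both names are made up for this demo.) */
#define xor_crypt zqk1vb9sd2lf

/* Section 2: key and secret are constructed for this demo. K0/K1 are plain
 * integer constants so that E() below is a compile-time constant expression
 * and only the XORed bytes, never the plaintext, end up in the data section. */
#define K0 0x5a
#define K1 0xa7
static const unsigned char KEY[] = { K0, K1 };
#define KEYLEN (sizeof KEY)

/* E(c, i): XOR plaintext byte c at position i with the repeating two-byte key. */
#define E(c, i) ((unsigned char)((c) ^ (((i) % 2) ? K1 : K0)))

/* The string "api-token-42", stored only in encrypted form. */
static const unsigned char SECRET_ENC[] = {
    E('a', 0), E('p', 1), E('i', 2), E('-', 3), E('t', 4),  E('o', 5),
    E('k', 6), E('e', 7), E('n', 8), E('-', 9), E('4', 10), E('2', 11),
};
#define SECRET_LEN (sizeof SECRET_ENC)

/* Section 3: always_inline makes the compiler paste this body into each call
 * site, so there is no bl to the decoder to break on and no separate frame
 * for it in the call stack. */
static inline void xor_crypt(unsigned char *buf, size_t len,
                             const unsigned char *key, size_t keylen)
    __attribute__((always_inline));

static inline void xor_crypt(unsigned char *buf, size_t len,
                             const unsigned char *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];   /* XOR is its own inverse */
}

/* Decrypt the secret into out (NUL-terminated). Returns the secret's length,
 * or 0 if out is missing or too small. The plaintext exists only in the
 * caller's buffer, for as long as the caller keeps it. */
size_t get_secret(char *out, size_t outlen)
{
    if (out == NULL || outlen < SECRET_LEN + 1)
        return 0;
    memcpy(out, SECRET_ENC, SECRET_LEN);
    xor_crypt((unsigned char *)out, SECRET_LEN, KEY, KEYLEN);
    out[SECRET_LEN] = '\0';
    return SECRET_LEN;
}

/* What a strings pass or a hex search over the binary's data would see:
 * returns 1 if needle occurs verbatim inside the stored (encrypted) bytes. */
int stored_bytes_contain(const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > SECRET_LEN)
        return 0;
    for (size_t i = 0; i + n <= SECRET_LEN; i++)
        if (memcmp(SECRET_ENC + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Self-check: decrypt, compare with the known plaintext, wipe the buffer.
 * (The literal here exists only for this check; a real app would not embed it.) */
int secret_roundtrip_ok(void)
{
    char buf[32];
    int ok = get_secret(buf, sizeof buf) == 12 && strcmp(buf, "api-token-42") == 0;
    memset(buf, 0, sizeof buf);   /* don't leave the plaintext lying around */
    return ok;
}

int main(void)
{
    printf("plaintext visible in stored bytes: %s\n",
           stored_bytes_contain("api-token-42") ? "yes" : "no");
    printf("roundtrip ok: %s\n", secret_roundtrip_ok() ? "yes" : "no");
    return 0;
}
```

Build it with clang -O1, run it, then run strings on the binary and try to find "api-token-42": the encrypted table and the inlined decoder keep it out of the data section and out of any bl target. Keep in mind the post's own note, though: a fixed-key XOR only defeats the quick strings and class-dump pass; an analyst who finds the inlined loop in the disassembly recovers the key from it in minutes, so treat this as raising the cost of casual inspection, not as protecting the secret.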
4. Obfuscation tools
- I'll only recommend one round of tools here.
- obfuscator-llvm: originally everyone used obfuscator-llvm for obfuscation, but it only supported Xcode 8 and is now basically unusable.
- Now the most commonly used are NetEase Yidun and ZFJObsLib.
- Though nowadays the obfuscation at big companies is probably written by their own experts.
- We can study how ZFJObsLib does it; it's simple enough to practice with ~
- ZFJObsLib details website
5. Summary
- Xiaogu doesn't have much time to work on obfuscation and hardening right now; I've been very busy with work recently.
- As for obfuscation and hardening, what Xiaogu has used in projects is only for reference!!
- Hopefully one day you will all be able to write your own obfuscation tools.
- I hope this post is helpful for you. 😆