Thank you, Teacher Hank

In the last chapter, we talked about the principle of applying signatures and the principle of re-signing. We don’t want to repeat it. If you haven’t seen it, you can click here

IOS Reverse – Application signing and re-signing principles.

This chapter provides an overview of shell script re-signing. Some students may think that there are many tools that can quickly help us to re-sign and fulfill our requirements, but I prefer to communicate with you about the fundamental things here, rather than simply using third-party tools to meet our needs.

A shell script

What is a shell script?

The shell is a special interactive tool that provides users with a way to launch programs, manage files in the file system, and processes running on the system. A Shell generally refers to a command-line tool. It allows you to enter a text command, then interpret the command and execute it in the kernel.

A Shell script is a script file that uses various commands in a text file for one-time execution.

The script executes related commands

$source FileName  Copy the code

  • Read and execute the command in FileName in the current shell environment
  • Features:


• Commands can force a script to immediately affect the current environment (typically used to load configuration files).

• Commands force all commands in the script, regardless of file permissions. 

$bashThe FileName,$zsh FileNameCopy the code

  • Create a subshell to execute the sentences in the script.

$./FileNameCopy the code

  • Read and execute commands from a file. However, the script file must have executable permissions.

Here to some dry goods, script heavy signature source. There are also a lot of online search, as long as we are happy. I don’t know why, after I write bash, the code format is always out of order, you can find other sources in the literature, here I map

If you want a simple introduction to the shell, consult Andy’s literature. A total of three articles, rough and easy to understand.

User, group, and permission

Unix and Linux are multi-user, multi-task systems, so the concept of users and groups is built into such systems. Then the same file permissions also have corresponding owning user and owning group.



Mac File Attributes



                                                                   ↑

[Permission][Connection][Owner][Group][File size][Last modified date][File name]



First: file type

Common:

  • [D] dictionary
  • [-] files

The last nine, file permissions, in groups of three,

  • Group 1: permissions RWX for the file owner
  • Group 2: permissions r-x for the other users in this group
  • Group 3: permission r-x for users not in this group

File permissions

[r] : read, read

[w] : Write, write

[x] : execute

Note: the position of these three groups of permissions will not change, the sequence is RWX, the corresponding position appears [-], indicating that there is no permission

Change permission: chmod

To change file permissions, run the chmod command. There are two Settings: numeric type change and symbol type change.

File permissions are classified into three identities :[user][group][other] Three permissions :[read] [write] [execute]

Number type:

Compare each permission number: R :4 W :2 x:1

If a file has permissions of [– rwxr-xr-x]

User : 4+2+1 = 7

Group: 4+0+1 = 5

Other: 4+0+1 = 5

Command: chmod 755 File name



Symbol type:

Chmod [u, g, O, a] [+(Add), -(remove), =(set)] [r, w, x] File name

[a]=[u+g+o] [a]=[u+g+o]

Code injection

Generally modify the original program, is the use of code injection, injection code will choose to use FrameWork or Dylib and other three-party library injection.

Here is a brief introduction to DYLD, Dynamical Load, also known as dynamic linker, exists in the operating system. The app starts by default when the phone is turned on. DYLD is executed in the phone’s memory, the CPU schedules DYLD, and DYLD loads the loaded application (MacO) into memory. When DYLD reads the MacO file, it first reads the Load Commands field, which contains the Foundation \UIKit library. For example, when we call the NSLog function, we must call it in the Foundation library. But who knows the real address of Foundation library? DYLD. If the dependent library is no longer in memory, load it.

So, we’re going to insert a self-written Framework into Load Commands.


Injection steps

Use MacOview to query the binaries of the package contents in the IPA folder and view Load Commands.







  • Framwork injection
• Create a new Framwork with Xcode and install the library into the APP package

• Inject the Framwork library path via yololib. Command: $yololib (space) MachO file path (space) library path

Yololib WeChat Frameworks/xxxxHook framework/xxxxHook / / loaded into the MachO Load under the Command of LC_LOAD_DYLIBCopy the code

• All Framwork loading is performed by DYLD loading into memory

• The successfully injected library path is written to the LC_LOAD_DYLIB field of the MachO file

The successfully injected binary is then replaced with the binary under TARGET_IPA_PATH mentioned earlier.

Save the Payload folder and compress the Payload.

zip -ry WeChat.ipa PayloadCopy the code

Finally, the GENERATED IPA can be installed to the mobile phone by re-signing.

  • Dylib injection
• Create a Dylib library with Xcode (note: Dylib belongs to MacOS and needs to be modified)
• Add a Target dependency that lets Xcode package custom Dylib files into the APP package.

• Use Yololib for injection.

Injection of code can be done either way. If I write wrong, not clear, but also hope you can put forward, we discuss progress together, if you like this article, move a little hand point like it.

For yololib and MachOview installation files, leave a message.