Follow-up to "Hands-on: defeating AMap (高德地图)", now version 7.3.2 (the tweak code runs, but the app still exits)

The original post is at http://bbs.iosre.com/t/7-2-0-ios/770.
Hi 狗神, after reading your book I happened to come across the post above and found it very interesting, but I ran into a problem at the very last step.
1. I located the ptrace call normally: address 0x000095f1, in function sub_95C0;
2. Following your tweak, the package built and installed successfully.
3. But after rebooting the iPhone and attaching with lldb, I ran the c command expecting it to succeed; unfortunately the process still exited. (Output below)

(lldb) process connect connect://192.168.1.101:1234
Process 5404 stopped
  * thread #1: tid = 0x2f470, 0x2be81028 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x2be81028 dyld`_dyld_start
dyld`_dyld_start:
->  0x2be81028: mov r8, sp
    0x2be8102c: sub sp, sp, #16
    0x2be81030: bic sp, sp, #7
    0x2be81034: ldr r3, [pc, #112] ; _dyld_start + 132
(lldb) c
Process 5404 resuming
(lldb) 2015-06-27 23:11:17.667 AMapiPhone[5404:60b] iOSRE: Found sub_95C0!
2015-06-27 23:11:18.667 AMapiPhone[5404:60b] iOSRE: anti-anti-debugging
Process 5404 exited with status = 116 (0x00000074)
(lldb)

Below are screenshots of my steps 1 and 2:


Could someone help me see whether this is a mistake on my side, or whether AMap has added yet another protection? Any guidance appreciated.

1 like

Take a look at syslog and see whether there is anything about AMap exiting.

Jun 27 23:33:13 helloworld007 networkd[145]: Analytics Engine: double ON for app: com.autonavi.amap
Jun 27 23:33:13 helloworld007 AMapiPhone[5508]: MS:Notice: Injecting: com.autonavi.amap [AMapiPhone] (847.24)
Jun 27 23:33:13 helloworld007 AMapiPhone[5508]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/AmapiPhoneDemo.dylib
Jun 27 23:33:13 helloworld007 AMapiPhone[5508]: iOSRE: Found sub_95C0!
Jun 27 23:33:13 helloworld007 AMapiPhone[5508]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib
Jun 27 23:33:13 helloworld007 AMapiPhone[5508]: iOSRE: anti-anti-debugging
Jun 27 23:33:13 helloworld007 com.apple.launchd[1] (UIKitApplication:com.autonavi.amap[0x930f][5508]): (UIKitApplication:com.autonavi.amap[0x930f]) Exited with code: 116
Jun 27 23:33:13 helloworld007 com.apple.launchd[1] (UIKitApplication:com.autonavi.amap[0x930f]): (UIKitApplication:com.autonavi.amap[0x930f]) Throttling respawn: Will start in 2147483647 seconds
Jun 27 23:33:13 helloworld007 backboardd[5209]: Application ‘UIKitApplication:com.autonavi.amap[0x930f]’ exited abnormally with exit status 116
Jun 27 23:33:14 helloworld007 mstreamd[5506]: (Note ) mstreamd: Not monitoring for external power.

With this tweak installed, set a breakpoint on ptrace in lldb and see whether it still stops there.

I had a look; the complete sub_95c0 is:

0x000095c0         push       {r4, r5, r6, r7, lr}                              ; XREF=0x40ac, sub_c2c02c+34, sub_c2c02c+38, sub_c2c02c+42, sub_c38ee8+18, sub_c3ceec+72, sub_c3ceec+616, sub_c55964+28, sub_c55bc4+62, sub_c55bc4+134, sub_c55bc4+188
0x000095c2         add        r7, sp, #0xc
0x000095c4         str        r8, [sp, #0xfffffffc]!                            ; XREF=sub_d97a1c+74
0x000095c8         mov        r8, r1                                            ; XREF=sub_c4c084+48, sub_c54c8c+200, sub_c54c8c+204, sub_c54c8c+2030, sub_c54c8c+2038
0x000095ca         mov        r5, r0
0x000095cc         movs       r0, #0x0                                          ; argument #1 for method imp___picsymbolstub4__dlopen, XREF=sub_c3caa8+46, sub_c54c8c+146, sub_c54c8c+150
0x000095ce         movs       r1, #0xa                                          ; XREF=sub_c3c93c+12, sub_c3caf4+28, sub_c3caf4+36
0x000095d0         blx        imp___picsymbolstub4__dlopen
0x000095d4         movw       r1, #0x27de                                       ; "ptrace", :lower16:(0xf2bdc0 - 0x95e2)
0x000095d8         mov        r6, r0
0x000095da         movt       r1, #0xf2                                         ; "ptrace", :upper16:(0xf2bdc0 - 0x95e2)
0x000095de         add        r1, pc                                            ; "ptrace"
0x000095e0         blx        imp___picsymbolstub4__dlsym
0x000095e4         mov        r4, r0                                            ; XREF=sub_c54c8c+138, sub_c54c8c+142
0x000095e6         movs       r0, #0x1f
0x000095e8         movs       r1, #0x0
0x000095ea         movs       r2, #0x0
0x000095ec         movs       r3, #0x0
0x000095ee         blx        r4
0x000095f0         mov        r0, r6
0x000095f2         blx        imp___picsymbolstub4__dlclose
0x000095f6         movw       r0, #0xb16a                                       ; @selector(alloc), :lower16:(0x1474774 - 0x960a)
0x000095fa         movt       r0, #0x146                                        ; @selector(alloc), :upper16:(0x1474774 - 0x960a)
0x000095fe         movw       r2, #0x3fa8                                       ; :lower16:(objc_cls_ref_NSAutoreleasePool - 0x960c), XREF=sub_c54c8c+118, sub_c54c8c+124
0x00009602         movt       r2, #0x148                                        ; :upper16:(objc_cls_ref_NSAutoreleasePool - 0x960c)
0x00009606         add        r0, pc                                            ; @selector(alloc), XREF=sub_dcbcec+58
0x00009608         add        r2, pc                                            ; objc_cls_ref_NSAutoreleasePool
0x0000960a         ldr        r1, [r0]                                          ; "alloc",@selector(alloc), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000960c         ldr        r0, [r2]                                          ; objc_cls_ref_NSAutoreleasePool,_OBJC_CLASS_$_NSAutoreleasePool
0x0000960e         blx        imp___picsymbolstub4__objc_msgSend
0x00009612         movw       r1, #0xb15a                                       ; @selector(init), :lower16:(0x1474778 - 0x961e)
0x00009616         movt       r1, #0x146                                        ; @selector(init), :upper16:(0x1474778 - 0x961e)
0x0000961a         add        r1, pc                                            ; @selector(init)
0x0000961c         ldr        r1, [r1]                                          ; "init",@selector(init)
0x0000961e         blx        imp___picsymbolstub4__objc_msgSend
0x00009622         mov        r4, r0
0x00009624         movw       r0, #0xb144                                       ; @selector(class), :lower16:(0x147477c - 0x9638)
0x00009628         movt       r0, #0x146                                        ; @selector(class), :upper16:(0x147477c - 0x9638)
0x0000962c         movw       r2, #0x3f7e                                       ; :lower16:(objc_cls_ref_AMapiPhoneAppDelegate - 0x963a)
0x00009630         movt       r2, #0x148                                        ; :upper16:(objc_cls_ref_AMapiPhoneAppDelegate - 0x963a)
0x00009634         add        r0, pc                                            ; @selector(class)
0x00009636         add        r2, pc                                            ; objc_cls_ref_AMapiPhoneAppDelegate
0x00009638         ldr        r1, [r0]                                          ; "class",@selector(class), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000963a         ldr        r0, [r2]                                          ; objc_cls_ref_AMapiPhoneAppDelegate,objc_class_AMapiPhoneAppDelegate
0x0000963c         blx        imp___picsymbolstub4__objc_msgSend
0x00009640         blx        imp___picsymbolstub4__NSStringFromClass
0x00009644         mov        r3, r0                                            ; XREF=sub_c72f84+54
0x00009646         mov        r0, r5
0x00009648         mov        r1, r8
0x0000964a         movs       r2, #0x0
0x0000964c         blx        imp___picsymbolstub4__UIApplicationMain
0x00009650         mov        r5, r0
0x00009652         movw       r0, #0xb122                                       ; @selector(release), :lower16:(0x1474780 - 0x965e)
0x00009656         movt       r0, #0x146                                        ; @selector(release), :upper16:(0x1474780 - 0x965e)
0x0000965a         add        r0, pc                                            ; @selector(release)
0x0000965c         ldr        r1, [r0]                                          ; "release",@selector(release), argument #2 for method imp___picsymbolstub4__objc_msgSend
0x0000965e         mov        r0, r4
0x00009660         blx        imp___picsymbolstub4__objc_msgSend
0x00009664         mov        r0, r5
0x00009666         ldr        r8, [sp], #0x4
0x0000966a         pop        {r4, r5, r6, r7, pc}

Note that, unlike in the original post, sub_95c0 does not only call ptrace to block dynamic debugging; it also performs some other initialization. Once you hook this function, you have to carry out everything except the ptrace call yourself, or the program will not run normally.

Yes. "You have to carry out everything except the ptrace call yourself, or the program will not run normally": my tweak skills are still pretty weak. 狗神, could you go into more detail on how to write the tweak? (This is the part I don't understand; a few pointers would help.)
Much appreciated!!!

Let me give you an example.
sub_AD24 in 7.2.0, in pseudocode:

void sub_AD24(void)
{
    detect debugger; // unrelated to the app's main functionality
}

This function does nothing but detect a debugger; it has nothing to do with the app's main functionality, so it can be removed entirely. sub_95C0 in 7.3.2, in pseudocode:

void sub_95C0(void)
{
    detect debugger;        // unrelated to the app's main functionality
    various initialization; // part of the app's main functionality
}

This function no longer only detects a debugger; it is also involved in the app's main functionality, so it cannot be removed entirely, otherwise the app fails (exit 116). Your new_sub_95C0, in pseudocode, should therefore become:

void new_sub_95C0(void)
{
    various initialization; // part of the app's main functionality
}

That is, drop "detect debugger" and keep "various initialization". Does that make sense now?

1 like

I already understood the principle from your earlier reply.....
What I'm stuck on now is how to code it???

Restore all the code from 0x000095f6 onward and put it in your tweak; that's all.

狗神, could you give more detailed guidance on how to write the code? I spent a whole afternoon on it and got nowhere.
How should I change my new_sub_95C0??

#import "substrate.h"
#import "mach-o/dyld.h"
#import "dlfcn.h"

void (*old_sub_95C0)(void);

void new_sub_95C0(void)
{
    NSLog(@"iOSRE: anti-anti-debugging");
}

%ctor
{
    @autoreleasepool
    {
        // slide of image 0 (the main executable) plus the function's offset, with the Thumb bit set
        unsigned long _sub_95C0 = (_dyld_get_image_vmaddr_slide(0) + 0x95C0) | 0x1;
        if (_sub_95C0) NSLog(@"iOSRE: Found sub_95C0!");
        MSHookFunction((void *)_sub_95C0, (void *)&new_sub_95C0, (void **)&old_sub_95C0);
    }
}

1 like

I've explained the principle clearly. If the implementation details are unclear, go back to the book and shore up the basics.
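To make the split 狗神 describes concrete, here is the listing of sub_95C0 posted above read back into C/Objective-C. This is an editor's reconstruction added to the thread, not the app's source and not 狗神's or the original poster's tweak. It assumes the ARM calling convention (r0/r1 are the first two arguments and r0 the return value), so the r0/r1 that the function saves in r5/r8 and hands straight to UIApplicationMain are argc/argv; that the 0xa passed to dlopen is RTLD_NOW|RTLD_GLOBAL (0x2|0x8 on Darwin); and that the function's real signature is therefore int(int, char *[]) rather than the void(void) used in the tweak above. The names app_entry_from_0x95f6, reconstructed_sub_95C0, orig_sub_95C0 and target are the editor's.

```objectivec
#import <substrate.h>
#import <mach-o/dyld.h>
#import <dlfcn.h>
#import <objc/runtime.h>
#import <sys/types.h>
#import <stdint.h>
#import <UIKit/UIKit.h>

/* 0x95f6..0x966a of the listing: the application's own entry-point work.
 * The explicit [[NSAutoreleasePool alloc] init] ... release pair in the listing
 * is written as @autoreleasepool here so it builds with or without ARC. */
static int app_entry_from_0x95f6(int argc, char *argv[])
{
    int ret;
    @autoreleasepool {
        // 0x9624..0x9640: NSStringFromClass([AMapiPhoneAppDelegate class]);
        // the class is looked up by name because the tweak has no header for it.
        NSString *delegateName = NSStringFromClass(objc_getClass("AMapiPhoneAppDelegate"));
        // 0x9646..0x964c: UIApplicationMain(argc, argv, nil, delegateName)
        ret = UIApplicationMain(argc, argv, nil, delegateName);
    }
    return ret;
}

/* What the original function does, kept only as documentation of the listing;
 * the tweak never calls it. */
__attribute__((unused))
static int reconstructed_sub_95C0(int argc, char *argv[])
{
    // 0x95cc..0x95f2: the anti-debugging check. ptrace is resolved by name at
    // run time rather than linked directly (assumed: 0xa == RTLD_NOW|RTLD_GLOBAL).
    void *handle = dlopen(NULL, RTLD_NOW | RTLD_GLOBAL);
    int (*ptrace_fn)(int, pid_t, caddr_t, int) =
        (int (*)(int, pid_t, caddr_t, int))dlsym(handle, "ptrace");
    ptrace_fn(0x1f, 0, 0, 0);                   // 0x1f is PT_DENY_ATTACH
    dlclose(handle);
    return app_entry_from_0x95f6(argc, argv);   // everything from 0x95f6 on
}

/* The replacement: identical to the reconstruction minus the 0x95cc..0x95f2 block.
 * Same signature as the real function, so argc/argv are passed through intact. */
static int (*orig_sub_95C0)(int, char *[]);

static int new_sub_95C0(int argc, char *argv[])
{
    NSLog(@"iOSRE: anti-anti-debugging");
    return app_entry_from_0x95f6(argc, argv);
}

%ctor
{
    @autoreleasepool {
        // Same address arithmetic as the tweak above: image slide + offset, Thumb bit set.
        uintptr_t target = (_dyld_get_image_vmaddr_slide(0) + 0x95C0) | 0x1;
        NSLog(@"iOSRE: Found sub_95C0!");
        MSHookFunction((void *)target, (void *)new_sub_95C0, (void **)&orig_sub_95C0);
    }
}
```

Two things the reconstruction makes visible. The poster's original replacement returned without ever reaching UIApplicationMain, which is why the process exited right after the "anti-anti-debugging" line; keeping the 0x95f6 tail is what fixes that. And for anyone writing such a check rather than removing it, the listing shows why it was so easy to locate: the symbol is resolved from the literal string "ptrace", which the disassembler resolves and prints beside the movw/movt pair at 0x95d4 and 0x95da, so a string search leads straight to the call.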

Thank you 狗神, I've got it sorted out. How do I close a thread on this forum??

I hooked ptrace directly and it worked, but I still can't debug.

I ran into a problem. I have an app with ptrace protection, which I handled as follows:
FavIconViewController.nib`___lldb_unnamed_function4607$$FavIconViewController.nib:
->  0x2e54648 <+232>: mov r0, r5
    0x2e5464a <+234>: str r6, [sp, #0x70]
    0x2e5464c <+236>: blx 0x2ecbf0c ; symbol stub for: dlclose
    0x2e54650 <+240>: mov.w r0, #0x20000000
(lldb) br command add 2
error: '2' is not a currently valid breakpoint id.
(lldb) br command add 1
Enter your debugger command(s). Type 'DONE' to end.
thread return
c
DONE
(lldb) c
Process 63937 resuming
Process 63937 stopped
  * thread #3: tid = 0x2f7e0, 0x02e54648 FavIconViewController.nib`___lldb_unnamed_function4607$$FavIconViewController.nib + 232, queue = 'com.mother.of.dragons.queueofsevenkingdoms', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x02e54648 FavIconViewController.nib`___lldb_unnamed_function4607$$FavIconViewController.nib + 232
    FavIconViewController.nib`___lldb_unnamed_function4607$$FavIconViewController.nib:
    ->  0x2e54648 <+232>: mov r0, r5
        0x2e5464a <+234>: str r6, [sp, #0x70]
        0x2e5464c <+236>: blx 0x2ecbf0c ; symbol stub for: dlclose
        0x2e54650 <+240>: mov.w r0, #0x20000000

This gets around the exit, but after that no lldb command works except c, and every c just re-runs the following code:
->  0x2e54648 <+232>: mov r0, r5
    0x2e5464a <+234>: str r6, [sp, #0x70]
    0x2e5464c <+236>: blx 0x2ecbf0c ; symbol stub for: dlclose
    0x2e54650 <+240>: mov.w r0, #0x20000000

I followed your approach, but after hooking, the app crashes on launch. What could the reason be?

Read the thread carefully.

I've managed to debug AMap with lldb (it seems it has to be over USB; over Wi-Fi it failed). Now I'm reversing the decryption of amap.db, the database AMap caches locally. I found the key it passes to sqlite3_key, but every attempt to decrypt the file outside the app fails, so I suspect AMap has overridden the sqlite3_key interface. Is there a good way to extract that dynamic library?