防护方案-tweak插件的猫腻
一、防护tweak插件
1、Build Settings->Other Linker Flags->-Wl,-sectcreate,__RESTRICT,__restrica,/dev/null
2、这样就会在Mach-O中添加 Section(_RESTRICT,__restrica)
3、设置后 dyld.cpp中
函数 static bool hasRestrictedSegment(const macho_header* mh)返回true
如果加载tweak运行程序会闪退。
二、反-防护tweak插件
1、下载 Synalyze It! Pro
2、修改Mach-O中的_RESTRICT和__restrica的这俩个字符串名称
二、反-反-防护tweak插件
#import <mach-o/loader.h>
#import <mach-o/dyld.h>
1、找一个类的load方法加入以下代码
+(void)load {
//MachO 最先加载的是我们自己的可执行文件
const struct mach_header * header = _dyld_get_image_header(0);
if (hasRestrictedSegment(header)) {
NSLog(@"防止Tweak注入");
}else{
NSLog(@"被修改了!!");
exit(0);
}
}
static bool hasRestrictedSegment(const struct macho_header* mh)
{
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(struct macho_header));
const struct load_command* cmd = cmds;
for (uint32_t i = 0; i < cmd_count; ++i) {
switch (cmd->cmd) {
case LC_SEGMENT_COMMAND:
{
const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
printf("seg name: %s\n", seg->segname);
if (strcmp(seg->segname, "__RESTRICT") == 0) {
const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
const struct macho_section* const sectionsEnd = §ionsStart[seg->nsects];
for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
if (strcmp(sect->sectname, "__restrict") == 0)
return true;
}
}
}
break;
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
return false;
}
2、这样就能检测到二进制文件被修改,从而直接杀掉程序。
网友评论