Hands-on: Defeating the anti-dynamic-debugging protection in the 高德地图 (AMap) 7.2.0 iOS client

Hook sysctl itself directly

Yeah, I tried init_sysctl_hook() from 张总's WTFJH toolkit. After installing it the app crashes as soon as it opens. The error is as follows:

May 5 18:31:04 ahahaha JCB[448]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/antisys.dylib
May 5 18:31:05 ahahaha ReportCrash[449]: MS:Notice: Injecting: (null) [ReportCrash] (847.21)
May 5 18:31:05 ahahaha ReportCrash[449]: ReportCrash acting against PID 448
Could this be anti-anti-anti-debugging? Haha

I only tested that thing against ptrace. Try disabling the sysctl part. I have no time to fix it right now.

1 like

Take a look at the CrashReport to see where the program faulted…

It's probably my implementation approach. When I have time I'll redo it as a lower-level implementation.

I tried it and got the same thing.
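The sysctl side of the check, as an added example that is not part of the thread and not WTFJH's code: the app asks sysctl for its own kinfo_proc with the MIB {CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()} and tests kp_proc.p_flag & P_TRACED. A hook like the one discussed above lets the real sysctl run and then clears that bit in the returned buffer. The lldb script below does the same from the debugger instead of from a MobileSubstrate dylib, so nothing is injected into the process. It assumes an arm64 target (x0..x3 hold name, namelen, oldp, oldlenp), takes the p_flag offsets (32 on arm64, 16 on armv7) from the XNU extern_proc layout, assumes the file is imported as module `sysctl_scrub`, and the sample buffer at the bottom is constructed.

```python
"""lldb script: let sysctl(KERN_PROC_PID) run, then clear P_TRACED in the result.

Load inside lldb with:  command script import /path/to/sysctl_scrub.py   (module name assumed)
The helpers at the top have no lldb dependency and can be exercised on their own.
"""
import struct

try:
    import lldb                 # only available when running inside lldb
except ImportError:             # running the pure helpers outside lldb
    lldb = None

CTL_KERN, KERN_PROC, KERN_PROC_PID = 1, 14, 1
P_TRACED = 0x00000800           # sys/proc.h: process is being traced
P_FLAG_OFFSET = {64: 32, 32: 16}  # kp_proc.p_flag inside struct kinfo_proc (assumed from extern_proc)


def is_self_proc_query(mib, pid):
    """True if a sysctl MIB asks for this process's own kinfo_proc."""
    return list(mib) == [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]


def scrub_p_traced(kinfo, bits=64):
    """Return (patched_buffer, was_traced) with P_TRACED cleared in kp_proc.p_flag."""
    off = P_FLAG_OFFSET[bits]
    (p_flag,) = struct.unpack_from("<I", kinfo, off)
    patched = bytearray(kinfo)
    struct.pack_into("<I", patched, off, p_flag & ~P_TRACED)
    return bytes(patched), bool(p_flag & P_TRACED)


# --- lldb glue (arm64) ---------------------------------------------------------
_pending = {}   # return address -> (oldp, oldlenp) of a sysctl call whose result we must patch


def sysctl_entry(frame, bp_loc, internal_dict):
    """Breakpoint callback at sysctl entry: remember the output buffer of self-queries."""
    proc = frame.GetThread().GetProcess()
    err = lldb.SBError()
    namelen = frame.FindRegister("x1").GetValueAsUnsigned()
    raw = proc.ReadMemory(frame.FindRegister("x0").GetValueAsUnsigned(), 4 * namelen, err)
    mib = struct.unpack("<%dI" % namelen, raw) if err.Success() else ()
    if namelen == 4 and is_self_proc_query(mib, proc.GetProcessID()):
        lr = frame.FindRegister("lr").GetValueAsUnsigned()
        _pending[lr] = (frame.FindRegister("x2").GetValueAsUnsigned(),
                        frame.FindRegister("x3").GetValueAsUnsigned())
        ret_bp = proc.GetTarget().BreakpointCreateByAddress(lr)   # fire once, on return
        ret_bp.SetOneShot(True)
        ret_bp.SetScriptCallbackFunction("sysctl_scrub.sysctl_return")
    return False        # returning False lets lldb auto-continue; the real sysctl runs


def sysctl_return(frame, bp_loc, internal_dict):
    """Breakpoint callback at the return address: clear P_TRACED in the filled-in kinfo_proc."""
    proc = frame.GetThread().GetProcess()
    oldp, oldlenp = _pending.pop(frame.GetPC(), (0, 0))
    err = lldb.SBError()
    if oldp and oldlenp:
        (size,) = struct.unpack("<Q", proc.ReadMemory(oldlenp, 8, err))   # size_t on arm64
        patched, traced = scrub_p_traced(proc.ReadMemory(oldp, size, err), 64)
        if traced:
            proc.WriteMemory(oldp, patched, err)
    return False


def __lldb_init_module(debugger, internal_dict):
    bp = debugger.GetSelectedTarget().BreakpointCreateByName("sysctl")
    bp.SetScriptCallbackFunction("sysctl_scrub.sysctl_entry")


# Constructed 64-byte stand-in for an arm64 kinfo_proc: p_flag = 0x4008 | P_TRACED at offset 32.
SAMPLE_KINFO = bytes(32) + (0x4008 | P_TRACED).to_bytes(4, "little") + bytes(28)
```

Only the buffer of a self-query is touched, so other sysctl calls the app makes (model name, page size, ...) pass through unchanged; the one-shot return breakpoint means the patch happens after the kernel has filled the struct, which is the same ordering a function hook would use.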

Hi everyone. After finishing the book I got interested in the functionality of a certain app on Cydia, but while dynamically debugging it I ran into an error:
Attaching to process xxx…
Segmentation fault: 11

I roughly understand this is due to anti-debugging. After a lot of searching I found 狗神's article: Hands-on: Defeating the anti-dynamic-debugging protection in the 高德地图 7.2.0 iOS client - 干货分享 - 睿论坛
But I already fail at step two there, because after running ps -e all I see is
//Applications/XXX.app/XXX

When I use Cycript -p TargetApp it just sits at loading and never gets to a prompt.
So I can't find the executable under the bundle path to launch it with LLDB. Is there any other way?

To verify it isn't a debugserver problem, I tried apps from the App Store as well as Cydia apps such as Activator; all of them could be debugged dynamically, only the Cydia app I'm interested in can't QQ
If you need to know which app it is, let me know, because I'm worried about violating the comment rules and getting my comment deleted.

The app name isn't sensitive. Just open a new thread and describe the problem in detail there.

1 like

Got it, thanks!

There's one thing I don't understand: "the caller of ptrace is at 0xdbd19 - 0xd1000 = 0xAD19", but the screenshot shows the address of the call site as 0xAD18, a difference of 1. Please reply, thanks.

My own understanding, which may not be right: every assembly instruction has a length, and here 0xAD18 and 0xAD19 are both MOV R0, R4
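An added example, not from the thread: on 32-bit ARM the low bit of a code address is not part of the address but the Thumb interworking bit, so a return address or function pointer such as 0xdbd19 refers to Thumb code at 0xdbd18; stripping that bit before subtracting the image's load address gives 0xAD18, the value in the screenshot. The helper below does that mapping for armv7 and, where no such bit exists, for arm64. The only inputs are the two addresses quoted in the question; the arm64 addresses in the checks are made up.

```python
THUMB_BIT = 0x1


def runtime_to_image_offset(runtime_addr, image_load_addr, arch="armv7"):
    """Map an address seen at runtime (with the ASLR slide already applied) to an
    offset from the start of the Mach-O image.

    On armv7 bit 0 of a code address only marks Thumb mode and is stripped first;
    on arm64 there is no such bit and every instruction is 4-byte aligned.
    Returns (offset, was_thumb)."""
    if arch == "armv7":
        thumb = bool(runtime_addr & THUMB_BIT)
        clean = runtime_addr & ~THUMB_BIT
    else:
        thumb = False
        clean = runtime_addr
    if clean < image_load_addr:
        raise ValueError("address 0x%x lies below the image load address 0x%x"
                         % (clean, image_load_addr))
    return clean - image_load_addr, thumb


def image_offset_to_runtime(offset, image_load_addr, thumb=False):
    """Inverse mapping: an offset from a static disassembly back to the runtime
    address. Set thumb=True when the value is to be used as a call target or
    function pointer on armv7, since the CPU needs bit 0 set to stay in Thumb mode."""
    addr = image_load_addr + offset
    return addr | THUMB_BIT if thumb else addr
```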

Hey, did you ever solve this? I'm hitting exactly the same problem and I'm stuck.

If you solved it, please share some pointers. Thanks!

Could someone tell me how to determine that it's the main function?

I saw the keyword UIApplicationMain.

Got it, thanks.

Has anyone solved this? Debugging 某宝 (a certain "bao" app, v10.1.52) I hit the same problem. How do I get past it?

debugserver

debugserver *:6666 -x posix /var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/xxxxxx.app/xxxxxx

lldb

(lldb) process connect connect://localhost:6666
Process 1151 stopped
* thread #1, stop reason = signal SIGSTOP
    frame #0: 0x0000000105a4d000
->  0x105a4d000: mov    x28, sp
    0x105a4d004: and    sp, x28, #0xfffffffffffffff0
    0x105a4d008: mov    x0, #0x0
    0x105a4d00c: mov    x1, #0x0
Target 0: (No executable module.) stopped.
(lldb) br s -n ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 1151 resuming
objc[1151]: Class SSKeychain is implemented in both /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices (0x1ad0af2b0) and /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x104828800). One of the two will be used. Which one is undefined.
objc[1151]: Class AntLogPreference is implemented in both /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x1048267d0) and /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x1048267d0). One of the two will be used. Which one is undefined.
objc[1151]: Class AntLogSerialQueue is implemented in both /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x104832c10) and /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x104832c10). One of the two will be used. Which one is undefined.
objc[1151]: Class DATaskManager is implemented in both /System/Library/PrivateFrameworks/DataAccess.framework/DataAccess (0x1ad3964508). One of the two will be used. Which one is undefined.
objc[1151]: Class LAUtils is implemented in both /System/Library/Frameworks/LocalAuthentication.framework/Support/SharedUtils.framework/SharedUtils (0x1ad508780) and /private/var/containers/Bundle/Application/0A23FF1E-A123-4FDE-88E6-4515D4C10997/AlipayWallet.app/AlipayWallet (0x10487c770). One of the two will be used. Which one is undefined.
objc[1151]: Class SPUtils is implemented in both /System/Library/Frameworks/WatchKit.framework/WatchKit (0x1ad653b80) and /private two will be used. Which one is undefined.
Process 1151 exited with status = 45 (0x0000002d)

After process continue, it exits straight away.

Inline anti-debugging, or a direct syscall.

1 like

Alipay is not something someone at your level can crack.

exited with status = 45 (0x0000002d)

That kind of exit status code is ptrace at work.
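An added example tying the two replies above together; it is not code from the thread. In XNU, ptrace(PT_DENY_ATTACH) issued by a process that is already being traced makes the kernel exit it with W_EXITCODE(ENOTSUP, 0), and ENOTSUP is 45 on Darwin, which is exactly the "exited with status = 45" lldb printed. When the check is an inline `svc #0x80` with x16 = 26 (SYS_ptrace) instead of a call to the libsystem_kernel `ptrace` wrapper, a symbol breakpoint on ptrace never fires. The lldb script below covers both cases on arm64: it breaks on the wrapper and turns the request into an invalid one, and it plants breakpoints on `svc #0x80` sites found in lldb disassembly text, swapping the syscall number for SYS_getpid whenever the registers describe ptrace(PT_DENY_ATTACH). It assumes the file is imported as module `deny_attach`; the disassembly listing at the bottom is constructed, not taken from the session above.

```python
"""lldb script against ptrace(PT_DENY_ATTACH), via the libsystem wrapper or an inline svc.

Load inside lldb with:  command script import /path/to/deny_attach.py   (module name assumed)
Then, for inline syscalls found with `disassemble`:
    script deny_attach.break_on_svc(lldb.target, open("/tmp/stub.txt").read())
"""
import re

try:
    import lldb                 # only available when running inside lldb
except ImportError:
    lldb = None

PT_DENY_ATTACH = 31             # sys/ptrace.h
SYS_ptrace = 26                 # XNU syscall number, carried in x16 on arm64
SYS_getpid = 20                 # harmless replacement syscall
ENOTSUP = 45                    # the kernel exits the process with W_EXITCODE(ENOTSUP, 0)

# Matches lldb `disassemble` lines such as `->  0x104a3c004 <+4>:  svc    #0x80` (the <+N> is optional).
SVC_LINE = re.compile(r"^\s*(?:->)?\s*(0x[0-9a-fA-F]+)(?:\s*<[^>]*>)?:\s*svc\s+#0x80\b")


def explain_exit_status(status):
    """Name the exit status lldb prints when a traced process calls ptrace(PT_DENY_ATTACH)."""
    if status == ENOTSUP:
        return "exit status 45 = ENOTSUP: ptrace(PT_DENY_ATTACH) ran while the process was traced"
    return "exit status %d: not the PT_DENY_ATTACH signature" % status


def is_deny_attach_syscall(x16, x0):
    """True if the registers at an `svc #0x80` describe ptrace(PT_DENY_ATTACH, ...)."""
    return x16 == SYS_ptrace and (x0 & 0xffffffff) == PT_DENY_ATTACH


def neutralise_syscall_regs(x16, x0):
    """Register rewrites turning ptrace(PT_DENY_ATTACH) into getpid(); {} for any other syscall."""
    return {"x16": SYS_getpid} if is_deny_attach_syscall(x16, x0) else {}


def find_svc_sites(disassembly):
    """Addresses of every `svc #0x80` instruction in lldb disassembly output."""
    sites = []
    for line in disassembly.splitlines():
        m = SVC_LINE.match(line)
        if m:
            sites.append(int(m.group(1), 16))
    return sites


# --- lldb glue (arm64) ---------------------------------------------------------
def _reg(frame, name):
    return frame.FindRegister(name).GetValueAsUnsigned()


def _write_regs(frame, rewrites):
    dbg = frame.GetThread().GetProcess().GetTarget().GetDebugger()
    for reg, val in rewrites.items():
        dbg.HandleCommand("register write %s 0x%x" % (reg, val))


def ptrace_wrapper_cb(frame, bp_loc, internal_dict):
    """At the libsystem_kernel `ptrace` entry: make the request -1 so the kernel returns EINVAL."""
    if (_reg(frame, "x0") & 0xffffffff) == PT_DENY_ATTACH:
        _write_regs(frame, {"x0": 0xffffffffffffffff})
    return False                # returning False tells lldb to auto-continue


def svc_cb(frame, bp_loc, internal_dict):
    """At an inline `svc #0x80`: swap the syscall number if this is ptrace(PT_DENY_ATTACH)."""
    _write_regs(frame, neutralise_syscall_regs(_reg(frame, "x16"), _reg(frame, "x0")))
    return False


def break_on_svc(target, disassembly):
    """Plant svc_cb on every `svc #0x80` found in the given disassembly text."""
    for addr in find_svc_sites(disassembly):
        target.BreakpointCreateByAddress(addr).SetScriptCallbackFunction("deny_attach.svc_cb")


def __lldb_init_module(debugger, internal_dict):
    bp = debugger.GetSelectedTarget().BreakpointCreateByName("ptrace")
    bp.SetScriptCallbackFunction("deny_attach.ptrace_wrapper_cb")


# Constructed listing in lldb's format (not from the thread): a ptrace stub and a getpid stub.
SAMPLE_DISASM = """\
    0x104a3c000 <+0>:  mov    x16, #0x1a
    0x104a3c004 <+4>:  svc    #0x80
    0x104a3c008 <+8>:  b.lo   0x104a3c010
->  0x104a3c00c <+12>: ret
    0x104a3c010 <+0>:  mov    x16, #0x14
    0x104a3c014 <+4>:  svc    #0x80
"""
```

Because the svc breakpoints decide on x16 and x0 at the moment the instruction is reached, a stub that is shared by several syscalls is left alone for everything except ptrace(PT_DENY_ATTACH); if the app also checks the ptrace return value, the wrapper path yields -1/EINVAL and the inline path yields the pid, so adjust x0 after the syscall if the target inspects it.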