iOS WhatsApp 企业证书重签名后闪退

需求: 使用restore-symbol恢复符号表,通过iOS App Signer重签名WhatsApp应用, 安装后闪退,签名证书为企业证书.

日志: crash日志,已上传WhatsApp.crash (59.0 KB)

操作步骤:

1. app store 下载WhatsApp,脱壳处理
2. 使用restore-symbol恢复符号表
3. 使用iOS App Signer 重签名
4. 安装成功后,启动应用闪退

环境: iOS 9.3.3 越狱

补充一下,后面又测试了一下, app store下载的包通过frida-ios-dump工具直接脱壳,脱壳后的app包不做任何修改,直接通过mobiledevice安装,也是闪退.

这有个Assert
4 Core 0x101b7d054 0x101900000 + 2609236

检查到异常 assert 了

app包里确实有一个Assert.car文件,但是是自带的没做过处理,一般这种情况怎样处理,小白不太了解,
第二个疑问就是,请教一下前辈是如何定位到问题所在的…

是的,包里有一个Assert.car文件.但是是自带的没处理也有问题吗,同楼上的问题,请教前辈什么思路定位到问题所在的,还有就是如何解决一下,望回复,十分感谢

神仙跨服聊天

一个是断言
一个是图片素材包

app文件下载到AppGroupp路径，重签app，自然找不到文件了。

原来是这个意思,知识储备薄弱,理解错了,十分感谢回复

你好,刚接触逆向没多久,所以一些隐含的意思get不到,请问您说的路径的问题是指的什么问题,

App Groups网上查询下就知道了；

NSURL *groupURL = [[NSFileManager defaultManager] containerURLForSecurityApplicationGroupIdentifier:@"group.com.simon.app.test"];
 NSUserDefaults *userDefaults = [[NSUserDefaults alloc] initWithSuiteName:@"group.company.appGroupName"];

App Groups 的相关内容我查资料了解过,我的疑问是,App Groups 不应该会导致直接crash, 我是按照AloneMonkey @AloneMonkey 大佬的<iOS应用逆向与安全>的操作搞的,

whatsApp 会将一部分文件保存在app Group中,重签后app无法找到原来的App Group路径;
无法保存文件也无法获取文件。
// hook AppGroup 重定向
%hook NSUserDefaults
-(id)initWithSuiteName:(NSString *)suitename
{
DLog (@"======>>>>>> SuiteName orig → %@",suitename);

if([suitename isEqualToString:@"group.net.whatsapp.WhatsAppSMB.shared"])
{
    suitename =@"group.com.x1";
}
if([suitename isEqualToString:@"group.net.whatsapp.WhatsApp.shared"])
{
    suitename =@"group.com.x2";
}
if([suitename isEqualToString:@"group.net.whatsapp.WhatsApp.private"])
{
    suitename =@"group.com.x3";
}
if([suitename isEqualToString:@"group.com.facebook.family"])
{
    suitename =@"group.com.x4";
}
DLog (@"======>>>>>> SuiteName new -> %@",suitename);
id r = %orig;
return r;

}

-(id)_initWithSuiteName:(NSString *)suitename container:(id)path
{

DLog (@"======>>>>>> _initWithSuiteName orig -> %@,path -> %@",suitename,path);
id r = %orig;
return r;

}
%end

%hook NSFileManager
-(NSURL *)containerURLForSecurityApplicationGroupIdentifier:(NSString *)groupIdentifier
{
NSLog (@"======>>>>>> groupIdentifier → %@",groupIdentifier);
if([groupIdentifier isEqualToString:@“group.net.whatsapp.WhatsAppSMB.shared”])
{
groupIdentifier =@“group.com.x1”;
}
if([groupIdentifier isEqualToString:@“group.net.whatsapp.WhatsApp.shared”])
{
groupIdentifier =@“group.com.x2”;
}
if([groupIdentifier isEqualToString:@“group.net.whatsapp.WhatsApp.private”])
{
groupIdentifier =@“group.com.x3”;
}
if([groupIdentifier isEqualToString:@“group.com.facebook.family”])
{
groupIdentifier =@“group.com.x4”;
}
NSURL * path = %orig;
NSLog (@"======>>>>>> groupIdentifier path-> %@",path);
return path;
}
%end

太强了字数补丁

使用这个hook之后，还是崩溃

• thread #1, queue = ‘com.apple.main-thread’, stop reason = signal SIGABRT
  • frame #0: 0x00000001caffb0dc libsystem_kernel.dylib__pthread_kill + 8 frame #1: 0x00000001cb074094 libsystem_pthread.dylibpthread_kill$VARIANT$mp + 380
    frame #2: 0x00000001caf53ea8 libsystem_c.dylibabort + 140 frame #3: 0x00000001ca620788 libc++abi.dylibabort_message + 132
    frame #4: 0x00000001ca620934 libc++abi.dylibdefault_terminate_handler() + 308 frame #5: 0x00000001ca637e00 libobjc.A.dylib_objc_terminate() + 124
    frame #6: 0x00000001ca62c838 libc++abi.dylibstd::__terminate(void (*)()) + 16 frame #7: 0x00000001ca62c8c4 libc++abi.dylibstd::terminate() + 84
    frame #8: 0x00000001ca637d5c libobjc.A.dylibobjc_terminate + 12 frame #9: 0x00000001cae9d7e8 libdispatch.dylib_dispatch_client_callout + 36
    frame #10: 0x00000001cae40eb8 libdispatch.dylib_dispatch_once_callout + 28 frame #11: 0x00000001025a835c CoreWASharedDirectoryURL + 56
    frame #12: 0x00000001026f13f0 CoreWAMenuItemImageInCoreForName + 26392 frame #13: 0x00000001026f0908 CoreWAMenuItemImageInCoreForName + 23600
    frame #14: 0x000000010119bf34 WhatsApp_mh_execute_header + 7110452 frame #15: 0x00000001026f1e60 CoreWAProcessInit + 68
    ================分隔符========================================================================================================
    错误 18:13:13.044914 +0800 WhatsApp container_create_or_lookup_app_group_paths: error = (container_error_t)11
    错误 18:13:13.045224 +0800 WhatsApp Failed to create container with identifier due to container manager error: 11
    默认 18:13:13.045875 +0800 WhatsApp ======>>>>>> groupIdentifier path-> (null)
    默认 18:13:13.046448 +0800 WhatsApp *** Assertion failure in NSURL * _Nonnull WASharedDirectoryURL(void)_block_invoke(), /Users/radermacher/Development/iphone/Core/Core/Source/Global/WAContext.m:75
    默认 18:13:13.143229 +0800 WhatsApp *** Terminating app due to uncaught exception ‘NSInternalInconsistencyException’, reason: ‘No shared app group’
    *** First throw call stack:
    (0x1cb45f180 0x1ca6379f8 0x1cb37888c 0x1cbe89898 0x1025a843c 0x1cae9d7d4 0x1cae40eb8 0x1025a835c 0x1026f13f0 0x1026f0908 0x10119bf34 0x1026f1e60 0x10130d648 0x1f7c440f0 0x1f7c45854 0x1f7c4afe0 0x1f750e2a4 0x1f751683c 0x1f750df28 0x1f750e818 0x1f750cb64 0x1f750c82c 0x1f751136c 0x1f7512150 0x1f7511224 0x1f7515f24 0x1f7c495e8 0x1f7845e04 0x1cdddb9fc 0x1cdde540c 0x1cdde4c14 0x1cae9d7d4 0x1cae425dc 0x1cde16040 0x1cde15cdc 0x1cde16294 0x1cb3f0f1c 0x1cb3f0e9c 0x1cb3f0784 0x1cb3eb6c0 0x1cb3eafb4 0x1cd5ec79c 0x1f7c4cc38 0x100d191e8 0x1caeae8e0)

======>>>>>> groupIdentifier path-> (null)
默认 18:13:13.046448 +0800 WhatsApp *** Assertion failure in NSURL * _Nonnull WASharedDirectoryURL(void)_block_invoke(), /Users/radermacher/Development/iphone/Core/Core/Source/Global/WAContext.m:75
默认 18:13:13.143229 +0800 WhatsApp *** Terminating app due to uncaught exception ‘NSInternalInconsistencyException’, reason: ‘No shared app group’
[/quote]

groupIdentifier =@“group.com.x1”; 写自己的groupIdentifier

大佬，按照你的方法启动不会崩溃了，但是填完手机号发验证码的时候又crash了，你知道是啥原因吗？

image664×622 85.7 KB