一、Tweak原理
Theos创建Tweak插件,编译后会生成一个动态库和一个对应包名的plist文件,打包后会把生成的文件打包成.deb包并安装到手机中,Cydia通过监听程序的启动通过plist文件中的包名选择加载哪个动态库到应用进程中,(dyld通过DYLD_INSERT_LIARARIES环境变量动态注入插件动态库),注入的动态库并不会改变原来应用的二进制文件.
二、防止Tweak插件注入
- Build Settings 搜索Other Linker Flags(product->Build Settings->Linking->Other Linker Flags)
输入: -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
三、利用二进制修改器破坏防护
- 通过二进制修改器修改二进制文件,MachO文件因为二进制被修改,所以必须得重新签名。可通过MonkeyDev重签。
四、使用dyld源码进行防护
- 查看restrict段是否被修改而进行防护,dyld中核心代码(dyld.cpp)
static bool hasRestrictedSegment(const macho_header* mh)
{
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(macho_header));
const struct load_command* cmd = cmds;
for (uint32_t i = 0; i < cmd_count; ++i) {
switch (cmd->cmd) {
case LC_SEGMENT_COMMAND:
{
const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
//dyld::log("seg name: %s\n", seg->segname);
if (strcmp(seg->segname, "__RESTRICT") == 0) {
const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
const struct macho_section* const sectionsEnd = §ionsStart[seg->nsects];
for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
if (strcmp(sect->sectname, "__restrict") == 0)
return true;
}
}
}
break;
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
return false;
}
