14. Anti-Hook Protection (2): MonkeyDev

1. Installation: MonkeyDev

Once the installation finishes, restart Xcode; a MonkeyDev group now shows up among the project templates.

2. Re-signing

Create a MonkeyApp project. Its directory contains a TargetApp folder: drop the .ipa or .app you want to re-sign in there, change the Bundle ID from the demo value to one your own signing identity can use, and run. That is the whole re-signing step.

3. Hook: Logos syntax

Logos

The Logos file the template generates has no syntax highlighting when you open it.
In the file inspector, change its type to Objective-C++ Source, then switch to another file and back, and the highlighting appears.

3.1 Trying to hook the project we protected in the previous article

Here we are going to hook -actionA: on ViewController.

a. Put the compiled .app into the TargetApp directory

b. Write the hook in Logos syntax

#import <UIKit/UIKit.h>
%hook ViewController
- (void)actionA:(id)sender {
    // No %orig here, so the original -actionA: body never runs once the hook is in place.
    NSLog(@"action-A-(Hooked!)");
}
%end
That's all there is to it.

c. Run and check the log

2021-05-16 23:10:24.635341+0800 AntiHook[3859:1526960] ⚠️ Hook detected!
2021-05-16 23:10:24.635477+0800 AntiHook[3859:1526960] ⚠️ Hook detected!
2021-05-16 23:10:24.635519+0800 AntiHook[3859:1526960] [AntiAntiDebug Init]
🎉!!!congratulations!!!🎉
👍----------------insert dylib success----------------👍
[MethodTrace]
📚--------------------OCMethodTrace(Usage)-------------------📚
https://github.com/omxcodec/OCMethodTrace/blob/master/README.md
📚--------------------OCMethodTrace(Usage)-------------------📚
[MethodTrace] logLevel: 0: logWhen: 0 traceFlag: 2 traceObject: 0 (no class specified)
[MethodTrace] Method Trace is disabled
Download cycript(https://cydia.saurik.com/api/latest/3) then run: ./cycript -r 192.168.0.102:6666
2021-05-16 23:10:24.915464+0800 AntiHook[3859:1526960] result: <UIApplication: 0x1017100d0>
2021-05-16 23:10:24.996174+0800 AntiHook[3859:1526960] INFO: Reveal Server started (Protocol Version 43).
2021-05-16 23:10:33.341774+0800 AntiHook[3859:1526960] action-A-(Hooked!)
Our protection code did report a hook during startup, yet tapping the button prints the hooked message: the hook on -actionA: went through anyway.

d. Thoughts

We protected this build with the technique from Anti-Hook Protection (1), which guards method_exchangeImplementations, and it did not stop MonkeyDev's hook. The reasonable inference is that the hook is not installed with an exchange at all, but with method_getImplementation followed by method_setImplementation.
Below we extend the protection to those two functions to test the idea.
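To see why the protection from part (1) stays silent, here is what a Logos %hook boils down to at the Objective-C runtime level. This is an added example, not MonkeyDev's or the page's code: a plain NSObject named Target stands in for ViewController so it builds and runs on macOS (clang -framework Foundation -fobjc-arc hook_demo.m), and hook_like_logos is our own name. The body mirrors the get/set sequence that Substrate's MSHookMessageEx (the function Logos emits calls to) performs for a method the class implements itself, which is the order the startup log in section 4.1 shows.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Stand-in for the page's ViewController (assumption: a plain NSObject so this
// compiles on macOS without UIKit).
@interface Target : NSObject
- (void)actionA:(id)sender;
@end

@implementation Target
- (void)actionA:(id)sender { NSLog(@"action-A"); }
@end

// Saved original IMP: this is what %orig expands to in Logos.
static void (*orig_actionA)(id self, SEL _cmd, id sender);

// Replacement IMP: the body of the %hook block, followed by %orig.
// Delete the orig_actionA call and you get the page's output, where the
// original body never runs.
static void hooked_actionA(id self, SEL _cmd, id sender) {
    NSLog(@"action-A-(Hooked!)");
    orig_actionA(self, _cmd, sender);
}

// The runtime calls behind a Logos hook of a method the class itself defines.
// Note what is absent: method_exchangeImplementations is never called, so a
// detector that only rebinds that symbol sees nothing.
static IMP hook_like_logos(Class cls, SEL sel, IMP replacement) {
    Method m = class_getInstanceMethod(cls, sel);   // locate the method slot
    IMP original = method_getImplementation(m);     // "get": read the current IMP (%orig)
    method_setImplementation(m, replacement);       // "set": overwrite it in place
    return original;
}

int main(void) {
    @autoreleasepool {
        Target *t = [Target new];
        [t actionA:nil];   // prints "action-A"

        orig_actionA = (void (*)(id, SEL, id))
            hook_like_logos([Target class], @selector(actionA:), (IMP)hooked_actionA);

        [t actionA:nil];   // prints "action-A-(Hooked!)" and then "action-A"
    }
    return 0;
}
```

Both steps are ordinary exported functions of libobjc, which is exactly why rebinding their symbol stubs with fishhook, as the next section does, is enough to intercept this style of hook.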

4. Set/Get Hook protection

Here we make a small change to the protection code from part (1), which rebinds the runtime symbols with fishhook. Two defects in the first draft are worth pointing out: the replacement functions must keep the signatures of the functions they stand in for (method_getImplementation and method_setImplementation both return an IMP, so a void replacement hands garbage back to the caller), and each rebinding needs its own slot for the saved original pointer, because fishhook writes the original address into `replaced` and three rebindings sharing one variable overwrite each other.
#import <objc/runtime.h>
#import "fishhook.h"

// Saved pointers to the real runtime functions, one per symbol.
// Your own code can call these directly when it legitimately needs to swizzle.
static void (*sysExchangePoint)(Method _Nonnull methA, Method _Nonnull methB);
static IMP (*sysGetPoint)(Method _Nonnull meth);
static IMP (*sysSetPoint)(Method _Nonnull meth, IMP _Nonnull imp);

// Replacements: log and refuse. None of them forwards to the original,
// so the swizzle simply does not happen.
void my_exchange(Method _Nonnull methA, Method _Nonnull methB) {
    NSLog(@"⚠️ Hook detected! - method_exchangeImplementations");
}
IMP my_get(Method _Nonnull meth) {
    NSLog(@"⚠️ Hook detected! - method_getImplementation");
    return NULL;   // do not hand out the real IMP
}
IMP my_set(Method _Nonnull meth, IMP _Nonnull imp) {
    NSLog(@"⚠️ Hook detected! - method_setImplementation");
    return NULL;   // do not install the new IMP
}

// +load runs before the app's own UI code, so the stubs are rebound early.
+ (void)load {
    struct rebinding exchange;
    exchange.name = "method_exchangeImplementations";
    exchange.replacement = my_exchange;
    exchange.replaced = (void **)&sysExchangePoint;
    struct rebinding get;
    get.name = "method_getImplementation";
    get.replacement = my_get;
    get.replaced = (void **)&sysGetPoint;
    struct rebinding set;
    set.name = "method_setImplementation";
    set.replacement = my_set;
    set.replaced = (void **)&sysSetPoint;
    struct rebinding bds[] = { exchange, get, set };
    rebind_symbols(bds, 3);
}

4.1 Result

2021-05-17 23:25:17.892661+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_getImplementation
2021-05-17 23:25:17.892798+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_exchangeImplementations
2021-05-17 23:25:17.892840+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_getImplementation
2021-05-17 23:25:17.892874+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_exchangeImplementations
2021-05-17 23:25:17.892912+0800 AntiHook[3999:1630972] [AntiAntiDebug Init]
🎉!!!congratulations!!!🎉
👍----------------insert dylib success----------------👍
2021-05-17 23:25:17.914757+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_getImplementation
2021-05-17 23:25:17.914913+0800 AntiHook[3999:1630972] ⚠️ Hook detected! - method_setImplementation
[MethodTrace]
...
2021-05-17 23:25:26.987849+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:27.952512+0800 AntiHook[3999:1630972] action-A
2021-05-17 23:25:28.803100+0800 AntiHook[3999:1630972] action-B
2021-05-17 23:25:29.170666+0800 AntiHook[3999:1630972] action-B
The set/get stubs fired (the get followed immediately by the set at 23:25:17.914 is the hook being installed), and tapping the buttons now prints the original logs. The protection works, and it confirms the idea: MonkeyDev's Logos hook is built on method_getImplementation/method_setImplementation, not on method_exchangeImplementations.
Two caveats before shipping this. First, as the log shows, the stubs also fire during startup, before any button is tapped, because the injected dylibs use the same runtime calls while they initialise; a real product should tell those apart from a hook on its own classes rather than only logging. Second, fishhook rewrites the symbol stubs of loaded images, so it only catches callers that reach the runtime functions through those stubs; code that looks a function up with dlsym, or rewrites the method list itself, never passes through my_set.
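Because the fishhook approach only sees calls that go through the rebound stubs, a check a practitioner would add alongside it is an IMP snapshot: record the implementations of the sensitive selectors at a trusted moment and re-verify them later, independently of how a hook was installed. This is an added example, not code from the page: Target, snapshot_imps and count_tampered are our own names, the tamper is constructed inline with method_setImplementation, and it builds on macOS like the previous example. In the protected app the two runtime reads would go through the saved original function pointer rather than method_getImplementation itself, since the app's own stub for that symbol has been redirected to the detector.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Stand-in for the page's ViewController (assumption, so this builds on macOS).
@interface Target : NSObject
- (void)actionA:(id)sender;
- (void)actionB:(id)sender;
@end

@implementation Target
- (void)actionA:(id)sender { NSLog(@"action-A"); }
- (void)actionB:(id)sender { NSLog(@"action-B"); }
@end

// One entry per guarded selector: the IMP it had when the snapshot was taken.
typedef struct { SEL sel; IMP trusted; } GuardedMethod;

#define GUARD_MAX 8
static GuardedMethod guards[GUARD_MAX];
static size_t guard_count = 0;

// Record the IMP of each selector while the class is still in its shipped state,
// e.g. from +load. In the protected app, replace method_getImplementation here with
// the saved original pointer, because the app's own stub now goes to the detector.
static void snapshot_imps(Class cls, SEL *sels, size_t n) {
    for (size_t i = 0; i < n && guard_count < GUARD_MAX; i++) {
        Method m = class_getInstanceMethod(cls, sels[i]);
        guards[guard_count++] = (GuardedMethod){ sels[i], method_getImplementation(m) };
    }
}

// Re-read every guarded IMP and compare it with the snapshot.
// Returns how many methods no longer point at their trusted implementation.
static size_t count_tampered(Class cls) {
    size_t tampered = 0;
    for (size_t i = 0; i < guard_count; i++) {
        Method m = class_getInstanceMethod(cls, guards[i].sel);
        IMP now = method_getImplementation(m);
        if (now != guards[i].trusted) {
            NSLog(@"⚠️ IMP of -[%@ %@] changed: %p -> %p",
                  cls, NSStringFromSelector(guards[i].sel),
                  (void *)guards[i].trusted, (void *)now);
            tampered++;
        }
    }
    return tampered;
}

// Constructed hook used only to exercise the check.
static void fake_actionA(id self, SEL _cmd, id sender) {
    NSLog(@"action-A-(Hooked!)");
}

int main(void) {
    @autoreleasepool {
        SEL sels[] = { @selector(actionA:), @selector(actionB:) };
        snapshot_imps([Target class], sels, 2);
        NSLog(@"tampered before hook: %zu", count_tampered([Target class]));   // 0

        // Constructed tamper: an IMP swapped in with method_setImplementation. A
        // hooker that reached this function without going through the app's symbol
        // stub would not trigger the fishhook detector, but the snapshot still sees it.
        method_setImplementation(class_getInstanceMethod([Target class], @selector(actionA:)),
                                 (IMP)fake_actionA);
        NSLog(@"tampered after hook: %zu", count_tampered([Target class]));    // 1
    }
    return 0;
}
```

Run count_tampered periodically or right before the sensitive action, not just once at startup: the page's own log shows the hook being installed during process start, and a hooker can equally well wait until the app is idle.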