CrackProof iOS Analysis (Part 2): Supplement
0x0
I have looked into this a bit more recently; this is only a brief supplement.
0x1 dyld
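When iOS loads a Mach-O image, dyld calls every mod_init_func entry of the target Mach-O to complete initialization, which serves the same purpose as the .init_proc section on Android.
Hooking pthread globally and combining that with the trace log shows that mod_init_func_0 calls pthread to create a thread that performs jailbreak detection. The call site that triggers pthread is 0xa03050c, and the function created as the thread is 0xa07ce90.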
creator: UnityFramework:0x10b89450c!0xa03050c 0x10b89450c !0xa03050c (0xa03050c)
start_routine: UnityFramework:0x10b8e0e90!0xa07ce90 0x10b8e0e90 !0xa07ce90 (0xa07ce90)
arg: 0x10ccf5118
pthread_t*: 0x16fb10650 -> 0x16fffb000
attr: default
backtrace:
#0 UnityFramework:0x10b89450c!0xa03050c 0x10b89450c !0xa03050c (0xa03050c)
#1 UnityFramework:0x10b896cbc!0xa032cbc 0x10b896cbc !0xa032cbc (0xa032cbc)
#2 UnityFramework:0x10bab1668!0xa24d668 0x10bab1668 !0xa24d668 (0xa24d668)
#3 dyld:0x10059842c!0x2842c 0x10059842c dyld!invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::
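
Added example (not from the original post): a small parser for the trace format above that checks the module:address!offset tokens against each other and confirms that the thread creation happened under dyld's initializer pass. It assumes the value after "!" is an offset from where the module is mapped, so runtime address minus offset should be constant per module; the function and field names are hypothetical.

```python
import re

# Constructed sample: lines copied verbatim from the trace shown above.
TRACE = """\
creator: UnityFramework:0x10b89450c!0xa03050c 0x10b89450c !0xa03050c (0xa03050c)
start_routine: UnityFramework:0x10b8e0e90!0xa07ce90 0x10b8e0e90 !0xa07ce90 (0xa07ce90)
arg: 0x10ccf5118
backtrace:
#0 UnityFramework:0x10b89450c!0xa03050c 0x10b89450c !0xa03050c (0xa03050c)
#1 UnityFramework:0x10b896cbc!0xa032cbc 0x10b896cbc !0xa032cbc (0xa032cbc)
#2 UnityFramework:0x10bab1668!0xa24d668 0x10bab1668 !0xa24d668 (0xa24d668)
#3 dyld:0x10059842c!0x2842c 0x10059842c dyld!invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::
"""

# "<label> <module>:<runtime address>!<offset>" at the start of a line.
FRAME = re.compile(r"^(creator:|start_routine:|#\d+)\s+(\w+):(0x[0-9a-f]+)!(0x[0-9a-f]+)(.*)$")

def parse_trace(text):
    """Return one dict per line that carries a module:addr!offset token."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # "arg:", "attr:", "backtrace:" and similar lines
        label, module, runtime, offset, rest = m.groups()
        runtime, offset = int(runtime, 16), int(offset, 16)
        frames.append({"label": label.rstrip(":"), "module": module,
                       "runtime": runtime, "offset": offset,
                       "base": runtime - offset,  # assumption: "!" value is an offset
                       "symbol": rest.strip()})
    return frames

def summarize(frames):
    """Per-module base values, plus whether dyld's initializer pass is on the stack."""
    bases = {}
    for f in frames:
        bases.setdefault(f["module"], set()).add(f["base"])
    stack = [f for f in frames if f["label"].startswith("#")]
    from_init = any(f["module"] == "dyld" and "findAndRunAllInitializers" in f["symbol"] for f in stack)
    by_label = {f["label"]: f for f in frames}
    return {"bases": bases,
            "consistent": all(len(b) == 1 for b in bases.values()),
            "from_initializers": from_init,
            "creator_is_top_frame": by_label["creator"]["offset"] == by_label["#0"]["offset"],
            "start_routine_offset": by_label["start_routine"]["offset"]}

if __name__ == "__main__":
    print(summarize(parse_trace(TRACE)))
```

A single base value per module means the offsets in the log can be looked up directly in a disassembler without further adjustment.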

