// // JB.m // isJailbroken // // Created by Anthony Viriya on 8/21/19. // Copyright © 2019 AVL. All rights reserved. // Reference : https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection // #import "JB.h" #import #import #import @implementation JB #define A(c) (c) - 0x19 #define HIDE_STR(str) do { char *p = str; while (*p) *p++ -= 0x19; } while (0) typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data); #if !defined(PT_DENY_ATTACH) #define PT_DENY_ATTACH 31 #endif BOOL DEBUGGING = YES; #if TARGET_IPHONE_SIMULATOR && !defined(LC_ENCRYPTION_INFO) #define LC_ENCRYPTION_INFO 0x21 struct encryption_info_command { uint32_t cmd; uint32_t cmdsize; uint32_t cryptoff; uint32_t cryptsize; uint32_t cryptid; }; #endif void LOG(NSString* loc) { NSLog(@"Found: %@", loc); } CFRunLoopSourceRef gSocketSource; BOOL fileExist(NSString* path) { NSFileManager *fileManager = [NSFileManager defaultManager]; BOOL isDirectory = NO; if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){ return YES; } return NO; } BOOL directoryExist(NSString* path) { NSFileManager *fileManager = [NSFileManager defaultManager]; BOOL isDirectory = YES; if([fileManager fileExistsAtPath:path isDirectory:&isDirectory]){ return YES; } return NO; } BOOL canOpen(NSString* path) { FILE *file = fopen([path UTF8String], "r"); if(file==nil){ return fileExist(path) || directoryExist(path); } fclose(file); return YES; } // Preventing libobjc hooked, strstr implementation const char* tuyul(const char* X, const char* Y) { if (*Y == '\0') return X; for (int i = 0; i < strlen(X); i++) { if (*(X + i) == *Y) { char* ptr = tuyul(X + i + 1, Y + 1); return (ptr) ? ptr - 1 : NULL; } } return NULL; } BOOL isRunningOnMac() { BOOL isiOSAppOnMac = NO; if (@available(iOS 14.0, *)) { isiOSAppOnMac = [NSProcessInfo processInfo].isiOSAppOnMac; } return isiOSAppOnMac; } BOOL isJb() { // Check cydia URL if([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.avl.com"]]) { return YES; } NSArray* checks = [[NSArray alloc]initWithObjects:@"/Application/Cydia.app", @"/Library/MobileSubstrate/MobileSubstrate.dylib", @"/bin/bash", @"/usr/sbin/sshd", @"/etc/apt", @"/usr/bin/ssh", @"/private/var/lib/apt", @"/private/var/lib/cydia", @"/private/var/tmp/cydia.log", @"/Applications/WinterBoard.app", @"/var/lib/cydia", @"/private/etc/dpkg/origins/debian", @"/bin.sh", @"/private/etc/apt", @"/etc/ssh/sshd_config", @"/private/etc/ssh/sshd_config", @"/Applications/SBSetttings.app", @"/private/var/mobileLibrary/SBSettingsThemes/", @"/private/var/stash", @"/usr/libexec/sftp-server", @"/usr/libexec/cydia/", @"/usr/sbin/frida-server",// jb new @"/usr/bin/cycript", @"/usr/local/bin/cycript", @"/usr/lib/libcycript.dylib", @"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", @"/System/Library/LaunchDaemons/com.ikey.bbot.plist", @"/Applications/FakeCarrier.app", @"/Library/MobileSubstrate/DynamicLibraries/Veency.plist", @"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", @"/usr/libexec/ssh-keysign", @"/usr/libexec/sftp-server", @"/Applications/blackra1n.app", @"/Applications/IntelliScreen.app", @"/Applications/Snoop-itConfig.app", @"/var/checkra1n.dmg", @"/var/binpack", @"/usr/bin/frida-server", @"/usr/bin/sshd", @"/private/var/mobile/Library/SBSettings/Themes", @"/bin/sh", @"/usr/bin/sshd", @"/bin/sh", @"/var/log/syslog", @"/var/lib/apt", @"/Applications/MxTube.app", @"/Applications/unc0ver.app", @"/Applications/Cydia.app", @"/Applications/RockApp.app", @"/Applications/Icy.app", @"/Applications/SBSettings.app", @"/usr/lib/OShadow.dylib", @"/usr/lib/0Shadow.dylib", @"Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib", @"Library/MobileSubstrate/DynamicLibraries/0Shadow", @"Library/PreferenceBundles/ShadowPreferences.bundle", @"Library/PreferenceLoader/Preferences/ShadowPreferences.plist", @"/Library/MobileSubstrate/DynamicLibraries/Veency.plist", @"/Library/MobileSubstrate/DynamicLibraries/0Shadow.plist", @"/Library/MobileSubstrate/DynamicLibraries/OShadow.plist", @"/Library/MobileSubstrate/DynamicLibraries/0Shadow.dylib", @"/Library/MobileSubstrate/DynamicLibraries/OShadow.dylib", // jb new nil]; //Check installed app for(NSString* check in checks) { if(canOpen(check)) { if(DEBUGGING){LOG(check);} return YES; } } //symlink verification struct stat sym; if(lstat("/Applications", &sym) || lstat("/var/stash/Library/Ringtones", &sym) || lstat("/var/stash/Library/Wallpaper", &sym) || lstat("/var/stash/usr/include", &sym) || lstat("/var/stash/usr/libexec", &sym) || lstat("/var/stash/usr/share", &sym) || lstat("/var/stash/usr/arm-apple-darwin9", &sym)) { if(sym.st_mode & S_IFLNK) { if(DEBUGGING){LOG(@"Symlink");} return YES; } } //Check process forking int pid = fork(); if(!pid) { exit(1); } if(pid >= 0) { if(DEBUGGING){LOG(@"Fork");} return YES; } //Check permission to write to /private NSString *path = @"/private/avl.txt"; NSFileManager *fileManager = [NSFileManager defaultManager]; @try { NSError* error; NSString *test = @"AVL was here"; [test writeToFile:test atomically:NO encoding:NSStringEncodingConversionAllowLossy error:&error]; [fileManager removeItemAtPath:path error:nil]; if(error==nil) { if(DEBUGGING){LOG(@"File creation");} return YES; } return NO; } @catch (NSException *exception) { return NO; } } char* UNHIDE_STR(char* str){ do { char *p = str; while (*p) *p++ += 0x19; } while (0); return str; } char* decryptString(char* str){ str = UNHIDE_STR(str); str[strlen(str)]='\0'; return str; } BOOL isInjectedWithDynamicLibrary() { int i=0; while(true){ const char *name = _dyld_get_image_name(i++); if(name==NULL){ break; } if (name != NULL) { char cyinjectHide[] = { A('c'), A('y'), A('i'), A('n'), A('j'), A('e'), A('c'), A('t'), 0 }; char libcycriptHide[] = { A('l'), A('i'), A('b'), A('c'), A('y'), A('c'), A('r'), A('i'), A('p'), A('t'), 0 }; char libfridaHide[] = { A('F'), A('r'), A('i'), A('d'), A('a'), A('G'), A('a'), A('d'), A('g'), A('e'), A('t'), 0 }; char zzzzLibertyDylibHide[] = { A('z'), A('z'), A('z'), A('z'), A('L'), A('i'), A('b'), A('e'), A('r'), A('t'), A('y'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char sslkillswitch2dylib[] = { A('S'), A('S'), A('L'), A('K'), A('i'), A('l'), A('l'), A('S'), A('w'), A('i'), A('t'), A('c'), A('h'), A('2'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char zeroshadowdylib[] = { A('0'), A('S'), A('h'), A('a'), A('d'), A('o'), A('w'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char mobilesubstratedylib[] = { A('M'), A('o'), A('b'), A('i'), A('l'), A('e'), A('S'), A('u'), A('b'), A('s'), A('t'), A('r'), A('a'), A('t'), A('e'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char libsparkapplistdylib[] = { A('l'), A('i'), A('b'), A('s'), A('p'), A('a'), A('r'), A('k'), A('a'), A('p'), A('p'), A('l'), A('i'), A('s'), A('t'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char SubstrateInserterdylib[] = { A('S'), A('u'), A('b'), A('s'), A('t'), A('r'), A('a'), A('t'), A('e'), A('I'), A('n'), A('s'), A('e'), A('r'), A('t'), A('e'), A('r'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char zzzzzzUnSubdylib[] = { A('z'), A('z'), A('z'), A('z'), A('z'), A('z'), A('U'), A('n'), A('S'), A('u'), A('b'), A('.'), A('d'), A('y'), A('l'), A('i'), A('b'), 0 }; char kor[] = { A('.'), A('.'), A('.'), A('!'), A('@'), A('#'), 0 }; char cephei[] = { A('/'),A('u'),A('s'),A('r'),A('/'),A('l'),A('i'),A('b'),A('/'),A('C'),A('e'),A('p'),A('h'),A('e'),A('i'),A('.'),A('f'),A('r'),A('a'),A('m'),A('e'),A('w'),A('o'),A('r'),A('k'),A('/'),A('C'),A('e'),A('p'),A('h'),A('e'),A('i'), 0 }; if (tuyul(name, decryptString(cephei)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(kor)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(mobilesubstratedylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if(tuyul(name, decryptString(libsparkapplistdylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(cyinjectHide)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(libcycriptHide)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(libfridaHide)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(zzzzLibertyDylibHide)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(sslkillswitch2dylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(zeroshadowdylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(SubstrateInserterdylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } if (tuyul(name, decryptString(zzzzzzUnSubdylib)) != NULL){ if(DEBUGGING){LOG([[NSString alloc] initWithFormat:@"%s", name]);} return YES; } } } // 查看是否有注入异常的类,比如HBPreferences 是越狱常用的类,这里无法绕过,只要多找一些特征类就可以,注意,很多反越狱插件会混淆,所以可能要通过查关键方法来识别 NSArray *checksClass = [[NSArray alloc] initWithObjects:@"HBPreferences",nil]; for(NSString *className in checksClass) { if (NSClassFromString(className) != NULL) { return YES; } } NSArray *checksClass2 = [[NSArray alloc] initWithObjects:@"Shadow",nil]; for(NSString *className in checksClass2) { if (NSClassFromString(className) != NULL) { return YES; } } if(isStatNotSystemLib()){ return YES; } if(dyldEnvironmentVariables()){ return YES; } return NO; } // Returns true if the current process is being debugged (either // running under the debugger or has a debugger attached post facto). // Thanks to https://developer.apple.com/library/archive/qa/qa1361/_index.html BOOL isDebugged() { int junk; int mib[4]; struct kinfo_proc info; size_t size; info.kp_proc.p_flag = 0; mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; mib[3] = getpid(); size = sizeof(info); junk = sysctl(mib, sizeof(mib) / sizeof(*mib), &info, &size, NULL, 0); assert(junk == 0); return ( (info.kp_proc.p_flag & P_TRACED) != 0 ); } BOOL isFromAppStore() { #if TARGET_IPHONE_SIMULATOR return NO; #else NSString *provisionPath = [[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"]; if (nil == provisionPath || 0 == provisionPath.length) { return YES; } return NO; #endif } BOOL isSecurityCheckPassed() { if(TARGET_IPHONE_SIMULATOR)return NO; if(TARGET_OS_OSX)return NO; return !isJb() && !isInjectedWithDynamicLibrary() && !isDebugged(); } BOOL isStatNotSystemLib(){ if(TARGET_IPHONE_SIMULATOR)return NO; int ret ; Dl_info dylib_info; int (*func_stat)(const char *, struct stat *) = stat; if ((ret = dladdr(func_stat, &dylib_info))) { NSString *fName = [NSString stringWithUTF8String: dylib_info.dli_fname]; if(![fName isEqualToString:@"/usr/lib/system/libsystem_kernel.dylib"]){ return YES; } } char *JbPaths[] = {"/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash", "/etc/apt", "/Library/MobileSubstrate", "/User/Applications/"}; for (int i = 0;i < sizeof(JbPaths) / sizeof(char *);i++) { struct stat stat_info; if (0 == stat(JbPaths[i], &stat_info)) { return YES; } } return NO; } #pragma mark 通过环境变量DYLD_INSERT_LIBRARIES检测是否越狱 BOOL dyldEnvironmentVariables() { if(TARGET_IPHONE_SIMULATOR)return NO; return !(NULL == getenv("DYLD_INSERT_LIBRARIES")); } @end