Preface

Why re-signing is needed: once the app's binary has been changed, or resources inside the app have been added or modified, the app's original signature is broken and the app must be signed again before it can run.

I Prerequisites

1.1 The security command

Command line interface to keychains and Security framework

Usage: security [-h][-i] [-l][-p prompt] [-q][-v] [command][opt …]
    -i    Run in interactive mode.
    -l    Run /usr/bin/leaks -nocontext before exiting.
    -p    Set the prompt to "prompt" (implies -i).
    -q    Be less verbose.
    -v    Be more verbose about what's going on.
    help  Show all commands, or show usage for a command.

1.2 Search for the certificates on this machine

  • find-identity
security find-identity -v -p codesigning

1.3 View the signing certificate

  1. Unzip the ipa file, then locate the embedded.mobileprovision file
  2. Decode the embedded.mobileprovision file (it is a CMS-signed blob). On macOS:
security cms -D -i embedded.mobileprovision

On Windows:

openssl smime -inform der -verify -noverify -in embedded.mobileprovision
  3. Analyze the file contents

get-task-allow: whether the app may be debugged (a debugger is allowed to attach to the process)


II Re-signing

2.1 Get the certificate list

security find-identity -v -p codesigning

2.2 Generate Entitlements.plist: the sandbox configuration list

It lists which behaviors are allowed and which are denied. When signing, Xcode passes this file to codesign as the content of the --entitlements parameter.

Permission changes made on Xcode's Capabilities tab also add the corresponding entries to the entitlements file.

  • Query an app's entitlements file
➜  provision git:(master) ✗ codesign -d --entitlements - /Users/devzkn/decrypted/WeChat6.6.0/Payload/WeChat.app
Executable=/Users/devzkn/decrypted/WeChat6.6.0/Payload/WeChat.app/WeChat
??qqh<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>com.apple.developer.siri</key>
		<true/>

		<key>com.apple.developer.team-identifier</key>
		<string>88L2Q4487U</string>

		<key>com.apple.developer.healthkit</key>
		<true/>

		<key>application-identifier</key>
		<string></string>

		<key>com.apple.developer.networking.HotspotHelper</key>
		<true/>

		<key>com.apple.developer.networking.networkextension</key>
		<array>
			<string>packet-tunnel-provider</string>
			<string>app-proxy-provider</string>
			<string>content-filter-provider</string>
		</array>

		<key>aps-environment</key>
		<string>production</string>

		<key>com.apple.developer.networking.HotspotConfiguration</key>
		<true/>

		<key>com.apple.developer.associated-domains</key>
		<array>
			<string>applinks:help.wechat.com</string>
		</array>

		<key>com.apple.security.application-groups</key>
		<array>
			<string></string>
		</array>

	</dict>
</plist>%

2.2.1 Build the target app, then take embedded.mobileprovision from the target app's directory

  • Get profile.plist (the decoded provisioning profile)
security cms -D -i  /Users/devzkn/Library/Developer/Xcode/DerivedData/2018wxrobot-eenymyxpjytdqfhdejnwlypbodwy/Build/Products/Debug-iphoneos//embedded.mobileprovision > profile.plist
  • Use PlistBuddy to extract the Entitlements dictionary from profile.plist (the binary is /usr/libexec/PlistBuddy; the capitalization matters on a case-sensitive file system)
/usr/libexec/PlistBuddy -x -c 'print :Entitlements' profile.plist > entitlements.plist
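As an added example (not from the original post), a Python equivalent of step 3 in 1.3 and of the PlistBuddy extraction above: it parses the decoded profile, pulls out the Entitlements dictionary, and reports the facts worth checking before re-signing (team, app-id match, expiry, device list, get-task-allow). The sample profile and every identifier in it are constructed placeholders.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: what `security cms -D -i embedded.mobileprovision` prints,
# trimmed to the keys this check reads. All identifiers are made-up placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00008030-PLACEHOLDERUDID</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.app</string>
    <key>com.apple.developer.team-identifier</key><string>TEAMID0000</string>
    <key>get-task-allow</key><true/>
    <key>aps-environment</key><string>development</string>
  </dict>
</dict></plist>"""

def extract_entitlements(profile_plist: bytes) -> dict:
    """Same result as `PlistBuddy -c 'print :Entitlements' profile.plist`."""
    return plistlib.loads(profile_plist)["Entitlements"]

def entitlements_plist(profile_plist: bytes) -> bytes:
    """XML entitlements.plist bytes, ready to pass to `codesign --entitlements`."""
    return plistlib.dumps(extract_entitlements(profile_plist))

def inspect_profile(profile_plist: bytes, bundle_id: str, now=None) -> dict:
    """Pre-signing checks: does the profile cover this bundle id, is it still
    valid, how many devices is it limited to, and will the app be debuggable?"""
    profile = plistlib.loads(profile_plist)
    ent = profile["Entitlements"]
    now = now or datetime.now(timezone.utc)
    exp = profile["ExpirationDate"]
    if exp.tzinfo is None:  # plistlib returns naive datetimes that are UTC
        exp = exp.replace(tzinfo=timezone.utc)
    # application-identifier is "<TEAMID>.<bundle id or *>"
    team, _, app_part = ent.get("application-identifier", "").partition(".")
    return {
        "team_id": team,
        "app_id_matches": app_part in (bundle_id, "*"),
        "expired": exp <= now,
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "debuggable": bool(ent.get("get-task-allow", False)),  # get-task-allow
        "aps": ent.get("aps-environment"),
    }
```

A profile with get-task-allow set to true is a development profile; an app re-signed with it can be attached to by a debugger, which is the point of section 1.3's check.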

2.2.2 Download the provisioning profile from the developer portal, then extract the entitlements file from it (omitted)

2.3 Copy xx.mobileprovision into the .app directory (as embedded.mobileprovision)

2.4 Sign

Sign every dynamic library, plugin, and extension under the watch directory inside the .app directory:

codesign -f -s 0B3D26F0E551CC07F2iPhoneDeveloperkey xxx.dylib
  • Sign the whole app directory
codesign -f -s 0B3D26F0E551CC07F2iPhoneDeveloperkey --entitlements entitlements.plist target.app

2.5 Package

mkdir -p Payload

cp -a Target.app ./Payload

zip -qr Target.ipa ./Payload

2.6 Example 1: signing a dynamic library

  • List the certificates that can sign code
security find-identity -v -p codesigning
  • Sign dumpdecrypted.dylib
codesign --force --verify --verbose --sign "iPhone Developer: xxx xxxx (xxxxxxxxxx)" dumpdecrypted.dylib

2.7 Example 2: re-signing the app after restoring the call stack

/zhangkn/res…

A reverse engineering tool to restore stripped symbol table for iOS app.

III Packaging script

➜   git:(develop) cat ~/bin/knipa
#!/bin/bash
# knipa: zip the first .app bundle found under the current directory into a
# timestamped .ipa and copy it to ~/Downloads/knPayload.
set -e
echo "==================(create ipa file...)=================="
# cd "$(dirname "$0")";
rm -rf ./Target.ipa
rm -rf ./Payload
mkdir Payload
# First .app bundle below the current directory (the one to package)
APP=$(find . -type d -name '*.app' | head -n 1)
if [ -z "$APP" ]; then
    echo "no .app bundle found" >&2
    exit 1
fi
cp -rf "$APP" ./Payload
# macOS (BSD) date has no %N, so the name has seconds resolution
data="$(date +%F-%T)"
postName="${data}.ipa"
zip -r -q "$postName" ./Payload
rm -rf ./Payload
open .
# Move the ipa into a dedicated directory
mkdir -p ~/Downloads/knPayload
cp -a "$postName" ~/Downloads/knPayload
open ~/Downloads/knPayload
echo "==================(done)=================="
exit

See also

1. Debugging a third-party app with Xcode (re-signing)
2. Making an app harder to reverse engineer