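1. How a Tweak works
Theos creates a Tweak plugin. Compiling it produces a dynamic library and a plist file for the corresponding package name, and packaging bundles the generated files into a .deb package that is installed on the phone. Cydia listens for application launches and uses the package name in the plist file to choose which dynamic library to load into the application's process (dyld injects the plugin's dynamic library through the DYLD_INSERT_LIBRARIES environment variable). The injected dynamic library does not change the original application's binary.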
2. Preventing Tweak plugin injection
- In Build Settings, search for Other Linker Flags (product->Build Settings->Linking->Other Linker Flags)
Enter: -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
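3. Defeating the protection with a binary editor
- The binary can be modified with a binary editor. Because the Mach-O file's binary has been modified, it must be re-signed; MonkeyDev can be used for the re-signing.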
4. Protecting with the dyld source code
- Protect the app by checking whether the restrict segment has been modified. The core code in dyld (dyld.cpp):
```cpp
// Returns true if the image has a __RESTRICT segment containing a __restrict section.
static bool hasRestrictedSegment(const macho_header* mh)
{
    const uint32_t cmd_count = mh->ncmds;
    // Load commands start immediately after the Mach-O header.
    const struct load_command* const cmds = (struct load_command*)(((char*)mh)+sizeof(macho_header));
    const struct load_command* cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND:
            {
                const struct macho_segment_command* seg = (struct macho_segment_command*)cmd;
                //dyld::log("seg name: %s\n", seg->segname);
                if (strcmp(seg->segname, "__RESTRICT") == 0) {
                    // Section headers follow the segment command directly.
                    const struct macho_section* const sectionsStart = (struct macho_section*)((char*)seg + sizeof(struct macho_segment_command));
                    const struct macho_section* const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section* sect=sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strcmp(sect->sectname, "__restrict") == 0)
                            return true;
                    }
                }
            }
            break;
        }
        // Advance to the next load command.
        cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
    }
    return false;
}
```
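The same walk can be run by the app over its own image, or at build time over the shipped binary, to confirm that the `__RESTRICT,__restrict` section created by the linker flag is still present. The following C code is an added example, not dyld's or the author's code: the structs are redeclared from the 64-bit Mach-O layouts so it compiles off-device, and `has_restrict_section`, `build_sample` and `struct sample` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* 64-bit Mach-O layouts, redeclared here so the example builds off-device
   (assumption: on iOS/macOS include <mach-o/loader.h> instead). */
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT_64 0x19u
struct mh64   { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct lc     { uint32_t cmd, cmdsize; };
struct seg64  { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr, vmsize, fileoff, filesize;
                uint32_t maxprot, initprot, nsects, flags; };
struct sect64 { char sectname[16], segname[16]; uint64_t addr, size;
                uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3; };

/* Same walk as hasRestrictedSegment, but every read is length-checked and names
   are compared with strncmp: the 16-byte fields need not be NUL-terminated. */
bool has_restrict_section(const uint8_t *img, size_t len) {
    struct mh64 mh; struct lc cmd; struct seg64 seg; struct sect64 s;
    if (len < sizeof mh) return false;
    memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC_64) return false;
    size_t off = sizeof mh;
    for (uint32_t i = 0; i < mh.ncmds; ++i) {
        if (len - off < sizeof cmd) return false;
        memcpy(&cmd, img + off, sizeof cmd);
        if (cmd.cmdsize < sizeof cmd || cmd.cmdsize > len - off) return false;
        if (cmd.cmd == LC_SEGMENT_64 && cmd.cmdsize >= sizeof seg) {
            memcpy(&seg, img + off, sizeof seg);
            size_t room = (cmd.cmdsize - sizeof seg) / sizeof s;  /* sections that fit */
            bool restricted = strncmp(seg.segname, "__RESTRICT", 16) == 0;
            for (uint32_t j = 0; restricted && j < seg.nsects && j < room; ++j) {
                memcpy(&s, img + off + sizeof seg + j * sizeof s, sizeof s);
                if (strncmp(s.sectname, "__restrict", 16) == 0) return true;
            }
        }
        off += cmd.cmdsize;
    }
    return false;
}

/* Constructed sample image: header, one segment, one section. The three
   structs pack without padding; names passed in are shorter than 16 bytes. */
struct sample { struct mh64 mh; struct seg64 seg; struct sect64 sect; };
struct sample build_sample(const char *segname, const char *sectname) {
    struct sample s = { .mh  = { MH_MAGIC_64, 0, 0, 2, 1, sizeof s.seg + sizeof s.sect, 0, 0 },
                        .seg = { .cmd = LC_SEGMENT_64, .cmdsize = sizeof s.seg + sizeof s.sect, .nsects = 1 } };
    memcpy(s.seg.segname, segname, strlen(segname));
    memcpy(s.sect.sectname, sectname, strlen(sectname));
    return s;
}
```

A truncated or malformed image returns false instead of reading past the buffer, so a caller can treat false as "protection not confirmed".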