1,通过调用ptrace函数可以阻止调试器依附。
其中 x0-x3 存储的为函数入参,x16 存储的为函数编号,通过 Apple 提供的 System Call Table 可以查出 ptrace 的编号为 26,最后一句指令发起了系统调用。需要注意,下面的示例把 w16 置为 0(即间接系统调用 syscall),因此 ptrace 的编号 26 放在 x0,而 ptrace 自身的参数 PT_DENY_ATTACH(31)、pid、addr、data 依次放在 x1-x4。通过使用 asm 指令能够将汇编代码嵌入我们的函数中,构成反调试方法。
// 使用inline方式将函数在调用处强制展开,防止被hook和追踪符号
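// Forced inline at every call site (author's intent: no single symbol to
// hook or set a breakpoint on). Issues ptrace(PT_DENY_ATTACH) as a raw
// system call instead of calling the libsystem wrapper.
//
// Register layout, as used by the asm below:
//   w16 = 0   -> SYS_syscall (indirect syscall); the real number goes in x0
//   x0  = 26  -> SYS_ptrace
//   x1  = 31  -> PT_DENY_ATTACH
//   x2..x4    -> pid, addr, data (all 0)
// The syscall result in x0 (and the carry flag on error) is not inspected,
// so a failed call is silent.
//
// Only compiled for arm64; on any other target the function does nothing.
// `inline` is added so always_inline does not warn, and a clobber list is
// given so the compiler knows x0-x4 and w16 are overwritten.
static inline __attribute__((always_inline)) void anti_debug(void)
{
#ifdef __arm64__
    // volatile keeps the compiler from dropping an asm with no outputs.
    __asm__ __volatile__
    (
        "mov x0, #26\n"
        "mov x1, #31\n"
        "mov x2, #0\n"
        "mov x3, #0\n"
        "mov x4, #0\n"
        "mov w16, #0\n"
        "svc #0x80"
        :
        :
        : "x0", "x1", "x2", "x3", "x4", "x16", "cc", "memory"
    );
#endif
}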
调用
/// UIApplicationDelegate launch hook. The ptrace guard is the first thing
/// the app does, before any other launch-time work.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    // Refuse debugger attachment as early as possible.
    anti_debug();

    BOOL launchSucceeded = YES;
    return launchSucceeded;
}
2,反调试检测
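// Checks that the raw `svc` path has not been neutralised. If the svc
// mechanism used by anti_debug() has been patched so that system calls
// silently return 0, this shows up here too: getpid (SYS_getpid = 20 in w16)
// is issued the same raw way, and a user process's pid is never 0. When x0
// comes back as 0 the asm wipes sp, fp and lr and `ret`s to address 0,
// terminating the process without going through any hookable function.
//
// Only active on arm64; a no-op elsewhere. Always inlined so there is no
// single symbol to breakpoint.
static inline __attribute__((always_inline)) void check_svc_integrity(void)
{
#ifdef __arm64__
    // 64-bit on purpose: a 32-bit operand would be printed as wN, and
    // `mov wN, x0` does not assemble.
    long pid;
    __asm__ __volatile__(
        "mov x0, #0\n"
        "mov w16, #20\n"        // SYS_getpid
        "svc #0x80\n"
        "cmp x0, #0\n"
        "b.ne 1f\n"             // genuine pid: skip the crash path
        "mov x1, #0\n"
        "mov sp, x1\n"
        "mov x29, x1\n"
        "mov x30, x1\n"
        "ret\n"                 // lr == 0 -> immediate fault
        "1:\n"
        "mov %[result], x0\n"
        : [result] "=r" (pid)
        :
        : "x0", "x1", "x16", "cc", "memory"
    );
    // Defence in depth: reachable only if the crash path above was itself
    // patched out. The original longjmp'ed to a jmp_buf that was never set
    // with setjmp (undefined behaviour); a trap terminates deterministically.
    if (pid == 0) {
        __builtin_trap();
    }
#endif
}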
//需要头文件#include <unistd.h>
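// Terminates the process when standard output is a terminal.
// Requires <unistd.h> (isatty, STDOUT_FILENO) and <stdlib.h> (exit).
//
// The premise in the referenced article is that a normal app launch has no
// controlling tty, while a process started or attached to from a shell
// session may. NOTE(review): this is a heuristic and can misfire or be
// bypassed; treat it as one signal among several, not a guarantee.
void AntiDebug_isatty(void)
{
    // isatty() returns 1 for a terminal, 0 otherwise; nothing to do when
    // stdout is not a tty (the original had an empty else branch).
    if (isatty(STDOUT_FILENO)) {
        exit(1);
    }
}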
调用
/// UIApplicationDelegate launch hook for the detection variant: the raw-svc
/// integrity check runs both before and after the tty check.
/// NOTE(review): check_svc_integrity() is invoked twice; presumably the
/// second call re-verifies after AntiDebug_isatty() — confirm this is intended.
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    check_svc_integrity();
    AntiDebug_isatty();
    check_svc_integrity();

    BOOL launchSucceeded = YES;
    return launchSucceeded;
}
参考https://juejin.im/post/5d9891abf265da5b926bc2b7?utm_source=gold_browser_extension