[教程] 废除IOS程序的ASLR+源代码+bin--支持IOS7

发表于 2014-6-18 11:46:14 | 显示全部楼层 |阅读模式
  1. //
  2. // removePIE.c
  3. // cygwin编译:/toolchain4/pre/bin/arm-apple-darwin9-gcc removePIE.c -o removePIE
  4. //
  5. // 飘云修改编译版
  6. // www.dllhook.com


  7. #include <stdio.h>
  8. #include <stdlib.h>
  9. #include <string.h>
  10. #include <stdint.h>
  11. #include <mach-o/loader.h>

  /*
   * Print `size` bytes starting at `data` as two-digit lowercase hex digits,
   * with no separators and no trailing newline; the caller adds any framing.
   * Output goes to stdout via printf.
   */
  void hexify(unsigned char *data, uint32_t size){
      for (uint32_t i = 0; i < size; i++) {
          printf("%02x", data[i]);
      }
  }

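  /*
   * Copy f1, from its current position to EOF, into f2 in BUFSIZ chunks.
   *
   * Returns 0 on success and -1 if reading f1 or writing f2 failed; an error
   * line is printed to stderr in that case and copying stops immediately, so
   * f2 may be partially written (the caller decides whether to keep it).
   * Neither stream is closed here.
   */
  int fcopy(FILE *f1, FILE *f2){
      unsigned char buffer[BUFSIZ];
      size_t n;

      while ((n = fread(buffer, 1, sizeof buffer, f1)) > 0) {
          if (fwrite(buffer, 1, n, f2) != n) {
              /* Stop on the first short write instead of looping on and
               * repeating the message for every remaining chunk. */
              fprintf(stderr, "Error copying backup\n");
              return -1;
          }
      }
      /* fread returns 0 both at EOF and on a read error; only ferror tells them apart. */
      if (ferror(f1)) {
          fprintf(stderr, "Error reading file for backup\n");
          return -1;
      }
      /* Push buffered data to the OS now so a failing disk write is reported here,
       * not silently lost in a later fclose the caller may not check. */
      if (fflush(f2) != 0) {
          fprintf(stderr, "Error copying backup\n");
          return -1;
      }
      return 0;
  }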

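  #ifndef MH_MAGIC_64
  #define MH_MAGIC_64 0xfeedfacf   /* 64-bit Mach-O, native byte order (older loader.h may lack it) */
  #endif
  #ifndef MH_CIGAM_64
  #define MH_CIGAM_64 0xcffaedfe   /* 64-bit Mach-O, byte-swapped */
  #endif

  /*
   * removePIE: clear MH_PIE in the Mach-O header of the file named by argv[1]
   * so the loader no longer randomizes its image base (e.g. when debugging a
   * build of your own). A copy of the untouched file is written to
   * "<file>.bak" first. Only thin Mach-O files whose magic reads in native
   * (little-endian host) order are handled, 32- or 64-bit; fat and
   * byte-swapped files are refused before anything is created on disk.
   *
   * Returns EXIT_SUCCESS after the header was patched (or was already
   * PIE-free), EXIT_FAILURE on any error. The target is only written after
   * the backup has been closed successfully.
   */
  int main(int argc, char *argv[]){
      struct mach_header currentHeader;
      FILE *fp = NULL;        /* target binary, read/write in place */
      FILE *fw = NULL;        /* backup copy */
      char *fwName = NULL;    /* "<argv[1]>.bak", heap-allocated so long paths fit */
      static const char suffix[] = ".bak";   /* sizeof suffix == 5: includes the NUL */
      size_t nameLen;
      int rc = EXIT_FAILURE;

      /* argv[1] is NULL when argc == 1; the old `argc < 1` test never caught that
       * and fopen() was then handed a null pointer. */
      if (argc < 2) {
          fprintf(stderr, "Please enter the filename binary: in the format removePIE filename\n");
          return EXIT_FAILURE;
      }
      if ((fp = fopen(argv[1], "rb+")) == NULL) {
          fprintf(stderr, "Error, unable to open file ");
          perror(argv[1]);
          return EXIT_FAILURE;
      }

      /* Inspect the magic first: nothing is created on disk until the file is known to be patchable. */
      if (fread(&currentHeader.magic, sizeof currentHeader.magic, 1, fp) != 1) {
          fprintf(stderr, "Error reading magic constant in file\n");
          goto out;
      }
      if (currentHeader.magic == MH_CIGAM || currentHeader.magic == MH_CIGAM_64) {   /* big endian */
          fprintf(stderr, "file is big-endian, not an iOS binary\n");
          goto out;
      }
      if (currentHeader.magic == 0xbebafeca) {   /* FAT_MAGIC (0xcafebabe) as seen from a little-endian host */
          /* A fat header carries fat_arch entries, not MH flags, at offset 24: the old
           * code patched it anyway, scribbling on the first slice's align field while
           * every slice stayed PIE. Refuse it instead. */
          fprintf(stderr, "File is a fat (multi-architecture) binary; extract the slice to patch first\n");
          goto out;
      }
      if (currentHeader.magic != MH_MAGIC && currentHeader.magic != MH_MAGIC_64) {
          fprintf(stderr, "File is not a MACH_O binary\n");
          goto out;
      }

      printf("loading header\n");
      rewind(fp);
      /* struct mach_header_64 shares its first 28 bytes (through `flags`) with
       * struct mach_header, so the 32-bit struct is enough for both variants. */
      if (fread(&currentHeader, sizeof currentHeader, 1, fp) != 1) {
          fprintf(stderr, "Error reading MACH-O header\n");
          goto out;
      }

      /* Build "<file>.bak". The original used strlcpy/strlcat with the *source*
       * lengths as the size argument and a 4-byte ".bak" array with no terminator:
       * a long path overflowed fwName[80], and a name of 5+ characters could end
       * up with no suffix appended at all, so fopen(..., "wb") truncated the very
       * binary being patched. */
      nameLen = strlen(argv[1]);
      fwName = malloc(nameLen + sizeof suffix);
      if (fwName == NULL) {
          fprintf(stderr, "Out of memory\n");
          goto out;
      }
      memcpy(fwName, argv[1], nameLen);
      memcpy(fwName + nameLen, suffix, sizeof suffix);

      if ((fw = fopen(fwName, "wb")) == NULL) {
          fprintf(stderr, "Error, unable to create backup ");
          perror(fwName);
          goto out;
      }
      rewind(fp);   /* back to offset 0 so the backup is the whole file */
      printf("\nbacking up application binary...\n");
      fcopy(fp, fw);
      /* fcopy's failures are visible on the stream error flags; check them before
       * any later rewind() clears them, and treat a failing fclose as a failed write. */
      {
          int copyFailed = ferror(fp) || ferror(fw);
          if (fclose(fw) != 0) {
              copyFailed = 1;
          }
          fw = NULL;
          if (copyFailed) {
              fprintf(stderr, "Error writing backup %s\n", fwName);
              goto out;
          }
      }
      printf("\nbinary backed up to:\t%s\n", fwName);

      printf("\nmach_header:\t");
      hexify((unsigned char *)&currentHeader, (uint32_t)sizeof currentHeader);
      printf("\noriginal flags:\t");
      hexify((unsigned char *)&currentHeader.flags, (uint32_t)sizeof currentHeader.flags);

      if ((currentHeader.flags & MH_PIE) == 0) {
          /* The old code wrote the unchanged header back and still reported success
           * (the sample run shows flags 85000000 before and after). Say what happened. */
          printf("\nMH_PIE is not set in %s; nothing to change\n", argv[1]);
          rc = EXIT_SUCCESS;
          goto out;
      }
      printf("\nDisabling ASLR/PIE ...\n");
      currentHeader.flags &= ~MH_PIE;
      printf("new flags:\t");
      hexify((unsigned char *)&currentHeader.flags, (uint32_t)sizeof currentHeader.flags);

      rewind(fp);
      /* Write the header back (the old code hard-coded 28 bytes and only noticed a
       * zero-length write). For a 64-bit file the trailing `reserved` word is untouched. */
      if (fwrite(&currentHeader, sizeof currentHeader, 1, fp) != 1 || fflush(fp) != 0) {
          fprintf(stderr, "Error writing to application file %s\n", argv[1]);
          goto out;
      }
      if (fclose(fp) != 0) {
          fp = NULL;
          fprintf(stderr, "Error writing to application file %s\n", argv[1]);
          goto out;
      }
      fp = NULL;
      printf("\nASLR has been disabled for %s\n", argv[1]);
      rc = EXIT_SUCCESS;

  out:
      /* fclose(NULL) is undefined, so only close what is still open. */
      if (fw != NULL) {
          fclose(fw);
      }
      if (fp != NULL) {
          fclose(fp);
      }
      free(fwName);
      return rc;
  }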

使用实例:

Administratorde-iPhone:/tmp root# ./removePIE debug
loading header

backing up application binary...

binary backed up to:    debug.bak

mach_header:    cefaedfe0c00000000000000020000000c000000b004000085000000
original flags: 85000000
Disabling ASLR/PIE ...
new flags:      85000000
ASLR has been disabled for debug


点这里下载编译好的bin

发表于 2016-10-16 13:47:50 | 显示全部楼层
呵呵,好帖一定要顶,支持











