{"id":612,"date":"2023-07-09T03:51:08","date_gmt":"2023-07-08T18:51:08","guid":{"rendered":"https:\/\/h4ck.kr\/?p=612"},"modified":"2023-07-11T22:58:46","modified_gmt":"2023-07-11T13:58:46","slug":"ios-ipados-%ed%83%88%ec%98%a5-%eb%b0%8f-%eb%94%94%eb%b2%84%ea%b9%85-%ed%83%90%ec%a7%80-%eb%b0%a9%eb%b2%95","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=612","title":{"rendered":"iOS\/iPadOS \ud0c8\uc625 \ubc0f \ub514\ubc84\uae45 \ud0d0\uc9c0 \ubc29\ubc95"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">1. \ud30c\uc77c \ud0d0\uc9c0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1-1. Objective-C \uba54\uc18c\ub4dc<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8211; (<strong>BOOL<\/strong>)isReadableFileAtPath:(<strong>NSString *<\/strong>)path;<\/li>\n\n\n\n<li>&#8211; (<strong>BOOL<\/strong>)fileExistsAtPath: (<strong>NSString *<\/strong>)path isDirectory: (<strong>BOOL *<\/strong>)isDirectory<\/li>\n\n\n\n<li>&#8211; (<strong>BOOL<\/strong>)fileExistsAtPath: (<strong>NSString *<\/strong>)path<\/li>\n\n\n\n<li>&#8211; (<strong>NSArray *<\/strong>)contentsOfDirectoryAtPath:(<strong>NSString *<\/strong>)path error:(<strong>NSError * _Nullable *<\/strong>)error;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">if ([[NSFileManager defaultManager] fileExistsAtPath:@\u201d\/Applications\/Sileo.app\u201d]]) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">1-2. C System Library<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>FILE *<\/strong>fopen<strong>(const char *<\/strong><em>pathname<\/em>,<strong> const char *<\/strong><em>mode<\/em><strong>);<\/strong><\/li>\n\n\n\n<li><strong>int<\/strong> access(<strong>const char *<\/strong><em>path<\/em>, <strong>int<\/strong> <em>amode<\/em>);<\/li>\n\n\n\n<li><strong>int <\/strong>open(<strong>const char *<\/strong><em>path<\/em>, <strong>int<\/strong> <em>oflag<\/em>, &#8230;);<\/li>\n\n\n\n<li><strong>int<\/strong> lstat(<strong>const char *<\/strong><em>path<\/em>, <strong>struct stat *<\/strong> <em>buf<\/em>);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;unistd.h>\n\nif (access(\"\/Applications\/Sileo.app\", F_OK) == 0) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">1-3. Supervisor Call (Low-level, SVC #0x80)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static inline int SVC_statfs64(const char* path, struct statfs *buf) {\n    int64_t flag = 0;\n    __asm __volatile(\"mov x0, %0\" :: \"r\" ((int64_t)SYS_statfs64)); \/\/SYS_statfs64\n    __asm __volatile(\"mov x1, %0\" :: \"r\" (path)); \/\/path\n    __asm __volatile(\"mov x2, %0\" :: \"r\" (buf));    \/\/struct statfs\n    __asm __volatile(\"mov x16, %0\" :: \"r\" ((int64_t)SYS_syscall));   \/\/SYS_syscall\n    __asm __volatile(\"svc #0x80\"); \/\/supervisor call\n    __asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n    return (int)flag;\n}\n\nstatic inline int SVC_Access(const char* detectionPath, int64_t mode) {\n    int64_t flag = 0;\n    __asm __volatile(\"mov x0, %0\" :: \"r\" ((int64_t)SYS_access)); \/\/SYS_access\n    __asm __volatile(\"mov x1, %0\" :: \"r\" (detectionPath)); \/\/path\n    __asm __volatile(\"mov x2, %0\" :: \"r\" (mode));    \/\/mode\n    __asm __volatile(\"mov x16, %0\" :: \"r\" ((int64_t)SYS_syscall));   \/\/SYS_syscall\n    __asm __volatile(\"svc #0x80\"); \/\/supervisor call\n    __asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n    return (int)flag;\n}\n\nif(SVC_Access(\"Applications\/Sileo\/app\", F_OK) != ENOENT) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">-(NSArray *)jailbreakFiles {\n\tNSArray *file = [NSArray arrayWithObjects:\n\t                 @\"\/Applications\/Cydia.app\",\n\t                 @\"\/Applications\/Sileo.app\",\n\t                 @\"\/var\/binpack\",\n\t                 @\"\/Library\/MobileSubstrate\/DynamicLibraries\",\n\t                 @\"\/Library\/PreferenceBundles\/LibertyPref.bundle\",\n\t                 @\"\/Library\/PreferenceBundles\/ShadowPreferences.bundle\",\n\t                 @\"\/Library\/PreferenceBundles\/ABypassPrefs.bundle\",\n\t                 @\"\/Library\/PreferenceBundles\/FlyJBPrefs.bundle\",\n\t                 @\"\/usr\/lib\/libhooker.dylib\",\n\t                 @\"\/usr\/lib\/libsubstitute.dylib\",\n\t                 @\"\/usr\/lib\/substrate\",\n\t                 @\"\/usr\/lib\/TweakInject\",\n\t                 nil];\n\treturn file;\n}\n...\n+(BOOL)isJailbreakFileExist {\n\tBOOL check = NO;\n\tNSArray *jbPatternFile = [[[XFJailbreakPattern alloc] init] jailbreakFiles];\n\tNSFileManager *fileManager = [NSFileManager defaultManager];\n\tfor (NSString *jbFile in jbPatternFile) {\n\t\tconst char *jbFile2 = [jbFile cStringUsingEncoding:NSUTF8StringEncoding];\n\n\t\t\/\/NSFileManager fileExistsAtPath\n\t\tif ([fileManager fileExistsAtPath:jbFile]) {\n\t\t\tNSLog(@\"NSFilemanager: %@\", jbFile);\n\t\t\tcheck = YES;\n\t\t}\n\n\t\t\/\/System Library - opendir: Sustitute doesn't like hooking opendir :)\n\t\tDIR *dirPoint = opendir(jbFile2);\n\t\tif (dirPoint != NULL) {\n\t\t\tNSLog(@\"opendir: %@ - %p\", jbFile, dirPoint);\n\t\t\tcheck = YES;\n\t\t}\n\n\t\t\/\/syscall - SYS_access\n\t\tif(syscall(SYS_access, jbFile2, F_OK) == 0) {\n\t\t\tNSLog(@\"Syscall SYS_access: %@\", jbFile);\n\t\t\tcheck = YES;\n\t\t}\n\n\t\t\/\/SVC #0x80 - SYS_syscall - SYS_access, SYS_access, SYS_lstat64, SYS_stat64, SYS_statfs64, SYS_open\n\t#if defined __arm64__ || defined __arm64e__\n\t\tint64_t flag = ENOENT;\n\t\t__asm __volatile(\"mov x0, #0x21\"); \/\/access\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x2, #0\"); \/\/mode\n\t\t__asm __volatile(\"mov x16, #0\");   \/\/syscall\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tint flag = ENOENT;\n\t\t__asm __volatile(\"mov r0, #0x21\"); \/\/access\n\t\t__asm __volatile(\"mov r1, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov r2, #0\"); \/\/mode\n\t\t__asm __volatile(\"mov r12, #0\"); \/\/syscall\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif (flag != ENOENT ) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_syscall - SYS_access: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\n\t#if defined __arm64__ || defined __arm64e__\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov x0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, #0\"); \/\/mode\n\t\t__asm __volatile(\"mov x16, #0x21\");   \/\/access\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov r0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov r1, #0\"); \/\/mode\n\t\t__asm __volatile(\"mov r12, #0x21\"); \/\/access\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif (flag != ENOENT ) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_access: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\n\t\tstruct stat statPoint;\n\n\t#if defined __arm64__ || defined __arm64e__\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov x0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statPoint)); \/\/struct stat\n\t\t__asm __volatile(\"mov x16, #0x154\");   \/\/lstat64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov r0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statPoint)); \/\/struct stat\n\t\t__asm __volatile(\"mov r12, #0x154\"); \/\/lstat64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif (flag != ENOENT ) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_lstat64: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\n\t#if defined __arm64__ || defined __arm64e__\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov x0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statPoint)); \/\/struct stat\n\t\t__asm __volatile(\"mov x16, #0x152\");   \/\/stat64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov r0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statPoint)); \/\/struct stat\n\t\t__asm __volatile(\"mov r12, #0x152\"); \/\/stat64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif (flag != ENOENT ) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_stat64: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\n\t\tstruct statfs statfsPoint;\n\t#if defined __arm64__ || defined __arm64e__\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov x0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statfsPoint)); \/\/struct statfs\n\t\t__asm __volatile(\"mov x16, #0x159\");   \/\/statfs64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tflag = ENOENT;\n\t\t__asm __volatile(\"mov r0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, %0\" :: \"r\" (&amp;statfsPoint)); \/\/struct statfs\n\t\t__asm __volatile(\"mov r12, #0x159\"); \/\/statfs64\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif (flag != ENOENT ) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_statfs64: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\n\t#if defined __arm64__ || defined __arm64e__\n\t\tflag = 0;\n\t\t__asm __volatile(\"mov x0, %0\" :: \"r\" (jbFile2)); \/\/path\n\t\t__asm __volatile(\"mov x1, #0\");\n\t\t__asm __volatile(\"mov x2, #0\");\n\t\t__asm __volatile(\"mov x16, #0x5\");     \/\/open\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"bcc #0xC\");\n\t\t__asm __volatile(\"mov x0, #0x0\");\n\t\t__asm __volatile(\"b #0x8\");\n\t\t__asm __volatile(\"mov x0, #0x1\");\n\t\t__asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n\t#else\n\t\tflag = 0;\n\t\t__asm __volatile(\"mov r0, %0\" :: \"r\" (jbFile2)); \/\/ path\n\t\t__asm __volatile(\"mov r1, #0\");\n\t\t__asm __volatile(\"mov r2, #0\");\n\t\t__asm __volatile(\"mov r12, #0x5\"); \/\/ open\n\t\t__asm __volatile(\"svc #0x80\"); \/\/supervisor call\n\t\t__asm __volatile(\"bcc #0x6\");\n\t\t__asm __volatile(\"mov r0, 0x0\");\n\t\t__asm __volatile(\"b #0x4\");\n\t\t__asm __volatile(\"mov r0, #0x1\");\n\t\t__asm __volatile(\"mov %0, r0\" : \"=r\" (flag));\n\t#endif\n\t\tif(flag == 1) {\n\t\t\tNSLog(@\"SVC #0x80 SYS_open: %s\", jbFile2);\n\t\t\tcheck = YES;\n\t\t}\n\t}\n\treturn check;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">2. \uc0cc\ub4dc\ubc15\uc2a4 \uc6b0\ud68c \ud0d0\uc9c0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">2-1. Objective-C \/ C System Library<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">NSError *error;\n[@\"Jailbreak Test\" writeToFile:@\u201d\/private\/var\/sandbox.txt\u201d atomically:YES encoding:NSUTF8StringEncoding error:&amp;error];\n\nif(error == nil) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">2-2. Private API<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int<\/strong> sandbox_check(<strong>pid_t<\/strong>, <strong>const char *<\/strong>operation, <strong>int <\/strong>sandbox_filter_type, &#8230;);<br>(operation: file-read*)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void *sandbox = dlopen(\"\/usr\/lib\/system\/libsystem_sandbox.dylib\", RTLD_NOW);\nif(sandbox != NULL)\n{\n    _sandbox_check = dlsym(sandbox, \"sandbox_check\");\n    if(_sandbox_check != NULL)\n    {\n        int filter = SANDBOX_FILTER_PATH | SANDBOX_CHECK_NO_REPORT;\n        if(_sandbox_check(getpid(), \"file-read*\", filter, \"\/Library\") != 1)\n        {\n            return YES;    \/\/Detected Jailbroken\n        }\n    }\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">3. URL Scheme \ud0d0\uc9c0<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>-(<strong>BOOL<\/strong>)canOpenURL:(<strong>NSURL *<\/strong>)arg1;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">NSURL *url = [NSURL URLWithString:@\"sileo:\/\/\"];\nif([[UIApplication sharedApplication] canOpenURL:url]) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">4. \ud6c4\ud0b9 \ub77c\uc774\ube0c\ub7ec\ub9ac \ud0d0\uc9c0<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">4-1. Private API<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kern_return_t<\/strong> task_info(<strong>task_name_t<\/strong> target_task, <strong>task_flavor_t<\/strong> flavor, <strong>task_info_t<\/strong> task_info_out, <strong>mach_msg_type_number_t *<\/strong>task_info_outCnt);<\/li>\n\n\n\n<li><strong>uint32_t<\/strong> _dyld_image_count(<strong>void<\/strong>);<\/li>\n\n\n\n<li><strong>const struct mach_header*<\/strong> _dyld_get_image_header(<strong>uint32_t<\/strong> image_index);<\/li>\n\n\n\n<li><strong>const char*<\/strong> _dyld_get_image_name(<strong>uint32_t<\/strong> image_index);<\/li>\n\n\n\n<li><strong>kern_return_t<\/strong> vm_region_recurse_64(<strong>vm_map_read_t <\/strong>target_task, <strong>vm_address_t *<\/strong>address, <strong>vm_size_t *<\/strong>size, <strong>natural_t *<\/strong>nesting_depth, <strong>vm_region_recurse_info_t<\/strong> info, <strong>mach_msg_type_number_t<\/strong> *infoCnt)<\/li>\n\n\n\n<li><strong>kern_return_t <\/strong>vm_region_64(<strong>vm_map_read_t<\/strong> target_task,<strong> vm_address_t *<\/strong>address, <strong>vm_size_t *<\/strong>size, <strong>vm_region_flavor_t<\/strong> flavor, <strong>vm_region_info_t<\/strong> info, <strong>mach_msg_type_number_t *<\/strong>infoCnt, <strong>mach_port_t *<\/strong>object_name);<\/li>\n\n\n\n<li><strong>int<\/strong> proc_regionfilename(int pid, <strong>uint64_t <\/strong>address, <strong>void *<\/strong> buffer, <strong>uint32_t<\/strong> buffersize);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">+(BOOL)isJailbreakInjectExist {\n    BOOL check = NO;\n\n\tinteger_t task_info_out[TASK_DYLD_INFO_COUNT];\n\tmach_msg_type_number_t task_info_outCnt = TASK_DYLD_INFO_COUNT;\n\tif(task_info(mach_task_self_, TASK_DYLD_INFO, task_info_out, &amp;task_info_outCnt) == KERN_SUCCESS) {\n\t\tstruct task_dyld_info dyld_info = *(struct task_dyld_info*)(void*)(task_info_out);\n\t\tstruct dyld_all_image_infos* infos = (struct dyld_all_image_infos *) dyld_info.all_image_info_addr;\n\t\tstruct dyld_uuid_info* pUuid_info  = (struct dyld_uuid_info*) infos->uuidArray;\n\n\t\tfor( int i = 0; i &lt; infos->uuidArrayCount; i++, pUuid_info += 1)\n\t\t{\n\t\t\tconst struct mach_header_64* mheader = (const struct mach_header_64*)pUuid_info->imageLoadAddress;\n\t\t\tif (mheader->filetype == MH_DYLIB) {\n\t\t\t\tif(mheader->magic == MH_MAGIC_64 &amp;&amp; mheader->ncmds > 0)\n\t\t\t\t{\n\t\t\t\t\tvoid *loadCmd = (void*)(mheader + 1);\n\t\t\t\t\tstruct segment_command_64 *sc = (struct segment_command_64 *)loadCmd;\n\t\t\t\t\tfor (int index = 0; index &lt; mheader->ncmds; ++index, sc = (struct segment_command_64*)((BYTE*)sc + sc->cmdsize))\n\t\t\t\t\t{\n\t\t\t\t\t\tif (sc->cmd == LC_ID_DYLIB) {\n\t\t\t\t\t\t\tstruct dylib_command *dc = (struct dylib_command *)sc;\n\t\t\t\t\t\t\tstruct dylib dy = dc->dylib;\n\t\t\t\t\t\t\tconst char *detectedDyld = (char*)dc + dy.name.offset;\n\t\t\t\t\t\t\tfor (NSString *jbDyld in jbPatternDyld) {\n\t\t\t\t\t\t\t\tif([[NSString stringWithUTF8String:detectedDyld] containsString:jbDyld]) {\n\t\t\t\t\t\t\t\t\tNSLog(@\"dyld2: %s\", detectedDyld);\n\t\t\t\t\t\t\t\t\tcheck = YES;\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn check;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Reference<\/h4>\n\n\n\n<p><a href=\"https:\/\/knight.sc\/reverse%20engineering\/2019\/04\/15\/detecting-task-modifications.html\">https:\/\/knight.sc\/reverse%20engineering\/2019\/04\/15\/detecting-task-modifications.html<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.romainthomas.fr\/post\/22-08-singpass-rasp-analysis\/\">https:\/\/www.romainthomas.fr\/post\/22-08-singpass-rasp-analysis\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/gist.github.com\/ddrccw\/8412847#file-hello-h-L122\">https:\/\/gist.github.com\/ddrccw\/8412847#file-hello-h-L122<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/TannerJin\/AntiMSHookFunction\/blob\/master\/AntiMSHookFunction\/AntiMSHookFunctionARM.c\">https:\/\/github.com\/TannerJin\/AntiMSHookFunction\/blob\/master\/AntiMSHookFunction\/AntiMSHookFunctionARM.c<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4-2. C System Library<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int<\/strong> dladdr(<strong>void<\/strong> <strong>*<\/strong>addr, <strong>Dl_info <\/strong>*info);<\/li>\n\n\n\n<li><strong>void *<\/strong>dlopen(<strong>const<\/strong> <strong>char<\/strong> <strong>*<\/strong>filename, <strong>int<\/strong> flag);<\/li>\n\n\n\n<li><strong>void<\/strong> <strong>*<\/strong>dlsym(<strong>void<\/strong> *handle, <strong>const<\/strong> <strong>char<\/strong> <strong>*<\/strong>symbol);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">-(NSArray *)jailbreakSymbols {\n\tNSArray *symbol = [NSArray arrayWithObjects:\n\t                   @\"MSHookFunction\",\n\t                   @\"MSHookMessageEx\",\n\t                   @\"MSFindSymbol\",\n\t                   @\"MSGetImageByName\",\n\t                   @\"ZzBuildHook\",\n\t                   @\"DobbyHook\",\n\t                   @\"LHHookFunctions\",\n\t                   nil];\n\treturn symbol;\n}\n...\nNSArray *jbPatternSymbol = [[[XFJailbreakPattern alloc] init] jailbreakSymbols];\nfor (NSString *jbSymbol in jbPatternSymbol) {\n\tconst char *jbSymbol2 = [jbSymbol cStringUsingEncoding:NSUTF8StringEncoding];\n\tvoid* dlpoint = dlsym((void *)RTLD_DEFAULT, jbSymbol2);\n\tif(dlpoint != NULL) {\n\t\treturn YES;    \/\/Detected Jailbroken\n\t}\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static void _check_image(const struct mach_header *header, intptr_t slide) {\n  NSSet *dylibSet = [NSSet setWithObjects:\n                     @\"\/usr\/lib\/CepheiUI.framework\/CepheiUI\",\n                     @\"\/usr\/lib\/libsubstitute.dylib\"\n                     @\"\/usr\/lib\/substitute-inserter.dylib\",\n                     @\"\/usr\/lib\/substitute-loader.dylib\",\n                     nil];\n  \n  Dl_info info;\n  if (dladdr(header, &amp;info) == 0) {\n    char *dlerro = dlerror();\n    if(dlerro == NULL &amp;&amp; info.dli_fname != NULL) {\n      NSString *libName = [NSString stringWithUTF8String:info.dli_fname];\n      if ([dylibSet containsObject:libName]) {\n        return YES;    \/\/Detected Jailbroken\n      }\n    }\n    return;\n  }\n}\n\nbool hasHookedMethods(void)\n{\n    bool ret = false;\n    MethodsList = [[NSMutableArray alloc] init];\n    \n    int classCount = 5;\n    const char* classes[5] =\n    {\n        \"NSFileManager\",\n        \"UIApplication\",\n        \"NSString\",\n        \"NSData\",\n        \"NSBundle\",\n    };\n    \n    for(int i = 0; i &lt; classCount; i++)\n    {\n        Class ourClass = objc_getClass(classes[i]);\n        unsigned int methodCount = 0;\n        Method *methods = class_copyMethodList(ourClass, &amp;methodCount);\n        \n        for (unsigned int i = 0; i &lt; methodCount; i++) {\n            Method method = methods[i];\n            Dl_info image_info;\n            if(dladdr(class_getMethodImplementation(ourClass, method_getName(method)), &amp;image_info) != 0)\n            {\n                struct mach_header_64 *header = image_info.dli_fbase;\n                if(header &amp;&amp; header->magic == MH_MAGIC_64)\n                {\n                    struct load_command *loadCmd = (struct load_command *) (header + 1);\n                    struct segment_command_64 *sc = (struct segment_command_64 *)loadCmd;\n\n                    for (int index = 0; index &lt; header->ncmds; ++index, sc = (struct segment_command_64*)((char*)sc + sc->cmdsize))\n                    {\n                        if(sc->cmd == LC_LOAD_DYLIB)\n                        {\n                            struct dylib_command *dc = (struct dylib_command *)sc;\n                            struct dylib dy = dc->dylib;\n                            const char *detectedDyld = (char*)dc + dy.name.offset;\n                            if(strcmp(detectedDyld, \"\/Library\/Frameworks\/CydiaSubstrate.framework\/CydiaSubstrate\") == 0)\n                            {\n                                NSString *func = [NSString stringWithFormat:@\"%s %s\", class_getName(ourClass), sel_getName(method_getName(method))];\n                                [MethodsList addObject:func];\n                                ret = true;\n                            }\n                        }\n                    }\n                }\n            }\n        }\n    }\n    \n    return ret;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">5. \ucee4\ub110 \uc811\uadfc \ud0d0\uc9c0<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<ul class=\"wp-block-list\">\n<li><strong>kern_return_t<\/strong> task_for_pid(<strong>mach_port_t <\/strong>parent, <strong>int <\/strong>pid, <strong>mach_port_t *<\/strong>task_out );<\/li>\n\n\n\n<li><strong>kern_return_t <\/strong>host_get_special_port(<strong>host_priv_t <\/strong>host_priv, <strong>int <\/strong>node, <strong>int <\/strong>which, <strong>mach_port_t *<\/strong>port);<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool hasKernelTaskPort(void)\n{\n    mach_port_t kernel_task = MACH_PORT_NULL;\n    kern_return_t ret = task_for_pid(mach_task_self(), 0, &amp;kernel_task);\n    if(ret == KERN_SUCCESS &amp;&amp; MACH_PORT_VALID(kernel_task))\n    {\n        kernelTaskPort = kernel_task;\n        mach_port_deallocate(mach_task_self(), kernel_task);\n        return true;\n    }\n    else\n    {\n        host_t host = mach_host_self();\n        ret = host_get_special_port(host, HOST_LOCAL_NODE, 4, &amp;kernel_task);\n        if(ret == KERN_SUCCESS &amp;&amp; MACH_PORT_VALID(kernel_task))\n        {\n            kernelTaskPort = kernel_task;\n            mach_port_deallocate(mach_task_self(), kernel_task);\n            return true;\n        }\n        mach_port_deallocate(mach_task_self(), host);\n    }\n    return false;\n}\n\nif(hasKernelTaskPort()) {\n    return YES;    \/\/Detected Jailbroken\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">6. \ud658\uacbd \ud0d0\uc9c0<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>char ***<\/strong>_NSGetEnviron(<strong>void<\/strong>);<\/li>\n\n\n\n<li><strong>char *<\/strong>getenv(<strong>const char *<\/strong>varname);<\/li>\n\n\n\n<li><strong>extern char **<\/strong>environ;<\/li>\n\n\n\n<li>[[NSProcessInfo processInfo] environment];<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">-(NSArray *)jailbreakEnvs {\n\tNSArray *env = [NSArray arrayWithObjects:\n\t                @\"JB_ROOT_PATH\",\n\t                @\"_MSSafeMode\",\n\t                @\"DYLD_INSERT_LIBRARIES\",\n\t                @\"substitute\",\n\t                nil];\n\treturn env;\n}\n\n+(BOOL)isJailbreakInjectExist {\n    BOOL check = NO;\n\n    NSArray *jbPatternEnv = [[[XFJailbreakPattern alloc] init] jailbreakEnvs];\n\n\tchar ***envp = _NSGetEnviron();\n\tif (envp) {\n\t\tchar **env = *envp;\n\t\twhile (*env) {\n\t\t\tfor (NSString *jbEnv in jbPatternEnv) {\n\t\t\t\tif([[NSString stringWithUTF8String:*env] containsString:jbEnv]) {\n\t\t\t\t\tcheck = YES;\n\t\t\t\t}\n\t\t\t}\n\t\t\tenv++;\n\t\t}\n\t}\n\n\t\/\/Env Check2\n\textern char **environ;\n\tfor(int i=0; environ[i]; i++)\n\t{\n\t\tfor (NSString *jbEnv in jbPatternEnv) {\n\t\t\tif([[NSString stringWithUTF8String:environ[i]] containsString:jbEnv]) {\n\t\t\t\tcheck = YES;\n\t\t\t}\n\t\t}\n\t}\n\n\treturn check;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">7. \ub8e8\ud2b8 \ud30c\uc77c \uc2dc\uc2a4\ud15c \uc4f0\uae30 \uc5ec\ubd80 \/ \ub9ac\ub9c8\uc6b4\ud2b8 (iOS ~14.x)<\/h2>\n\n\n\n<p>rootless \ud0c8\uc625 \ud658\uacbd\uc5d0\uc11c\ub294 \/usr\/standalone\/firmware \ub9c8\uc6b4\ud2b8\ub41c Device \uacbd\ub85c\ub97c \ucc38\uace0\ud558\uc5ec <br>\/private\/preboot\/(UUID)\uc5d0 \uc811\uadfc\ud574\uc11c stat\uc73c\ub85c \ud30c\uc77c \uac2f\uc218 \ud655\uc778<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int <\/strong>statfs(<strong>const char *<\/strong>path, <strong>struct statfs *<\/strong>buf);<\/li>\n\n\n\n<li><strong>int <\/strong>getmntinfo(<strong>struct statfs **<\/strong>mntbufp, <strong>int <\/strong>flags);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool hasRenamedRootFS(void)\n{\n    struct statfs *st;\n    \n    int num_fs = getmntinfo(&amp;st, MNT_NOWAIT);\n    if(num_fs != 0) {\n        for (int i = 0; i &lt; num_fs; i++) {\n            if(strstr(st[i].f_mntfromname, \"com.apple.os.update-\") != NULL) {\n                return false;\n            }\n            if(strstr(st[i].f_mntfromname, \"orig-fs\") != NULL) {\n                return true;\n            }\n            \n            if(strcmp(st[i].f_mntfromname, \"\/dev\/disk0s1s1\") == 0) {\n                if(SYSTEM_VERSION_GREATER_THAN_OR_EQUAL_TO(@\"11.3\"))\n                    return true;\n            }\n        }\n    }\n    \n    return false;\n}\n\nstatic inline int SVC_statfs64(const char* path, struct statfs *buf) {\n    int64_t flag = 0;\n    __asm __volatile(\"mov x0, %0\" :: \"r\" ((int64_t)SYS_statfs64)); \/\/SYS_statfs64\n    __asm __volatile(\"mov x1, %0\" :: \"r\" (path)); \/\/path\n    __asm __volatile(\"mov x2, %0\" :: \"r\" (buf));    \/\/struct statfs\n    __asm __volatile(\"mov x16, %0\" :: \"r\" ((int64_t)SYS_syscall));   \/\/SYS_syscall\n    __asm __volatile(\"svc #0x80\"); \/\/supervisor call\n    __asm __volatile(\"mov %0, x0\" : \"=r\" (flag));\n    return (int)flag;\n}\n\nbool hasRootFSmountedRW(void)\n{\n    struct statfs rootfs;\n    if(SVC_statfs64(\"\/\", &amp;rootfs) == 0)\n    {\n        if(rootfs.f_flags &amp; MNT_RDONLY)\n        {\n            return false;\n        }\n    }\n    return true;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">8. \ud3ec\ud2b8 <\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int<\/strong>&nbsp;bind(<strong>int<\/strong>&nbsp;sockfd,&nbsp;<strong>struct<\/strong>&nbsp;<strong>sockaddr *<\/strong>myaddr, <strong>socklen_t<\/strong> addrlen);<\/li>\n\n\n\n<li><strong>int<\/strong>&nbsp;socket(<strong>int<\/strong>&nbsp;domain,&nbsp;<strong>int<\/strong>&nbsp;type,&nbsp;<strong>int<\/strong>&nbsp;protocol);<\/li>\n\n\n\n<li><strong>SSH \ud3ec\ud2b8:<\/strong> 22, 2222 |<strong> Frida \ud3ec\ud2b8:<\/strong> 27042<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool hasSSHAvailable(void)\n{\n    int server_socket = socket(AF_INET, SOCK_STREAM, 0);\n    if(server_socket == -1)\n    {\n        return false;\n    }\n    \n    struct sockaddr_in server_addr;\n    memset(&amp;server_addr, 0, sizeof(server_addr));\n    server_addr.sin_family = AF_INET;\n    server_addr.sin_port = htons(22);\n    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);\n    \n    int status = bind(server_socket, (struct sockaddr *)&amp;server_addr, sizeof(server_addr));\n    if(status == 0) {\n        close(server_socket);\n        return false;\n    }\n    \n    return true;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">9. \ub514\ubc84\uae45<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>pid_t <\/strong>getppid(<strong>void<\/strong>);<\/li>\n\n\n\n<li><strong>int <\/strong>sysctl(<strong>const int *<\/strong>name, <strong>u_int <\/strong>namelen, <strong>void *<\/strong>oldp, <strong>size_t *<\/strong>oldlenp, <strong>const void *<\/strong>newp, <strong>size_t <\/strong>newlen);<\/li>\n\n\n\n<li><strong>long <\/strong>ptrace<strong>(enum __ptrace_request <\/strong><em>request<\/em><strong>, pid_t <\/strong><em>pid<\/em><strong>,<\/strong> <strong>void *<\/strong><em>addr<\/em><strong>, void *<\/strong><em>data<\/em><strong>);<\/strong><\/li>\n\n\n\n<li><strong>int <\/strong>isatty(<strong>int <\/strong><em>fd<\/em>);<\/li>\n\n\n\n<li><strong>int <\/strong>ioctl(<strong>int <\/strong>fd, <strong>unsigned long<\/strong> request, \u2026);<\/li>\n\n\n\n<li><strong>kern_return_t <\/strong>task_get_exception_ports(<strong>task_t <\/strong>task, <strong>exception_mask_t <\/strong>exception_mask, <strong>exception_mask_array_t <\/strong>masks, <strong>mach_msg_type_number_t *<\/strong>masksCnt, <strong>exception_handler_array_t <\/strong>old_handlers, <strong>exception_behavior_array_t <\/strong>old_behaviors, <strong>exception_flavor_array_t <\/strong>old_flavors);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool hasDebuggerAttached(void)\n{\n    bool ret = false;\n    \n    int mib[4];\n    struct kinfo_proc info;\n    size_t info_size = sizeof(info);\n\n    info.kp_proc.p_flag = 0;\n\n    mib[0] = CTL_KERN;\n    mib[1] = KERN_PROC;\n    mib[2] = KERN_PROC_PID;\n    mib[3] = getpid();\n\n    if (sysctl(mib, 4, &amp;info, &amp;info_size, NULL, 0) == 0)\n    {\n        int traceStatus = info.kp_proc.p_flag &amp; P_TRACED;\n        if(traceStatus != 0)\n            ret = true;\n    }\n\n    int launchdPid = 1;\n    if (getppid() != launchdPid)\n        ret = true;\n\n    if(isatty(STDERR_FILENO) != 0)\n        ret = true;\n\n    struct winsize ws;\n    if (!ioctl(STDOUT_FILENO, TIOCGWINSZ, &amp;ws))\n        ret = true;\n    \n    mach_msg_type_number_t count = 0;\n    exception_mask_t masks[EXC_TYPES_COUNT];\n    mach_port_t ports[EXC_TYPES_COUNT];\n    exception_behavior_t behaviors[EXC_TYPES_COUNT];\n    thread_state_flavor_t flavors[EXC_TYPES_COUNT];\n    exception_mask_t mask = EXC_MASK_ALL &amp; ~(EXC_MASK_RESOURCE | EXC_MASK_GUARD);\n    \n    kern_return_t result = task_get_exception_ports(mach_task_self(), mask, masks, &amp;count, ports, behaviors, flavors);\n    if (result == KERN_SUCCESS)\n    {\n        for (mach_msg_type_number_t portIndex = 0; portIndex &lt; count; portIndex++)\n        {\n            if (MACH_PORT_VALID(ports[portIndex]))\n            {\n                ret = true;\n            }\n        }\n    }\n    \n    return ret;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">10. \ucf54\ub4dc \uc11c\uba85<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int <\/strong>fcntl(<strong>int <\/strong>fildes, <strong>int <\/strong>cmd, \u2026);  (cmd = <strong>F_ADDSIGS, F_CHECK_LV<\/strong>)<\/li>\n\n\n\n<li><strong>int <\/strong>csops(<strong>pid_t <\/strong>pid, <strong>unsigned int <\/strong>ops, <strong>void *<\/strong>useraddr, <strong>size_t <\/strong>usersize); (ops = <strong>CS_OPS_MARKKILL<\/strong>)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Example<\/h4>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">bool hasCodeSigningValidated(void)\n{\n    bool ret = false;\n\n    FILE* dyld_file = fopen(\"\/usr\/lib\/dyld\", \"rb\");\n    fsignatures_t siginfo;\n    if(dyld_file != NULL)\n    {\n        uint8_t firstPage[4096];\n        if(fread(firstPage, 1, 4096, dyld_file) == 4096)\n        {\n            struct mach_header *mh = (struct mach_header*)firstPage;\n            uint32_t cmd_count = mh->ncmds;\n            struct load_command *cmds = (struct load_command*)((char*)firstPage+(sizeof(struct mach_header_64)));\n            struct load_command *cmd = cmds;\n            for (uint32_t i = 0; i &lt; cmd_count; ++i)\n            {\n                if (cmd->cmd == LC_CODE_SIGNATURE)\n                {\n                    const struct linkedit_data_command *sigcmd = (struct linkedit_data_command*) cmd;\n                    siginfo.fs_file_start = O_DIRECTORY;\n                    siginfo.fs_blob_start = malloc(sigcmd->datasize);\n                    siginfo.fs_blob_size = sigcmd->datasize;\n                }\n                cmd = (struct load_command*)(((char*)cmd)+cmd->cmdsize);\n            }\n        }\n    }\n    fclose(dyld_file);\n    \n    int dyld_fd = open(\"\/usr\/lib\/dyld\", O_RDONLY, 0);\n    if(dyld_fd != -1)\n    {\n        int result = fcntl(dyld_fd, F_ADDSIGS, &amp;siginfo);\n        if(result == -1)\n        {\n            if(errno == EBADEXEC || errno == EPERM)\n            {\n                ret = true;\n            }\n        }\n    }\n    close(dyld_fd);\n    \n    return ret;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Reference<\/h4>\n\n\n\n<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/hardened-runtime-xpc.html\">https:\/\/lapcatsoftware.com\/articles\/hardened-runtime-xpc.html<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.synacktiv.com\/sites\/default\/files\/2021-10\/2021_sthack_jailbreak.pdf\">https:\/\/www.synacktiv.com\/sites\/default\/files\/2021-10\/2021_sthack_jailbreak.pdf<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. Mach \uc811\uadfc<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>int<\/strong> sandbox_check(<strong>pid_t<\/strong>, <strong>const char *<\/strong>operation, <strong>int <\/strong>sandbox_filter_type, &#8230;);<br>(operation: mach-lookup)<\/li>\n\n\n\n<li><strong>kern_return_t <\/strong>bootstrap_check_in(<strong>mach_port_t <\/strong>bp, const <strong>name_t <\/strong>service_name, <strong>mach_port_t *<\/strong>sp);<\/li>\n\n\n\n<li><strong>kern_return_t <\/strong>bootstrap_look_up(<strong>mach_port_t <\/strong>bp, const <strong>name_t <\/strong>service_name, <strong>mach_port_t *<\/strong>sp);<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Reference<\/h4>\n\n\n\n<p><a href=\"https:\/\/github.com\/Lessica\/shadow\/blob\/master\/Shadow.dylib\/hooks\/mach.x#L3\">https:\/\/github.com\/Lessica\/shadow\/blob\/master\/Shadow.dylib\/hooks\/mach.x#L3<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Lessica\/shadow\/blob\/master\/Shadow.dylib\/hooks\/sandbox.x#L104\">https:\/\/github.com\/Lessica\/shadow\/blob\/master\/Shadow.dylib\/hooks\/sandbox.x#L104<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. \ud30c\uc77c \ud0d0\uc9c0 1-1. Objective-C \uba54\uc18c\ub4dc Example 1-2. C System Library Example 1-3. Supervisor Call (Low-level, SVC #0x80) Example 2. \uc0cc\ub4dc\ubc15\uc2a4 \uc6b0\ud68c \ud0d0\uc9c0 2-1. Objective-C \/ C System Library Example 2-2. Private API Example 3. URL Scheme \ud0d0\uc9c0 Example 4. \ud6c4\ud0b9 \ub77c\uc774\ube0c\ub7ec\ub9ac \ud0d0\uc9c0 4-1. Private API Example Reference https:\/\/knight.sc\/reverse%20engineering\/2019\/04\/15\/detecting-task-modifications.html https:\/\/www.romainthomas.fr\/post\/22-08-singpass-rasp-analysis\/ https:\/\/gist.github.com\/ddrccw\/8412847#file-hello-h-L122 https:\/\/github.com\/TannerJin\/AntiMSHookFunction\/blob\/master\/AntiMSHookFunction\/AntiMSHookFunctionARM.c 4-2. C System&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=612\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">iOS\/iPadOS \ud0c8\uc625 \ubc0f \ub514\ubc84\uae45 \ud0d0\uc9c0 \ubc29\ubc95<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[11],"class_list":["post-612","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ios"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=612"}],"version-history":[{"count":4,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/612\/revisions"}],"predecessor-version":[{"id":617,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/612\/revisions\/617"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}