Snapchat Detection on iOS

栏目: IT技术 · 发布时间: 4年前

内容简介:Previously we took a look atAll the research in this post is based on Snapchat 10.65.0.66 (832559634).

Previously we took a look at Snapchat’s root detection methods on Android . This time we are taking a look at how they detect jailbreaks, tweaks and hooks on iOS.

All the research in this post is based on Snapchat 10.65.0.66 (832559634).

Snapchat Detection on iOS

This is the message you see when you try to login with a detected tweak, although not all tweaks trigger this message. Two examples that trigger this message are Flex 3 and Wraith . Some just flag your account and will get you banned later in a ban wave if you are unlucky.

Avoiding bans

So obviously the first thing we want to look at is, what has the community tried so far to stay hidden? If you google around a bit you will most likely end up with these result. For a few of them, I will list the most notable features.

  • NoSub (or variants)
    • Disable Cydia Substrate / Substitute entirely for specific apps.
    • Only if you can find an updated version and don’t want to use tweaks on Snapchat.
  • UnSub
    • Hooks and filters libc file system calls.
    • Spoofs the libc getenv to remove the DYLD_INSERT_LIBRARIES variable.
    • Spoofs _dyld_image_count and _dyld_get_image_name to hide tweak related dylibs.
  • Shadow
    • Too much to list.. it hooks way too much.
    • Still misses lots of stuff for Snapchat specifically.

Even Snapchat themselves recommend NoSub ..

Snapchat Detection on iOS

But it seems that nobody knows what Snapchat is exactly doing to detect everything. Which is why I am writing this post. Only one that I have seen publicly making efforts to figure this out is the developer of Phantom, CokePokes.

How are they doing it?

I will try my best to explain every check they do in Snapchat 10.65.0.66.

When you launch the app they create a new thread using pthread_create that runs all the checks. At the end of these checks an integer is stored with flags of everything that was detected on the device. Some of these checks are then ran every 31 seconds.

All the code executed for these checks is obfuscated with Snapchats in-house obfuscation tools and thus very annoying to look at using tools such as IDA.

Code signature checks

One of the first things they do is checking and storing stuff from the code signature. This happens using the sys_csops(169) syscall, which is pretty much undocumented but is very similar to the code here.

They execute the following operations:

CS_OPS_STATUS
CS_OPS_CDHASH
CS_OPS_ENTITLEMENTS_BLOB

The most important one of this is the CS_OPS_STATUS , this retrieves the current codesigning status of the process. A jailbroken device can respond with messy status flags. Such as:

CS_GET_TASK_ALLOW
CS_INSTALLER
CS_PLATFORM_BINARY
CS_DEBUGGED
CS_VALID

A normal device would have these flags:

CS_VALID
CS_HARD
CS_KILL
CS_ENFORCEMENT
CS_REQUIRE_LV
CS_DYLD_PLATFORM
CS_SIGNED

For all available flags and their descriptions, see this page .

The result of CS_OPS_STATUS and CS_OPS_CDHASH are stored and later sent to the Snapchat servers, encrypted.

Bundle check

This is a simple check but quite effective if not noticed by a tweak developer. Pseudo code looks like this.

x0 = CFBundleGetMainBundle()
x1 = CFBundleGetIdentifier(x0)
x2 = CFStringGetCStringPtr(x1)
strncmp("com.toyopagroup.picaboo", x2)

Dyld check

Snapchat has two methods to iterate all loaded dylibs.

First attempt

One way is using dyld_get_image_header and dladdr . They iterate over dyld_get_image_header until it returns null and checks if it has seen everything with dyld_image_count . The dladdr method provides them with the path of the dylib. These are checked against a few unknown strings but removing everything substrate related from the dyld list fixes this check.

Second attempt

The other method they use is calling task_info with flavor TASK_DYLD_INFO . This also gives them a list of all loaded dylibs and must be fixed separately from the first dyld check.

File system checks

There are a couple of file system checks, of which all use the sys_access(33) syscall.

First list

  • /Library/Application Support/PhLite/phlite.bundle/AuthAPI.pem
  • /private/var/tmp/cydia.log
  • /bin/bash
  • /usr/sbin/sshd
  • /usr/libexec/ssh-keysign
  • /usr/libexec/sftp-server
  • /etc/ssh/sshd_config
  • /.installed_yaluX
  • /Library/LaunchDaemons/dropbear.plist
  • /usr/local/bin/dropbear
  • /System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache
  • /.cydia_no_stash
  • /var/log/jailbreakd-stdout.log
  • /etc/motd
  • /usr/lib/libsubstitute.dylib
  • /var/tmp/slide.txt

Second list

  • /private/var/containers/Bundle/Application/AD659AF8-68C3-4E4B-BF02-236E1F733005/Snapchat.app/Ghay
  • /private/var/containers/Bundle/Application/AD659AF8-68C3-4E4B-BF02-236E1F733005/Snapchat.app/Snapchat.crc
  • /private/var/containers/Bundle/Application/AD659AF8-68C3-4E4B-BF02-236E1F733005/Snapchat.app/embedded.mobileprovision

Last one (and expected to exist)

  • /private/var/containers/Bundle/Application/AD659AF8-68C3-4E4B-BF02-236E1F733005/Snapchat.app/PlugIns

The last one makes it a bit harder to fix, since you can not simply replace the arm instructions with something that makes it always return false. Thus requiring an inline hook as replacement for the syscall so you gain full control over it.

Obj-C - Class checks

A lot of classes are checked from a lot of different tweaks. This is done using objc_getClass .

SCOthmanPrefs
SCOthmanSnapSaver
SCOFiltersOthman
SCSnapchPrefs
SCSnapchLocation
SCOFiltersSnapch
PHSnapSaver
PHRegisterViewController
phlite
dfnvrknsv
PHSSaver
PHMainSettingsVC
SCPPrivacySettings
SCPSettings
SCPSavedMediaSettings
SNAPCHAT_SCPSnapUsageSettings
SNAPCHAT_SCPSegmentedController
SNAPCHAT_CZPickerView
CTAdBase
CTRequestModel
CTBannerView
CPAdManager
MMNativeAdController
TweakBoxStartupManager
SNAPCHAT_GPHelper
SCKsausaPrefs
SCSCGoodSnapSaver
SNAPCHAT_XXXXXXX_GPHelper
SCOFiltersHelper
_xxx
PHSSaver
SIGMAPOINT_GPHelper
SCS SnapSaver
SCW wSnapSaver
CYJSObject
P D
R t
AVCameraViewControlIer
SCAppDeIegate
FLEXManager
oJXM
fJWs
yytp
FLManager
DecryptScriptAlertView
DzAdsManager

Obj-C - Method checks

They also check methods. This happens using objc_getClass and then class_getInstanceMethod . If any exists, you get flagged.

  • NSMutableString
    a
    b
    c
    
  • SCAppDelegate
    • MZ42SGH98C:
  • SCOperaPageViewController
    • saveButtonPressed
  • UIViewController
    • dzDidTapGalleryButton

Obj-C - Method integrity checks

Next up is Snapchats own methods. For the classes listed below they first call class_copyMethodList . Then for every Method they check if the IMP pointer (address of the function) is within its own __text segment. This is how they detect whether a method has been hooked.

SCAppDelegate
MainViewController
SCChatMainViewController
SCChatViewControllerV3
SCScreenshotDetector
SCBaseMediaOperaPresenter
SCOperaPageViewController
SCLoginService
SCAdsHoldoutExperimentContext
SCExperimentManager
SCCaptionDefaultTextView
SCChatTypingHandler
Story
SCChatMessageV3
SCOperaViewersLayer

Thanks to dzan for telling me to check the __text segment. :-)

Symbol checks

They also check for a couple of symbols using dlsym . If the result is not null, you get flagged.

MSHookMessageEx
MSHookFunction
_Z17replaced_readlinkPKcPcm
hooksArray
_OBJC_METACLASS_$__xxx
_OBJC_CLASS_$_PHSSaverV2
plist
flexBreakPoint
convert_coordinates_from_device_to_interface
OBJC_METACLASS_$_DzSnapHelper
ChKey2

Symbol hook checks

A few symbols are resolved using dlsym to check whether they have been hooked. They first resolve dlsym using dlsym .. yeah.. That result gets used for the dlsym of the symbols below. For every address returned, the first 4 bytes are checked for common hook related instructions.

dlsym
objc_getClass
class_getInstanceMethod
sel_registerName
class_copyMethodList
_dyld_image_count
_dyld_get_image_header
dladdr

Environment variables

I need to be honest, this is a very annoying way how they check for injection because it is annoying to fix. Instead of using getenv they use the environ variable. Since it is a variable, you can not “hook” it.

At least the following variables are detected.

DYLD_INSERT_LIBRARIES=/usr/lib/TweakInject.dylib
_MSSafeMode=0

Sandbox check

Probably not an issue for anyone.

Snapchat Detection on iOS

Fingerprinting

Not much detection done here but still relevant, using sys_sysctl(202) they request at least the following properties.

kern.version
kern.osversion
kern.proc.pid.<PID>
hw.machine

Other

The syscall sys_proc_info(33) is also called a couple of times, which could reveal stuff that is ptracing the process. They also use sys_open(5) , mmap , sys_close(6) and sys_lstat64(340) on the Snapchat binary. Probably to check for modifications or generating a checksum.

How all this stuff was found

A lot of the work was done using a small iOS emulator build on top of Unicorn . Using an emulator you can see everything they do. Building this was also teached me a lot about the CoreFoundation library of iOS.

Snapchat Detection on iOS

Later I implemented a counter for all of my discoveries in a tweak called SnapHide while carefully keeping track of how my changes modified the detection flags and slowly getting rid of all of them. You can easily find fixes for checks mentioned in this blog post in the “Detections” directory.

You could alternatively trace the syscalls using any of the methods discussed in the WhoYouGonnaSyscall talk by Hexploitable . Slides of the talk can be found here .

A story on how I wasted hours on fixing syscalls

Let’s take sys_access(33) as an example. It’s implementation looks like this . In short, when a file exists and permission is granted, return 0 . Otherwise return -1 . First thing I did was force both of the results in my emulator but I saw no changes happening to the detection flags.

Later when implementing a fix for this in the SnapHide tweak, I was unable to have it fail. The arm instructions look like this:

MOV             X0, X27 ; path
MOV             X1, #0  ; mode
MOV             X16, #0x21
SVC             0x80    ; SYS_access
MOV             X0, #0xFFFFFFFFFFFFFFFF
CSEL            X0, X0, XZR, CS
MOV             X27, X0 ; Use result

In pseudo code:

v23 = mac_syscall(SYS_access, a20, 0);
v24 = -1;
if ( !v20 )
  v24 = 0;
*(v21 + 496) = v24;

Coming from android I was very confused what happened here. Looking at the instructions, they seem to directly clear the result from the syscall. Looking at the pseudo code reveals a bit more information. Apparently what happens is, “A syscall return errno an sets the carry flag on error” from here . Setting and clearing the carry flag resulted in detection changes. This took me a few hours to figure out for some reason. Later I found out that I could simply remove the MOV & CSEL instruction. Which gave me 8 bytes more space for patching.

Thanks to @iGio90 for telling me to check all registers for changes in lldb.

I use Unsub and haven’t been banned (yet)

Awesome! That’s a good thing. However, keep in mind that some of the checks above are not countered by UnSub at this moment. Everything that has syscall mentioned for example is not countered and you will not be able to sign in if you have Flex 3 installed. UnSub does not prevent Cydia Substrate from loading, it attempts to hide it . Which also fails because Snapchat does not even use this call.

Written with the assumption this is the UnSub everybody uses.

Conclusion

This was a very fun but also very annoying 2 weeks with a lot of headaches. I hope this brings some light into why some stuff gets people banned. If there are any issue’s with with tweak feel free to submit an issue on GitHub. If there’s something you’d like me to expand on, let me know!


以上所述就是小编给大家介绍的《Snapchat Detection on iOS》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

垃圾回收算法手册:自动内存管理的艺术

垃圾回收算法手册:自动内存管理的艺术

Richard Jones、Eliot Moss、Antony Hosking / 王雅光、薛迪 / 机械工业出版社 / 2016-3 / 139

在自动内存管理领域,Richard Jones于1996年出版的《Garbage Collection:Algorithms for Automatic Dynamic Memory Management》可谓是一部里程碑式的作品。接近20年过去了,垃圾回收技术得到了非常大的发展,因此有必要将该领域当前最先进的技术呈现给读者。本书汇集了自动内存管理研究者和开发者们在过去50年间的丰富经验,在本书中......一起来看看 《垃圾回收算法手册:自动内存管理的艺术》 这本书的介绍吧!

在线进制转换器
在线进制转换器

各进制数互转换器

MD5 加密
MD5 加密

MD5 加密工具

XML、JSON 在线转换
XML、JSON 在线转换

在线XML、JSON转换工具