What changes in a jailbroken kernel?


Question

Having seen this question on protecting your app from being cracked, I saw that the top answerer mentioned something about being able to see if a device was jailbroken by some internal imbalance in the kernel. Having looked into it a bit more, I discovered the Kernel Architecture Overview guide, and have knowledge of ways to interact with the Mach-BSD kernel. All I need to know is: what am I looking for? Is there some kind of key or internal state that changes when the device is jailbroken, in the context of the kernel?

To be clear, I'm not looking for code (I know how to do these things myself), I'm looking for what to look for, as weird as that sounds. I've seen the answers in the linked questions, I know that they work, but I'm wondering about an all-kernel route, which seems a more generic and efficient way to check than searching for directories that might change or plist keys that might have different names.

I also don't intend to disable any functionality on the part of the app because of piracy (just show a message or something based on a condition).

Recommended answer

All the "modern" kernel patches are based on comex's patches.

The main things which are being patched are:

  • security.mac.proc_enforce
  • cs_enforcement_disable (kernel and AMFI)
  • PE_i_can_has_debugger
  • vm_map_enter
  • vm_map_protect
  • ...

Oh, and there are sandbox patches too. If you wanna read more about all these patches I suggest you take a look at iOS Hacker's Handbook.

Edit:

I just came up with a simple idea to check if the device is jailbroken, but I'm not sure if Apple allows the use of these functions:

  1. allocate some memory using mach_vm_allocate()
  2. change the protection of that page via mach_vm_protect() to VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY
  3. Since the stock iOS doesn't allow VM_PROT_EXECUTE from inside your app, this will fail (check the return value of mach_vm_protect()) when not jailbroken, but succeed if the device is jailbroken.
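The probe sketched in the edit above, written out as an added example that is not part of the answer. It assumes an Apple SDK that ships the mach_vm_* prototypes (mach/mach_vm.h); the non-Apple branch is a stand-in using mmap/mprotect so that the verdict logic compiles elsewhere, and whether App Store review accepts these calls remains the open question the answer raises.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>

/* Verdict of the page-protection probe. */
typedef enum {
    PROBE_EXEC_DENIED  = 0, /* expected on stock iOS: RX page refused */
    PROBE_EXEC_ALLOWED = 1, /* RX page granted: consistent with a patched kernel */
    PROBE_ERROR        = 2  /* could not even allocate: no conclusion */
} probe_result_t;

#ifdef __APPLE__
#include <mach/mach.h>
#include <mach/mach_vm.h> /* assumption: header present; if an iOS SDK lacks it,
                             vm_allocate/vm_protect from mach.h take the same args */

probe_result_t run_exec_probe(void) {
    mach_vm_address_t addr = 0;
    mach_vm_size_t    size = 0x1000;     /* one page is enough for the probe */
    kern_return_t kr = mach_vm_allocate(mach_task_self(), &addr, size,
                                        VM_FLAGS_ANYWHERE);
    if (kr != KERN_SUCCESS)
        return PROBE_ERROR;
    /* The step the answer describes: request R+X(+COPY) on our own page. */
    kr = mach_vm_protect(mach_task_self(), addr, size, FALSE,
                         VM_PROT_READ | VM_PROT_EXECUTE | VM_PROT_COPY);
    mach_vm_deallocate(mach_task_self(), addr, size); /* never leave it mapped */
    return kr == KERN_SUCCESS ? PROBE_EXEC_ALLOWED : PROBE_EXEC_DENIED;
}
#else
#include <sys/mman.h>
/* Non-Apple stand-in (assumption) with the same shape; most desktop kernels
 * grant RX on an anonymous page, so this usually reports PROBE_EXEC_ALLOWED. */
probe_result_t run_exec_probe(void) {
    size_t size = 0x1000;
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_ERROR;
    int rc = mprotect(p, size, PROT_READ | PROT_EXEC);
    munmap(p, size);
    return rc == 0 ? PROBE_EXEC_ALLOWED : PROBE_EXEC_DENIED;
}
#endif

/* Text the app would show; a hint only, not a feature kill switch, as the asker wants. */
const char *describe_probe(probe_result_t r) {
    switch (r) {
    case PROBE_EXEC_DENIED:  return "code-signing enforcement intact";
    case PROBE_EXEC_ALLOWED: return "executable page granted: kernel looks patched";
    default:                 return "probe inconclusive";
    }
}
```

Treat the verdict as one signal among several: a single kern_return_t is cheap for a jailbreak to hook, and the check says nothing about which of the patches listed above is actually present.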
