One "silly" question. I have looked into my app's binary data in hex editor. And on my huge surprise - function names were in there!?
So if i was a cracker .. i can easyly cind your function named "crackCheck" and avoid its execution or something like that. So, naming protection function is also important isnt it?
One "silly" question. I have looked into my app's binary data in hex editor. And on my huge surprise - function names were in there!?
So if i was a cracker .. i can easyly cind your function named "crackCheck" and avoid its execution or something like that. Ao, naming protection function is also important isnt it?
Not silly and very true. I don't remember all of the details but there is a Mobile Orchard podcast that goes into detail about the iPhone OS "runtime". What I recall is that method names and class names are used by the OS so they are included in the binary. I believe that this is the podcast:
It is best to use in line code if you can. But if you do use special methods or classes you should avoid obvious names. You don't want to give the cracker any clues.
One "silly" question. I have looked into my app's binary data in hex editor. And on my huge surprise - function names were in there!?
So if i was a cracker .. i can easyly cind your function named "crackCheck" and avoid its execution or something like that. So, naming protection function is also important isnt it?
Were you looking at a Release or Debug build? I believe symbol information is usually available in Debug builds, but I thought it was excluded from Release builds.
Quote:
Originally Posted by iPhoneAppStudio
Not silly and very true. I don't remember all of the details but there is a Mobile Orchard podcast that goes into detail about the iPhone OS "runtime". What I recall is that method names and class names are used by the OS so they are included in the binary. I believe that this is the podcast:
It is best to use in line code if you can. But if you do use special methods or classes you should avoid obvious names. You don't want to give the cracker any clues.
I just listened to that podcast, and there was nothing I heard that indicated that unmangled method names were visible in the runtime. To me, it sounded like selectors are used for looking up class methods, and Ash described selectors essentially as a unique hash of the string representation of the method name.
I was looking at release build. Function names - were there! Thats why i was confused and thats why i have renamed my protection functions into totally silly names. Now beat that crackers
Anyway ... there is one more thing. Cracker can always avoid execution or change behaviour of your protection function and then you're screwed. I have an idea how to protect that - CRC check protection. Has anyone experimented with that? I have experimented under windows/x86 but not yet on iphone/arm. Any links on that?
Are you guys using Objective C/C++ or plain C/C++? If it's an Objective C class, then the method calls are dynamic (that's why it's slower) and thus the method names are stored in the binary.
Use C/C++ and turn off RTTI, then function names won't get to your binaries.
Another suggestion: don't use names like "Info.plist", etc. - scramble the names and keep them scrambled in the binary.
__________________ Game Pack - All-in-1 Game Pack Shinro - A combination of Minesweeper and Sudoku Nibbles - Remake of a classic snake game Hooptie Browser - Humorous web filter
Here, to be exact - i was using example from the first page of this thread:
Quote:
void ZNDebugIntegrity() { ...
Looks like plain C function to me? ZNDebugIntegrity - right there in my hex editor! Oh, so you are saying to turn of that RTTI thingie. Where is that in xcode ... probably i'll find it later myself, thanks.
Yes, it is a plain C function. Are you sure you are looking at release build?
For the sake of purity, you can name the file with .c extension. So the compiler won't even think "Objective C".
__________________ Game Pack - All-in-1 Game Pack Shinro - A combination of Minesweeper and Sudoku Nibbles - Remake of a classic snake game Hooptie Browser - Humorous web filter
Yes, I am sure, in release build - and also in distribution build! Where is RTTI option in xcode? Will try to find it later myself anyway ...
Oh, it's called "Enable C++ Runtime Types" in xcode, disable it (unless you are using them). It doesn't solve the problem though. The mangled function names are still there. I guess Apple wants to keep them there for stack trace reports or something, or maybe to easily check if we are using some taboo API. I guess the only solution is to give these functions/classes some silly names.
__________________ Game Pack - All-in-1 Game Pack Shinro - A combination of Minesweeper and Sudoku Nibbles - Remake of a classic snake game Hooptie Browser - Humorous web filter
I have taken two of the methods from here and combined them to make it twice as hard to crack my app (I understand the argument about there always being a way around whatever protection is put in place, but it is nice to at least feel like you are helping stop your app being cracked):
I then halt the game and show an alert and a fake progress bar saying that the device's data is being sent to Apple... that should make them delete the cracked app :P.
Just one question.. is there any way to test the protection without cracking it and putting on a jailbroken phone (not being something I want to do)?
Thanks
Cam
My app congratulates the user on actually cracking it... Because i'm cool
My app congratulates the user on actually cracking it... Because i'm cool
Hmm... but usually only one person actually cracks it. Every other "user" who runs the app is simply downloading the already-cracked version from the web.
My app congratulates the user on actually cracking it... Because i'm cool
Cool indeed, but cracker can also post-crack that message so it does not display and then we got your fully cracked app. Tada!
Besides that, you give a cracker a starting point with that message so he knows where to start post-cracking process.
Insted of that, my idea is that when application detects that it is cracked then it silently starts working wrong, so the cracker can not be sure where to start post-cracking process.
I just done that and some cracker posted "cracked" version of my app which is not usable at all! He probably didnt have time to actually try and use application. There are tons of other apps for him to crack. Maybe some other time.
is_encrypted is the king! Rename it and adjust a little to suit your needs.
2 other anti debugging techniques.
1. use PTRACE_TRACEME to trace the app itself. gdb won't be able to attach
2. gdb opens some more file descriptors than the usual 3 for the child process. So you can check if more than 5 file descriptors exists. if they exist you can exit your app.
and of course you can use asm to do the basic PT_DENY_ATTACH
anyhow, I'm not an AppStore dev, I develop for the CydiaStore. Doesn't apple rely on being able to use gdb with your executable in order to test your app?
and make sure you avoid all kind of strings. strings are a dead giveaway (encrypted or not), especially you only need to break in gdb right before the msg_send and you can print out the objects in the registers (po $r0). Don't use objC for checks. try to use as much C as possible.
Regarding the javaconvert method, the info plist size differs whether you build it for simulator or device. Don't forget to change to the device build plist size before the the final distribution build.
#define kInfoSize 500
//Place your NSLog Plist Size into the above Define statment
You could always tie the functionality of your app into whether your anti piracy function runs.
E.G- When the crackCheck method is called, it sets another variable indicating that it ran. Your app can then check for that variable at opportune times. That way if a cracker disables the crackCheck method, the app still won't work. However, if he DOESN'T disable it, the anti-crack method runs and they get caught.
You could always tie the functionality of your app into whether your anti piracy function runs.
E.G- When the crackCheck method is called, it sets another variable indicating that it ran. Your app can then check for that variable at opportune times. That way if a cracker disables the crackCheck method, the app still won't work. However, if he DOESN'T disable it, the anti-crack method runs and they get caught.
most cracker don't NOP the call for the crackCheck method, they simply change for example CMP R0, #0 to something like CMP R0, R0. So your idea won't have any actual use.
You need to understand how cracking works to get it done right.
a guy called Reilly wrote a detailed tutorial on how to manually crack apps with additional protection: everyone who works on anti-crack stuff should read it: ARTeam Website: Downloads / / Patching Applications from Apple?s AppStore with additional protection (online view has only 6 pages. download the zip to read the pdf with over 30 pages).
As far as I can see, most crackers do not RUN application at all after "cracking" it!
Thats why tons of non-working "cracks" come up on various download locations! I'm kinda mad but maybe that's a good thing after all, who knows ...
What are the risks involved in adding these anticrack measures? Can they somehow malfunction in a legally bought app for a JailBroken iphone?? That will ruin the reputation in the appstore.
I heard some stories where the app wouldnt even start in a normal legally bought for app.. Im very tempted to use these methods, but im afraid if it'll have accidentally some adverse effect. Is anyone already using them?
What are the risks involved in adding these anticrack measures? Can they somehow malfunction in a legally bought app for a JailBroken iphone?? That will ruin the reputation in the appstore.
I heard some stories where the app wouldnt even start in a normal legally bought for app.. Im very tempted to use these methods, but im afraid if it'll have accidentally some adverse effect. Is anyone already using them?
You need to implement your code absolutely fail proof and correctly and make sure that the anti-piracy measurements are not activated when the app was legally purchased. You need to figure out what your app needs to look out for in order to see if the app was pirated or not. If the app detects that it was pirated then it can (legally) do anything it wants, including turning the iDevice into an iBrick. Nobody can you (the developer) hold responsible when a pirated (stolen) copyrighted product creates havok.
If you wanna be sure that your anti piracy code is working correctly, then you need to do what a pirate does: Crack it yourself with the pirate's tools and test it.
Linear Mode
