Code Protection Technology For Mach-O File Format

There are many security mechanisms for anti-debugging on iOS. But due to the development of iOS jailbreak technique after jailbreak, the hacker can debug and modify the executable files, analyze key flows of the software, obtain its core algorithm and crack charged software. Packer protection is a commonly used method of code protection and has good flexibility. Moreover, it can also use other means of protection to protect the security code. Code protection technology and anti-debugging technology of PE documents in the Windows system has developed quite abundantly. Code obfuscation techniques, packing and anti-debugging techniques are the main methods of Code protection. Currently,it has realized the code protection design based on code obfuscation techniques. However, in the iOS system, there are relatively few types of code protection technology for Mach-O.This paper targets to the lag of code protection technology for Mach-O executable on iOS. Consideration of code tamper, code injection on iOS, this paper has proposed a code protection scheme MFP(Mach-O File Protector)featuring with both encryption function and anti-debugging function based on UPX(the Ultimate Packer for executables).By analysis of UPX packing program, we add encryption module and anti-debugging module to the stub code by using cross-compiling technology. The code is encrypted with 3DES encryption algorithm and MD5 digital abstract algorithm. At the same time by forging Symbol Table and adding the KAUTH_SCOPE_PROCESS callback function are used for anti-debugging. Compared with UPX, MFP encrypt Mach-O executable through 3DES and insert anti-debugging code to disable mainstream debugging software.The paper analyzes the security of iOS system and the challenges of iOS jailbreak for code security. By encrypting and anti-debugging techniques, the paper has achieved the code protection method on Mach-O files.