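private rule _fat
{
    // Helper: true when the file starts with a Mach-O universal ("fat") header.
    //
    // Mirrors the file(1) magic entry this rule was derived from:
    //   0   belong 0xcafebabe
    //   >4  belong 1      Mach-O universal binary with 1 architecture
    //   >4  belong >1
    //   >>4 belong <20    Mach-O universal binary with %ld architectures
    //
    // Both header fields are big-endian on disk, so they are read with
    // uint32be(). A little-endian read compared against 0x14000000 only
    // bounds the lowest byte of the count and lets values such as 0x0113
    // through.
    //
    // The count bound is what separates a fat header from a Java class file,
    // which starts with the same CA FE BA BE magic: there bytes 4-7 hold the
    // class-file version, whose major number is at least 45.
    //
    // Comparing integers at fixed offsets also avoids registering a 4-byte
    // string that the scanner would otherwise search for across the whole file.
    condition:
        uint32be(0) == 0xCAFEBABE and uint32be(4) < 20
}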
private rule _macho
{
    // Helper: true for a thin Mach-O image, or for a universal binary as
    // decided by _fat. The four thin magics are compared in on-disk byte
    // order at offset 0:
    //   CE FA ED FE   little-endian, 32-bit
    //   CF FA ED FE   little-endian, 64-bit
    //   FE ED FA CE   big-endian, 32-bit
    //   FE ED FA CF   big-endian, 64-bit
    condition:
        _fat
        or uint32be(0) == 0xCEFAEDFE
        or uint32be(0) == 0xCFFAEDFE
        or uint32be(0) == 0xFEEDFACE
        or uint32be(0) == 0xFEEDFACF
}
rule lib_jb
{
    // Flags a Mach-O file (thin or universal, per _macho) that contains the
    // library name "libguiinject.dylib" anywhere in its bytes.
    //
    // The string is a case-sensitive ASCII substring match and is not tied to
    // a load command, so a hit shows that the name is present in the binary,
    // not that the library is actually linked or loaded. Treat matches as a
    // triage lead and confirm against the binary's load commands.
    strings:
        $dylib_name = "libguiinject.dylib"
    condition:
        $dylib_name and _macho
}
rule app_jb
{
    // Flags a Mach-O file (per _macho) that references a path under
    // @executable_path whose first component begins with "jailbreak" or
    // "patch", in any letter case.
    //
    // Both strings are prefixes, not whole path components: anything that
    // merely starts with "patch" after "@executable_path/" also matches.
    // Expect false positives from legitimately bundled libraries with such
    // names and review the full path in the hit before acting on it.
    strings:
        $rel_jailbreak = "@executable_path/jailbreak" nocase
        $rel_patch     = "@executable_path/patch" nocase
    condition:
        _macho and any of them
}
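rule ipa_jb
{
    // Flags a ZIP archive (an .ipa is a ZIP) holding an entry whose path
    // contains ".app/jailbreak" or ".app/patch", in any letter case.
    //
    // ZIP stores entry names uncompressed in the local file headers and the
    // central directory, so these path fragments are visible without
    // unpacking. Entry *contents* are normally compressed, which means the
    // Mach-O rules in this file will generally not fire on a packed archive;
    // scan the extracted payload as well.
    //
    // The archive check compares the full 4-byte local-file-header signature
    // 50 4B 03 04 (0x04034B50 read little-endian) at offset 0. A two-byte
    // "PK" string accepts any file that happens to start with those letters
    // and forces the scanner to track a very short, very common string
    // across the whole file.
    //
    // Both path strings are prefixes: ".app/patch" also matches longer names
    // that merely begin with "patch". Review the full entry path on a hit.
    strings:
        $path_jailbreak = ".app/jailbreak" nocase
        $path_patch     = ".app/patch" nocase
    condition:
        uint32(0) == 0x04034B50 and any of them
}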