[Share] I hear 32-bit iOS 8.4.1 can be jailbroken
That is just a selfish excuse some people use. Why would anyone with the skill to exploit vulnerabilities bother locking people's devices? If they were really that capable they should go after banks and see whether they can move the money out. If learning penetration is only for petty tricks like this, then you China Hackers have very little ambition; it is probably a matter of national character.
[Share] I hear 32-bit iOS 8.4.1 can be jailbroken
The Trident vulnerabilities had been lurking for a long time. Whoever originally developed the Trident exploit did not do it for jailbreaking but to steal the target's data. It only became public because someone reported it and it was analysed. I think it is very hard for the newbies to get anywhere near Trident's level. Besides, iOS vulnerabilities are not worth as much as bank web or database vulnerabilities. And if you are worried about being wiretapped, your police and public security can listen in without any jailbreak.
[Original] iOS Dualboot: manual modification
Part 4 Installing and booting

RootFS decryption (example: iPhone 4S 7.1.2)

Decrypt the RootFS:
dmg extract 058-4365-009.dmg decrypted.dmg -k <key>
dmg build decrypted.dmg rootfs.dmg
rm decrypted.dmg

or:
vfdecrypt -k <key> -i 058-4365-009.dmg -o rootfs.dmg

Upload the decrypted RootFS to the phone under /private/var/root/:
scp rootfs.dmg root@device_ip:/private/var/root/

Format the partitions

If the block size is 4096:
BSIZE="4096"
OPT="-b"

If the block size is 8192:
BSIZE="8192"
OPT="-J -b"

Format disk0s1s3:
/sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s3

Format disk0s1s4:
* If the block size is 4096 (versions before iOS 9):
/sbin/newfs_hfs -s $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4
* If the block size is 8192 (iOS 9 and later need -P as well; untested):
/sbin/newfs_hfs -s -P $OPT $BSIZE -n a=$BSIZE,c=$BSIZE,e=$BSIZE /dev/disk0s1s4

Restore the rootfs to disk0s1s3:
asr restore --source /private/var/root/rootfs.dmg --target /dev/disk0s1s3 --erase

When it finishes, run:
fsck_hfs -f /dev/disk0s1s3

Remove the temporary file:
rm /private/var/root/rootfs.dmg

Create the mount point directories:
mkdir -p /mnt3
mkdir -p /mnt4

Mount the third partition:
mount_hfs /dev/disk0s1s3 /mnt3

Mount the fourth partition:
mount_hfs /dev/disk0s1s4 /mnt4

Move the contents of /private/var/ to the fourth partition:
mv -v /mnt3/private/var/* /mnt4/
rm -rf /mnt4/log/asl/SweepStore
rm -rf /mnt4/mobile/Library/PreinstalledAssets/*

Change the boot partitions in fstab:
sed -i 's/disk0s1/disk0s1s3/g' /mnt3/private/etc/fstab
sed -i 's/disk0s2/disk0s1s4/g' /mnt3/private/etc/fstab

Copy the baseband files:
mkdir -p /mnt3/usr/local/standalone/firmware/Baseband/Trek
cp -r /usr/local/standalone/firmware/Baseband/Trek/* /mnt3/usr/local/standalone/firmware/Baseband/Trek/
cd /usr/local/standalone/firmware/Baseband/Trek
zip -r0 /mnt3/usr/local/standalone/firmware/Baseband/Trek/Trek-personalized.zip *

Copy the keybags:
mkdir -p /mnt4/keybags
chown -R 0:0 /mnt4/keybags
chmod -R 700 /mnt4/keybags
rm /mnt4/keybags/systembag.kb
cp -r /private/var/keybags/* /mnt4/keybags/

Keybag repair

# keybagd patch (see "keybagd Patch")
rm /mnt3/usr/libexec/keybagd
After patching it on the computer, upload the replacement:
scp keybagd root@device_ip:/mnt3/usr/libexec/

# Re-sign keybagd
* iOS 7
cat << EOF > /tmp/e.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
    <key>com.apple.keystore.stash.access</key>
    <true/>
</dict>
</plist>
EOF

* iOS 6
cat << EOF > /tmp/e.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
</dict>
</plist>
EOF

ldid -S/tmp/e.xml /mnt3/usr/libexec/keybagd

Install fixkeybag
Download the source and build it yourself: https://github.com/NyanSatan/fixkeybag
Build it and copy it to /mnt3/usr/libexec/, or copy it from dualbootstuff:
cp -a /usr/share/dualbootstuff/fixkeybag /mnt3/usr/libexec/

Load fixkeybag automatically at boot:
echo "bsexec .. /usr/libexec/fixkeybag" >> /mnt3/private/etc/launchd.conf

or:
cat << EOF > /mnt3/System/Library/LaunchDaemons/acom.dualboot.fixkeybag.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>acom.dualboot.fixkeybag</string>
    <key>POSIXSpawnType</key>
    <string>Interactive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/fixkeybag</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>UserName</key>
    <string>root</string>
</dict>
</plist>
EOF

Re-sign it:
cat << EOF > /tmp/ent.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.keystore.device</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
ldid -S/tmp/ent.xml /mnt3/usr/libexec/fixkeybag

Add the bootchain files

Extract kernelcache.release.n94 and decrypt it:
xpwntool kernelcache.release.n94 kernelcache -iv <IV> -k <Key> -decrypt

Extract ramdisk.dmg and decrypt it:
xpwntool ramdisk.dmg ramdisk -iv <IV> -k <Key> -decrypt

Extract DeviceTree.n94ap.img3 and decrypt it:
xpwntool DeviceTree.n94ap.img3 devicetree -iv <IV> -k <Key> -decrypt

Extract applelogo@2x~iphone.s5l8940x.img3 and decrypt it:
xpwntool applelogo@2x~iphone.s5l8940x.img3 applelogo -iv <IV> -k <Key> -decrypt

Upload applelogo, ramdisk, kernelcache and devicetree to the root of the second system, root@device_ip:/mnt3/
Note: applelogo is optional.

Upload the patched iBSS and iBEC to root@device_ip:/

Fix permissions:
chown -R 0:0 /mnt3/kernelcache
chown -R 0:0 /mnt3/ramdisk
chown -R 0:0 /mnt3/devicetree

Unmount the partitions:
umount /mnt3
umount /mnt4

Boot the system
To boot the second system, unplug the cable; the device must not be charging.
After the multi_kloader command runs, the device goes to sleep; press the Home button once and the second system starts booting.

Boot command
iPhone 4S:
4smulti_kloader /iBSS /iBEC
Other devices:
multi_kloader /iBSS /iBEC
[Original] iOS Dualboot: manual modification
Part 3 Disk partitioning

Resizing the second partition
================================
Shrink the /private/var partition to free space for the two new partitions.

* Check the space
Connect to the device over ssh:
ssh root@device_ip
# df -B1
Filesystem     1B-blocks        Used        Available   Use%  Mounted on
/dev/disk0s1s1 2332835840       2224795648  84713472    97%   /
devfs          26624            26624       0           100%  /dev
/dev/disk0s1s2 13521633280      476921856   13044711424 4%    /private/var
/dev/disk1     240852992        69222400    171630592   29%   /Developer

/ is the system partition; /private/var is the data partition.
1B-blocks is the total size, Used the used space, Available the free space.

For the data partition above:
total size 13521633280 bytes (about 12.59 GB)
used 476921856 bytes (about 454.8 MB)
free 13044711424 bytes (about 12.14 GB)

Keep at least 400-500 MB available on the data partition. iOS subtracts 200 MB from the real free space, so at least 700 MB must be left.

Example: give 8 GB to the second system and leave the remaining free space to the data partition (disk0s1s2).

Compute the new size:
8*1024*1024*1024 = 8589934592 bytes
second partition size - third partition size = new second partition size
total size (13521633280) - 8G (8589934592) = new data partition size (4931698688) bytes (about 4.59 GB)

Usage: hfs_resize <mount point> <new size in bytes>
Example: resize /private/var to 4.59 GB (4931698688 bytes):
hfs_resize /private/var 4931698688

Then run df to check the result:
# df -B1
Filesystem     1B-blocks        Used        Available   Use%  Mounted on
/dev/disk0s1s1 2332835840       2224795648  84713472    97%   /
devfs          26624            26624       0           100%  /dev
/dev/disk0s1s2 4931698688       474763264   4456935424  10%   /private/var
/dev/disk1     240852992        69222400    171630592   29%   /Developer

Editing the partition table
Open the disk:
gptfdisk /dev/rdisk0s1

List the partition table: p
Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 0 sectors (0 bytes)

Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB    AF00  System
   2          569546         3870725   12.6 GiB   AF00  Data

Partition 1: start sector 6, end sector 569545
Partition 2: start sector 569546, end sector 3870725
One sector is 4096 bytes (4 KB); sector alignment is the so-called 4K alignment.

Fixing the second partition
The hfs_resize result may not be sector-aligned, so gptfdisk must be used to re-align the data partition.

Show the details of partition 2: i 2
Command (? for help): i
Partition number (1-2): 2
Partition GUID code: 48465300-0000-11AA-AA11-00306543ECAC (Apple HFS/HFS+)
Partition unique GUID: 353A726C-E8E1-4A9C-BD2D-BF34F7810862
First sector: 569546 (at 2.2 GiB)
Last sector: 3870725 (at 14.8 GiB)
Partition size: 3301180 sectors (12.6 GiB)
Attribute flags: 0003000000000000
Partition name: 'Data'

Write down the Partition unique GUID, 353A726C-E8E1-4A9C-BD2D-BF34F7810862; it is needed later to restore the GUID.

Delete the second partition: d 2
Command (? for help): d
Partition number (1-2): 2

Compute the sector count of the second partition:
new size (bytes) / 4096 = sector count
4931698688 / 4096 = 1204028
start sector + sector count = end sector
569546 + 1204028 = 1773574
Remember that the second partition's end sector is 1773574.

Fix the second partition's size by creating a new partition: n, ENTER, 1773574, ENTER
Command (? for help): n
Using 2
First sector (569546-3870725, default = 569546) or {+-}size{KMGTP}:
Last sector (569546-3870725, default = 3870725) or {+-}size{KMGTP}: 1773574
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00):
Changed type of partition to 'Apple HFS/HFS+'

Change the second partition's name to Data: c 2 Data
Command (? for help): c
Partition number (1-2): 2
Enter name: Data

Check the result: p
Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 2 entries
First usable sector is 6, last usable sector is 3870725
Partitions will be aligned on 2-sector boundaries
Total free space is 2097151 sectors (8.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB    AF00  System
   2          569546         1773574   4.6 GiB    AF00  Data

Fix the second partition's attribute flags
Normally the system partition's attribute flags are 0000000000000000 and the data partition's are 0003000000000000.
x, a, 2, 48, 49, ENTER
Command (? for help): x
Expert command (? for help): a
Partition number (1-2): 2
Known attributes are:
0: system partition
1: hide from EFI
2: legacy BIOS bootable
60: read-only
62: hidden
63: do not automount

Attribute value is 0000000000000000. Set fields are:
  No fields set
Toggle which attribute field (0-63, 64 or <Enter> to exit): 48
Have enabled the 'Undefined bit #48' attribute.
Attribute value is 0001000000000000. Set fields are:
48 (Undefined bit #48)
Toggle which attribute field (0-63, 64 or <Enter> to exit): 49
Have enabled the 'Undefined bit #49' attribute.
Attribute value is 0003000000000000. Set fields are:
48 (Undefined bit #48)
49 (Undefined bit #49)
Toggle which attribute field (0-63, 64 or <Enter> to exit):

Restore the previous GUID
The Partition unique GUID recorded earlier was 353A726C-E8E1-4A9C-BD2D-BF34F7810862.
c 2 353A726C-E8E1-4A9C-BD2D-BF34F7810862
Expert command (? for help): c
Partition number (1-2): 2
Enter the partition's new unique GUID ('R' to randomize): 353A726C-E8E1-4A9C-BD2D-BF34F7810862
New GUID is 353A726C-E8E1-4A9C-BD2D-BF34F7810862

That completes the second partition.

Creating the partitions for the second system
Change the partition table to allow 4 partitions: s 4
Expert command (? for help): s
Current partition table size is 32.
Enter new size (32 up, default 128): 4
Caution: The partition table size should officially be 16KB or larger,
which works out to 128 entries. In practice, smaller tables seem to
work with most OSes, but this practice is risky. I'm proceeding with
the resize, but you may want to reconsider this action and undo it.

Adjusting GPT size from 4 to 32 to fill the sector

Return to the main menu: m
Expert command (? for help): m
Command (? for help):

Create the third partition (the second system's system partition)
First decide how large the system you are going to install is, then compute the third partition's sector count and set its end sector from it; alternatively, simply give the third partition a somewhat larger allocation.
Example: give 2.2 GB to the third partition:
2.2GB = 2248MB
2248*1024*1024 = 2357198848 bytes
2357198848 / 4096 = 575488 (sector count)
start sector + sector count = end sector
1773576 + 575488 = 2349064
n, 3, ENTER, 2349064, ENTER
Command (? for help): n
Partition number (3-32, default 3): 3
First sector (3-3870728, default = 1773576) or {+-}size{KMGTP}:
Last sector (1773576-3870728, default = 3870728) or {+-}size{KMGTP}: 2349064
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00):
Changed type of partition to 'Apple HFS/HFS+'

Create the fourth partition (the second system's data partition)
Set the fourth partition's end sector to 3870725, that is the 3870728 shown in "Last sector (2349066-3870728, default = 3870728)" minus 3: three sectors must be left free after the end of the fourth partition.
n, 4, ENTER, 3870725, ENTER
Command (? for help): n
Partition number (4-32, default 4): 4
First sector (3-3870728, default = 2349066) or {+-}size{KMGTP}:
Last sector (2349066-3870728, default = 3870728) or {+-}size{KMGTP}: 3870725
Current type is 'Apple HFS/HFS+'
Hex code or GUID (L to show codes, Enter = AF00):
Changed type of partition to 'Apple HFS/HFS+'

The partition names and the fourth partition's attribute flags are optional.
Change the third partition's name to iOSFS: c 3 iOSFS
Command (? for help): c
Partition number (1-3): 3
Enter name: iOSFS

Change the fourth partition's name to iOSData: c 4 iOSData
Command (? for help): c
Partition number (1-4): 4
Enter name: iOSData

Set the fourth partition's attribute flags: x, a, 4, 48, 49, ENTER
Command (? for help): x
Expert command (? for help): a
Partition number (1-4): 4
Known attributes are:
0: system partition
1: hide from EFI
2: legacy BIOS bootable
60: read-only
62: hidden
63: do not automount

Attribute value is 0000000000000000. Set fields are:
  No fields set
Toggle which attribute field (0-63, 64 or <Enter> to exit): 48
Have enabled the 'Undefined bit #48' attribute.
Attribute value is 0001000000000000. Set fields are:
48 (Undefined bit #48)
Toggle which attribute field (0-63, 64 or <Enter> to exit): 49
Have enabled the 'Undefined bit #49' attribute.
Attribute value is 0003000000000000. Set fields are:
48 (Undefined bit #48)
49 (Undefined bit #49)
Toggle which attribute field (0-63, 64 or <Enter> to exit):

List the partition table: p
Command (? for help): p
Disk /dev/rdisk0s1: 3870731 sectors, 14.8 GiB
Logical sector size: 4096 bytes
Disk identifier (GUID): DA60F21F-DD91-4076-A4D3-632BA7F38079
Partition table holds up to 32 entries
First usable sector is 3, last usable sector is 3870728
Partitions will be aligned on 2-sector boundaries
Total free space is 8 sectors (32.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1               6          569545   2.2 GiB    AF00  System
   2          569546         1773574   4.6 GiB    AF00  Data
   3         1773576         2349064   2.2 GiB    AF00  Apple HFS/HFS+
   4         2349066         3870725   5.8 GiB    AF00  Apple HFS/HFS+

Finally, if everything looks right, press w and then Y to write the table; if something is wrong, press q to quit and start over.
Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/rdisk0s1.
Warning: Devices opened with shared lock will not have their
partition table automatically reloaded!
Warning: The kernel may continue to use old or deleted partitions.
You should reboot or remove the drive.
The operation has completed successfully.

After writing, run sync a few times:
# sync
# sync
# sync
# sync

Check that the new partitions have appeared:
# ls /dev/disk*
/dev/disk0     /dev/disk0s1s1 /dev/disk0s1s3 /dev/disk1
/dev/disk0s1   /dev/disk0s1s2 /dev/disk0s1s4
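The sector arithmetic that this part does by hand (new /private/var size, sector counts, aligned start sectors, the three spare tail sectors and the 700 MB free-space rule), as an added Python example; it is not part of the original post, uses the post's own numbers, and the function and constant names are my own.

```python
# Added example, not from the original post: the partition arithmetic the post
# does by hand for a 16 GB iPhone 4S, written as checked functions. Constants
# come from the post's gptfdisk output (4096-byte sectors, 2-sector alignment,
# 3 spare sectors at the end) and from its 700 MB free-space rule.

SECTOR_BYTES = 4096                  # "Logical sector size: 4096 bytes"
ALIGN_SECTORS = 2                    # "Partitions will be aligned on 2-sector boundaries"
TAIL_RESERVE = 3                     # post: leave 3 sectors after the last partition
MIN_DATA_FREE = 700 * 1024 * 1024    # post: keep >= 700 MB really free on /private/var


def new_data_size(total_bytes, second_os_bytes):
    """New /private/var size: current size minus what the second system gets.
    This is the number handed to hfs_resize."""
    if second_os_bytes >= total_bytes:
        raise ValueError("second system cannot take the whole data partition")
    return total_bytes - second_os_bytes


def data_free_ok(new_size_bytes, used_bytes, minimum=MIN_DATA_FREE):
    """iOS hides 200 MB of the real free space, so the post wants >= 700 MB left."""
    return new_size_bytes - used_bytes >= minimum


def to_sectors(size_bytes, sector=SECTOR_BYTES):
    """Sector count for a byte size; a size that is not a sector multiple is a typo."""
    if size_bytes % sector:
        raise ValueError(f"{size_bytes} is not a multiple of {sector}-byte sectors")
    return size_bytes // sector


def end_sector(start, count):
    """The post's formula: start sector + sector count. Strictly the last sector
    is start + count - 1; the extra sector only makes the partition one sector
    larger than the HFS+ volume inside it, which is harmless."""
    return start + count


def align_up(sector, align=ALIGN_SECTORS):
    """Round a sector number up to the next alignment boundary."""
    return -(-sector // align) * align


def next_start(prev_end, align=ALIGN_SECTORS):
    """First aligned sector after prev_end (the default gptfdisk offered)."""
    return align_up(prev_end + 1, align)


def plan_layout(data_start, total_data_bytes, second_os_bytes,
                third_bytes, last_usable):
    """Start/end sectors for the resized Data partition and the two new ones."""
    data_bytes = new_data_size(total_data_bytes, second_os_bytes)
    data_end = end_sector(data_start, to_sectors(data_bytes))
    third_start = next_start(data_end)
    third_end = end_sector(third_start, to_sectors(third_bytes))
    fourth_start = next_start(third_end)
    fourth_end = last_usable - TAIL_RESERVE
    if fourth_start >= fourth_end:
        raise ValueError("third partition too large: no room left for the fourth")
    return {
        "Data": (data_start, data_end),
        "iOSFS": (third_start, third_end),
        "iOSData": (fourth_start, fourth_end),
    }


if __name__ == "__main__":
    # Numbers copied from the post's df and gptfdisk output.
    total, used, data_start, last_usable = 13521633280, 476921856, 569546, 3870728
    second_os = 8 * 1024 ** 3            # 8 GiB handed to the second system
    third = 2248 * 1024 ** 2             # the post's 2.2 GB system partition
    new_size = new_data_size(total, second_os)
    print(f"hfs_resize /private/var {new_size}  free-space rule ok: {data_free_ok(new_size, used)}")
    for name, (start, end) in plan_layout(data_start, total, second_os, third, last_usable).items():
        gib = (end - start + 1) * SECTOR_BYTES / 1024 ** 3
        print(f"{name:8s} {start:>8d} {end:>8d} {gib:5.1f} GiB")
```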
[Original] iOS Dualboot: manual modification
3. keybagd Patch (for iOS 6/7)

After installing the second system, download root@device_ip:/mnt3/usr/libexec/keybagd to the computer with scp, patch it, then replace the original file and re-sign it.

Search for RegisterBackupBag:
__const:0000A27C DCD cfstr_Com_apple_keys ; "com.apple.keystore.device"
__const:0000A280 DCD cfstr_Registerbackup ; "RegisterBackupBag"
__const:0000A284 DCD sub_23B8+1 ; follow this one
__text:000023B8 PUSH {R4-R7,LR}
__text:000023BA ADD R7, SP, #0xC ; change to MOVS R0, #0 / POP {R4-R7,PC}
__text:000023BC STR.W R8, [SP,#0xC+var_10]!
__text:000023C0 SUB SP, SP, #0x34
__text:000023C2 MOV R5, R1
__text:000023C4 MOV R1, #(cfstr_Backupkeybagke - 0x23D2) ; "BackupKeyBagKeys"
__text:000023CC MOV R8, R0
__text:000023CE ADD R1, PC ; "BackupKeyBagKeys"
__text:000023D0 MOV R0, R5
__text:000023D2 BL sub_1CA4
__text:000023D6 MOVW R1, #(:lower16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023DA MOV R6, R0
__text:000023DC MOVT.W R1, #(:upper16:(cfstr_Passcode - 0x23E6)) ; "Passcode"
__text:000023E0 MOV R0, R5
__text:000023E2 ADD R1, PC ; "Passcode"
Patch: 0x13BA 00 20 F0 BD

Search for EXPORT _AppleKeyStoreKeyBagChangeSecret, press x to go to the caller, and come here:
__text:0000622A BL _AppleKeyStoreKeyBagGetSystem
__text:0000622E MOV R1, R0
__text:00006230 MOV.W R0, #0xFFFFFFFF
__text:00006234 CBNZ R1, loc_6266 ; change to B
__text:00006236 LDR R0, [SP,#0x1C+var_14]
__text:00006238 MOV R1, R6
__text:0000623A MOV R2, R5
__text:0000623C BL _AppleKeyStoreKeyBagChangeSecret
__text:00006240 MOV R1, R0
__text:00006242 MOV.W R0, #0xFFFFFFFF
__text:00006246 CBNZ R1, loc_6266
__text:00006248 LDR R0, [SP,#0x1C+var_14]
__text:0000624A MOV R2, #(aPrivateVar - 0x625A) ; "/private/var/"
__text:00006252 MOV.W R8, #1
__text:00006256 ADD R2, PC ; "/private/var/"
__text:00006258 MOVS R1, #0
__text:0000625A MOV R3, R4
__text:0000625C STR.W R8, [SP,#0x1C+var_1C]
__text:00006260 STR R1, [SP,#0x1C+var_18]
__text:00006262 BL _KBSaveBagHandle
Patch: 0x5234 17 E0

Search for EXPORT _KBUpdateSystemKeyBag:
__text:00006338 EXPORT _KBUpdateSystemKeyBag
__text:00006338 PUSH {R4-R7,LR}
__text:0000633A ADD R7, SP, #0xC
__text:0000633C STR.W R8, [SP,#0xC+var_10]!
__text:00006340 SUB SP, SP, #0xC
__text:00006342 MOV R5, R0
__text:00006344 MOV R0, #(aPrivateVarKeyb - 0x6358) ; "/private/var//keybags"
__text:0000634C MOV R1, #(aSystembag - 0x635A) ; "systembag"
__text:00006354 ADD R0, PC ; "/private/var//keybags"
__text:00006356 ADD R1, PC ; "systembag"
__text:00006358 BL _KBLoadKeyBag
__text:0000635C MOV R6, R0
__text:0000635E CMP R6, #0
__text:00006360 BEQ loc_63EC ; change to B
__text:00006362 MOVW R1, #(:lower16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"
__text:00006366 MOV R0, R6
__text:00006368 MOVT.W R1, #(:upper16:(cfstr_Opaquestuff - 0x6370)) ; "OpaqueStuff"
Patch: 0x5360 ?? E0

Search for the string auto-boot:
__text:00002BCA ADD R0, PC ; "keybagd"
__text:00002BCC BL sub_2A4C
__text:00002BD0 MOV R0, #(aAutoBoot - 0x2BE4) ; "auto-boot"
__text:00002BD8 MOV R1, #(aFalse - 0x2BE6) ; change the string to true
__text:00002BE0 ADD R0, PC ; "auto-boot"
__text:00002BE2 ADD R1, PC ; "false"
Search for the string false and change it to true, terminated with 0x00.
[Original] iOS Dualboot: manual modification
2. iBEC Patch

Decrypt the iBEC. Usage: xpwntool <input> <output> -iv <IV> -k <Key>

Load it in IDA Pro and look at:
ROM:00000044 LDR R1, =0x9FF00000
0x9FF00000 is the load base. Edit > Segments > Rebase program... and set the base to 0x9FF00000.

Search for TEXT "CMP R1, #0x41 ; 'A'", go to the start of the function, press x to go to the caller:
ROM:9FF1A3D0 MOV R1, R5
ROM:9FF1A3D2 MOV R2, R6
ROM:9FF1A3D4 BL sub_9FF19CC0 ; returns here; change to MOVS R0, #0 / STR R0, [R3]
Patch: 0x1A3D4 00 20 18 60

Then look upward in the code:
ROM:9FF1A35C BL sub_9FF19C14 ; enter here
ROM:9FF1A360 MOV.W R10, #0xFFFFFFFF
ROM:9FF1A364 CMP R0, #0
ROM:9FF1A366 BNE.W loc_9FF1A57E
ROM:9FF1A36A LDR R0, [SP,#0xC8+var_84]
ROM:9FF1A36C MOVS R5, #0
ROM:9FF1A36E CMP R6, #0
ROM:9FF1A370 LDR R0, [R0]
ROM:9FF1A372 LDR R0, [R0,#0x10]
ROM:9FF1A374 STR R0, [SP,#0xC8+var_9C]
ROM:9FF1A376 BEQ loc_9FF1A390 ; x 2
ROM:9FF1A378
ROM:9FF1A378 loc_9FF1A378
ROM:9FF1A378 MOV.W R10, #0xFFFFFFFF
ROM:9FF1A37C CMP R5, R6
ROM:9FF1A37E BCS.W loc_9FF1A57E
ROM:9FF1A382 LDR.W R0, [R8,R5,LSL#2]
ROM:9FF1A386 ADDS R5, #1
ROM:9FF1A388 LDR R1, [SP,#0xC8+var_9C]
ROM:9FF1A38A CMP R0, R1
ROM:9FF1A38C BNE loc_9FF1A378
ROM:9FF1A38E LDR R5, [SP,#0xC8+var_9C]
ROM:9FF1A390
ROM:9FF1A390 loc_9FF1A390 ; x 2
ROM:9FF1A390 LDR R1, [R4,#0xC] ; x 2
ROM:9FF1A392 MOVW R2, #0x6733
ROM:9FF1A396 LDR R0, [R4,#0x10]
ROM:9FF1A398 MOVT.W R2, #0x696D
ROM:9FF1A39C CMP R1, R2
ROM:9FF1A39E ITT EQ
ROM:9FF1A3A0 MOVEQ R6, #1
ROM:9FF1A3A2 TSTEQ.W R0, #0x200
ROM:9FF1A3A6 BEQ loc_9FF1A3AE ; x 1
ROM:9FF1A3A8 AND.W R0, R0, #4
ROM:9FF1A3AC LSRS R6, R0, #2
ROM:9FF1A3AE
ROM:9FF1A3AE loc_9FF1A3AE ; x 1
ROM:9FF1A3AE BL sub_9FF1DF64
ROM:9FF1A3B2 MOV R1, R0
ROM:9FF1A3B4 MOVS R0, #0
ROM:9FF1A3B6 STRB.W R0, [SP,#0xC8+var_90]
ROM:9FF1A3BA LDR R0, [SP,#0xC8+var_84]
ROM:9FF1A3BC CMP R0, #0
ROM:9FF1A3BE BEQ.W loc_9FF1A60A
ROM:9FF1A3C2 CMP R1, #0
ROM:9FF1A3C4 LDR.W R8, [R4,#0x10]
ROM:9FF1A3C8 IT NE
ROM:9FF1A3CA ORRNE.W R6, R6, #4
ROM:9FF1A3CE ADD R3, SP, #0xC8+var_90
ROM:9FF1A3D0 MOV R1, R5
ROM:9FF1A3D2 MOV R2, R6
ROM:9FF1A3D4 BL sub_9FF19CC0 ; change to MOVS R0, #0 / STR R0, [R3]

Follow sub_9FF19C14 to here:
ROM:9FF19C14 sub_9FF19C14
ROM:9FF19C14 PUSH {R4-R7,LR}
ROM:9FF19C16 ADD R7, SP, #0xC
ROM:9FF19C18 PUSH.W {R8,R10}
ROM:9FF19C1C MOV R6, R2
ROM:9FF19C1E MOV R8, R0
ROM:9FF19C20 MOV R10, R3
ROM:9FF19C22 MOV R5, R1
ROM:9FF19C24 MOVS R0, #0x16
ROM:9FF19C26 CMP R6, #0x14
ROM:9FF19C28 BCC loc_9FF19CB8
ROM:9FF19C2A LDR R1, [R5]
ROM:9FF19C2C MOVW R2, #0x6733
ROM:9FF19C30 MOVS R0, #0x16
ROM:9FF19C32 MOVT.W R2, #0x496D
ROM:9FF19C36 CMP R1, R2
ROM:9FF19C38 BNE loc_9FF19CB8
ROM:9FF19C3A LDR R1, [R5,#8]
ROM:9FF19C3C SUB.W R2, R6, #0x14
ROM:9FF19C40 MOVS R0, #0x16
ROM:9FF19C42 CMP R1, R2
ROM:9FF19C44 BHI loc_9FF19CB8 ; change to NOP
ROM:9FF19C46 LDR R2, [R5,#0xC]
ROM:9FF19C48 MOVS R0, #0x16
ROM:9FF19C4A CMP R2, R1
ROM:9FF19C4C BHI loc_9FF19CB8
Patch: 0x19C44 00 BF

Find the string debug-enabled, press x, pick the first entry and come here:
ROM:9FF1AED0 loc_9FF1AED0
ROM:9FF1AED0 LDR.W R0, =aDebugEnabled ; "debug-enabled"
ROM:9FF1AED4 ADD R1, SP, #0xAC+var_3C
ROM:9FF1AED6 STR R0, [SP,#0xAC+var_3C]
ROM:9FF1AED8 ADD R2, SP, #0xAC+var_40
ROM:9FF1AEDA LDR R0, [SP,#0xAC+var_34]
ROM:9FF1AEDC ADD R3, SP, #0xAC+var_38
ROM:9FF1AEDE BL sub_9FF17B8C
ROM:9FF1AEE2 CMP R0, #1
ROM:9FF1AEE4 BNE loc_9FF1AEF6
ROM:9FF1AEE6 MOVS R0, #0x20 ; ' '
ROM:9FF1AEE8 BL sub_9FF20E40 ; change to MOVS R0, #1
ROM:9FF1AEEC CMP R0, #1
ROM:9FF1AEEE ITTT EQ
ROM:9FF1AEF0 LDREQ R0, [SP,#0xAC+var_40]
ROM:9FF1AEF2 MOVEQ R1, #1
ROM:9FF1AEF4 STREQ R1, [R0]
Patch: 0x1AEE8 01 20 01 20

Find the string upgrade and change it to fsboot.
Find the string false and change it to true.

Find the string "Reliance on this certificate by any party assumes acceptance"; it is at offset 0x42680.
0x42680 + 0x9FF00000 = 0x9FF42680; as bytes: 80 26 F4 9F
At 0x42680 write: rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff

Search for rd=md0 nand-enable-reformat=1 -progress; it is at offset 0x3B810.
0x3B810 + 0x9FF00000 = 0x9FF3B810; as bytes: 10 B8 F3 9F
Search for the pointer to 0x9FF3B810, that is the bytes 10 B8 F3 9F: at 0x1C250 there is a pointer to 0x9FF3B810.
Replace the pointer to rd=md0 ... with the pointer to rd=disk0s1s3 cs_enforcement_disable=1 -v amfi=0xff: at offset 0x1C250 write 80 26 F4 9F (0x9FF42680).

After the modifications, add the img3 header. Usage: xpwntool <input> <output> -t <original encrypted file>
Example: xpwntool iBEC.dec iBEC -t iBEC.n94ap.RELEASE.dfu
[Original] iOS Dualboot: manual modification
Part 2 Patching bootchain

1. iBSS Patch

Decrypt the iBSS:
xpwntool <input> <output> -iv <IV> -k <Key>

Load it in IDA Pro and look at:
ROM:00000044 LDR R1, =0x34000000
0x34000000 is the load base. Edit > Segments > Rebase program... and set the base to 0x34000000.

Search for the string "iBSS ready, asking for DFU..." and come here:
ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4 BL sub_3400C850
ROM:340008F8 BL sub_34007A18
ROM:340008FC MOVW R10, #0
ROM:34000900 ADD.W R11, SP, #0x14
ROM:34000904 MOV.W R8, #1
ROM:34000908 MOVT.W R10, #0x8FE0 ; change to #0x7FD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C MOVS R0, #1
ROM:3400090E BL sub_340098B4
ROM:34000912 MOV.W R0, #0x200000
ROM:34000916 MOV.W R1, #0x200000
ROM:3400091A STR R0, [SP,#0x14]
ROM:3400091C MOV R0, R10
ROM:3400091E STR.W R10, [SP,#0x18]
ROM:34000922 BL sub_3400B12C ; change to NOP
ROM:34000926 MOV R6, R0
ROM:34000928 CMP R6, #0
ROM:3400092A BLT loc_3400090C ; change to NOP

iPhone 4S: change to #0xBFD0. Patch: 0x908 ?B F? D0 ??
Other devices: change to #0x7FD0. Patch: 0x908 ?7 F? D0 ??
On iOS 8, search instead for the hex bytes 00 00 E0 8F (0x8FE00000) and change them to the iBEC remap address that matches multi_kloader, 0x7FD00000.

Search for the string "Apple Mobile Device (DFU Mode)", press x, pick the first entry and come here:
ROM:3400A638 sub_3400A638
ROM:3400A638 PUSH {R4,R7,LR}
ROM:3400A63A LDR R4, =0x34012D34
ROM:3400A63C MOVS R0, #0
ROM:3400A63E ADD R7, SP, #4
ROM:3400A640 LDRB R1, [R4]
ROM:3400A642 CMP R1, #0
ROM:3400A644 IT NE
ROM:3400A646 POPNE {R4,R7,PC}
ROM:3400A648 LDR R0, =aAppleMobileDev ; "Apple Mobile Device (DFU Mode)"
ROM:3400A64A BL sub_3400A6B8

On sub_3400A638 press x to go back to its caller:
ROM:3400B12C sub_3400B12C
ROM:3400B12C PUSH {R4-R7,LR}
ROM:3400B12E LDR R5, =0x34012EF0
ROM:3400B130 ADD R7, SP, #0xC
ROM:3400B132 STRD.W R0, R1, [R5]
ROM:3400B136 BL sub_3400A638 ; returns here

On sub_3400B12C press x to go back to its caller:
ROM:340008F2 LDR R0, =aIbssReadyAskin ; "iBSS ready, asking for DFU...\n"
ROM:340008F4 BL sub_3400C850
ROM:340008F8 BL sub_34007A18
ROM:340008FC MOVW R10, #0
ROM:34000900 ADD.W R11, SP, #0x14
ROM:34000904 MOV.W R8, #1
ROM:34000908 MOVT.W R10, #0x8FE0 ; change to #0xBFD0
ROM:3400090C
ROM:3400090C loc_3400090C
ROM:3400090C MOVS R0, #1
ROM:3400090E BL sub_340098B4
ROM:34000912 MOV.W R0, #0x200000
ROM:34000916 MOV.W R1, #0x200000
ROM:3400091A STR R0, [SP,#0x14]
ROM:3400091C MOV R0, R10
ROM:3400091E STR.W R10, [SP,#0x18]
ROM:34000922 BL sub_3400B12C ; returns here; change to NOP
ROM:34000926 MOV R6, R0
ROM:34000928 CMP R6, #0
ROM:3400092A BLT loc_3400090C ; BLT loop; change to NOP
Patch: 0x922 00 BF 00 BF
Patch: 0x92A 00 BF

Search for TEXT "CMP R1, #0x41 ; 'A'", go to the start of the function, press x to go to the caller:
ROM:340065E8 IT NE
ROM:340065EA ORRNE.W R6, R6, #4
ROM:340065EE ADD R3, SP, #0xC8+var_90
ROM:340065F0 MOV R1, R5
ROM:340065F2 MOV R2, R6
ROM:340065F4 BL sub_34006190 ; you arrive here; change to MOVS R0, #0 / STR R0, [R3]
ROM:340065F8 MOVS R1, #0
ROM:340065FA CMP R0, #0
Patch: 0x65F4 00 20 18 60

Then look upward:
ROM:3400657C BL sub_340060E4 ; enter here
ROM:34006580 MOV.W R10, #0xFFFFFFFF
ROM:34006584 CMP R0, #0
ROM:34006586 BNE.W loc_3400679E
ROM:3400658A LDR R0, [SP,#0xC8+var_84]
ROM:3400658C MOVS R5, #0
ROM:3400658E CMP R6, #0
ROM:34006590 LDR R0, [R0]
ROM:34006592 LDR R0, [R0,#0x10]
ROM:34006594 STR R0, [SP,#0xC8+var_9C]
ROM:34006596 BEQ loc_340065B0 ; x 2
ROM:34006598
ROM:34006598 loc_34006598
ROM:34006598 MOV.W R10, #0xFFFFFFFF
ROM:3400659C CMP R5, R6
ROM:3400659E BCS.W loc_3400679E
ROM:340065A2 LDR.W R0, [R8,R5,LSL#2]
ROM:340065A6 ADDS R5, #1
ROM:340065A8 LDR R1, [SP,#0xC8+var_9C]
ROM:340065AA CMP R0, R1
ROM:340065AC BNE loc_34006598
ROM:340065AE LDR R5, [SP,#0xC8+var_9C]
ROM:340065B0
ROM:340065B0 loc_340065B0 ; x 2
ROM:340065B0 LDR R1, [R4,#0xC]
ROM:340065B2 MOVW R2, #0x6733
ROM:340065B6 LDR R0, [R4,#0x10]
ROM:340065B8 MOVT.W R2, #0x696D
ROM:340065BC CMP R1, R2
ROM:340065BE ITT EQ
ROM:340065C0 MOVEQ R6, #1
ROM:340065C2 TSTEQ.W R0, #0x200
ROM:340065C6 BEQ loc_340065CE ; x 1
ROM:340065C8 AND.W R0, R0, #4
ROM:340065CC LSRS R6, R0, #2
ROM:340065CE
ROM:340065CE loc_340065CE ; x 1
ROM:340065CE BL sub_34006EB0
ROM:340065D2 MOV R1, R0
ROM:340065D4 MOVS R0, #0
ROM:340065D6 STRB.W R0, [SP,#0xC8+var_90]
ROM:340065DA LDR R0, [SP,#0xC8+var_84]
ROM:340065DC CMP R0, #0
ROM:340065DE BEQ.W loc_3400682A
ROM:340065E2 CMP R1, #0
ROM:340065E4 LDR.W R8, [R4,#0x10]
ROM:340065E8 IT NE
ROM:340065EA ORRNE.W R6, R6, #4
ROM:340065EE ADD R3, SP, #0xC8+var_90
ROM:340065F0 MOV R1, R5
ROM:340065F2 MOV R2, R6
ROM:340065F4 BL sub_34006190 ; change to MOVS R0, #0 / STR R0, [R3]

Follow sub_340060E4 to here:
ROM:340060E4 sub_340060E4
ROM:340060E4 PUSH {R4-R7,LR}
ROM:340060E6 ADD R7, SP, #0xC
ROM:340060E8 PUSH.W {R8,R10}
ROM:340060EC MOV R6, R2
ROM:340060EE MOV R8, R0
ROM:340060F0 MOV R10, R3
ROM:340060F2 MOV R5, R1
ROM:340060F4 MOVS R0, #0x16
ROM:340060F6 CMP R6, #0x14
ROM:340060F8 BCC loc_34006188
ROM:340060FA LDR R1, [R5]
ROM:340060FC MOVW R2, #0x6733
ROM:34006100 MOVS R0, #0x16
ROM:34006102 MOVT.W R2, #0x496D
ROM:34006106 CMP R1, R2
ROM:34006108 BNE loc_34006188
ROM:3400610A LDR R1, [R5,#8]
ROM:3400610C SUB.W R2, R6, #0x14
ROM:34006110 MOVS R0, #0x16
ROM:34006112 CMP R1, R2
ROM:34006114 BHI loc_34006188 ; change to NOP
ROM:34006116 LDR R2, [R5,#0xC]
ROM:34006118 MOVS R0, #0x16
ROM:3400611A CMP R2, R1
ROM:3400611C BHI loc_34006188
Patch: 0x6114 00 BF

The patched iBSS does not need to be re-encrypted.
[Original] Analysis of the iOS 9 Home Depot jailbreak code
Sandbox Patch

Search for the string "Seatbelt sandbox policy" and find this:
com.apple.security.sandbox:__data:80EBA824 DCD aSandbox_0 ; "Sandbox"
com.apple.security.sandbox:__data:80EBA828 DCD aSeatbeltSandbo ; "Seatbelt sandbox policy"
com.apple.security.sandbox:__data:80EBA82C DCD off_80EBA84C
com.apple.security.sandbox:__data:80EBA830 DCB 1
com.apple.security.sandbox:__data:80EBA831 DCB 0
com.apple.security.sandbox:__data:80EBA832 DCB 0
com.apple.security.sandbox:__data:80EBA833 DCB 0
com.apple.security.sandbox:__data:80EBA834 DCD unk_80EBA850 ; points to sbops
com.apple.security.sandbox:__data:80EBA838 DCB 0
com.apple.security.sandbox:__data:80EBA839 DCB 0
com.apple.security.sandbox:__data:80EBA83A DCB 0
com.apple.security.sandbox:__data:80EBA83B DCB 0
com.apple.security.sandbox:__data:80EBA83C DCD unk_80F26190
com.apple.security.sandbox:__data:80EBA840 DCB 0
com.apple.security.sandbox:__data:80EBA841 DCB 0
com.apple.security.sandbox:__data:80EBA842 DCB 0
com.apple.security.sandbox:__data:80EBA843 DCB 0
com.apple.security.sandbox:__data:80EBA844 DCB 0
com.apple.security.sandbox:__data:80EBA845 DCB 0
com.apple.security.sandbox:__data:80EBA846 DCB 0
com.apple.security.sandbox:__data:80EBA847 DCB 0
com.apple.security.sandbox:__data:80EBA848 DCB 0
com.apple.security.sandbox:__data:80EBA849 DCB 0
com.apple.security.sandbox:__data:80EBA84A DCB 0
com.apple.security.sandbox:__data:80EBA84B DCB 0
com.apple.security.sandbox:__data:80EBA84C off_80EBA84C DCD aSb
com.apple.security.sandbox:__data:80EBA84C ; "sb"
com.apple.security.sandbox:__data:80EBA850 unk_80EBA850
com.apple.security.sandbox:__data:80EBA850 ; sbops

80EBA850 is sbops; its file offset is 0xEB9850.

Patch: clear 4 bytes to zero at each of the following locations.
(kernel_base + sbops + 0x90) write 0x00000000
(kernel_base + sbops + 0x1e0) write 0x00000000
(kernel_base + sbops + 0x3f0) write 0x00000000
(kernel_base + sbops + 0x3f8) write 0x00000000
(kernel_base + sbops + 0x3fc) write 0x00000000
(kernel_base + sbops + 0x400) write 0x00000000
(kernel_base + sbops + 0x404) write 0x00000000
(kernel_base + sbops + 0x408) write 0x00000000
(kernel_base + sbops + 0x40c) write 0x00000000
(kernel_base + sbops + 0x410) write 0x00000000
(kernel_base + sbops + 0x414) write 0x00000000
(kernel_base + sbops + 0x420) write 0x00000000
(kernel_base + sbops + 0x424) write 0x00000000
(kernel_base + sbops + 0x42c) write 0x00000000
(kernel_base + sbops + 0x438) write 0x00000000
(kernel_base + sbops + 0x44c) write 0x00000000
(kernel_base + sbops + 0x450) write 0x00000000
(kernel_base + sbops + 0x454) write 0x00000000
(kernel_base + sbops + 0x458) write 0x00000000
(kernel_base + sbops + 0x460) write 0x00000000
(kernel_base + sbops + 0x464) write 0x00000000
(kernel_base + sbops + 0x468) write 0x00000000
(kernel_base + sbops + 0x46c) write 0x00000000
(kernel_base + sbops + 0x4bc) write 0x00000000
(kernel_base + sbops + 0x4f0) write 0x00000000
(kernel_base + sbops + 0x3d4) write 0x00000000
(kernel_base + sbops + 0x168) write 0x00000000
[Original] Analysis of the iOS 9 Home Depot jailbreak code
cs_enforcement_disable_amfi

Search for the bytes 20 68 40 F4 40 70 20 60 00 20 90 BD and come here:
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA20 PUSH {R4,R7,LR}
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA22 ADD R7, SP, #4
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA24 LDR R0, =(byte_80765BE9 - 0x8074BA2A) ; this one
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA26 ADD R0, PC ; byte_80765BE8
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA28 LDRB R0, [R0]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2A CMP R0, #1
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2C BNE loc_8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2E MOVS R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA30 BL sub_8074BED0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA34 CBNZ R0, loc_8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36 loc_8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36 LDR R4, [R7,#arg_C]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA38 CMP R4, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3A BEQ loc_8074BA48
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C loc_8074BA3C
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C LDR R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3E ORR.W R0, R0, #0x300
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA42 STR R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44 loc_8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44 MOVS R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA46 POP {R4,R7,PC}

80765BE9 is at file offset 0x764BE9.
(kernel_base + 0x764BE9) write 0x1
[Original] Analysis of the iOS 9 Home Depot jailbreak code
i_can_has_debugger_patch

Search for the string Darwin Kernel, follow it, and change the dword 4 bytes before it (-0x4) to 1:
__TEXT:__const:803AB734 dword_803AB734 DCD 0 ; change to 1
__TEXT:__const:803AB734
__TEXT:__const:803AB738 EXPORT _version
__TEXT:__const:803AB738 _version DCB "Darwin Kernel Version 15.0.0: Fri Oct 2 14:07:07 PDT 2015; root"
(kernel_base + 0x3AA734) write 0x1

another_amfi_hack

Find amfi_hack_addr: search for the string "AMFI: hook..execve() killing pid %u: %s" and follow its X reference to:
com.apple.driver.AppleMobileFileIntegrity:__text:8074A05A ADD R0, PC ; "AMFI: hook..execve() killing pid %u: %s"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074A05C BL sub_8074C280
com.apple.driver.AppleMobileFileIntegrity:__text:8074A060 MOVS R0, #1
com.apple.driver.AppleMobileFileIntegrity:__text:8074A062 B loc_8074A22E ; follow this
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 loc_8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 LDR.W R8, [SP,#0x30+var_1C]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068 loc_8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068 CMP.W R8, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A06C BEQ.W loc_8074A21A
com.apple.driver.AppleMobileFileIntegrity:__text:8074A070 LDR R1, =(aGetTaskAllow - 0x8074A080)
com.apple.driver.AppleMobileFileIntegrity:__text:8074A072 MOVS R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A074 SUB.W R2, R7, #-var_21
com.apple.driver.AppleMobileFileIntegrity:__text:8074A078 STRB.W R0, [R7,#var_21]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A07C ADD R1, PC ; "get-task-allow"

amfi_hack_addr is at offset 0x74922E:
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E ADD SP, SP, #0x18
com.apple.driver.AppleMobileFileIntegrity:__text:8074A230 POP.W {R8,R10,R11}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234 POP {R4-R7,PC}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234 ; End of function sub_80749F24

(kernel_base + 0xA0C) write 44 F2 0F 00 C0 F6 00 60 CA F8 00 00 4F F0 00 00
__TEXT:HEADER:80001A0C MOV R0, #0xE00400F
__TEXT:HEADER:80001A14 STR.W R0, [R10]
__TEXT:HEADER:80001A18 MOV.W R0, #0

Then move the code from 8074A22E to just below the code at 0xA0C:
(kernel_base + 0xA0C + 0x10) write 06 B0 BD E8 00 0D F0 BD (the code from offset 0x74922E)
__TEXT:HEADER:80001A0C MOV R0, #0xE00400F
__TEXT:HEADER:80001A14 STR.W R0, [R10]
__TEXT:HEADER:80001A18 MOV.W R0, #0
---- moved code
__TEXT:HEADER:80001A1C ADD SP, SP, #0x18
__TEXT:HEADER:80001A1E POP.W {R8,R10,R11}
__TEXT:HEADER:80001A22 POP {R4-R7,PC}

Patch at loc_8074A22E:
(kernel_base + 0x74922E) write DF F8 02 F0
(kernel_base + 0x74922E + 0x4) write (kernel_base + 0xA0C + 1)
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E LDR.W PC, =(sub_80001A0C+1)

task_for_pid_off

Search for the bytes F0 B5 03 AF 2D E9 00 0D 84 B0 01 46 91 E8 41 and find:
__TEXT:__text:802FF034 PUSH {R4-R7,LR}
__TEXT:__text:802FF036 ADD R7, SP, #0xC
__TEXT:__text:802FF038 PUSH.W {R8,R10,R11}
__TEXT:__text:802FF03C SUB SP, SP, #0x10
__TEXT:__text:802FF03E MOV R1, R0
__TEXT:__text:802FF040 LDMIA.W R1, {R0,R6}
__TEXT:__text:802FF044 LDR R5, [R1,#8]
__TEXT:__text:802FF046 MOVS R1, #0
__TEXT:__text:802FF048 STR R1, [SP,#0x28+var_1C]
__TEXT:__text:802FF04A CMP R6, #0 ; change to CMP R6, #0xFF
(kernel_base + 0x2FE04A) write 0xFF
[Original] iOS 9 Home Depot jailbreak code analysis
amfi_substrate_patch
Search for the string "com.apple.rootless.install"; xref item 1 leads to:
com.apple.driver.AppleMobileFileIntegrity:__text:8074A090 ADD R1, PC ; "com.apple.rootless.install"
com.apple.driver.AppleMobileFileIntegrity:__text:8074A092 BL sub_8074A4D0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A096 LDRB.W R0, [R7,#var_21]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09A MOV R2, R6
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09C LDR R1, [R7,#arg_0]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09E CMP R0, #0 ; change to NOP (00 BF)
(kernel_base + 0x74909E) write 00 BF

real_vm_map_enter_patch
Search for the bytes 19 98 40 F4 80 10 19 90; this leads to:
__TEXT:__text:800D730A loc_800D730A
__TEXT:__text:800D730A LDR R0, [SP,#0x234+var_1D0]
__TEXT:__text:800D730C ORR.W R0, R0, #0x100000
__TEXT:__text:800D7310 STR R0, [SP,#0x234+var_1D0]
__TEXT:__text:800D7312
__TEXT:__text:800D7312 loc_800D7312
__TEXT:__text:800D7312 LDRB.W R0, [R9,#2]
__TEXT:__text:800D7316 TST.W R0, #0x20
__TEXT:__text:800D731A BEQ loc_800D73CA
__TEXT:__text:800D731C LDR R0, [SP,#0x234+var_1E8]
__TEXT:__text:800D731E CBZ R0, loc_800D7376
__TEXT:__text:800D7320 LDR R0, [R7,#arg_C]
__TEXT:__text:800D7322 CBNZ R0, loc_800D7376
__TEXT:__text:800D7324 MOV R5, R9
__TEXT:__text:800D7326 MOV R4, LR
__TEXT:__text:800D7328 TST.W R11, #2
__TEXT:__text:800D732C BEQ loc_800D7340
Click to follow the jump; this leads to:
__TEXT:__text:800D7340 loc_800D7340
__TEXT:__text:800D7340 TST.W R11, #4
__TEXT:__text:800D7344 BEQ loc_800D7358 ; change to NOP
__TEXT:__text:800D7346 LDR R0, [R7,#arg_8]
__TEXT:__text:800D7348 MOVS R2, #4
__TEXT:__text:800D734A LDR R1, [SP,#0x234+var_1E8]
__TEXT:__text:800D734C BL sub_8038E6C8
__TEXT:__text:800D7350 CMP R0, #0
__TEXT:__text:800D7352 IT NE
__TEXT:__text:800D7354 BICNE.W R11, R11, #4 ; change to NOP
(kernel_base + 0xD6344) write 00 BF
(kernel_base + 0xD6354) write 00 BF 00 BF

real_vm_map_protect_patch
Search for the bytes 12 F4 00 1F 4B 68; this leads here:
__TEXT:__text:8007FEBE TST.W R2, #0x200000
__TEXT:__text:8007FEC2 LDR R3, [R1,#4]
__TEXT:__text:8007FEC4 LDR R0, [R1,#0xC]
__TEXT:__text:8007FEC6 MOV R1, R10
__TEXT:__text:8007FEC8 AND.W R2, R10, #6
__TEXT:__text:8007FECC IT EQ
__TEXT:__text:8007FECE BICEQ.W R1, R1, #4 ; change to NOP
__TEXT:__text:8007FED2 CMP R2, #6
(kernel_base + 0x7EECE) write 00 BF 00 BF
[Original] iOS 9 Home Depot jailbreak code analysis
AMFI Patch
Finding amfi_patch_addr: search for the string "int _validateCodeDirectoryHashInDaemon", choose xref item 2, and it leads here:
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D2 BL sub_8074C1F0 ; enter this
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D6 CMP R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D8 BEQ loc_8074B956
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DA LDR R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DC CMP R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DE BNE loc_8074B8C8
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E0 B loc_8074B906
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2 loc_8074B8E2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2 LDR R0, =(aSVerify_code_0 - 0x8074B8EC)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E4 MOV R2, R4
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E6 LDR R1, =(aInt_validate_0 - 0x8074B8EE)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E8 ADD R0, PC ; "%s: verify_code_directory returned 0x%x"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8EA ADD R1, PC ; "int _validateCodeDirectoryHashInDaemon("...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8EC BL sub_8074BEA0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F0 B loc_8074B820
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2 loc_8074B8F2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2 LDR R0, =(aSUnableToVerif - 0x8074B8FA)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F4 LDR R1, =(aInt_validate_0 - 0x8074B8FC)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F6 ADD R0, PC ; "%s: unable to verify audit token came f"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F8 ADD R1, PC ; "int _validateCodeDirectoryHashInDaemon("...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8FA BL sub_8074BEA0
Click the BL sub_8074C1F0 above to enter it; this leads here:
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F0 sub_8074C1F0
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F0 MOV R12, #(off_807650EC - 0x8074C1FC)
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F8 ADD R12, PC ; off_807650EC
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FA LDR.W R12, [R12]
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FE BX R12
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FE ; End of function sub_8074C1F0
Click off_807650EC; this leads here:
com.apple.driver.AppleMobileFileIntegrity:__nl_symbol_ptr:807650EC off_807650EC DCD _memcmp+1
Remember the 807650EC location; its offset is 0x7640EC.

Finding branch_target
Find the find_clock_ops offset location; see https://github.com/benjamin-42/Trident/blob/master/Trident/exploit.c for details.
__DATA:__data:804063CC DCD sub_8001EB08+1 ; clock_ops
Click into sub_8001EB08 to get here:
__TEXT:__text:8001EB08 sub_8001EB08
__TEXT:__text:8001EB08 MOV R3, R0
__TEXT:__text:8001EB0A LDR R0, [R2]
__TEXT:__text:8001EB0C CMP R0, #1
__TEXT:__text:8001EB0E ITT NE
__TEXT:__text:8001EB10 MOVNE R0, #5
__TEXT:__text:8001EB12 BXNE LR
__TEXT:__text:8001EB14 MOVS R0, #0x12
__TEXT:__text:8001EB16 CMP R3, #5
__TEXT:__text:8001EB18 IT HI
__TEXT:__text:8001EB1A BXHI LR
__TEXT:__text:8001EB1C MOVS R2, #1
__TEXT:__text:8001EB1E LSLS R2, R3
__TEXT:__text:8001EB20 TST.W R2, #0x3A
__TEXT:__text:8001EB24 ITTTT NE
__TEXT:__text:8001EB26 MOVNEW R0, #0x9680
__TEXT:__text:8001EB2A MOVTNE.W R0, #0x98
__TEXT:__text:8001EB2E STRNE R0, [R1]
__TEXT:__text:8001EB30 MOVNE R0, #0 ; remember this offset
__TEXT:__text:8001EB32 BX LR
Remember the 8001EB30 location; its offset is 0x1DB30.
Write (kernel_base + branch_target + 1) at amfi_patch_addr.
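The posts above quote raw byte strings (44 F2 0F 00 ..., 06 B0 BD E8 ..., DF F8 02 F0, 00 BF, FF for the CMP) next to the mnemonics they are meant to be. The following is an added example, written for this page and not code from the thread, from Home Depot or from Trident: a minimal Thumb-2 decoder that covers only the encodings those byte strings use, so a reader can check that each quoted sequence really decodes to the instruction the poster claims (MOVW/MOVT pair building 0xE00400F, STR.W to R10, the moved epilogue, the LDR.W PC trampoline) and see why the pointer for that trampoline is written at +4: a PC-relative literal load reads from Align(PC,4) + imm12 with PC = instruction address + 4. The addresses are the IDA addresses quoted in the posts; the labels in QUOTED are constructed for this example.

```python
"""Decode the Thumb-2 byte strings quoted in the posts above (added example)."""
import struct

REG_NAMES = [f"R{i}" for i in range(13)] + ["SP", "LR", "PC"]


def _halfwords(data):
    """Split a little-endian byte string into 16-bit halfwords."""
    return [struct.unpack_from("<H", data, i)[0] for i in range(0, len(data), 2)]


def _is_32bit(hw):
    """Thumb-2 32-bit encodings start with bits[15:11] = 11101, 11110 or 11111."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)


def _reglist(bits, names):
    return "{" + ",".join(names[r] for r in range(len(names)) if bits >> r & 1) + "}"


def thumb_expand_imm(imm12):
    """ThumbExpandImm (ARM ARM): modified-immediate form used by MOV.W, ORR.W, TST.W."""
    if imm12 >> 10 == 0:
        imm8 = imm12 & 0xFF
        sel = (imm12 >> 8) & 3
        return (imm8, imm8 | imm8 << 16, imm8 << 8 | imm8 << 24, imm8 * 0x01010101)[sel]
    unrotated = 0x80 | (imm12 & 0x7F)
    rot = imm12 >> 7
    return ((unrotated >> rot) | (unrotated << (32 - rot))) & 0xFFFFFFFF


def literal_address(insn_addr, imm12, add=True):
    """Address a PC-relative LDR literal reads: Align(PC, 4) +/- imm12, PC = insn + 4."""
    base = (insn_addr + 4) & ~3
    return base + imm12 if add else base - imm12


def _decode16(hw):
    if hw == 0xBF00:
        return "NOP"
    if hw & 0xFF80 == 0xB000:                     # ADD SP, SP, #imm7*4
        return f"ADD SP, SP, #0x{(hw & 0x7F) * 4:X}"
    if hw & 0xFE00 == 0xBC00:                     # POP {R0-R7[,PC]}: P bit 8 -> PC (bit 15)
        return "POP " + _reglist((hw & 0xFF) | ((hw & 0x100) << 7), REG_NAMES)
    if hw & 0xF800 == 0x2800:                     # CMP Rn, #imm8
        return f"CMP R{(hw >> 8) & 7}, #0x{hw & 0xFF:X}"
    raise ValueError(f"unsupported 16-bit encoding {hw:#06x}")


def _decode32(hw1, hw2, addr):
    rd, rt = (hw2 >> 8) & 0xF, hw2 >> 12
    if hw1 & 0xFBF0 in (0xF240, 0xF2C0):          # MOVW (T3) / MOVT (T1): imm16 = imm4:i:imm3:imm8
        imm16 = ((hw1 & 0xF) << 12) | (((hw1 >> 10) & 1) << 11) | (((hw2 >> 12) & 7) << 8) | (hw2 & 0xFF)
        return f"{'MOVW' if hw1 & 0xFBF0 == 0xF240 else 'MOVT'} R{rd}, #0x{imm16:X}"
    if hw1 & 0xFBEF == 0xF04F:                    # MOV.W Rd, #const (T2); S bit ignored
        imm12 = (((hw1 >> 10) & 1) << 11) | (((hw2 >> 12) & 7) << 8) | (hw2 & 0xFF)
        return f"MOV.W R{rd}, #0x{thumb_expand_imm(imm12):X}"
    if hw1 & 0xFFF0 == 0xF8C0:                    # STR.W Rt, [Rn, #imm12] (T3)
        imm, rn = hw2 & 0xFFF, REG_NAMES[hw1 & 0xF]
        return f"STR.W {REG_NAMES[rt]}, [{rn}]" if imm == 0 else f"STR.W {REG_NAMES[rt]}, [{rn},#0x{imm:X}]"
    if hw1 & 0xFF7F == 0xF85F:                    # LDR.W Rt, [PC, #+/-imm12] (T2 literal)
        imm = hw2 & 0xFFF
        lit = literal_address(addr, imm, add=bool(hw1 & 0x80))
        return f"LDR.W {REG_NAMES[rt]}, [PC,#0x{imm:X}] ; literal at 0x{lit:X}"
    if hw1 == 0xE8BD:                             # POP.W {reglist} (T2)
        return "POP.W " + _reglist(hw2, REG_NAMES)
    raise ValueError(f"unsupported 32-bit encoding {hw1:#06x} {hw2:#06x}")


def disassemble(data, addr):
    """Decode a byte string starting at addr into a list of mnemonic strings."""
    hws, out, i = _halfwords(data), [], 0
    while i < len(hws):
        if _is_32bit(hws[i]):
            out.append(_decode32(hws[i], hws[i + 1], addr))
            addr, i = addr + 4, i + 2
        else:
            out.append(_decode16(hws[i]))
            addr, i = addr + 2, i + 1
    return out


# Byte strings and IDA addresses exactly as quoted in the posts; labels are constructed here.
QUOTED = {
    "stub at kernel_base+0xA0C": (bytes.fromhex("44F20F00C0F60060CAF800004FF00000"), 0x80001A0C),
    "epilogue moved to +0x10": (bytes.fromhex("06B0BDE8000DF0BD"), 0x80001A1C),
    "trampoline at loc_8074A22E": (bytes.fromhex("DFF802F0"), 0x8074A22E),
    "NOP written over CMP/BEQ/BICNE": (bytes.fromhex("00BF"), 0x8074A09E),
    "task_for_pid CMP before": (bytes.fromhex("002E"), 0x802FF04A),
    "task_for_pid CMP after": (bytes.fromhex("FF2E"), 0x802FF04A),
}


def decode_quoted():
    """Decode every quoted byte string; the result should match the posters' listings."""
    return {label: disassemble(data, addr) for label, (data, addr) in QUOTED.items()}


if __name__ == "__main__":
    for label, insns in decode_quoted().items():
        print(label + ":")
        for text in insns:
            print("    " + text)
```

Running it prints MOVW R0, #0x400F / MOVT R0, #0xE00 (together 0xE00400F) for the stub, the three-instruction epilogue, and for DF F8 02 F0 the line LDR.W PC, [PC,#0x2] ; literal at 0x8074A232, which is 0x8074A22E + 4 and explains the "+ 0x4" in the post. thumb_expand_imm(0x980) gives 0x100000, the constant in the ORR.W R0, R0, #0x100000 that the real_vm_map_enter_patch byte search (40 F4 80 10) starts from.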