[Original] iOS 9 Home Depot Jailbreak Code Analysis
Posted: 2017-8-3 17:24
The examples below are from iOS 9.1.

LWVM Patch

Search for the string _mapForIO

Take xref item 1

which lands here:

com.apple.driver.LightweightVolumeManager:__text:80B6470A loc_80B6470A
com.apple.driver.LightweightVolumeManager:__text:80B6470A                 LDR             R0, =(aLwvmSIOTo0x016 - 0x80B64714)
com.apple.driver.LightweightVolumeManager:__text:80B6470C                 LDR             R1, =(a_mapforio - 0x80B64718)
com.apple.driver.LightweightVolumeManager:__text:80B6470E                 LDR             R2, [R7,#arg_4]
com.apple.driver.LightweightVolumeManager:__text:80B64710                 ADD             R0, PC  ; "LwVM::%s - I/O to 0x%016llx/0x%08lx doe"...
com.apple.driver.LightweightVolumeManager:__text:80B64712                 LDR             R3, [R7,#arg_0]
com.apple.driver.LightweightVolumeManager:__text:80B64714                 ADD             R1, PC  ; "_mapForIO"
com.apple.driver.LightweightVolumeManager:__text:80B64716                 STR             R2, [SP,#0x3C+var_3C]
com.apple.driver.LightweightVolumeManager:__text:80B64718                 MOV             R2, R5
com.apple.driver.LightweightVolumeManager:__text:80B6471A
com.apple.driver.LightweightVolumeManager:__text:80B6471A loc_80B6471A
com.apple.driver.LightweightVolumeManager:__text:80B6471A                 BL              sub_80B6A69C
com.apple.driver.LightweightVolumeManager:__text:80B6471E                 LDR             R0, =0xE00002C2
com.apple.driver.LightweightVolumeManager:__text:80B64720                 B               loc_80B64836
com.apple.driver.LightweightVolumeManager:__text:80B64722 ; ---------------------------------------------------------------------------
com.apple.driver.LightweightVolumeManager:__text:80B64722
com.apple.driver.LightweightVolumeManager:__text:80B64722 loc_80B64722
com.apple.driver.LightweightVolumeManager:__text:80B64722                 LDR             R0, [SP,#0x3C+var_28]
com.apple.driver.LightweightVolumeManager:__text:80B64724                 CMP             R0, #2
com.apple.driver.LightweightVolumeManager:__text:80B64726                 ITT EQ
com.apple.driver.LightweightVolumeManager:__text:80B64728                 LDREQ           R0, [SP,#0x3C+var_2C]
com.apple.driver.LightweightVolumeManager:__text:80B6472A                 CMPEQ           R0, #0
com.apple.driver.LightweightVolumeManager:__text:80B6472C                 BNE             loc_80B6473E
com.apple.driver.LightweightVolumeManager:__text:80B6472E                 LDR.W           R1, [R10,#0x104]
com.apple.driver.LightweightVolumeManager:__text:80B64732                 LDR             R0, =0xE00002C4
com.apple.driver.LightweightVolumeManager:__text:80B64734                 LDRB.W          R1, [R1,#0x20]
com.apple.driver.LightweightVolumeManager:__text:80B64738                 CMP             R1, #0
com.apple.driver.LightweightVolumeManager:__text:80B6473A                 BNE.W           loc_80B64836 ; change to NOP


(kernel_base + 0xB6373A)  C0 46 C0 46


Remount Patch

Search for the bytes 02 91 03 94 04 91 07 99 08 9A

This is the fragment seen online:

__TEXT:__text:800F0660                 BLX             _copyinstr
__TEXT:__text:800F0664                 MOV             R5, R0
__TEXT:__text:800F0666                 CBNZ            R5, loc_800F06C0
__TEXT:__text:800F0668
__TEXT:__text:800F0668 loc_800F0668
__TEXT:__text:800F0668                 TST.W           R11, #0x20
__TEXT:__text:800F066C                 BNE             loc_800F0692
__TEXT:__text:800F066E                 LDR             R1, [SP,#0x1B8+var_198]
__TEXT:__text:800F0670                 LDRB.W          R0, [R1,#0x2C]
__TEXT:__text:800F0674                 TST.W           R0, #1
__TEXT:__text:800F0678                 BEQ             loc_800F069A ; change to B
__TEXT:__text:800F067A                 LDR.W           R0, [R1,#0x84]
__TEXT:__text:800F067E                 LDRB.W          R0, [R0,#0x3D]
__TEXT:__text:800F0682                 TST.W           R0, #0x40
__TEXT:__text:800F0686                 BEQ             loc_800F069A
__TEXT:__text:800F0688                 TST.W           R11, #1
__TEXT:__text:800F068C                 BNE             loc_800F0696 ; change to B
__TEXT:__text:800F068E                 MOVS            R5, #1
__TEXT:__text:800F0690                 B               loc_800F06C0
__TEXT:__text:800F0692 ; ---------------------------------------------------------------------------
__TEXT:__text:800F0692
__TEXT:__text:800F0692 loc_800F0692
__TEXT:__text:800F0692                 MOVS            R5, #1
__TEXT:__text:800F0694                 B               loc_800F06C0


(kernel_base + 0xEF68D)  E0

(kernel_base + 0xEF679)  E0


Mount the filesystem read-write:

mount("hfs", "/", 0x10000, "/dev/disk0s1s1");



Reply #2
AMFI Patch


** Finding amfi_patch_addr

Search for the string int _validateCodeDirectoryHashInDaemon

Pick xref item 2, which lands here:

com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D2                 BL              sub_8074C1F0 ; step in
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D6                 CMP             R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8D8                 BEQ             loc_8074B956
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DA                 LDR             R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DC                 CMP             R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8DE                 BNE             loc_8074B8C8
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E0                 B               loc_8074B906
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2 loc_8074B8E2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E2                 LDR             R0, =(aSVerify_code_0 - 0x8074B8EC)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E4                 MOV             R2, R4
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E6                 LDR             R1, =(aInt_validate_0 - 0x8074B8EE)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8E8                 ADD             R0, PC  ; "%s: verify_code_directory returned 0x%x"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8EA                 ADD             R1, PC  ; "int _validateCodeDirectoryHashInDaemon("...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8EC                 BL              sub_8074BEA0
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F0                 B               loc_8074B820
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2 loc_8074B8F2
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F2                 LDR             R0, =(aSUnableToVerif - 0x8074B8FA)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F4                 LDR             R1, =(aInt_validate_0 - 0x8074B8FC)
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F6                 ADD             R0, PC  ; "%s: unable to verify audit token came f"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8F8                 ADD             R1, PC  ; "int _validateCodeDirectoryHashInDaemon("...
com.apple.driver.AppleMobileFileIntegrity:__text:8074B8FA                 BL              sub_8074BEA0

Step into the BL sub_8074C1F0 above

which lands here:

com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F0 sub_8074C1F0
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F0                 MOV             R12, #(off_807650EC - 0x8074C1FC)
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1F8                 ADD             R12, PC ; off_807650EC
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FA                 LDR.W           R12, [R12]
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FE                 BX              R12
com.apple.driver.AppleMobileFileIntegrity:__stub:8074C1FE ; End of function sub_8074C1F0

Follow off_807650EC to get here:

com.apple.driver.AppleMobileFileIntegrity:__nl_symbol_ptr:807650EC off_807650EC    DCD _memcmp+1

Note that 807650EC is at offset 0x7640EC


** Finding branch_target

Find the find_clock_ops offset

See https://github.com/benjamin-42/Trident/blob/master/Trident/exploit.c for details

__DATA:__data:804063CC                 DCD sub_8001EB08+1      ; clock_ops

Step into sub_8001EB08

which lands here:

__TEXT:__text:8001EB08 sub_8001EB08
__TEXT:__text:8001EB08                 MOV             R3, R0
__TEXT:__text:8001EB0A                 LDR             R0, [R2]
__TEXT:__text:8001EB0C                 CMP             R0, #1
__TEXT:__text:8001EB0E                 ITT NE
__TEXT:__text:8001EB10                 MOVNE           R0, #5
__TEXT:__text:8001EB12                 BXNE            LR
__TEXT:__text:8001EB14                 MOVS            R0, #0x12
__TEXT:__text:8001EB16                 CMP             R3, #5
__TEXT:__text:8001EB18                 IT HI
__TEXT:__text:8001EB1A                 BXHI            LR
__TEXT:__text:8001EB1C                 MOVS            R2, #1
__TEXT:__text:8001EB1E                 LSLS            R2, R3
__TEXT:__text:8001EB20                 TST.W           R2, #0x3A
__TEXT:__text:8001EB24                 ITTTT NE
__TEXT:__text:8001EB26                 MOVNEW          R0, #0x9680
__TEXT:__text:8001EB2A                 MOVTNE.W        R0, #0x98
__TEXT:__text:8001EB2E                 STRNE           R0, [R1]
__TEXT:__text:8001EB30                 MOVNE           R0, #0  ; note this offset
__TEXT:__text:8001EB32                 BX              LR


Note that 8001EB30 is at offset 0x1DB30

At amfi_patch_addr write (kernel_base + branch_target + 1)


2017-8-3 17:29

Reply #3
amfi_substrate_patch

Search for the string com.apple.rootless.install

Press X for xrefs; item 1 lands at:

com.apple.driver.AppleMobileFileIntegrity:__text:8074A090                 ADD             R1, PC  ; "com.apple.rootless.install"
com.apple.driver.AppleMobileFileIntegrity:__text:8074A092                 BL              sub_8074A4D0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A096                 LDRB.W          R0, [R7,#var_21]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09A                 MOV             R2, R6
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09C                 LDR             R1, [R7,#arg_0]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A09E                 CMP             R0, #0          ; change to NOP (00 BF)

(kernel_base + 0x74909E) write 00 BF


real_vm_map_enter_patch

Search for the bytes 19 98 40 F4 80 10 19 90

which lands at:

__TEXT:__text:800D730A loc_800D730A
__TEXT:__text:800D730A                 LDR             R0, [SP,#0x234+var_1D0]
__TEXT:__text:800D730C                 ORR.W           R0, R0, #0x100000
__TEXT:__text:800D7310                 STR             R0, [SP,#0x234+var_1D0]
__TEXT:__text:800D7312
__TEXT:__text:800D7312 loc_800D7312
__TEXT:__text:800D7312                 LDRB.W          R0, [R9,#2]
__TEXT:__text:800D7316                 TST.W           R0, #0x20
__TEXT:__text:800D731A                 BEQ             loc_800D73CA
__TEXT:__text:800D731C                 LDR             R0, [SP,#0x234+var_1E8]
__TEXT:__text:800D731E                 CBZ             R0, loc_800D7376
__TEXT:__text:800D7320                 LDR             R0, [R7,#arg_C]
__TEXT:__text:800D7322                 CBNZ            R0, loc_800D7376
__TEXT:__text:800D7324                 MOV             R5, R9
__TEXT:__text:800D7326                 MOV             R4, LR
__TEXT:__text:800D7328                 TST.W           R11, #2
__TEXT:__text:800D732C                 BEQ             loc_800D7340 ; follow the jump

which lands at:

__TEXT:__text:800D7340 loc_800D7340
__TEXT:__text:800D7340                 TST.W           R11, #4
__TEXT:__text:800D7344                 BEQ             loc_800D7358 ; change to NOP
__TEXT:__text:800D7346                 LDR             R0, [R7,#arg_8]
__TEXT:__text:800D7348                 MOVS            R2, #4
__TEXT:__text:800D734A                 LDR             R1, [SP,#0x234+var_1E8]
__TEXT:__text:800D734C                 BL              sub_8038E6C8
__TEXT:__text:800D7350                 CMP             R0, #0
__TEXT:__text:800D7352                 IT NE
__TEXT:__text:800D7354                 BICNE.W         R11, R11, #4 ; change to NOP


(kernel_base + 0xD6344) write 00 BF

(kernel_base + 0xD6354) write 00 BF 00 BF


real_vm_map_protect_patch

Search for the bytes 12 F4 00 1F 4B 68

which lands here:

__TEXT:__text:8007FEBE                 TST.W           R2, #0x200000
__TEXT:__text:8007FEC2                 LDR             R3, [R1,#4]
__TEXT:__text:8007FEC4                 LDR             R0, [R1,#0xC]
__TEXT:__text:8007FEC6                 MOV             R1, R10
__TEXT:__text:8007FEC8                 AND.W           R2, R10, #6
__TEXT:__text:8007FECC                 IT EQ
__TEXT:__text:8007FECE                 BICEQ.W         R1, R1, #4 ; change to NOP
__TEXT:__text:8007FED2                 CMP             R2, #6


(kernel_base + 0x7EECE) write 00 BF 00 BF


2017-8-3 17:35
Reply #4

i_can_has_debugger_patch

Search for the string Darwin Kernel

Follow it

Change the dword at -0x4 to 1

__TEXT:__const:803AB734 dword_803AB734  DCD 0 ; change to 1
__TEXT:__const:803AB734
__TEXT:__const:803AB738                 EXPORT _version
__TEXT:__const:803AB738 _version        DCB "Darwin Kernel Version 15.0.0: Fri Oct  2 14:07:07 PDT 2015; root"

(kernel_base + 0x3AA734) write 0x1


another_amfi_hack

Finding amfi_hack_addr

Search for the string AMFI: hook..execve() killing pid %u: %s

Press X for xrefs, which lands at:

com.apple.driver.AppleMobileFileIntegrity:__text:8074A05A                 ADD             R0, PC  ; "AMFI: hook..execve() killing pid %u: %s"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074A05C                 BL              sub_8074C280
com.apple.driver.AppleMobileFileIntegrity:__text:8074A060                 MOVS            R0, #1
com.apple.driver.AppleMobileFileIntegrity:__text:8074A062                 B               loc_8074A22E ; follow
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 loc_8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064                 LDR.W           R8, [SP,#0x30+var_1C]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068 loc_8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068                 CMP.W           R8, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A06C                 BEQ.W           loc_8074A21A
com.apple.driver.AppleMobileFileIntegrity:__text:8074A070                 LDR             R1, =(aGetTaskAllow - 0x8074A080)
com.apple.driver.AppleMobileFileIntegrity:__text:8074A072                 MOVS            R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A074                 SUB.W           R2, R7, #-var_21
com.apple.driver.AppleMobileFileIntegrity:__text:8074A078                 STRB.W          R0, [R7,#var_21]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A07C                 ADD             R1, PC  ; "get-task-allow"


amfi_hack_addr is at offset 0x74922E

com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E                 ADD             SP, SP, #0x18
com.apple.driver.AppleMobileFileIntegrity:__text:8074A230                 POP.W           {R8,R10,R11}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234                 POP             {R4-R7,PC}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234 ; End of function sub_80749F24

(kernel_base + 0xA0C) write 44 F2 0F 00 C0 F6 00 60 CA F8 00 00 4F F0 00 00

__TEXT:HEADER:80001A0C                 MOV             R0, #0xE00400F
__TEXT:HEADER:80001A14                 STR.W           R0, [R10]
__TEXT:HEADER:80001A18                 MOV.W           R0, #0

Then move the code at 8074A22E to just below the code at 0xA0C

(kernel_base + 0xA0C + 0x10) write 06 B0 BD E8 00 0D F0 BD (the code from offset 0x74922E)

__TEXT:HEADER:80001A0C                 MOV             R0, #0xE00400F
__TEXT:HEADER:80001A14                 STR.W           R0, [R10]
__TEXT:HEADER:80001A18                 MOV.W           R0, #0
---- relocated code
__TEXT:HEADER:80001A1C                 ADD             SP, SP, #0x18
__TEXT:HEADER:80001A1E                 POP.W           {R8,R10,R11}
__TEXT:HEADER:80001A22                 POP             {R4-R7,PC}

Patch at loc_8074A22E

(kernel_base + 0x74922E) write DF F8 02 F0

(kernel_base + 0x74922E + 0x4) write (kernel_base + 0xA0C + 1)

com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E                 LDR.W           PC, =(sub_80001A0C+1)



task_for_pid_off

Search for the bytes F0 B5 03 AF 2D E9 00 0D 84 B0 01 46 91 E8 41

Found here:

__TEXT:__text:802FF034                 PUSH            {R4-R7,LR}
__TEXT:__text:802FF036                 ADD             R7, SP, #0xC
__TEXT:__text:802FF038                 PUSH.W          {R8,R10,R11}
__TEXT:__text:802FF03C                 SUB             SP, SP, #0x10
__TEXT:__text:802FF03E                 MOV             R1, R0
__TEXT:__text:802FF040                 LDMIA.W         R1, {R0,R6}
__TEXT:__text:802FF044                 LDR             R5, [R1,#8]
__TEXT:__text:802FF046                 MOVS            R1, #0
__TEXT:__text:802FF048                 STR             R1, [SP,#0x28+var_1C]
__TEXT:__text:802FF04A                 CMP             R6, #0  ; change to CMP R6, #0xFF

(kernel_base + 0x2FE04A) write 0xFF


2017-8-3 17:43
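The byte strings these posts write (the two NOP forms, the single E0 that turns a conditional branch into an unconditional one, the MOVW/MOVT trampoline at 0xA0C and the LDR.W PC literal at loc_8074A22E) can be checked with the small decoder below. It is an added example, not code from the posts or from the Home Depot jailbreak; the kernel base 0x80001000 is an assumption read off the posts' address/offset pairs, and only the encodings the quoted patches use are implemented.

```python
"""Thumb-2 decoder for the byte patterns quoted in the posts above.
Added example, not code from the Home Depot jailbreak or from the posts; it
covers only the encodings those patches rely on, so each quoted byte string
can be checked against the disassembly. KERNEL_BASE is an assumption."""
import struct

KERNEL_BASE = 0x80001000  # inferred from the posts' pairs, e.g. 0x80B6473A - 0xB6373A
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]

def file_offset(addr):  # the X in the posts' "(kernel_base + X)"
    return addr - KERNEL_BASE

def sext(v, bits):
    return v - (1 << bits) if v & (1 << (bits - 1)) else v

def reglist(mask, pc=False):
    regs = ["R%d" % i for i in range(15) if mask >> i & 1]
    return "{" + ", ".join(regs + (["PC"] if pc else [])) + "}"

def thumb_expand_imm(imm12):
    """ThumbExpandImm: replicated byte patterns, or an 8-bit value rotated right."""
    imm8 = imm12 & 0xFF
    if imm12 >> 10 == 0:
        return [imm8, imm8 | imm8 << 16, imm8 << 8 | imm8 << 24,
                imm8 * 0x01010101][(imm12 >> 8) & 3]
    unrot, rot = 0x80 | (imm12 & 0x7F), imm12 >> 7
    return (unrot >> rot | unrot << (32 - rot)) & 0xFFFFFFFF

def decode16(hw, pc):
    if hw in (0xBF00, 0x46C0):                         # 00 BF, and C0 46 (MOV R8, R8)
        return "NOP"
    if hw >> 12 == 0xD and (hw >> 8 & 0xF) < 0xE:      # B<cond> imm8 (T1)
        return "B%s 0x%08X" % (COND[hw >> 8 & 0xF], pc + 4 + sext(hw & 0xFF, 8) * 2)
    if hw >> 11 == 0b11100:                            # B imm11 (T2), unconditional
        return "B 0x%08X" % (pc + 4 + sext(hw & 0x7FF, 11) * 2)
    if hw >> 11 == 0b00101:                            # CMP Rn, #imm8
        return "CMP R%d, #0x%X" % (hw >> 8 & 7, hw & 0xFF)
    if hw >> 11 in (0b10010, 0b10011):                 # STR/LDR Rt, [SP, #imm8*4]
        op = "LDR" if hw >> 11 & 1 else "STR"
        return "%s R%d, [SP, #0x%X]" % (op, hw >> 8 & 7, (hw & 0xFF) * 4)
    if (hw & 0xFF80) == 0xB000:                        # ADD SP, SP, #imm7*4
        return "ADD SP, SP, #0x%X" % ((hw & 0x7F) * 4)
    if (hw & 0xFE00) == 0xBC00:                        # POP {regs[, PC]}
        return "POP " + reglist(hw & 0xFF, hw >> 8 & 1)
    return "UNKNOWN16 0x%04X" % hw

def decode32(hw, hw2, pc):
    i, imm3, rd, imm8 = hw >> 10 & 1, hw2 >> 12 & 7, hw2 >> 8 & 0xF, hw2 & 0xFF
    if (hw & 0xFBF0) in (0xF240, 0xF2C0):              # MOVW / MOVT Rd, #imm16
        imm16 = (hw & 0xF) << 12 | i << 11 | imm3 << 8 | imm8
        return "%s R%d, #0x%X" % ("MOVT" if hw & 0x80 else "MOVW", rd, imm16)
    if (hw & 0xFBE0) == 0xF040:                        # ORR.W, or MOV.W when Rn is PC
        rn, imm = hw & 0xF, thumb_expand_imm(i << 11 | imm3 << 8 | imm8)
        return ("MOV.W R%d, #0x%X" % (rd, imm) if rn == 15
                else "ORR.W R%d, R%d, #0x%X" % (rd, rn, imm))
    if (hw & 0xFFF0) == 0xF8C0:                        # STR.W Rt, [Rn, #imm12]
        return "STR.W R%d, [R%d, #0x%X]" % (hw2 >> 12, hw & 0xF, hw2 & 0xFFF)
    if (hw & 0xFF7F) == 0xF85F:                        # LDR.W Rt, [PC, #imm12] literal
        lit = (pc & ~3) + 4 + (hw2 & 0xFFF) * (1 if hw & 0x80 else -1)
        rt = "PC" if hw2 >> 12 == 15 else "R%d" % (hw2 >> 12)
        return "LDR.W %s, [PC, #%d] ; literal at 0x%08X" % (rt, hw2 & 0xFFF, lit)
    if hw == 0xE8BD:                                   # POP.W {regs[, PC]}
        return "POP.W " + reglist(hw2 & 0x7FFF, hw2 >> 15 & 1)
    return "UNKNOWN32 0x%04X 0x%04X" % (hw, hw2)

def decode(data, addr=0):
    """Decode little-endian Thumb-2 bytes that start at virtual address addr."""
    hws, out, i = struct.unpack("<%dH" % (len(data) // 2), data), [], 0
    while i < len(hws):
        wide = hws[i] >> 11 in (0b11101, 0b11110, 0b11111)  # 32-bit encoding?
        out.append(decode32(hws[i], hws[i + 1], addr + 2 * i) if wide
                   else decode16(hws[i], addr + 2 * i))
        i += 2 if wide else 1
    return out
```

decode(bytes.fromhex("0fe0"), 0x800F0678) returns ['B 0x800F069A'], the same target the original BEQ (0F D0) had, which is why a single E0 byte in the remount patch is enough. The literal slot of the LDR.W PC at loc_8074A22E decodes to 0x8074A232, i.e. the "+ 0x4" location the post writes (kernel_base + 0xA0C + 1) into.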
Reply #5
cs_enforcement_disable_amfi

Search for the bytes 20 68 40 F4 40 70 20 60 00 20 90 BD

which lands here:

com.apple.driver.AppleMobileFileIntegrity:__text:8074BA20                 PUSH            {R4,R7,LR}
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA22                 ADD             R7, SP, #4
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA24                 LDR             R0, =(byte_80765BE9 - 0x8074BA2A) ; here
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA26                 ADD             R0, PC ; byte_80765BE8
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA28                 LDRB            R0, [R0]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2A                 CMP             R0, #1
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2C                 BNE             loc_8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA2E                 MOVS            R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA30                 BL              sub_8074BED0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA34                 CBNZ            R0, loc_8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36 loc_8074BA36
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA36                 LDR             R4, [R7,#arg_C]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA38                 CMP             R4, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3A                 BEQ             loc_8074BA48
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C loc_8074BA3C
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3C                 LDR             R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA3E                 ORR.W           R0, R0, #0x300
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA42                 STR             R0, [R4]
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44 loc_8074BA44
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA44                 MOVS            R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074BA46                 POP             {R4,R7,PC}

80765BE9 is at offset 0x764BE9

(kernel_base + 0x764BE9) write 0x1


2017-8-3 17:48
Reply #6

Sandbox Patch

Search for the string Seatbelt sandbox policy

Found here:

com.apple.security.sandbox:__data:80EBA824                 DCD aSandbox_0          ; "Sandbox"
com.apple.security.sandbox:__data:80EBA828                 DCD aSeatbeltSandbo     ; "Seatbelt sandbox policy"
com.apple.security.sandbox:__data:80EBA82C                 DCD off_80EBA84C
com.apple.security.sandbox:__data:80EBA830                 DCB    1
com.apple.security.sandbox:__data:80EBA831                 DCB    0
com.apple.security.sandbox:__data:80EBA832                 DCB    0
com.apple.security.sandbox:__data:80EBA833                 DCB    0
com.apple.security.sandbox:__data:80EBA834                 DCD unk_80EBA850        ; points to sbops
com.apple.security.sandbox:__data:80EBA838                 DCB    0
com.apple.security.sandbox:__data:80EBA839                 DCB    0
com.apple.security.sandbox:__data:80EBA83A                 DCB    0
com.apple.security.sandbox:__data:80EBA83B                 DCB    0
com.apple.security.sandbox:__data:80EBA83C                 DCD unk_80F26190
com.apple.security.sandbox:__data:80EBA840                 DCB    0
com.apple.security.sandbox:__data:80EBA841                 DCB    0
com.apple.security.sandbox:__data:80EBA842                 DCB    0
com.apple.security.sandbox:__data:80EBA843                 DCB    0
com.apple.security.sandbox:__data:80EBA844                 DCB    0
com.apple.security.sandbox:__data:80EBA845                 DCB    0
com.apple.security.sandbox:__data:80EBA846                 DCB    0
com.apple.security.sandbox:__data:80EBA847                 DCB    0
com.apple.security.sandbox:__data:80EBA848                 DCB    0
com.apple.security.sandbox:__data:80EBA849                 DCB    0
com.apple.security.sandbox:__data:80EBA84A                 DCB    0
com.apple.security.sandbox:__data:80EBA84B                 DCB    0
com.apple.security.sandbox:__data:80EBA84C off_80EBA84C    DCD aSb
com.apple.security.sandbox:__data:80EBA84C                                         ; "sb"
com.apple.security.sandbox:__data:80EBA850 unk_80EBA850
com.apple.security.sandbox:__data:80EBA850                                         ; sbops

80EBA850 is sbops

Its offset is 0xEB9850


Patch: zero out 4 bytes at each of these locations

(kernel_base + sbops + 0x90) write 0x00000000
(kernel_base + sbops + 0x1e0) write 0x00000000
(kernel_base + sbops + 0x3f0) write 0x00000000
(kernel_base + sbops + 0x3f8) write 0x00000000
(kernel_base + sbops + 0x3fc) write 0x00000000
(kernel_base + sbops + 0x400) write 0x00000000
(kernel_base + sbops + 0x404) write 0x00000000
(kernel_base + sbops + 0x408) write 0x00000000
(kernel_base + sbops + 0x40c) write 0x00000000
(kernel_base + sbops + 0x410) write 0x00000000
(kernel_base + sbops + 0x414) write 0x00000000
(kernel_base + sbops + 0x420) write 0x00000000
(kernel_base + sbops + 0x424) write 0x00000000
(kernel_base + sbops + 0x42c) write 0x00000000
(kernel_base + sbops + 0x438) write 0x00000000
(kernel_base + sbops + 0x44c) write 0x00000000
(kernel_base + sbops + 0x450) write 0x00000000
(kernel_base + sbops + 0x454) write 0x00000000
(kernel_base + sbops + 0x458) write 0x00000000
(kernel_base + sbops + 0x460) write 0x00000000
(kernel_base + sbops + 0x464) write 0x00000000
(kernel_base + sbops + 0x468) write 0x00000000
(kernel_base + sbops + 0x46c) write 0x00000000
(kernel_base + sbops + 0x4bc) write 0x00000000
(kernel_base + sbops + 0x4f0) write 0x00000000
(kernel_base + sbops + 0x3d4) write 0x00000000
(kernel_base + sbops + 0x168) write 0x00000000


2017-8-3 17:52
Reply #7
Awesome!
2017-8-4 01:10

Reply #8
2017-8-6 00:36

Reply #9
666
2017-8-7 09:46

Reply #10
6666
2017-8-7 13:57