i_can_has_debugger_patch
Search for the string Darwin Kernel
Follow the hit into __TEXT:__const
Change the dword at -0x4 (the one immediately before _version) from 0 to 1
__TEXT:__const:803AB734 dword_803AB734 DCD 0 ; change to 1
__TEXT:__const:803AB734
__TEXT:__const:803AB738 EXPORT _version
__TEXT:__const:803AB738 _version DCB "Darwin Kernel Version 15.0.0: Fri Oct 2 14:07:07 PDT 2015; root"
Write 0x1 to (kernel_base + 0x3AA734) ; kernel_base = 0x80001000 throughout these notes, so this is 0x803AB734
another_amfi_hack
Finding amfi_hack_addr
Search for the string AMFI: hook..execve() killing pid %u: %s
Follow the xref, which lands here
com.apple.driver.AppleMobileFileIntegrity:__text:8074A05A ADD R0, PC ; "AMFI: hook..execve() killing pid %u: %s"...
com.apple.driver.AppleMobileFileIntegrity:__text:8074A05C BL sub_8074C280
com.apple.driver.AppleMobileFileIntegrity:__text:8074A060 MOVS R0, #1
com.apple.driver.AppleMobileFileIntegrity:__text:8074A062 B loc_8074A22E ; follow this branch
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 ; ---------------------------------------------------------------------------
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 loc_8074A064
com.apple.driver.AppleMobileFileIntegrity:__text:8074A064 LDR.W R8, [SP,#0x30+var_1C]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068 loc_8074A068
com.apple.driver.AppleMobileFileIntegrity:__text:8074A068 CMP.W R8, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A06C BEQ.W loc_8074A21A
com.apple.driver.AppleMobileFileIntegrity:__text:8074A070 LDR R1, =(aGetTaskAllow - 0x8074A080)
com.apple.driver.AppleMobileFileIntegrity:__text:8074A072 MOVS R0, #0
com.apple.driver.AppleMobileFileIntegrity:__text:8074A074 SUB.W R2, R7, #-var_21
com.apple.driver.AppleMobileFileIntegrity:__text:8074A078 STRB.W R0, [R7,#var_21]
com.apple.driver.AppleMobileFileIntegrity:__text:8074A07C ADD R1, PC ; "get-task-allow"
amfi_hack_addr = offset 0x74922E (0x8074A22E - kernel_base), the shared epilogue of sub_80749F24
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E ADD SP, SP, #0x18
com.apple.driver.AppleMobileFileIntegrity:__text:8074A230 POP.W {R8,R10,R11}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234 POP {R4-R7,PC}
com.apple.driver.AppleMobileFileIntegrity:__text:8074A234 ; End of function sub_80749F24
Write 44 F2 0F 00 C0 F6 00 60 CA F8 00 00 4F F0 00 00 to (kernel_base + 0xA0C), i.e. into unused space in the Mach-O header at 0x80001A0C. MOVW/MOVT build 0x0E00400F (CS_VALID|CS_ADHOC|CS_GET_TASK_ALLOW|CS_INSTALLER|CS_ENTITLEMENTS_VALIDATED|CS_DYLD_PLATFORM|CS_PLATFORM_BINARY|CS_PLATFORM_PATH in XNU's cs_blobs.h), store it through R10, then zero R0:
__TEXT:HEADER:80001A0C MOV R0, #0xE00400F
__TEXT:HEADER:80001A14 STR.W R0, [R10]
__TEXT:HEADER:80001A18 MOV.W R0, #0
Then relocate the original code at 8074A22E to directly after the code at 0xA0C:
Write 06 B0 BD E8 00 0D F0 BD (the original bytes at offset 0x74922E) to (kernel_base + 0xA0C + 0x10)
__TEXT:HEADER:80001A0C MOV R0, #0xE00400F
__TEXT:HEADER:80001A14 STR.W R0, [R10]
__TEXT:HEADER:80001A18 MOV.W R0, #0
---- relocated code
__TEXT:HEADER:80001A1C ADD SP, SP, #0x18
__TEXT:HEADER:80001A1E POP.W {R8,R10,R11}
__TEXT:HEADER:80001A22 POP {R4-R7,PC}
Patch loc_8074A22E itself, so every return path of the hook goes through the cave and returns 0:
Write DF F8 02 F0 to (kernel_base + 0x74922E) ; LDR.W PC, [PC,#2]
Write (kernel_base + 0xA0C + 1) to (kernel_base + 0x74922E + 0x4) ; the literal the LDR reads: Thumb PC here is Align(0x8074A22E + 4, 4) = 0x8074A230, so [PC,#2] is 0x8074A232; the +1 sets the Thumb bit
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E loc_8074A22E
com.apple.driver.AppleMobileFileIntegrity:__text:8074A22E LDR.W PC, =(sub_80001A0C+1)
task_for_pid_off
Search for the bytes F0 B5 03 AF 2D E9 00 0D 84 B0 01 46 91 E8 41 (the function prologue)
Found:
__TEXT:__text:802FF034 PUSH {R4-R7,LR}
__TEXT:__text:802FF036 ADD R7, SP, #0xC
__TEXT:__text:802FF038 PUSH.W {R8,R10,R11}
__TEXT:__text:802FF03C SUB SP, SP, #0x10
__TEXT:__text:802FF03E MOV R1, R0
__TEXT:__text:802FF040 LDMIA.W R1, {R0,R6}
__TEXT:__text:802FF044 LDR R5, [R1,#8]
__TEXT:__text:802FF046 MOVS R1, #0
__TEXT:__text:802FF048 STR R1, [SP,#0x28+var_1C]
__TEXT:__text:802FF04A CMP R6, #0 ; change to CMP R6, #0xFF (R6 is the pid argument loaded by the LDMIA above, so this is the pid == 0 check)
Write 0xFF to (kernel_base + 0x2FE04A) ; only the imm8 byte of the CMP changes: halfword 0x2E00 becomes 0x2EFF, and 0x2FE04A is its low byte
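Added example, not code from the original notes: a small C tool that produces the three patch sets above as kernel_base-relative (offset, bytes) writes and re-derives the Thumb-2 encodings (MOVW/MOVT, STR.W, POP.W, LDR.W PC literal) from the instruction formats, so the byte strings quoted in the notes can be checked rather than copied. It assumes kernel_base = 0x80001000 as in the listings, a decompressed kernelcache whose file offset 0 is kernel_base (file offset == kernel_base-relative offset), and the cave/epilogue offsets 0xA0C and 0x74922E from the notes; the byte buffer it searches is constructed inline and is not a real kernelcache.

```c
/* Added example (not from the original notes): builds the i_can_has_debugger, AMFI and
 * task_for_pid patches as kernel_base-relative writes and re-derives the Thumb-2 encodings.
 * Assumptions: kernel_base = 0x80001000; decompressed kernelcache with file offset 0 == kernel_base;
 * the sample buffer below is constructed, not real kernel bytes beyond the patterns the notes quote. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KERNEL_BASE 0x80001000u

typedef struct { uint32_t off; uint8_t bytes[16]; size_t len; } kpatch_t; /* write bytes at kernel_base + off */

static void put16(uint8_t *p, uint16_t hw) { p[0] = hw & 0xff; p[1] = hw >> 8; } /* little-endian halfword */

/* MOVW (T3) / MOVT (T1): 11110 i 10 W 1 0 0 imm4 | 0 imm3 Rd imm8, with imm16 = imm4:i:imm3:imm8 */
static void enc_mov16(uint8_t *out, int top, unsigned rd, uint16_t imm) {
    uint16_t i = (imm >> 11) & 1, imm3 = (imm >> 8) & 7;
    put16(out, (top ? 0xF2C0 : 0xF240) | (i << 10) | (imm >> 12));
    put16(out + 2, (imm3 << 12) | (rd << 8) | (imm & 0xff));
}

/* AMFI hack: cave = MOVW/MOVT R0,#0x0E00400F ; STR.W R0,[R10] ; MOV.W R0,#0, then the relocated
 * epilogue; the hook's own epilogue becomes LDR.W PC,[PC,#imm] followed by the literal (cave | 1). */
static int amfi_hack_patches(uint32_t cave_off, uint32_t ret_off, kpatch_t out[3]) {
    kpatch_t *p = &out[0];
    p->off = cave_off; p->len = 16;
    enc_mov16(p->bytes, 0, 0, 0x400F);                               /* MOVW R0,#0x400F */
    enc_mov16(p->bytes + 4, 1, 0, 0x0E00);                           /* MOVT R0,#0x0E00 -> 0x0E00400F */
    put16(p->bytes + 8, 0xF8C0 | 10); put16(p->bytes + 10, 0x0000);  /* STR.W R0,[R10,#0] */
    put16(p->bytes + 12, 0xF04F);     put16(p->bytes + 14, 0x0000);  /* MOV.W R0,#0 */

    p = &out[1];                                                     /* epilogue moved from loc_8074A22E */
    p->off = cave_off + 0x10; p->len = 8;
    put16(p->bytes, 0xB000 | (0x18 / 4));                            /* ADD SP,SP,#0x18 */
    put16(p->bytes + 2, 0xE8BD); put16(p->bytes + 4, (1 << 8) | (1 << 10) | (1 << 11)); /* POP.W {R8,R10,R11} */
    put16(p->bytes + 6, 0xBD00 | 0xF0);                              /* POP {R4-R7,PC} */

    p = &out[2];                                                     /* LDR.W PC,[PC,#imm] at the old epilogue */
    uint32_t ret_va = KERNEL_BASE + ret_off, lit_va = ret_va + 4;    /* literal sits right after the LDR */
    uint32_t pc = (ret_va + 4) & ~3u;                                /* Thumb literal base: Align(addr+4, 4) */
    uint32_t target = KERNEL_BASE + cave_off + 1;                    /* +1 = Thumb bit */
    p->off = ret_off; p->len = 8;
    put16(p->bytes, 0xF8DF); put16(p->bytes + 2, 0xF000 | (uint16_t)(lit_va - pc));
    for (int i = 0; i < 4; i++) p->bytes[4 + i] = (target >> (8 * i)) & 0xff;
    return 3;
}

static long find_bytes(const uint8_t *buf, size_t len, const void *pat, size_t plen) {
    for (size_t i = 0; plen <= len && i <= len - plen; i++)
        if (!memcmp(buf + i, pat, plen)) return (long)i;
    return -1;
}

/* task_for_pid: match the prologue, then flip the imm8 of "CMP R6,#0" (0x2E00, 0x16 bytes in) to 0xFF. */
static long tfp0_patch(const uint8_t *kc, size_t len, kpatch_t *out) {
    static const uint8_t prologue[15] = {0xF0,0xB5,0x03,0xAF,0x2D,0xE9,0x00,0x0D,0x84,0xB0,0x01,0x46,0x91,0xE8,0x41};
    long f = find_bytes(kc, len, prologue, sizeof prologue);
    if (f < 0 || (size_t)f + 0x18 > len) return -1;
    if (kc[f + 0x16] != 0x00 || kc[f + 0x17] != 0x2E) return -1;    /* not CMP R6,#0: refuse to patch */
    out->off = (uint32_t)f + 0x16; out->len = 1; out->bytes[0] = 0xFF;
    return out->off;
}

/* i_can_has_debugger: the flag dword is 4 bytes before the _version string and reads DCD 0 in the listing. */
static long debugger_patch(const uint8_t *kc, size_t len, kpatch_t *out) {
    static const char ver[] = "Darwin Kernel Version";
    long f = find_bytes(kc, len, ver, sizeof ver - 1);
    if (f < 4) return -1;
    uint32_t cur; memcpy(&cur, kc + f - 4, 4);
    if (cur != 0) return -1;                                         /* anything but 0 means a wrong hit */
    out->off = (uint32_t)f - 4; out->len = 4;
    memset(out->bytes, 0, 4); out->bytes[0] = 1;                     /* dword 1, little-endian */
    return out->off;
}

/* Constructed stand-in for a kernelcache (not real kernel bytes): zero filler, the tfp prologue
 * through CMP R6,#0 at 0x40, and the version string at 0x100 (flag dword at 0xFC). */
static size_t sample_kernelcache(uint8_t *buf /* >= 0x200 bytes */) {
    static const uint8_t tfp[24] = {0xF0,0xB5,0x03,0xAF,0x2D,0xE9,0x00,0x0D,0x84,0xB0,0x01,0x46,
                                    0x91,0xE8,0x41,0x00,0x8D,0x68,0x00,0x21,0x03,0x91,0x00,0x2E};
    memset(buf, 0, 0x200);
    memcpy(buf + 0x40, tfp, sizeof tfp);
    strcpy((char *)buf + 0x100, "Darwin Kernel Version 15.0.0: Fri Oct 2 14:07:07 PDT 2015; root");
    return 0x200;
}

int main(void) {
    uint8_t kc[0x200]; kpatch_t p[5]; int n = amfi_hack_patches(0xA0C, 0x74922E, p);
    size_t len = sample_kernelcache(kc);
    if (tfp0_patch(kc, len, &p[n]) >= 0) n++;
    if (debugger_patch(kc, len, &p[n]) >= 0) n++;
    for (int k = 0; k < n; k++) {                                    /* "kernel_base + off : bytes" */
        printf("kernel_base + 0x%06X :", (unsigned)p[k].off);
        for (size_t b = 0; b < p[k].len; b++) printf(" %02X", p[k].bytes[b]);
        printf("\n");
    }
    return 0;
}
```

The AMFI part is address-driven (the notes locate loc_8074A22E by xref, which no byte pattern reproduces), so it takes the cave and epilogue offsets as parameters; the two pattern-driven patches refuse to write unless the bytes at the target are exactly what the listings show, which is the check worth keeping when the same notes are reused on a different build.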