From 487bdd105d823d597ebad88391e306988c5e9870 Mon Sep 17 00:00:00 2001
From: Sam Bingner
Date: Fri, 29 Mar 2019 22:39:28 -1000
Subject: Update for new in-kernel offset cache
---
 main.m | 70 +++++++++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 46 insertions(+), 24 deletions(-)
(limited to 'main.m')
diff --git a/main.m b/main.m
index 0afddec..a4095d1 100644
--- a/main.m
+++ b/main.m
@@ -10,7 +10,8 @@
 #include
 #include
 #include
-#include "patchfinder64/patchfinder64.h"
+#include
+#include
 #include "CSCommon.h"
 #include "kern_funcs.h"
 #include "inject.h"
@@ -46,31 +47,52 @@ int main(int argc, char* argv[]) {
 set_tfp0(tfp0);
 struct task_dyld_info dyld_info = { 0 };
 mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
- if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) != KERN_SUCCESS ||
- (kernel_base = dyld_info.all_image_info_addr) == 0) {
+ if (task_info(tfp0, TASK_DYLD_INFO, (task_info_t)&dyld_info, &count) == 0 &&
+ dyld_info.all_image_info_addr != 0 &&
+ dyld_info.all_image_info_addr != dyld_info.all_image_info_size + 0xfffffff007004000) {
+
+ size_t blob_size = rk64(dyld_info.all_image_info_addr);
+ struct cache_blob *blob = create_cache_blob(blob_size);
+ if (kread(dyld_info.all_image_info_addr, blob, blob_size)) import_cache_blob(blob);
+ free(blob);
+ if (get_offset("kernel_slide") == kernel_slide) {
+#ifdef DEBUG
+ print_cache();
+#endif
+ if (get_offset("kernel_base")) {
+ kernel_base = get_offset("kernel_base");
+ } else {
+ kernel_base = dyld_info.all_image_info_size + 0xfffffff007004000;
+ }
+ }
+ } else if ((kernel_base = dyld_info.all_image_info_addr) != 0) {
+ kernel_slide = dyld_info.all_image_info_size;
+ @autoreleasepool {
+ NSMutableDictionary *offsets = [NSMutableDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
+ SETOFFSET(trustcache, (uint64_t)strtoull([offsets[@"TrustChain"] UTF8String], NULL, 16));
+#if __arm64e__
+ SETOFFSET(kernel_task, (uint64_t)strtoull([offsets[@"KernelTask"] UTF8String], NULL, 16));
+ // We should use this on other things but kexecute is broken for i6 at least
+ SETOFFSET(pmap_load_trust_cache, (uint64_t)strtoull([offsets[@"PmapLoadTrustCache"] UTF8String], NULL, 16));
+ SETOFFSET(paciza_pointer__l2tp_domain_module_start, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStart"] UTF8String], NULL, 16));
+ SETOFFSET(paciza_pointer__l2tp_domain_module_stop, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStop"] UTF8String], NULL, 16));
+ SETOFFSET(l2tp_domain_inited, (uint64_t)strtoull([offsets[@"L2TPDomainInited"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl__net_ppp_l2tp, (uint64_t)strtoull([offsets[@"SysctlNetPPPL2TP"] UTF8String], NULL, 16));
+ SETOFFSET(sysctl_unregister_oid, (uint64_t)strtoull([offsets[@"SysctlUnregisterOid"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x0_x4__br_x5, (uint64_t)strtoull([offsets[@"MovX0X4BrX5"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x9_x0__br_x1, (uint64_t)strtoull([offsets[@"MovX9X0BrX1"] UTF8String], NULL, 16));
+ SETOFFSET(mov_x10_x3__br_x6, (uint64_t)strtoull([offsets[@"MovX10X3BrX6"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacia_gadget, (uint64_t)strtoull([offsets[@"KernelForgePaciaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(kernel_forge_pacda_gadget, (uint64_t)strtoull([offsets[@"KernelForgePacdaGadget"] UTF8String], NULL, 16));
+ SETOFFSET(IOUserClient__vtable, (uint64_t)strtoull([offsets[@"IOUserClientVtable"] UTF8String], NULL, 16));
+ SETOFFSET(IORegistryEntry__getRegistryEntryID, (uint64_t)strtoull([offsets[@"IORegistryEntryGetRegistryEntryID"] UTF8String], NULL, 16));
+#endif
+ }
+ } else {
 return -3;
 }
- kernel_slide = dyld_info.all_image_info_size;
- @autoreleasepool {
- NSMutableDictionary *offsets = [NSMutableDictionary dictionaryWithContentsOfFile:@"/jb/offsets.plist"];
- SETOFFSET(trustcache, (uint64_t)strtoull([offsets[@"TrustChain"] UTF8String], NULL, 16));
 #if __arm64e__
- SETOFFSET(kernel_task, (uint64_t)strtoull([offsets[@"KernelTask"] UTF8String], NULL, 16));
- // We should use this on other things but kexecute is broken for i6 at least
- SETOFFSET(pmap_load_trust_cache, (uint64_t)strtoull([offsets[@"PmapLoadTrustCache"] UTF8String], NULL, 16));
 if (GETOFFSET(pmap_load_trust_cache)) pmap_load_trust_cache = _pmap_load_trust_cache;
- SETOFFSET(paciza_pointer__l2tp_domain_module_start, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStart"] UTF8String], NULL, 16));
- SETOFFSET(paciza_pointer__l2tp_domain_module_stop, (uint64_t)strtoull([offsets[@"PacizaPointerL2TPDomainModuleStop"] UTF8String], NULL, 16));
- SETOFFSET(l2tp_domain_inited, (uint64_t)strtoull([offsets[@"L2TPDomainInited"] UTF8String], NULL, 16));
- SETOFFSET(sysctl__net_ppp_l2tp, (uint64_t)strtoull([offsets[@"SysctlNetPPPL2TP"] UTF8String], NULL, 16));
- SETOFFSET(sysctl_unregister_oid, (uint64_t)strtoull([offsets[@"SysctlUnregisterOid"] UTF8String], NULL, 16));
- SETOFFSET(mov_x0_x4__br_x5, (uint64_t)strtoull([offsets[@"MovX0X4BrX5"] UTF8String], NULL, 16));
- SETOFFSET(mov_x9_x0__br_x1, (uint64_t)strtoull([offsets[@"MovX9X0BrX1"] UTF8String], NULL, 16));
- SETOFFSET(mov_x10_x3__br_x6, (uint64_t)strtoull([offsets[@"MovX10X3BrX6"] UTF8String], NULL, 16));
- SETOFFSET(kernel_forge_pacia_gadget, (uint64_t)strtoull([offsets[@"KernelForgePaciaGadget"] UTF8String], NULL, 16));
- SETOFFSET(kernel_forge_pacda_gadget, (uint64_t)strtoull([offsets[@"KernelForgePacdaGadget"] UTF8String], NULL, 16));
- SETOFFSET(IOUserClient__vtable, (uint64_t)strtoull([offsets[@"IOUserClientVtable"] UTF8String], NULL, 16));
- SETOFFSET(IORegistryEntry__getRegistryEntryID, (uint64_t)strtoull([offsets[@"IORegistryEntryGetRegistryEntryID"] UTF8String], NULL, 16));
 parameters_init();
 kernel_task_port = tfp0;
 current_task = rk64(task_self_addr() + OFFSET(ipc_port, ip_kobject));
@@ -89,8 +111,8 @@ int main(int argc, char* argv[]) {
 } else {
 printf("Successfully injected [%d/%d] to trust cache.\n", (int)files.count - errs, (int)files.count);
 }
+#if __arm64e__
 kernel_call_deinit();
-
+#endif
 return errs;
- }
 }
-- cgit v1.2.3
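Review bot: In the added cache branch, a `get_offset("kernel_slide") == kernel_slide` mismatch leaves kernel_base unset and falls through to the code after the hunk, whereas the old condition returned -3 whenever kernel_base could not be established. The same branch reads blob_size out of kernel memory with rk64 and hands it unbounded to create_cache_blob and kread, and never checks that create_cache_blob returned a non-NULL buffer before kread writes into it (the added line treats a nonzero kread as success, which I am assuming here). I would bound the size, check the allocation and turn the validation mismatch into the same -3 error return, as sketched below; the repeated `0xfffffff007004000` literal would also read better as a named `static const`. main begins and ends outside this hunk.
```objc
size_t blob_size = rk64(dyld_info.all_image_info_addr);
/* PLACEHOLDER: replace with the project's upper bound for a cache blob */
if (blob_size == 0 || blob_size > CACHE_BLOB_SIZE_LIMIT_PLACEHOLDER) return -3;
struct cache_blob *blob = create_cache_blob(blob_size);
if (!blob) return -3;
if (kread(dyld_info.all_image_info_addr, blob, blob_size)) import_cache_blob(blob);
free(blob);
if (get_offset("kernel_slide") != kernel_slide) return -3;
// … unchanged: kernel_base selection from the imported cache …
```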