
Disable ASLR for dyld_shared_cache load

Lev Aronsky edited this page Mar 25, 2020 · 3 revisions


In iOS, the dyld shared cache is a single prelinked file that combines many public and private system frameworks; the system maps it at boot to improve load performance.

The dyld_shared_cache file (found at /System/Library/Caches/com.apple.dyld) contains a large share of the code the system runs, so there is a strong incentive to disable ASLR when it is loaded: without the random slide, code and data inside the cache sit at the same addresses on every boot.

Let us see how to do it:

We will patch the dyld executable, which is responsible for loading dyld_shared_cache.

Open the binary in a disassembler of your choice and navigate to address 0x00022720. The surrounding code does the following:

  • 000226f8 - 0002270c: Generate a random ASLR offset and store it in x20

  • 0002271c: Check whether -disable_aslr was configured.

  • 00022720: If configured, put 0 (xzr) in param_1 (x0). Otherwise, use the randomly generated value from x20.

Patching the instruction at 00022720 so that it unconditionally puts 0 into x0 is all that is needed:
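The patch itself is a single 32-bit instruction write, but the address a disassembler shows is a virtual address, and a robust patcher maps it through the LC_SEGMENT_64 load commands rather than assuming file offset == virtual address. The following Python script is an added example, not code from the xnu-qemu-arm64 wiki or project: it encodes `mov x0, xzr` (AArch64 `orr x0, xzr, xzr`, 0xAA1F03E0), translates the address through the Mach-O segments, and refuses to write if an optional `expect` value does not match the instruction already there (the offset 0x22720 is specific to the dyld build used on this page, so the guard catches a binary of another version). It assumes a thin, little-endian 64-bit Mach-O such as iOS dyld; the sample binary built by `build_sample_macho` is constructed for the test and is not real dyld, and the NOP it places at the patch site stands in for the real instruction, which this page does not list.

```python
"""Patch one AArch64 instruction in a thin 64-bit Mach-O by virtual address.

Added example (not from the xnu-qemu-arm64 wiki). Assumes a thin,
little-endian Mach-O such as iOS dyld.
"""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C
MH_DYLINKER = 7
NOP = 0xD503201F
# AArch64 encoding of `mov x0, xzr` (alias of `orr x0, xzr, xzr`).
MOV_X0_XZR = 0xAA1F03E0


def segments(data):
    """Yield (name, vmaddr, vmsize, fileoff, filesize) for every LC_SEGMENT_64."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", data, off + 8)
            yield name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize
        off += cmdsize


def vaddr_to_fileoff(data, vaddr):
    """Map a virtual address to a file offset; only file-backed bytes can be patched."""
    for _, vmaddr, _, fileoff, filesize in segments(data):
        if vmaddr <= vaddr < vmaddr + filesize:
            return fileoff + (vaddr - vmaddr)
    raise ValueError(f"address {vaddr:#x} is not backed by any segment")


def is_file_backed(data, vaddr):
    try:
        vaddr_to_fileoff(data, vaddr)
        return True
    except ValueError:
        return False


def read_instruction(data, vaddr):
    return struct.unpack_from("<I", data, vaddr_to_fileoff(data, vaddr))[0]


def patch_instruction(data, vaddr, insn, expect=None):
    """Return (patched_copy, original_insn). Refuses to patch if `expect` is given
    and the instruction currently at `vaddr` differs from it."""
    if vaddr & 3:
        raise ValueError("AArch64 instructions are 4-byte aligned")
    off = vaddr_to_fileoff(data, vaddr)
    orig = struct.unpack_from("<I", data, off)[0]
    if expect is not None and orig != expect:
        raise ValueError(f"unexpected instruction {orig:#010x} at {vaddr:#x}")
    out = bytearray(data)
    struct.pack_into("<I", out, off, insn)
    return bytes(out), orig


def build_sample_macho(code_fileoff=0x120, code_len=0x40, vmaddr=0x4000):
    """Constructed stand-in for dyld: one __TEXT segment whose code region is all NOPs."""
    total = code_fileoff + code_len
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_DYLINKER, 1, 72, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      vmaddr, total, 0, total, 5, 5, 0, 0)  # prot 5 = r-x
    body = bytearray(hdr + seg)
    body += b"\0" * (code_fileoff - len(body))
    body += struct.pack("<I", NOP) * (code_len // 4)
    return bytes(body)


if __name__ == "__main__":
    # Usage: patch_dyld.py <dyld> <out> [hex vaddr]   (default is this page's 0x22720)
    src, dst = sys.argv[1], sys.argv[2]
    target = int(sys.argv[3], 16) if len(sys.argv) > 3 else 0x22720
    with open(src, "rb") as f:
        blob = f.read()
    patched, old = patch_instruction(blob, target, MOV_X0_XZR)
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"replaced {old:#010x} at {target:#x} with {MOV_X0_XZR:#010x}")
```

Keep the printed original instruction with your notes: it tells you what the binary held before the patch and lets you pass it as `expect` when you repeat the procedure on the same build.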

Now all we have to do is save the patched binary, sign it, add its CDHash to the static trust cache (static_tc), and run QEMU with the patched dyld.

Information about the static trust cache and its use can be found here.

Perform the following steps from the directory in which kernelcache.release.n66.out resides:

Mount the main disk image and copy the dyld binary out of it:

$ hdiutil attach -imagekey diskimage-class=CRawDiskImage ./hfs.main
$ cp /Volumes/PeaceB16B92.arm64UpdateRamDisk/usr/lib/dyld .

Patch dyld as described above and save the result as dyld.bin (the name used by the commands below).

Now sign the executable, insert its hash into the static trust cache, and copy the patched binary to the main disk:

$ jtool --sign --ent ent.xml --inplace ./dyld.bin

where ent.xml holds the entitlements of the original dyld executable, as dumped by:

$ jtool --ent /Volumes/PeaceB16B92.arm64UpdateRamDisk/usr/lib/dyld
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
</dict>
</plist>

$ jtool --sig --ent ./dyld.bin | grep CDHash | cut -d' ' -f6 | cut -c 1-40 >> ./tchashes
$ python xnu-qemu-arm64-tools/bootstrap_scripts/create_trustcache.py tchashes static_tc
$ sudo mv /Volumes/PeaceB16B92.arm64UpdateRamDisk/usr/lib/dyld /Volumes/PeaceB16B92.arm64UpdateRamDisk/usr/lib/dyld_orig
$ sudo mv ./dyld.bin /Volumes/PeaceB16B92.arm64UpdateRamDisk/usr/lib/dyld
$ hdiutil detach /Volumes/PeaceB16B92.arm64UpdateRamDisk

ASLR is now disabled for the dyld shared cache.
