fix a bug

jakeajames · Jun 21, 2019 · d908c17 · d908c17
1 parent eb7b55a
commit d908c17
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 43 deletions.
diff --git a/amfi_utils.h b/amfi_utils.h
@@ -11,6 +11,7 @@ void getSHA256inplace(const uint8_t* code_dir, uint8_t *out);
 uint8_t *getSHA256(const uint8_t* code_dir);
 uint8_t *getCodeDirectory(const char* name);
 uint64_t ubc_cs_blob_allocate(vm_size_t size);
+void kern_free(uint64_t addr, vm_size_t size);
 int cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements);
 uint64_t getCodeSignatureLC(FILE *file, int64_t *machOff);
 const struct cs_hash *cs_find_md(uint8_t type);

diff --git a/amfi_utils.m b/amfi_utils.m
@@ -159,27 +159,61 @@ int strtail(const char *str, const char *tail)
 }
 
 int cs_validate_csblob(const uint8_t *addr, size_t length, CS_CodeDirectory **rcd, CS_GenericBlob **rentitlements) {
-    uint64_t rcdptr = Kernel_alloc(8);
-    uint64_t entptr = Kernel_alloc(8);
+    uint64_t rcdptr = Kernel_alloc(sizeof(uint64_t));
+    uint64_t entptr = Kernel_alloc(sizeof(uint64_t));
 
     int ret = (int)Kernel_Execute(Find_cs_validate_csblob(), (uint64_t)addr, length, rcdptr, entptr, 0, 0, 0);
     *rcd = (CS_CodeDirectory *)KernelRead_64bits(rcdptr);
     *rentitlements = (CS_GenericBlob *)KernelRead_64bits(entptr);
 
-    Kernel_free(rcdptr, 8);
-    Kernel_free(entptr, 8);
+    Kernel_free(rcdptr, sizeof(uint64_t));
+    Kernel_free(entptr, sizeof(uint64_t));
 
     return ret;
 }
 
 uint64_t ubc_cs_blob_allocate(vm_size_t size) {
-    uint64_t size_p = Kernel_alloc(sizeof(vm_size_t));
-    if (!size_p) return 0;
-    KernelWrite(size_p, &size, sizeof(vm_size_t));
-    uint64_t alloced = Kernel_Execute(Find_kalloc_canblock(), size_p, 1, Find_cs_blob_allocate_site(), 0, 0, 0, 0);
-    Kernel_free(size_p, sizeof(vm_size_t));
-    if (alloced) alloced = ZmFixAddr(alloced);
-    return alloced;
+    if (size <= 0x1ff8) {
+        uint64_t size_p = Kernel_alloc(sizeof(vm_size_t));
+        if (!size_p) return 0;
+        KernelWrite(size_p, &size, sizeof(vm_size_t));
+
+        uint64_t kall = Find_kalloc_canblock();
+        if (!kall) return 0;
+
+        uint64_t site = Find_cs_blob_allocate_site();
+        if (!site) return 0;
+
+        uint64_t alloced = Kernel_Execute(kall, size_p, 1, site, 0, 0, 0, 0);
+        if (!alloced) return 0;
+
+        Kernel_free(size_p, sizeof(vm_size_t));
+        alloced = ZmFixAddr(alloced);
+        return alloced;
+    }
+    else {
+        size = (size + 0x3fff) & ~0x3fff;
+        uint64_t addrp = Kernel_alloc(sizeof(uint64_t));
+        if (!addrp) return 0;
+
+        uint64_t kernel_map = Find_kernel_map();
+        if (!kernel_map) return 0;
+
+        kernel_map = KernelRead_64bits(kernel_map);
+        if (!kernel_map) return 0;
+
+        uint64_t alloc = Find_kernel_memory_allocate();
+        if (!alloc) return 0;
+
+        Kernel_Execute(alloc, kernel_map, addrp, size, 0, 0, 0, 0);
+        addrp = KernelRead_64bits(addrp);
+        return addrp;
+    }
+}
+
+void kern_free(uint64_t addr, vm_size_t size) {
+    if (size > 0x1ff8) size = (size + 0x3fff) & ~0x3fff;
+    Kernel_Execute(Find_kfree(), addr, size, 0, 0, 0, 0, 0);
 }
 
 const struct cs_hash *cs_find_md(uint8_t type) {

diff --git a/downloads/jelbrekLib.a b/downloads/jelbrekLib.a
diff --git a/downloads/jelbrekLib.h b/downloads/jelbrekLib.h
@@ -1,5 +1,5 @@
-
 typedef int (*kexecFunc)(uint64_t function, size_t argument_count, ...);
+typedef char hash_t[20];
 
 extern uint32_t KASLR_Slide;
 extern uint64_t KernelBase;
@@ -41,6 +41,7 @@ void term_jelbrek(void);
      7: file mmap() failed
 */
 int trustbin(const char *path);
+int trust_hash(hash_t hash);
 
 /*
  Purpose:

diff --git a/jelbrek.h b/jelbrek.h
@@ -33,6 +33,7 @@
 
 
 typedef int (*kexecFunc)(uint64_t function, size_t argument_count, ...);
+typedef char hash_t[20];
 
 extern uint32_t KASLR_Slide;
 extern uint64_t KernelBase;
@@ -74,6 +75,7 @@ void term_jelbrek(void);
      7: file mmap() failed
 */
 int trustbin(const char *path);
+int trust_hash(hash_t hash);
 
 /*
  Purpose:

diff --git a/jelbrek.m b/jelbrek.m
@@ -345,6 +345,36 @@ int trustbin(const char *path) {
     return 0;
 }
 
+int trust_hash(hash_t hash) {
+    uint64_t trust_chain = Find_trustcache();
+
+    printf("[*] trust_chain at 0x%llx\n", trust_chain);
+
+    struct trust_chain fake_chain;
+    fake_chain.next = KernelRead_64bits(trust_chain);
+    //((uint64_t*)fake_chain.uuid)[0] = 0xbadbabeabadbabe;
+    //((uint64_t*)fake_chain.uuid)[1] = 0xbadbabeabadbabe;
+
+    arc4random_buf(fake_chain.uuid, 16);
+
+    fake_chain.count = 1;
+
+    size_t length = (sizeof(fake_chain) + sizeof(hash_t) + 0x3FFF) & ~0x3FFF;
+    uint64_t kernel_trust = Kernel_alloc(length);
+    printf("[*] allocated: 0x%zx => 0x%llx\n", length, kernel_trust);
+
+    KernelWrite(kernel_trust, &fake_chain, sizeof(fake_chain));
+    KernelWrite(kernel_trust + sizeof(fake_chain), hash, sizeof(hash_t));
+
+#if __arm64e__
+    Kernel_Execute(Find_pmap_load_trust_cache_ppl(), kernel_trust, length, 0, 0, 0, 0, 0);
+#else
+    KernelWrite_64bits(trust_chain, kernel_trust);
+#endif
+
+    return 0;
+}
+
 static const char *csblob_parse_teamid(struct cs_blob *csblob) {
     const CS_CodeDirectory *cd;
 
@@ -589,7 +619,7 @@ int bypassCodeSign(const char *macho) {
 
     if (cs_validate_csblob((const uint8_t *)new_blob_addr, len, &_cd, &_entitlements)) {
         printf("[-] Invalid blob\n");
-        Kernel_Execute(Find_kfree(), new_blob_addr, new_blob_size, 0, 0, 0, 0, 0);
+        kern_free(new_blob_addr, new_blob_size);
         goto error;
     }
 
@@ -698,7 +728,7 @@ int bypassCodeSign(const char *macho) {
 error:;
     if (file) fclose(file);
     if (vnode) vnode_put(vnode);
-    if (addr) Kernel_Execute(Find_kfree(), addr, blob_size, 0, 0, 0, 0, 0);
+    if (addr) kern_free(addr, blob_size);
     if (blob) free(blob);
     if (buf_blob) free(buf_blob);
     if (rcd) free(rcd);
@@ -710,7 +740,7 @@ int bypassCodeSign(const char *macho) {
 success:;
     if (file) fclose(file);
     if (vnode) vnode_put(vnode);
-    if (addr) Kernel_Execute(Find_kfree(), addr, blob_size, 0, 0, 0, 0, 0);
+    if (addr) kern_free(addr, blob_size);
     if (blob) free(blob);
     if (buf_blob) free(buf_blob);
     if (rcd) free(rcd);

diff --git a/patchfinder64.h b/patchfinder64.h
@@ -27,6 +27,8 @@ uint64_t Find_kalloc_canblock(void);
 uint64_t Find_cs_blob_allocate_site(void);
 uint64_t Find_kfree(void);
 uint64_t Find_cs_find_md(void);
+uint64_t Find_kernel_memory_allocate(void);
+uint64_t Find_kernel_map(void);
 
 // PAC
 uint64_t Find_l2tp_domain_module_start(void);

diff --git a/patchfinder64.m b/patchfinder64.m
@@ -1459,34 +1459,6 @@ uint64_t Find_bootargs(void) {
     return val + KASLR_Slide;
 }
 
-addr_t Find_kernel_map() {
-    uint64_t ref = Find_strref("AMFI: Trying to load a trust cache while device is locked, only", 1, 1, false);
-    if (!ref) {
-        ref = Find_strref("AMFI: Trying to load a trust cache while device is locked, only", 1, 0, false);
-        if (!ref) {
-            return 0;
-        }
-    }
-    ref -= KernDumpBase;
-
-    uint64_t func = BOF64(Kernel, (ref > XNUCore_Base) ? XNUCore_Base : Prelink_Base, ref);
-    if (!func) {
-        return 0;
-    }
-
-    ref = Step64(Kernel, func, 60, INSN_ADRP);
-    if (!ref) {
-        return 0;
-    }
-
-    uint64_t val = Calc64(Kernel, ref, ref + 8, 25);
-    if (!val) {
-        return 0;
-    }
-
-    return (*(uint64_t *)(Kernel + val)) ? *(uint64_t *)(Kernel + val) : val + KernDumpBase + KASLR_Slide;
-}
-
 addr_t Find_l2tp_domain_module_start() {
     uint64_t string = (uint64_t)Boyermoore_horspool_memmem(Kernel + Data_base, Data_size, (const unsigned char *)"com.apple.driver.AppleSynopsysOTGDevice", strlen("com.apple.driver.AppleSynopsysOTGDevice")) - (uint64_t)Kernel;
     if (!string) {
@@ -1858,3 +1830,50 @@ addr_t Find_cs_find_md() {
 
     return addr + KernDumpBase + KASLR_Slide;
 }
+
+addr_t Find_kernel_memory_allocate() {
+    uint64_t ref = Find_strref("\"kernel_memory_allocate: VM is not ready\"", 1, 0, true);
+    if (!ref) {
+        return 0;
+    }
+    ref -= KernDumpBase;
+
+    uint64_t func = BOF64(Kernel, XNUCore_Base, ref);
+    if (!func) {
+        return 0;
+    }
+
+    return func + KernDumpBase + KASLR_Slide;
+}
+
+addr_t Find_kernel_map() {
+    uint64_t kalloc_canblock = Find_kalloc_canblock();
+    if (!kalloc_canblock) {
+        return 0;
+    }
+    kalloc_canblock -= (KernDumpBase + KASLR_Slide);
+
+    uint64_t kern_alloc = Find_kernel_memory_allocate();
+    if (!kern_alloc) {
+        return 0;
+    }
+    kern_alloc -= (KernDumpBase + KASLR_Slide);
+
+    uint64_t val = 0;
+    uint64_t func = kalloc_canblock;
+
+    for (int i = 0; i < 5; i++) {
+        func = Step64(Kernel, func + 4, 4*80, INSN_CALL);
+
+        if (Follow_call64(Kernel, func) == kern_alloc) {
+            val = Calc64(Kernel, kalloc_canblock, func, 10);
+            break;
+        }
+    }
+
+    if (!val) {
+        return 0;
+    }
+
+    return val + KernDumpBase + KASLR_Slide;
+}