amfid_payload w/ task_for_pid-allow patch
// Excerpt from a larger function: `ret`, `myproc`, `offs`, `kernel_slide`
// and the `out` cleanup label are all declared outside this block, so it
// cannot be compiled or reviewed in isolation.
//
// Purpose (as far as the visible lines show): write a "task_for_pid-allow"
// entry into the entitlements dictionary hanging off this process's own
// credential, then load amfid_payload.dylib into the amfid process and wait
// for the payload to signal readiness via /var/tmp/amfid.alive.
{ | |
// Presumably copies the bundled payload to /jb and registers it with the
// trust cache; neither macro/function is visible here, and neither result
// is checked before the path is used below.
COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib"); | |
inject_trust("/jb/amfid_payload.dylib"); | |
// NOTE(review): unlike every kernel read below, the pid lookup has no
// VAL_CHECK — a 0 / not-found result would still reach inject_library().
uint32_t amfid_pid = get_pid_for_name("amfid"); | |
// Kernel address of the OSBoolean "true" singleton (per-build offset table,
// rebased by kernel_slide); used as the dictionary value further down.
uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide); | |
VAL_CHECK(osbool_val); | |
// Walk proc -> credential -> label -> entitlements dictionary using fixed
// struct offsets. These offsets are specific to the kernel build this was
// written against; VAL_CHECK after each read is the only sanity check.
uint64_t our_ucred = rk64(myproc + 0x100); | |
VAL_CHECK(our_ucred); | |
uint64_t our_cr_label = rk64(our_ucred + 0x78); | |
VAL_CHECK(our_cr_label); | |
uint64_t our_ents = rk64(our_cr_label + 0x8); | |
VAL_CHECK(our_ents); | |
// First qword of the dictionary object is its vtable pointer.
uint64_t OSDictionary_vtab = rk64(our_ents); | |
VAL_CHECK(OSDictionary_vtab); | |
// OSDictionary::SetObject = vtable->0xf8 | |
uint64_t OSDictionary_SetItem = rk64(OSDictionary_vtab + 0xf8); | |
VAL_CHECK(OSDictionary_SetItem); | |
// Stage the dictionary key in a kernel buffer so it can be passed by address.
const char *str_to_patch = "task_for_pid-allow"; | |
// NOTE(review): strlen() returns size_t; storing it in int narrows the
// value (harmless for this 19-byte literal, but the type is wrong).
int str_len = strlen(str_to_patch) + 1; | |
// kalloc() result is not VAL_CHECK'd before kwrite() targets it.
uint64_t str_alloc = kalloc(str_len); | |
kwrite(str_alloc, (void *)str_to_patch, str_len); | |
LOG("str_alloc: %llx", str_alloc); | |
// kexecute automatically adds kernel_slide, however this vtab entry is already slid | |
// NOTE(review): the return value is only logged, never tested — if the call
// fails, execution continues to the inject step regardless.
LOG("OSDict::SetItem return: %llx", kexecute(OSDictionary_SetItem - kernel_slide, 3, our_ents, str_alloc, osbool_val)); | |
// Assumes the dictionary no longer references str_alloc after the call —
// TODO confirm, otherwise this free leaves a dangling key pointer.
kfree(str_alloc, str_len); | |
ret = inject_library(amfid_pid, "/jb/amfid_payload.dylib"); | |
if (ret != KERN_SUCCESS) | |
{ | |
LOG("failed to inject amfid payload"); | |
goto out; | |
} | |
LOG("amfid patched?!"); | |
// Poll for the payload's readiness marker: 100 attempts x 500 ms = 50 s cap.
int tries = 0; | |
while (access("/var/tmp/amfid.alive", F_OK) != 0 && tries < 100) | |
{ | |
LOG("waiting for amfid..."); | |
usleep(500000); | |
tries++; | |
} | |
// Timed out without seeing the marker; report failure to the caller.
if (tries >= 100) | |
{ | |
LOG("failed to patch amfid :("); | |
ret = KERN_FAILURE; | |
goto out; | |
} | |
} |