This commit is contained in:
comex 2011-07-12 18:13:35 -04:00
parent 9149062ebb
commit e6d05a9368
4 changed files with 59 additions and 8 deletions


@ -33,6 +33,8 @@ $(OUTDIR)/grapher: $(OUTDIR)/grapher.o $(DATA)/$(OUTDIR)/libdata.a
$(GXX) -o $@ $^ -O3
$(OUTDIR)/decrypt_kern: $(OUTDIR)/decrypt_kern.o $(DATA)/$(OUTDIR)/libdata.a
$(GCC) -o $@ $^ -O3
$(OUTDIR)/codesign_allocate: $(OUTDIR)/codesign_allocate.o
$(GCC) -o $@ $^ -O3
clean: .clean
rm -f sandboxc-{armv6,armv7}.c sandbox-{armv6,armv7}.o

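--- /dev/null
+++ b/codesign_allocate.c
@@ -0,0 +1,49 @@
+#include <assert.h>
+#include <data/mach-o/binary.h>
+#include <mach-o/loader.h>
+#include <copyfile.h>
+int main(int argc, char **argv) {
+const char *infile = NULL, *outfile = NULL;
+size_t size = 0;
+for(char **p = argv; *p; p++) {
+if(!strcmp(*p, "-i")) {
+infile = *p++;
+} else if(!strcmp(*p, "-a")) {
+p++;
+size = strtol(*p++, NULL, 0);
+} else if(!strcmp(*p, "-o")) {
+outfile = *p++;
+} else {
+die("??");
+}
+assert(!copyfile(infile, outfile, NULL, COPYFILE_ALL));
+int fd = open(outfile, O_RDWR);
+assert(fd != -1);
+off_t fend = lseek(fd, 0, SEEK_END);
+ftruncate(fd, fend + size);
+void *file = mmap(NULL, (size_t) fend, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+assert(file != MAP_FAILED);
+struct mach_header *mh = file;
+mh->ncmds++;
+mh->sizeofcmds += sizeof(struct linkedit_data_command);
+CMD_ITERATE(mh, cmd) {
+if(cmd->cmd == LC_SEGMENT) {
+struct segment_command *sc = (void *) cmd;
+if(!strncmp(sc->segname, "__LINKEDIT", 16)) {
+sc->filesize += size;
+sc->vmsize += size;
+}
+} else if(cmd->cmd == 0) {
+struct linkedit_data_command *dc = (void *) cmd;
+dc->cmd = LC_CODE_SIGNATURE;
+dc->cmdsize = sizeof(*dc);
+dc->dataoff = (uint32_t) fend;
+dc->datasize = (uint32_t) size;
+}
+}
+}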
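Review bot: The option loop `for(char **p = argv; *p; p++)` starts at argv[0] (the program name, which falls into `die("??")`) and every branch consumes the wrong element: `infile = *p++;` stores the literal "-i" and `outfile = *p++;` stores "-o", while the `-a` branch advances p twice so the loop's own `p++` then skips the argument following the size. As rendered, the loop body also appears to run on through the copyfile/open/mmap code with its closing brace only at the end of main; if that is not a rendering loss, the loop must be closed before `assert(!copyfile(...))`. Beyond the parsing, `infile`/`outfile` are passed to copyfile without a NULL check, `lseek` and `ftruncate` results are unchecked, and `size` comes from `strtol` with no end-pointer or range validation before it is truncated to `uint32_t` for `dc->datasize`. The `cmd->cmd == 0` slot search relies on zero-filled padding after the existing load commands, so when `sizeofcmds + sizeof(struct linkedit_data_command)` exceeds that padding the loop writes past the header into the first section; that space should be verified before `mh->ncmds++` rather than assumed.
```c
for(char **p = argv + 1; *p; p++) {
    if(!strcmp(*p, "-i")) {
        if(!*++p) die("-i needs a value");
        infile = *p;
    } else if(!strcmp(*p, "-a")) {
        if(!*++p) die("-a needs a value");
        size = strtol(*p, NULL, 0);
    } else if(!strcmp(*p, "-o")) {
        if(!*++p) die("-o needs a value");
        outfile = *p;
    } else {
        die("??");
    }
}
if(!infile || !outfile) die("need both -i and -o");
/* … unchanged: copyfile, open, ftruncate, mmap, load-command patching … */
```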


@ -356,7 +356,7 @@ struct Binary {
assert(constructor);
unordered_map<addr_t, const char *> metaClasses;
for(auto edge : constructor->backward) {
auto nameAddr = edge->source->refs.begin()->second;
auto nameAddr = edge->source->refs.begin()->first.second;
if(!nameAddr) continue;
// xxx
auto className = (const char *) rangeconv((range_t) {&binary, nameAddr, 128}, 0).start;
@ -366,15 +366,16 @@ struct Binary {
addr_t metaClass;
auto it = mcInstantiator->refs.begin();
for(it++; it != mcInstantiator->refs.end(); it++) {
if(it->second == edge->source->startAddr) {
if(it->first.second == edge->source->startAddr) {
auto it2 = it;
it2--;
metaClass = it2->second;
metaClass = it2->first.second;
goto ok;
}
}
continue;
ok:
if(explain) printf("ok %s\n", className);
metaClasses[metaClass] = className;
}
@ -382,9 +383,9 @@ struct Binary {
for(auto edge : constructed->backward) {
if(edge->source->refs.size() == 4) {
auto it = edge->source->refs.begin();
auto metaClass = it->second;
auto metaClass = it->first.second;
it++; it++;
auto vtable = it->second - 8;
auto vtable = it->first.second - 8;
auto className = metaClasses[metaClass];
if(!className) continue;
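Review bot: Every `->first.second` introduced here (the nameAddr line, the two metaClass lines and the vtable line) encodes a key layout of `refs` that nothing in the hunk states, and the surrounding pattern `for(it++; ...)`, `it2--`, `it++; it++;` guarded by `refs.size() == 4` additionally depends on `refs` iterating in a fixed order; a one-line comment at the first use, such as `// refs is keyed by (…, referenced address); .first.second is that address`, with the blank filled from the definition of refs (outside this hunk), would make the positional arithmetic reviewable. The bare `// xxx` above the `rangeconv((range_t) {&binary, nameAddr, 128}, 0)` call is not something a reader can act on; say what is unresolved there — presumably that 128 is an assumed upper bound on the class-name string and that the returned bytes are used as a C string without checking for a terminator. The enclosing function starts and ends outside the hunk.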


@ -87,8 +87,7 @@ void do_kernel(struct binary *binary, struct binary *sandbox) {
patch("cs_enforcement_disable", resolve_ldr(binary, csedp), uint32_t, {1});
addr_t scratch = resolve_ldr(binary, is_armv7 ? (mystery + 9) : 42);
scratch = (scratch + 3) & ~3;
// patches
//patch("-lunchd",
@ -120,7 +119,7 @@ void do_kernel(struct binary *binary, struct binary *sandbox) {
//if(!strcmp(name, "c_dvp_struct_offset")) return spec2(0xde, 0xad, 0xbe);
die("? %s", name);
})
b_relocate(sandbox, (void *) l.arg, (void *) l.func, 0);
b_relocate(sandbox, (void *) l.arg, RELOC_DEFAULT, (void *) l.func, 0);
prange_t sandbox_pr = rangeconv_off(sandbox->segments[0].file_range, MUST_FIND);
store_file(sandbox_pr, "/tmp/wtf.o", 0644);
patch_with_range("sb_evaluate hook",
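Review bot: `store_file(sandbox_pr, "/tmp/wtf.o", 0644);`, two lines below the changed `b_relocate` call, writes to a fixed, world-readable path in a shared directory, so another local user can pre-create or replace that name and either read or redirect what gets written (CWE-377); if this is a debugging aid it should be gated behind a flag and created with `mkstemp()` in a caller-chosen directory, and given a non-placeholder name. The new `RELOC_DEFAULT` argument changes the `b_relocate` call, but its result is still discarded, so any failure it reports is lost — worth checking if it returns a status (its definition is outside this hunk). In the earlier hunk, `resolve_ldr(binary, is_armv7 ? (mystery + 9) : 42)` uses the bare constant 42 on the non-armv7 path, which reads like a placeholder and deserves a named constant or a comment explaining it. `do_kernel` continues beyond this hunk.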