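// NOTE(review): the system header names were lost in extraction (only bare
// "#include" tokens survived). This list is reconstructed from the symbols the
// file uses — printf, malloc, strlen, dlopen/dlerror, task_for_pid, NSString,
// CFRunLoopRun — and should be checked against the repository copy.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include "libtakeover.hpp"
#include <mach/mach.h>
#include <mach/mach_error.h>
#import <Foundation/Foundation.h>
#import "FindProcess.h"

// Path of the library that is dlopen()'d inside the target task. Declared as a
// mutable array (not `char *` pointing at a literal) so it is valid C++ and can
// still be handed to takeover::writeMem without a const_cast.
static char dylib[] = "/usr/lib/CycriptLoader.dylib";
static pid_t pid = -1;

// Bytes reserved in the remote allocation ahead of the path string. The
// original code used the bare literal 0x100 three times with no explanation;
// presumably headroom for the callee — kept unchanged, only named.
static const size_t kPathOffset = 0x100;

/// Entry point.
///
/// Resolves argv[1] to a pid via FindProcess, obtains that process's task port
/// with task_for_pid(), and uses libtakeover to call dlopen() on `dylib` from a
/// hijacked thread in that task. It then starts FindProcess's listener and runs
/// the main run loop until the process exits.
///
/// @return 0 on success or when printing usage; -1 if the process cannot be
///         found, the task port cannot be obtained, or the remote dlopen()
///         reports an error (the dlerror() text is printed when available).
int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: cycripter <process_name> &\n\n");
        printf("\tIt is important to append & when running this task!!! Otherwise upon exit it brings down the injected process with it, not sure why that happens yet.\n\n");
        return 0;
    }

    char *process_name = argv[1];
    pid = [FindProcess find_process:process_name];
    // pid_t is signed, so %d (the original used %u for the failure message).
    printf("\n%s PID is %d\n", process_name, pid);

    // Fail early instead of handing a bogus pid to task_for_pid().
    // NOTE(review): assumes find_process: yields a value <= 0 when nothing
    // matched — confirm against FindProcess.
    if (pid <= 0) {
        printf("Could not find a process named %s\n", process_name);
        return -1;
    }

    task_t remoteTask;
    kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);
    if (kr != KERN_SUCCESS) {
        // task_for_pid() is refused unless the caller is privileged to inspect
        // the target; surface the Mach error text so the cause is visible.
        printf("Failed to get task for pid %d: %s\n", pid, mach_error_string(kr));
        return -1;
    }

    tihmstar::takeover mytk(remoteTask);
    mytk.kidnapThread();

    // A single remote allocation holds the headroom plus the NUL-terminated
    // path. The size is computed once so alloc and dealloc cannot drift apart.
    const size_t pathLen = strlen(dylib) + 1;
    const size_t allocLen = kPathOffset + pathLen;
    void *dylibPathAddr = mytk.allocMem(allocLen);
    const uint64_t remotePath = kPathOffset + (uint64_t)dylibPathAddr;
    mytk.writeMem((void *)remotePath, pathLen, dylib);

    FindProcess *proc = [FindProcess new];
    [proc startListeningForAppName:[NSString stringWithUTF8String:process_name]];

    // RTLD_NOW (value 2) is what the original passed as a bare literal.
    uint64_t ret = mytk.callfunc((void *)&dlopen, {remotePath, RTLD_NOW});
    mytk.deallocMem(dylibPathAddr, allocLen);

    if (ret != 0) {
        printf("No error occurred!\n");
    } else {
        uint64_t error = mytk.callfunc((void *)&dlerror, {});
        if (error == 0) {
            printf("Error occurred, but dlerror returned NULL!\n");
            return -1;
        }
        // Copy the remote error string back into this process. The terminator
        // is pinned locally in case the remote read came back short, and the
        // buffer is freed (the original leaked it).
        uint64_t len = mytk.callfunc((void *)&strlen, {error});
        char *local_cstring = (char *)malloc(len + 1);
        if (local_cstring == NULL) {
            printf("Error occurred, but could not allocate %llu bytes to read dlerror\n",
                   (unsigned long long)(len + 1));
            return -1;
        }
        mytk.readMem((void *)error, len + 1, local_cstring);
        local_cstring[len] = '\0';
        printf("Error is %s\n", local_cstring);
        free(local_cstring);
        return -1;
    }

    CFRunLoopRun();
    return 0;
}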