Startsida Utforska Hjälp
Logga in
NitoTV
/
merdian
Bevaka 3
Stjärnmärk 0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 1 Wiki
Träd: 1a2fcb4cf5
Grenar Taggar
merdian
/
Meridian
/
meridianTV
/
electra
/
the fun part
/
utilities
/
amfi_utils.h

amfi_utils.h 2.6 KB
Historik

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. //
    2. 

  2. //  amfi_utils.h
    3. 

  3. //  electra
    4. 

  4. //
    5. 

  5. //  Created by Jamie on 27/01/2018.
    6. 

  6. //  Copyright © 2018 Electra Team. All rights reserved.
    7. 

  7. //
    8. 

  8. 

  9. #ifndef amfi_utils_h
    10. 

  10. #define amfi_utils_h
    11. 

  11. 

  12. #import <sys/types.h>
    13. 

  13. #include <stdio.h>
    14. 

  14. #include <objc/runtime.h>
    15. 

  15. 

  16. 

  17. 

  18. void getSHA256inplace(const uint8_t* code_dir, uint8_t *out);
    19. 

  19. uint8_t *getSHA256(const uint8_t* code_dir);
    20. 

  20. uint8_t *getCodeDirectory(const char* name);
    21. 

  21. 

  22. // thx hieplpvip
    23. 

  23. void inject_trusts(int pathc, const char *paths[]);
    24. 

  24. 

  25. // Trust cache types
    26. 

  26. typedef char hash_t[20];
    27. 

  27. 

  28. struct trust_chain {
    29. 

  29.     uint64_t next;
    30. 

  30.     unsigned char uuid[16];
    31. 

  31.     unsigned int count;
    32. 

  32. } __attribute__((packed));
    33. 

  33. 

  34. /*
    35. 

  35.  Note this patch still came from @xerub's KPPless branch, but detailed below is kind of my adventures which I rediscovered most of what he did
    36. 

  36.  
    37. 

  37.  So, as said on twitter by @Morpheus______, iOS 11 now uses SHA256 for code signatures, rather than SHA1 like before.
    38. 

  38.  What confuses me though is that I believe the overall CDHash is SHA1, but each subhash is SHA256. In AMFI.kext, the memcmp
    39. 

  39.  used to check between the current hash and the hashes in the cache seem to be this CDHash. So the question is do I really need
    40. 

  40.  to get every hash, or just the main CDHash and insert that one into the trust chain?
    41. 

  41.  
    42. 

  42.  If we look at the trust chain code checker (0xFFFFFFF00637B3E8 6+ 11.1.2), it is pretty basic. The trust chain is in the format of
    43. 

  43.  the following (struct from xerub, but I've checked with AMFI that it is the case):
    44. 

  44.  
    45. 

  45.  struct trust_mem {
    46. 

  46.  uint64_t next;                 // +0x00 - the next struct trust_mem
    47. 

  47.  unsigned char uuid[16];        // +0x08 - The uuid of the trust_mem (it doesn't seem important or checked apart from when importing a new trust chain)
    48. 

  48.  unsigned int count;            // +0x18 - Number of hashes there are
    49. 

  49.  unsigned char hashes[];        // +0x1C - The hashes
    50. 

  50.  }
    51. 

  51.  
    52. 

  52.  The trust chain checker does the following:
    53. 

  53.  - Find the first struct that has a count > 0
    54. 

  54.  - Loop through all the hashes in the struct, comparing with the current hash
    55. 

  55.  - Keeps going through each chain, then when next is 0, it finishes
    56. 

  56.  
    57. 

  57.  UPDATE: a) was using an old version of JTool. Now I realised the CDHash is SHA256
    58. 

  58.  b) For launchd (whose hash resides in the AMFI cache), the first byte is used as an index sort of thing, and the next *19* bytes are used for the check
    59. 

  59.  This probably means that only the first 20 bytes of the CDHash are used in the trust cache check
    60. 

  60.  
    61. 

  61.  So our execution method is as follows:
    62. 

  62.  - Calculate the CD Hashes for the target resources that we want to play around with
    63. 

  63.  - Create a custom trust chain struct, and insert it into the existing trust chain - only storing the first 20 bytes of each hash
    64. 

  64.  - ??? PROFIT
    65. 

  65.  */
    66. 

  66. 

  67. #endif /* amfi_utils_h */
    68. 

  68.