Inicio Explorar Ayuda
Iniciar sesión
NitoTV
/
merdian
Seguir 3
Destacar 0
Fork 0
Archivos Incidencias 0 Pull Requests 1 Wiki
Árbol: 1a2fcb4cf5
Ramas Etiquetas
merdian
/
Meridian
/
meridianTV
/
patchfinder64.c

patchfinder64.c 36 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302 
  1. //
    2. 

  2. //  patchfinder64.c
    3. 

  3. //  extra_recipe
    4. 

  4. //
    5. 

  5. //  Created by xerub on 06/06/2017.
    6. 

  6. //  Copyright © 2017 xerub. All rights reserved.
    7. 

  7. //
    8. 

  8. 

  9. #include <assert.h>
    10. 

  10. #include <stdint.h>
    11. 

  11. #include <string.h>
    12. 

  12. #include "kernel.h"
    13. 

  13. 

  14. typedef unsigned long long addr_t;
    15. 

  15. 

  16. #define IS64(image) (*(uint8_t *)(image) & 1)
    17. 

  17. 

  18. #define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)
    19. 

  19. 

  20. /* generic stuff *************************************************************/
    21. 

  21. 

  22. #define UCHAR_MAX 255
    23. 

  23. 

  24. static unsigned char *
    25. 

  25. boyermoore_horspool_memmem(const unsigned char* haystack, size_t hlen,
    26. 

  26.                            const unsigned char* needle,   size_t nlen)
    27. 

  27. {
    28. 

  28.     size_t last, scan = 0;
    29. 

  29.     size_t bad_char_skip[UCHAR_MAX + 1]; /* Officially called:
    30. 

  30.                                           * bad character shift */
    31. 

  31. 

  32.     /* Sanity checks on the parameters */
    33. 

  33.     if (nlen <= 0 || !haystack || !needle)
    34. 

  34.         return NULL;
    35. 

  35. 

  36.     /* ---- Preprocess ---- */
    37. 

  37.     /* Initialize the table to default value */
    38. 

  38.     /* When a character is encountered that does not occur
    39. 

  39.      * in the needle, we can safely skip ahead for the whole
    40. 

  40.      * length of the needle.
    41. 

  41.      */
    42. 

  42.     for (scan = 0; scan <= UCHAR_MAX; scan = scan + 1)
    43. 

  43.         bad_char_skip[scan] = nlen;
    44. 

  44. 

  45.     /* C arrays have the first byte at [0], therefore:
    46. 

  46.      * [nlen - 1] is the last byte of the array. */
    47. 

  47.     last = nlen - 1;
    48. 

  48. 

  49.     /* Then populate it with the analysis of the needle */
    50. 

  50.     for (scan = 0; scan < last; scan = scan + 1)
    51. 

  51.         bad_char_skip[needle[scan]] = last - scan;
    52. 

  52. 

  53.     /* ---- Do the matching ---- */
    54. 

  54. 

  55.     /* Search the haystack, while the needle can still be within it. */
    56. 

  56.     while (hlen >= nlen)
    57. 

  57.     {
    58. 

  58.         /* scan from the end of the needle */
    59. 

  59.         for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1)
    60. 

  60.             if (scan == 0) /* If the first byte matches, we've found it. */
    61. 

  61.                 return (void *)haystack;
    62. 

  62. 

  63.         /* otherwise, we need to skip some bytes and start again.
    64. 

  64.            Note that here we are getting the skip value based on the last byte
    65. 

  65.            of needle, no matter where we didn't match. So if needle is: "abcd"
    66. 

  66.            then we are skipping based on 'd' and that value will be 4, and
    67. 

  67.            for "abcdd" we again skip on 'd' but the value will be only 1.
    68. 

  68.            The alternative of pretending that the mismatched character was
    69. 

  69.            the last character is slower in the normal case (E.g. finding
    70. 

  70.            "abcd" in "...azcd..." gives 4 by using 'd' but only
    71. 

  71.            4-2==2 using 'z'. */
    72. 

  72.         hlen     -= bad_char_skip[haystack[last]];
    73. 

  73.         haystack += bad_char_skip[haystack[last]];
    74. 

  74.     }
    75. 

  75. 

  76.     return NULL;
    77. 

  77. }
    78. 

  78. 

  79. /* disassembler **************************************************************/
    80. 

  80. 

  81. static int HighestSetBit(int N, uint32_t imm)
    82. 

  82. {
    83. 

  83. 	int i;
    84. 

  84. 	for (i = N - 1; i >= 0; i--) {
    85. 

  85. 		if (imm & (1 << i)) {
    86. 

  86. 			return i;
    87. 

  87. 		}
    88. 

  88. 	}
    89. 

  89. 	return -1;
    90. 

  90. }
    91. 

  91. 

  92. static uint64_t ZeroExtendOnes(unsigned M, unsigned N)	// zero extend M ones to N width
    93. 

  93. {
    94. 

  94. 	(void)N;
    95. 

  95. 	return ((uint64_t)1 << M) - 1;
    96. 

  96. }
    97. 

  97. 

  98. static uint64_t RORZeroExtendOnes(unsigned M, unsigned N, unsigned R)
    99. 

  99. {
    100. 

  100. 	uint64_t val = ZeroExtendOnes(M, N);
    101. 

  101. 	if (R == 0) {
    102. 

  102. 		return val;
    103. 

  103. 	}
    104. 

  104. 	return ((val >> R) & (((uint64_t)1 << (N - R)) - 1)) | ((val & (((uint64_t)1 << R) - 1)) << (N - R));
    105. 

  105. }
    106. 

  106. 

  107. static uint64_t Replicate(uint64_t val, unsigned bits)
    108. 

  108. {
    109. 

  109. 	uint64_t ret = val;
    110. 

  110. 	unsigned shift;
    111. 

  111. 	for (shift = bits; shift < 64; shift += bits) {	// XXX actually, it is either 32 or 64
    112. 

  112. 		ret |= (val << shift);
    113. 

  113. 	}
    114. 

  114. 	return ret;
    115. 

  115. }
    116. 

  116. 

  117. static int DecodeBitMasks(unsigned immN, unsigned imms, unsigned immr, int immediate, uint64_t *newval)
    118. 

  118. {
    119. 

  119. 	unsigned levels, S, R, esize;
    120. 

  120. 	int len = HighestSetBit(7, (immN << 6) | (~imms & 0x3F));
    121. 

  121. 	if (len < 1) {
    122. 

  122. 		return -1;
    123. 

  123. 	}
    124. 

  124. 	levels = ZeroExtendOnes(len, 6);
    125. 

  125. 	if (immediate && (imms & levels) == levels) {
    126. 

  126. 		return -1;
    127. 

  127. 	}
    128. 

  128. 	S = imms & levels;
    129. 

  129. 	R = immr & levels;
    130. 

  130. 	esize = 1 << len;
    131. 

  131. 	*newval = Replicate(RORZeroExtendOnes(S + 1, esize, R), esize);
    132. 

  132. 	return 0;
    133. 

  133. }
    134. 

  134. 

  135. static int DecodeMov(uint32_t opcode, uint64_t total, int first, uint64_t *newval)
    136. 

  136. {
    137. 

  137. 	unsigned o = (opcode >> 29) & 3;
    138. 

  138. 	unsigned k = (opcode >> 23) & 0x3F;
    139. 

  139. 	unsigned rn, rd;
    140. 

  140. 	uint64_t i;
    141. 

  141. 

  142. 	if (k == 0x24 && o == 1) {			// MOV (bitmask imm) <=> ORR (immediate)
    143. 

  143. 		unsigned s = (opcode >> 31) & 1;
    144. 

  144. 		unsigned N = (opcode >> 22) & 1;
    145. 

  145. 		if (s == 0 && N != 0) {
    146. 

  146. 			return -1;
    147. 

  147. 		}
    148. 

  148. 		rn = (opcode >> 5) & 0x1F;
    149. 

  149. 		if (rn == 31) {
    150. 

  150. 			unsigned imms = (opcode >> 10) & 0x3F;
    151. 

  151. 			unsigned immr = (opcode >> 16) & 0x3F;
    152. 

  152. 			return DecodeBitMasks(N, imms, immr, 1, newval);
    153. 

  153. 		}
    154. 

  154. 	} else if (k == 0x25) {				// MOVN/MOVZ/MOVK
    155. 

  155. 		unsigned s = (opcode >> 31) & 1;
    156. 

  156. 		unsigned h = (opcode >> 21) & 3;
    157. 

  157. 		if (s == 0 && h > 1) {
    158. 

  158. 			return -1;
    159. 

  159. 		}
    160. 

  160. 		i = (opcode >> 5) & 0xFFFF;
    161. 

  161. 		h *= 16;
    162. 

  162. 		i <<= h;
    163. 

  163. 		if (o == 0) {				// MOVN
    164. 

  164. 			*newval = ~i;
    165. 

  165. 			return 0;
    166. 

  166. 		} else if (o == 2) {			// MOVZ
    167. 

  167. 			*newval = i;
    168. 

  168. 			return 0;
    169. 

  169. 		} else if (o == 3 && !first) {		// MOVK
    170. 

  170. 			*newval = (total & ~((uint64_t)0xFFFF << h)) | i;
    171. 

  171. 			return 0;
    172. 

  172. 		}
    173. 

  173. 	} else if ((k | 1) == 0x23 && !first) {		// ADD (immediate)
    174. 

  174. 		unsigned h = (opcode >> 22) & 3;
    175. 

  175. 		if (h > 1) {
    176. 

  176. 			return -1;
    177. 

  177. 		}
    178. 

  178. 		rd = opcode & 0x1F;
    179. 

  179. 		rn = (opcode >> 5) & 0x1F;
    180. 

  180. 		if (rd != rn) {
    181. 

  181. 			return -1;
    182. 

  182. 		}
    183. 

  183. 		i = (opcode >> 10) & 0xFFF;
    184. 

  184. 		h *= 12;
    185. 

  185. 		i <<= h;
    186. 

  186. 		if (o & 2) {				// SUB
    187. 

  187. 			*newval = total - i;
    188. 

  188. 			return 0;
    189. 

  189. 		} else {				// ADD
    190. 

  190. 			*newval = total + i;
    191. 

  191. 			return 0;
    192. 

  192. 		}
    193. 

  193. 	}
    194. 

  194. 

  195. 	return -1;
    196. 

  196. }
    197. 

  197. 

  198. /* patchfinder ***************************************************************/
    199. 

  199. 

  200. static addr_t
    201. 

  201. step64(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
    202. 

  202. {
    203. 

  203.     addr_t end = start + length;
    204. 

  204.     while (start < end) {
    205. 

  205.         uint32_t x = *(uint32_t *)(buf + start);
    206. 

  206.         if ((x & mask) == what) {
    207. 

  207.             return start;
    208. 

  208.         }
    209. 

  209.         start += 4;
    210. 

  210.     }
    211. 

  211.     return 0;
    212. 

  212. }
    213. 

  213. 

  214. static addr_t
    215. 

  215. step64_back(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
    216. 

  216. {
    217. 

  217.     addr_t end = start - length;
    218. 

  218.     while (start >= end) {
    219. 

  219.         uint32_t x = *(uint32_t *)(buf + start);
    220. 

  220.         if ((x & mask) == what) {
    221. 

  221.             return start;
    222. 

  222.         }
    223. 

  223.         start -= 4;
    224. 

  224.     }
    225. 

  225.     return 0;
    226. 

  226. }
    227. 

  227. 

  228. static addr_t
    229. 

  229. bof64(const uint8_t *buf, addr_t start, addr_t where)
    230. 

  230. {
    231. 

  231.     for (; where >= start; where -= 4) {
    232. 

  232.         uint32_t op = *(uint32_t *)(buf + where);
    233. 

  233.         if ((op & 0xFFC003FF) == 0x910003FD) {
    234. 

  234.             unsigned delta = (op >> 10) & 0xFFF;
    235. 

  235.             //printf("%x: ADD X29, SP, #0x%x\n", where, delta);
    236. 

  236.             if ((delta & 0xF) == 0) {
    237. 

  237.                 addr_t prev = where - ((delta >> 4) + 1) * 4;
    238. 

  238.                 uint32_t au = *(uint32_t *)(buf + prev);
    239. 

  239.                 if ((au & 0xFFC003E0) == 0xA98003E0) {
    240. 

  240.                     //printf("%x: STP x, y, [SP,#-imm]!\n", prev);
    241. 

  241.                     return prev;
    242. 

  242.                 }
    243. 

  243.             }
    244. 

  244.         }
    245. 

  245.     }
    246. 

  246.     return 0;
    247. 

  247. }
    248. 

  248. 

  249. static addr_t
    250. 

  250. xref64(const uint8_t *buf, addr_t start, addr_t end, addr_t what)
    251. 

  251. {
    252. 

  252.     addr_t i;
    253. 

  253.     uint64_t value[32];
    254. 

  254. 

  255.     memset(value, 0, sizeof(value));
    256. 

  256. 

  257.     end &= ~3;
    258. 

  258.     for (i = start & ~3; i < end; i += 4) {
    259. 

  259.         uint32_t op = *(uint32_t *)(buf + i);
    260. 

  260.         unsigned reg = op & 0x1F;
    261. 

  261.         if ((op & 0x9F000000) == 0x90000000) {
    262. 

  262.             signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
    263. 

  263.             //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF));
    264. 

  264.             value[reg] = ((long long)adr << 1) + (i & ~0xFFF);
    265. 

  265.         /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {
    266. 

  266.             unsigned rd = op & 0x1F;
    267. 

  267.             unsigned rm = (op >> 16) & 0x1F;
    268. 

  268.             //printf("%llx: MOV X%d, X%d\n", i, rd, rm);
    269. 

  269.             value[rd] = value[rm];*/
    270. 

  270.         } else if ((op & 0xFF000000) == 0x91000000) {
    271. 

  271.             unsigned rn = (op >> 5) & 0x1F;
    272. 

  272.             unsigned shift = (op >> 22) & 3;
    273. 

  273.             unsigned imm = (op >> 10) & 0xFFF;
    274. 

  274.             if (shift == 1) {
    275. 

  275.                 imm <<= 12;
    276. 

  276.             } else {
    277. 

  277.                 //assert(shift == 0);
    278. 

  278.                 if (shift > 1) continue;
    279. 

  279.             }
    280. 

  280.             //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm);
    281. 

  281.             value[reg] = value[rn] + imm;
    282. 

  282.         } else if ((op & 0xF9C00000) == 0xF9400000) {
    283. 

  283.             unsigned rn = (op >> 5) & 0x1F;
    284. 

  284.             unsigned imm = ((op >> 10) & 0xFFF) << 3;
    285. 

  285.             //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
    286. 

  286.             if (!imm) continue;			// XXX not counted as true xref
    287. 

  287.             value[reg] = value[rn] + imm;	// XXX address, not actual value
    288. 

  288.         /*} else if ((op & 0xF9C00000) == 0xF9000000) {
    289. 

  289.             unsigned rn = (op >> 5) & 0x1F;
    290. 

  290.             unsigned imm = ((op >> 10) & 0xFFF) << 3;
    291. 

  291.             //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
    292. 

  292.             if (!imm) continue;			// XXX not counted as true xref
    293. 

  293.             value[rn] = value[rn] + imm;	// XXX address, not actual value*/
    294. 

  294.         } else if ((op & 0x9F000000) == 0x10000000) {
    295. 

  295.             signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
    296. 

  296.             //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i);
    297. 

  297.             value[reg] = ((long long)adr >> 11) + i;
    298. 

  298.         } else if ((op & 0xFF000000) == 0x58000000) {
    299. 

  299.             unsigned adr = (op & 0xFFFFE0) >> 3;
    300. 

  300.             //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i);
    301. 

  301.             value[reg] = adr + i;		// XXX address, not actual value
    302. 

  302.         }
    303. 

  303.         if (value[reg] == what) {
    304. 

  304.             return i;
    305. 

  305.         }
    306. 

  306.     }
    307. 

  307.     return 0;
    308. 

  308. }
    309. 

  309. 

  310. static addr_t
    311. 

  311. calc64(const uint8_t *buf, addr_t start, addr_t end, int which)
    312. 

  312. {
    313. 

  313.     addr_t i;
    314. 

  314.     uint64_t value[32];
    315. 

  315. 

  316.     memset(value, 0, sizeof(value));
    317. 

  317. 

  318.     end &= ~3;
    319. 

  319.     for (i = start & ~3; i < end; i += 4) {
    320. 

  320.         uint32_t op = *(uint32_t *)(buf + i);
    321. 

  321.         unsigned reg = op & 0x1F;
    322. 

  322.         if ((op & 0x9F000000) == 0x90000000) {
    323. 

  323.             signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
    324. 

  324.             //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF));
    325. 

  325.             value[reg] = ((long long)adr << 1) + (i & ~0xFFF);
    326. 

  326.         /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {
    327. 

  327.             unsigned rd = op & 0x1F;
    328. 

  328.             unsigned rm = (op >> 16) & 0x1F;
    329. 

  329.             //printf("%llx: MOV X%d, X%d\n", i, rd, rm);
    330. 

  330.             value[rd] = value[rm];*/
    331. 

  331.         } else if ((op & 0xFF000000) == 0x91000000) {
    332. 

  332.             unsigned rn = (op >> 5) & 0x1F;
    333. 

  333.             unsigned shift = (op >> 22) & 3;
    334. 

  334.             unsigned imm = (op >> 10) & 0xFFF;
    335. 

  335.             if (shift == 1) {
    336. 

  336.                 imm <<= 12;
    337. 

  337.             } else {
    338. 

  338.                 //assert(shift == 0);
    339. 

  339.                 if (shift > 1) continue;
    340. 

  340.             }
    341. 

  341.             //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm);
    342. 

  342.             value[reg] = value[rn] + imm;
    343. 

  343.         } else if ((op & 0xF9C00000) == 0xF9400000) {
    344. 

  344.             unsigned rn = (op >> 5) & 0x1F;
    345. 

  345.             unsigned imm = ((op >> 10) & 0xFFF) << 3;
    346. 

  346.             //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
    347. 

  347.             if (!imm) continue;			// XXX not counted as true xref
    348. 

  348.             value[reg] = value[rn] + imm;	// XXX address, not actual value
    349. 

  349.         } else if ((op & 0xF9C00000) == 0xF9000000) {
    350. 

  350.             unsigned rn = (op >> 5) & 0x1F;
    351. 

  351.             unsigned imm = ((op >> 10) & 0xFFF) << 3;
    352. 

  352.             //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
    353. 

  353.             if (!imm) continue;			// XXX not counted as true xref
    354. 

  354.             value[rn] = value[rn] + imm;	// XXX address, not actual value
    355. 

  355.         } else if ((op & 0x9F000000) == 0x10000000) {
    356. 

  356.             signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
    357. 

  357.             //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i);
    358. 

  358.             value[reg] = ((long long)adr >> 11) + i;
    359. 

  359.         } else if ((op & 0xFF000000) == 0x58000000) {
    360. 

  360.             unsigned adr = (op & 0xFFFFE0) >> 3;
    361. 

  361.             //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i);
    362. 

  362.             value[reg] = adr + i;		// XXX address, not actual value
    363. 

  363.         }
    364. 

  364.     }
    365. 

  365.     return value[which];
    366. 

  366. }
    367. 

  367. 

  368. static addr_t
    369. 

  369. calc64mov(const uint8_t *buf, addr_t start, addr_t end, int which)
    370. 

  370. {
    371. 

  371.     addr_t i;
    372. 

  372.     uint64_t value[32];
    373. 

  373. 

  374.     memset(value, 0, sizeof(value));
    375. 

  375. 

  376.     end &= ~3;
    377. 

  377.     for (i = start & ~3; i < end; i += 4) {
    378. 

  378.         uint32_t op = *(uint32_t *)(buf + i);
    379. 

  379.         unsigned reg = op & 0x1F;
    380. 

  380.         uint64_t newval;
    381. 

  381.         int rv = DecodeMov(op, value[reg], 0, &newval);
    382. 

  382.         if (rv == 0) {
    383. 

  383.             if (((op >> 31) & 1) == 0) {
    384. 

  384.                 newval &= 0xFFFFFFFF;
    385. 

  385.             }
    386. 

  386.             value[reg] = newval;
    387. 

  387.         }
    388. 

  388.     }
    389. 

  389.     return value[which];
    390. 

  390. }
    391. 

  391. 

  392. static addr_t
    393. 

  393. find_call64(const uint8_t *buf, addr_t start, size_t length)
    394. 

  394. {
    395. 

  395.     return step64(buf, start, length, 0x94000000, 0xFC000000);
    396. 

  396. }
    397. 

  397. 

  398. static addr_t
    399. 

  399. follow_call64(const uint8_t *buf, addr_t call)
    400. 

  400. {
    401. 

  401.     long long w;
    402. 

  402.     w = *(uint32_t *)(buf + call) & 0x3FFFFFF;
    403. 

  403.     w <<= 64 - 26;
    404. 

  404.     w >>= 64 - 26 - 2;
    405. 

  405.     return call + w;
    406. 

  406. }
    407. 

  407. 

  408. static addr_t
    409. 

  409. follow_cbz(const uint8_t *buf, addr_t cbz)
    410. 

  410. {
    411. 

  411.     return cbz + ((*(int *)(buf + cbz) & 0x3FFFFE0) << 10 >> 13);
    412. 

  412. }
    413. 

  413. 

  414. /* kernel iOS10 **************************************************************/
    415. 

  415. 

  416. #include <fcntl.h>
    417. 

  417. #include <stdio.h>
    418. 

  418. #include <stdlib.h>
    419. 

  419. #include <unistd.h>
    420. 

  420. #include <mach-o/loader.h>
    421. 

  421. 

  422. #ifdef __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__
    423. 

  423. #include <mach/mach.h>
    424. 

  424. size_t kread(uint64_t where, void *p, size_t size);
    425. 

  425. #endif
    426. 

  426. 

  427. static uint8_t *kernel = NULL;
    428. 

  428. static size_t kernel_size = 0;
    429. 

  429. 

  430. static addr_t xnucore_base = 0;
    431. 

  431. static addr_t xnucore_size = 0;
    432. 

  432. static addr_t prelink_base = 0;
    433. 

  433. static addr_t prelink_size = 0;
    434. 

  434. static addr_t cstring_base = 0;
    435. 

  435. static addr_t cstring_size = 0;
    436. 

  436. static addr_t pstring_base = 0;
    437. 

  437. static addr_t pstring_size = 0;
    438. 

  438. static addr_t kerndumpbase = -1;
    439. 

  439. static addr_t kernel_entry = 0;
    440. 

  440. static void *kernel_mh = 0;
    441. 

  441. static addr_t kernel_delta = 0;
    442. 

  442. 

  443. int
    444. 

  444. init_patchfinder(const char *filename)
    445. 

  445. {
    446. 

  446.     size_t rv;
    447. 

  447.     uint8_t buf[0x4000];
    448. 

  448.     unsigned i, j;
    449. 

  449.     const struct mach_header *hdr = (struct mach_header *)buf;
    450. 

  450.     const uint8_t *q;
    451. 

  451.     addr_t min = -1;
    452. 

  452.     addr_t max = 0;
    453. 

  453.     int is64 = 0;
    454. 

  454.     
    455. 

  455. #ifdef __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__
    456. 

  456. #define close(f)
    457. 

  457.     rv = kread(kernel_base, buf, sizeof(buf));
    458. 

  458.     if (rv != sizeof(buf)) {
    459. 

  459.         printf("failed kread, got size: %zu \n", rv);
    460. 

  460.         return -1;
    461. 

  461.     }
    462. 

  462. #else	/* __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__ */
    463. 

  463.     printf("this code right here has run ............. \n");
    464. 

  464.     int fd = open(filename, O_RDONLY);
    465. 

  465.     if (fd < 0) {
    466. 

  466.         printf("failed at open, got fd: %s \n", fd);
    467. 

  467.         return -1;
    468. 

  468.     }
    469. 

  469. 

  470.     rv = rk32_via_tfp0(tfp0, fd);
    471. 

  471.     //rv = read(fd, buf, sizeof(buf));
    472. 

  472.     if (rv != sizeof(buf)) {
    473. 

  473.         close(fd);
    474. 

  474.         printf("failed at buf read, got rv: %d \n", rv);
    475. 

  475.         return -1;
    476. 

  476.     }
    477. 

  477. #endif	/* __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__ */
    478. 

  478. 

  479.     if (!MACHO(buf)) {
    480. 

  480.         close(fd);
    481. 

  481.         printf("failed macho, buf: %s \n", buf);
    482. 

  482.         return -1;
    483. 

  483.     }
    484. 

  484. 

  485.     if (IS64(buf)) {
    486. 

  486.         is64 = 4;
    487. 

  487.     }
    488. 

  488. 

  489.     q = buf + sizeof(struct mach_header) + is64;
    490. 

  490.     for (i = 0; i < hdr->ncmds; i++) {
    491. 

  491.         const struct load_command *cmd = (struct load_command *)q;
    492. 

  492.         if (cmd->cmd == LC_SEGMENT_64) {
    493. 

  493.             const struct segment_command_64 *seg = (struct segment_command_64 *)q;
    494. 

  494.             if (min > seg->vmaddr) {
    495. 

  495.                 min = seg->vmaddr;
    496. 

  496.             }
    497. 

  497.             if (max < seg->vmaddr + seg->vmsize) {
    498. 

  498.                 max = seg->vmaddr + seg->vmsize;
    499. 

  499.             }
    500. 

  500.             if (!strcmp(seg->segname, "__TEXT_EXEC")) {
    501. 

  501.                 xnucore_base = seg->vmaddr;
    502. 

  502.                 xnucore_size = seg->filesize;
    503. 

  503.             }
    504. 

  504.             if (!strcmp(seg->segname, "__PLK_TEXT_EXEC")) {
    505. 

  505.                 prelink_base = seg->vmaddr;
    506. 

  506.                 prelink_size = seg->filesize;
    507. 

  507.             }
    508. 

  508.             if (!strcmp(seg->segname, "__TEXT")) {
    509. 

  509.                 const struct section_64 *sec = (struct section_64 *)(seg + 1);
    510. 

  510.                 for (j = 0; j < seg->nsects; j++) {
    511. 

  511.                     if (!strcmp(sec[j].sectname, "__cstring")) {
    512. 

  512.                         cstring_base = sec[j].addr;
    513. 

  513.                         cstring_size = sec[j].size;
    514. 

  514.                     }
    515. 

  515.                 }
    516. 

  516.             }
    517. 

  517.             if (!strcmp(seg->segname, "__PRELINK_TEXT")) {
    518. 

  518.                 const struct section_64 *sec = (struct section_64 *)(seg + 1);
    519. 

  519.                 for (j = 0; j < seg->nsects; j++) {
    520. 

  520.                     if (!strcmp(sec[j].sectname, "__text")) {
    521. 

  521.                         pstring_base = sec[j].addr;
    522. 

  522.                         pstring_size = sec[j].size;
    523. 

  523.                     }
    524. 

  524.                 }
    525. 

  525.             }
    526. 

  526.         }
    527. 

  527.         if (cmd->cmd == LC_UNIXTHREAD) {
    528. 

  528.             uint32_t *ptr = (uint32_t *)(cmd + 1);
    529. 

  529.             uint32_t flavor = ptr[0];
    530. 

  530.             struct {
    531. 

  531.                 uint64_t x[29];	/* General purpose registers x0-x28 */
    532. 

  532.                 uint64_t fp;	/* Frame pointer x29 */
    533. 

  533.                 uint64_t lr;	/* Link register x30 */
    534. 

  534.                 uint64_t sp;	/* Stack pointer x31 */
    535. 

  535.                 uint64_t pc; 	/* Program counter */
    536. 

  536.                 uint32_t cpsr;	/* Current program status register */
    537. 

  537.             } *thread = (void *)(ptr + 2);
    538. 

  538.             if (flavor == 6) {
    539. 

  539.                 kernel_entry = thread->pc;
    540. 

  540.             }
    541. 

  541.         }
    542. 

  542.         q = q + cmd->cmdsize;
    543. 

  543.     }
    544. 

  544. 

  545.     kerndumpbase = min;
    546. 

  546.     xnucore_base -= kerndumpbase;
    547. 

  547.     prelink_base -= kerndumpbase;
    548. 

  548.     cstring_base -= kerndumpbase;
    549. 

  549.     pstring_base -= kerndumpbase;
    550. 

  550.     kernel_size = max - min;
    551. 

  551. 

  552. #ifdef __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__
    553. 

  553.     kernel = malloc(kernel_size);
    554. 

  554.     if (!kernel) {
    555. 

  555.         printf("failed to malloc kern \n");
    556. 

  556.         return -1;
    557. 

  557.     }
    558. 

  558.     
    559. 

  559.     rv = kread(kerndumpbase, kernel, kernel_size);
    560. 

  560.     // rv = kread(kerndumpbase, kernel, kernel_size);
    561. 

  561.     if (rv != kernel_size) {
    562. 

  562.         free(kernel);
    563. 

  563.         printf("failed to kread kern, rv: %zu \n", rv);
    564. 

  564.         return -1;
    565. 

  565.     }
    566. 

  566. 

  567.     kernel_mh = kernel + kernel_base - min;
    568. 

  568. 

  569.     (void)filename;
    570. 

  570. #undef close
    571. 

  571. #else	/* __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__ */
    572. 

  572.     kernel = calloc(1, kernel_size);
    573. 

  573.     if (!kernel) {
    574. 

  574.         close(fd);
    575. 

  575.         printf("failed to calloc kern, kernel: %d \n", kernel);
    576. 

  576.         return -1;
    577. 

  577.     }
    578. 

  578. 

  579.     q = buf + sizeof(struct mach_header) + is64;
    580. 

  580.     for (i = 0; i < hdr->ncmds; i++) {
    581. 

  581.         const struct load_command *cmd = (struct load_command *)q;
    582. 

  582.         if (cmd->cmd == LC_SEGMENT_64) {
    583. 

  583.             const struct segment_command_64 *seg = (struct segment_command_64 *)q;
    584. 

  584.             size_t sz = pread(fd, kernel + seg->vmaddr - min, seg->filesize, seg->fileoff);
    585. 

  585.             if (sz != seg->filesize) {
    586. 

  586.                 close(fd);
    587. 

  587.                 free(kernel);
    588. 

  588.                 printf("sz != seg->filesize, sz: %zu", sz);
    589. 

  589.                 return -1;
    590. 

  590.             }
    591. 

  591.             if (!kernel_mh) {
    592. 

  592.                 kernel_mh = kernel + seg->vmaddr - min;
    593. 

  593.             }
    594. 

  594.             if (!strcmp(seg->segname, "__LINKEDIT")) {
    595. 

  595.                 kernel_delta = seg->vmaddr - min - seg->fileoff;
    596. 

  596.             }
    597. 

  597.         }
    598. 

  598.         q = q + cmd->cmdsize;
    599. 

  599.     }
    600. 

  600. 

  601.     close(fd);
    602. 

  602. 

  603.     (void)base;
    604. 

  604. #endif	/* __ENVIRONMENT_TV_OS_VERSION_MIN_REQUIRED__ */
    605. 

  605.     return 0;
    606. 

  606. }
    607. 

  607. 

  608. void
    609. 

  609. term_kernel(void)
    610. 

  610. {
    611. 

  611.     free(kernel);
    612. 

  612. }
    613. 

  613. 

  614. /* these operate on VA ******************************************************/
    615. 

  615. 

  616. #define INSN_RET  0xD65F03C0, 0xFFFFFFFF
    617. 

  617. #define INSN_CALL 0x94000000, 0xFC000000
    618. 

  618. #define INSN_B    0x14000000, 0xFC000000
    619. 

  619. #define INSN_CBZ  0x34000000, 0xFC000000
    620. 

  620. 

  621. addr_t
    622. 

  622. find_register_value(addr_t where, int reg)
    623. 

  623. {
    624. 

  624.     addr_t val;
    625. 

  625.     addr_t bof = 0;
    626. 

  626.     where -= kerndumpbase;
    627. 

  627.     if (where > xnucore_base) {
    628. 

  628.         bof = bof64(kernel, xnucore_base, where);
    629. 

  629.         if (!bof) {
    630. 

  630.             bof = xnucore_base;
    631. 

  631.         }
    632. 

  632.     } else if (where > prelink_base) {
    633. 

  633.         bof = bof64(kernel, prelink_base, where);
    634. 

  634.         if (!bof) {
    635. 

  635.             bof = prelink_base;
    636. 

  636.         }
    637. 

  637.     }
    638. 

  638.     val = calc64(kernel, bof, where, reg);
    639. 

  639.     if (!val) {
    640. 

  640.         return 0;
    641. 

  641.     }
    642. 

  642.     return val + kerndumpbase;
    643. 

  643. }
    644. 

  644. 

  645. addr_t
    646. 

  646. find_reference(addr_t to, int n, int prelink)
    647. 

  647. {
    648. 

  648.     addr_t ref, end;
    649. 

  649.     addr_t base = xnucore_base;
    650. 

  650.     addr_t size = xnucore_size;
    651. 

  651.     if (prelink) {
    652. 

  652.         base = prelink_base;
    653. 

  653.         size = prelink_size;
    654. 

  654.     }
    655. 

  655.     if (n <= 0) {
    656. 

  656.         n = 1;
    657. 

  657.     }
    658. 

  658.     end = base + size;
    659. 

  659.     to -= kerndumpbase;
    660. 

  660.     do {
    661. 

  661.         ref = xref64(kernel, base, end, to);
    662. 

  662.         if (!ref) {
    663. 

  663.             return 0;
    664. 

  664.         }
    665. 

  665.         base = ref + 4;
    666. 

  666.     } while (--n > 0);
    667. 

  667.     return ref + kerndumpbase;
    668. 

  668. }
    669. 

  669. 

  670. addr_t
    671. 

  671. find_strref(const char *string, int n, int prelink)
    672. 

  672. {
    673. 

  673.     uint8_t *str;
    674. 

  674.     addr_t base = cstring_base;
    675. 

  675.     addr_t size = cstring_size;
    676. 

  676.     if (prelink) {
    677. 

  677.         base = pstring_base;
    678. 

  678.         size = pstring_size;
    679. 

  679.     }
    680. 

  680.     str = boyermoore_horspool_memmem(kernel + base, size, (uint8_t *)string, strlen(string));
    681. 

  681.     if (!str) {
    682. 

  682.         return 0;
    683. 

  683.     }
    684. 

  684.     return find_reference(str - kernel + kerndumpbase, n, prelink);
    685. 

  685. }
    686. 

  686. 

  687. addr_t
    688. 

  688. find_gPhysBase(void)
    689. 

  689. {
    690. 

  690.     addr_t ret, val;
    691. 

  691.     addr_t ref = find_strref("\"pmap_map_high_window_bd: insufficient pages", 1, 0);
    692. 

  692.     if (!ref) {
    693. 

  693.         return 0;
    694. 

  694.     }
    695. 

  695.     ref -= kerndumpbase;
    696. 

  696.     ret = step64(kernel, ref, 64, INSN_RET);
    697. 

  697.     if (!ret) {
    698. 

  698.         return 0;
    699. 

  699.     }
    700. 

  700.     val = calc64(kernel, ref, ret, 8);
    701. 

  701.     if (!val) {
    702. 

  702.         return 0;
    703. 

  703.     }
    704. 

  704.     return val + kerndumpbase;
    705. 

  705. }
    706. 

  706. 

  707. addr_t
    708. 

  708. find_kernel_pmap(void)
    709. 

  709. {
    710. 

  710.     addr_t call, bof, val;
    711. 

  711.     addr_t ref = find_strref("\"pmap_map_bd\"", 1, 0);
    712. 

  712.     if (!ref) {
    713. 

  713.         return 0;
    714. 

  714.     }
    715. 

  715.     ref -= kerndumpbase;
    716. 

  716.     call = step64_back(kernel, ref, 64, INSN_CALL);
    717. 

  717.     if (!call) {
    718. 

  718.         return 0;
    719. 

  719.     }
    720. 

  720.     bof = bof64(kernel, xnucore_base, call);
    721. 

  721.     if (!bof) {
    722. 

  722.         return 0;
    723. 

  723.     }
    724. 

  724.     val = calc64(kernel, bof, call, 2);
    725. 

  725.     if (!val) {
    726. 

  726.         return 0;
    727. 

  727.     }
    728. 

  728.     return val + kerndumpbase;
    729. 

  729. }
    730. 

  730. 

  731. addr_t
    732. 

  732. find_amfiret(void)
    733. 

  733. {
    734. 

  734.     addr_t ret;
    735. 

  735.     addr_t ref = find_strref("AMFI: hook..execve() killing pid %u: %s\n", 1, 1);
    736. 

  736.     if (!ref) {
    737. 

  737.         return 0;
    738. 

  738.     }
    739. 

  739.     ref -= kerndumpbase;
    740. 

  740.     ret = step64(kernel, ref, 512, INSN_RET);
    741. 

  741.     if (!ret) {
    742. 

  742.         return 0;
    743. 

  743.     }
    744. 

  744.     return ret + kerndumpbase;
    745. 

  745. }
    746. 

  746. 

  747. addr_t
    748. 

  748. find_ret_0(void)
    749. 

  749. {
    750. 

  750.     addr_t off;
    751. 

  751.     uint32_t *k;
    752. 

  752.     k = (uint32_t *)(kernel + xnucore_base);
    753. 

  753.     for (off = 0; off < xnucore_size - 4; off += 4, k++) {
    754. 

  754.         if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) {
    755. 

  755.             return off + xnucore_base + kerndumpbase;
    756. 

  756.         }
    757. 

  757.     }
    758. 

  758.     k = (uint32_t *)(kernel + prelink_base);
    759. 

  759.     for (off = 0; off < prelink_size - 4; off += 4, k++) {
    760. 

  760.         if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) {
    761. 

  761.             return off + prelink_base + kerndumpbase;
    762. 

  762.         }
    763. 

  763.     }
    764. 

  764.     return 0;
    765. 

  765. }
    766. 

  766. 

  767. addr_t
    768. 

  768. find_amfi_memcmpstub(void)
    769. 

  769. {
    770. 

  770.     addr_t call, dest, reg;
    771. 

  771.     addr_t ref = find_strref("%s: Possible race detected. Rejecting.", 1, 1);
    772. 

  772.     if (!ref) {
    773. 

  773.         return 0;
    774. 

  774.     }
    775. 

  775.     ref -= kerndumpbase;
    776. 

  776.     call = step64_back(kernel, ref, 64, INSN_CALL);
    777. 

  777.     if (!call) {
    778. 

  778.         return 0;
    779. 

  779.     }
    780. 

  780.     dest = follow_call64(kernel, call);
    781. 

  781.     if (!dest) {
    782. 

  782.         return 0;
    783. 

  783.     }
    784. 

  784.     reg = calc64(kernel, dest, dest + 8, 16);
    785. 

  785.     if (!reg) {
    786. 

  786.         return 0;
    787. 

  787.     }
    788. 

  788.     return reg + kerndumpbase;
    789. 

  789. }
    790. 

  790. 

  791. addr_t
    792. 

  792. find_sbops(void)
    793. 

  793. {
    794. 

  794.     addr_t off, what;
    795. 

  795.     uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Seatbelt sandbox policy", sizeof("Seatbelt sandbox policy") - 1);
    796. 

  796.     if (!str) {
    797. 

  797.         return 0;
    798. 

  798.     }
    799. 

  799.     what = str - kernel + kerndumpbase;
    800. 

  800.     for (off = 0; off < kernel_size - prelink_base; off += 8) {
    801. 

  801.         if (*(uint64_t *)(kernel + prelink_base + off) == what) {
    802. 

  802.             return *(uint64_t *)(kernel + prelink_base + off + 24);
    803. 

  803.         }
    804. 

  804.     }
    805. 

  805.     return 0;
    806. 

  806. }
    807. 

  807. 

  808. addr_t
    809. 

  809. find_lwvm_mapio_patch(void)
    810. 

  810. {
    811. 

  811.     addr_t call, dest, reg;
    812. 

  812.     addr_t ref = find_strref("_mapForIO", 1, 1);
    813. 

  813.     if (!ref) {
    814. 

  814.         return 0;
    815. 

  815.     }
    816. 

  816.     ref -= kerndumpbase;
    817. 

  817.     call = step64(kernel, ref, 64, INSN_CALL);
    818. 

  818.     if (!call) {
    819. 

  819.         return 0;
    820. 

  820.     }
    821. 

  821.     call = step64(kernel, call + 4, 64, INSN_CALL);
    822. 

  822.     if (!call) {
    823. 

  823.         return 0;
    824. 

  824.     }
    825. 

  825.     dest = follow_call64(kernel, call);
    826. 

  826.     if (!dest) {
    827. 

  827.         return 0;
    828. 

  828.     }
    829. 

  829.     reg = calc64(kernel, dest, dest + 8, 16);
    830. 

  830.     if (!reg) {
    831. 

  831.         return 0;
    832. 

  832.     }
    833. 

  833.     return reg + kerndumpbase;
    834. 

  834. }
    835. 

  835. 

  836. addr_t
    837. 

  837. find_lwvm_mapio_newj(void)
    838. 

  838. {
    839. 

  839.     addr_t call;
    840. 

  840.     addr_t ref = find_strref("_mapForIO", 1, 1);
    841. 

  841.     if (!ref) {
    842. 

  842.         return 0;
    843. 

  843.     }
    844. 

  844.     ref -= kerndumpbase;
    845. 

  845.     call = step64(kernel, ref, 64, INSN_CALL);
    846. 

  846.     if (!call) {
    847. 

  847.         return 0;
    848. 

  848.     }
    849. 

  849.     call = step64(kernel, call + 4, 64, INSN_CALL);
    850. 

  850.     if (!call) {
    851. 

  851.         return 0;
    852. 

  852.     }
    853. 

  853.     call = step64(kernel, call + 4, 64, INSN_CALL);
    854. 

  854.     if (!call) {
    855. 

  855.         return 0;
    856. 

  856.     }
    857. 

  857.     call = step64_back(kernel, call, 64, INSN_B);
    858. 

  858.     if (!call) {
    859. 

  859.         return 0;
    860. 

  860.     }
    861. 

  861.     return call + 4 + kerndumpbase;
    862. 

  862. }
    863. 

  863. 

  864. addr_t
    865. 

  865. find_cpacr_write(void)
    866. 

  866. {
    867. 

  867.     addr_t off;
    868. 

  868.     uint32_t *k;
    869. 

  869.     k = (uint32_t *)(kernel + xnucore_base);
    870. 

  870.     for (off = 0; off < xnucore_size - 4; off += 4, k++) {
    871. 

  871.         if (k[0] == 0xd5181040) {
    872. 

  872.             return off + xnucore_base + kerndumpbase;
    873. 

  873.         }
    874. 

  874.     }
    875. 

  875.     return 0;
    876. 

  876. }
    877. 

  877. 

  878. addr_t
    879. 

  879. find_str(const char *string)
    880. 

  880. {
    881. 

  881.     uint8_t *str = boyermoore_horspool_memmem(kernel, kernel_size, (uint8_t *)string, strlen(string));
    882. 

  882.     if (!str) {
    883. 

  883.         return 0;
    884. 

  884.     }
    885. 

  885.     return str - kernel + kerndumpbase;
    886. 

  886. }
    887. 

  887. 

  888. addr_t
    889. 

  889. find_entry(void)
    890. 

  890. {
    891. 

  891.     /* XXX returns an unslid address */
    892. 

  892.     return kernel_entry;
    893. 

  893. }
    894. 

  894. 

  895. const unsigned char *
    896. 

  896. find_mh(void)
    897. 

  897. {
    898. 

  898.     return kernel_mh;
    899. 

  899. }
    900. 

  900. 

  901. addr_t
    902. 

  902. find_amfiops(void)
    903. 

  903. {
    904. 

  904.     addr_t off, what;
    905. 

  905.     uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Apple Mobile File Integrity", sizeof("Apple Mobile File Integrity") - 1);
    906. 

  906.     if (!str) {
    907. 

  907.         return 0;
    908. 

  908.     }
    909. 

  909.     what = str - kernel + kerndumpbase;
    910. 

  910.     /* XXX will only work on a dumped kernel */
    911. 

  911.     for (off = 0; off < kernel_size - prelink_base; off += 8) {
    912. 

  912.         if (*(uint64_t *)(kernel + prelink_base + off) == what) {
    913. 

  913.             return *(uint64_t *)(kernel + prelink_base + off + 0x18);
    914. 

  914.         }
    915. 

  915.     }
    916. 

  916.     return 0;
    917. 

  917. }
    918. 

  918. 

  919. addr_t
    920. 

  920. find_sysbootnonce(void)
    921. 

  921. {
    922. 

  922.     addr_t off, what;
    923. 

  923.     uint8_t *str = boyermoore_horspool_memmem(kernel + cstring_base, cstring_size, (uint8_t *)"com.apple.System.boot-nonce", sizeof("com.apple.System.boot-nonce") - 1);
    924. 

  924.     if (!str) {
    925. 

  925.         return 0;
    926. 

  926.     }
    927. 

  927.     what = str - kernel + kerndumpbase;
    928. 

  928.     for (off = 0; off < kernel_size - xnucore_base; off += 8) {
    929. 

  929.         if (*(uint64_t *)(kernel + xnucore_base + off) == what) {
    930. 

  930.             return xnucore_base + off + 8 + 4 + kerndumpbase;
    931. 

  931.         }
    932. 

  932.     }
    933. 

  933.     return 0;
    934. 

  934. }
    935. 

  935. 

  936. uint64_t find_copyout(void) {
    937. 

  937.     // Find the first reference to the string
    938. 

  938.     addr_t ref = find_strref("\"%s(%p, %p, %lu) - transfer too large\"", 2, 0);
    939. 

  939.     if (!ref) {
    940. 

  940.         return 0;
    941. 

  941.     }
    942. 

  942.     ref -= kerndumpbase;
    943. 

  943.     
    944. 

  944.     uint64_t start = 0;
    945. 

  945.     for (int i = 4; i < 0x100*4; i+=4) {
    946. 

  946.         uint32_t op = *(uint32_t*)(kernel+ref-i);
    947. 

  947.         if (op == 0xd10143ff) { // SUB SP, SP, #0x50
    948. 

  948.             start = ref-i;
    949. 

  949.             break;
    950. 

  950.         }
    951. 

  951.     }
    952. 

  952.     if (!start) {
    953. 

  953.         return 0;
    954. 

  954.     }
    955. 

  955.     
    956. 

  956.     return start + kerndumpbase;
    957. 

  957. }
    958. 

  958. 

  959. uint64_t find_bzero(void) {
    960. 

  960.     // Just find SYS #3, c7, c4, #1, X3, then get the start of that function
    961. 

  961.     addr_t off;
    962. 

  962.     uint32_t *k;
    963. 

  963.     k = (uint32_t *)(kernel + xnucore_base);
    964. 

  964.     for (off = 0; off < xnucore_size - 4; off += 4, k++) {
    965. 

  965.         if (k[0] == 0xd50b7423) {
    966. 

  966.             off += xnucore_base;
    967. 

  967.             break;
    968. 

  968.         }
    969. 

  969.     }
    970. 

  970.     
    971. 

  971.     uint64_t start = bof64(kernel, xnucore_base, off);
    972. 

  972.     if (!start) {
    973. 

  973.         return 0;
    974. 

  974.     }
    975. 

  975.     
    976. 

  976.     return start + kerndumpbase;
    977. 

  977. }
    978. 

  978. 

  979. addr_t find_bcopy(void) {
    980. 

  980.     // Jumps straight into memmove after switching x0 and x1 around
    981. 

  981.     // Guess we just find the switch and that's it
    982. 

  982.     addr_t off;
    983. 

  983.     uint32_t *k;
    984. 

  984.     k = (uint32_t *)(kernel + xnucore_base);
    985. 

  985.     for (off = 0; off < xnucore_size - 4; off += 4, k++) {
    986. 

  986.         if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {
    987. 

  987.             return off + xnucore_base + kerndumpbase;
    988. 

  988.         }
    989. 

  989.     }
    990. 

  990.     k = (uint32_t *)(kernel + prelink_base);
    991. 

  991.     for (off = 0; off < prelink_size - 4; off += 4, k++) {
    992. 

  992.         if (k[0] == 0xAA0003E3 && k[1] == 0xAA0103E0 && k[2] == 0xAA0303E1 && k[3] == 0xd503201F) {
    993. 

  993.             return off + prelink_base + kerndumpbase;
    994. 

  994.         }
    995. 

  995.     }
    996. 

  996.     return 0;
    997. 

  997. }
    998. 

  998. 

  999. addr_t find_trustcache(void) {
    1000. 

  1000.     addr_t call, func, val;
    1001. 

  1001.     addr_t ref = find_strref("amfi_prevent_old_entitled_platform_binaries", 1, 1);
    1002. 

  1002.     if (!ref) {
    1003. 

  1003.         ref = find_strref("com.apple.MobileFileIntegrity", 1, 1);
    1004. 

  1004.     }
    1005. 

  1005.     if (!ref) {
    1006. 

  1006.         printf("didnt find string ref\n");
    1007. 

  1007.         return 0;
    1008. 

  1008.     }
    1009. 

  1009.     ref -= kerndumpbase;
    1010. 

  1010.     call = step64(kernel, ref, 32, INSN_CALL);
    1011. 

  1011.     if (!call) {
    1012. 

  1012.         printf("couldn't find the call\n");
    1013. 

  1013.         return 0;
    1014. 

  1014.     }
    1015. 

  1015.     call = step64(kernel, call+4, 32, INSN_CALL);
    1016. 

  1016.     func = follow_call64(kernel, call);
    1017. 

  1017.     if (!func) {
    1018. 

  1018.         printf("couldn't follow the call\n");
    1019. 

  1019.         return 0;
    1020. 

  1020.     }
    1021. 

  1021.     val = calc64(kernel, func, func + 16, 8);
    1022. 

  1022.     if (!val) {
    1023. 

  1023.         return 0;
    1024. 

  1024.     }
    1025. 

  1025.     return val + kerndumpbase;
    1026. 

  1026. }
    1027. 

  1027. 

  1028. addr_t find_amficache(void) {
    1029. 

  1029.     addr_t call, func, bof, val;
    1030. 

  1030.     addr_t ref = find_strref("amfi_prevent_old_entitled_platform_binaries", 1, 1);
    1031. 

  1031.     if (!ref) {
    1032. 

  1032.         ref = find_strref("com.apple.MobileFileIntegrity", 1, 1);
    1033. 

  1033.     }
    1034. 

  1034.     if (!ref) {
    1035. 

  1035.         printf("didnt find string ref\n");
    1036. 

  1036.         return 0;
    1037. 

  1037.     }
    1038. 

  1038.     ref -= kerndumpbase;
    1039. 

  1039.     call = step64(kernel, ref, 32, INSN_CALL);
    1040. 

  1040.     if (!call) {
    1041. 

  1041.         printf("couldn't find the call\n");
    1042. 

  1042.         return 0;
    1043. 

  1043.     }
    1044. 

  1044.     call = step64(kernel, call+4, 32, INSN_CALL);
    1045. 

  1045.     func = follow_call64(kernel, call);
    1046. 

  1046.     if (!func) {
    1047. 

  1047.         printf("couldn't follow the call\n");
    1048. 

  1048.         return 0;
    1049. 

  1049.     }
    1050. 

  1050.     bof = bof64(kernel, func - 256, func);
    1051. 

  1051.     if (!bof) {
    1052. 

  1052.         printf("couldn't find the start of the function\n");
    1053. 

  1053.         return 0;
    1054. 

  1054.     }
    1055. 

  1055.     val = calc64(kernel, bof, func, 9);
    1056. 

  1056.     if (!val) {
    1057. 

  1057.         printf("couldn't find x9\n");
    1058. 

  1058.         return 0;
    1059. 

  1059.     }
    1060. 

  1060.     return val + kerndumpbase;
    1061. 

  1061. }
    1062. 

  1062. 

  1063. // #ifdef HAVE_MAIN
    1064. 

  1064. 

  1065. /* extra_recipe **************************************************************/
    1066. 

  1066. 

  1067. #define INSN_STR8 0xF9000000 | 8, 0xFFC00000 | 0x1F
    1068. 

  1068. 

  1069. addr_t
    1070. 

  1070. find_AGXCommandQueue_vtable(void)
    1071. 

  1071. {
    1072. 

  1072.     addr_t val, str8;
    1073. 

  1073.     addr_t ref = find_strref("AGXCommandQueue", 1, 1);
    1074. 

  1074.     if (!ref) {
    1075. 

  1075.         return 0;
    1076. 

  1076.     }
    1077. 

  1077.     val = find_register_value(ref, 0);
    1078. 

  1078.     if (!val) {
    1079. 

  1079.         return 0;
    1080. 

  1080.     }
    1081. 

  1081.     ref = find_reference(val, 1, 1);
    1082. 

  1082.     if (!ref) {
    1083. 

  1083.         return 0;
    1084. 

  1084.     }
    1085. 

  1085.     ref -= kerndumpbase;
    1086. 

  1086.     str8 = step64(kernel, ref, 32, INSN_STR8);
    1087. 

  1087.     if (!str8) {
    1088. 

  1088.         return 0;
    1089. 

  1089.     }
    1090. 

  1090.     val = calc64(kernel, ref, str8, 8);
    1091. 

  1091.     if (!val) {
    1092. 

  1092.         return 0;
    1093. 

  1093.     }
    1094. 

  1094.     return val + kerndumpbase;
    1095. 

  1095. }
    1096. 

  1096. 

  1097. addr_t
    1098. 

  1098. find_allproc(void)
    1099. 

  1099. {
    1100. 

  1100.     addr_t val, bof, str8;
    1101. 

  1101.     addr_t ref = find_strref("\"pgrp_add : pgrp is dead adding process\"", 1, 0);
    1102. 

  1102.     if (!ref) {
    1103. 

  1103.         return 0;
    1104. 

  1104.     }
    1105. 

  1105.     ref -= kerndumpbase;
    1106. 

  1106.     bof = bof64(kernel, xnucore_base, ref);
    1107. 

  1107.     if (!bof) {
    1108. 

  1108.         return 0;
    1109. 

  1109.     }
    1110. 

  1110.     str8 = step64_back(kernel, ref, ref - bof, INSN_STR8);
    1111. 

  1111.     if (!str8) {
    1112. 

  1112.         return 0;
    1113. 

  1113.     }
    1114. 

  1114.     val = calc64(kernel, bof, str8, 8);
    1115. 

  1115.     if (!val) {
    1116. 

  1116.         return 0;
    1117. 

  1117.     }
    1118. 

  1118.     return val + kerndumpbase;
    1119. 

  1119. }
    1120. 

  1120. 

  1121. addr_t
    1122. 

  1122. find_call5(void)
    1123. 

  1123. {
    1124. 

  1124.     addr_t bof;
    1125. 

  1125.     uint8_t gadget[] = { 0x95, 0x5A, 0x40, 0xF9, 0x68, 0x02, 0x40, 0xF9, 0x88, 0x5A, 0x00, 0xF9, 0x60, 0xA2, 0x40, 0xA9 };
    1126. 

  1126.     uint8_t *str = boyermoore_horspool_memmem(kernel + prelink_base, prelink_size, gadget, sizeof(gadget));
    1127. 

  1127.     if (!str) {
    1128. 

  1128.         return 0;
    1129. 

  1129.     }
    1130. 

  1130.     bof = bof64(kernel, prelink_base, str - kernel);
    1131. 

  1131.     if (!bof) {
    1132. 

  1132.         return 0;
    1133. 

  1133.     }
    1134. 

  1134.     return bof + kerndumpbase;
    1135. 

  1135. }
    1136. 

  1136. 

  1137. addr_t
    1138. 

  1138. find_realhost(addr_t priv)
    1139. 

  1139. {
    1140. 

  1140.     addr_t val;
    1141. 

  1141.     if (!priv) {
    1142. 

  1142.         return 0;
    1143. 

  1143.     }
    1144. 

  1144.     priv -= kerndumpbase;
    1145. 

  1145.     val = calc64(kernel, priv, priv + 12, 0);
    1146. 

  1146.     if (!val) {
    1147. 

  1147.         return 0;
    1148. 

  1148.     }
    1149. 

  1149.     return val + kerndumpbase;
    1150. 

  1150. }
    1151. 

  1151. 

  1152. uint64_t find_boot_args(unsigned* cmdline_offset) {
    1153. 

  1153.     /*
    1154. 

  1154.      ADRP            X8, #_PE_state@PAGE
    1155. 

  1155.      ADD             X8, X8, #_PE_state@PAGEOFF
    1156. 

  1156.      LDR             X8, [X8,#(PE_state__boot_args - 0xFFFFFFF0078BF098)]
    1157. 

  1157.      ADD             X8, X8, #0x6C
    1158. 

  1158.      STR             X8, [SP,#0x550+var_550]
    1159. 

  1159.      ADRP            X0, #aBsdInitCannotF@PAGE ; "\"bsd_init: cannot find root vnode: %s"...
    1160. 

  1160.      ADD             X0, X0, #aBsdInitCannotF@PAGEOFF ; "\"bsd_init: cannot find root vnode: %s"...
    1161. 

  1161.      BL              _panic
    1162. 

  1162.      */
    1163. 

  1163. 

  1164.     addr_t ref = find_strref("\"bsd_init: cannot find root vnode: %s\"", 1, 0);
    1165. 

  1165. 

  1166.     if (ref == 0) {
    1167. 

  1167.         return 0;
    1168. 

  1168.     }
    1169. 

  1169. 

  1170.     ref -= kerndumpbase;
    1171. 

  1171.     // skip add & adrp for panic str
    1172. 

  1172.     ref -= 8;
    1173. 

  1173.     uint32_t *insn = (uint32_t*)(kernel+ref);
    1174. 

  1174. 

  1175.     // skip str
    1176. 

  1176.     --insn;
    1177. 

  1177.     // add xX, xX, #cmdline_offset
    1178. 

  1178.     uint8_t xm = *insn&0x1f;
    1179. 

  1179.     if (((*insn>>5)&0x1f) != xm || ((*insn>>22)&3) != 0) {
    1180. 

  1180.         return 0;
    1181. 

  1181.     }
    1182. 

  1182. 

  1183.     *cmdline_offset = (*insn>>10) & 0xfff;
    1184. 

  1184. 

  1185.     uint64_t val = kerndumpbase;
    1186. 

  1186. 

  1187.     --insn;
    1188. 

  1188.     // ldr xX, [xX, #(PE_state__boot_args - PE_state)]
    1189. 

  1189.     if ((*insn & 0xF9C00000) != 0xF9400000) {
    1190. 

  1190.         return 0;
    1191. 

  1191.     }
    1192. 

  1192.     // xd == xX, xn == xX,
    1193. 

  1193.     if ((*insn&0x1f) != xm || ((*insn>>5)&0x1f) != xm) {
    1194. 

  1194.         return 0;
    1195. 

  1195.     }
    1196. 

  1196. 

  1197.     val += ((*insn >> 10) & 0xFFF) << 3;
    1198. 

  1198. 

  1199.     --insn;
    1200. 

  1200.     // add xX, xX, #_PE_state@PAGEOFF
    1201. 

  1201.     if ((*insn&0x1f) != xm || ((*insn>>5)&0x1f) != xm || ((*insn>>22)&3) != 0) {
    1202. 

  1202.         return 0;
    1203. 

  1203.     }
    1204. 

  1204. 

  1205.     val += (*insn>>10) & 0xfff;
    1206. 

  1206. 

  1207.     --insn;
    1208. 

  1208.     if ((*insn & 0x1f) != xm) {
    1209. 

  1209.         return 0;
    1210. 

  1210.     }
    1211. 

  1211. 

  1212.     // pc
    1213. 

  1213.     val += ((uint8_t*)(insn) - kernel) & ~0xfff;
    1214. 

  1214. 

  1215.     // don't ask, I wrote this at 5am
    1216. 

  1216.     val += (*insn<<9 & 0x1ffffc000) | (*insn>>17 & 0x3000);
    1217. 

  1217. 

  1218.     return val;
    1219. 

  1219. }
    1220. 

  1220. 

  1221. #include <mach-o/nlist.h>
    1222. 

  1222. 

  1223. addr_t
    1224. 

  1224. find_symbol(const char *symbol)
    1225. 

  1225. {
    1226. 

  1226.     unsigned i;
    1227. 

  1227.     const struct mach_header *hdr = kernel_mh;
    1228. 

  1228.     const uint8_t *q;
    1229. 

  1229.     int is64 = 0;
    1230. 

  1230. 

  1231.     if (IS64(hdr)) {
    1232. 

  1232.         is64 = 4;
    1233. 

  1233.     }
    1234. 

  1234. 

  1235.     /* XXX will only work on a decrypted kernel */
    1236. 

  1236.     if (!kernel_delta) {
    1237. 

  1237.         return 0;
    1238. 

  1238.     }
    1239. 

  1239. 

  1240.     /* XXX I should cache these.  ohwell... */
    1241. 

  1241.     q = (uint8_t *)(hdr + 1) + is64;
    1242. 

  1242.     for (i = 0; i < hdr->ncmds; i++) {
    1243. 

  1243.         const struct load_command *cmd = (struct load_command *)q;
    1244. 

  1244.         if (cmd->cmd == LC_SYMTAB) {
    1245. 

  1245.             const struct symtab_command *sym = (struct symtab_command *)q;
    1246. 

  1246.             const char *stroff = (const char *)kernel + sym->stroff + kernel_delta;
    1247. 

  1247.             if (is64) {
    1248. 

  1248.                 uint32_t k;
    1249. 

  1249.                 const struct nlist_64 *s = (struct nlist_64 *)(kernel + sym->symoff + kernel_delta);
    1250. 

  1250.                 for (k = 0; k < sym->nsyms; k++) {
    1251. 

  1251.                     if (s[k].n_type & N_STAB) {
    1252. 

  1252.                         continue;
    1253. 

  1253.                     }
    1254. 

  1254.                     if (s[k].n_value && (s[k].n_type & N_TYPE) != N_INDR) {
    1255. 

  1255.                         if (!strcmp(symbol, stroff + s[k].n_un.n_strx)) {
    1256. 

  1256.                             /* XXX this is an unslid address */
    1257. 

  1257.                             return s[k].n_value;
    1258. 

  1258.                         }
    1259. 

  1259.                     }
    1260. 

  1260.                 }
    1261. 

  1261.             }
    1262. 

  1262.         }
    1263. 

  1263.         q = q + cmd->cmdsize;
    1264. 

  1264.     }
    1265. 

  1265.     return 0;
    1266. 

  1266. }
    1267. 

  1267. 

  1268. /* test **********************************************************************/
    1269. 

  1269. 

  1270. /*
    1271. 

  1271. int
    1272. 

  1272. main(int argc, char **argv)
    1273. 

  1273. {
    1274. 

  1274.     int rv;
    1275. 

  1275.     addr_t base = 0;
    1276. 

  1276.     const addr_t vm_kernel_slide = 0;
    1277. 

  1277.     rv = init_kernel(base, (argc > 1) ? argv[1] : "krnl");
    1278. 

  1278.     assert(rv == 0);
    1279. 

  1279. 

  1280.     addr_t AGXCommandQueue_vtable = find_AGXCommandQueue_vtable();
    1281. 

  1281.     printf("\t\t\t<string>0x%llx</string>\n", AGXCommandQueue_vtable - vm_kernel_slide);
    1282. 

  1282.     addr_t OSData_getMetaClass = find_symbol("__ZNK6OSData12getMetaClassEv");
    1283. 

  1283.     printf("\t\t\t<string>0x%llx</string>\n", OSData_getMetaClass);
    1284. 

  1284.     addr_t OSSerializer_serialize = find_symbol("__ZNK12OSSerializer9serializeEP11OSSerialize");
    1285. 

  1285.     printf("\t\t\t<string>0x%llx</string>\n", OSSerializer_serialize);
    1286. 

  1286.     addr_t k_uuid_copy = find_symbol("_uuid_copy");
    1287. 

  1287.     printf("\t\t\t<string>0x%llx</string>\n", k_uuid_copy);
    1288. 

  1288.     addr_t allproc = find_allproc();
    1289. 

  1289.     printf("\t\t\t<string>0x%llx</string>\n", allproc);
    1290. 

  1290.     addr_t realhost = find_realhost(find_symbol("_host_priv_self") + vm_kernel_slide);
    1291. 

  1291.     printf("\t\t\t<string>0x%llx</string>\n", realhost - vm_kernel_slide);
    1292. 

  1292.     addr_t call5 = find_call5();
    1293. 

  1293.     printf("\t\t\t<string>0x%llx</string>\n", call5 - vm_kernel_slide);
    1294. 

  1294. 

  1295.     assert(find_symbol("_rootvnode") == find_gPhysBase() + 0x38 - vm_kernel_slide);
    1296. 

  1296. 

  1297.     term_kernel();
    1298. 

  1298.     return 0;
    1299. 

  1299. }*/
    1300. 

  1300. 

  1301. // #endif	/* HAVE_MAIN */
    1302. 

  1302.