Home Explore Help
Sign In
NitoTV
/
merdian
Watch 3
Star 0
Fork 0
Files Issues 0 Pull Requests 1 Wiki
Tree: 55cb733ca3
Branches Tags
merdian
/
Meridian
/
Meridian
/
amfi.m

amfi.m 6.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237 
  1. //
    2. 

  2. //  amfi.m
    3. 

  3. //  Meridian
    4. 

  4. //
    5. 

  5. //  Created by Ben Sparkes on 19/12/2017.
    6. 

  6. //  Copyright © 2017 Ben Sparkes. All rights reserved.
    7. 

  7. //
    8. 

  8. 

  9. #import "patchfinder64.h"
    10. 

  10. #import "kernel.h"
    11. 

  11. #import "amfi.h"
    12. 

  12. #import "helpers.h"
    13. 

  13. #import "ViewController.h"
    14. 

  14. #import <Foundation/Foundation.h>
    15. 

  15. #import <CommonCrypto/CommonDigest.h>
    16. 

  16. #import <mach-o/loader.h>
    17. 

  17. #import <mach-o/dyld_images.h>
    18. 

  18. #import <mach-o/fat.h>
    19. 

  19. #import <mach-o/swap.h>
    20. 

  20. #import <sys/stat.h>
    21. 

  21. #import <sys/event.h>
    22. 

  22. #import <dlfcn.h>
    23. 

  23. #import <pthread.h>
    24. 

  24. #import <sys/spawn.h>
    25. 

  25. 

  26. uint64_t trust_cache;
    27. 

  27. uint64_t amficache;
    28. 

  28. 

  29. int init_amfi() {
    30. 

  30.     trust_cache = find_trustcache();
    31. 

  31.     amficache = find_amficache();
    32. 

  32.     
    33. 

  33.     NSLog(@"[amfi] trust_cache = 0x%llx \n", trust_cache);
    34. 

  34.     NSLog(@"[amfi] amficache = 0x%llx \n", amficache);
    35. 

  35.     
    36. 

  36.     if (trust_cache == 0 ||
    37. 

  37.         amficache == 0) {
    38. 

  38.         return -1;
    39. 

  39.     }
    40. 

  40.     
    41. 

  41.     return 0;
    42. 

  42. }
    43. 

  43. 

  44. // creds to stek29(?)
    45. 

  45. int inject_trust(const char *path) {
    46. 

  46.     if (file_exists(path) != 0) {
    47. 

  47.         NSLog(@"[amfi] you wanka, %s doesn't exist!", path);
    48. 

  48.         return -1;
    49. 

  49.     }
    50. 

  50.     
    51. 

  51.     typedef char hash_t[20];
    52. 

  52.     
    53. 

  53.     struct trust_chain {
    54. 

  54.         uint64_t next;
    55. 

  55.         unsigned char uuid[16];
    56. 

  56.         unsigned int count;
    57. 

  57.         hash_t hash[1];
    58. 

  58.     };
    59. 

  59.     
    60. 

  60.     struct trust_chain fake_chain;
    61. 

  61.     
    62. 

  62.     fake_chain.next = rk64(trust_cache);
    63. 

  63.     *(uint64_t *)&fake_chain.uuid[0] = 0xabadbabeabadbabe;
    64. 

  64.     *(uint64_t *)&fake_chain.uuid[8] = 0xabadbabeabadbabe;
    65. 

  65.     fake_chain.count = 1;
    66. 

  66.     
    67. 

  67.     uint8_t *codeDir = get_code_directory(path, 0);
    68. 

  68.     if (codeDir == NULL) {
    69. 

  69.         NSLog(@"[amfi] was given null code dir for %s!", path);
    70. 

  70.         return -2;
    71. 

  71.     }
    72. 

  72.     
    73. 

  73.     uint8_t *hash = get_sha1(codeDir);
    74. 

  74.     memmove(fake_chain.hash[0], hash, 20);
    75. 

  75.     
    76. 

  76.     free(hash);
    77. 

  77.     
    78. 

  78.     uint64_t kernel_trust = 0;
    79. 

  79.     mach_vm_allocate(tfp0, &kernel_trust, sizeof(fake_chain), VM_FLAGS_ANYWHERE);
    80. 

  80.     
    81. 

  81.     kwrite(kernel_trust, &fake_chain, sizeof(fake_chain));
    82. 

  82.     wk64(trust_cache, kernel_trust);
    83. 

  83.     
    84. 

  84.     NSLog(@"[amfi] signed %s \n", path);
    85. 

  85.     return 0;
    86. 

  86. }
    87. 

  87. 

  88. uint8_t *get_code_directory(const char* file_path, uint64_t file_off) {
    89. 

  89.     FILE* fd = fopen(file_path, "r");
    90. 

  90.     
    91. 

  91.     if (fd == NULL) {
    92. 

  92.         NSLog(@"[amfi] couldn't open file %s", file_path);
    93. 

  93.         fclose(fd);
    94. 

  94.         return NULL;
    95. 

  95.     }
    96. 

  96.     
    97. 

  97.     fseek(fd, 0L, SEEK_END);
    98. 

  98.     uint64_t file_len = ftell(fd);
    99. 

  99.     fseek(fd, 0L, SEEK_SET);
    100. 

  100.     
    101. 

  101.     if (file_off > file_len){
    102. 

  102.         NSLog(@"[amfi] file offset greater than length");
    103. 

  103.         fclose(fd);
    104. 

  104.         return NULL;
    105. 

  105.     }
    106. 

  106.     
    107. 

  107.     uint32_t magic;
    108. 

  108.     fread(&magic, sizeof(magic), 1, fd);
    109. 

  109.     fseek(fd, 0, SEEK_SET);
    110. 

  110.     
    111. 

  111.     int is_swap = (magic == MH_CIGAM || magic == MH_CIGAM_64 || magic == FAT_CIGAM);
    112. 

  112.     
    113. 

  113.     uint64_t off = file_off;
    114. 

  114.     int ncmds = 0;
    115. 

  115.     
    116. 

  116.     if (magic == MH_MAGIC_64) {
    117. 

  117.         struct mach_header_64 mh64;
    118. 

  118.         fread(&mh64, sizeof(mh64), 1, fd);
    119. 

  119.         off += sizeof(mh64);
    120. 

  120.         ncmds = mh64.ncmds;
    121. 

  121.     } else if (magic == MH_MAGIC) {
    122. 

  122.         struct mach_header mh;
    123. 

  123.         fread(&mh, sizeof(mh), 1, fd);
    124. 

  124.         off += sizeof(mh);
    125. 

  125.         ncmds = mh.ncmds;
    126. 

  126.     } else if (magic == FAT_CIGAM || magic == FAT_CIGAM_64) {
    127. 

  127.         struct fat_header header;
    128. 

  128.         fread(&header, sizeof(header), 1, fd);
    129. 

  129.         if (is_swap) swap_fat_header(&header, 0);
    130. 

  130.         
    131. 

  131.         int arch_offset = sizeof(header);
    132. 

  132.         for (int i = 0; i < header.nfat_arch; i++) {
    133. 

  133.             struct fat_arch arch;
    134. 

  134.             fseek(fd, arch_offset, 0);
    135. 

  135.             fread(&arch, sizeof(struct fat_arch), 1, fd);
    136. 

  136.             if (is_swap) swap_fat_arch(&arch, 1, 0);
    137. 

  137.             
    138. 

  138.             if (arch.cputype != CPU_TYPE_ARM64) continue;
    139. 

  139.             
    140. 

  140.             fseek(fd, arch.offset, 0);
    141. 

  141.             
    142. 

  142.             uint32_t magic;
    143. 

  143.             fread(&magic, sizeof(magic), 1, fd);
    144. 

  144.             
    145. 

  145.             if (magic == MH_MAGIC) {
    146. 

  146.                 struct mach_header mh;
    147. 

  147.                 fread(&mh, sizeof(mh), 1, fd);
    148. 

  148.                 off += arch.offset + sizeof(mh);
    149. 

  149.                 ncmds = mh.ncmds;
    150. 

  150.             } else if (magic == MH_MAGIC_64) {
    151. 

  151.                 struct mach_header_64 mh64;
    152. 

  152.                 fread(&mh64, sizeof(mh64), 1, fd);
    153. 

  153.                 off += arch.offset + sizeof(mh64);
    154. 

  154.                 ncmds = mh64.ncmds;
    155. 

  155.             }
    156. 

  156.             
    157. 

  157.             arch_offset += sizeof(arch);
    158. 

  158.         }
    159. 

  159.     } else {
    160. 

  160.         NSLog(@"[amfi] your magic is not valid in these lands! %ux", magic);
    161. 

  161.         fclose(fd);
    162. 

  162.         return NULL;
    163. 

  163.     }
    164. 

  164.     
    165. 

  165.     if (off > file_len) {
    166. 

  166.         NSLog(@"[amfi] unexpected end of file");
    167. 

  167.         fclose(fd);
    168. 

  168.         return NULL;
    169. 

  169.     }
    170. 

  170.     
    171. 

  171.     fseek(fd, off, SEEK_SET);
    172. 

  172.     
    173. 

  173.     for (int i = 0; i < ncmds; i++) {
    174. 

  174.         if (off + sizeof(struct load_command) > file_len) {
    175. 

  175.             NSLog(@"[amfi] unexpected end of file");
    176. 

  176.             fclose(fd);
    177. 

  177.             return NULL;
    178. 

  178.         }
    179. 

  179.         
    180. 

  180.         const struct load_command cmd;
    181. 

  181.         fseek(fd, off, SEEK_SET);
    182. 

  182.         fread((void*)&cmd, sizeof(struct load_command), 1, fd);
    183. 

  183.         if (cmd.cmd == LC_CODE_SIGNATURE) {
    184. 

  184.             uint32_t off_cs;
    185. 

  185.             fread(&off_cs, sizeof(uint32_t), 1, fd);
    186. 

  186.             uint32_t size_cs;
    187. 

  187.             fread(&size_cs, sizeof(uint32_t), 1, fd);
    188. 

  188.             
    189. 

  189.             if (off_cs + file_off + size_cs > file_len) {
    190. 

  190.                 NSLog(@"[amfi] unexpected end of file");
    191. 

  191.                 fclose(fd);
    192. 

  192.                 return NULL;
    193. 

  193.             }
    194. 

  194.             
    195. 

  195.             uint8_t *cd = malloc(size_cs);
    196. 

  196.             fseek(fd, off_cs + file_off, SEEK_SET);
    197. 

  197.             fread(cd, size_cs, 1, fd);
    198. 

  198.             return cd;
    199. 

  199.         } else {
    200. 

  200.             off += cmd.cmdsize;
    201. 

  201.             if (off > file_len) {
    202. 

  202.                 NSLog(@"[amfi] unexpected end of file");
    203. 

  203.                 fclose(fd);
    204. 

  204.                 return NULL;
    205. 

  205.             }
    206. 

  206.         }
    207. 

  207.     }
    208. 

  208.     
    209. 

  209.     NSLog(@"[amfi] couldn't find the code sig for %s", file_path);
    210. 

  210.     fclose(fd);
    211. 

  211.     return NULL;
    212. 

  212. }
    213. 

  213. 

  214. // creds to nullpixel
    215. 

  215. uint8_t *get_sha1(uint8_t* code_dir) {
    216. 

  216.     uint8_t *out = malloc(CC_SHA1_DIGEST_LENGTH);
    217. 

  217.     
    218. 

  218.     uint32_t* code_dir_int = (uint32_t*)code_dir;
    219. 

  219.     
    220. 

  220.     uint32_t realsize = 0;
    221. 

  221.     for (int j = 0; j < 10; j++) {
    222. 

  222.         if (swap_uint32(code_dir_int[j]) == 0xfade0c02) {
    223. 

  223.             realsize = swap_uint32(code_dir_int[j+1]);
    224. 

  224.             code_dir += 4*j;
    225. 

  225.         }
    226. 

  226.     }
    227. 

  227.     
    228. 

  228.     CC_SHA1(code_dir, realsize, out);
    229. 

  229.     
    230. 

  230.     return out;
    231. 

  231. }
    232. 

  232. 

  233. uint32_t swap_uint32(uint32_t val) {
    234. 

  234.     val = ((val << 8) & 0xFF00FF00) | ((val >> 8) & 0xFF00FF);
    235. 

  235.     return (val << 16) | (val >> 16);
    236. 

  236. }
    237. 

  237.