Home Explore Help
Sign In
NitoTV
/
merdian
Watch 3
Star 0
Fork 0
Files Issues 0 Pull Requests 1 Wiki
Tree: 5f2f3a64eb
Branches Tags
merdian
/
Meridian
/
meridianTV
/
electra_extras
/
sbinject
/
SBInject.x

SBInject.x 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269 
  1. #import <dlfcn.h>
    2. 

  2. #import <objc/runtime.h>
    3. 

  3. #import <stdlib.h>
    4. 

  4. #import <stdio.h>
    5. 

  5. #import <unistd.h>
    6. 

  6. #import <pthread.h>
    7. 

  7. #import <sys/stat.h>
    8. 

  8. #import <sys/types.h>
    9. 

  9. #import <CommonCrypto/CommonDigest.h>
    10. 

  10. #include <syslog.h>
    11. 

  11. 

  12. #define PROC_PIDPATHINFO_MAXSIZE  (1024)
    13. 

  13. int proc_pidpath(pid_t pid, void *buffer, uint32_t buffersize);
    14. 

  14. 

  15. #define dylibDir @"/Library/MobileSubstrate/DynamicLibraries/"
    16. 

  16. 

  17. NSArray *sbinjectGenerateDylibList() {
    18. 

  18. 

  19.     NSString *processName = [[NSProcessInfo processInfo] processName];
    20. 

  20.     // launchctl, amfid you are special cases
    21. 

  21.     if ([processName isEqualToString:@"launchctl"]) {
    22. 

  22.         HBLogInfo(@"launchctl exit");
    23. 

  23.         return nil;
    24. 

  24.     }
    25. 

  25.     if ([processName isEqualToString:@"amfid"]) {
    26. 

  26.         HBLogInfo(@"amfid exit");
    27. 

  27.         return nil;
    28. 

  28.     }
    29. 

  29.     // Create an array containing all the filenames in dylibDir (/opt/simject)
    30. 

  30.     NSError *e = nil;
    31. 

  31.     NSArray *dylibDirContents = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:dylibDir error:&e];
    32. 

  32.     if (e) {
    33. 

  33.         return nil;
    34. 

  34.     }
    35. 

  35.     // Read current bundle identifier
    36. 

  36.     NSString *bundleIdentifier = NSBundle.mainBundle.bundleIdentifier;
    37. 

  37.     NSLog(@"bundleID: %@", bundleIdentifier);
    38. 

  38.     // We're only interested in the plist files
    39. 

  39.     NSArray *plists = [dylibDirContents filteredArrayUsingPredicate:[NSPredicate predicateWithFormat:@"SELF ENDSWITH %@", @"plist"]];
    40. 

  40.     // Create an empty mutable array that will contain a list of dylib paths to be injected into the target process
    41. 

  41.     NSMutableArray *dylibsToInject = [NSMutableArray array];
    42. 

  42.     // Loop through the list of plists
    43. 

  43.     for (NSString *plist in plists) {
    44. 

  44.         // We'll want to deal with absolute paths, so append the filename to dylibDir
    45. 

  45.         NSString *plistPath = [dylibDir stringByAppendingPathComponent:plist];
    46. 

  46.         NSDictionary *filter = [NSDictionary dictionaryWithContentsOfFile:plistPath];
    47. 

  47.         // This boolean indicates whether or not the dylib has already been injected
    48. 

  48.         BOOL isInjected = NO;
    49. 

  49.         // If supported iOS versions are specified within the plist, we check those first
    50. 

  50.         NSArray *supportedVersions = filter[@"CoreFoundationVersion"];
    51. 

  51.         if (supportedVersions) {
    52. 

  52.             if (supportedVersions.count != 1 && supportedVersions.count != 2) {
    53. 

  53.                 continue; // Supported versions are in the wrong format, we should skip
    54. 

  54.             }
    55. 

  55.             if (supportedVersions.count == 1 && [supportedVersions[0] doubleValue] > kCFCoreFoundationVersionNumber) {
    56. 

  56.                 continue; // Doesn't meet lower bound
    57. 

  57.             }
    58. 

  58.             if (supportedVersions.count == 2 && ([supportedVersions[0] doubleValue] > kCFCoreFoundationVersionNumber || [supportedVersions[1] doubleValue] <= kCFCoreFoundationVersionNumber)) {
    59. 

  59.                 continue; // Outside bounds
    60. 

  60.             }
    61. 

  61.         }
    62. 

  62.         // Decide whether or not to load the dylib based on the Bundles values
    63. 

  63.         
    64. 

  64.         NSArray *injectBundles = filter[@"Filter"][@"Bundles"];
    65. 

  65.         //NSLog(@"bundles: %@", injectBundles);
    66. 

  66. 

  67.         if ([injectBundles containsObject:bundleIdentifier]){
    68. 

  68. 

  69.             //NSLog(@"inject bundles contains object: %@", bundleIdentifier);
    70. 

  70.             
    71. 

  71.             [dylibsToInject addObject:[[plistPath stringByDeletingPathExtension] stringByAppendingString:@".dylib"]];
    72. 

  72.             isInjected = YES;
    73. 

  73.             break;
    74. 

  74.         }
    75. 

  75.         /*
    76. 

  76.         for (NSString *entry in filter[@"Filter"][@"Bundles"]) {
    77. 

  77.             // Check to see whether or not this bundle is actually loaded in this application or not
    78. 

  78.             if (!CFBundleGetBundleWithIdentifier((CFStringRef)entry)) {
    79. 

  79.                 // If not, skip it
    80. 

  80.                 continue;
    81. 

  81.             }
    82. 

  82.             [dylibsToInject addObject:[[plistPath stringByDeletingPathExtension] stringByAppendingString:@".dylib"]];
    83. 

  83.             isInjected = YES;
    84. 

  84.             break;
    85. 

  85.         }
    86. 

  86.         */
    87. 

  87.         if (!isInjected) {
    88. 

  88.             // Decide whether or not to load the dylib based on the Executables values
    89. 

  89.             for (NSString *process in filter[@"Filter"][@"Executables"]) {
    90. 

  90.                 if ([process isEqualToString:processName]) {
    91. 

  91.                     [dylibsToInject addObject:[[plistPath stringByDeletingPathExtension] stringByAppendingString:@".dylib"]];
    92. 

  92.                     isInjected = YES;
    93. 

  93.                     break;
    94. 

  94.                 }
    95. 

  95.             }
    96. 

  96.         }
    97. 

  97.         if (!isInjected) {
    98. 

  98.             // Decide whether or not to load the dylib based on the Classes values
    99. 

  99.             for (NSString *clazz in filter[@"Filter"][@"Classes"]) {
    100. 

  100.                 // Also check if this class is loaded in this application or not
    101. 

  101.                 if (!NSClassFromString(clazz)) {
    102. 

  102.                     // This class couldn't be loaded, skip
    103. 

  103.                     continue;
    104. 

  104.                 }
    105. 

  105.                 // It's fine to add this dylib at this point
    106. 

  106.                 [dylibsToInject addObject:[[plistPath stringByDeletingPathExtension] stringByAppendingString:@".dylib"]];
    107. 

  107.                 isInjected = YES;
    108. 

  108.                 break;
    109. 

  109.             }
    110. 

  110.         }
    111. 

  111.     }
    112. 

  112.     [dylibsToInject sortUsingSelector:@selector(caseInsensitiveCompare:)];
    113. 

  113.     return dylibsToInject;
    114. 

  114. }
    115. 

  115. 

  116. int file_exist(char *filename) {
    117. 

  117.     struct stat buffer;
    118. 

  118.     int r = stat(filename, &buffer);
    119. 

  119.     return (r == 0);
    120. 

  120. }
    121. 

  121. 

  122. 

  123. 

  124. @interface SpringBoard : NSObject
    125. 

  125. - (BOOL)launchApplicationWithIdentifier:(NSString *)identifier suspended:(BOOL)suspended;
    126. 

  126. - (id)sharedApplication;
    127. 

  127. @end
    128. 

  128. 

  129. %group SafeMode
    130. 

  130. %hook FBApplicationInfo
    131. 

  131. - (NSDictionary *)environmentVariables {
    132. 

  132.     NSDictionary *originalVariables = %orig;
    133. 

  133.     NSMutableDictionary *newVariables = [originalVariables mutableCopy];
    134. 

  134.     [newVariables setObject:@1 forKey:@"_SafeMode"];
    135. 

  135.     return [newVariables autorelease];
    136. 

  136. }
    137. 

  137. %end
    138. 

  138. /*
    139. 

  139. %hook SBLockScreenManager
    140. 

  140. -(BOOL)_finishUIUnlockFromSource:(int)arg1 withOptions:(id)arg2 {
    141. 

  141.     BOOL ret = %orig;
    142. 

  142.     [(SpringBoard *)[%c(UIApplication) sharedApplication] launchApplicationWithIdentifier:@"org.coolstar.SafeMode" suspended:NO];
    143. 

  143.     return ret;
    144. 

  144. }
    145. 

  145. 

  146. // Necessary on iPhone X to show after swipe unlock gesture
    147. 

  147. -(void)lockScreenViewControllerDidDismiss {
    148. 

  148.     %orig;
    149. 

  149.     [(SpringBoard *)[%c(UIApplication) sharedApplication] launchApplicationWithIdentifier:@"org.coolstar.SafeMode" suspended:NO];
    150. 

  150. }
    151. 

  151. %end
    152. 

  152. */
    153. 

  153. %end
    154. 

  154. 

  155. static BOOL isSpringBoardOrBackboard = NO;
    156. 

  156. static NSString *processHash = @"";
    157. 

  157. BOOL safeMode = false;
    158. 

  158. 

  159. void SpringBoardSigHandler(int signo, siginfo_t *info, void *uap){
    160. 

  160.     if (isSpringBoardOrBackboard){
    161. 

  161.         FILE *f = fopen("/var/mobile/Library/.sbinjectSafeMode", "w");
    162. 

  162.         fprintf(f, "Hello World\n");
    163. 

  163.         fclose(f);
    164. 

  164.     }
    165. 

  165.     FILE *f = fopen([[NSString stringWithFormat:@"%@/.safeMode-%@", NSTemporaryDirectory(), processHash] UTF8String], "w");
    166. 

  166.     fprintf(f, "Hello World!\n");
    167. 

  167.     fclose(f);
    168. 

  168. 

  169.     raise(signo);
    170. 

  170. }
    171. 

  171. 

  172. __attribute__ ((constructor))
    173. 

  173. static void ctor(void) {
    174. 

  174.     @autoreleasepool {
    175. 

  175.         if (NSBundle.mainBundle.bundleIdentifier == nil || ![NSBundle.mainBundle.bundleIdentifier isEqualToString:@"org.coolstar.SafeMode"]){
    176. 

  176.             char pathbuf[PROC_PIDPATHINFO_MAXSIZE] = {0};
    177. 

  177.             int ret = proc_pidpath(getpid(), pathbuf, sizeof(pathbuf));
    178. 

  178.             if (ret > 0){
    179. 

  179.                 uint8_t digest[CC_SHA1_DIGEST_LENGTH];
    180. 

  180. 

  181.                 CC_SHA1(pathbuf, ret, digest);
    182. 

  182. 

  183.                 NSMutableString *output = [NSMutableString stringWithCapacity:CC_SHA1_DIGEST_LENGTH * 2];
    184. 

  184. 

  185.                 for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++)
    186. 

  186.                 {
    187. 

  187.                     [output appendFormat:@"%02x", digest[i]];
    188. 

  188.                 }
    189. 

  189.                 processHash = [[NSString alloc] initWithString:output];
    190. 

  190.             }
    191. 

  191. 

  192.             safeMode = false;
    193. 

  193.             NSString *processName = [[NSProcessInfo processInfo] processName];
    194. 

  194. 

  195.             struct sigaction action;
    196. 

  196.             memset(&action, 0, sizeof(action));
    197. 

  197.             action.sa_sigaction = &SpringBoardSigHandler;
    198. 

  198.             action.sa_flags = SA_SIGINFO | SA_RESETHAND;
    199. 

  199.             sigemptyset(&action.sa_mask);
    200. 

  200. 

  201.             sigaction(SIGQUIT, &action, NULL);
    202. 

  202.             sigaction(SIGILL, &action, NULL);
    203. 

  203.             sigaction(SIGTRAP, &action, NULL);
    204. 

  204.             sigaction(SIGABRT, &action, NULL);
    205. 

  205.             sigaction(SIGEMT, &action, NULL);
    206. 

  206.             sigaction(SIGFPE, &action, NULL);
    207. 

  207.             sigaction(SIGBUS, &action, NULL);
    208. 

  208.             sigaction(SIGSEGV, &action, NULL);
    209. 

  209.             sigaction(SIGSYS, &action, NULL);
    210. 

  210. 

  211.             if ([processName isEqualToString:@"backboardd"] || [NSBundle.mainBundle.bundleIdentifier isEqualToString:@"com.apple.springboard"]){
    212. 

  212.                 isSpringBoardOrBackboard = YES;
    213. 

  213.                 if (file_exist("/var/mobile/Library/.sbinjectSafeMode")){
    214. 

  214.                     safeMode = true;
    215. 

  215.                     if ([NSBundle.mainBundle.bundleIdentifier isEqualToString:@"com.apple.springboard"]){
    216. 

  216.                         unlink("/var/mobile/Library/.sbinjectSafeMode");
    217. 

  217.                         NSLog(@"Entering Safe Mode!");
    218. 

  218.                         %init(SafeMode);
    219. 

  219.                     }
    220. 

  220.                 }
    221. 

  221.             }
    222. 

  222. 

  223.             if ([NSBundle.mainBundle.bundleIdentifier isEqualToString:@"com.apple.springboard"]){
    224. 

  224.                 dlopen("/usr/lib/TweakInjectMapsCheck.dylib", RTLD_LAZY | RTLD_GLOBAL);
    225. 

  225.             }
    226. 

  226. 

  227.             const char *safeModeByProcPath = [[NSString stringWithFormat:@"%@/.safeMode-%@", NSTemporaryDirectory(), processHash] UTF8String];
    228. 

  228.             if (file_exist((char *)safeModeByProcPath)){
    229. 

  229.                 safeMode = true;
    230. 

  230.                 unlink(safeModeByProcPath);
    231. 

  231.             }
    232. 

  232. 

  233.             if (getenv("_MSSafeMode")){
    234. 

  234.                 if (strcmp(getenv("_MSSafeMode"),"1") == 0){
    235. 

  235.                     safeMode = true;
    236. 

  236.                 }
    237. 

  237.             }
    238. 

  238.             if (getenv("_SafeMode")){
    239. 

  239.                 if (strcmp(getenv("_SafeMode"),"1") == 0){
    240. 

  240.                     safeMode = true;
    241. 

  241.                 }
    242. 

  242.             }
    243. 

  243.             if (getenv("_SubstituteSafeMode")){
    244. 

  244.                 if (strcmp(getenv("_SubstituteSafeMode"),"1") == 0){
    245. 

  245.                     safeMode = true;
    246. 

  246.                 }
    247. 

  247.             }
    248. 

  248. 

  249.             if (!safeMode){
    250. 

  250. 

  251.                 //HBLogInfo(@"In bundle: %@", NSBundle.mainBundle.bundleIdentifier);
    252. 

  252. 

  253.                 NSArray *theList = sbinjectGenerateDylibList();
    254. 

  254.                 //HBLogInfo(@"theList: %@", theList);
    255. 

  255.                 for (NSString *dylib in theList) {
    256. 

  256.                     NSLog(@"Injecting %@", dylib);
    257. 

  257.                     void *dl = dlopen([dylib UTF8String], RTLD_LAZY | RTLD_GLOBAL);
    258. 

  258. 

  259.                     if (dl == NULL) {
    260. 

  260.                         NSLog(@"Injection failed: '%s'", dlerror());
    261. 

  261.                     }
    262. 

  262.                 }
    263. 

  263.             } else {
    264. 

  264.                 NSLog(@"TweakInject: Entering Safe Mode!");
    265. 

  265.             }
    266. 

  266.         }
    267. 

  267.     }
    268. 

  268. }
    269. 

  269.