123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255 |
- #include "kmem.h"
- #include "kern_utils.h"
- #include "sandbox.h"
- #include "patchfinder64.h"
- #include "kexecute.h"
- typedef uint64_t extension_hdr_t;
- typedef uint64_t extension_t;
- struct extension_hdr {
- /* 0x00 */ extension_hdr_t next;
- /* 0x08 */ uint64_t desc;
- /* 0x10 */ extension_t ext_lst;
- /* 0x18 */
- };
- struct extension {
- /* 0x00 */ extension_t next;
- /* 0x08 */ uint64_t desc; // always 0xffffffffffffffff
- /* 0x10 */ uint64_t ext_lst; // zero, since it's extension and not a header
- /* 0x18 */ uint8_t something[32]; // zeroed from what I've seen
- /* 0x38 */ uint32_t type; // see ext_type enum
- /* 0x3c */ uint32_t subtype; // either 0 or 4 (or whatever unhex gave?..)
- /* 0x40 */ uint64_t data; // a c string, meaning depends on type and hdr which had this extension
- /* 0x48 */ uint64_t data_len; // strlen(data)
- /* 0x50 */ uint64_t unk0; // always 0
- /* 0x58 */ uint64_t unk1; // always 0xdeadbeefdeadbeef
- /* 0x60 */
- };
- uint64_t _smalloc(uint64_t size) {
- return kexecute(find_smalloc(), size, 0, 0, 0, 0, 0, 0);
- }
- uint64_t smalloc(uint64_t size) {
- uint64_t ret = _smalloc(size);
-
- if (ret != 0) {
- // IOAlloc's of small size go to zalloc
- ret = zm_fix_addr(ret);
- }
- return ret;
- }
- uint64_t sstrdup(const char* s) {
- size_t slen = strlen(s) + 1;
- uint64_t ks = smalloc(slen);
- if (ks) {
- kwrite(ks, s, slen);
- }
- return ks;
- }
- // Notice: path should *not* end with '/' !
- uint64_t extension_create_file(const char* path, uint64_t nextptr) {
- size_t slen = strlen(path);
- if (path[slen - 1] == '/') {
- fprintf(stderr, "No traling slash in path pls\n");
- return 0;
- }
- uint64_t ext_p = smalloc(sizeof(struct extension));
- uint64_t ks = sstrdup(path);
- if (ext_p && ks) {
- struct extension ext;
- bzero(&ext, sizeof(ext));
- ext.next = nextptr;
- ext.desc = 0xffffffffffffffff;
-
- // ext.type = 0;
- // ext.subtype = 0;
- ext.data = ks;
- ext.data_len = slen;
- kwrite(ext_p, &ext, sizeof(ext));
- } else {
- // XXX oh no a leak
- }
- return ext_p;
- }
- // get 64 higher bits of 64bit int multiplication
- // https://stackoverflow.com/a/28904636
- // ofc in asm it's done with 1 instruction huh
- // XXX there has to be a cleaner way utilizing hardware support
- uint64_t mulhi(uint64_t a, uint64_t b) {
- uint64_t a_lo = (uint32_t)a;
- uint64_t a_hi = a >> 32;
- uint64_t b_lo = (uint32_t)b;
- uint64_t b_hi = b >> 32;
- uint64_t a_x_b_hi = a_hi * b_hi;
- uint64_t a_x_b_mid = a_hi * b_lo;
- uint64_t b_x_a_mid = b_hi * a_lo;
- uint64_t a_x_b_lo = a_lo * b_lo;
- uint64_t carry_bit = ((uint64_t)(uint32_t)a_x_b_mid +
- (uint64_t)(uint32_t)b_x_a_mid +
- (a_x_b_lo >> 32) ) >> 32;
- uint64_t multhi = a_x_b_hi +
- (a_x_b_mid >> 32) + (b_x_a_mid >> 32) +
- carry_bit;
- return multhi;
- }
- int hashing_magic(const char *desc) {
- // inlined into exception_add
- uint64_t hashed = 0x1505;
- // if desc == NULL, then returned value would be 8
- // APPL optimizes it for some reason
- // but meh, desc should never be NULL or you get
- // null dereference in exception_add
- // if (desc == NULL) return 8;
- if (desc != NULL) {
- for (const char* dp = desc; *dp != '\0'; ++dp) {
- hashed += hashed << 5;
- hashed += (int64_t) *dp;
- }
- }
- uint64_t magic = 0xe38e38e38e38e38f;
- uint64_t hi = mulhi(hashed, magic);
- hi >>= 3;
- hi = (hi<<3) + hi;
- hashed -= hi;
- return hashed;
- }
- static const char *ent_key = "com.apple.security.exception.files.absolute-path.read-only";
- uint64_t make_ext_hdr(const char* key, uint64_t ext_lst) {
- struct extension_hdr hdr;
- uint64_t khdr = smalloc(sizeof(hdr));
- if (khdr) {
- // we add headers to end
- hdr.next = 0;
- hdr.desc = sstrdup(key);
- if (hdr.desc == 0) {
- // XXX leak
- return 0;
- }
- hdr.ext_lst = ext_lst;
- kwrite(khdr, &hdr, sizeof(hdr));
- }
- return khdr;
- }
- void extension_add(uint64_t ext, uint64_t sb, const char* desc) {
- // XXX patchfinder + kexecute would be way better
- int slot = hashing_magic(ent_key);
- uint64_t insert_at_p = sb + sizeof(void*) + slot * sizeof(void*);
- uint64_t insert_at = rk64(insert_at_p);
- while (insert_at != 0) {
- uint64_t kdsc = rk64(insert_at + offsetof(struct extension_hdr, desc));
- if (kstrcmp(kdsc, desc) == 0) {
- break;
- }
- insert_at_p = insert_at;
- insert_at = rk64(insert_at);
- }
- if (insert_at == 0) {
- insert_at = make_ext_hdr(ent_key, ext);
- wk64(insert_at_p, insert_at);
- } else {
- // XXX no duplicate check
- uint64_t ext_lst_p = insert_at + offsetof(struct extension_hdr, ext_lst);
- uint64_t ext_lst = rk64(ext_lst_p);
- while (ext_lst != 0) {
- fprintf(stderr, "ext_lst_p = 0x%llx ext_lst = 0x%llx\n", ext_lst_p, ext_lst);
- ext_lst_p = ext_lst + offsetof(struct extension, next);
- ext_lst = rk64(ext_lst_p);
- }
- fprintf(stderr, "ext_lst_p = 0x%llx ext_lst = 0x%llx\n", ext_lst_p, ext_lst);
- wk64(ext_lst_p, ext);
- }
- }
- // 1 if yes
- int has_file_extension(uint64_t sb, const char* path) {
- const char* desc = ent_key;
- int found = 0;
- int slot = hashing_magic(ent_key);
- uint64_t insert_at_p = sb + sizeof(void*) + slot * sizeof(void*);
- uint64_t insert_at = rk64(insert_at_p);
- while (insert_at != 0) {
- uint64_t kdsc = rk64(insert_at + offsetof(struct extension_hdr, desc));
- if (kstrcmp(kdsc, desc) == 0) {
- break;
- }
- insert_at_p = insert_at;
- insert_at = rk64(insert_at);
- }
- if (insert_at != 0) {
- uint64_t ext_lst = rk64(insert_at + offsetof(struct extension_hdr, ext_lst));
- uint64_t plen = strlen(path);
- char *exist = malloc(plen + 1);
- exist[plen] = '\0';
- while (ext_lst != 0) {
- // XXX no type/subtype check
- uint64_t data_len = rk64(ext_lst + offsetof(struct extension, data_len));
- if (data_len == plen) {
- uint64_t data = rk64(ext_lst + offsetof(struct extension, data));
- kread(data, exist, plen);
- if (strcmp(path, exist) == 0) {
- found = 1;
- break;
- }
- }
- ext_lst = rk64(ext_lst);
- }
-
- free(exist);
- }
- return found;
- }
|