Undecimus: Is it possible to use MSHookFunction in a command line program on iOS 11.3.1 [using unc0ver 1.1.4]

Created on 13 Nov 2018 · 8 Comments · Source: pwn20wndstuff/Undecimus

Hi, I'm using unc0ver 1.1.4 for iOS 11.3.1

I am developing a patch for a binary which runs as root daemon.

I tried insert_dylib tool, and successfully inserted my dylib into the binary (as a LC_LOAD_DYLIB command).

The test code of my dylib runs well, but if I use MSHookFunction or Fishhook, the process just gets killed. Is this expected? Is there any solution to get hooking code working for a root daemon?

Exception Type:  EXC_BAD_ACCESS (SIGKILL - CODESIGNING)
Exception Subtype: unknown at 0x00000001007e8000
VM Region Info: 0x1007e8000 is in 0x1007e8000-0x1007ec000;  bytes after start: 0  bytes before end: 16383
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __LLVM                 00000001007e4000-00000001007e8000 [   16K] rw-/rw- SM=COW  ...MyPatch.dylib
--->  __LINKEDIT             00000001007e8000-00000001007ec000 [   16K] r--/rw- SM=COW  ...MyPatch.dylib
      __TEXT                 00000001007ec000-00000001007f4000 [   32K] r-x/rwx SM=COW  ...bstrate.dylib

Termination Reason: Namespace CODESIGNING, Code 0x2
Triggered by Thread:  0

Thread 0 Crashed:
0       dyld                            0x1008d891c 0x1008c0000 + 0x1891c   // ImageLoaderMachOCompressed::rebase(ImageLoader::LinkContext const&, unsigned long) + 0xa0
1       dyld                            0x1008d88fc 0x1008c0000 + 0x188fc   // ImageLoaderMachOCompressed::rebase(ImageLoader::LinkContext const&, unsigned long) + 0x80
2       dyld                            0x1008d1b7c 0x1008c0000 + 0x11b7c   // ImageLoader::recursiveRebase(ImageLoader::LinkContext const&) + 0x90
3       dyld                            0x1008d1b54 0x1008c0000 + 0x11b54   // ImageLoader::recursiveRebase(ImageLoader::LinkContext const&) + 0x68
4       dyld                            0x1008d0a64 0x1008c0000 + 0x10a64   // ImageLoader::link(ImageLoader::LinkContext const&, bool, bool, bool, ImageLoader::RPathChain const&, char const*) + 0xd8
5       dyld                            0x1008c518c 0x1008c0000 + 0x518c    // dyld::link(ImageLoader*, bool, bool, ImageLoader::RPathChain const&, unsigned int) + 0xe4
6       dyld                            0x1008c6e9c 0x1008c0000 + 0x6e9c    // dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 0x15c0
7       dyld                            0x1008c121c 0x1008c0000 + 0x121c    // _dyld_start + 0x44
Bug

All 8 comments

wtf are you doing? Why would you patch an Apple root daemon? That changes the code signature and it won't be able to run for the most part (mostly when not jailbroken). This may very well result in a bootloop depending on the daemon. @ChrisYang2009

@Cryptiiiic thanks for your reply.
I'm not patching an Apple root daemon, it's just a third-party command line program which runs as root.

I wrote a demo command line program with MSHookFunction, and found it also gets Killed: 9; the exception type is the same as in the original post.

So my question becomes: Is it possible to use MSHookFunction in a command line program?

#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <CydiaSubstrate/CydiaSubstrate.h>

/* trampoline to the original time(), filled in by MSHookFunction */
static time_t (*old_time)(time_t *a);
static time_t new_time(time_t *a) {
    return 123456;
}


int main (int argc, const char * argv[])
{
    printf("uid: %d\n", getuid());  // tested as root/mobile, nothing different
    printf("time: %ld\n", (long)time(0));

    // ↓↓↓↓↓↓  killed 9
    MSHookFunction((void *)time,
                   (void *)new_time,
                   (void **)&old_time);
    // ↑↑↑↑↑↑  killed 9

    printf("time: %ld\n", (long)time(0));
    printf("Hello, World!\n");
    return 0;
}

the entitlements used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.private.skip-library-validation</key>
        <true/>
    </dict>
</plist>

@ChrisYang2009 There might be a solution in a week or two depending on how well private testing goes. If you don't know what I'm referring to, look at the other branch on this github.

Substrate is supported by commit c3c23b2, however, substrate is still being tested and there are a few issues we need to work out before public release.

If you're trying to use substrate 0.9.6301 or earlier, that's not going to work out well.

ok, thank you guys, I will wait for the next public release to test :)

@Cryptiiiic

#include <dlfcn.h>
#include <stdint.h>
#include <sys/types.h>
#include <unistd.h>

/* Set platform binary flag */
#define FLAG_PLATFORMIZE (1 << 1)

void platformize_me() {
    void* handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle) return;

    // Reset errors
    dlerror();
    typedef void (*fix_entitle_prt_t)(pid_t pid, uint32_t what);
    fix_entitle_prt_t ptr = (fix_entitle_prt_t)dlsym(handle, "jb_oneshot_entitle_now");

    const char *dlsym_error = dlerror();
    if (dlsym_error) return;

    // ask jailbreakd to platformize the calling process
    ptr(getpid(), FLAG_PLATFORMIZE);
}

I tested with this code, and MSHookFunction just works after platformize_me is called.

@ChrisYang2009 That's pretty weird. When you platformize from a tweak, you are just platformizing the process. Not sure what happens when you MSHookFunction that causes the process to get killed. Maybe there's a more detailed log in syslog. Hopefully this is fixed with substrate.

@Cryptiiiic Yes, I don't know the reason. But I can confirm the following cases work on iOS 11.3.1 with unc0ver 1.1.4:

  1. call platformize_me and then use MSHookFunction directly in a command line program
  2. insert_dylib a custom dylib into a third-party command line program, call platformize_me and then use MSHookFunction in the dylib-tweak's ctor (Logos Tweak)

Both cases will get Killed: 9 if platformize_me is not called.

However, I will keep testing if you publish a new release. Thank you guys.
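The two working cases above combine into one procedure: platformize the process, confirm it took, and only then call MSHookFunction. The program below is an added example written for this page, not code from the issue or from the Undecimus project. The library path, the jb_oneshot_entitle_now symbol and FLAG_PLATFORMIZE are taken from the comments above; the csops()/CS_PLATFORM_BINARY check is an assumption on my part that jailbreakd implements "platformize" by setting that code-signing flag, and the replacement value 123456 is the one from the demo. The non-iOS branch exists only so the portable helpers compile elsewhere; on a real device the binary still has to be signed with the platform-application and skip-library-validation entitlements shown earlier (for example with ldid -Sents.plist, a tool the issue itself does not name).

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#ifdef __APPLE__
#include <TargetConditionals.h>
#endif
#if defined(__APPLE__) && TARGET_OS_IPHONE
#define HAVE_JAILBREAK_ENV 1
#include <dlfcn.h>
#include <CydiaSubstrate/CydiaSubstrate.h>
/* csops(2) has no public header on iOS; prototype and constants copied from xnu. */
extern int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
#define CS_OPS_STATUS      0
#define CS_PLATFORM_BINARY 0x04000000u
#else
#define HAVE_JAILBREAK_ENV 0   /* not a jailbroken iOS build: helpers return failure */
#endif

#define FLAG_PLATFORMIZE (1 << 1)  /* same flag the issue passes to jb_oneshot_entitle_now */
#define FIXED_TIME       123456L   /* value the replacement returns, from the issue's demo */

enum platformize_result {
    PLATFORMIZE_OK = 0,
    PLATFORMIZE_NO_LIB,      /* /usr/lib/libjailbreak.dylib not present */
    PLATFORMIZE_NO_SYMBOL    /* library present but jb_oneshot_entitle_now missing */
};

/* Step 1: ask jailbreakd to mark this process as a platform binary. */
static enum platformize_result platformize_self(void)
{
#if HAVE_JAILBREAK_ENV
    void *handle = dlopen("/usr/lib/libjailbreak.dylib", RTLD_LAZY);
    if (!handle)
        return PLATFORMIZE_NO_LIB;

    typedef void (*entitle_fn)(pid_t pid, uint32_t what);
    dlerror();   /* clear any stale error before dlsym */
    entitle_fn entitle = (entitle_fn)dlsym(handle, "jb_oneshot_entitle_now");
    if (!entitle || dlerror() != NULL)
        return PLATFORMIZE_NO_SYMBOL;

    entitle(getpid(), FLAG_PLATFORMIZE);
    return PLATFORMIZE_OK;
#else
    return PLATFORMIZE_NO_LIB;
#endif
}

/* Step 2: verify the kernel now treats us as a platform binary. Assumption: jailbreakd
 * sets CS_PLATFORM_BINARY in the process's cs flags, which csops() lets us read. */
static int is_platform_binary(void)
{
#if HAVE_JAILBREAK_ENV
    uint32_t flags = 0;
    if (csops(getpid(), CS_OPS_STATUS, &flags, sizeof flags) != 0)
        return 0;
    return (flags & CS_PLATFORM_BINARY) != 0;
#else
    return 0;
#endif
}

static time_t (*orig_time)(time_t *);

/* Replacement keeps time()'s contract: the value is also stored through the pointer. */
static time_t hooked_time(time_t *out)
{
    if (out)
        *out = FIXED_TIME;
    return FIXED_TIME;
}

/* Step 3: hook only once platformized; otherwise the CODESIGNING kill from the issue follows. */
static int install_time_hook(void)
{
#if HAVE_JAILBREAK_ENV
    if (!is_platform_binary())
        return -1;
    MSHookFunction((void *)time, (void *)hooked_time, (void **)&orig_time);
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    enum platformize_result pr = platformize_self();
    if (pr != PLATFORMIZE_OK) {
        fprintf(stderr, "platformize failed (%d); refusing to hook\n", (int)pr);
        return 1;
    }
    printf("platform binary: %s\n", is_platform_binary() ? "yes" : "no");
    printf("time before hook: %ld\n", (long)time(NULL));
    if (install_time_hook() != 0) {
        fprintf(stderr, "hook not installed\n");
        return 1;
    }
    printf("time after hook:  %ld\n", (long)time(NULL));
    /* Confirm the hook took effect and the trampoline to the original was produced. */
    return (time(NULL) == FIXED_TIME && orig_time != NULL) ? 0 : 1;
}
```

For the insert_dylib case the same three functions go into an `__attribute__((constructor))` of the injected dylib instead of main(), in the same order: platformize first, check, then hook. Platformizing marks the whole process, not just the dylib, so keep it to processes you actually intend to patch.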
