Proteas Proteas

## mac_policy_ops-19E287_vs_20A5343i.diff
diff --git a/mac_policy_ops.c b/mac_policy_ops.c
index 798bd29..bb3c425 100644
--- a/mac_policy_ops.c
+++ b/mac_policy_ops.c
@@ -2,10 +2,10 @@ struct mac_policy_ops
 {
   mpo_audit_check_postselect_t *mpo_audit_check_postselect;
   mpo_audit_check_preselect_t *mpo_audit_check_preselect;
-  mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
-  mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;

## DCrypt-Proteas.sh

#!/bin/sh
#
# DeCrypt - v1.2 (2013-02-05)
#  - v1.1 (2008-10-21)
#  - v1.2 (2013-02-05)
# FloydianSlip, Proteas
#
# Heavily based on xcrack
#

## macos-kern-info.d
#! /usr/sbin/dtrace -C -s

/*
	requirement: disable SIP
*/

#pragma D option quiet
BEGIN {
	printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
	printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));

## Makefile

all: driver exp

driver: dummymod.c
	cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
	/usr/bin/ld -r -o dummy dummymod.o

exp:
	cc -o hexp hexpl.c -lsched -m64 -lkstat


## iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                Proteas
                / iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG.md
            
            
              Last active
              July 8, 2020 04:23
            
              
                WebContent's sandbox rules of syscall-unix, syscall-mach, mig-kernel in iOS-v14.0-18A5301v
              
          
    iOS-v14.0-18A5301v-WebContent-Unix-Mach-MIG

Syscall-Unix

SYS_exit
SYS_read
SYS_write
SYS_open
SYS_close
SYS_link


## ent-diff-iPhone11,2-17E262-vs-17F75.diff
*** ent-list-17E262-iPhone11,2.json	2020-05-25 11:16:14.000000000 +0800
--- ent-list-17F75-iPhone11,2.json	2020-05-25 11:02:29.000000000 +0800
***************
*** 389,394 ****
--- 389,395 ----
      "com.apple.developer.default-data-protection",
+     "com.apple.developer.exposure-notification",
      "com.apple.developer.extension-host.photo-editing",
***************
*** 820,826 ****

## dyld-actions-during-loading.txt
======== dyld by Proteas ========
seg name: __PAGEZERO
seg name: __TEXT
seg name: __DATA
seg name: __LINKEDIT
ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
notifySingle(state=10, image=/bin/ls)
addMappedRange(0x100000000->0x10000A000) for ls
sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
addRootImage(0x7fdce1f01eb0, /bin/ls)

## gdbGetStrippedSymbols.sh
#!/bin/sh
# gdbGetStrippedSymbols.sh
# @author Dominik Hadl (@dominikhadl)
# @description This script automates the setup of gdb on a stripped applicaiton adds symbols. It uses objc-symbols to get the symbols,
#             then SymTabCreator and finally creates a command that is automatically loaded into gdb on start.
# @license Licensed under WTFPL license (see http://www.wtfpl.net/txt/copying/ for full license).
# @dependencies
#  			1. objc-symbols
#			2. SymTabCreator
#			3. gdb (really non-obvious)

## o_direct_race.c

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>

## dtrace-sample.d
#!/usr/sbin/dtrace -s

#pragma D option flowindent

/* monitor file open */
syscall::open:entry
{
	printf("%s %s", execname, copyinstr(arg0));
}
	diff --git a/mac_policy_ops.c b/mac_policy_ops.c
	index 798bd29..bb3c425 100644
	--- a/mac_policy_ops.c
	+++ b/mac_policy_ops.c
	@@ -2,10 +2,10 @@ struct mac_policy_ops
	{
	mpo_audit_check_postselect_t *mpo_audit_check_postselect;
	mpo_audit_check_preselect_t *mpo_audit_check_preselect;
	- mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
	- mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;

	#!/bin/sh
	#
	# DeCrypt - v1.2 (2013-02-05)
	# - v1.1 (2008-10-21)
	# - v1.2 (2013-02-05)
	# FloydianSlip, Proteas
	#
	# Heavily based on xcrack
	#
	#! /usr/sbin/dtrace -C -s

	/*
	requirement: disable SIP
	*/

	#pragma D option quiet
	BEGIN {
	printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
	printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));

	all: driver exp

	driver: dummymod.c
	cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
	/usr/bin/ld -r -o dummy dummymod.o

	exp:
	cc -o hexp hexpl.c -lsched -m64 -lkstat
	*** ent-list-17E262-iPhone11,2.json 2020-05-25 11:16:14.000000000 +0800
	--- ent-list-17F75-iPhone11,2.json 2020-05-25 11:02:29.000000000 +0800
	***************
	* 389,394 **
	--- 389,395 ----
	"com.apple.developer.default-data-protection",
	+ "com.apple.developer.exposure-notification",
	"com.apple.developer.extension-host.photo-editing",
	***************
	* 820,826 **
	======== dyld by Proteas ========
	seg name: __PAGEZERO
	seg name: __TEXT
	seg name: __DATA
	seg name: __LINKEDIT
	ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
	notifySingle(state=10, image=/bin/ls)
	addMappedRange(0x100000000->0x10000A000) for ls
	sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
	addRootImage(0x7fdce1f01eb0, /bin/ls)
	#!/bin/sh
	# gdbGetStrippedSymbols.sh
	# @author Dominik Hadl (@dominikhadl)
	# @description This script automates the setup of gdb on a stripped applicaiton adds symbols. It uses objc-symbols to get the symbols,
	# then SymTabCreator and finally creates a command that is automatically loaded into gdb on start.
	# @license Licensed under WTFPL license (see http://www.wtfpl.net/txt/copying/ for full license).
	# @dependencies
	# 1. objc-symbols
	# 2. SymTabCreator
	# 3. gdb (really non-obvious)

	#define _GNU_SOURCE

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <sys/syscall.h>
	#!/usr/sbin/dtrace -s

	#pragma D option flowindent

	/* monitor file open */
	syscall::open:entry
	{
	printf("%s %s", execname, copyinstr(arg0));
	}