Proteas Proteas

## inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c
void inject_trusts(int pathc, const char *paths[])
{
    printf("[+] injecting into trust cache...\n");

    extern uint64_t g_kern_base;

    static uint64_t tc = 0;
    if (tc == 0) {
        /* loaded_trust_caches
         iPhone11,2-4-6: 0xFFFFFFF008F702C8

## pac-set-key.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              9 stars
            
          
                Proteas
                / pac-set-key.md
            
            
              Created
              September 22, 2018 12:50
            
          
    iOS-v12.0-16A366-iPhone11,6

instructions about setting pac key
__text:FFFFFFF007A0834C                 LDR             X0, =0xFEEDFACEFEEDFACF ; LDR X0, #348, 0xFFFFFFF007A084A8
__text:FFFFFFF007A08350                 MSR             #0, c2, c1, #2, X0 ; APIBKeyLo_EL1
__text:FFFFFFF007A08354                 MSR             #0, c2, c1, #3, X0 ; APIBKeyHi_EL1
__text:FFFFFFF007A08358                 ADD             X0, X0, #1
__text:FFFFFFF007A0835C                 MSR             #0, c2, c2, #2, X0 ; APDBKeyLo_EL1
__text:FFFFFFF007A08360                 MSR             #0, c2, c2, #3, X0 ; APDBKeyHi_EL1

  
## xnu-4570.1.46-arm64-steps.txt
Following are my steps to build the ARM64 version of xnu-4570.1.46, hope this is helpfull for saving time.
1. Use Xcode 9.0
2. Preparation is same as macOS, and there is a guide: https://0xcc.re/building-xnu-kernel-macosx-sierrra-10-12-x/
3. There is an ARM64 version libfirehose: https://github.com/Proteas/install_firehose_lib
4. Copy and edit the ARM64 config(CFLAGS, LDFLAGS) from darwin-on-arm/xnu to your target project
5. Example CFLAGS: -Darm64 -DARM64 -D__arm64__ -D__ARM64__ -DLP64 -DCONFIG_EMBEDDED -mkernel -DARM64_BOARD_CONFIG_T8011=1
6. Fix compiling stage errors by directly importing the missing headers or editing the code
7. Fix linking stage errors by implementing place holder funcitons for: chudxnu_cpu_alloc, etc
8. If missing symbol __divti3 in linking stage, get the runtime from llvm.

## dyld-actions-during-loading.txt
======== dyld by Proteas ========
seg name: __PAGEZERO
seg name: __TEXT
seg name: __DATA
seg name: __LINKEDIT
ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
notifySingle(state=10, image=/bin/ls)
addMappedRange(0x100000000->0x10000A000) for ls
sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
addRootImage(0x7fdce1f01eb0, /bin/ls)

## macos-kern-info.d
#! /usr/sbin/dtrace -C -s

/*
	requirement: disable SIP
*/

#pragma D option quiet
BEGIN {
	printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
	printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));

## o_direct_race.c

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>

## dtrace-sample.d
#!/usr/sbin/dtrace -s

#pragma D option flowindent

/* monitor file open */
syscall::open:entry
{
	printf("%s %s", execname, copyinstr(arg0));
}

## Makefile

all: driver exp

driver: dummymod.c
	cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
	/usr/bin/ld -r -o dummy dummymod.o

exp:
	cc -o hexp hexpl.c -lsched -m64 -lkstat


## gdbGetStrippedSymbols.sh
#!/bin/sh
# gdbGetStrippedSymbols.sh
# @author Dominik Hadl (@dominikhadl)
# @description This script automates the setup of gdb on a stripped applicaiton adds symbols. It uses objc-symbols to get the symbols,
#             then SymTabCreator and finally creates a command that is automatically loaded into gdb on start.
# @license Licensed under WTFPL license (see http://www.wtfpl.net/txt/copying/ for full license).
# @dependencies
#  			1. objc-symbols
#			2. SymTabCreator
#			3. gdb (really non-obvious)

## DCrypt-Proteas.sh

#!/bin/sh
#
# DeCrypt - v1.2 (2013-02-05)
#  - v1.1 (2008-10-21)
#  - v1.2 (2013-02-05)
# FloydianSlip, Proteas
#
# Heavily based on xcrack
#
	void inject_trusts(int pathc, const char *paths[])
	{
	printf("[+] injecting into trust cache...\n");

	extern uint64_t g_kern_base;

	static uint64_t tc = 0;
	if (tc == 0) {
	/* loaded_trust_caches
	iPhone11,2-4-6: 0xFFFFFFF008F702C8
	Following are my steps to build the ARM64 version of xnu-4570.1.46, hope this is helpfull for saving time.
	1. Use Xcode 9.0
	2. Preparation is same as macOS, and there is a guide: https://0xcc.re/building-xnu-kernel-macosx-sierrra-10-12-x/
	3. There is an ARM64 version libfirehose: https://github.com/Proteas/install_firehose_lib
	4. Copy and edit the ARM64 config(CFLAGS, LDFLAGS) from darwin-on-arm/xnu to your target project
	5. Example CFLAGS: -Darm64 -DARM64 -D__arm64__ -D__ARM64__ -DLP64 -DCONFIG_EMBEDDED -mkernel -DARM64_BOARD_CONFIG_T8011=1
	6. Fix compiling stage errors by directly importing the missing headers or editing the code
	7. Fix linking stage errors by implementing place holder funcitons for: chudxnu_cpu_alloc, etc
	8. If missing symbol __divti3 in linking stage, get the runtime from llvm.
	======== dyld by Proteas ========
	seg name: __PAGEZERO
	seg name: __TEXT
	seg name: __DATA
	seg name: __LINKEDIT
	ImageLoader=72, ImageLoaderMachO=120, ImageLoaderMachOClassic=144, ImageLoaderMachOCompressed=128
	notifySingle(state=10, image=/bin/ls)
	addMappedRange(0x100000000->0x10000A000) for ls
	sSharedCacheSlide=0x57333000, loadedAddress=0x7fffc7333000, preferedLoadAddress=0x7fff70000000
	addRootImage(0x7fdce1f01eb0, /bin/ls)
	#! /usr/sbin/dtrace -C -s

	/*
	requirement: disable SIP
	*/

	#pragma D option quiet
	BEGIN {
	printf("vm_kernel_slide: 0x%p\n", (`vm_kernel_slide));
	printf("vm_kernel_base: 0x%p\n", (`vm_kernel_base));

	#define _GNU_SOURCE

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <sys/syscall.h>
	#!/usr/sbin/dtrace -s

	#pragma D option flowindent

	/* monitor file open */
	syscall::open:entry
	{
	printf("%s %s", execname, copyinstr(arg0));
	}

	all: driver exp

	driver: dummymod.c
	cc -D_KERNEL -m64 -xmodel=kernel -c dummymod.c
	/usr/bin/ld -r -o dummy dummymod.o

	exp:
	cc -o hexp hexpl.c -lsched -m64 -lkstat
	#!/bin/sh
	# gdbGetStrippedSymbols.sh
	# @author Dominik Hadl (@dominikhadl)
	# @description This script automates the setup of gdb on a stripped applicaiton adds symbols. It uses objc-symbols to get the symbols,
	# then SymTabCreator and finally creates a command that is automatically loaded into gdb on start.
	# @license Licensed under WTFPL license (see http://www.wtfpl.net/txt/copying/ for full license).
	# @dependencies
	# 1. objc-symbols
	# 2. SymTabCreator
	# 3. gdb (really non-obvious)

	#!/bin/sh
	#
	# DeCrypt - v1.2 (2013-02-05)
	# - v1.1 (2008-10-21)
	# - v1.2 (2013-02-05)
	# FloydianSlip, Proteas
	#
	# Heavily based on xcrack
	#