PsychoTea/amfid.c

## amfid.c
    {
        COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");

        inject_trust("/jb/amfid_payload.dylib");

        uint32_t amfid_pid = get_pid_for_name("amfid");

        uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
        VAL_CHECK(osbool_val);

        uint64_t our_ucred = rk64(myproc + 0x100);
        VAL_CHECK(our_ucred);

        uint64_t our_cr_label = rk64(our_ucred + 0x78);
        VAL_CHECK(our_cr_label);

        uint64_t our_ents = rk64(our_cr_label + 0x8);
        VAL_CHECK(our_ents);

        uint64_t OSDictionary_vtab = rk64(our_ents);
        VAL_CHECK(OSDictionary_vtab);

        // OSDictionary::SetObject = vtable->0xf8
        uint64_t OSDictionary_SetItem = rk64(OSDictionary_vtab + 0xf8);
        VAL_CHECK(OSDictionary_SetItem);

        const char *str_to_patch = "task_for_pid-allow";

        int str_len = strlen(str_to_patch) + 1;
        uint64_t str_alloc = kalloc(str_len);

        kwrite(str_alloc, (void *)str_to_patch, str_len);

        LOG("str_alloc: %llx", str_alloc);

        // kexecute automatically adds kernel_slide, however this vtab entry is already slid
        LOG("OSDict::SetItem return: %llx", kexecute(OSDictionary_SetItem - kernel_slide, 3, our_ents, str_alloc, osbool_val));

        kfree(str_alloc, str_len);

        ret = inject_library(amfid_pid, "/jb/amfid_payload.dylib");
        if (ret != KERN_SUCCESS)
        {
            LOG("failed to inject amfid payload");
            goto out;
        }

        LOG("amfid patched?!");

        int tries = 0;
        while (access("/var/tmp/amfid.alive", F_OK) != 0 && tries < 100)
        {
            LOG("waiting for amfid...");
            usleep(500000);
            tries++;
        }

        if (tries >= 100)
        {
            LOG("failed to patch amfid :(");
            ret = KERN_FAILURE;
            goto out;
        }
    }
	{
	COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib");

	inject_trust("/jb/amfid_payload.dylib");

	uint32_t amfid_pid = get_pid_for_name("amfid");

	uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide);
	VAL_CHECK(osbool_val);

	uint64_t our_ucred = rk64(myproc + 0x100);
	VAL_CHECK(our_ucred);

	uint64_t our_cr_label = rk64(our_ucred + 0x78);
	VAL_CHECK(our_cr_label);

	uint64_t our_ents = rk64(our_cr_label + 0x8);
	VAL_CHECK(our_ents);

	uint64_t OSDictionary_vtab = rk64(our_ents);
	VAL_CHECK(OSDictionary_vtab);

	// OSDictionary::SetObject = vtable->0xf8
	uint64_t OSDictionary_SetItem = rk64(OSDictionary_vtab + 0xf8);
	VAL_CHECK(OSDictionary_SetItem);

	const char *str_to_patch = "task_for_pid-allow";

	int str_len = strlen(str_to_patch) + 1;
	uint64_t str_alloc = kalloc(str_len);

	kwrite(str_alloc, (void *)str_to_patch, str_len);

	LOG("str_alloc: %llx", str_alloc);

	// kexecute automatically adds kernel_slide, however this vtab entry is already slid
	LOG("OSDict::SetItem return: %llx", kexecute(OSDictionary_SetItem - kernel_slide, 3, our_ents, str_alloc, osbool_val));

	kfree(str_alloc, str_len);

	ret = inject_library(amfid_pid, "/jb/amfid_payload.dylib");
	if (ret != KERN_SUCCESS)
	{
	LOG("failed to inject amfid payload");
	goto out;
	}

	LOG("amfid patched?!");

	int tries = 0;
	while (access("/var/tmp/amfid.alive", F_OK) != 0 && tries < 100)
	{
	LOG("waiting for amfid...");
	usleep(500000);
	tries++;
	}

	if (tries >= 100)
	{
	LOG("failed to patch amfid :(");
	ret = KERN_FAILURE;
	goto out;
	}
	}