| #!/bin/bash | |
| # If you like this script and my work on libimobiledevice, please | |
| # consider becoming a patron at https://patreon.com/nikias - Thanks <3 | |
| REV=1.0.14 | |
| export MACOSX_DEPLOYMENT_TARGET=10.13 | |
| if test "`echo -e Test`" != "Test" 2>&1; then | |
| echo Please run this with zsh or bash. |
You also might wanna just use Whisky which does this automatically
This guide works on macOS 13.4+ using Command Line Tools for XCode 15 Beta!
In the recent WWDC, Apple announced and released the "game porting toolkit", which upon further inspection this is just a modified version of CrossOver's fork of wine which is a "compatibility layer" that allows you to run Windows applications on macOS and Linux.
| #!/usr/bin/env bash | |
| set -e | |
| PROJECT="$1" | |
| if [ -z "$PROJECT" ]; then | |
| echo "Usage: $0 <project>" | |
| exit 1 | |
| fi |
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <pthread/pthread.h> | |
| #include <mach/mach.h> | |
| struct ool_msg { | |
| mach_msg_header_t hdr; | |
| mach_msg_body_t body; | |
| mach_msg_ool_ports_descriptor_t ool_ports[]; | |
| }; |
| // To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector, | |
| // then codesign with com.apple.developer.endpoint-security.client and run the | |
| // program as root. | |
| #include <EndpointSecurity/EndpointSecurity.h> | |
| #include <algorithm> | |
| #include <array> | |
| #include <bsm/libbsm.h> | |
| #include <cstdint> | |
| #include <cstdlib> |
This is not a tutorial, just a small guide to myself but feel free to get some infos here.
Working on an iPhone 7 running iOS 14.5.1
Jailbreak an iPhone/iPad/whatever
If necessary, you'll need to bypass Jailbreak detection for some apps with tweaks like A-Bypass, Hestia, HideJB, etc.
Get the PID of the app you want to capture traffic from with frida-ps -Ua ( a is for showing running apps only, you can -U to show all running processes instead)
pip3 install frida-tools or your systemfrida -U -Fsource https://codeshare.frida.re/@federicodotta/ios13-pinning-bypass/
* Description: iOS 13 SSL Bypass based on https://codeshare.frida.re/@machoreverser/ios12-ssl-bypass/ and https://github.com/nabla-c0d3/ssl-kill-switch2
| #if 0 | |
| Fixed in iOS 13.0 with CVE-2019-8712. | |
| ApplePPM::setProperties() : OSArray::initWithArray called without locks leads to OOB Writes | |
| __thiscall ApplePPM::setProperties(ApplePPM *this,OSDictionary *param_1) | |
| { | |
| ... | |
| ... | |
JSC is the JavaScript engine from Apple's JavaScriptCore (WebKit) as a console application that you can use to run script in the terminal.
For more info visit the JSC's webkit wiki page.
Using jsc is simple, the one issue is that Apple keeps changing the location for jsc. To deal with this issue I just create a symbolic link to the binary:
| // macOS x86_64 syscall works as follows: | |
| // Syscall id is moved into rax | |
| // 1st argument is moved into rdi | |
| // 2nd argument is moved into rsi | |
| // 3rd argument is moved into rdx | |
| // ... plus some more | |
| // Return value is stored in rax (where we put syscall value) | |
| // Mac syscall enum that contains the value to correctly call it | |
| enum Syscall: Int { |