
Commit 3111c43

committed
Patch stuff
1 parent b37ebd2 commit 3111c43


5 files changed

+56
-58
lines changed


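--- a/Makefile
+++ b/Makefile
@@ -6,24 +6,19 @@ include $(THEOS)/makefiles/common.mk
 ADDITIONAL_LDFLAGS = -rpath @loader_path/Frameworks
 THEOS_PACKAGE_SCHEME = rootless
 
-LIBRARY_NAME = SelfJIT
-SelfJIT_FILES = SelfJIT.c
-SelfJIT_INSTALL_PATH = /Applications/SpringBoardTS.app
-include $(THEOS_MAKE_PATH)/library.mk
-
 TWEAK_NAME = SpringBoardTweak
 SpringBoardTweak_FILES = Tweak.x
 SpringBoardTweak_CFLAGS = -fobjc-arc
 SpringBoardTweak_INSTALL_PATH = /Applications/SpringBoardTS.app
 SpringBoardTweak_FRAMEWORKS = UIKit
 SpringBoardTweak_PRIVATE_FRAMEWORKS = CommonUtilities UIKitServices WatchdogClient FrontBoard
-# CommonUtilities UIKitServices SpringBoard ToneLibrary WatchdogClient
 include $(THEOS_MAKE_PATH)/tweak.mk
 
 APPLICATION_NAME = SpringBoardTS
-$(APPLICATION_NAME)_FRAMEWORKS = CydiaSubstrate
+# $(APPLICATION_NAME)_FRAMEWORKS = CydiaSubstrate
 # $(APPLICATION_NAME)_PRIVATE_FRAMEWORKS = ChronoServices FrontBoard
-$(APPLICATION_NAME)_FILES = main.m
+$(APPLICATION_NAME)_BUNDLE_NAME = SpringBoardTS
+$(APPLICATION_NAME)_FILES = hook.c main.m
 $(APPLICATION_NAME)_CFLAGS = -fcommon -fobjc-arc -Wno-error
 $(APPLICATION_NAME)_CODESIGN_FLAGS = -Sentitlements.plist -Icom.apple.springboardts
 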
SelfJIT.c

Lines changed: 0 additions & 31 deletions
This file was deleted.

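--- a/entitlements.plist
+++ b/entitlements.plist
@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 <key>application-identifier</key>
-<string>com.apple.springboard</string>
+<string>com.apple.springboardts</string>
 <key>aps-connection-initiate</key>
 <true/>
 <key>backupd-connection-initiate</key>
@@ -91,10 +91,10 @@
 <dict/>
 </dict>
 </dict>
-<!--
+
 <key>com.apple.assertiond.system-shell</key>
 <true/>
--->
+
 <key>com.apple.assistant.announcement_state</key>
 <true/>
 <key>com.apple.assistant.client</key>
@@ -198,7 +198,7 @@
 <key>com.apple.developer.homekit</key>
 <true/>
 <key>com.apple.developer.ubiquity-kvstore-identifier</key>
-<string>com.apple.springboard</string>
+<string>com.apple.springboardts</string>
 <key>com.apple.duet.activityscheduler.allow</key>
 <true/>
 <key>com.apple.duet.expertcenter.consumer</key>
@@ -810,10 +810,8 @@
 <true/>
 <key>com.apple.private.wallpaperkit.service.migration</key>
 <true/>
-<!--
 <key>com.apple.private.xpc.launchd.app-server</key>
 <true/>
--->
 <key>com.apple.proactive.ActionPrediction.predictions</key>
 <true/>
 <key>com.apple.proactive.AppPrediction.predictions</key>
@@ -850,6 +848,8 @@
 <true/>
 <key>com.apple.runningboard.assertions.frontboard</key>
 <true/>
+<key>com.apple.runningboard.assertions.frontboardts</key>
+<true/>
 <key>com.apple.runningboard.hereditarygrantoriginator</key>
 <true/>
 <key>com.apple.runningboard.posterkit.host</key>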
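Review bot: The new key `com.apple.runningboard.assertions.frontboardts` in the last hunk reads like the springboard→springboardts rename applied to an entitlement name, but entitlement keys are presumably matched literally by the checking daemon, so an unrecognised key grants nothing and only adds noise; if FrontBoard assertions are the goal, the `com.apple.runningboard.assertions.frontboard` line directly above already claims them, so this addition should be justified in a comment or dropped. The same commit re-enables `com.apple.assertiond.system-shell` and `com.apple.private.xpc.launchd.app-server` by removing the `<!-- -->` guards without recording what failed while they were commented out; since every key in this file is a capability the signed binary will hold, a one-line XML comment above each re-enabled private entitlement (for example `<!-- required: SpringBoard registers as app-server with launchd -->`) would keep the list auditable. The `application-identifier` and ubiquity-kvstore changes to `com.apple.springboardts` are consistent with the `-Icom.apple.springboardts` codesign flag in the Makefile, which looks intentional.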

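--- /dev/null
+++ b/hook.c
@@ -0,0 +1,42 @@
+#include <assert.h>
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <mach-o/loader.h>
+#include <mach-o/nlist.h>
+#include <mach-o/dyld.h>
+#include <mach-o/dyld_images.h>
+#include <sys/syscall.h>
+
+#define ASM(...) __asm__(#__VA_ARGS__)
+// ldr x8, value; br x8; value: .ascii "\x41\x42\x43\x44\x45\x46\x47\x48"
+static char patch[] = {0x88,0x00,0x00,0x58,0x00,0x01,0x1f,0xd6,0x1f,0x20,0x03,0xd5,0x1f,0x20,0x03,0xd5,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};
+
+// Since we're patching libsystem_kernel, we must avoid calling to its functions
+static void builtin_memcpy(char *target, char *source, size_t size) {
+for (int i = 0; i < size; i++) {
+target[i] = source[i];
+}
+}
+
+// Originated from _kernelrpc_mach_vm_protect_trap
+kern_return_t builtin_vm_protect(mach_port_name_t task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_max, vm_prot_t new_prot);
+ASM(
+.global _builtin_vm_protect \n
+_builtin_vm_protect: \n
+mov x16, #-0xe \n
+svc #0x80 \n
+ret
+);
+
+void redirectFunction(void *patchAddr, void *target) {
+kern_return_t kret = builtin_vm_protect(mach_task_self(), (vm_address_t)patchAddr, sizeof(patch), false, PROT_READ | PROT_WRITE | VM_PROT_COPY);
+assert(kret == KERN_SUCCESS);
+
+builtin_memcpy((char *)patchAddr, patch, sizeof(patch));
+*(void **)((char*)patchAddr + 16) = target;
+
+kret = builtin_vm_protect(mach_task_self(), (vm_address_t)patchAddr, sizeof(patch), false, PROT_READ | PROT_EXEC);
+assert(kret == KERN_SUCCESS);
+}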
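Review bot: Both error checks in `redirectFunction` are `assert()`, which is compiled out under `NDEBUG`, so in a release build a failed `builtin_vm_protect` is silently ignored and the `builtin_memcpy` on the following line writes straight into a page that is still RX, crashing far from the cause; an unconditional `if (kret != KERN_SUCCESS) __builtin_trap();` after each trap keeps the failure at the protection change and still avoids any library call. Nothing invalidates the instruction cache after the 24-byte patch lands — the kernel may do that when the range is re-mapped executable, but if that is what is being relied on it deserves a comment, and an inline `dc cvau` / `dsb ish` / `ic ivau` / `dsb ish` / `isb` sequence over the patched range would make it explicit without touching libsystem_kernel. The header comment says the file patches libsystem_kernel, yet the only caller in this commit targets `SecTaskGetCodeSignStatus` in Security.framework; either state that the raw `svc` path is kept for future libsystem_kernel targets or update the comment. Two style nits: `builtin_memcpy` loops with `int i` against a `size_t size`, and the first trap mixes mman `PROT_*` with Mach `VM_PROT_COPY` — `VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY` is what `_kernelrpc_mach_vm_protect_trap` actually takes, even though the values coincide.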

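--- a/main.m
+++ b/main.m
@@ -6,13 +6,10 @@
 #include <spawn.h>
 
 int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
-int csops_audittoken(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token);
-bool os_variant_has_internal_content(const char* subsystem);
 int ptrace(int, int, int, int);
 uint32_t SecTaskGetCodeSignStatus();
 
-int (*orig_csops)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize);
-int (*orig_csops_audittoken)(pid_t pid, unsigned int ops, void * useraddr, size_t usersize, audit_token_t * token);
+void redirectFunction(void *patchAddr, void *target);
 
 // JIT
 #define CS_DEBUGGED 0x10000000
@@ -29,10 +26,6 @@ uint32_t hooked_SecTaskGetCodeSignStatus() {
 return 0x36803809; // CS_PLATFORM_BINARY
 }
 
-bool hooked_os_variant_has_internal_content(const char* subsystem) {
-return true;
-}
-
 int (*SBSystemAppMain)(int argc, char *argv[], char *envp[]);
 
 int main(int argc, char *argv[], char *envp[]) {
@@ -51,16 +44,15 @@ int main(int argc, char *argv[], char *envp[]) {
 }
 }
 
-assert(isJITEnabled());
-MSHookFunction(&SecTaskGetCodeSignStatus, &hooked_SecTaskGetCodeSignStatus, NULL);
-MSHookFunction(&os_variant_has_internal_content, &hooked_os_variant_has_internal_content, NULL);
+//assert(isJITEnabled());
+redirectFunction((void *)SecTaskGetCodeSignStatus, (void *)hooked_SecTaskGetCodeSignStatus);
 
-[NSUserDefaults.standardUserDefaults setBool:YES forKey:@"SBDontLockAfterCrash"];
+//[NSUserDefaults.standardUserDefaults setBool:YES forKey:@"SBDontLockAfterCrash"];
 void *handle = dlopen("/System/Library/PrivateFrameworks/SpringBoard.framework/SpringBoard", RTLD_GLOBAL);
 
 void *tweakHandle = dlopen("@executable_path/SpringBoardTweak.dylib", RTLD_GLOBAL|RTLD_NOW);
 if (!tweakHandle) {
-//[@(dlerror()) writeToFile:@"/tmp/AAAAA.txt" atomically:YES];
+[@(dlerror()) writeToFile:@"/tmp/AAAAA.txt" atomically:YES];
 abort();
 }
 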
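Review bot: Commenting out `assert(isJITEnabled());` at new line 47 drops the only runtime check that this process is allowed to rewrite code pages, while the very next line calls `redirectFunction`, which flips the page holding `SecTaskGetCodeSignStatus` from RX to RW and back; if that precondition does not hold the failure surfaces later as an abort inside the hook or a code-signing kill, far from the cause, so keep an explicit guard such as `if (!isJITEnabled()) { NSLog(@"JIT not available, refusing to patch"); abort(); }` or document in a comment why the check is no longer needed. The re-enabled `[@(dlerror()) writeToFile:@"/tmp/AAAAA.txt" atomically:YES];` at new line 55 writes a debug artefact to a fixed path in a shared directory from a process carrying SpringBoard's entitlements, and boxing a NULL `dlerror()` result with `@()` presumably raises before `abort()` is reached; `NSLog(@"dlopen SpringBoardTweak.dylib failed: %s", dlerror() ?: "unknown");` followed by the existing `abort();` gives the same diagnostic without the file write. The enclosing `main` starts before this hunk and its closing brace lies outside it.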