mirror of https://github.com/opa334/TrollStore.git
TrollStore 2: First working POC :D
This commit is contained in:
parent
2c327a0083
commit
17ba8fbaa7
|
@ -1,3 +0,0 @@
|
||||||
#include <stdbool.h>
|
|
||||||
|
|
||||||
int binary_sign_adhoc(const char *path, bool preserveMetadata);
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
#import <stdbool.h>
|
||||||
|
#import <Foundation/Foundation.h>
|
||||||
|
|
||||||
|
int codesign_sign_adhoc(const char *path, bool preserveMetadata, NSDictionary *customEntitlements);
|
|
@ -89,7 +89,7 @@ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int binary_sign_adhoc(const char *path, bool preserveMetadata)
|
int codesign_sign_adhoc(const char *path, bool preserveMetadata, NSDictionary *customEntitlements)
|
||||||
{
|
{
|
||||||
NSString *filePath = [NSString stringWithUTF8String:path];
|
NSString *filePath = [NSString stringWithUTF8String:path];
|
||||||
OSStatus status = 0;
|
OSStatus status = 0;
|
||||||
|
@ -99,8 +99,31 @@ int binary_sign_adhoc(const char *path, bool preserveMetadata)
|
||||||
SecIdentityRef identity = (SecIdentityRef)kCFNull;
|
SecIdentityRef identity = (SecIdentityRef)kCFNull;
|
||||||
NSMutableDictionary* parameters = [[NSMutableDictionary alloc] init];
|
NSMutableDictionary* parameters = [[NSMutableDictionary alloc] init];
|
||||||
parameters[(__bridge NSString*)kSecCodeSignerIdentity] = (__bridge id)identity;
|
parameters[(__bridge NSString*)kSecCodeSignerIdentity] = (__bridge id)identity;
|
||||||
|
uint64_t preserveMetadataFlags = 0;
|
||||||
if (preserveMetadata) {
|
if (preserveMetadata) {
|
||||||
parameters[(__bridge NSString*)kSecCodeSignerPreserveMetadata] = @(kSecCSPreserveIdentifier | kSecCSPreserveRequirements | kSecCSPreserveEntitlements | kSecCSPreserveResourceRules);
|
preserveMetadataFlags = (kSecCSPreserveIdentifier | kSecCSPreserveRequirements | kSecCSPreserveEntitlements | kSecCSPreserveResourceRules);
|
||||||
|
if (!customEntitlements) {
|
||||||
|
preserveMetadataFlags |= kSecCSPreserveEntitlements;
|
||||||
|
}
|
||||||
|
parameters[(__bridge NSString*)kSecCodeSignerPreserveMetadata] = @(preserveMetadataFlags);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (customEntitlements) {
|
||||||
|
NSError *error;
|
||||||
|
NSData *xmlData = [NSPropertyListSerialization dataWithPropertyList:customEntitlements format:NSPropertyListXMLFormat_v1_0 options:0 error:&error];
|
||||||
|
if (!xmlData) {
|
||||||
|
NSLog(@"Failed to encode entitlements: %@", error);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// Super easy to use API, definitely not busted...
|
||||||
|
// Did I forget to mention it just segfaults if you don't add this prefix?
|
||||||
|
uint32_t entitlementsData[xmlData.length+8];
|
||||||
|
entitlementsData[0] = OSSwapHostToBigInt32(0xFADE7171);
|
||||||
|
entitlementsData[1] = OSSwapHostToBigInt32(xmlData.length+8);
|
||||||
|
[xmlData getBytes:&entitlementsData[2] length:xmlData.length];
|
||||||
|
parameters[(__bridge NSString*)kSecCodeSignerEntitlements] = [NSData dataWithBytes:entitlementsData length:xmlData.length+8];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SecCodeSignerRef signerRef;
|
SecCodeSignerRef signerRef;
|
||||||
|
@ -138,3 +161,8 @@ int binary_sign_adhoc(const char *path, bool preserveMetadata)
|
||||||
|
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
NSDictionary *codesign_dump_entitlements(NSString *path)
|
||||||
|
{
|
||||||
|
return nil;
|
||||||
|
}
|
|
@ -1,4 +1,4 @@
|
||||||
#include "adhoc.h"
|
#include "codesign.h"
|
||||||
#include "coretrust_bug.h"
|
#include "coretrust_bug.h"
|
||||||
#include <choma/FAT.h>
|
#include <choma/FAT.h>
|
||||||
#include <choma/MachO.h>
|
#include <choma/MachO.h>
|
||||||
|
@ -52,12 +52,22 @@ int apply_coretrust_bypass_wrapper(const char *inputPath, const char *outputPath
|
||||||
|
|
||||||
|
|
||||||
int main(int argc, char *argv[]) {
|
int main(int argc, char *argv[]) {
|
||||||
if (argc != 2) return -1;
|
if (argc < 2) return -1;
|
||||||
|
|
||||||
char *machoPath = extract_preferred_slice(argv[1]);
|
char *input = argv[argc-1];
|
||||||
|
|
||||||
|
NSDictionary *customEntitlements = nil;
|
||||||
|
if (argc == 4) {
|
||||||
|
if (!strcmp(argv[1], "--entitlements")) {
|
||||||
|
NSString *entitlementsPath = [NSString stringWithUTF8String:argv[2]];
|
||||||
|
customEntitlements = [NSDictionary dictionaryWithContentsOfFile:entitlementsPath];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
char *machoPath = extract_preferred_slice(input);
|
||||||
printf("Extracted best slice to %s\n", machoPath);
|
printf("Extracted best slice to %s\n", machoPath);
|
||||||
|
|
||||||
int r = binary_sign_adhoc(machoPath, true);
|
int r = codesign_sign_adhoc(machoPath, true, customEntitlements);
|
||||||
if (r != 0) {
|
if (r != 0) {
|
||||||
printf("Failed adhoc signing (%d) Continuing anyways...\n", r);
|
printf("Failed adhoc signing (%d) Continuing anyways...\n", r);
|
||||||
}
|
}
|
||||||
|
@ -72,8 +82,8 @@ int main(int argc, char *argv[]) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (copyfile(machoPath, argv[1], 0, COPYFILE_ALL | COPYFILE_MOVE | COPYFILE_UNLINK) == 0) {
|
if (copyfile(machoPath, input, 0, COPYFILE_ALL | COPYFILE_MOVE | COPYFILE_UNLINK) == 0) {
|
||||||
chmod(argv[1], 0755);
|
chmod(input, 0755);
|
||||||
printf("Applied CoreTrust Bypass!\n");
|
printf("Applied CoreTrust Bypass!\n");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
4
Makefile
4
Makefile
|
@ -1,6 +1,6 @@
|
||||||
TOPTARGETS := all clean
|
TOPTARGETS := all clean
|
||||||
|
|
||||||
$(TOPTARGETS): pre_build make_roothelper make_trollstore make_trollhelper make_trollhelper_package assemble_trollstore make_trollhelper_embedded build_installer15 build_installer64e
|
$(TOPTARGETS): pre_build make_fastPathSign make_roothelper make_trollstore make_trollhelper make_trollhelper_package assemble_trollstore make_trollhelper_embedded build_installer15 build_installer64e
|
||||||
|
|
||||||
pre_build:
|
pre_build:
|
||||||
@rm -rf ./_build 2>/dev/null || true
|
@rm -rf ./_build 2>/dev/null || true
|
||||||
|
@ -8,6 +8,8 @@ pre_build:
|
||||||
|
|
||||||
make_external:
|
make_external:
|
||||||
|
|
||||||
|
make_fastPathSign:
|
||||||
|
@$(MAKE) -C ./Exploits/fastPathSign $(MAKECMDGOALS)
|
||||||
|
|
||||||
make_roothelper:
|
make_roothelper:
|
||||||
@$(MAKE) -C ./RootHelper FINALPACKAGE=1 $(MAKECMDGOALS)
|
@$(MAKE) -C ./RootHelper FINALPACKAGE=1 $(MAKECMDGOALS)
|
||||||
|
|
|
@ -1,14 +1,16 @@
|
||||||
TARGET := iphone:clang:16.4:14.0
|
TARGET := iphone:clang:16.4:14.0
|
||||||
ARCHS = arm64
|
ARCHS = arm64
|
||||||
|
|
||||||
|
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
|
||||||
|
|
||||||
include $(THEOS)/makefiles/common.mk
|
include $(THEOS)/makefiles/common.mk
|
||||||
|
|
||||||
TOOL_NAME = trollstorehelper
|
TOOL_NAME = trollstorehelper
|
||||||
|
|
||||||
trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/adhoc.m
|
trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/codesign.m
|
||||||
trollstorehelper_CFLAGS = -fobjc-arc -I../Shared $(shell pkg-config --cflags libcrypto) -Iexternal/include -I../Exploits/fastPathSign/src
|
trollstorehelper_CFLAGS = -fobjc-arc -I../Shared $(shell pkg-config --cflags libcrypto) -Iexternal/include -I../Exploits/fastPathSign/src
|
||||||
trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
|
trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
|
||||||
trollstorehelper_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12
|
trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
|
||||||
trollstorehelper_INSTALL_PATH = /usr/local/bin
|
trollstorehelper_INSTALL_PATH = /usr/local/bin
|
||||||
trollstorehelper_LIBRARIES = archive
|
trollstorehelper_LIBRARIES = archive
|
||||||
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
|
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager
|
||||||
|
|
Binary file not shown.
|
@ -11,7 +11,7 @@
|
||||||
#import <mach-o/loader.h>
|
#import <mach-o/loader.h>
|
||||||
#import <mach-o/fat.h>
|
#import <mach-o/fat.h>
|
||||||
#ifndef EMBEDDED_ROOT_HELPER
|
#ifndef EMBEDDED_ROOT_HELPER
|
||||||
#import "adhoc.h"
|
#import "codesign.h"
|
||||||
#import "coretrust_bug.h"
|
#import "coretrust_bug.h"
|
||||||
#import <choma/FAT.h>
|
#import <choma/FAT.h>
|
||||||
#import <choma/MachO.h>
|
#import <choma/MachO.h>
|
||||||
|
@ -398,15 +398,17 @@ int signApp(NSString* appPath)
|
||||||
while(fileURL = [enumerator nextObject])
|
while(fileURL = [enumerator nextObject])
|
||||||
{
|
{
|
||||||
NSString *filePath = fileURL.path;
|
NSString *filePath = fileURL.path;
|
||||||
|
NSLog(@"Checking %@", filePath);
|
||||||
FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation);
|
FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation);
|
||||||
if (fat) {
|
if (fat) {
|
||||||
|
NSLog(@"%@ is binary", filePath);
|
||||||
// This is FAT or MachO, sign and apply CoreTrust bypass
|
// This is FAT or MachO, sign and apply CoreTrust bypass
|
||||||
MachO *machoForExtraction = fat_find_preferred_slice(fat);
|
MachO *machoForExtraction = fat_find_preferred_slice(fat);
|
||||||
if (machoForExtraction) {
|
if (machoForExtraction) {
|
||||||
NSLog(@"Starting signing of %@\n", filePath);
|
|
||||||
NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString];
|
NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString];
|
||||||
MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
|
|
||||||
MemoryStream *sliceStream = macho_get_stream(machoForExtraction);
|
MemoryStream *sliceStream = macho_get_stream(machoForExtraction);
|
||||||
|
MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
|
||||||
|
if (sliceOutStream) {
|
||||||
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
|
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
|
||||||
memory_stream_free(sliceOutStream);
|
memory_stream_free(sliceOutStream);
|
||||||
|
|
||||||
|
@ -415,7 +417,7 @@ int signApp(NSString* appPath)
|
||||||
NSLog(@"[%@] Adhoc signing...", filePath);
|
NSLog(@"[%@] Adhoc signing...", filePath);
|
||||||
|
|
||||||
// First attempt ad hoc signing
|
// First attempt ad hoc signing
|
||||||
int r = binary_sign_adhoc(tmpPath.fileSystemRepresentation, true);
|
int r = codesign_sign_adhoc(tmpPath.fileSystemRepresentation, true, nil);
|
||||||
if (r != 0) {
|
if (r != 0) {
|
||||||
NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
|
NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
|
||||||
}
|
}
|
||||||
|
@ -438,6 +440,7 @@ int signApp(NSString* appPath)
|
||||||
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
|
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
|
||||||
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
|
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
fat_free(fat);
|
fat_free(fat);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,6 +2,9 @@ export EMBEDDED_ROOT_HELPER ?= 0
|
||||||
|
|
||||||
TARGET := iphone:clang:16.4:14.0
|
TARGET := iphone:clang:16.4:14.0
|
||||||
INSTALL_TARGET_PROCESSES = TrollStorePersistenceHelper
|
INSTALL_TARGET_PROCESSES = TrollStorePersistenceHelper
|
||||||
|
ARCHS = arm64
|
||||||
|
|
||||||
|
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
|
||||||
|
|
||||||
include $(THEOS)/makefiles/common.mk
|
include $(THEOS)/makefiles/common.mk
|
||||||
|
|
||||||
|
@ -11,7 +14,7 @@ TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
|
||||||
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
|
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
|
||||||
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
|
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
|
||||||
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared
|
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared
|
||||||
TrollStorePersistenceHelper_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12
|
TrollStorePersistenceHelper_CODESIGN_FLAGS = --entitlements entitlements.plist
|
||||||
|
|
||||||
ifeq ($(EMBEDDED_ROOT_HELPER),1)
|
ifeq ($(EMBEDDED_ROOT_HELPER),1)
|
||||||
TrollStorePersistenceHelper_CFLAGS += -DEMBEDDED_ROOT_HELPER=1
|
TrollStorePersistenceHelper_CFLAGS += -DEMBEDDED_ROOT_HELPER=1
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
TARGET := iphone:clang:16.4:14.0
|
TARGET := iphone:clang:16.4:14.0
|
||||||
INSTALL_TARGET_PROCESSES = TrollStore
|
INSTALL_TARGET_PROCESSES = TrollStore
|
||||||
|
ARCHS = arm64
|
||||||
|
|
||||||
|
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
|
||||||
|
|
||||||
include $(THEOS)/makefiles/common.mk
|
include $(THEOS)/makefiles/common.mk
|
||||||
|
|
||||||
|
@ -10,6 +13,6 @@ TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices
|
||||||
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
|
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
|
||||||
TrollStore_LIBRARIES = archive
|
TrollStore_LIBRARIES = archive
|
||||||
TrollStore_CFLAGS = -fobjc-arc -I../Shared
|
TrollStore_CFLAGS = -fobjc-arc -I../Shared
|
||||||
TrollStore_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12
|
TrollStore_CODESIGN_FLAGS = --entitlements entitlements.plist
|
||||||
|
|
||||||
include $(THEOS_MAKE_PATH)/application.mk
|
include $(THEOS_MAKE_PATH)/application.mk
|
||||||
|
|
Loading…
Reference in New Issue