bughz
/
TrollStore
mirror of https://github.com/opa334/TrollStore.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

TrollStore 2: First working POC :D

This commit is contained in:
opa334 2023-11-26 20:43:30 +01:00
parent 2c327a0083
commit 17ba8fbaa7
10 changed files with 97 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Exploits/fastPathSign/src/adhoc.h
View File

@ -1,3 +0,0 @@
#include <stdbool.h>
int binary_sign_adhoc(const char *path, bool preserveMetadata);

4
Exploits/fastPathSign/src/codesign.h Normal file
View File

@ -0,0 +1,4 @@
#import <stdbool.h>
#import <Foundation/Foundation.h>
int codesign_sign_adhoc(const char *path, bool preserveMetadata, NSDictionary *customEntitlements);

32
Exploits/fastPathSign/src/adhoc.m → Exploits/fastPathSign/src/codesign.m
View File

@ -89,7 +89,7 @@ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
} }
#endif #endif
int binary_sign_adhoc(const char *path, bool preserveMetadata) int codesign_sign_adhoc(const char *path, bool preserveMetadata, NSDictionary *customEntitlements)
{ {
NSString *filePath = [NSString stringWithUTF8String:path]; NSString *filePath = [NSString stringWithUTF8String:path];
OSStatus status = 0; OSStatus status = 0;
@ -99,8 +99,31 @@ int binary_sign_adhoc(const char *path, bool preserveMetadata)
SecIdentityRef identity = (SecIdentityRef)kCFNull; SecIdentityRef identity = (SecIdentityRef)kCFNull;
NSMutableDictionary* parameters = [[NSMutableDictionary alloc] init]; NSMutableDictionary* parameters = [[NSMutableDictionary alloc] init];
parameters[(__bridge NSString*)kSecCodeSignerIdentity] = (__bridge id)identity; parameters[(__bridge NSString*)kSecCodeSignerIdentity] = (__bridge id)identity;
uint64_t preserveMetadataFlags = 0;
if (preserveMetadata) { if (preserveMetadata) {
parameters[(__bridge NSString*)kSecCodeSignerPreserveMetadata] = @(kSecCSPreserveIdentifier | kSecCSPreserveRequirements | kSecCSPreserveEntitlements | kSecCSPreserveResourceRules); preserveMetadataFlags = (kSecCSPreserveIdentifier | kSecCSPreserveRequirements | kSecCSPreserveEntitlements | kSecCSPreserveResourceRules);
if (!customEntitlements) {
preserveMetadataFlags |= kSecCSPreserveEntitlements;
}
parameters[(__bridge NSString*)kSecCodeSignerPreserveMetadata] = @(preserveMetadataFlags);
}
if (customEntitlements) {
NSError *error;
NSData *xmlData = [NSPropertyListSerialization dataWithPropertyList:customEntitlements format:NSPropertyListXMLFormat_v1_0 options:0 error:&error];
if (!xmlData) {
NSLog(@"Failed to encode entitlements: %@", error);
return -1;
}
else {
// Super easy to use API, definitely not busted...
// Did I forget to mention it just segfaults if you don't add this prefix?
uint32_t entitlementsData[xmlData.length+8];
entitlementsData[0] = OSSwapHostToBigInt32(0xFADE7171);
entitlementsData[1] = OSSwapHostToBigInt32(xmlData.length+8);
[xmlData getBytes:&entitlementsData[2] length:xmlData.length];
parameters[(__bridge NSString*)kSecCodeSignerEntitlements] = [NSData dataWithBytes:entitlementsData length:xmlData.length+8];
}
} }
SecCodeSignerRef signerRef; SecCodeSignerRef signerRef;
@ -137,4 +160,9 @@ int binary_sign_adhoc(const char *path, bool preserveMetadata)
} }
return retval; return retval;
}
NSDictionary *codesign_dump_entitlements(NSString *path)
{
return nil;
} }

22
Exploits/fastPathSign/src/main.c → Exploits/fastPathSign/src/main.m
View File

@ -1,4 +1,4 @@
#include "adhoc.h" #include "codesign.h"
#include "coretrust_bug.h" #include "coretrust_bug.h"
#include <choma/FAT.h> #include <choma/FAT.h>
#include <choma/MachO.h> #include <choma/MachO.h>
@ -52,12 +52,22 @@ int apply_coretrust_bypass_wrapper(const char *inputPath, const char *outputPath
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
if (argc != 2) return -1; if (argc < 2) return -1;
char *machoPath = extract_preferred_slice(argv[1]); char *input = argv[argc-1];
NSDictionary *customEntitlements = nil;
if (argc == 4) {
if (!strcmp(argv[1], "--entitlements")) {
NSString *entitlementsPath = [NSString stringWithUTF8String:argv[2]];
customEntitlements = [NSDictionary dictionaryWithContentsOfFile:entitlementsPath];
}
}
char *machoPath = extract_preferred_slice(input);
printf("Extracted best slice to %s\n", machoPath); printf("Extracted best slice to %s\n", machoPath);
int r = binary_sign_adhoc(machoPath, true); int r = codesign_sign_adhoc(machoPath, true, customEntitlements);
if (r != 0) { if (r != 0) {
printf("Failed adhoc signing (%d) Continuing anyways...\n", r); printf("Failed adhoc signing (%d) Continuing anyways...\n", r);
} }
@ -72,8 +82,8 @@ int main(int argc, char *argv[]) {
return -1; return -1;
} }
if (copyfile(machoPath, argv[1], 0, COPYFILE_ALL | COPYFILE_MOVE | COPYFILE_UNLINK) == 0) { if (copyfile(machoPath, input, 0, COPYFILE_ALL | COPYFILE_MOVE | COPYFILE_UNLINK) == 0) {
chmod(argv[1], 0755); chmod(input, 0755);
printf("Applied CoreTrust Bypass!\n"); printf("Applied CoreTrust Bypass!\n");
} }
else { else {

4
Makefile
View File

@ -1,6 +1,6 @@
TOPTARGETS := all clean TOPTARGETS := all clean
$(TOPTARGETS): pre_build make_roothelper make_trollstore make_trollhelper make_trollhelper_package assemble_trollstore make_trollhelper_embedded build_installer15 build_installer64e $(TOPTARGETS): pre_build make_fastPathSign make_roothelper make_trollstore make_trollhelper make_trollhelper_package assemble_trollstore make_trollhelper_embedded build_installer15 build_installer64e
pre_build: pre_build:
@rm -rf ./_build 2>/dev/null || true @rm -rf ./_build 2>/dev/null || true
@ -8,6 +8,8 @@ pre_build:
make_external: make_external:
make_fastPathSign:
@$(MAKE) -C ./Exploits/fastPathSign $(MAKECMDGOALS)
make_roothelper: make_roothelper:
@$(MAKE) -C ./RootHelper FINALPACKAGE=1 $(MAKECMDGOALS) @$(MAKE) -C ./RootHelper FINALPACKAGE=1 $(MAKECMDGOALS)

6
RootHelper/Makefile
View File

@ -1,14 +1,16 @@
TARGET := iphone:clang:16.4:14.0 TARGET := iphone:clang:16.4:14.0
ARCHS = arm64 ARCHS = arm64
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
include $(THEOS)/makefiles/common.mk include $(THEOS)/makefiles/common.mk
TOOL_NAME = trollstorehelper TOOL_NAME = trollstorehelper
trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/adhoc.m trollstorehelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m) ../Exploits/fastPathSign/src/coretrust_bug.c ../Exploits/fastPathSign/src/codesign.m
trollstorehelper_CFLAGS = -fobjc-arc -I../Shared $(shell pkg-config --cflags libcrypto) -Iexternal/include -I../Exploits/fastPathSign/src trollstorehelper_CFLAGS = -fobjc-arc -I../Shared $(shell pkg-config --cflags libcrypto) -Iexternal/include -I../Exploits/fastPathSign/src
trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma trollstorehelper_LDFLAGS = -Lexternal/lib -lcrypto -lchoma
trollstorehelper_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12 trollstorehelper_CODESIGN_FLAGS = --entitlements entitlements.plist
trollstorehelper_INSTALL_PATH = /usr/local/bin trollstorehelper_INSTALL_PATH = /usr/local/bin
trollstorehelper_LIBRARIES = archive trollstorehelper_LIBRARIES = archive
trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager trollstorehelper_PRIVATE_FRAMEWORKS = SpringBoardServices BackBoardServices MobileContainerManager

BIN
RootHelper/external/lib/libchoma.a vendored
View File

Binary file not shown.

61
RootHelper/main.m
View File

@ -11,7 +11,7 @@
#import <mach-o/loader.h> #import <mach-o/loader.h>
#import <mach-o/fat.h> #import <mach-o/fat.h>
#ifndef EMBEDDED_ROOT_HELPER #ifndef EMBEDDED_ROOT_HELPER
#import "adhoc.h" #import "codesign.h"
#import "coretrust_bug.h" #import "coretrust_bug.h"
#import <choma/FAT.h> #import <choma/FAT.h>
#import <choma/MachO.h> #import <choma/MachO.h>
@ -398,45 +398,48 @@ int signApp(NSString* appPath)
while(fileURL = [enumerator nextObject]) while(fileURL = [enumerator nextObject])
{ {
NSString *filePath = fileURL.path; NSString *filePath = fileURL.path;
NSLog(@"Checking %@", filePath);
FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation); FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation);
if (fat) { if (fat) {
NSLog(@"%@ is binary", filePath);
// This is FAT or MachO, sign and apply CoreTrust bypass // This is FAT or MachO, sign and apply CoreTrust bypass
MachO *machoForExtraction = fat_find_preferred_slice(fat); MachO *machoForExtraction = fat_find_preferred_slice(fat);
if (machoForExtraction) { if (machoForExtraction) {
NSLog(@"Starting signing of %@\n", filePath);
NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString]; NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString];
MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
MemoryStream *sliceStream = macho_get_stream(machoForExtraction); MemoryStream *sliceStream = macho_get_stream(machoForExtraction);
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream)); MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
memory_stream_free(sliceOutStream); if (sliceOutStream) {
memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
memory_stream_free(sliceOutStream);
// Now we have the single slice at tmpPath, which we will sign and apply the bypass, then copy over the original file // Now we have the single slice at tmpPath, which we will sign and apply the bypass, then copy over the original file
NSLog(@"[%@] Adhoc signing...", filePath); NSLog(@"[%@] Adhoc signing...", filePath);
// First attempt ad hoc signing // First attempt ad hoc signing
int r = binary_sign_adhoc(tmpPath.fileSystemRepresentation, true); int r = codesign_sign_adhoc(tmpPath.fileSystemRepresentation, true, nil);
if (r != 0) { if (r != 0) {
NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r); NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
}
else {
NSLog(@"[%@] Adhoc signing worked!\n", filePath);
}
NSLog(@"[%@] Applying CoreTrust bypass...", filePath);
r = apply_coretrust_bypass(tmpPath.fileSystemRepresentation);
if (r == 0) {
NSLog(@"[%@] Applied CoreTrust bypass!", filePath);
}
else {
NSLog(@"[%@] CoreTrust bypass failed!!! :(", filePath);
fat_free(fat);
return 175;
}
// tempFile is now signed, overwrite original file at filePath with it
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
} }
else {
NSLog(@"[%@] Adhoc signing worked!\n", filePath);
}
NSLog(@"[%@] Applying CoreTrust bypass...", filePath);
r = apply_coretrust_bypass(tmpPath.fileSystemRepresentation);
if (r == 0) {
NSLog(@"[%@] Applied CoreTrust bypass!", filePath);
}
else {
NSLog(@"[%@] CoreTrust bypass failed!!! :(", filePath);
fat_free(fat);
return 175;
}
// tempFile is now signed, overwrite original file at filePath with it
[[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
[[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
} }
fat_free(fat); fat_free(fat);
} }

5
TrollHelper/Makefile
View File

@ -2,6 +2,9 @@ export EMBEDDED_ROOT_HELPER ?= 0
TARGET := iphone:clang:16.4:14.0 TARGET := iphone:clang:16.4:14.0
INSTALL_TARGET_PROCESSES = TrollStorePersistenceHelper INSTALL_TARGET_PROCESSES = TrollStorePersistenceHelper
ARCHS = arm64
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
include $(THEOS)/makefiles/common.mk include $(THEOS)/makefiles/common.mk
@ -11,7 +14,7 @@ TrollStorePersistenceHelper_FILES = $(wildcard *.m) $(wildcard ../Shared/*.m)
TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices TrollStorePersistenceHelper_FRAMEWORKS = UIKit CoreGraphics CoreServices
TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager TrollStorePersistenceHelper_PRIVATE_FRAMEWORKS = Preferences MobileContainerManager
TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared TrollStorePersistenceHelper_CFLAGS = -fobjc-arc -I../Shared
TrollStorePersistenceHelper_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12 TrollStorePersistenceHelper_CODESIGN_FLAGS = --entitlements entitlements.plist
ifeq ($(EMBEDDED_ROOT_HELPER),1) ifeq ($(EMBEDDED_ROOT_HELPER),1)
TrollStorePersistenceHelper_CFLAGS += -DEMBEDDED_ROOT_HELPER=1 TrollStorePersistenceHelper_CFLAGS += -DEMBEDDED_ROOT_HELPER=1

5
TrollStore/Makefile
View File

@ -1,5 +1,8 @@
TARGET := iphone:clang:16.4:14.0 TARGET := iphone:clang:16.4:14.0
INSTALL_TARGET_PROCESSES = TrollStore INSTALL_TARGET_PROCESSES = TrollStore
ARCHS = arm64
TARGET_CODESIGN = ../Exploits/fastPathSign/fastPathSign
include $(THEOS)/makefiles/common.mk include $(THEOS)/makefiles/common.mk
@ -10,6 +13,6 @@ TrollStore_FRAMEWORKS = UIKit CoreGraphics CoreServices
TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager TrollStore_PRIVATE_FRAMEWORKS = Preferences MobileIcons MobileContainerManager
TrollStore_LIBRARIES = archive TrollStore_LIBRARIES = archive
TrollStore_CFLAGS = -fobjc-arc -I../Shared TrollStore_CFLAGS = -fobjc-arc -I../Shared
TrollStore_CODESIGN_FLAGS = -Sentitlements.plist -K../cert.p12 TrollStore_CODESIGN_FLAGS = --entitlements entitlements.plist
include $(THEOS_MAKE_PATH)/application.mk include $(THEOS_MAKE_PATH)/application.mk