From 2c327a00831904c66c6a5c10f8ae6e54e63b2188 Mon Sep 17 00:00:00 2001
From: opa334
Date: Sun, 26 Nov 2023 18:29:32 +0100
Subject: [PATCH] Implement signing with new CoreTrust bypass
---
 Exploits/fastPathSign/src/adhoc.h | 2 +-
 Exploits/fastPathSign/src/adhoc.m | 2 +-
 RootHelper/external/lib/libchoma.a | Bin 91888 -> 91872 bytes
 RootHelper/main.m | 69 ++++++++++++++++++++++++++++-
 4 files changed, 69 insertions(+), 4 deletions(-)
diff --git a/Exploits/fastPathSign/src/adhoc.h b/Exploits/fastPathSign/src/adhoc.h
index 8b16b98..6a491c1 100644
--- a/Exploits/fastPathSign/src/adhoc.h
+++ b/Exploits/fastPathSign/src/adhoc.h
@@ -1,3 +1,3 @@
 #include
-int binary_sign_adhoc(char *path, bool preserveMetadata);
\ No newline at end of file
+int binary_sign_adhoc(const char *path, bool preserveMetadata);
\ No newline at end of file
diff --git a/Exploits/fastPathSign/src/adhoc.m b/Exploits/fastPathSign/src/adhoc.m
index d20ae9a..1b37404 100644
--- a/Exploits/fastPathSign/src/adhoc.m
+++ b/Exploits/fastPathSign/src/adhoc.m
@@ -89,7 +89,7 @@ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
 }
 #endif
-int binary_sign_adhoc(char *path, bool preserveMetadata)
+int binary_sign_adhoc(const char *path, bool preserveMetadata)
 {
 NSString *filePath = [NSString stringWithUTF8String:path];
 OSStatus status = 0;
diff --git a/RootHelper/external/lib/libchoma.a b/RootHelper/external/lib/libchoma.a index 041242b9ca366d61b19ceb5f53c0d39d2602d130..fdd802d5ffcf53f999319b4bfcf68ee71754bc26 100644 GIT binary patch delta 2705 zcmZXW3rv$&6vyw^f);_&RvK6s1innksi=w-DWlLJ;pVO_Xu~dY)o2Pq9mb zCFBWlh`E;aTbcWrhnelnZsv97IgbB5Nw}kHPRHtK?XNMnFh61XnPZ&bFXs20=m|3w z3#M8)n5&phu1O7ZEAxQP9V?cX6#-^H^A0o2G@!^-TsyOhxr*7qY-OHe_AvKF%dd!Q z{6T+|B6m7o5~ioxss(_iR!u3FQ?IhfMimwaEe- zjZq~=OR~%|ERl|Cot{*vk(fvkVxf@tHk2A~BO{IZ>>ZGHv&({Y(y*~|1Szo+aYAlB zU6G{fg~*1~BhQ@fNgbGW^VyzE|I~pj|5S_I(DAymIC!=rO;P>~e%slkNnNJ(sudn* zr}l?e)mP-At|G-Hw{{h{w~2_l%@t9E=aweHbL;0WjTbqOhc38!Ll;DEs2l7CgJ2N6 z2wns)gO|ZRun)WnUKPFKzIa=m=W(ie9%nSB6*kJzB6^>{AtJt(`f%t?5z&dZm7!Cj z_br-So!9RiTc&tbGX?fL)!7~=Ekdmlkx-Q@qEp0VXnIGMPlyVXB3&muCf`8LB?I2c z?$>Sz+Y?=pd^y#%aK<|SvpsA5&j+S?WlzZhnKYadeDBK(n#zz8i&m$*BGK$xWY_*b zd)!Vl^|e^T+V;Bn%IskExdKHt`&^l|=u6C;fE@oCK6%q;RR-lGepPAoTa|z;!EckS z^IMbXu+wOhW1pJcbh6Dt6dnOn!QG$tf&I$ZjpdSI#z$>5; zYy)S3Tfmv%dXVzhu$&L3lONWOyfX_A;stG6_5o<8`=If+uvb%h~+~p$LHHlvR2F$VRo1UMH(KJ6F$KtB%`JQ ztEma!L*p|%q^;2f-wk||{ZAKGmXwyu@}box6;+^-PyL3Wn&ru%C9@__3>u^+i!KYF z5bMOa$sct94Ihi(7ju>p&Dtkq9!m7hwk=Gh{8Dy%l ztZ)=>Wn{4laTF%HBx>={z(I&U=xZ?>k45e^79TSt1RHN;801u0vL5$Oq*H4RkEMx- z(94~rbKM9|SCgX+yi%k0+|mlqF~lAp$0_$|H->+K4Vx1Qfi|VzDN;R7TOw#guR%w8 zZHe&4F93=qoi5eYI}YZjqJc>^vTS5IBPzQi`5COpWQRoT7plkoN3w_K1WsFv#eI!dsH=#AtDa42F#qohfHjL%S zGl$I5u|lVK=q<^HzM(NflKVCe2sKy$qy`;<^(C+ed=d13 z3&7o=4J-%qK?C>#m;lpt1UkSYAZ2OB9D4cPgS<-o1=;O_ z1lC(XOjB5m?y`b(<&gJ%+!Pdj2_%{RlcSdl9_B5j=%*+#MN{kN!rBAQg+35ty$+-= z8O65bKz}>N`T$rgKYwVpm%!Q#37uHe6r-~d%!7UnNYOg5SPnllS5odyv<_I`43hO3 zLNmceY+w5rbKMxPO z43DEeG+g9`r=O!LII4kVS`}rD&$5Z-6>Q%@GM;$;btL2aRJJ=1i(5^$hH{lo=?_&Y Tw%~YZVWP}?To>H;cz^TXd_+?v delta 2676 zcmX|@eQeWJ6o$`jJLrIYGTIFXEdyK!>l`q)Kq#wj;*=(i4-F_|PBz>S*&GCFAZc|$ zF!K+}B^kj8Lm;eV$Vf4=gv1eJoH!y75@#e!r-+3RM8w#dE%=`H)SKNtzxUjG&;2|n z3tvrncs1p~Ohb8D!0ui;T&u`3nTWY%B9Zq2QKztY0ufyy8cHP^Sg5GbOk}qzdJX-} 
zZw8Lc%zpT+qPvrbm@RSZ`77m0kyeIEU*vP5b16j3Tf%I1`8Dh^#ZsB#Z3EF@A<y09PS_~?Ko}H`ii3ZIKZ>JA!Za+H&!SYg zM(C0=@d%rQyUo7DVFkp{D;yC1B#a6(amakQMZ!wq8sRqKKH(?AKH;wT@hkdHHuQHH zKKNcrp_@(=`|2qc zu6M^2`EM9Z{u{q;G6dlB5Z$Ji!#2MwJlpSzoN)I?c2R%i7`UDKpHxz;r=u`BA(Y;nxqgMrOs#(8_ zU%w9E*Q3wlH%DI&+Pb>uDYI(SqaRv*#W>qEA}3!yl9#;= z`%6cyK|7aD)`*UC@)-7r{y}t&^lz5__0nD<&*W9nD@5-Vot&?kwUG)a`L6O|$Uyar z!$(*IYme^lwPojEpIkmdW$XQkp?kd-X2jp}l7$uJ`qGuP*)=#RE)J}lOHFRqmQ`xG zC4X8%vz?pTrW37Qsw|JVG`*6) zO7pwyDPR^t05-N87f>J>UObj<<}`QzUC@z+uwspHi0drT)8hJtm}8n4@}xta=ozAC zh@K^SmgpkUMXYuDh-K2CArVoKB_o#nK_wDf;i-$TqTN7+QH3Rw|Yw^g#y3)q0~iv ze6KZi2;s-YA6Fg(8<%UWe1wOViD(-}=;5lJV`wb~Z-Mi{Uhrw~FgOc*11tiUfrVfx zI1e<7jvz&_eUEU1uo|2Ldmq-q^X&&QpU=4mAEhvOK?I&>M}n?y^y2i;2=c_GAW!@l zIR$HW-Um6I41+xWCWt`yTuad90q4SA4VHk#pc8+OG3z4mBDeqv%K0%q*s&K$E<<1a zt#HXqqOEQyur3$GikvlwW;@8Kj(gumYFYqZ1X=UHCK=j!r*J)wevCWj(Su+CTKmA+ zu=gfdX9jt5!*~}q*l#9S*9-DydO*aX=VXGeJ>Wup_KvmDf!1|UJlYI$Zxe_|yz zCoz;~>rSxF3v&N4WD?{NXB%$+84zRRcg@6eP0tkS!CL>40~o~FHCa0G!PzyLe)e%Y z^h=VdcoNpH=+WP8zGOB!0}FdOgk$9LBKJadB(s%_IwD>wM1LdtebLETTSV`a_IB2& n$@w<1HsS1QEV?~XqK5SGNTu?GMk9+;RJl%nus+oM!0Y`F_y8=U diff --git a/RootHelper/main.m b/RootHelper/main.m index 0a13adc..89de375 100644 --- a/RootHelper/main.m +++ b/RootHelper/main.m @@ -13,6 +13,10 @@ #ifndef EMBEDDED_ROOT_HELPER #import "adhoc.h" #import "coretrust_bug.h" +#import +#import +#import +#import #endif #import @@ -356,6 +360,14 @@ BOOL codeCertChainContainsFakeAppStoreExtensions(SecStaticCodeRef codeRef) return evaluatesToCustomAnchor; } +#ifdef EMBEDDED_ROOT_HELPER +// The embedded root helper is not able to sign apps +// But it does not need that functionality anyways +int signApp(NSString* appPath) +{ + return -1; +} +#else int signApp(NSString* appPath) { NSDictionary* appInfoDict = infoDictionaryForAppPath(appPath); 
@@ -378,7 +390,59 @@ int signApp(NSString* appPath)
 }
 }
- SecStaticCodeRef codeRef = getStaticCodeRef(executablePath);
+ // XXX: There used to be a check here whether the main binary was already signed with bypass
+ // In that case it would skip signing aswell, no clue if that's still desirable
+
+ NSURL* fileURL;
+ NSDirectoryEnumerator *enumerator = [[NSFileManager defaultManager] enumeratorAtURL:[NSURL fileURLWithPath:appPath] includingPropertiesForKeys:nil options:0 errorHandler:nil];
+ while(fileURL = [enumerator nextObject])
+ {
+ NSString *filePath = fileURL.path;
+ FAT *fat = fat_init_from_path(filePath.fileSystemRepresentation);
+ if (fat) {
+ // This is FAT or MachO, sign and apply CoreTrust bypass
+ MachO *machoForExtraction = fat_find_preferred_slice(fat);
+ if (machoForExtraction) {
+ NSLog(@"Starting signing of %@\n", filePath);
+ NSString *tmpPath = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSUUID UUID].UUIDString];
+ MemoryStream *sliceOutStream = file_stream_init_from_path(tmpPath.fileSystemRepresentation, 0, 0, FILE_STREAM_FLAG_WRITABLE | FILE_STREAM_FLAG_AUTO_EXPAND);
+ MemoryStream *sliceStream = macho_get_stream(machoForExtraction);
+ memory_stream_copy_data(sliceStream, 0, sliceOutStream, 0, memory_stream_get_size(sliceStream));
+ memory_stream_free(sliceOutStream);
+
+ // Now we have the single slice at tmpPath, which we will sign and apply the bypass, then copy over the original file
+
+ NSLog(@"[%@] Adhoc signing...", filePath);
+
+ // First attempt ad hoc signing
+ int r = binary_sign_adhoc(tmpPath.fileSystemRepresentation, true);
+ if (r != 0) {
+ NSLog(@"[%@] Adhoc signing failed with error code %d, continuing anyways...\n", filePath, r);
+ }
+ else {
+ NSLog(@"[%@] Adhoc signing worked!\n", filePath);
+ }
+
+ NSLog(@"[%@] Applying CoreTrust bypass...", filePath);
+ r = apply_coretrust_bypass(tmpPath.fileSystemRepresentation);
+ if (r == 0) {
+ NSLog(@"[%@] Applied CoreTrust bypass!", filePath);
+ }
+ else {
+ NSLog(@"[%@] CoreTrust bypass failed!!! :(", filePath);
+ fat_free(fat);
+ return 175;
+ }
+
+ // tempFile is now signed, overwrite original file at filePath with it
+ [[NSFileManager defaultManager] removeItemAtPath:filePath error:nil];
+ [[NSFileManager defaultManager] moveItemAtPath:tmpPath toPath:filePath error:nil];
+ }
+ fat_free(fat);
+ }
+ }
+
+ /*SecStaticCodeRef codeRef = getStaticCodeRef(executablePath);
 if(codeRef != NULL)
 {
 if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
@@ -391,9 +455,10 @@ int signApp(NSString* appPath)
 else
 {
 NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", executablePath);
- }
+ }*/
 return 0;
 }
+#endif
 void applyPatchesToInfoDictionary(NSString* appPath)
 {
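Review bot: The results of `removeItemAtPath:` and `moveItemAtPath:toPath:` at the end of the per-file block are discarded, so if the move fails the original binary is already gone and signApp still returns 0. The `return 175` branch frees `fat` but leaves the extracted slice at `tmpPath` in the temporary directory. `sliceOutStream` and `sliceStream` are also passed to `memory_stream_copy_data` without a NULL check, which matters if `file_stream_init_from_path` can fail (presumably it returns NULL then; confirm against libchoma). Since this runs in the root helper over every entry the enumerator yields, it may be worth skipping anything that is not a regular file before calling `fat_init_from_path`. signApp begins above this hunk; the fence below covers only the cleanup and the checked replace.

```objc
// … unchanged: slice extraction, ad hoc signing, apply_coretrust_bypass call …
else {
    // … unchanged: failure NSLog …
    // Do not leave the extracted slice behind in the temporary directory
    [[NSFileManager defaultManager] removeItemAtPath:tmpPath error:nil];
    fat_free(fat);
    return 175;
}

// tempFile is now signed, overwrite original file at filePath with it
NSFileManager *fileManager = [NSFileManager defaultManager];
NSError *replaceError = nil;
if (![fileManager removeItemAtPath:filePath error:&replaceError] ||
    ![fileManager moveItemAtPath:tmpPath toPath:filePath error:&replaceError]) {
    NSLog(@"[%@] Failed to replace original file: %@", filePath, replaceError);
    [fileManager removeItemAtPath:tmpPath error:nil];
    fat_free(fat);
    return 175; // reuses the existing failure code; pick a dedicated one if callers distinguish
}
```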
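Review bot: The previous already-signed check is kept as dead code inside a `/* … */` block that opens in the preceding hunk and closes here with `}*/`. A block comment of this kind ends at the first `*/` it meets, so any later edit that puts a block comment inside it would silently re-enable part of the old code; deleting the block (history keeps it) or fencing it with `#if 0` … `#endif` is safer. The new closing directive would also read better as `#endif // !EMBEDDED_ROOT_HELPER`, because its `#ifdef` sits roughly a hundred lines above, at the stub definition of signApp.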