diff --git a/.gitignore b/.gitignore
index d28f89b..2663f57 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,4 @@ packages/
 xcuserdata
 .vscode
 pwnify_compiled
-Developer.ipa
\ No newline at end of file
+InstallerVictim.ipa
\ No newline at end of file
diff --git a/Installer/TrollInstaller2/TSI2AppDelegate.h b/Installer/TrollInstaller2/TSI2AppDelegate.h
deleted file mode 100644
index 15625a6..0000000
--- a/Installer/TrollInstaller2/TSI2AppDelegate.h
+++ /dev/null
@@ -1,6 +0,0 @@
-
-#import
-
-@interface TSI2AppDelegate : UIResponder
-
-@end
\ No newline at end of file
diff --git a/Installer/TrollInstaller2/TSI2AppDelegateNoScene.h b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.h
new file mode 100644
index 0000000..621ac54
--- /dev/null
+++ b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.h
@@ -0,0 +1,7 @@
+
+#import
+
+@interface TSI2AppDelegateNoScene : UIResponder
+@property (nonatomic, strong) UIWindow *window;
+@property (nonatomic, strong) UINavigationController *rootViewController;
+@end
\ No newline at end of file
diff --git a/Installer/TrollInstaller2/TSI2AppDelegateNoScene.m b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.m
new file mode 100644
index 0000000..a9c643c
--- /dev/null
+++ b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.m
@@ -0,0 +1,14 @@
+#import "TSI2AppDelegateNoScene.h"
+#import "TSI2RootViewController.h"
+
+@implementation TSI2AppDelegateNoScene
+
+- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
+ _window = [[UIWindow alloc] initWithFrame:[UIScreen mainScreen].bounds];
+ _rootViewController = [[UINavigationController alloc] initWithRootViewController:[[TSI2RootViewController alloc] init]];
+ _window.rootViewController = _rootViewController;
+ [_window makeKeyAndVisible];
+ return YES;
+}
+
+@end
\ No newline at end of file
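Review bot: In `TSI2AppDelegateNoScene.m`, `application:didFinishLaunchingWithOptions:` assigns `_window` and `_rootViewController` as raw ivars even though the new header declares them as properties; outside `init`/`dealloc` the accessors are the conventional path and keep any later custom setter or observer working. Change the four lines to go through `self`, e.g. `self.window = [[UIWindow alloc] initWithFrame:[UIScreen mainScreen].bounds];` and `self.window.rootViewController = self.rootViewController;`, with the other two lines rewritten the same way. A one-line comment above the method would also help, such as `// No scene manifest in this bundle, so the window is created here rather than by a scene delegate.`, which I infer from the class name and from the WithScene variant not creating a window.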
diff --git a/Installer/TrollInstaller2/TSI2AppDelegateWithScene.h b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.h
new file mode 100644
index 0000000..61bff32
--- /dev/null
+++ b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.h
@@ -0,0 +1,6 @@
+
+#import
+
+@interface TSI2AppDelegateWithScene : UIResponder
+
+@end
\ No newline at end of file
diff --git a/Installer/TrollInstaller2/TSI2AppDelegate.m b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.m
similarity index 92%
rename from Installer/TrollInstaller2/TSI2AppDelegate.m
rename to Installer/TrollInstaller2/TSI2AppDelegateWithScene.m
index 6da70a0..60b1c0b 100644
--- a/Installer/TrollInstaller2/TSI2AppDelegate.m
+++ b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.m
@@ -1,6 +1,6 @@
-#import "TSI2AppDelegate.h"
+#import "TSI2AppDelegateWithScene.h"
 
-@implementation TSI2AppDelegate
+@implementation TSI2AppDelegateWithScene
 
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
 return YES;
diff --git a/Installer/TrollInstaller2/main.m b/Installer/TrollInstaller2/main.m
index 5557169..4228da0 100644
--- a/Installer/TrollInstaller2/main.m
+++ b/Installer/TrollInstaller2/main.m
@@ -1,14 +1,69 @@
 #import
-#import "TSI2AppDelegate.h"
+#import "TSI2AppDelegateNoScene.h"
+#import "TSI2AppDelegateWithScene.h"
 #import "TSI2SceneDelegate.h"
 #import
 
 extern int rootHelperMain(int argc, char *argv[], char *envp[]);
 
-void classFixup(void)
+BOOL sceneDelegateFix(void)
 {
- Class newClass = objc_allocateClassPair([TSI2SceneDelegate class], "WWDC.SceneDelegate", 0);
- objc_registerClassPair(newClass);
+ NSString* sceneDelegateClassName = nil;
+
+ NSDictionary* UIApplicationSceneManifest = [NSBundle.mainBundle objectForInfoDictionaryKey:@"UIApplicationSceneManifest"];
+ if(UIApplicationSceneManifest && [UIApplicationSceneManifest isKindOfClass:NSDictionary.class])
+ {
+ NSDictionary* UISceneConfiguration = UIApplicationSceneManifest[@"UISceneConfigurations"];
+ if(UISceneConfiguration && [UISceneConfiguration isKindOfClass:NSDictionary.class])
+ {
+ NSArray* UIWindowSceneSessionRoleApplication = UISceneConfiguration[@"UIWindowSceneSessionRoleApplication"];
+ if(UIWindowSceneSessionRoleApplication && [UIWindowSceneSessionRoleApplication isKindOfClass:NSArray.class])
+ {
+ NSDictionary* sceneToUse = nil;
+ if(UIWindowSceneSessionRoleApplication.count > 1)
+ {
+ for(NSDictionary* scene in UIWindowSceneSessionRoleApplication)
+ {
+ if([scene isKindOfClass:NSDictionary.class])
+ {
+ NSString* UISceneConfigurationName = scene[@"UISceneConfigurationName"];
+ if([UISceneConfigurationName isKindOfClass:NSString.class])
+ {
+ if([UISceneConfigurationName isEqualToString:@"Default Configuration"])
+ {
+ sceneToUse = scene;
+ break;
+ }
+ }
+ }
+ }
+
+ if(!sceneToUse)
+ {
+ sceneToUse = UIWindowSceneSessionRoleApplication.firstObject;
+ }
+ }
+ else
+ {
+ sceneToUse = UIWindowSceneSessionRoleApplication.firstObject;
+ }
+
+ if(sceneToUse && [sceneToUse isKindOfClass:NSDictionary.class])
+ {
+ sceneDelegateClassName = sceneToUse[@"UISceneDelegateClassName"];
+ }
+ }
+ }
+ }
+
+ if(sceneDelegateClassName && [sceneDelegateClassName isKindOfClass:NSString.class])
+ {
+ Class newClass = objc_allocateClassPair([TSI2SceneDelegate class], sceneDelegateClassName.UTF8String, 0);
+ objc_registerClassPair(newClass);
+ return YES;
+ }
+
+ return NO;
 }
 
 int main(int argc, char *argv[], char *envp[]) {
@@ -21,8 +76,15 @@ int main(int argc, char *argv[], char *envp[]) {
 }
 else
 {
- classFixup();
- return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegate.class));
+ BOOL usesSceneDelegate = sceneDelegateFix();
+ if(usesSceneDelegate)
+ {
+ return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegateWithScene.class));
+ }
+ else
+ {
+ return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegateNoScene.class));
+ }
 }
 }
 }
diff --git a/_compile/build_trollinstaller2.sh b/_compile/build_trollinstaller2.sh
index 43f06ef..9aa30a9 100755
--- a/_compile/build_trollinstaller2.sh
+++ b/_compile/build_trollinstaller2.sh
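Review bot: `objc_allocateClassPair` returns Nil when a class with the name taken from `sceneDelegateClassName` is already registered in the process (or the name is otherwise rejected), and the next line in `sceneDelegateFix` hands that Nil to `objc_registerClassPair`, which does not tolerate it, before reporting YES; add `if(!newClass) return NO;` between the two calls so the caller falls back to the no-scene delegate instead of crashing. The `X && [X isKindOfClass:...]` guards are redundant because messaging nil already yields NO, and the five-deep nesting would read better as an early `return NO` at each missing key. A header comment stating the purpose would help a reader who meets the runtime class creation cold, e.g. `// Registers a TSI2SceneDelegate subclass under the UISceneDelegateClassName found in Info.plist, presumably so UIKit's scene-delegate lookup resolves to our class.`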
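Review bot: The two branches of the new `if(usesSceneDelegate)` in `main` differ only in which delegate class is named to `UIApplicationMain`, so the duplicated call can collapse to `Class delegateClass = sceneDelegateFix() ? TSI2AppDelegateWithScene.class : TSI2AppDelegateNoScene.class;` followed by `return UIApplicationMain(argc, argv, nil, NSStringFromClass(delegateClass));`. A brief comment on the fallback would also help, e.g. `// No usable scene manifest: use the delegate that creates the window itself.` The enclosing `main` begins in the previous hunk, and its outer `if` and the `rootHelperMain` branch are outside this hunk.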
@@ -6,23 +6,38 @@ then mkdir -p ./out fi +if [ -d "./out/tmppwn" ] +then + rm -rf ./out/tmppwn +fi + +if [ -f "./out/TrollInstaller2_arm64e.ipa" ] +then + rm ./out/TrollInstaller2_arm64e.ipa +fi + +mkdir ./out/tmppwn || true 2> /dev/null + cd ../Installer/TrollInstaller2 make clean make package +cd - 2> /dev/null + +lipo -thin arm64e ../Installer/TrollInstaller2/.theos/obj/debug/TrollInstaller2.app/TrollInstaller2 -output ./out/tmppwn/pwn_arm64e +ldid -S -M -Kcert.p12 ./out/tmppwn/pwn_arm64e + +unzip ./target/InstallerVictim.ipa -d ./out/tmppwn + +cd ./out/tmppwn/Payload +APP_NAME=$(find *.app -maxdepth 0) +BINARY_NAME=$(echo "$APP_NAME" | cut -f 1 -d '.') +cd - 2> /dev/null + +./pwnify_compiled ./out/tmppwn/Payload/$APP_NAME/$BINARY_NAME ./out/tmppwn/pwn_arm64e +rm ./out/tmppwn/pwn_arm64e + +cd ./out/tmppwn +zip -vr ../TrollInstaller2_arm64e.ipa * cd - -lipo -thin arm64e ../Installer/TrollInstaller2/.theos/obj/debug/TrollInstaller2.app/TrollInstaller2 -output ./out/pwn_arm64e -ldid -S -M -Kcert.p12 ./out/pwn_arm64e - -mkdir ./out/devpwn -unzip target/Developer.ipa -d ./out/devpwn - -./pwnify_compiled ./out/devpwn/Payload/Developer.app/Developer ./out/pwn_arm64e -rm ./out/pwn_arm64e - -cd ./out/devpwn -zip -vr devpwn.ipa * -cd - - -cp ./out/devpwn/devpwn.ipa ./out/DeveloperInstaller.ipa -rm -rf ./out/devpwn \ No newline at end of file +rm -rf ./out/tmppwn \ No newline at end of file diff --git a/install_trollinstaller2.md b/install_trollinstaller2.md index d1b6fd2..91b49f9 100644 --- a/install_trollinstaller2.md +++ b/install_trollinstaller2.md 
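Review bot: `./pwnify_compiled ./out/tmppwn/Payload/$APP_NAME/$BINARY_NAME ./out/tmppwn/pwn_arm64e` leaves both expansions unquoted, so a `.app` directory name containing a space splits into several arguments, and `cut -f 1 -d '.'` assumes the executable is named after the bundle directory, which is not guaranteed — the executable name is the bundle's `CFBundleExecutable`, which `/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' Info.plist` reads on macOS. Quote the path as `"./out/tmppwn/Payload/$APP_NAME/$BINARY_NAME"` and derive `BINARY_NAME` from Info.plist rather than from the directory name. Separately, in `mkdir ./out/tmppwn || true 2> /dev/null` the redirection applies to `true` rather than `mkdir`, and with no `set -e` (the script head is outside this hunk) a failed `lipo`, `ldid` or `unzip` is ignored and the script continues into `pwnify_compiled` with missing inputs; a `set -e` near the top addresses that.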
@@ -8,15 +8,15 @@ 1. Do `git clone https://github.com/opa334/TrollStore` -2. Get a stock "Apple Developer" IPA using [ipatool](https://github.com/majd/ipatool/releases/tag/v1.1.4) (iOS 15 only) +2. Get ANY encrypted AppStore IPA using [ipatool](https://github.com/majd/ipatool/releases/tag/v1.1.4) - Unzip, then do `chmod +x ~/Downloads/ipatool` - `sudo mv ~/Downloads/ipatool /usr/local/bin` - `ipatool auth login` - `ipatool download -b developer.apple.wwdc-Release` -> For iOS 14 please follow [this](https://github.com/flowerible/How-to-Downgrade-apps-on-AppStore-with-iTunes-and-Charles-Proxy) you will need Windows, once you get ipa switch back to Mac preceed. +> For iOS 14 please make sure to use an app that still supports iOS 14 -3. Rename the output ipa to `Developer.ipa`, and put it into ~/TrollStore/_compile/target/Developer.ipa +3. Rename the output ipa to `InstallerVictim.ipa`, and put it into ~/TrollStore/_compile/InstallerVictim.ipa 4. Grab pwnify_compiled from Fugu14 repo (https://github.com/LinusHenze/Fugu14/blob/master/tools/pwnify_compiled), sign it using codesign (`codesign -f -s - `) and put it at ~/TrollStore/_compile/pwnify_compiled 
@@ -25,18 +25,16 @@ - Rename the Procursus ldid for your arch to `ldid`, then do `chmod +x ~/Downloads/ldid` - `sudo mv ~/Downloads/ldid /usr/local/bin` -> As of right now you need to add an "`out`" folder in _compile - 6. cd into _compile and run `./build_trollinstaller2.sh` (`chmod +x ./build_trollinstaller2.sh` if you get a permission error) -7. Wait a bit, when done, there will be a `DeveloperInstaller.ipa` in ~/TrollStore/_compile/out - -> If this fails and gives you a `devpwn.ipa`, unzip that ipa and put all the contents in it back into their original places. +7. Wait a bit, when done, there will be a `TrollInstaller2.ipa` in ~/TrollStore/_compile/out ## Using compiled IPA (does not neccessarily require a Mac if you obtained the IPA from non orthodox ways) -8. You can install that to a device using e.g. ideviceinstaller(do `brew install ideviceinstaller` then do `ideviceinstaller -i DeveloperInstaller.ipa`) +8. You can install that to a device using e.g. ideviceinstaller(do `brew install ideviceinstaller` then do `ideviceinstaller -i TrollInstaller2.ipa`) + +Alternatively, you can use Sideloadly if you select "Normal Installation". (Other methods may also work, but make sure you don't use a signing cert, you can also use an enterprise plist or something to install it via Safari as shown in Fugu15 demo, something like iFunBox may also work) -9. After installation, you can use the "Developer" app on your device to install TrollStore +9. After installation, you can use the newly installed app on your device to install TrollStore