Support injection of TrollInstaller2 into ANY AppStore encrypted IPA

2025-11-04 07:32:36 +08:00 · 2022-10-07 18:34:06 +02:00 · 2022-10-07 18:34:06 +02:00 · 7dd6c86c3d
commit 7dd6c86c3d
parent e9aaaa1bbc
9 changed files with 136 additions and 40 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,4 +5,4 @@ packages/
 xcuserdata
 .vscode
 pwnify_compiled
-Developer.ipa
+InstallerVictim.ipa
--- a/Installer/TrollInstaller2/TSI2AppDelegate.h
+++ b/Installer/TrollInstaller2/TSI2AppDelegate.h
@ -1,6 +0,0 @@
 #import <UIKit/UIKit.h>
@interface TSI2AppDelegate : UIResponder <UIApplicationDelegate>
@end
--- a/Installer/TrollInstaller2/TSI2AppDelegateNoScene.h
+++ b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.h
@ -0,0 +1,7 @@
 #import <UIKit/UIKit.h>
@interface TSI2AppDelegateNoScene : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@property (nonatomic, strong) UINavigationController *rootViewController;
@end
--- a/Installer/TrollInstaller2/TSI2AppDelegateNoScene.m
+++ b/Installer/TrollInstaller2/TSI2AppDelegateNoScene.m
@ -0,0 +1,14 @@
 #import "TSI2AppDelegateNoScene.h"
 #import "TSI2RootViewController.h"
@implementation TSI2AppDelegateNoScene
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
 	_window = [[UIWindow alloc] initWithFrame:[UIScreen mainScreen].bounds];
 	_rootViewController = [[UINavigationController alloc] initWithRootViewController:[[TSI2RootViewController alloc] init]];
 	_window.rootViewController = _rootViewController;
 	[_window makeKeyAndVisible];
 	return YES;
 }
@end
--- a/Installer/TrollInstaller2/TSI2AppDelegateWithScene.h
+++ b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.h
@ -0,0 +1,6 @@
 #import <UIKit/UIKit.h>
@interface TSI2AppDelegateWithScene : UIResponder <UIApplicationDelegate>
@end
--- a/Installer/TrollInstaller2/TSI2AppDelegateWithScene.m
+++ b/Installer/TrollInstaller2/TSI2AppDelegateWithScene.m
@ -1,6 +1,6 @@
-#import "TSI2AppDelegate.h"
+#import "TSI2AppDelegateWithScene.h"
-@implementation TSI2AppDelegate
+@implementation TSI2AppDelegateWithScene
 - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
 	return YES;
--- a/Installer/TrollInstaller2/main.m
+++ b/Installer/TrollInstaller2/main.m
@ -1,14 +1,69 @@
 #import <Foundation/Foundation.h>
-#import "TSI2AppDelegate.h"
+#import "TSI2AppDelegateNoScene.h"
 #import "TSI2AppDelegateWithScene.h"
 #import "TSI2SceneDelegate.h"
 #import <objc/runtime.h>
 extern int rootHelperMain(int argc, char *argv[], char *envp[]);
-void classFixup(void)
+BOOL sceneDelegateFix(void)
 {
-	Class newClass = objc_allocateClassPair([TSI2SceneDelegate class], "WWDC.SceneDelegate", 0);
+	NSString* sceneDelegateClassName = nil;
 	NSDictionary* UIApplicationSceneManifest = [NSBundle.mainBundle objectForInfoDictionaryKey:@"UIApplicationSceneManifest"];
 	if(UIApplicationSceneManifest && [UIApplicationSceneManifest isKindOfClass:NSDictionary.class])
 	{
 		NSDictionary* UISceneConfiguration = UIApplicationSceneManifest[@"UISceneConfigurations"];
 		if(UISceneConfiguration && [UISceneConfiguration isKindOfClass:NSDictionary.class])
 		{
 			NSArray* UIWindowSceneSessionRoleApplication = UISceneConfiguration[@"UIWindowSceneSessionRoleApplication"];
 			if(UIWindowSceneSessionRoleApplication && [UIWindowSceneSessionRoleApplication isKindOfClass:NSArray.class])
 			{
 				NSDictionary* sceneToUse = nil;
 				if(UIWindowSceneSessionRoleApplication.count > 1)
 				{
 					for(NSDictionary* scene in UIWindowSceneSessionRoleApplication)
 					{
 						if([scene isKindOfClass:NSDictionary.class])
 						{
 							NSString* UISceneConfigurationName = scene[@"UISceneConfigurationName"];
 							if([UISceneConfigurationName isKindOfClass:NSString.class])
 							{
 								if([UISceneConfigurationName isEqualToString:@"Default Configuration"])
 								{
 									sceneToUse = scene;
 									break;
 								}
 							}
 						}
 					}
 					if(!sceneToUse)
 					{
 						sceneToUse = UIWindowSceneSessionRoleApplication.firstObject;
 					}
 				}
 				else
 				{
 					sceneToUse = UIWindowSceneSessionRoleApplication.firstObject;
 				}
 				if(sceneToUse && [sceneToUse isKindOfClass:NSDictionary.class])
 				{
 					sceneDelegateClassName = sceneToUse[@"UISceneDelegateClassName"];
 				}
 			}
 		}
 	}
 	if(sceneDelegateClassName && [sceneDelegateClassName isKindOfClass:NSString.class])
 	{
 		Class newClass = objc_allocateClassPair([TSI2SceneDelegate class], sceneDelegateClassName.UTF8String, 0);
 		objc_registerClassPair(newClass);
 		return YES;
 	}
 	return NO;
 }
 int main(int argc, char *argv[], char *envp[]) {
@ -21,8 +76,15 @@ int main(int argc, char *argv[], char *envp[]) {
 		}
 		else
 		{
-			classFixup();
+			BOOL usesSceneDelegate = sceneDelegateFix();
-			return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegate.class));
+			if(usesSceneDelegate)
 			{
 				return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegateWithScene.class));
 			}
 			else
 			{
 				return UIApplicationMain(argc, argv, nil, NSStringFromClass(TSI2AppDelegateNoScene.class));
 			}
 		}
 	}
 }
--- a/_compile/build_trollinstaller2.sh
+++ b/_compile/build_trollinstaller2.sh
@ -6,23 +6,38 @@ then
    mkdir -p ./out
 fi
 if [ -d "./out/tmppwn" ]
 then
    rm -rf ./out/tmppwn
 fi
 if [ -f "./out/TrollInstaller2_arm64e.ipa" ]
 then
    rm ./out/TrollInstaller2_arm64e.ipa
 fi
 mkdir ./out/tmppwn || true 2> /dev/null
 cd ../Installer/TrollInstaller2
 make clean
 make package
 cd - 2> /dev/null
 lipo -thin arm64e ../Installer/TrollInstaller2/.theos/obj/debug/TrollInstaller2.app/TrollInstaller2 -output ./out/tmppwn/pwn_arm64e
 ldid -S -M -Kcert.p12 ./out/tmppwn/pwn_arm64e
 unzip ./target/InstallerVictim.ipa -d ./out/tmppwn
 cd ./out/tmppwn/Payload
 APP_NAME=$(find *.app -maxdepth 0)
 BINARY_NAME=$(echo "$APP_NAME" | cut -f 1 -d '.')
 cd - 2> /dev/null
 ./pwnify_compiled ./out/tmppwn/Payload/$APP_NAME/$BINARY_NAME ./out/tmppwn/pwn_arm64e
 rm ./out/tmppwn/pwn_arm64e
 cd ./out/tmppwn
 zip -vr ../TrollInstaller2_arm64e.ipa *
 cd -
-lipo -thin arm64e ../Installer/TrollInstaller2/.theos/obj/debug/TrollInstaller2.app/TrollInstaller2 -output ./out/pwn_arm64e
+rm -rf ./out/tmppwn
 ldid -S -M -Kcert.p12 ./out/pwn_arm64e
 mkdir ./out/devpwn
 unzip target/Developer.ipa -d ./out/devpwn
 ./pwnify_compiled ./out/devpwn/Payload/Developer.app/Developer ./out/pwn_arm64e
 rm ./out/pwn_arm64e
 cd ./out/devpwn
 zip -vr devpwn.ipa *
 cd -
 cp ./out/devpwn/devpwn.ipa ./out/DeveloperInstaller.ipa
 rm -rf ./out/devpwn
--- a/install_trollinstaller2.md
+++ b/install_trollinstaller2.md
@ -8,15 +8,15 @@
 1. Do `git clone https://github.com/opa334/TrollStore`
-2. Get a stock "Apple Developer" IPA using [ipatool](https://github.com/majd/ipatool/releases/tag/v1.1.4) (iOS 15 only)
+2. Get ANY encrypted AppStore IPA using [ipatool](https://github.com/majd/ipatool/releases/tag/v1.1.4)
 - Unzip, then do `chmod +x ~/Downloads/ipatool`
 - `sudo mv ~/Downloads/ipatool /usr/local/bin`
 - `ipatool auth login` 
 - `ipatool download -b developer.apple.wwdc-Release`
-> For iOS 14 please follow [this](https://github.com/flowerible/How-to-Downgrade-apps-on-AppStore-with-iTunes-and-Charles-Proxy) you will need Windows, once you get ipa switch back to Mac preceed.
+> For iOS 14 please make sure to use an app that still supports iOS 14
-3. Rename the output ipa to `Developer.ipa`, and put it into ~/TrollStore/_compile/target/Developer.ipa
+3. Rename the output ipa to `InstallerVictim.ipa`, and put it into ~/TrollStore/_compile/InstallerVictim.ipa
 4. Grab pwnify_compiled from Fugu14 repo (https://github.com/LinusHenze/Fugu14/blob/master/tools/pwnify_compiled), sign it using codesign (`codesign -f -s - <path/to/pwnify_compiled>`) and put it at ~/TrollStore/_compile/pwnify_compiled
@ -25,18 +25,16 @@
 - Rename the Procursus ldid for your arch to `ldid`, then do `chmod +x ~/Downloads/ldid`
 - `sudo mv ~/Downloads/ldid /usr/local/bin`
 > As of right now you need to add an "`out`" folder in _compile
 6. cd into _compile and run `./build_trollinstaller2.sh` (`chmod +x ./build_trollinstaller2.sh` if you get a permission error)
-7. Wait a bit, when done, there will be a `DeveloperInstaller.ipa` in ~/TrollStore/_compile/out
+7. Wait a bit, when done, there will be a `TrollInstaller2.ipa` in ~/TrollStore/_compile/out
 > If this fails and gives you a `devpwn.ipa`, unzip that ipa and put all the contents in it back into their original places.
 ## Using compiled IPA (does not neccessarily require a Mac if you obtained the IPA from non orthodox ways)
-8. You can install that to a device using e.g. ideviceinstaller(do `brew install ideviceinstaller` then do `ideviceinstaller -i DeveloperInstaller.ipa`)
+8. You can install that to a device using e.g. ideviceinstaller(do `brew install ideviceinstaller` then do `ideviceinstaller -i TrollInstaller2.ipa`)
 Alternatively, you can use Sideloadly if you select "Normal Installation".
 (Other methods may also work, but make sure you don't use a signing cert, you can also use an enterprise plist or something to install it via Safari as shown in Fugu15 demo, something like iFunBox may also work)
-9. After installation, you can use the "Developer" app on your device to install TrollStore
+9. After installation, you can use the newly installed app on your device to install TrollStore