From f11348499b71f49f7b0ab1faf57cfa088a32b967 Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:03:30 +0800
Subject: [PATCH 01/13] Create TSModuleManager.h
---
Modules/TSModuleManager.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 Modules/TSModuleManager.h
diff --git a/Modules/TSModuleManager.h b/Modules/TSModuleManager.h
new file mode 100644
index 0000000..7ea6780
--- /dev/null
+++ b/Modules/TSModuleManager.h
@@ -0,0 +1,25 @@
+#import
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef NS_ENUM(NSUInteger, TSModuleType) {
+ TSModuleTypeExploit,
+ TSModuleTypeInstallation,
+ TSModuleTypePersistence,
+ TSModuleTypeSecurity
+};
+
+@protocol TSModuleProtocol
+- (BOOL)executeWithParameters:(NSDictionary *)params;
+- (void)cleanupResources;
+@property (nonatomic, readonly) TSModuleType moduleType;
+@end
+
+@interface TSModuleManager : NSObject
++ (instancetype)sharedManager;
+- (void)registerModule:(id)module forType:(TSModuleType)type;
+- (nullable id)moduleForType:(TSModuleType)type;
+- (BOOL)executeModule:(TSModuleType)type parameters:(NSDictionary *)params;
+@end
+
+NS_ASSUME_NONNULL_END
From 7f91ea5cd9657865e8f21752c3b8076d4cf6b445 Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:04:40 +0800
Subject: [PATCH 02/13] Create TSModuleManager.m
---
Modules/TSModuleManager.m | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 Modules/TSModuleManager.m
diff --git a/Modules/TSModuleManager.m b/Modules/TSModuleManager.m
new file mode 100644
index 0000000..5512bdb
--- /dev/null
+++ b/Modules/TSModuleManager.m
@@ -0,0 +1,11 @@
+#import "TSModuleManager.h"
+
+@interface TSModuleManager ()
+@property (nonatomic, strong) NSMutableDictionary> *modules;
+@end
+
+@implementation TSModuleManager
+
+// 实现共享实例、注册、执行等方法(完整实现参考之前的代码)
+
+@end
From 7f26a790e5cad62890dcc378a4a07021a0393488 Mon Sep 17 00:00:00 2001
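Review bot: The `@implementation TSModuleManager` block in TSModuleManager.m contains only a placeholder comment, so `+sharedManager`, `-registerModule:forType:`, `-moduleForType:` and `-executeModule:parameters:` from TSModuleManager.h have no definitions and any call to them raises an unrecognized-selector exception. The `modules` dictionary is likewise never allocated. Either land the real methods in this commit or hold the class back until they exist. When they are added, `executeModule:parameters:` should return `NO` for a type with no registered module, and access to `modules` needs a serial queue or lock if modules can be registered off the main thread. The placeholder should be an English comment naming what is missing, e.g. `// TODO: implement sharedManager, registerModule:forType:, moduleForType:, executeModule:parameters:`.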
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:05:09 +0800
Subject: [PATCH 03/13] Create TSStreamingInstaller.h
---
Modules/TSStreamingInstaller.h | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 Modules/TSStreamingInstaller.h
diff --git a/Modules/TSStreamingInstaller.h b/Modules/TSStreamingInstaller.h
new file mode 100644
index 0000000..f397389
--- /dev/null
+++ b/Modules/TSStreamingInstaller.h
@@ -0,0 +1,7 @@
+#import
+
+@interface TSStreamingInstaller : NSObject
+- (instancetype)initWithIPAAtPath:(NSString *)ipaPath;
+- (BOOL)installToDestination:(NSString *)destinationPath;
+@property (nonatomic, copy) void (^progressHandler)(float progress);
+@end
From 1a85ac724706c8b5a7f6090c8915ce37d1c2c897 Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:05:37 +0800
Subject: [PATCH 04/13] Create TSStreamingInstaller.m
---
Modules/Modules/TSStreamingInstaller.m | 61 ++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 Modules/Modules/TSStreamingInstaller.m
diff --git a/Modules/Modules/TSStreamingInstaller.m b/Modules/Modules/TSStreamingInstaller.m
new file mode 100644
index 0000000..49cd15e
--- /dev/null
+++ b/Modules/Modules/TSStreamingInstaller.m
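Review bot: TSStreamingInstaller.h declares `initWithIPAAtPath:` but no `ipaPath` property, while the implementation added in patches 04 and 05 reads `self.ipaPath` and defines no initializer, so the class cannot be built or constructed as declared. Add `@property (nonatomic, copy, readonly) NSString *ipaPath;` (or a private one in a class extension) and implement the initializer so that it copies the argument. The header has no `NS_ASSUME_NONNULL_BEGIN`/`NS_ASSUME_NONNULL_END` region either, and `progressHandler` should be marked `nullable` because `installToDestination:` tests it for nil before calling it. A doc comment on `installToDestination:` should state which thread it blocks and what the `BOOL` result means.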
@@ -0,0 +1,61 @@
+#import "TSStreamingInstaller.h"
+#import "minizip/unzip.h"
+
+#define CHUNK_SIZE 16384
+
+@implementation TSStreamingInstaller {
+ unzFile _zipFile;
+ BOOL _cancelled;
+}
+
+- (BOOL)installToDestination:(NSString *)destPath {
+ // 打开ZIP文件
+ _zipFile = unzOpen64([self.ipaPath UTF8String]);
+ if (!_zipFile) return NO;
+
+ // 遍历ZIP条目并流式解压
+ unz_global_info64 globalInfo;
+ unzGetGlobalInfo64(_zipFile, &globalInfo);
+
+ for (int i = 0; i < globalInfo.number_entry; i++) {
+ if (_cancelled) break;
+
+ // 获取文件信息并解压
+ unz_file_info64 fileInfo;
+ char filename[256];
+ unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0);
+
+ NSString *fullPath = [destPath stringByAppendingPathComponent:[NSString stringWithUTF8String:filename]];
+
+ if (filename[strlen(filename)-1] == '/') {
+ // 创建目录
+ [[NSFileManager defaultManager] createDirectoryAtPath:fullPath withIntermediateDirectories:YES attributes:nil error:nil];
+ } else {
+ // 流式解压文件
+ FILE *fp = fopen([fullPath UTF8String], "wb");
+ unzOpenCurrentFile(_zipFile);
+
+ void *buffer = malloc(CHUNK_SIZE);
+ while (true) {
+ int bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE);
+ if (bytes <= 0) break;
+ fwrite(buffer, 1, bytes, fp);
+ }
+
+ fclose(fp);
+ free(buffer);
+ unzCloseCurrentFile(_zipFile);
+ }
+
+ // 更新进度
+ float progress = (float)(i+1) / (float)globalInfo.number_entry;
+ if (self.progressHandler) self.progressHandler(progress);
+
+ unzGoToNextFile(_zipFile);
+ }
+
+ unzClose(_zipFile);
+ return !_cancelled;
+}
+
+@end
From cf150dd451975f1f54d11f7cedcdcf3b3016b8a7 Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:08:34 +0800
Subject: [PATCH 05/13] Create TSStreamingInstaller.m
---
Modules/TSStreamingInstaller.m | 61 ++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 Modules/TSStreamingInstaller.m
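Review bot: Entry names read from the archive are appended to `destPath` without validation in `installToDestination:`, so an entry whose name contains `..` components resolves outside the install directory; the same code is added again at Modules/TSStreamingInstaller.m in patch 05. `filename` is also passed to `strlen` although, as far as I know, minizip does not NUL-terminate the buffer when the stored name is 256 bytes or longer, and an empty name makes `filename[strlen(filename)-1]` index before the array. `stringWithUTF8String:` returns nil for invalid UTF-8, which makes `stringByAppendingPathComponent:` throw. Reject such entries before building the path, as in the excerpt below. The prefix test there is lexical, so a symlink already present under the destination would still need a separate check.

```objc
// … unchanged: declarations of fileInfo and filename …
if (unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0) != UNZ_OK ||
    fileInfo.size_filename == 0 ||
    fileInfo.size_filename >= sizeof(filename)) {
    unzClose(_zipFile);
    return NO;
}

NSString *entryName = [NSString stringWithUTF8String:filename];
NSString *rootPath = [destPath stringByStandardizingPath];
NSString *fullPath = [[rootPath stringByAppendingPathComponent:entryName ?: @""] stringByStandardizingPath];
// Refuse any entry that does not stay strictly below the destination directory.
if (!entryName || ![fullPath hasPrefix:[rootPath stringByAppendingString:@"/"]]) {
    unzClose(_zipFile);
    return NO;
}
// … unchanged: directory and file branches …
```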
diff --git a/Modules/TSStreamingInstaller.m b/Modules/TSStreamingInstaller.m
new file mode 100644
index 0000000..49cd15e
--- /dev/null
+++ b/Modules/TSStreamingInstaller.m
@@ -0,0 +1,61 @@
+#import "TSStreamingInstaller.h"
+#import "minizip/unzip.h"
+
+#define CHUNK_SIZE 16384
+
+@implementation TSStreamingInstaller {
+ unzFile _zipFile;
+ BOOL _cancelled;
+}
+
+- (BOOL)installToDestination:(NSString *)destPath {
+ // 打开ZIP文件
+ _zipFile = unzOpen64([self.ipaPath UTF8String]);
+ if (!_zipFile) return NO;
+
+ // 遍历ZIP条目并流式解压
+ unz_global_info64 globalInfo;
+ unzGetGlobalInfo64(_zipFile, &globalInfo);
+
+ for (int i = 0; i < globalInfo.number_entry; i++) {
+ if (_cancelled) break;
+
+ // 获取文件信息并解压
+ unz_file_info64 fileInfo;
+ char filename[256];
+ unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0);
+
+ NSString *fullPath = [destPath stringByAppendingPathComponent:[NSString stringWithUTF8String:filename]];
+
+ if (filename[strlen(filename)-1] == '/') {
+ // 创建目录
+ [[NSFileManager defaultManager] createDirectoryAtPath:fullPath withIntermediateDirectories:YES attributes:nil error:nil];
+ } else {
+ // 流式解压文件
+ FILE *fp = fopen([fullPath UTF8String], "wb");
+ unzOpenCurrentFile(_zipFile);
+
+ void *buffer = malloc(CHUNK_SIZE);
+ while (true) {
+ int bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE);
+ if (bytes <= 0) break;
+ fwrite(buffer, 1, bytes, fp);
+ }
+
+ fclose(fp);
+ free(buffer);
+ unzCloseCurrentFile(_zipFile);
+ }
+
+ // 更新进度
+ float progress = (float)(i+1) / (float)globalInfo.number_entry;
+ if (self.progressHandler) self.progressHandler(progress);
+
+ unzGoToNextFile(_zipFile);
+ }
+
+ unzClose(_zipFile);
+ return !_cancelled;
+}
+
+@end
From 50a7142b2da8b8a84dc920c1bc6fd585827c825a Mon Sep 17 00:00:00 2001
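Review bot: Failures in the file branch of `installToDestination:` are silently ignored, and the method returns `!_cancelled`, so a truncated or corrupt install is reported as success. `fopen` can return NULL, for example when the archive has no directory entry for the file's parent, and that NULL is then handed to `fwrite` and `fclose`. A negative `unzReadCurrentFile` result is also treated as end of file. `_cancelled` is never set anywhere in this file, so the cancel path is dead code. The excerpt below propagates these errors and checks the CRC result from `unzCloseCurrentFile`; the same applies to the copy added at Modules/Modules/TSStreamingInstaller.m in patch 04.

```objc
} else {
    // Directory entries are optional in ZIP archives, so make sure the parent exists.
    [[NSFileManager defaultManager] createDirectoryAtPath:[fullPath stringByDeletingLastPathComponent]
                              withIntermediateDirectories:YES
                                               attributes:nil
                                                    error:nil];
    if (unzOpenCurrentFile(_zipFile) != UNZ_OK) {
        unzClose(_zipFile);
        return NO;
    }

    FILE *fp = fopen([fullPath UTF8String], "wb");
    void *buffer = malloc(CHUNK_SIZE);
    BOOL ok = (fp != NULL && buffer != NULL);
    int bytes = 0;
    while (ok && (bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE)) > 0) {
        ok = (fwrite(buffer, 1, (size_t)bytes, fp) == (size_t)bytes);
    }
    if (bytes < 0) ok = NO;  // negative means a read error, not end of file

    if (fp) fclose(fp);
    free(buffer);
    if (unzCloseCurrentFile(_zipFile) != UNZ_OK) ok = NO;  // reports CRC mismatch
    if (!ok) {
        unzClose(_zipFile);
        return NO;
    }
}
// … unchanged: progress update and unzGoToNextFile …
```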
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:09:42 +0800
Subject: [PATCH 06/13] Create TSExploitDescriptor.h
---
ExploitManager/TSExploitDescriptor.h | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 ExploitManager/TSExploitDescriptor.h
diff --git a/ExploitManager/TSExploitDescriptor.h b/ExploitManager/TSExploitDescriptor.h
new file mode 100644
index 0000000..c54bfd5
--- /dev/null
+++ b/ExploitManager/TSExploitDescriptor.h
@@ -0,0 +1,7 @@
+@interface TSExploitDescriptor : NSObject
+@property (nonatomic, copy) NSString *identifier;
+@property (nonatomic, copy) NSString *minOS;
+@property (nonatomic, copy) NSString *maxOS;
++ (instancetype)descriptorWithJSON:(NSDictionary *)json;
+- (BOOL)isCompatibleWithCurrentDevice;
+@end
From 53117219a9761107863a85cd64aa4ddbd3ca523a Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:10:06 +0800
Subject: [PATCH 07/13] Create TSExploitDescriptor.m
---
ExploitManager/TSExploitDescriptor.m | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 ExploitManager/TSExploitDescriptor.m
diff --git a/ExploitManager/TSExploitDescriptor.m b/ExploitManager/TSExploitDescriptor.m
new file mode 100644
index 0000000..fde99ef
--- /dev/null
+++ b/ExploitManager/TSExploitDescriptor.m
@@ -0,0 +1,16 @@
+@implementation TSExploitDescriptor
+
++ (instancetype)descriptorWithJSON:(NSDictionary *)json {
+ TSExploitDescriptor *desc = [TSExploitDescriptor new];
+ desc.identifier = json[@"id"];
+ desc.minOS = json[@"min_ios"];
+ desc.maxOS = json[@"max_ios"];
+ return desc;
+}
+
+- (BOOL)isCompatibleWithCurrentDevice {
+ // 实际实现需要检查系统版本和设备型号
+ return YES;
+}
+
+@end
From 554f88488083eb8ac00a5c8336e443d0ddc2ece4 Mon Sep 17 00:00:00 2001
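Review bot: `isCompatibleWithCurrentDevice` in TSExploitDescriptor.m returns `YES` unconditionally, so `minOS`, `maxOS` and the device list in the descriptor files gate nothing; until the real check exists it should fail closed with `return NO;`. `descriptorWithJSON:` also copies `json[@"id"]`, `json[@"min_ios"]` and `json[@"max_ios"]` without checking their type, so a descriptor holding a number or null in one of those fields will crash on the first string message sent to it. Guard each value with `[value isKindOfClass:[NSString class]]` and return nil for a malformed descriptor. The file never imports `TSExploitDescriptor.h`, and that header (patch 06) has no Foundation import or nullability annotations.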
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:10:27 +0800
Subject: [PATCH 08/13] Create TSExploitManager.h
---
ExploitManager/TSExploitManager.h | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 ExploitManager/TSExploitManager.h
diff --git a/ExploitManager/TSExploitManager.h b/ExploitManager/TSExploitManager.h
new file mode 100644
index 0000000..7239208
--- /dev/null
+++ b/ExploitManager/TSExploitManager.h
@@ -0,0 +1,5 @@
+@interface TSExploitManager : NSObject
++ (instancetype)sharedManager;
+- (void)loadDescriptorsFromDirectory:(NSString *)dirPath;
+- (nullable TSExploitDescriptor *)bestDescriptorForCurrentDevice;
+@end
From 57887a5e8b8831360d0e506a65fd2c02dabb33b2 Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:11:31 +0800
Subject: [PATCH 09/13] Create TSTrollStore.m
---
TrollStore/TSTrollStore.m | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 TrollStore/TSTrollStore.m
diff --git a/TrollStore/TSTrollStore.m b/TrollStore/TSTrollStore.m
new file mode 100644
index 0000000..20a9de3
--- /dev/null
+++ b/TrollStore/TSTrollStore.m
@@ -0,0 +1,21 @@
+#import "TSStreamingInstaller.h"
+#import "TSExploitManager.h"
+
+- (void)installIPAAtPath:(NSString *)ipaPath {
+ // 选择最佳漏洞
+ TSExploitDescriptor *descriptor = [[TSExploitManager sharedManager] bestDescriptorForCurrentDevice];
+ if (!descriptor) {
+ [self showErrorAlert:@"No compatible exploit"];
+ return;
+ }
+
+ // 使用流式安装器
+ TSStreamingInstaller *installer = [[TSStreamingInstaller alloc] initWithIPAAtPath:ipaPath];
+ installer.progressHandler = ^(float progress) {
+ dispatch_async(dispatch_get_main_queue(), ^{
+ [self updateProgress:progress];
+ });
+ };
+
+ [installer installToDestination:[self installationPath]];
+}
From 987d8c543107d94c198081ed0f83b41a43b2cd38 Mon Sep 17 00:00:00 2001
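Review bot: TSExploitManager.h uses `TSExploitDescriptor` without `@class TSExploitDescriptor;` or an import, and `nullable` appears outside any `NS_ASSUME_NONNULL_BEGIN` region, so the header does not compile cleanly on its own. The selectors declared here (`loadDescriptorsFromDirectory:`, `bestDescriptorForCurrentDevice`) differ from the ones called in patches 12 and 13 (`loadExploitDescriptorsFromDirectory:`, `bestExploitDescriptorForCurrentDevice`, `applyExploitWithDescriptor:`), and no TSExploitManager.m is added anywhere in this series. Settle on one set of names and add doc comments stating which directory is expected and that its contents must come from the signed app bundle, since the descriptors loaded from it drive later behaviour.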
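Review bot: `installIPAAtPath:` in TSTrollStore.m is defined at file scope with no enclosing `@implementation` … `@end`, and the file imports no header that declares the class, `showErrorAlert:`, `updateProgress:` or `installationPath`, so it cannot compile as added. `descriptor` is only tested for nil and never used afterwards, which makes the compatibility gate the sole effect of the lookup. The doc comment for the method should say that it blocks the calling thread for the whole extraction, because `installToDestination:` is called synchronously here.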
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:20:05 +0800
Subject: [PATCH 10/13] Delete Modules/Modules directory
---
Modules/Modules/TSStreamingInstaller.m | 61 --------------------------
1 file changed, 61 deletions(-)
delete mode 100644 Modules/Modules/TSStreamingInstaller.m
diff --git a/Modules/Modules/TSStreamingInstaller.m b/Modules/Modules/TSStreamingInstaller.m
deleted file mode 100644
index 49cd15e..0000000
--- a/Modules/Modules/TSStreamingInstaller.m
+++ /dev/null
@@ -1,61 +0,0 @@
-#import "TSStreamingInstaller.h"
-#import "minizip/unzip.h"
-
-#define CHUNK_SIZE 16384
-
-@implementation TSStreamingInstaller {
- unzFile _zipFile;
- BOOL _cancelled;
-}
-
-- (BOOL)installToDestination:(NSString *)destPath {
- // 打开ZIP文件
- _zipFile = unzOpen64([self.ipaPath UTF8String]);
- if (!_zipFile) return NO;
-
- // 遍历ZIP条目并流式解压
- unz_global_info64 globalInfo;
- unzGetGlobalInfo64(_zipFile, &globalInfo);
-
- for (int i = 0; i < globalInfo.number_entry; i++) {
- if (_cancelled) break;
-
- // 获取文件信息并解压
- unz_file_info64 fileInfo;
- char filename[256];
- unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0);
-
- NSString *fullPath = [destPath stringByAppendingPathComponent:[NSString stringWithUTF8String:filename]];
-
- if (filename[strlen(filename)-1] == '/') {
- // 创建目录
- [[NSFileManager defaultManager] createDirectoryAtPath:fullPath withIntermediateDirectories:YES attributes:nil error:nil];
- } else {
- // 流式解压文件
- FILE *fp = fopen([fullPath UTF8String], "wb");
- unzOpenCurrentFile(_zipFile);
-
- void *buffer = malloc(CHUNK_SIZE);
- while (true) {
- int bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE);
- if (bytes <= 0) break;
- fwrite(buffer, 1, bytes, fp);
- }
-
- fclose(fp);
- free(buffer);
- unzCloseCurrentFile(_zipFile);
- }
-
- // 更新进度
- float progress = (float)(i+1) / (float)globalInfo.number_entry;
- if (self.progressHandler) self.progressHandler(progress);
-
- unzGoToNextFile(_zipFile);
- }
-
- unzClose(_zipFile);
- return !_cancelled;
-}
-
-@end
From 6d261c09ce4a8ef28f277bacff7dbd89feac81bb Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:49:55 +0800
Subject: [PATCH 11/13] Create kfd-CVE-2023-41991.json:
---
Exploits/kfd-CVE-2023-41991.json: | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 Exploits/kfd-CVE-2023-41991.json:
diff --git a/Exploits/kfd-CVE-2023-41991.json: b/Exploits/kfd-CVE-2023-41991.json:
new file mode 100644
index 0000000..50ab44a
--- /dev/null
+++ b/Exploits/kfd-CVE-2023-41991.json:
@@ -0,0 +1,12 @@
+{
+ "id": "kfd-CVE-2023-41991",
+ "name": "Kernel File Descriptor Exploit",
+ "min_ios": "16.0",
+ "max_ios": "16.6.1",
+ "supported_devices": [
+ "iPhone14,1", "iPhone14,2", "iPhone14,3", "iPhone14,4",
+ "iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8",
+ "iPhone15,1", "iPhone15,2", "iPhone15,3", "iPhone15,4"
+ ],
+ "entry_function": "exploit_kfd"
+}
From b9c6160905450db679f9f684b2065407b330939a Mon Sep 17 00:00:00 2001
From: a1109471307 <50288272+a1109471307@users.noreply.github.com>
Date: Thu, 3 Jul 2025 18:53:42 +0800
Subject: [PATCH 12/13] Update TSTrollStore.m
---
TrollStore/TSTrollStore.m | 45 +++++++++++++++++++++++++++++++++------
1 file changed, 39 insertions(+), 6 deletions(-)
diff --git a/TrollStore/TSTrollStore.m b/TrollStore/TSTrollStore.m
index 20a9de3..d91f6cb 100644
--- a/TrollStore/TSTrollStore.m
+++ b/TrollStore/TSTrollStore.m
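Review bot: The file is created as `kfd-CVE-2023-41991.json:` with a trailing colon in its name, which looks like a typo and will be skipped by any loader that filters on the `.json` extension. `supported_devices` and `entry_function` are not read by `descriptorWithJSON:` in patch 07, so they currently have no effect. A function name taken from a data file should be matched against a fixed allow-list in code before it is used to select behaviour. It is also worth confirming that the `kfd` label in `id` and `name` and the CVE number refer to the same issue, since the two do not obviously match.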
@@ -2,20 +2,53 @@ #import "TSExploitManager.h" - (void)installIPAAtPath:(NSString *)ipaPath { - // 选择最佳漏洞 - TSExploitDescriptor *descriptor = [[TSExploitManager sharedManager] bestDescriptorForCurrentDevice]; + TSExploitDescriptor *descriptor = [[TSExploitManager sharedManager] bestExploitDescriptorForCurrentDevice]; + if (!descriptor) { - [self showErrorAlert:@"No compatible exploit"]; + UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误" + message:@"当前设备或iOS版本没有可用的漏洞" + preferredStyle:UIAlertControllerStyleAlert]; + [alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]]; + [self presentViewController:alert animated:YES completion:nil]; + return; + } + + if (![[TSExploitManager sharedManager] applyExploitWithDescriptor:descriptor]) { + UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误" + message:@"漏洞应用失败" + preferredStyle:UIAlertControllerStyleAlert]; + [alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]]; + [self presentViewController:alert animated:YES completion:nil]; return; } - // 使用流式安装器 TSStreamingInstaller *installer = [[TSStreamingInstaller alloc] initWithIPAAtPath:ipaPath]; + + __weak typeof(self) weakSelf = self; installer.progressHandler = ^(float progress) { dispatch_async(dispatch_get_main_queue(), ^{ - [self updateProgress:progress]; + [weakSelf.progressView setProgress:progress animated:YES]; + weakSelf.statusLabel.text = [NSString stringWithFormat:@"安装中: %.0f%%", progress * 100]; }); }; - [installer installToDestination:[self installationPath]]; + installer.completionHandler = ^(BOOL success, NSError *error) { + dispatch_async(dispatch_get_main_queue(), ^{ + if (success) { + [weakSelf showSuccessAlert:@"安装成功"]; + } else { + [weakSelf showErrorAlert:[NSString stringWithFormat:@"安装失败: %@", error.localizedDescription]]; + } + [weakSelf.progressView setHidden:YES]; + }); + }; + + NSString *destinationPath = 
[self trollStoreInstallPath]; + [self.progressView setHidden:NO]; + [self.progressView setProgress:0 animated:NO]; + self.statusLabel.text = @"准备安装..."; + + dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ + [installer installToDestination:destinationPath]; + }); } From 2d33ae45024a5aae89d0ab4eff6960126a86b037 Mon Sep 17 00:00:00 2001 From: a1109471307 <50288272+a1109471307@users.noreply.github.com> Date: Thu, 3 Jul 2025 19:00:36 +0800 Subject: [PATCH 13/13] Update TSAppDelegate.m --- TrollStore/TSAppDelegate.m | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/TrollStore/TSAppDelegate.m b/TrollStore/TSAppDelegate.m index 8cec989..d17efc1 100644 --- a/TrollStore/TSAppDelegate.m +++ b/TrollStore/TSAppDelegate.m @@ -1,9 +1,23 @@ -#import "TSAppDelegate.h" -#import "TSRootViewController.h" - +#import "TSModuleManager.h" +#import "TSExploitManager.h" @implementation TSAppDelegate -- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { +- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { + // 初始化漏洞管理器 + NSString *exploitsPath = [[NSBundle mainBundle] pathForResource:@"Exploits" ofType:nil]; + [[TSExploitManager sharedManager] loadExploitDescriptorsFromDirectory:exploitsPath]; + + // 注册核心模块(这里需要实际模块实现) + // id exploitModule = [TSExploitModule new]; + // [[TSModuleManager sharedManager] registerModule:exploitModule forType:TSModuleTypeExploit]; + // + // id installModule = [TSInstallationModule new]; + // [[TSModuleManager sharedManager] registerModule:installModule forType:TSModuleTypeInstallation]; + + // 其余初始化代码... + + return YES; +}(NSDictionary *)launchOptions { return YES; }
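Review bot: `installer.completionHandler` is assigned in `installIPAAtPath:`, but TSStreamingInstaller.h (patch 03) declares no such property and `installToDestination:` never calls one, so neither result alert fires and `progressView` is never hidden again. Until the installer has that callback, use the return value inside the background block, `BOOL ok = [installer installToDestination:destinationPath];`, then dispatch to the main queue to report it. `bestExploitDescriptorForCurrentDevice` and `applyExploitWithDescriptor:` are likewise not declared in TSExploitManager.h (patch 08). The two identical `UIAlertController` blocks would read better as calls to the existing `showErrorAlert:` helper. The method still sits outside any `@implementation`.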
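Review bot: As rendered here, the new side of the TSAppDelegate.m hunk is not valid Objective-C: the method signature is repeated after `didFinishLaunchingWithOptions:` and a stray `(NSDictionary *)launchOptions {` follows the closing brace, which looks like a paste into the middle of the old signature line. The change also removes `#import "TSAppDelegate.h"`, leaving `@implementation TSAppDelegate` without its interface. It calls `loadExploitDescriptorsFromDirectory:` where TSExploitManager.h declares `loadDescriptorsFromDirectory:`. `pathForResource:ofType:` returns nil when the bundle has no `Exploits` folder, so wrap the load in `if (exploitsPath) { … }`.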