bughz/TrollStore
1
0
Fork 0
mirror of https://github.com/opa334/TrollStore.git synced 2025-07-07 00:38:46 +08:00
Code Issues Projects Releases Wiki Activity

Merge 2d33ae4502 into d11c04666a

Browse Source
This commit is contained in:
a1109471307 2025-07-03 19:12:06 +08:00 committed by GitHub
commit c9c2743f81
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 216 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ExploitManager/TSExploitDescriptor.h Normal file
View File

@ -0,0 +1,7 @@
@interface TSExploitDescriptor : NSObject
@property (nonatomic, copy) NSString *identifier;
@property (nonatomic, copy) NSString *minOS;
@property (nonatomic, copy) NSString *maxOS;
+ (instancetype)descriptorWithJSON:(NSDictionary *)json;
- (BOOL)isCompatibleWithCurrentDevice;
@end

16
ExploitManager/TSExploitDescriptor.m Normal file
View File

@ -0,0 +1,16 @@
@implementation TSExploitDescriptor
+ (instancetype)descriptorWithJSON:(NSDictionary *)json {
TSExploitDescriptor *desc = [TSExploitDescriptor new];
desc.identifier = json[@"id"];
desc.minOS = json[@"min_ios"];
desc.maxOS = json[@"max_ios"];
return desc;
}
- (BOOL)isCompatibleWithCurrentDevice {
//
return YES;
}
@end

5
ExploitManager/TSExploitManager.h Normal file
View File

@ -0,0 +1,5 @@
@interface TSExploitManager : NSObject
+ (instancetype)sharedManager;
- (void)loadDescriptorsFromDirectory:(NSString *)dirPath;
- (nullable TSExploitDescriptor *)bestDescriptorForCurrentDevice;
@end

12
Exploits/kfd-CVE-2023-41991.json: Normal file
View File

@ -0,0 +1,12 @@
{
"id": "kfd-CVE-2023-41991",
"name": "Kernel File Descriptor Exploit",
"min_ios": "16.0",
"max_ios": "16.6.1",
"supported_devices": [
"iPhone14,1", "iPhone14,2", "iPhone14,3", "iPhone14,4",
"iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8",
"iPhone15,1", "iPhone15,2", "iPhone15,3", "iPhone15,4"
],
"entry_function": "exploit_kfd"
}

25
Modules/TSModuleManager.h Normal file
View File

@ -0,0 +1,25 @@
#import <Foundation/Foundation.h>
NS_ASSUME_NONNULL_BEGIN
typedef NS_ENUM(NSUInteger, TSModuleType) {
TSModuleTypeExploit,
TSModuleTypeInstallation,
TSModuleTypePersistence,
TSModuleTypeSecurity
};
@protocol TSModuleProtocol <NSObject>
- (BOOL)executeWithParameters:(NSDictionary *)params;
- (void)cleanupResources;
@property (nonatomic, readonly) TSModuleType moduleType;
@end
@interface TSModuleManager : NSObject
+ (instancetype)sharedManager;
- (void)registerModule:(id<TSModuleProtocol>)module forType:(TSModuleType)type;
- (nullable id<TSModuleProtocol>)moduleForType:(TSModuleType)type;
- (BOOL)executeModule:(TSModuleType)type parameters:(NSDictionary *)params;
@end
NS_ASSUME_NONNULL_END

11
Modules/TSModuleManager.m Normal file
View File

@ -0,0 +1,11 @@
#import "TSModuleManager.h"
@interface TSModuleManager ()
@property (nonatomic, strong) NSMutableDictionary<NSNumber *, id<TSModuleProtocol>> *modules;
@end
@implementation TSModuleManager
//
@end

7
Modules/TSStreamingInstaller.h Normal file
View File

@ -0,0 +1,7 @@
#import <Foundation/Foundation.h>
@interface TSStreamingInstaller : NSObject
- (instancetype)initWithIPAAtPath:(NSString *)ipaPath;
- (BOOL)installToDestination:(NSString *)destinationPath;
@property (nonatomic, copy) void (^progressHandler)(float progress);
@end

61
Modules/TSStreamingInstaller.m Normal file
View File

@ -0,0 +1,61 @@
#import "TSStreamingInstaller.h"
#import "minizip/unzip.h"
#define CHUNK_SIZE 16384
@implementation TSStreamingInstaller {
unzFile _zipFile;
BOOL _cancelled;
}
- (BOOL)installToDestination:(NSString *)destPath {
// ZIP
_zipFile = unzOpen64([self.ipaPath UTF8String]);
if (!_zipFile) return NO;
// ZIP
unz_global_info64 globalInfo;
unzGetGlobalInfo64(_zipFile, &globalInfo);
for (int i = 0; i < globalInfo.number_entry; i++) {
if (_cancelled) break;
//
unz_file_info64 fileInfo;
char filename[256];
unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0);
NSString *fullPath = [destPath stringByAppendingPathComponent:[NSString stringWithUTF8String:filename]];
if (filename[strlen(filename)-1] == '/') {
//
[[NSFileManager defaultManager] createDirectoryAtPath:fullPath withIntermediateDirectories:YES attributes:nil error:nil];
} else {
//
FILE *fp = fopen([fullPath UTF8String], "wb");
unzOpenCurrentFile(_zipFile);
void *buffer = malloc(CHUNK_SIZE);
while (true) {
int bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE);
if (bytes <= 0) break;
fwrite(buffer, 1, bytes, fp);
}
fclose(fp);
free(buffer);
unzCloseCurrentFile(_zipFile);
}
//
float progress = (float)(i+1) / (float)globalInfo.number_entry;
if (self.progressHandler) self.progressHandler(progress);
unzGoToNextFile(_zipFile);
}
unzClose(_zipFile);
return !_cancelled;
}
@end

22
TrollStore/TSAppDelegate.m
View File

@ -1,9 +1,23 @@
#import "TSAppDelegate.h" #import "TSModuleManager.h"
#import "TSRootViewController.h" #import "TSExploitManager.h"
@implementation TSAppDelegate @implementation TSAppDelegate
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
//
NSString *exploitsPath = [[NSBundle mainBundle] pathForResource:@"Exploits" ofType:nil];
[[TSExploitManager sharedManager] loadExploitDescriptorsFromDirectory:exploitsPath];
//
// id<TSModuleProtocol> exploitModule = [TSExploitModule new];
// [[TSModuleManager sharedManager] registerModule:exploitModule forType:TSModuleTypeExploit];
//
// id<TSModuleProtocol> installModule = [TSInstallationModule new];
// [[TSModuleManager sharedManager] registerModule:installModule forType:TSModuleTypeInstallation];
// ...
return YES;
}(NSDictionary *)launchOptions {
return YES; return YES;
} }

54
TrollStore/TSTrollStore.m Normal file
View File

@ -0,0 +1,54 @@
#import "TSStreamingInstaller.h"
#import "TSExploitManager.h"
- (void)installIPAAtPath:(NSString *)ipaPath {
TSExploitDescriptor *descriptor = [[TSExploitManager sharedManager] bestExploitDescriptorForCurrentDevice];
if (!descriptor) {
UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误"
message:@"当前设备或iOS版本没有可用的漏洞"
preferredStyle:UIAlertControllerStyleAlert];
[alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]];
[self presentViewController:alert animated:YES completion:nil];
return;
}
if (![[TSExploitManager sharedManager] applyExploitWithDescriptor:descriptor]) {
UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误"
message:@"漏洞应用失败"
preferredStyle:UIAlertControllerStyleAlert];
[alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]];
[self presentViewController:alert animated:YES completion:nil];
return;
}
TSStreamingInstaller *installer = [[TSStreamingInstaller alloc] initWithIPAAtPath:ipaPath];
__weak typeof(self) weakSelf = self;
installer.progressHandler = ^(float progress) {
dispatch_async(dispatch_get_main_queue(), ^{
[weakSelf.progressView setProgress:progress animated:YES];
weakSelf.statusLabel.text = [NSString stringWithFormat:@"安装中: %.0f%%", progress * 100];
});
};
installer.completionHandler = ^(BOOL success, NSError *error) {
dispatch_async(dispatch_get_main_queue(), ^{
if (success) {
[weakSelf showSuccessAlert:@"安装成功"];
} else {
[weakSelf showErrorAlert:[NSString stringWithFormat:@"安装失败: %@", error.localizedDescription]];
}
[weakSelf.progressView setHidden:YES];
});
};
NSString *destinationPath = [self trollStoreInstallPath];
[self.progressView setHidden:NO];
[self.progressView setProgress:0 animated:NO];
self.statusLabel.text = @"准备安装...";
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
[installer installToDestination:destinationPath];
});
}