Merge 2d33ae4502 into d11c04666a

2025-07-06 16:28:45 +08:00 · 2025-07-03 19:12:06 +08:00 · 2025-07-03 19:12:06 +08:00 · c9c2743f81
commit c9c2743f81
parent d11c04666a 2d33ae4502
10 changed files with 216 additions and 4 deletions
--- a/ExploitManager/TSExploitDescriptor.h
+++ b/ExploitManager/TSExploitDescriptor.h
@ -0,0 +1,7 @@
+@interface TSExploitDescriptor : NSObject
+@property (nonatomic, copy) NSString *identifier;
+@property (nonatomic, copy) NSString *minOS;
+@property (nonatomic, copy) NSString *maxOS;
+ (instancetype)descriptorWithJSON:(NSDictionary *)json;
+- (BOOL)isCompatibleWithCurrentDevice;
+@end
--- a/ExploitManager/TSExploitDescriptor.m
+++ b/ExploitManager/TSExploitDescriptor.m
@ -0,0 +1,16 @@
+@implementation TSExploitDescriptor
+
+ (instancetype)descriptorWithJSON:(NSDictionary *)json {
+    TSExploitDescriptor *desc = [TSExploitDescriptor new];
+    desc.identifier = json[@"id"];
+    desc.minOS = json[@"min_ios"];
+    desc.maxOS = json[@"max_ios"];
+    return desc;
+}
+
+- (BOOL)isCompatibleWithCurrentDevice {
+    // 实际实现需要检查系统版本和设备型号
+    return YES;
+}
+
+@end
--- a/ExploitManager/TSExploitManager.h
+++ b/ExploitManager/TSExploitManager.h
@ -0,0 +1,5 @@
+@interface TSExploitManager : NSObject
+ (instancetype)sharedManager;
+- (void)loadDescriptorsFromDirectory:(NSString *)dirPath;
+- (nullable TSExploitDescriptor *)bestDescriptorForCurrentDevice;
+@end
--- a/Exploits/kfd-CVE-2023-41991.json:
+++ b/Exploits/kfd-CVE-2023-41991.json:
@ -0,0 +1,12 @@
+{
+  "id": "kfd-CVE-2023-41991",
+  "name": "Kernel File Descriptor Exploit",
+  "min_ios": "16.0",
+  "max_ios": "16.6.1",
+  "supported_devices": [
+    "iPhone14,1", "iPhone14,2", "iPhone14,3", "iPhone14,4", 
+    "iPhone14,5", "iPhone14,6", "iPhone14,7", "iPhone14,8",
+    "iPhone15,1", "iPhone15,2", "iPhone15,3", "iPhone15,4"
+  ],
+  "entry_function": "exploit_kfd"
+}
--- a/Modules/TSModuleManager.h
+++ b/Modules/TSModuleManager.h
@ -0,0 +1,25 @@
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef NS_ENUM(NSUInteger, TSModuleType) {
+    TSModuleTypeExploit,
+    TSModuleTypeInstallation,
+    TSModuleTypePersistence,
+    TSModuleTypeSecurity
+};
+
+@protocol TSModuleProtocol <NSObject>
+- (BOOL)executeWithParameters:(NSDictionary *)params;
+- (void)cleanupResources;
+@property (nonatomic, readonly) TSModuleType moduleType;
+@end
+
+@interface TSModuleManager : NSObject
+ (instancetype)sharedManager;
+- (void)registerModule:(id<TSModuleProtocol>)module forType:(TSModuleType)type;
+- (nullable id<TSModuleProtocol>)moduleForType:(TSModuleType)type;
+- (BOOL)executeModule:(TSModuleType)type parameters:(NSDictionary *)params;
+@end
+
+NS_ASSUME_NONNULL_END
--- a/Modules/TSModuleManager.m
+++ b/Modules/TSModuleManager.m
@ -0,0 +1,11 @@
+#import "TSModuleManager.h"
+
+@interface TSModuleManager ()
+@property (nonatomic, strong) NSMutableDictionary<NSNumber *, id<TSModuleProtocol>> *modules;
+@end
+
+@implementation TSModuleManager
+
+// 实现共享实例、注册、执行等方法（完整实现参考之前的代码）
+
+@end
--- a/Modules/TSStreamingInstaller.h
+++ b/Modules/TSStreamingInstaller.h
@ -0,0 +1,7 @@
+#import <Foundation/Foundation.h>
+
+@interface TSStreamingInstaller : NSObject
+- (instancetype)initWithIPAAtPath:(NSString *)ipaPath;
+- (BOOL)installToDestination:(NSString *)destinationPath;
+@property (nonatomic, copy) void (^progressHandler)(float progress);
+@end
--- a/Modules/TSStreamingInstaller.m
+++ b/Modules/TSStreamingInstaller.m
@ -0,0 +1,61 @@
+#import "TSStreamingInstaller.h"
+#import "minizip/unzip.h"
+
+#define CHUNK_SIZE 16384
+
+@implementation TSStreamingInstaller {
+    unzFile _zipFile;
+    BOOL _cancelled;
+}
+
+- (BOOL)installToDestination:(NSString *)destPath {
+    // 打开ZIP文件
+    _zipFile = unzOpen64([self.ipaPath UTF8String]);
+    if (!_zipFile) return NO;
+    
+    // 遍历ZIP条目并流式解压
+    unz_global_info64 globalInfo;
+    unzGetGlobalInfo64(_zipFile, &globalInfo);
+    
+    for (int i = 0; i < globalInfo.number_entry; i++) {
+        if (_cancelled) break;
+        
+        // 获取文件信息并解压
+        unz_file_info64 fileInfo;
+        char filename[256];
+        unzGetCurrentFileInfo64(_zipFile, &fileInfo, filename, sizeof(filename), NULL, 0, NULL, 0);
+        
+        NSString *fullPath = [destPath stringByAppendingPathComponent:[NSString stringWithUTF8String:filename]];
+        
+        if (filename[strlen(filename)-1] == '/') {
+            // 创建目录
+            [[NSFileManager defaultManager] createDirectoryAtPath:fullPath withIntermediateDirectories:YES attributes:nil error:nil];
+        } else {
+            // 流式解压文件
+            FILE *fp = fopen([fullPath UTF8String], "wb");
+            unzOpenCurrentFile(_zipFile);
+            
+            void *buffer = malloc(CHUNK_SIZE);
+            while (true) {
+                int bytes = unzReadCurrentFile(_zipFile, buffer, CHUNK_SIZE);
+                if (bytes <= 0) break;
+                fwrite(buffer, 1, bytes, fp);
+            }
+            
+            fclose(fp);
+            free(buffer);
+            unzCloseCurrentFile(_zipFile);
+        }
+        
+        // 更新进度
+        float progress = (float)(i+1) / (float)globalInfo.number_entry;
+        if (self.progressHandler) self.progressHandler(progress);
+        
+        unzGoToNextFile(_zipFile);
+    }
+    
+    unzClose(_zipFile);
+    return !_cancelled;
+}
+
+@end
--- a/TrollStore/TSAppDelegate.m
+++ b/TrollStore/TSAppDelegate.m
@ -1,9 +1,23 @@
-#import "TSAppDelegate.h"
-#import "TSRootViewController.h"
-
+#import "TSModuleManager.h"
+#import "TSExploitManager.h"
@implementation TSAppDelegate

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
+- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
+    // 初始化漏洞管理器
+    NSString *exploitsPath = [[NSBundle mainBundle] pathForResource:@"Exploits" ofType:nil];
+    [[TSExploitManager sharedManager] loadExploitDescriptorsFromDirectory:exploitsPath];
+    
+    // 注册核心模块（这里需要实际模块实现）
+    // id<TSModuleProtocol> exploitModule = [TSExploitModule new];
+    // [[TSModuleManager sharedManager] registerModule:exploitModule forType:TSModuleTypeExploit];
+    //
+    // id<TSModuleProtocol> installModule = [TSInstallationModule new];
+    // [[TSModuleManager sharedManager] registerModule:installModule forType:TSModuleTypeInstallation];
+    
+    // 其余初始化代码...
+    
+    return YES;
+}(NSDictionary *)launchOptions {
 	return YES;
 }

--- a/TrollStore/TSTrollStore.m
+++ b/TrollStore/TSTrollStore.m
@ -0,0 +1,54 @@
+#import "TSStreamingInstaller.h"
+#import "TSExploitManager.h"
+
+- (void)installIPAAtPath:(NSString *)ipaPath {
+    TSExploitDescriptor *descriptor = [[TSExploitManager sharedManager] bestExploitDescriptorForCurrentDevice];
+    
+    if (!descriptor) {
+        UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误"
+                                                                       message:@"当前设备或iOS版本没有可用的漏洞"
+                                                                preferredStyle:UIAlertControllerStyleAlert];
+        [alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]];
+        [self presentViewController:alert animated:YES completion:nil];
+        return;
+    }
+    
+    if (![[TSExploitManager sharedManager] applyExploitWithDescriptor:descriptor]) {
+        UIAlertController *alert = [UIAlertController alertControllerWithTitle:@"错误"
+                                                                       message:@"漏洞应用失败"
+                                                                preferredStyle:UIAlertControllerStyleAlert];
+        [alert addAction:[UIAlertAction actionWithTitle:@"确定" style:UIAlertActionStyleDefault handler:nil]];
+        [self presentViewController:alert animated:YES completion:nil];
+        return;
+    }
+    
+    TSStreamingInstaller *installer = [[TSStreamingInstaller alloc] initWithIPAAtPath:ipaPath];
+    
+    __weak typeof(self) weakSelf = self;
+    installer.progressHandler = ^(float progress) {
+        dispatch_async(dispatch_get_main_queue(), ^{
+            [weakSelf.progressView setProgress:progress animated:YES];
+            weakSelf.statusLabel.text = [NSString stringWithFormat:@"安装中: %.0f%%", progress * 100];
+        });
+    };
+    
+    installer.completionHandler = ^(BOOL success, NSError *error) {
+        dispatch_async(dispatch_get_main_queue(), ^{
+            if (success) {
+                [weakSelf showSuccessAlert:@"安装成功"];
+            } else {
+                [weakSelf showErrorAlert:[NSString stringWithFormat:@"安装失败: %@", error.localizedDescription]];
+            }
+            [weakSelf.progressView setHidden:YES];
+        });
+    };
+    
+    NSString *destinationPath = [self trollStoreInstallPath];
+    [self.progressView setHidden:NO];
+    [self.progressView setProgress:0 animated:NO];
+    self.statusLabel.text = @"准备安装...";
+    
+    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+        [installer installToDestination:destinationPath];
+    });
+}