// patch out injectStringGated
#include "lsym.h"
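/**
 * Map a file read/write with MAP_SHARED, so stores through the mapping are
 * carried through to the file itself.
 *
 * @param path  File to map. The pointer is stored in the returned descriptor,
 *              not copied, so it must outlive the descriptor.
 * @return Heap-allocated descriptor with map, path and sz filled in (all other
 *         fields zeroed), or NULL if open, fstat, mmap or the allocation
 *         fails. The caller owns both the descriptor and the mapping.
 */
lsym_map_t *lsym_map_file_writable(const char *path) {
    int fd = open(path, O_RDWR);
    if (fd < 0) {
        return NULL;
    }

    struct stat sb;
    if (fstat(fd, &sb) != 0) {
        close(fd);
        return NULL;
    }

    /* The length is truncated to 32 bits, matching what is stored in sz.
     * NOTE(review): presumably lsym_map_t.sz is a 32-bit field; confirm in
     * lsym.h. A file larger than 4 GiB would be mapped only partially. */
    size_t len = (size_t)(sb.st_size & 0xFFFFFFFF);

    void *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    /* The mapping remains valid after the descriptor is closed, so the fd
     * does not need to be kept (and is no longer leaked). */
    close(fd);
    if (map == MAP_FAILED) {
        /* Without this check MAP_FAILED would be handed to callers as if it
         * were a usable base address. */
        return NULL;
    }

    /* calloc so that fields this function does not set are not left
     * indeterminate. */
    lsym_map_t *ret = calloc(1, sizeof *ret);
    if (ret == NULL) {
        munmap(map, len);
        return NULL;
    }
    ret->map = map;
    ret->path = path;
    ret->sz = sb.st_size & 0xFFFFFFFF;
    return ret;
}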
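/**
 * Disable IOHIDSecurePromptClient::injectStringGated in the on-disk
 * IOHIDFamily kext binary by overwriting the first byte of the function with
 * 0xC3 (x86 near RET), so the function returns as soon as it is entered.
 *
 * Caveats for whoever deploys this:
 *  - Only the file on disk is modified. NOTE(review): an already loaded copy
 *    of the kext is presumably unaffected until it is reloaded or the system
 *    is rebooted; verify on the target system.
 *  - Changing the binary invalidates any code signature that covers it.
 *  - No backup of the original file is taken; keep one before running.
 *  - The patched function returns without setting a return value, so callers
 *    see whatever was left in the return register.
 *
 * @return 0 if the byte was patched, was already 0xC3, or the symbol was not
 *         found; 1 if not run as root or if mapping, bounds checking or
 *         flushing fails.
 */
int main(void) {
    if (getuid()) {
        printf("run as root\n");
        return 1;
    }

    lsym_map_t *mapping = lsym_map_file_writable("/System/Library/Extensions/IOHIDFamily.kext/Contents/MacOS/IOHIDFamily");
    /* Covers both a NULL descriptor and a descriptor carrying a failed mmap. */
    if (mapping == NULL || mapping->map == MAP_FAILED) {
        printf("could not map IOHIDFamily for writing\n");
        return 1;
    }

    uint8_t *base = (uint8_t *)mapping->map;
    uint64_t offset = (uint64_t)lsym_find_symbol(mapping, "__ZN23IOHIDSecurePromptClient17injectStringGatedEPvS0_S0_S0_");

    /* Offset 0 is treated as "symbol not found". This is inferred from the
     * original combined check (vuln == mapping->map); confirm against
     * lsym_find_symbol. It is reported separately so that a failed lookup is
     * not mistaken for a system that has already been mitigated. */
    if (offset == 0) {
        printf("symbol not found, nothing patched\n");
        return 0;
    }

    /* Never read or write outside the mapped file. */
    if (offset >= (uint64_t)mapping->sz) {
        printf("symbol offset 0x%llx is outside the mapped file\n", (unsigned long long)offset);
        return 1;
    }

    uint8_t *vuln = base + offset;
    if (*vuln == 0xC3) {
        printf("already patched!\n");
        return 0;
    }

    /* The offset is printed as an integer; "0x%p" gave a doubled prefix on
     * platforms whose %p already emits "0x". */
    printf("original: \\x%x at offset 0x%llx\n", *vuln, (unsigned long long)offset);
    *vuln = 0xC3;

    /* Flush the shared mapping now so that a write-back failure is reported
     * rather than silently lost at process exit. */
    if (msync(mapping->map, (size_t)mapping->sz, MS_SYNC) != 0) {
        perror("msync");
        return 1;
    }
    return 0;
}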