update

comex · Feb 18, 2015 · f9dc323 · f9dc323
1 parent 079750b
commit f9dc323
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 10 deletions.
diff --git a/block.py b/block.py
@@ -1,4 +1,5 @@
 from construct import *
+StrictRepeater = Array
 from stuff import OConst, call
 # note: structdefpatch.py is optional, but it allows everything but the actual pointer data to be omitted in the input
 # to make this nicer, block and offset/size names ought to start with _, so they are also omitted in the output

diff --git a/cs.py b/cs.py
@@ -1,24 +1,32 @@
-import sys, os, re
+import sys, os, re, hashlib
 from optparse import OptionParser
-import macho, macho_cs
 import construct
+import macho, macho_cs
 from construct_try import construct_try
 
 if __name__ == '__main__':
     parser = OptionParser()
     parser.add_option('-H', '--hashes', dest='hashes', action='store_true', default=False, help='print the actual hashes')
+    parser.add_option('', '--verify-hashes', dest='verify_hashes', action='store_true', default=False, help='and verify them')
     parser.add_option('-c', '--certs', dest='certs', default=None, help='save the certificates blob (DER-encoded PKCS#7) to a file')
     options, args = parser.parse_args()
     filename = args[0]
 
+    should_print = not options.hashes and not options.verify_hashes
+
     if not options.hashes:
-        macho_cs.Hashes_ = construct.Struct('Hashes')
+        macho_cs.Hashes_ = construct.OnDemand(macho_cs.Hashes_)
 
     f = open(filename, 'rb')
-    data = construct_try(lambda: macho.MachOOrFat.parse_stream(f))
-    for cmd in data.data.commands:
+    data = construct_try(lambda: macho.MachOOrFat.parse_stream(f)).data
+    try:
+        data = data.FatArch[0].MachO
+    except:
+        pass
+    for cmd in data.commands:
         if cmd.cmd == 'LC_CODE_SIGNATURE':
-            print cmd
+            if should_print:
+                print cmd
             if options.certs:
                 try:
                     for blob in cmd.data.blob.data.BlobIndex:
@@ -27,4 +35,20 @@
                             break
                 except:
                     pass
+            if options.verify_hashes:
+                cd = cmd.data.blob.data.BlobIndex[0].blob.data
+                end_offset = (cd.codeLimit + 0xfff) & ~0xfff
+                start_offset = end_offset - cd.nCodeSlots * 0x1000
+                hashes = cd.hashes
+                if hasattr(hashes, 'value'): hashes = hashes.value
+                for i in xrange(cd.nCodeSlots):
+                    expected = hashes[cd.nSpecialSlots + i]
+                    f.seek(start_offset + 0x1000 * i)
+                    actual_data = f.read(min(0x1000, cd.codeLimit - f.tell()))
+                    actual = hashlib.sha1(actual_data).digest()
+                    print '[%s] exp=%s act=%s' % (
+                        ('bad', 'ok ')[expected == actual],
+                        expected.encode('hex'),
+                        actual.encode('hex')
+                    )
 
diff --git a/macho.py b/macho.py
@@ -42,8 +42,19 @@
         LC_DYLD_INFO = 0x22,
         LC_DYLD_INFO_ONLY = 0x80000022,
         LC_LOAD_UPWARD_DYLIB = 0x80000023,
+        LC_VERSION_MIN_MACOSX = 0x24,
+        LC_VERSION_MIN_IPHONEOS = 0x25,
+        LC_FUNCTION_STARTS = 0x26,
+        LC_DYLD_ENVIRONMENT = 0x27,
+        LC_MAIN = 0x80000028,
+        LC_DATA_IN_CODE = 0x29,
+        LC_SOURCE_VERSION = 0x2a,
+        LC_DYLIB_CODE_SIGN_DRS = 0x2b,
+        LC_ENCRYPTION_INFO_64 = 0x2c,
+        LC_LINKER_OPTION = 0x2d,
+        LC_LINKER_OPTIMIZATION_HINT = 0x2e,
     ),
-                
+
     UInt32("cmdsize"),
     Peek(Switch("data", lambda ctx: ctx['cmd'], {
         'LC_SEGMENT': Struct('segment',
@@ -79,7 +90,6 @@
     OnDemand(Bytes('bytes', lambda ctx: ctx['cmdsize'] - 8)),
     #Probe(),
 )
-
 
 MachO = Struct("MachO",
     Anchor("macho_start"),
@@ -153,6 +163,7 @@
     Peek(UInt32("magic")),
     Switch("data", lambda ctx: ctx['magic'], {
         0xfeedface: MachO,
+        0xfeedfacf: MachO,
         0xcafebabe: Fat,
         0xbebafeca: Fat,
     })

diff --git a/macho_cs.py b/macho_cs.py
@@ -138,13 +138,14 @@ def _decode(self, obj, context):
         _default_ = Pass,
     ),
     UBInt32("length"),
-    Switch("data", lambda ctx: ctx['magic'], {
+    Peek(Switch("data", lambda ctx: ctx['magic'], {
         'CSMAGIC_REQUIREMENT': Requirement,
         'CSMAGIC_REQUIREMENTS': Entitlements,
         'CSMAGIC_CODEDIRECTORY': CodeDirectory,
         'CSMAGIC_ENTITLEMENT': Entitlement,
         'CSMAGIC_BLOBWRAPPER': BlobWrapper,
         'CSMAGIC_EMBEDDED_SIGNATURE': SuperBlob,
-    }, default = Pass),
+    })),
+    OnDemand(Bytes('bytes', lambda ctx: ctx['length'] - 8)),
 )