
fixes

1 parent 9149062 commit e6d05a9368aeb01185fea27339d9d9707bed6f3f @comex committed Jul 12, 2011
Showing with 59 additions and 8 deletions.
  1. +2 −0 Makefile
  2. +49 −0 codesign_allocate.c
  3. +6 −5 grapher.cpp
  4. +2 −3 make_kernel_patchfile.c
@@ -33,6 +33,8 @@ $(OUTDIR)/grapher: $(OUTDIR)/grapher.o $(DATA)/$(OUTDIR)/libdata.a
$(GXX) -o $@ $^ -O3
$(OUTDIR)/decrypt_kern: $(OUTDIR)/decrypt_kern.o $(DATA)/$(OUTDIR)/libdata.a
$(GCC) -o $@ $^ -O3
+$(OUTDIR)/codesign_allocate: $(OUTDIR)/codesign_allocate.o
+ $(GCC) -o $@ $^ -O3
clean: .clean
rm -f sandboxc-{armv6,armv7}.c sandbox-{armv6,armv7}.o
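Review bot: The new codesign_allocate target links only codesign_allocate.o, while the sibling grapher and decrypt_kern rules in this hunk also link $(DATA)/$(OUTDIR)/libdata.a. codesign_allocate.c includes data/mach-o/binary.h and calls die(), so if die() or CMD_ITERATE's helpers are defined in libdata rather than in a header, this rule fails at link time; in that case the rule should read `$(OUTDIR)/codesign_allocate: $(OUTDIR)/codesign_allocate.o $(DATA)/$(OUTDIR)/libdata.a`.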
@@ -0,0 +1,49 @@
+#include <assert.h>
+#include <data/mach-o/binary.h>
+#include <mach-o/loader.h>
+#include <copyfile.h>
+
+int main(int argc, char **argv) {
+ const char *infile = NULL, *outfile = NULL;
+ size_t size = 0;
+ for(char **p = argv; *p; p++) {
+ if(!strcmp(*p, "-i")) {
+ infile = *p++;
+ } else if(!strcmp(*p, "-a")) {
+ p++;
+ size = strtol(*p++, NULL, 0);
+ } else if(!strcmp(*p, "-o")) {
+ outfile = *p++;
+ } else {
+ die("??");
+ }
+
+ assert(!copyfile(infile, outfile, NULL, COPYFILE_ALL));
+
+ int fd = open(outfile, O_RDWR);
+ assert(fd != -1);
+ off_t fend = lseek(fd, 0, SEEK_END);
+ ftruncate(fd, fend + size);
+ void *file = mmap(NULL, (size_t) fend, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+ assert(file != MAP_FAILED);
+
+ struct mach_header *mh = file;
+ mh->ncmds++;
+ mh->sizeofcmds += sizeof(struct linkedit_data_command);
+ CMD_ITERATE(mh, cmd) {
+ if(cmd->cmd == LC_SEGMENT) {
+ struct segment_command *sc = (void *) cmd;
+ if(!strncmp(sc->segname, "__LINKEDIT", 16)) {
+ sc->filesize += size;
+ sc->vmsize += size;
+ }
+ } else if(cmd->cmd == 0) {
+ struct linkedit_data_command *dc = (void *) cmd;
+ dc->cmd = LC_CODE_SIGNATURE;
+ dc->cmdsize = sizeof(*dc);
+ dc->dataoff = (uint32_t) fend;
+ dc->datasize = (uint32_t) size;
+ }
+ }
+
+}
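Review bot: The option loop in main stores the flag itself rather than its argument: `infile = *p++;` leaves infile pointing at "-i" (likewise outfile at "-o"), the "-a" branch advances p twice and the loop's own p++ then skips the following argument, the loop starts at argv[0] so the program name always reaches `die("??")`, and `*p` is dereferenced with no check that an argument follows the flag. By my brace count the file is also one `}` short — the final `}` closes the option loop, so main is never terminated and this cannot compile as rendered. Beyond parsing, the `ftruncate` and `strtol` results are unchecked, and the LC_CODE_SIGNATURE command is written into whichever slot CMD_ITERATE reports with cmd == 0 after ncmds was bumped, which presumes zeroed padding of at least sizeof(struct linkedit_data_command) after the last load command; nothing verifies that, nor that the input is not already signed, so on a binary without that padding the header advertises a command that was never written or the write lands in the first section's bytes (inferred — CMD_ITERATE's definition is not in the hunk). The mapping is also never msync'd/munmap'd and fd is never closed, and `strcmp`/`open`/`mmap`/`strtol` have no visible includes unless data/mach-o/binary.h supplies them. A rewritten option loop follows.
```c
int main(int argc, char **argv) {
    const char *infile = NULL, *outfile = NULL;
    size_t size = 0;
    // Skip argv[0]; every flag must be followed by its argument.
    for (char **p = argv + 1; *p; p++) {
        if (!strcmp(*p, "-i") && p[1]) {
            infile = *++p;
        } else if (!strcmp(*p, "-a") && p[1]) {
            char *end = NULL;
            errno = 0;
            long v = strtol(*++p, &end, 0);
            if (end == *p || *end != '\0' || errno == ERANGE || v < 0) die("bad -a value");
            size = (size_t) v;
        } else if (!strcmp(*p, "-o") && p[1]) {
            outfile = *++p;
        } else {
            die("??");
        }
    }
    if (!infile || !outfile) die("-i and -o are required");
    // … unchanged: copyfile, open, lseek, ftruncate, mmap, load-command edit …
```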
@@ -356,7 +356,7 @@ struct Binary {
assert(constructor);
unordered_map<addr_t, const char *> metaClasses;
for(auto edge : constructor->backward) {
- auto nameAddr = edge->source->refs.begin()->second;
+ auto nameAddr = edge->source->refs.begin()->first.second;
if(!nameAddr) continue;
// xxx
auto className = (const char *) rangeconv((range_t) {&binary, nameAddr, 128}, 0).start;
@@ -366,25 +366,26 @@ struct Binary {
addr_t metaClass;
auto it = mcInstantiator->refs.begin();
for(it++; it != mcInstantiator->refs.end(); it++) {
- if(it->second == edge->source->startAddr) {
+ if(it->first.second == edge->source->startAddr) {
auto it2 = it;
it2--;
- metaClass = it2->second;
+ metaClass = it2->first.second;
goto ok;
}
}
continue;
ok:
+ if(explain) printf("ok %s\n", className);
metaClasses[metaClass] = className;
}
auto constructed = funcsByName["__ZNK11OSMetaClass19instanceConstructedEv"];
for(auto edge : constructed->backward) {
if(edge->source->refs.size() == 4) {
auto it = edge->source->refs.begin();
- auto metaClass = it->second;
+ auto metaClass = it->first.second;
it++; it++;
- auto vtable = it->second - 8;
+ auto vtable = it->first.second - 8;
auto className = metaClasses[metaClass];
if(!className) continue;
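Review bot: The new `refs.begin()->first.second` on line 79 dereferences the first element of `edge->source->refs` without checking that the map is non-empty, which is undefined behaviour for an empty refs; the same applies to `mcInstantiator->refs.begin()` followed by `it++` in the second hunk, whereas the third hunk guards with `refs.size() == 4`. A guard such as `if(edge->source->refs.empty()) continue;` before the line 79 read, and a matching one before the mcInstantiator iteration, closes that. The added `printf("ok %s\n", className)` prints a pointer taken from a 128-byte rangeconv window with an unbounded `%s`; if the name is not NUL-terminated inside that window printf reads past it, so `printf("ok %.128s\n", className)` would keep the read within what was presumably checked. The enclosing function starts and ends outside these hunks.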
@@ -87,8 +87,7 @@ void do_kernel(struct binary *binary, struct binary *sandbox) {
patch("cs_enforcement_disable", resolve_ldr(binary, csedp), uint32_t, {1});
addr_t scratch = resolve_ldr(binary, is_armv7 ? (mystery + 9) : 42);
-
-
+ scratch = (scratch + 3) & ~3;
// patches
//patch("-lunchd",
@@ -120,7 +119,7 @@ void do_kernel(struct binary *binary, struct binary *sandbox) {
//if(!strcmp(name, "c_dvp_struct_offset")) return spec2(0xde, 0xad, 0xbe);
die("? %s", name);
})
- b_relocate(sandbox, (void *) l.arg, (void *) l.func, 0);
+ b_relocate(sandbox, (void *) l.arg, RELOC_DEFAULT, (void *) l.func, 0);
prange_t sandbox_pr = rangeconv_off(sandbox->segments[0].file_range, MUST_FIND);
store_file(sandbox_pr, "/tmp/wtf.o", 0644);
patch_with_range("sb_evaluate hook",
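Review bot: The added `scratch = (scratch + 3) & ~3;` rounds scratch up to a 4-byte boundary but gives no hint why the value from resolve_ldr needs it, and the `42` / `mystery + 9` selector on the line above is equally opaque. A one-line comment at the new line, e.g. `// round scratch up to a word boundary before writing patches there` (if that is indeed the reason — it is not visible here), would spare the next reader the reverse-engineering. Spelling the mask from the address type, `& ~(addr_t) 3`, also makes it explicit that the all-ones mask is intended whatever width addr_t has. do_kernel continues outside both hunks.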
