├── .theos
├── fakeroot
├── build_session
├── obj
│ └── debug
│ │ ├── .stamp
│ │ ├── MemoryCheat
│ │ ├── arm64
│ │ ├── MemoryCheat
│ │ ├── main.mm.26b7b6ff.o
│ │ └── main.mm.26b7b6ff.md
│ │ ├── armv7
│ │ ├── MemoryCheat
│ │ ├── main.mm.88f6984a.o
│ │ └── main.mm.88f6984a.md
│ │ └── armv7s
│ │ ├── MemoryCheat
│ │ ├── main.mm.08745acd.o
│ │ └── main.mm.08745acd.md
├── packages
│ └── com.greycheatinglab.lazenca-0.0.1
├── last_package
└── _
│ ├── usr
│ └── bin
│ │ └── MemoryCheat
│ └── DEBIAN
│ └── control
├── theos
├── MemoryCheat
├── debs
├── com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm
│ ├── debian-binary
│ ├── data.tar.lzma
│ ├── control.tar.gz
│ └── data
│ │ └── usr
│ │ └── bin
│ │ └── MemoryCheat
└── com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm.deb
├── control
├── _
└── usr
│ └── bin
│ └── Entitlements.plist
├── ent.xml
├── ent.plist
├── Makefile
├── MemoryCheat.h
├── README.md
├── Write.h
├── Process.h
├── Map.h
├── Map_64.h
├── Thread.h
├── __handlers__
└── libSystem.B.dylib
│ └── printf.js
├── RunningProces.h
├── Comparator_64.h
├── main.mm
├── MemRead.h
├── Util.h
├── Http.h
├── MemRead_64.h
└── Comparator.h
/.theos/fakeroot:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/theos:
--------------------------------------------------------------------------------
1 | /opt/theos
--------------------------------------------------------------------------------
/.theos/build_session:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/.theos/obj/debug/.stamp:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/.theos/packages/com.greycheatinglab.lazenca-0.0.1:
--------------------------------------------------------------------------------
1 | 6
--------------------------------------------------------------------------------
/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/MemoryCheat
--------------------------------------------------------------------------------
/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/debian-binary:
--------------------------------------------------------------------------------
1 | 2.0
2 |
--------------------------------------------------------------------------------
/.theos/last_package:
--------------------------------------------------------------------------------
1 | ./debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm.deb
2 |
--------------------------------------------------------------------------------
/.theos/_/usr/bin/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/_/usr/bin/MemoryCheat
--------------------------------------------------------------------------------
/.theos/obj/debug/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/MemoryCheat
--------------------------------------------------------------------------------
/.theos/obj/debug/arm64/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/arm64/MemoryCheat
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/armv7/MemoryCheat
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7s/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/armv7s/MemoryCheat
--------------------------------------------------------------------------------
/.theos/obj/debug/arm64/main.mm.26b7b6ff.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/arm64/main.mm.26b7b6ff.o
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7/main.mm.88f6984a.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/armv7/main.mm.88f6984a.o
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7s/main.mm.08745acd.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/.theos/obj/debug/armv7s/main.mm.08745acd.o
--------------------------------------------------------------------------------
/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm.deb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm.deb
--------------------------------------------------------------------------------
/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/data.tar.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/data.tar.lzma
--------------------------------------------------------------------------------
/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/control.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/control.tar.gz
--------------------------------------------------------------------------------
/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/data/usr/bin/MemoryCheat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Lazenca/Lazenca-A-iOS/HEAD/debs/com.greycheatinglab.lazenca_0.0.1-6+debug_iphoneos-arm/data/usr/bin/MemoryCheat
--------------------------------------------------------------------------------
/control:
--------------------------------------------------------------------------------
1 | Package: com.greycheatinglab.lazenca
2 | Name: lazenca
3 | Depends:
4 | Version: 0.0.1
5 | Architecture: iphoneos-arm
6 | Description: An awesome tool of some sort!!
7 | Maintainer: GreyCheatingLab
8 | Author: GreyCheatingLab
9 | Section: System
10 | Tag: role::hacker
11 |
--------------------------------------------------------------------------------
/.theos/_/DEBIAN/control:
--------------------------------------------------------------------------------
1 | Package: com.greycheatinglab.lazenca
2 | Name: lazenca
3 | Depends:
4 | Architecture: iphoneos-arm
5 | Description: An awesome tool of some sort!!
6 | Maintainer: GreyCheatingLab
7 | Author: GreyCheatingLab
8 | Section: System
9 | Tag: role::hacker
10 | Version: 0.0.1-6+debug
11 | Installed-Size: 328
12 |
--------------------------------------------------------------------------------
/_/usr/bin/Entitlements.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.apple.springboard.debugapplications
5 |
6 | get-task-allow
7 |
8 | proc_info-allow
9 |
10 | task_for_pid-allow
11 |
12 |
13 |
--------------------------------------------------------------------------------
/ent.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | com.apple.springboard.debugapplications
6 |
7 | run-unsigned-code
8 |
9 | get-task-allow
10 |
11 | task_for_pid-allow
12 |
13 |
14 |
--------------------------------------------------------------------------------
/ent.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | com.apple.springboard.debugapplications
5 |
6 | get-task-allow
7 |
8 | task_for_pid-allow
9 |
10 | run-unsigned-code
11 |
12 | proc_info-allow
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | export ARCHS = armv7 armv7s arm64
2 | export TARGET = iphone:clang
3 | SDKVERSION_armv6 = 5.1
4 | TARGET_IPHONEOS_DEPLOYMENT_VERSION = 3.0
5 | TARGET_IPHONEOS_DEPLOYMENT_VERSION_arm64 = 7.0
6 |
7 | TOOL_NAME = MemoryCheat
8 | MemoryCheat_FILES = main.mm
9 | MemoryCheat_LDFLAGS += -Wl,-segalign,4000
10 | MemoryCheat_CODESIGN_FLAGS = -Sent.xml
11 | MemoryCheat_PRIVATE_FRAMEWORKS = Foundation,libsystem_kernel
12 |
13 | include theos/makefiles/common.mk
14 | include $(THEOS_MAKE_PATH)/tool.mk
15 |
--------------------------------------------------------------------------------
/MemoryCheat.h:
--------------------------------------------------------------------------------
1 | #ifdef __LP64__
2 | #include
3 | #import "Comparator_64.h"
4 | #import "MemRead_64.h"
5 | #import "Map_64.h"
6 | #else
7 | #include
8 | #import "Comparator.h"
9 | #import "MemRead.h"
10 | #import "Map.h"
11 | #endif
12 |
13 | #import "Util.h"
14 | #import "process.h"
15 |
16 |
17 | //검색 프로세스
18 | void SearchProcess(long number){
19 | if ((findDataList.size() == 0) && (isCMDRUNNING == 0)) {
20 | findWriteableRegions();
21 | readMemory(number);
22 | isCMDRUNNING++;
23 | }else{
24 | reReadMemory(number);
25 | }
26 | NumberComparator(number);
27 | printf("OriginalDatalist Size : %lu\n",findDataList.size());
28 | printf("Search End\n");
29 | }
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Lazenca A (iOS ver.)
2 | iOS Memory Cheat Tool(Engine)
3 | < Test ios version : 9.0.2 >
4 |
5 | ## 1.Set
6 | * chmod 6755 "Memorycheat File name"
7 | * chown root:wheel "Memorycheat File name"
8 |
9 | ## 2.Manual
10 | ### 2.1.Commands List
11 | ### 2.1.1. Basic Commands
12 | * Process : Output Process List
13 | * Attach : ex) attach < pid >
14 | * Search : ex) search < number >
15 | * Write : ex) write < Address(Hex to Decimal) > < number >
16 | * Showlist : Output Searched Value List
17 | * Threadlist : Output Thread List
18 | * Control : Control Individual Thread
19 | * Option : Enable(resume), Disable(suspend)
20 | * ex) CONTROL < option > < thread id >
21 | * Clear : data clear(search data)
22 | * Exit
23 |
24 | ## 3.Lazenca A (AOS ver.)
25 | Site : [Lazenca A(aos ver.)](https://github.com/Lazenca/Lazenca-A-Andoird)
26 |
27 | ## 4.Lazenca S (Anti Cheat Code)
28 | Site : [Lazenca S(aos ver.)](https://github.com/Lazenca/Lazenca-S)
29 |
30 |
--------------------------------------------------------------------------------
/Write.h:
--------------------------------------------------------------------------------
1 | #import "Util.h"
2 |
3 |
4 | void MemoryWrite(vm_address_t address,long value){
5 | vm_size_t outsize;
6 | vm_address_t startAddress = 0;
7 |
8 | #ifdef __LP64__
9 | unsigned int data;
10 | vm_read_overwrite(target_task, startAddress & 0xFFFFFFFFFFFFFFF8, 8, (vm_address_t)&data, &outsize);
11 |
12 | if (outsize) {
13 |
14 | }else{
15 | printf("vm_read_overwrite(%11lx) failed 1.",startAddress & 0xFFFFFFFFFFFFFFF8);
16 | }
17 | #else
18 | int data;
19 | vm_read_overwrite(target_task, startAddress & 0xFFFFFFFC, 8, (vm_address_t)&data, &outsize);
20 |
21 | if (outsize) {
22 |
23 | }else{
24 | printf("vm_read_overwrite(%11x) failed 1.",startAddress & 0xFFFFFFFC);
25 | }
26 | #endif
27 |
28 |
29 | #ifdef __LP64__
30 | unsigned int write_data;
31 | write_data = value;
32 | #else
33 | int write_data;
34 | write_data = value;
35 | #endif
36 |
37 | kern_return_t kr;
38 | kr = vm_write(target_task, address, (vm_address_t)&write_data, 4);
39 | if(kr){
40 | printf("Fail %x\n", kr);
41 | }else{
42 | printf("Sucess!\n");
43 | }
44 | }
--------------------------------------------------------------------------------
/Process.h:
--------------------------------------------------------------------------------
1 | #import "Util.h"
2 |
3 | int setPid(){
4 | target_task = 0;
5 | kern_return_t kret;
6 | char *err;
7 |
8 | kret = task_for_pid(mach_task_self(), pid, &target_task);
9 | printf("pid : %d, target_task : %d\n",pid,target_task);
10 |
11 | if(kret != KERN_SUCCESS){
12 | err = mach_error_string(kret);
13 | printf("task_for_pid(%d) failed. (%x: %s) \n", target_task, kret, err);
14 | }else{
15 | return 1;
16 | }
17 | return 0;
18 | }
19 |
20 | int attach(){
21 | kern_return_t kret;
22 | tmp_target_task = 0;
23 | kret = task_for_pid(mach_task_self(),pid,&tmp_target_task);
24 | if (kret) {
25 | printf("task_for_pid() failed with message %s!\n",mach_error_string(kret));
26 | }else{
27 | printf("attach - target_task : %d, tmp_target_task : %d\n",target_task, tmp_target_task);
28 | kret = task_suspend(target_task);
29 | if (kret != KERN_SUCCESS) {
30 | printf("task_suspend() failed with message %s!\n",mach_error_string(kret));
31 | }else{
32 | printf("task_suspend - Success\n");
33 | return 1;
34 | }
35 | }
36 | return 0;
37 | }
38 |
--------------------------------------------------------------------------------
/Map.h:
--------------------------------------------------------------------------------
1 | #include
2 | #import "Util.h"
3 |
4 | int findWriteableRegions(){
5 | vm_size_t size;
6 | vm_address_t address;
7 | natural_t nesting_depth;
8 | mach_msg_type_number_t infoCnt;
9 |
10 | regionList.clear();
11 |
12 | size = 0;
13 | address = 0;
14 | struct vm_region_submap_info info;
15 | infoCnt = VM_REGION_SUBMAP_INFO_COUNT;
16 |
17 | for (; !vm_region_recurse(target_task,&address,&size,&nesting_depth,(vm_region_recurse_info_t)&info,&infoCnt);) {
18 | if (info.is_submap) {
19 | ++nesting_depth;
20 | }else{
21 | if ((info.protection & (VM_PROT_WRITE | VM_PROT_READ)) == 3 && (info.max_protection & (VM_PROT_WRITE | VM_PROT_READ)) == 3) {
22 | regionStruct.startAddr = address;
23 | regionStruct.endAddr = size + address;
24 | regionStruct.size = size;
25 | regionList.push_back(regionStruct);
26 | printf("region: %016x-%016x\n",regionStruct.startAddr,regionStruct.endAddr);
27 | }
28 | address += size;
29 | }
30 | }
31 | return 1;
32 | }
33 |
34 |
35 | void setRegion(){
36 | regionList.clear();
37 | printf("SetRegion - target_task : %d\n",target_task);
38 |
39 | findWriteableRegions();
40 |
41 | printf("region Count %lu\n",regionList.size());
42 | }
43 |
44 |
--------------------------------------------------------------------------------
/Map_64.h:
--------------------------------------------------------------------------------
1 | #ifdef __LP64__
2 | #include
3 | #import "Util.h"
4 |
5 | int findWriteableRegions(){
6 | vm_size_t size;
7 | vm_address_t address;
8 | natural_t nesting_depth;
9 | mach_msg_type_number_t infoCnt;
10 |
11 | regionList.clear();
12 |
13 |
14 | size = 0LL;
15 | address = 0LL;
16 | struct vm_region_submap_info_64 info;
17 | infoCnt = VM_REGION_SUBMAP_INFO_COUNT_64;
18 |
19 | for (; !vm_region_recurse_64(target_task,&address,&size,&nesting_depth,(vm_region_recurse_info_t)&info,&infoCnt);) {
20 | if (info.is_submap) {
21 | ++nesting_depth;
22 | }else{
23 | if ((info.protection & (VM_PROT_WRITE | VM_PROT_READ)) == 3 && (info.max_protection & (VM_PROT_WRITE | VM_PROT_READ)) == 3 && address < searchRange) {
24 | regionStruct.startAddr = address;
25 | regionStruct.endAddr = size + address;
26 | regionStruct.size = size;
27 | regionList.push_back(regionStruct);
28 | printf("region 64: %016lx-%016lx\n",regionStruct.startAddr,regionStruct.endAddr);
29 | }
30 | address += size;
31 | }
32 | }
33 | return 1;
34 | }
35 |
36 |
37 | void setRegion(){
38 | regionList.clear();
39 | printf("SetRegion - target_task : %d\n",target_task);
40 |
41 | findWriteableRegions();
42 |
43 | printf("region Count %lu\n",regionList.size());
44 | }
45 | #else
46 | #endif
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7/main.mm.88f6984a.md:
--------------------------------------------------------------------------------
1 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/armv7/main.mm.88f6984a.md /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/armv7/main.mm.88f6984a.o: \
2 | main.mm /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch \
3 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h \
4 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h \
5 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h \
6 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h \
7 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h \
8 | MemoryCheat.h Comparator.h Util.h MemRead.h process.h Map.h \
9 | RunningProces.h Thread.h Write.h
10 |
11 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch:
12 |
13 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h:
14 |
15 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h:
16 |
17 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h:
18 |
19 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h:
20 |
21 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h:
22 |
23 | MemoryCheat.h:
24 |
25 | Comparator.h:
26 |
27 | Util.h:
28 |
29 | MemRead.h:
30 |
31 | process.h:
32 |
33 | Map.h:
34 |
35 | RunningProces.h:
36 |
37 | Thread.h:
38 |
39 | Write.h:
40 |
--------------------------------------------------------------------------------
/.theos/obj/debug/armv7s/main.mm.08745acd.md:
--------------------------------------------------------------------------------
1 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/armv7s/main.mm.08745acd.md /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/armv7s/main.mm.08745acd.o: \
2 | main.mm /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch \
3 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h \
4 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h \
5 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h \
6 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h \
7 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h \
8 | MemoryCheat.h Comparator.h Util.h MemRead.h process.h Map.h \
9 | RunningProces.h Thread.h Write.h
10 |
11 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch:
12 |
13 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h:
14 |
15 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h:
16 |
17 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h:
18 |
19 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h:
20 |
21 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h:
22 |
23 | MemoryCheat.h:
24 |
25 | Comparator.h:
26 |
27 | Util.h:
28 |
29 | MemRead.h:
30 |
31 | process.h:
32 |
33 | Map.h:
34 |
35 | RunningProces.h:
36 |
37 | Thread.h:
38 |
39 | Write.h:
40 |
--------------------------------------------------------------------------------
/.theos/obj/debug/arm64/main.mm.26b7b6ff.md:
--------------------------------------------------------------------------------
1 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/arm64/main.mm.26b7b6ff.md /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/.theos/obj/debug/arm64/main.mm.26b7b6ff.o: \
2 | main.mm /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch \
3 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h \
4 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h \
5 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h \
6 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h \
7 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h \
8 | MemoryCheat.h Comparator_64.h Util.h MemRead_64.h process.h Map_64.h \
9 | RunningProces.h Thread.h Write.h
10 |
11 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/Prefix.pch:
12 |
13 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/NullabilityCompat.h:
14 |
15 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSWebKitCompatHacks.h:
16 |
17 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/HBLog.h:
18 |
19 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/CoreFoundation/CFLogUtilities.h:
20 |
21 | /Users/jeongyoungmin/PROJECT/Lazenca-A/IOS/theos/include/_Prefix/IOSMacros.h:
22 |
23 | MemoryCheat.h:
24 |
25 | Comparator_64.h:
26 |
27 | Util.h:
28 |
29 | MemRead_64.h:
30 |
31 | process.h:
32 |
33 | Map_64.h:
34 |
35 | RunningProces.h:
36 |
37 | Thread.h:
38 |
39 | Write.h:
40 |
--------------------------------------------------------------------------------
/Thread.h:
--------------------------------------------------------------------------------
1 | #include
2 | static void showThreadList(void) {
3 | char name[256];
4 | mach_msg_type_number_t count;
5 | thread_act_array_t list;
6 |
7 | kern_return_t kret;
8 |
9 | kret = task_threads(target_task, &list, &count);
10 |
11 | if (kret == KERN_SUCCESS) {
12 | for (int i = 0; i < count; ++i) {
13 | pthread_t pt = pthread_from_mach_thread_np(list[i]);
14 | if (pt) {
15 | name[0] = '\0';
16 | int rc = pthread_getname_np(pt, name, sizeof name);
17 | printf("Thread %u: getname returned %d: %s\n", list[i], rc, name);
18 | } else {
19 | printf("Thread %u: no pthread found\n", list[i]);
20 | }
21 | }
22 | }else{
23 | printf("task_threads() failed with message %s!\n",mach_error_string(kret));
24 | }
25 | }
26 |
27 | void suspendThread(thread_t target_thread){
28 | kern_return_t kret;
29 | kret = thread_suspend(target_thread);
30 | if (kret == KERN_SUCCESS) {
31 | printf("thread_suspend() succeed with message %s!\n",mach_error_string(kret));
32 | }else{
33 | printf("task_threads() failed with message %s!\n",mach_error_string(kret));
34 | }
35 | }
36 |
37 | void resumeThread(thread_t target_thread){
38 | kern_return_t kret;
39 | kret = thread_resume(target_thread);
40 | if (kret == KERN_SUCCESS) {
41 | printf("thread_resume() resume with message %s!\n",mach_error_string(kret));
42 | }else{
43 | printf("task_threads() failed with message %s!\n",mach_error_string(kret));
44 | }
45 | }
--------------------------------------------------------------------------------
/__handlers__/libSystem.B.dylib/printf.js:
--------------------------------------------------------------------------------
1 | /*
2 | * Auto-generated by Frida. Please modify to match the signature of printf.
3 | * This stub is currently auto-generated from manpages when available.
4 | *
5 | * For full API reference, see: http://www.frida.re/docs/javascript-api/
6 | */
7 |
8 | {
9 | /**
10 | * Called synchronously when about to call printf.
11 | *
12 | * @this {object} - Object allowing you to store state for use in onLeave.
13 | * @param {function} log - Call this function with a string to be presented to the user.
14 | * @param {array} args - Function arguments represented as an array of NativePointer objects.
15 | * For example use Memory.readUtf8String(args[0]) if the first argument is a pointer to a C string encoded as UTF-8.
16 | * It is also possible to modify arguments by assigning a NativePointer object to an element of this array.
17 | * @param {object} state - Object allowing you to keep state across function calls.
18 | * Only one JavaScript function will execute at a time, so do not worry about race-conditions.
19 | * However, do not use this to store function arguments across onEnter/onLeave, but instead
20 | * use "this" which is an object for keeping state local to an invocation.
21 | */
22 | onEnter: function (log, args, state) {
23 | log("printf(" + "" + ")");
24 | },
25 |
26 | /**
27 | * Called synchronously when about to return from printf.
28 | *
29 | * See onEnter for details.
30 | *
31 | * @this {object} - Object allowing you to access state stored in onEnter.
32 | * @param {function} log - Call this function with a string to be presented to the user.
33 | * @param {NativePointer} retval - Return value represented as a NativePointer object.
34 | * @param {object} state - Object allowing you to keep state across function calls.
35 | */
36 | onLeave: function (log, retval, state) {
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/RunningProces.h:
--------------------------------------------------------------------------------
1 | #import
2 | #import
3 | #import
4 |
5 | void ProcessList();
6 |
7 | @interface RunningProcess : NSObject
8 | - (NSArray *)runningProcesses;
9 | @end
10 |
11 | void ProcessList(){
12 | RunningProcess *runningProc = [[RunningProcess alloc] init];
13 | NSArray *str = [runningProc runningProcesses];
14 | for(int i=0;i<[str count];i++){
15 | NSLog(@"%@",[str objectAtIndex:i]);
16 | }
17 | }
18 |
19 | @implementation RunningProcess
20 | - (NSArray *)runningProcesses {
21 | int mib[4] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL, 0};
22 | size_t miblen = 4;
23 | size_t size = 0;
24 |
25 | int st = sysctl(mib, miblen, NULL, &size, NULL, 0);
26 |
27 | struct kinfo_proc *process = NULL;
28 | struct kinfo_proc *newprocess = NULL;
29 |
30 | do {
31 | size += size / 10;
32 | newprocess = (kinfo_proc * )realloc(process, size);
33 | if (!newprocess){
34 | if (process){
35 | free(process);
36 | }
37 | return nil;
38 | }
39 | process = newprocess;
40 | st = sysctl(mib, miblen, process, &size, NULL, 0);
41 | } while (st == -1 && errno == ENOMEM);
42 |
43 | if (st == 0){
44 | if (size % sizeof(struct kinfo_proc) == 0){
45 | int nprocess = size / sizeof(struct kinfo_proc);
46 | if (nprocess){
47 | NSMutableArray * array = [[NSMutableArray alloc] init];
48 |
49 | for (int i = nprocess - 1; i >= 0; i--){
50 | NSString *processID = [[NSString alloc] initWithFormat:@"%d", process[i].kp_proc.p_pid];
51 | NSString *processName = [[NSString alloc] initWithFormat:@"%s", process[i].kp_proc.p_comm];
52 |
53 | // Create an array of the objects
54 | NSArray *ItemArray = [NSArray arrayWithObjects:processID, processName, nil];
55 |
56 | // Create an array of keys
57 | NSArray *KeyArray = [NSArray arrayWithObjects:@"PID", @"Name", nil];
58 |
59 | // Create the dictionary
60 | NSDictionary *dict = [[NSDictionary alloc] initWithObjects:ItemArray forKeys:KeyArray];
61 |
62 | [processID release];
63 | [processName release];
64 | [array addObject:dict];
65 | [dict release];
66 | }
67 | free(process);
68 | return [array autorelease];
69 | }
70 | }
71 | }
72 | return nil;
73 | }
74 | @end
75 |
76 |
--------------------------------------------------------------------------------
/Comparator_64.h:
--------------------------------------------------------------------------------
1 | #ifdef __LP64__
2 | #import "Util.h"
3 | void NumberComparator(long value) {
4 | if (findDataList.size()) {
5 | for (int i = 0,temp = 0; i < findDataList.size(); i++) {
6 | findInfoStruct = findDataList.at(i);
7 | memInfoStruct = memDataList.at(temp);
8 |
9 | for (; memInfoStruct.address <= findInfoStruct.address; temp++) {
10 | if (memInfoStruct.address == findInfoStruct.address) {
11 | if (value == (memInfoStruct.value & 0x00000000FFFFFFFF)) {
12 | tempInfoStruct.address = memInfoStruct.address;
13 | tempInfoStruct.value = (memInfoStruct.value & 0x00000000FFFFFFFF);
14 | tempDataList.push_back(tempInfoStruct);
15 |
16 | if (i < (findDataList.size()-1)) {
17 | i++;
18 | findInfoStruct = findDataList.at(i);
19 | if (memInfoStruct.address > findInfoStruct.address) {
20 | --i;
21 | findInfoStruct = findDataList.at(i);
22 | }
23 | }
24 | }
25 | }
26 |
27 | if (memInfoStruct.address + 4 == findInfoStruct.address) {
28 | if (value == (memInfoStruct.value >> 32)) {
29 | tempInfoStruct.address = memInfoStruct.address+4;
30 | tempInfoStruct.value = (memInfoStruct.value >> 32);
31 | tempDataList.push_back(tempInfoStruct);
32 | }
33 | }
34 |
35 | memInfoStruct = memDataList.at(temp);
36 | }
37 | temp++;
38 | }
39 | } else {
40 | for (int i = 0; i < memDataList.size(); i++) {
41 | memInfoStruct = memDataList.at(i);
42 |
43 | if (value == (memInfoStruct.value & 0x00000000FFFFFFFF)) {
44 | tempInfoStruct.address = memInfoStruct.address;
45 | tempInfoStruct.value = (memInfoStruct.value & 0x00000000FFFFFFFF);
46 | tempDataList.push_back(tempInfoStruct);
47 | }
48 | if (value == (memInfoStruct.value >> 32)) {
49 | tempInfoStruct.address = (memInfoStruct.address + 4);
50 | tempInfoStruct.value = (memInfoStruct.value >> 32);
51 | tempDataList.push_back(tempInfoStruct);
52 | }
53 | }
54 | }
55 |
56 | findDataList.clear();
57 | findDataList = tempDataList;
58 | tempDataList.clear();
59 | memDataList.clear();
60 | }
61 | #else
62 | #endif
--------------------------------------------------------------------------------
/main.mm:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #import
6 | #import "MemoryCheat.h"
7 | #import "RunningProces.h"
8 | #import "Process.h"
9 | #import "Thread.h"
10 | #import "Write.h"
11 | #import "Util.h"
12 |
13 | #ifdef __LP64__
14 | #import "Map_64.h"
15 | #import "MemRead_64.h"
16 | #else
17 | #import "Map.h"
18 | #import "MemRead.h"
19 | #endif
20 |
21 | int main(int argc, char **argv, char **envp) {
22 | char cmd[BUFSIZE];
23 |
24 | @autoreleasepool {
25 | while (1) {
26 | printf("%s",COMMAND);
27 | scanf("%29[^\n]s",cmd);
28 | getchar();
29 |
30 | char command1[BUFSIZE] = {'\0',};
31 | char command2[BUFSIZE] = {'\0',};
32 | char command3[BUFSIZE] = {'\0',};
33 | sscanf(cmd,"%s%s%s", command1, command2, command3);
34 | printf("%s %s %s\n",command1, command2, command3);
35 |
36 | //Process List Print
37 | if (!strcmp(PROCESS,strupr(command1))) {
38 | ProcessList();
39 | //Process Attach
40 | }else if(!strcmp(ATTACH,strupr(command1))){
41 | //sscanf(command2,"%d",&pid);
42 | pid = atoi(command2);
43 | setPid();
44 | findWriteableRegions();
45 | //Value Search
46 | }else if (!strcmp(SEARCH,strupr(command1))) {
47 | printf("%s, %s\n",strupr(command1),command2);
48 |
49 | long value;
50 | sscanf(command2,"%ld",&value);
51 | SearchProcess(value);
52 | //Pick
53 | }else if (!strcmp(PICK,strupr(command1))) {
54 | printf("%s, %s\n",strupr(command1),command2);
55 |
56 | long value;
57 | sscanf(command2,"%ld",&value);
58 | getValueAddress(value);
59 | //Write
60 | }else if(!strcmp(WRITE,strupr(command1))){
61 | long address, value;
62 | sscanf(command2,"%ld",&address);
63 | sscanf(command3,"%ld",&value);
64 | MemoryWrite(address,value);
65 | //THREAD CONTROL
66 | }else if(!strcmp(CONTROL,strupr(command1))){
67 | thread_t target_thread;
68 | sscanf(command3,"%u",&target_thread);
69 | if(!strcmp(ENABLE,strupr(command2))){
70 | resumeThread(target_thread);
71 | }else if(!strcmp(DISABLE,strupr(command2))){
72 | suspendThread(target_thread);
73 | }
74 | //Find data list
75 | }else if(!strcmp(SHOWLIST,strupr(command1))){
76 | showDataList();
77 | //Thread list
78 | }else if(!strcmp(THREADLIST,strupr(command1))){
79 | showThreadList();
80 | //Clear data list
81 | }else if(!strcmp(CLEAR,strupr(command1))){
82 | MemoryClear();
83 | }else if(!strcmp(EXIT,strupr(command1))){
84 | exit(0);
85 | }
86 | }
87 | }
88 | return 0;
89 | }
--------------------------------------------------------------------------------
/MemRead.h:
--------------------------------------------------------------------------------
1 | #include
2 | #import "Util.h"
3 | #import "process.h"
4 |
5 | void getValueArea(vm_address_t startAddress,vm_address_t endAddress, void* buffer,long number){
6 |
7 | kern_return_t result;
8 |
9 | long readArea = 0;
10 | vm_size_t outsize;
11 |
12 | while(endAddress > startAddress){
13 | if (readArea != (startAddress & 0xFFFFF000)) {
14 | readArea = startAddress & 0xFFFFF000;
15 |
16 | outsize = 0;
17 | result = vm_read_overwrite(target_task, readArea, 4096, (vm_address_t)buffer, &outsize);
18 |
19 | if(!outsize){
20 | printf("stardAddress : %x\n",startAddress);
21 | fprintf(stderr,"vm_read_overwrite failed: %u\n",startAddress & 0xFFFFF000);
22 | }
23 | }
24 |
25 | if (result == KERN_SUCCESS) {
26 | for (int i=0; i<1024; i++) {
27 | memInfoStruct.address = startAddress;
28 | memInfoStruct.value = *(int*)((int)buffer + ((startAddress - (startAddress & 0xFFFFF000)) & 0xFFFFFFFc));
29 | memDataList.push_back(memInfoStruct);
30 | startAddress += 4;
31 | }
32 | }
33 | startAddress += 4;
34 | }
35 | printf("list size : %ld\n",memDataList.size());
36 | }
37 |
38 | void readMemory(long number){
39 | if (attach()) {
40 | void *buffer = malloc(4096);
41 | for(int i = 0;i < regionList.size();i++){
42 | regionStruct = regionList.at(i);
43 | vm_address_t startAddress = regionStruct.startAddr;
44 | vm_address_t endAddress = regionStruct.endAddr;
45 | getValueArea(startAddress,endAddress,buffer,number);
46 | }
47 | free(buffer);
48 |
49 | if(task_resume(target_task)){
50 | printf("Cannot resume task!\n");
51 | }
52 | }else{
53 | printf("attach failed");
54 | }
55 | }
56 |
57 | void reReadMemory(long number){
58 | if (attach()) {
59 | vm_address_t startAddress = 0, endAddress = 0;
60 |
61 | void *buffer = malloc(4096);
62 |
63 | for(int i = 0;i < findDataList.size();i++){
64 | findInfoStruct = findDataList.at(i);
65 | vm_address_t cmp = findInfoStruct.address;
66 | if((startAddress >= cmp) || (cmp >= endAddress)){
67 | startAddress = findInfoStruct.address;
68 | endAddress = findInfoStruct.address + MEMREADSIZE;
69 | getValueArea(startAddress,endAddress,buffer,number);
70 | }
71 | }
72 | free(buffer);
73 |
74 | if(task_resume(target_task)){
75 | printf("Cannot resume task!\n");
76 | }
77 | }else{
78 | printf("attach failed");
79 | }
80 | }
81 |
82 | void getValueAddress(vm_address_t address){
83 | kern_return_t result;
84 | void *buffer;
85 | buffer = malloc(8);
86 | vm_size_t outsize;
87 |
88 | if (attach()) {
89 | result = vm_read_overwrite(target_task, address, 8, (vm_address_t)buffer, &outsize);
90 |
91 | if(!outsize){
92 | printf("stardAddress : %x\n",address);
93 | fprintf(stderr,"vm_read_overwrite failed: %u\n",address & 0xFFFFFFFc);
94 | }
95 |
96 | if (result == KERN_SUCCESS) {
97 | printf("%d\n",*(int*)buffer);
98 | }
99 |
100 | if(task_resume(target_task)){
101 | printf("Cannot resume task!\n");
102 | }
103 | }else{
104 | printf("attach failed");
105 | }
106 | free(buffer);
107 | }
--------------------------------------------------------------------------------
/Util.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 |
5 | /*
6 | * Command Input
7 | */
8 | #define BUFSIZE 30
9 | #define COMMAND "Lazenca A : "
10 |
11 | #define MEMREADSIZE 4096
12 |
13 | /*
14 | * http
15 | */
16 | #define MAX_PATH 260
17 | #define BUFF_MAX 0x2000
18 |
19 | /*
20 | * Command
21 | */
22 | #define SEARCH "SEARCH"
23 | #define FUZZING "FUZZING"
24 | #define WRITE "WRITE"
25 | #define PROCESS "PROCESS"
26 | #define ATTACH "ATTACH"
27 | #define CONTROL "CONTROL"
28 | #define SHOWLIST "SHOWLIST"
29 | #define THREADLIST "THREADLIST"
30 | #define CONTROL "CONTROL"
31 | #define PICK "PICK"
32 | #define CLEAR "CLEAR"
33 | #define ENABLE "ENABLE"
34 | #define DISABLE "DISABLE"
35 | #define EXIT "EXIT"
36 |
37 | /*
38 | * Fuzzing Option
39 | */
40 | #define SMALLER "SMALLER"
41 | #define LAGER "LAGER"
42 | #define EQUAL "EQUAL"
43 | #define NOTEQUAL "NOTEQUAL"
44 |
45 | /*
46 | * Attach
47 | */
48 | pid_t pid;
49 | mach_port_name_t target_task;
50 | mach_port_name_t tmp_target_task;
51 |
52 | #ifdef __LP64__
53 | typedef struct REGION{
54 | vm_address_t startAddr;
55 | vm_address_t endAddr;
56 | vm_size_t size;
57 | }INFOREGION;
58 |
59 | typedef struct ADDRDATAPAIR{
60 | vm_address_t address;
61 | long value;
62 | }INFODATA;
63 |
64 |
65 | std::vector regionList;
66 | INFOREGION regionStruct;
67 |
68 |
69 | std::vector findDataList;
70 | INFODATA findInfoStruct;
71 |
72 |
73 | std::vector tempDataList;
74 | INFODATA tempInfoStruct;
75 |
76 |
77 | std::vector lockDatalist;
78 | INFODATA lockDataStruct;
79 |
80 |
81 | std::vector memDataList;
82 | INFODATA memInfoStruct;
83 |
84 | #else
85 | typedef struct REGION{
86 | vm_address_t startAddr;
87 | vm_address_t endAddr;
88 | vm_size_t size;
89 | }INFOREGION;
90 |
91 | typedef struct{
92 | vm_address_t address;
93 | double value;
94 | }INFODATA;
95 |
96 |
97 | std::vector regionList;
98 | INFOREGION regionStruct;
99 |
100 |
101 | std::vector findDataList;
102 |
103 | std::vector tempDataList;
104 | INFODATA findInfoStruct;
105 |
106 |
107 | std::vector lockDatalist;
108 | INFODATA lockDataStruct;
109 |
110 |
111 | std::vector memDataList;
112 | INFODATA memInfoStruct;
113 | #endif
114 |
115 | long long searchRange = 0x200000000;
116 |
117 | int isCMDRUNNING = 0;
118 |
119 | char errorMsgCmdErr[MAX_PATH] = "Error : input!";
120 |
121 | #include
122 | char *strupr(char*);
123 |
124 | char *strupr(char *s) {
125 | char *p = s;
126 |
127 | while (*p) {
128 | *p = (char) toupper(*p);
129 | p++;
130 | }
131 | return s;
132 | }
133 |
134 | void showDataList(){
135 | if(findDataList.size() != 0){
136 | for (int i = 0; i < findDataList.size(); i++) {
137 |
138 | findInfoStruct = findDataList.at(i);
139 | #ifdef __LP64__
140 | printf("Address : %lx , Address(long) : %lu, Value : %ld\n",findInfoStruct.address,findInfoStruct.address,findInfoStruct.value);
141 | #else
142 | printf("Address : %x , Address(long) : %u, Value : %f\n",findInfoStruct.address,findInfoStruct.address,findInfoStruct.value);
143 | #endif
144 | }
145 | printf("Total Count : %lu\n",findDataList.size());
146 |
147 | }else{
148 | printf("size 0!\n");
149 | }
150 | }
151 |
152 | void MemoryClear(){
153 | findDataList.clear();
154 | memDataList.clear();
155 | lockDatalist.clear();
156 | isCMDRUNNING = 0;
157 | }
158 |
159 | int chkFuzzingCommand(char *s){
160 | if(!strcmp( SMALLER, strupr(s))){
161 | return 1;
162 | }
163 | if(!strcmp( LAGER, strupr(s))){
164 | return 1;
165 | }
166 | if(!strcmp( EQUAL, strupr(s))){
167 | return 1;
168 | }
169 | if(!strcmp( NOTEQUAL, strupr(s))){
170 | return 1;
171 | }
172 | printf("%s\n",errorMsgCmdErr);
173 | return 0;
174 | }
175 |
176 |
--------------------------------------------------------------------------------
/Http.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Host를 이용하여 IP정보 추출
3 | */
4 | int HostToIp(char *host, char *ip, int len)
5 | {
6 | if(host[strlen(host)-1] > 57)
7 | {
8 | struct hostent *hent;
9 | char *pp;
10 |
11 | if((hent = gethostbyname(host)) == NULL)
12 | {
13 | return (-1);
14 | }
15 |
16 | pp = ((char *)*hent->h_addr_list);
17 | strncpy(ip, inet_ntoa(*(struct in_addr *)pp), 32);
18 | }
19 | else
20 | {
21 | strncpy(ip, host, 32);
22 | }
23 |
24 | return 0;
25 | }
26 |
27 | /*
28 | * 타임아웃 설정
29 | */
30 | int connect_timeout(char *host, int port, int timeout)
31 | {
32 | struct sockaddr_in remote;
33 | char ip[32];
34 | int sock = 0;
35 |
36 | do
37 | {
38 | sock = socket(PF_INET, SOCK_STREAM, 0);
39 | if(sock < 0)
40 | {
41 | perror("socket failed");
42 | sock = 0;
43 | break;
44 | }
45 |
46 | struct timeval tv;
47 | tv.tv_sec = 60;
48 | tv.tv_usec = 0;
49 | if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&tv, sizeof(struct timeval)) == -1)
50 | {
51 | perror("setsockopt failed");
52 | close(sock);
53 | sock = 0;
54 | break;
55 | }
56 |
57 | if(HostToIp(host, ip, sizeof(ip)) < 0)
58 | {
59 | perror("HostToIp failed");
60 | sock = 0;
61 | break;
62 | }
63 |
64 | remote.sin_family = AF_INET;
65 | remote.sin_addr.s_addr = inet_addr(ip);
66 | remote.sin_port = htons((unsigned short)port);
67 |
68 | int state = connect(sock, (struct sockaddr *)&remote, sizeof(struct sockaddr));
69 | if(state < 0)
70 | {
71 | perror("connect failed");
72 | sock = 0;
73 | }
74 | }
75 | while(0);
76 | return sock;
77 | }
78 |
79 | int HttpGetFile(char *host, int port, char *url)
80 | {
81 | int result = 0;
82 | int sock;
83 |
84 | char buf[BUFF_MAX] = {0};
85 |
86 | FILE *fs;
87 |
88 | unsigned int sent = 0;
89 | int i;
90 |
91 | sock = connect_timeout(host, port, 26);
92 |
93 | sprintf(buf,"GET %s?userid=%s&os=iOS&appname=%s&cmd=%s&subCmd=%s&count=%d&num=%ld&addr=%s&tpid=%d HTTP/1.0\r\nHost: %s\r\n\r\n",url, uuidtosha, appname, cmd, subCmd, count, num, addr, tpid, host);
94 | while (sent < strlen(buf)) {
95 | i = send(sock, buf + sent, strlen(buf) - sent, 0);
96 | if (i < 0) {
97 | perror("connect failed");
98 | result = (-4);
99 | break;
100 | }
101 | sent += i;
102 | }
103 |
104 | if (!result) {
105 |
106 | }
107 |
108 | if(sock)
109 | {
110 | close(sock);
111 | }
112 | count++;
113 | return result;
114 | }
115 |
116 | void setDefaultParameta(){
117 | int cmdBudSize = sizeof(cmd);
118 | int subCmdBufSize = sizeof(subCmd);
119 | int addrBufSize = sizeof(addr);
120 |
121 | memset(cmd,0,cmdBudSize);
122 | strncpy(cmd,"0",1);
123 | memset(subCmd,0,subCmdBufSize);
124 | strncpy(subCmd,"0",1);
125 | memset(addr,0,addrBufSize);
126 | strncpy(addr,"0",1);
127 |
128 | num = 0;
129 | tpid = 0;
130 | }
131 |
132 | //Userid를 서버로 전송하기 위해 Userid를 저장합니다.
133 | void setParametaUserid(char *inUserid){
134 | setDefaultParameta();
135 | strncpy(userid,inUserid,MAX_PATH);
136 | }
137 |
138 | //Appname 을 서버로 전송하기 위해 Attach된 프로세스의 이름을 저장합니다.
139 | void setParametaAppName(){
140 | char cmdLine[256];
141 | char tempPath[256];
142 |
143 | setDefaultParameta();
144 |
145 | sprintf(tempPath, "/proc/%d/cmdline", privatePid);
146 | getCmdLine(tempPath, cmdLine);
147 | strncpy(appname, cmdLine, MAX_PATH);
148 | strncpy(cmd,"ATTACH",MAX_PATH);
149 | }
150 |
151 | //검색하려는 값을 서버로 전송하기 위해 검색 값을 저장합니다.
152 | void setParametaSearch(long value){
153 | setDefaultParameta();
154 |
155 | strncpy(cmd,"SEARCH",MAX_PATH);
156 | num = value;
157 | }
158 |
159 | //검색하려는 값을 서버로 전송하기 위해 검색 값을 저장합니다.
160 | void setParametaFuzzing(char *inFuz){
161 | setDefaultParameta();
162 |
163 | strncpy(cmd,"FUZZING",MAX_PATH);
164 | strncpy(subCmd,inFuz,MAX_PATH);
165 | }
166 |
167 | //변경하려는 값을 서버로 전송하기 위해 변경 값,주소 값을 저장합니다.
168 | void setParametaWrite(char *inAddr, long inValue){
169 | setDefaultParameta();
170 |
171 | strncpy(cmd,"WRITE",MAX_PATH);
172 | strncpy(addr,inAddr,MAX_PATH);
173 | num = inValue;
174 | }
175 |
176 | //Lock설정 주소 값을 서버로 전송하기 위해 주소 값을 저장합니다.
177 | void setParametaLock(char *inCmd,char *inAddr){
178 | setDefaultParameta();
179 |
180 | strncpy(cmd,inCmd,MAX_PATH);
181 | strncpy(addr,inAddr,MAX_PATH);
182 | }
183 |
184 | //Thread Control 값을 서버로 전송하기 위해 Thread id 값을 저장합니다.
185 | void setParametaThreadCtr(char *inThreadCtr,long inTPid){
186 | setDefaultParameta();
187 |
188 | strncpy(cmd,"THREADCTR",MAX_PATH);
189 | strncpy(subCmd,inThreadCtr,MAX_PATH);
190 | tpid = inTPid;
191 | }
192 |
193 | //Processlist 진행여부를 서버로 전송하기 위해 cmd값을 저장합니다.
194 | void setParametaPrintlist(char *content){
195 | setDefaultParameta();
196 |
197 | strncpy(cmd,content,MAX_PATH);
198 | }
199 |
--------------------------------------------------------------------------------
/MemRead_64.h:
--------------------------------------------------------------------------------
1 | #ifdef __LP64__
2 | #include
3 | #import "Util.h"
4 | #import "process.h"
5 |
6 | void getValueArea(vm_address_t startAddress,vm_address_t endAddress, void* buffer,long number,bool check){
7 |
8 | kern_return_t result;
9 |
10 | long readArea = 0;
11 | vm_size_t outsize;
12 |
13 | while(endAddress > startAddress){
14 | if(check){
15 | if (readArea != (startAddress & 0xFFFFFFFFFFFFF000)) {
16 | readArea = startAddress & 0xFFFFFFFFFFFFF000;
17 |
18 | outsize = 0;
19 | result = vm_read_overwrite(target_task, readArea, 4096, (vm_address_t)buffer, &outsize);
20 |
21 | if(!outsize){
22 | printf("stardAddress 64 : %lx, %lx\n",startAddress,endAddress);
23 | fprintf(stderr,"vm_read_overwrite failed: %lu\n",startAddress & 0xFFFFFFFFFFFFF000);
24 | }
25 | }
26 |
27 | if (result == KERN_SUCCESS) {
28 | for (int i=0; i<512; i++) {
29 | memInfoStruct.address = startAddress;
30 | memInfoStruct.value = *(long*)((char*)buffer + ((startAddress - (startAddress & 0xFFFFFFFFFFFFF000)) & 0xFFFFFFFFFFFFFFF8));
31 | memDataList.push_back(memInfoStruct);
32 | startAddress += 8;
33 | }
34 | }else{
35 | startAddress += 8;
36 | }
37 | }else{
38 | if (readArea != startAddress) {
39 | readArea = startAddress;
40 |
41 | outsize = 0;
42 | result = vm_read_overwrite(target_task, readArea, 4096, (vm_address_t)buffer, &outsize);
43 |
44 | if(!outsize){
45 | printf("stardAddress 64 : %lx, %lx\n",startAddress,endAddress);
46 | fprintf(stderr,"vm_read_overwrite failed: %lu\n",startAddress);
47 | }
48 | }
49 |
50 | if (result == KERN_SUCCESS) {
51 | for (int i=0; i<512; i++) {
52 | memInfoStruct.address = startAddress;
53 | memInfoStruct.value = *(long*)((char*)buffer + (startAddress - readArea));
54 | memDataList.push_back(memInfoStruct);
55 | startAddress += 8;
56 | }
57 | }else{
58 | startAddress += 8;
59 | }
60 | }
61 |
62 | }
63 | }
64 |
65 | void readMemory(long number){
66 | if (attach()) {
67 | void *buffer = malloc(4096);
68 |
69 | for(int i = 0;i < regionList.size();i++){
70 | regionStruct = regionList.at(i);
71 |
72 | vm_address_t startAddress = regionStruct.startAddr;
73 | vm_address_t endAddress = regionStruct.endAddr;
74 | getValueArea(startAddress,endAddress,buffer,number,1);
75 |
76 | }
77 | free(buffer);
78 |
79 | if(task_resume(target_task)){
80 | printf("Cannot resume task!\n");
81 | }
82 | }else{
83 | printf("attach failed");
84 | }
85 | }
86 |
87 | void reReadMemory(long number){
88 | if (attach()) {
89 | vm_address_t startAddress = 0, endAddress = 0;
90 |
91 | void *buffer = malloc(4096);
92 |
93 | for(int i = 0;i < findDataList.size();i++){
94 | findInfoStruct = findDataList.at(i);
95 | vm_address_t cmp = findInfoStruct.address;
96 |
97 | if((startAddress >= cmp) || (cmp >= endAddress)){
98 | startAddress = findInfoStruct.address;
99 | endAddress = startAddress + 4096;
100 | getValueArea(startAddress,endAddress,buffer,number,0);
101 | }
102 | }
103 | free(buffer);
104 |
105 | if(task_resume(target_task)){
106 | printf("Cannot resume task!\n");
107 | }
108 | }else{
109 | printf("attach failed");
110 | }
111 | }
112 |
113 | void getValueAddress(vm_address_t address){
114 | kern_return_t result;
115 | void *buffer;
116 | buffer = malloc(8);
117 | vm_size_t outsize;
118 |
119 | if (attach()) {
120 | result = vm_read_overwrite(target_task, address, 8, (vm_address_t)buffer, &outsize);
121 |
122 | if(!outsize){
123 | printf("stardAddress 64 : %lx\n",address);
124 | fprintf(stderr,"vm_read_overwrite failed: %lu\n",address & 0xFFFFFFFFFFFFFFF8);
125 |
126 | }
127 |
128 | if (result == KERN_SUCCESS) {
129 | printf("stardAddress 64 : %lx\n",address);
130 | printf("Address : %lx, int32 Value: %ld\n",address,*(long*)buffer & 0x00000000FFFFFFFF);
131 | printf("Address : %lx, int32 Value: %ld\n",address + 4,*(long*)buffer >> 32);
132 | }
133 |
134 | if(task_resume(target_task)){
135 | printf("Cannot resume task!\n");
136 | }
137 | }else{
138 | printf("attach failed");
139 | }
140 | free(buffer);
141 | }
142 | #else
143 | #endif
--------------------------------------------------------------------------------
/Comparator.h:
--------------------------------------------------------------------------------
1 | #import "Util.h"
2 |
3 | void SmallerComparator() {
4 | if(memDataList.size() == findDataList.size()){
5 | for (int i = 0; i < findDataList.size(); i++) {
6 | findInfoStruct = findDataList.at(i);
7 | memInfoStruct = memDataList.at(i);
8 |
9 | if (memInfoStruct.address == findInfoStruct.address) {
10 | if (findInfoStruct.value > memInfoStruct.value) {
11 | tempDataList.push_back(memInfoStruct);
12 | }
13 | }
14 | }
15 | } else{
16 | int temp = 0;
17 | for(int i = 0; i < findDataList.size();i++){
18 | findInfoStruct = findDataList.at(i);
19 | memInfoStruct = memDataList.at(temp);
20 |
21 | for(;memInfoStruct.address <= findInfoStruct.address;temp++){
22 | memInfoStruct = memDataList.at(temp);
23 |
24 | if (memInfoStruct.address == findInfoStruct.address) {
25 | if (findInfoStruct.value > memInfoStruct.value) {
26 | tempDataList.push_back(memInfoStruct);
27 | }
28 | }
29 | }
30 | }
31 | }
32 |
33 | findDataList.clear();
34 | findDataList = tempDataList;
35 | tempDataList.clear();
36 | memDataList.clear();
37 | }
38 |
39 | void LagerComparator() {
40 | if(memDataList.size() == findDataList.size()){
41 | for (int i = 0; i < findDataList.size(); i++) {
42 | findInfoStruct = findDataList.at(i);
43 | memInfoStruct = memDataList.at(i);
44 |
45 | if (memInfoStruct.address == findInfoStruct.address) {
46 | if (findInfoStruct.value < memInfoStruct.value) {
47 | tempDataList.push_back(memInfoStruct);
48 | }
49 | }
50 | }
51 | } else{
52 | int temp = 0;
53 | for(int i = 0; i < findDataList.size();i++){
54 | findInfoStruct = findDataList.at(i);
55 | memInfoStruct = memDataList.at(temp);
56 |
57 | for(;memInfoStruct.address <= findInfoStruct.address;temp++){
58 | memInfoStruct = memDataList.at(temp);
59 | if (memInfoStruct.address == findInfoStruct.address) {
60 | if (findInfoStruct.value < memInfoStruct.value) {
61 | tempDataList.push_back(memInfoStruct);
62 | }
63 | }
64 | }
65 | }
66 | }
67 |
68 | findDataList.clear();
69 | findDataList = tempDataList;
70 | tempDataList.clear();
71 | memDataList.clear();
72 | }
73 |
74 | void EqualComparator() {
75 | if(memDataList.size() == findDataList.size()){
76 | for (int i = 0; i < findDataList.size(); i++) {
77 | findInfoStruct = findDataList.at(i);
78 | memInfoStruct = memDataList.at(i);
79 |
80 | if (memInfoStruct.address == findInfoStruct.address) {
81 | if (findInfoStruct.value != memInfoStruct.value) {
82 | tempDataList.push_back(memInfoStruct);
83 | }
84 | }
85 | }
86 | } else{
87 | int temp = 0;
88 | for(int i = 0; i < findDataList.size();i++){
89 | findInfoStruct = findDataList.at(i);
90 | memInfoStruct = memDataList.at(temp);
91 |
92 | for(;memInfoStruct.address <= findInfoStruct.address;temp++){
93 | memInfoStruct = memDataList.at(temp);
94 | if (memInfoStruct.address == findInfoStruct.address) {
95 | if (findInfoStruct.value == memInfoStruct.value) {
96 | tempDataList.push_back(memInfoStruct);
97 | }
98 | }
99 | }
100 | }
101 | }
102 |
103 | findDataList.clear();
104 | findDataList = tempDataList;
105 | tempDataList.clear();
106 | memDataList.clear();
107 | }
108 |
109 | void NotEqualComparator() {
110 | if(memDataList.size() == findDataList.size()){
111 | for (int i = 0; i < findDataList.size(); i++) {
112 | findInfoStruct = findDataList.at(i);
113 | memInfoStruct = memDataList.at(i);
114 | if (memInfoStruct.address == findInfoStruct.address) {
115 | if (findInfoStruct.value != memInfoStruct.value) {
116 | tempDataList.push_back(memInfoStruct);
117 | }
118 | }
119 | }
120 | } else{
121 | int temp = 0;
122 | for(int i = 0; i < findDataList.size();i++){
123 | findInfoStruct = findDataList.at(i);
124 | memInfoStruct = memDataList.at(temp);
125 |
126 | for(;memInfoStruct.address <= findInfoStruct.address;temp++){
127 | memInfoStruct = memDataList.at(temp);
128 | if (memInfoStruct.address == findInfoStruct.address) {
129 | if (findInfoStruct.value != memInfoStruct.value) {
130 | tempDataList.push_back(memInfoStruct);
131 | }
132 | }
133 | }
134 | }
135 | }
136 |
137 | findDataList.clear();
138 | findDataList = tempDataList;
139 | tempDataList.clear();
140 | memDataList.clear();
141 | }
142 |
143 | void NumberComparator(long value) {
144 | if (findDataList.size()) {
145 | int temp = 0;
146 | for (int i = 0; i < findDataList.size(); i++) {
147 | findInfoStruct = findDataList.at(i);
148 | memInfoStruct = memDataList.at(temp);
149 |
150 | for (; memInfoStruct.address <= findInfoStruct.address; temp++) {
151 |
152 | if (memInfoStruct.address == findInfoStruct.address) {
153 | if (value == memInfoStruct.value) {
154 | tempDataList.push_back(memInfoStruct);
155 | }
156 | }
157 | memInfoStruct = memDataList.at(temp);
158 | }
159 | temp++;
160 |
161 | }
162 | } else {
163 | for (int i = 0; i < memDataList.size(); i++) {
164 | memInfoStruct = memDataList.at(i);
165 | if (value == memInfoStruct.value) {
166 | tempDataList.push_back(memInfoStruct);
167 | }
168 | }
169 | }
170 |
171 | findDataList.clear();
172 | findDataList = tempDataList;
173 | tempDataList.clear();
174 | memDataList.clear();
175 | }
176 |
177 |
--------------------------------------------------------------------------------