├── README.md ├── Kernel64Patcher.c ├── LICENSE └── patchfinder64.c
/README.md:
--------------------------------------------------------------------------------
# Kernel64Patcher
A 64 Bit kernel patcher based on xerub's patchfinder64

## Compiling
```
gcc Kernel64Patcher.c -o Kernel64Patcher
```
## Usage:
```
./Kernel64Patcher kcache.raw kcache.patched -a
```
## Credits/Thanks
* xerub for patchfinder64
* iH8sn0w for code

--------------------------------------------------------------------------------
/Kernel64Patcher.c:
--------------------------------------------------------------------------------
/*
 * Copyright 2020, @Ralph0045
 * gcc Kernel64Patcher.c -o Kernel64Patcher
 */

// NOTE(review): the three system header names are missing in this rendering
// (angle-bracket includes were most likely stripped as markup). The calls in
// this file need at least <stdio.h> (printf, fopen), <stdlib.h> (malloc, atoi)
// and <string.h> (memmem, strncpy, memmove); uintptr_t/uint32_t come from
// <stdint.h> unless patchfinder64.c pulls it in — confirm against the repo.
#include
#include
#include

// patchfinder64.c is included as source, so addr_t, INSN_CALL and the search
// helpers used below (xref64, xref64code, bof64, step64, step64_back,
// follow_call64) are defined in this translation unit. Their contracts are
// not visible on this page; the callers only rely on "0 means not found".
#include "patchfinder64.c"

// Byte offset of x from the start of kernel_buf.
//  - kernel_len is accepted but unused.
//  - `kernel_buf` is not a macro parameter: it binds to whatever variable of
//    that name is in scope at the expansion site (the parameter of each
//    patch function below).
//  - x is not parenthesised; pass a plain identifier.
//  - When x is a void* (every use but one), the expansion is pointer minus
//    integer, so the result is a void* whose numeric value is the offset,
//    not an address. That keeps the %p prints type-consistent, but it relies
//    on GNU void* arithmetic and on forming a pointer far outside the buffer.
#define GET_OFFSET(kernel_len, x) (x - (uintptr_t) kernel_buf)

// iOS 15 "%s: firmware validation failed %d\" @%s:%d SPU Firmware Validation Patch
//
// Finds the firmware-validation log string, follows its xref back to the
// enclosing function, then walks three calls back from a caller of that
// function and overwrites the first instruction word of the function found
// there. The image is modified in place.
//   kernel_buf  decompressed, unpacked kernelcache image
//   kernel_len  number of bytes in kernel_buf
//   returns     0 on success, -1 when any search step finds nothing
int get_SPUFirmwareValidation_patch(void *kernel_buf, size_t kernel_len) {
    printf("%s: Entering ...\n",__FUNCTION__);

    // 42 visible characters plus the terminating NUL; memmem is given the
    // explicit length 42 so the terminator is not part of the pattern.
    char rootvpString[43] = "\"%s: firmware validation failed %d\" @%s:%d";
    void* ent_loc = memmem(kernel_buf,kernel_len,rootvpString,42);
    if(!ent_loc) {
        printf("%s: Could not find \"%%s: firmware validation failed %%d\" @%%s:%%d string\n",__FUNCTION__);
        return -1;
    }
    // Prints the byte offset of the string (see GET_OFFSET), not an address.
    printf("%s: Found \"%%s: firmware validation failed %%d\" @%%s:%%d\" str loc at %p\n",__FUNCTION__,GET_OFFSET(kernel_len,ent_loc));
    // Presumably searches [0, kernel_len) for a code reference to the
    // string's offset; a zero result is treated as "not found".
    addr_t xref_stuff = xref64(kernel_buf,0,kernel_len,(addr_t)GET_OFFSET(kernel_len, ent_loc));
    if(!xref_stuff) {
        printf("%s: Could not find \"%%s: firmware validation failed %%d\" @%%s:%%d xref\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Found \"%%s: firmware validation failed %%d\" @%%s:%%d\" ref at %p\n",__FUNCTION__,(void*)xref_stuff);
    // Presumably the start of the function containing xref_stuff — bof64's
    // exact contract lives in patchfinder64.c, not on this page.
    addr_t beg_func = bof64(kernel_buf,0,xref_stuff);
if(!beg_func) {
        printf("%s: Could not find firmware validation function start\n",__FUNCTION__);
        return -1;
    }
    // NOTE(review): beg_func is an integer offset (addr_t; it is later added
    // to kernel_buf), not a pointer, so GET_OFFSET here computes
    // offset - (uintptr_t)kernel_buf, unlike every other use of the macro,
    // which receives a pointer. That looks unintended; confirm what
    // xref64code expects as its third argument.
    xref_stuff = xref64code(kernel_buf,0,(addr_t)GET_OFFSET(kernel_len, beg_func), beg_func);
    if(!xref_stuff) {
        printf("%s: Could not find previous xref\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Found function xref at %p\n",__FUNCTION__,(void*)xref_stuff);
    // Walk back three INSN_CALL instructions from the caller's xref. Each
    // subsequent step starts 4 bytes before the previous hit so the same
    // instruction is not matched again. The window of 100 and the
    // three-call distance are build-specific heuristics; nothing below
    // verifies that the function reached is the intended one.
    addr_t next_bl = step64_back(kernel_buf, xref_stuff, 100, INSN_CALL);
    if(!next_bl) {
        printf("%s: Could not find previous bl\n",__FUNCTION__);
        return -1;
    }
    next_bl = step64_back(kernel_buf, (next_bl - 0x4), 100, INSN_CALL);
    if(!next_bl) {
        printf("%s: Could not find previous bl\n",__FUNCTION__);
        return -1;
    }
    next_bl = step64_back(kernel_buf, (next_bl - 0x4), 100, INSN_CALL);
    if(!next_bl) {
        printf("%s: Could not find previous bl\n",__FUNCTION__);
        return -1;
    }
    beg_func = bof64(kernel_buf,0,next_bl);
    if(!beg_func) {
        printf("%s: Could not find start of firmware validation function\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Patching SPU Firmware Validation at %p\n\n", __FUNCTION__,(void*)(beg_func));
    // In-place write of one 32-bit instruction word at offset beg_func.
    // There is no check that beg_func + 4 <= kernel_len, so an unexpected
    // helper result writes past the buffer; kernel_buf is void*, so the
    // arithmetic relies on the GNU byte-arithmetic extension.
    *(uint32_t *) (kernel_buf + beg_func) = 0xD65F03C0;
    return 0;
}

// iOS 15 rootvp not authenticated after mounting Patch
//
// Locates a call site near the "md0" string reference (or, on builds where
// that fails, at a fixed offset into the function that logs "rootvp not
// authenticated after mounting") and overwrites the instruction word after
// the selected call. The image is modified in place.
//   kernel_buf  decompressed, unpacked kernelcache image
//   kernel_len  number of bytes in kernel_buf
//   returns     0 on success, -1 when any search step finds nothing
int get_RootVPNotAuthenticatedAfterMounting_patch(void *kernel_buf, size_t kernel_len) {
    printf("%s: Entering ...\n",__FUNCTION__);
    // 39 characters plus NUL.
    char rootVPString[40] = "rootvp not authenticated after mounting";
    // Exactly 3 bytes: this array stores no NUL terminator, which is legal C
    // but means it must only be used with an explicit length (as the memmem
    // call below does), never with %s or strlen.
    char md0String[3] = "md0";
    // A 3-byte pattern can match inside unrelated data; the code copes with
    // "no match" via the fallback that follows, but not with a wrong match.
    void* ent_loc = memmem(kernel_buf,kernel_len,md0String,3);
    if(!ent_loc) {
        printf("%s: Could not find \"md0\" string\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Found \"md0\" str loc at %p\n",__FUNCTION__,GET_OFFSET(kernel_len,ent_loc));
    addr_t xref_stuff = xref64(kernel_buf,0,kernel_len,(addr_t)GET_OFFSET(kernel_len, ent_loc));
    if(!xref_stuff) {
printf("%s: Could not find \"md0\" xref\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Found \"md0\" ref at %p\n",__FUNCTION__,(void*)xref_stuff);
    // Look for the next INSN_CALL within a window of 100, starting 8 bytes
    // after the xref so the referencing instructions themselves are skipped.
    addr_t next_bl = step64(kernel_buf, xref_stuff + 0x8, 100, INSN_CALL);
    if(!next_bl) {
        // Newer devices will fail here, so using another string is required
        printf("%s: Failed to use \"md0\", swapping to \"rootvp not authenticated after mounting\"\n",__FUNCTION__);
        ent_loc = memmem(kernel_buf,kernel_len,rootVPString,39);
        if(!ent_loc) {
            printf("%s: Could not find \"rootvp not authenticated after mounting\" string\n",__FUNCTION__);
            return -1;
        }
        printf("%s: Found \"rootvp not authenticated after mounting\" str loc at %p\n",__FUNCTION__,GET_OFFSET(kernel_len,ent_loc));
        xref_stuff = xref64(kernel_buf,0,kernel_len,(addr_t)GET_OFFSET(kernel_len, ent_loc));
        if(!xref_stuff) {
            printf("%s: Could not find \"rootvp not authenticated after mounting\" xref\n",__FUNCTION__);
            return -1;
        }
        printf("%s: Found \"rootvp not authenticated after mounting\" str xref at %p\n",__FUNCTION__,(void*)xref_stuff);
        addr_t beg_func = bof64(kernel_buf,0,xref_stuff);
        if(!beg_func) {
            printf("%s: Could not find function start\n",__FUNCTION__);
            return -1;
        }
        // Fixed distance into the function, tied to one specific kernel
        // build's layout. Nothing checks that beg_func + 0xA98 is still
        // inside kernel_len before step64 reads from there, and the log line
        // below labels this adjusted value "function start".
        beg_func = beg_func + 0xA98;
        printf("%s: Found function start at %p\n",__FUNCTION__,(void*)beg_func);
        next_bl = step64(kernel_buf, beg_func, 100, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
    } else {
        // "md0" path: advance past four more calls, each search starting
        // 8 bytes after the previous hit. The call count is a build-specific
        // heuristic with no cross-check.
        next_bl = step64(kernel_buf, next_bl + 0x8, 100, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
        next_bl = step64(kernel_buf, next_bl + 0x8, 100, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
        next_bl = step64(kernel_buf, next_bl + 0x8,
100, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
        next_bl = step64(kernel_buf, next_bl + 0x8, 100, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
    }
    printf("%s: Patching ROOTVP at %p\n\n", __FUNCTION__,(void*)(next_bl + 0x4));
    // Overwrites the instruction word following the selected call. No bounds
    // check against kernel_len — same caveat as the other in-place writes.
    *(uint32_t *) (kernel_buf + next_bl + 0x4) = 0xD503201F;

    return 0;
}

// iOS 15 AMFI Kernel Patch
//
// Finds the code reference to the "unable to obtain local signing public key"
// log string and overwrites the instruction word 4 bytes after that
// reference. The image is modified in place.
//   kernel_buf  decompressed, unpacked kernelcache image
//   kernel_len  number of bytes in kernel_buf
//   returns     0 on success, -1 when the string or its xref is not found
int get_AMFIInitializeLocalSigningPublicKey_patch(void* kernel_buf,size_t kernel_len) {
    printf("%s: Entering ...\n",__FUNCTION__);

    // By my count the literal is 52 characters (leading quote included), so
    // the array is filled exactly and stores no NUL terminator — legal in C,
    // but the name must never reach %s/strlen. memmem is asked for the first
    // 51 bytes, i.e. the pattern stops one character short of the literal.
    char AMFIString[52] = "\"AMFI: %s: unable to obtain local signing public key";
    void* ent_loc = memmem(kernel_buf,kernel_len,AMFIString,51);
    if(!ent_loc) {
        printf("%s: Could not find \"AMFI: %%s: unable to obtain local signing public key\" string\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Found \"AMFI: %%s: unable to obtain local signing public key\" str loc at %p\n",__FUNCTION__,GET_OFFSET(kernel_len,ent_loc));
    addr_t xref_stuff = xref64(kernel_buf,0,kernel_len,(addr_t)GET_OFFSET(kernel_len, ent_loc));
    if(!xref_stuff) {
        printf("%s: Could not find \"AMFI: %%s: unable to obtain local signing public key\" xref\n",__FUNCTION__);
        return -1;
    }
    // (The closing quote is missing from this log line's text; cosmetic.)
    printf("%s: Found \"AMFI: %%s: unable to obtain local signing public key ref at %p\n",__FUNCTION__,(void*)xref_stuff);

    printf("%s: Patching \"Local Signing Public Key\" at %p\n\n", __FUNCTION__,(void*)(xref_stuff + 0x4));
    // Unlike the other patches this one does not walk to a function start
    // before writing; no bounds check against kernel_len either.
    *(uint32_t *) (kernel_buf + xref_stuff + 0x4) = 0xD503201F;

    return 0;
}

// Version-gated AMFI patch.
// Reads the xnu build number from the "root:xnu-" tag to choose the search
// string and the number of calls to skip, then rewrites the first two
// instruction words of the function called at the selected site.
//   kernel_buf  decompressed, unpacked kernelcache image
//   kernel_len  number of bytes in kernel_buf
//   returns     0 on success, -1 when any search step finds nothing
int get_amfi_out_of_my_way_patch(void* kernel_buf,size_t kernel_len) {

    printf("%s: Entering ...\n",__FUNCTION__);

    // NOTE(review): the memmem result is used without a NULL check. An image
    // without a "root:xnu-" tag makes xnu NULL, and atoi(xnu+9) then
    // dereferences an invalid pointer (undefined behaviour, typically a
    // crash). atoi also gives no error indication — strtol with an end
    // pointer would report a missing number — and the digits are read from
    // the image buffer with no guarantee that a terminator follows them.
    void* xnu = memmem(kernel_buf,kernel_len,"root:xnu-",9);
    int kernel_vers = atoi(xnu+9);
    printf("%s: Kernel-%d 
inputted\n",__FUNCTION__, kernel_vers);
    // Search pattern selected by kernel version. "entitlements too small" is
    // 22 characters; the iOS 15 string is 32, which with its NUL fills the
    // 33-byte buffer exactly (strncpy with count 33 does terminate it here).
    // stringLen is maintained by hand rather than derived with strlen.
    char amfiString[33] = "entitlements too small";
    int stringLen = 22;
    // 7938 and 3789 (below) are xnu build-number thresholds left as magic
    // numbers; a named constant would document which releases they mark.
    if (kernel_vers >= 7938) { // Using "entitlements too small" fails on iOS 15 Kernels
        strncpy(amfiString, "Internal Error: No cdhash found.", 33);
        stringLen = 32;
    }
    void* ent_loc = memmem(kernel_buf,kernel_len,amfiString,stringLen);
    if(!ent_loc) {
        printf("%s: Could not find %s string\n",__FUNCTION__, amfiString);
        return -1;
    }
    printf("%s: Found %s str loc at %p\n",__FUNCTION__,amfiString,GET_OFFSET(kernel_len,ent_loc));
    addr_t ent_ref = xref64(kernel_buf,0,kernel_len,(addr_t)GET_OFFSET(kernel_len, ent_loc));
    if(!ent_ref) {
        printf("%s: Could not find %s xref\n",__FUNCTION__,amfiString);
        return -1;
    }
    printf("%s: Found %s str ref at %p\n",__FUNCTION__,amfiString,(void*)ent_ref);
    // Step from the string reference to the first call, then one more (two
    // more for kernels newer than build 3789). Note the different search
    // windows (100, then 200); the call counts are build-specific heuristics.
    addr_t next_bl = step64(kernel_buf, ent_ref, 100, INSN_CALL);
    if(!next_bl) {
        printf("%s: Could not find next bl\n",__FUNCTION__);
        return -1;
    }
    next_bl = step64(kernel_buf, next_bl+0x4, 200, INSN_CALL);
    if(!next_bl) {
        printf("%s: Could not find next bl\n",__FUNCTION__);
        return -1;
    }
    if(kernel_vers>3789) {
        next_bl = step64(kernel_buf, next_bl+0x4, 200, INSN_CALL);
        if(!next_bl) {
            printf("%s: Could not find next bl\n",__FUNCTION__);
            return -1;
        }
    }
    // Presumably resolves the target of the selected call; the result is
    // used below as a byte offset into kernel_buf.
    addr_t function = follow_call64(kernel_buf, next_bl);
    if(!function) {
        printf("%s: Could not find function bl\n",__FUNCTION__);
        return -1;
    }
    printf("%s: Patching AMFI at %p\n",__FUNCTION__,(void*)function);
    // Overwrites the first two instruction words of the target function.
    // There is no check that function + 8 <= kernel_len.
    *(uint32_t *)(kernel_buf + function) = 0x320003E0;
    *(uint32_t *)(kernel_buf + function + 0x4) = 0xD65F03C0;
    return 0;
}

// Entry point: reads the kernelcache named by argv[1] into memory and applies
// the patches selected by the remaining flags. The remainder of main is not
// visible on this page. Returns 0 on success or after printing usage, -1 on
// I/O or allocation failure.
int main(int argc, char **argv) {

    printf("%s: Starting...\n", __FUNCTION__);

    FILE* fp = NULL;

    // Fewer than three arguments (presumably input, output and at least one
    // flag, per the README) prints usage and exits with status 0.
    if(argc < 4){
printf("Usage: %s \n",argv[0]);
        // NOTE(review): the positional-argument placeholders are missing from
        // this usage line in the page rendering (likely angle-bracketed text
        // stripped as markup); the README shows `kcache.raw kcache.patched -a`.
        printf("\t-a\t\tPatch AMFI\n");
        printf("\t-s\t\tPatch SPUFirmwareValidation (iOS 15 Only)\n");
        printf("\t-r\t\tPatch RootVPNotAuthenticatedAfterMounting (iOS 15 Only)\n");
        printf("\t-p\t\tPatch AMFIInitializeLocalSigningPublicKey (iOS 15 Only)\n");
        return 0;
    }

    // GET_OFFSET resolves the name `kernel_buf` at each expansion site; inside
    // the patch functions that is their parameter, not this local.
    void* kernel_buf;
    size_t kernel_len;

    fp = fopen(argv[1], "rb");
    if(!fp) {
        printf("%s: Error opening %s!\n", __FUNCTION__, argv[1]);
        return -1;
    }

    // Size the file by seeking to its end. Neither fseek nor ftell is
    // checked: ftell returns -1L on failure (e.g. a directory or a pipe),
    // which converts to SIZE_MAX here and turns the malloc below into a
    // huge request instead of a clear error.
    fseek(fp, 0, SEEK_END);
    kernel_len = ftell(fp);
    fseek(fp, 0, SEEK_SET);

    // The cast is unnecessary in C (malloc already returns void*).
    kernel_buf = (void*)malloc(kernel_len);
    if(!kernel_buf) {
        printf("%s: Out of memory!\n", __FUNCTION__);
        fclose(fp);
        return -1;
    }

    // The fread return value is not checked; a short read leaves the tail of
    // kernel_buf uninitialised and every later memmem/xref search then runs
    // over indeterminate bytes. Comparing the result with kernel_len would
    // catch this.
    fread(kernel_buf, 1, kernel_len, fp);
    fclose(fp);

    // Reject still-wrapped images. Returns without freeing kernel_buf;
    // harmless at process exit, but inconsistent with the fclose above.
    if(memmem(kernel_buf,kernel_len,"KernelCacheBuilder",18)) {
        printf("%s: Detected IMG4/IM4P, you have to unpack and decompress it!\n",__FUNCTION__);
        return -1;
    }

    // 0xbebafeca is the byte sequence CA FE BA BE read little-endian, i.e.
    // the big-endian FAT Mach-O magic. Reading 4 bytes here is out of bounds
    // for an input shorter than 4 bytes (e.g. an empty file), since
    // kernel_len was never validated.
    if (*(uint32_t*)kernel_buf == 0xbebafeca) {
        printf("%s: Detected fat macho kernel\n",__FUNCTION__);
        // NOTE(review): this copies kernel_len bytes starting 28 bytes in, so
        // the source range extends 28 bytes past the end of the allocation
        // (heap over-read), and kernel_len is not reduced, leaving 28 stale
        // bytes at the end that later searches still scan. The intended form
        // is presumably a copy of kernel_len - 28 bytes (after checking
        // kernel_len >= 28) followed by kernel_len -= 28. The fixed 28-byte
        // skip also assumes a single-slice fat header and does not read the
        // slice offset from it.
        memmove(kernel_buf,kernel_buf+28,kernel_len);
    }

    // NOTE(review): the rest of main — the argument loop that starts here,
    // the patch dispatch and the output write — is missing from this page
    // rendering. The text from `i<` up to the next `>` character appears to
    // have been stripped as markup, which also swallowed the LICENSE file
    // header and its first four lines; the license text resumes below.
    for(int i=0;i

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 
49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. 
The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /patchfinder64.c: -------------------------------------------------------------------------------- 1 | // 2 | // patchfinder64.c 3 | // extra_recipe 4 | // 5 | // Created by xerub on 06/06/2017. 6 | // Copyright © 2017 xerub. All rights reserved. 
//

// NOTE(review): the header names on the #include lines in this file were
// stripped by the page extraction; only the bare directives survived.
#include
#include
#include

/* Offsets/addresses inside the kernel image. Every helper below works in
 * terms of byte offsets into `buf`, not virtual addresses, unless noted. */
typedef unsigned long long addr_t;

/* Low bit of the first magic byte: 0xfeedfacf (64-bit) vs 0xfeedface (32-bit).
 * Assumes a little-endian host, where that byte is the first one in memory. */
#define IS64(image) (*(uint8_t *)(image) & 1)

/* Accepts both 32-bit and 64-bit Mach-O magic in host byte order: clearing
 * the low bit maps 0xfeedfacf onto 0xfeedface. Reads 4 bytes from `p`. */
#define MACHO(p) ((*(unsigned int *)(p) & ~1) == 0xfeedface)

/* generic stuff *************************************************************/

/* Same value as the <limits.h> macro; an identical redefinition is harmless
 * if that header is pulled in elsewhere. */
#define UCHAR_MAX 255

/*
 * Boyer-Moore-Horspool substring search over raw bytes.
 *
 * haystack/hlen: buffer to search.  needle/nlen: pattern to find.
 * Returns a pointer to the first occurrence of needle in haystack, or NULL
 * if nlen is 0, either pointer is NULL, or there is no match (including the
 * case nlen > hlen, which fails the loop condition immediately).
 *
 * The returned pointer aliases `haystack`; the const is dropped by the cast
 * on return.  Each skip is at most nlen <= hlen, so `hlen` cannot underflow
 * and `haystack[scan]` stays inside the buffer.
 */
static unsigned char *
boyermoore_horspool_memmem(const unsigned char* haystack, size_t hlen,
                           const unsigned char* needle, size_t nlen)
{
    size_t last, scan = 0;
    size_t bad_char_skip[UCHAR_MAX + 1]; /* Officially called:
                                          * bad character shift */

    /* Sanity checks on the parameters */
    if (nlen <= 0 || !haystack || !needle)
        return NULL;

    /* ---- Preprocess ---- */
    /* Initialize the table to default value */
    /* When a character is encountered that does not occur
     * in the needle, we can safely skip ahead for the whole
     * length of the needle.
     */
    for (scan = 0; scan <= UCHAR_MAX; scan = scan + 1)
        bad_char_skip[scan] = nlen;

    /* C arrays have the first byte at [0], therefore:
     * [nlen - 1] is the last byte of the array. */
    last = nlen - 1;

    /* Then populate it with the analysis of the needle.
     * needle is unsigned char, so the index is always 0..255. */
    for (scan = 0; scan < last; scan = scan + 1)
        bad_char_skip[needle[scan]] = last - scan;

    /* ---- Do the matching ---- */

    /* Search the haystack, while the needle can still be within it. */
    while (hlen >= nlen)
    {
        /* scan from the end of the needle */
        for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1)
            if (scan == 0) /* If the first byte matches, we've found it. */
                return (void *)haystack;

        /* otherwise, we need to skip some bytes and start again.
           Note that here we are getting the skip value based on the last byte
           of needle, no matter where we didn't match. So if needle is: "abcd"
           then we are skipping based on 'd' and that value will be 4, and
           for "abcdd" we again skip on 'd' but the value will be only 1.
           The alternative of pretending that the mismatched character was
           the last character is slower in the normal case (E.g. finding
           "abcd" in "...azcd..." gives 4 by using 'd' but only
           4-2==2 using 'z'. */
        hlen -= bad_char_skip[haystack[last]];
        haystack += bad_char_skip[haystack[last]];
    }

    return NULL;
}

/* disassembler **************************************************************/

/*
 * Index of the highest set bit among the low N bits of imm, or -1 if none.
 * `1 << i` is an int shift, so N must stay <= 31; the only caller here
 * passes N = 7.
 */
static int HighestSetBit(int N, uint32_t imm)
{
    int i;
    for (i = N - 1; i >= 0; i--) {
        if (imm & (1 << i)) {
            return i;
        }
    }
    return -1;
}

/*
 * Mask with the low M bits set.  N (the field width) is accepted for
 * symmetry with the ARM pseudocode but unused.  M must be < 64 or the
 * shift is undefined; DecodeBitMasks keeps M <= 63 (see the levels check).
 */
static uint64_t ZeroExtendOnes(unsigned M, unsigned N) // zero extend M ones to N width
{
    (void)N;
    return ((uint64_t)1 << M) - 1;
}

/*
 * Rotate the M-ones pattern right by R inside an N-bit element.
 * Requires 0 <= R < N; the caller derives R from `immr & levels`, which is
 * at most N - 1, so neither shift amount reaches N.
 */
static uint64_t RORZeroExtendOnes(unsigned M, unsigned N, unsigned R)
{
    uint64_t val = ZeroExtendOnes(M, N);
    if (R == 0) {
        return val;
    }
    return ((val >> R) & (((uint64_t)1 << (N - R)) - 1)) | ((val & (((uint64_t)1 << R) - 1)) << (N - R));
}

/*
 * Tile a `bits`-wide element across all 64 bits.
 * bits == 0 would never terminate; DecodeBitMasks always passes a power of
 * two >= 2 (esize = 1 << len with len >= 1).
 */
static uint64_t Replicate(uint64_t val, unsigned bits)
{
    uint64_t ret = val;
    unsigned shift;
    for (shift = bits; shift < 64; shift += bits) { // XXX actually, it is either 32 or 64
        ret |= (val << shift);
    }
    return ret;
}

/*
 * Decode an AArch64 logical-immediate (N:immr:imms) into the 64-bit bitmask
 * it encodes, mirroring the architectural DecodeBitMasks() pseudocode.
 *
 * immediate != 0 rejects the all-ones pattern, which is reserved for
 * immediates.  Returns 0 and stores the mask in *newval, or -1 for a
 * reserved/invalid encoding (*newval untouched).
 */
static int DecodeBitMasks(unsigned immN, unsigned imms, unsigned immr, int immediate, uint64_t *newval)
{
    unsigned levels, S, R, esize;
    int len = HighestSetBit(7, (immN << 6) | (~imms & 0x3F));
    if (len < 1) {
        return -1;
    }
    levels = ZeroExtendOnes(len, 6);
    if (immediate && (imms & levels) == levels) {
        return -1;
    }
    S = imms & levels;
    R = immr & levels;
    esize = 1 << len;
    *newval = Replicate(RORZeroExtendOnes(S + 1, esize, R), esize);
    return 0;
}

/*
 * Decode one instruction of a "materialize a constant in a register"
 * sequence: ORR/MOV (bitmask immediate) with Rn == XZR, MOVN/MOVZ/MOVK,
 * and ADD/SUB (immediate) with Rd == Rn.
 *
 * opcode: the 32-bit instruction word.
 * total:  the register's value accumulated from earlier instructions.
 * first:  non-zero when no earlier value exists; MOVK and ADD/SUB are then
 *         rejected because they only modify an existing value.
 * Stores the new register value in *newval and returns 0; returns -1 for
 * anything not handled (*newval untouched).
 *
 * Note: which register is written is not checked here; the caller indexes
 * its register file with `opcode & 0x1F` (Rd) itself.
 */
static int DecodeMov(uint32_t opcode, uint64_t total, int first, uint64_t *newval)
{
    unsigned o = (opcode >> 29) & 3;
    unsigned k = (opcode >> 23) & 0x3F;
    unsigned rn, rd;
    uint64_t i;

    if (k == 0x24 && o == 1) { // MOV (bitmask imm) <=> ORR (immediate)
        unsigned s = (opcode >> 31) & 1;
        unsigned N = (opcode >> 22) & 1;
        if (s == 0 && N != 0) { // N must be 0 for the 32-bit form
            return -1;
        }
        rn = (opcode >> 5) & 0x1F;
        if (rn == 31) { // only ORR Xd, XZR, #imm is a plain MOV
            unsigned imms = (opcode >> 10) & 0x3F;
            unsigned immr = (opcode >> 16) & 0x3F;
            return DecodeBitMasks(N, imms, immr, 1, newval);
        }
    } else if (k == 0x25) { // MOVN/MOVZ/MOVK
        unsigned s = (opcode >> 31) & 1;
        unsigned h = (opcode >> 21) & 3; // hw: 16-bit lane selector
        if (s == 0 && h > 1) { // 32-bit form only has two lanes
            return -1;
        }
        i = (opcode >> 5) & 0xFFFF;
        h *= 16;
        i <<= h;
        if (o == 0) { // MOVN
            *newval = ~i;
            return 0;
        } else if (o == 2) { // MOVZ
            *newval = i;
            return 0;
        } else if (o == 3 && !first) { // MOVK: replace one 16-bit lane of the running value
            *newval = (total & ~((uint64_t)0xFFFF << h)) | i;
            return 0;
        }
    } else if ((k | 1) == 0x23 && !first) { // ADD (immediate)
        unsigned h = (opcode >> 22) & 3; // shift: 0 or 1 (imm12 << 12)
        if (h > 1) {
            return -1;
        }
        rd = opcode & 0x1F;
        rn = (opcode >> 5) & 0x1F;
        if (rd != rn) { // only in-place adjustments of the same register are followed
            return -1;
        }
        i = (opcode >> 10) & 0xFFF;
        h *= 12;
        i <<= h;
        if (o & 2) { // SUB
            *newval = total - i;
            return 0;
        } else { // ADD
            *newval = total + i;
            return 0;
        }
    }

    return -1;
}

/* patchfinder ***************************************************************/

/*
 * Every scanner below reads instruction words with `*(uint32_t *)(buf + off)`
 * and enforces no bound against the size of the mapped image.  The image is
 * untrusted input, so callers are responsible for keeping start/length/where
 * inside the buffer; the helpers also assume `buf + off` is 4-byte aligned
 * and drop the const of `buf` through the cast.
 */

/*
 * Scan forward from `start` over `length` bytes for the first word where
 * (word & mask) == what.  Returns its offset, or 0 if none (0 is therefore
 * ambiguous with a match at offset 0).
 */
static addr_t
step64(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
{
    addr_t end = start + length;
    while (start < end) {
        uint32_t x = *(uint32_t *)(buf + start);
        if ((x & mask) == what) {
            return start;
        }
        start += 4;
    }
    return 0;
}

/*
 * Scan backward from `start` over `length` bytes for (word & mask) == what.
 * Returns the offset, or 0 if none.
 *
 * addr_t is unsigned: if length > start, `end` wraps and the loop never
 * runs (returns 0); if length == start, `end` is 0 and `start >= 0` can
 * never become false, so `start -= 4` wraps below 0 and the next read is out
 * of bounds.  Callers must keep length strictly below start.
 */
static addr_t
step64_back(const uint8_t *buf, addr_t start, size_t length, uint32_t what, uint32_t mask)
{
    addr_t end = start - length;
    while (start >= end) {
        uint32_t x = *(uint32_t *)(buf + start);
        if ((x & mask) == what) {
            return start;
        }
        start -= 4;
    }
    return 0;
}

/*
 * "Beginning of function": walk backward from `where` (not below `start`)
 * looking for the prologue pattern ADD X29, SP, #delta and then the matching
 * STP ..., [SP, #-imm]! (or, failing that, SUB SP, SP, #imm preceded by a run
 * of STP ..., [SP, #imm]).  Returns the offset of the prologue's first
 * instruction, or 0 if none is found.
 *
 * With start == 0 (as the caller in Kernel64Patcher.c passes) the loop
 * condition `where >= start` is always true for an unsigned `where`, so if
 * no prologue is found before offset 0 the decrement wraps and the read
 * goes out of bounds.  `prev` can likewise underflow for a large delta
 * close to the start of the buffer.
 */
static addr_t
bof64(const uint8_t *buf, addr_t start, addr_t where)
{
    for (; where >= start; where -= 4) {
        uint32_t op = *(uint32_t *)(buf + where);
        if ((op & 0xFFC003FF) == 0x910003FD) {
            unsigned delta = (op >> 10) & 0xFFF;
            //printf("%x: ADD X29, SP, #0x%x\n", where, delta);
            if ((delta & 0xF) == 0) {
                // delta/16 register pairs were pushed before the frame pointer was set
                addr_t prev = where - ((delta >> 4) + 1) * 4;
                uint32_t au = *(uint32_t *)(buf + prev);
                if ((au & 0xFFC003E0) == 0xA98003E0) {
                    //printf("%x: STP x, y, [SP,#-imm]!\n", prev);
                    return prev;
                }
                // try something else
                while (where > start) {
                    where -= 4;
                    au = *(uint32_t *)(buf + where);
                    // SUB SP, SP, #imm
                    if ((au & 0xFFC003FF) == 0xD10003FF && ((au >> 10) & 0xFFF) == delta + 0x10) {
                        return where;
                    }
                    // STP x, y, [SP,#imm]
                    if ((au & 0xFFC003E0) != 0xA90003E0) {
                        where += 4;
                        break;
                    }
                }
            }
        }
    }
    return 0;
}

/*
 * Find the first instruction in [start, end) that makes a register refer to
 * the buffer offset `what`, by tracking ADRP / ADD / LDR / ADR / LDR-literal
 * per destination register (bits 0..4).  Returns that instruction's offset,
 * or 0 if none.
 *
 * Addresses are formed relative to `i` (the buffer offset), not the image's
 * load address, so `what` must also be a buffer offset (Kernel64Patcher.c
 * passes GET_OFFSET(...)).  A lone ADRP is deliberately not reported (the
 * `continue`).  The `value[reg] == what` comparison runs for every
 * instruction, including ones this decoder does not model, using their low
 * five bits as the register index.
 */
static addr_t
xref64(const uint8_t *buf, addr_t start, addr_t end, addr_t what)
{
    addr_t i;
    uint64_t value[32]; // simulated X0..X31, all start at 0

    memset(value, 0, sizeof(value));

    end &= ~3;
    for (i = start & ~3; i < end; i += 4) {
        uint32_t op = *(uint32_t *)(buf + i);
        unsigned reg = op & 0x1F;
        if ((op & 0x9F000000) == 0x90000000) {
            // ADRP: immhi:immlo is assembled with a 1-bit slack so the sign
            // survives the `signed` cast, then scaled to a 4 KiB page
            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
            //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF));
            value[reg] = ((long long)adr << 1) + (i & ~0xFFF);
            continue; // XXX should not XREF on its own?
        /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {
            unsigned rd = op & 0x1F;
            unsigned rm = (op >> 16) & 0x1F;
            //printf("%llx: MOV X%d, X%d\n", i, rd, rm);
            value[rd] = value[rm];*/
        } else if ((op & 0xFF000000) == 0x91000000) {
            // ADD Xd, Xn, #imm12{, LSL #12}
            unsigned rn = (op >> 5) & 0x1F;
            unsigned shift = (op >> 22) & 3;
            unsigned imm = (op >> 10) & 0xFFF;
            if (shift == 1) {
                imm <<= 12;
            } else {
                //assert(shift == 0);
                if (shift > 1) continue;
            }
            //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm);
            value[reg] = value[rn] + imm;
        } else if ((op & 0xF9C00000) == 0xF9400000) {
            // LDR Xt, [Xn, #imm12*8]: tracks the effective address, not the loaded value
            unsigned rn = (op >> 5) & 0x1F;
            unsigned imm = ((op >> 10) & 0xFFF) << 3;
            //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
            if (!imm) continue; // XXX not counted as true xref
            value[reg] = value[rn] + imm; // XXX address, not actual value
        /*} else if ((op & 0xF9C00000) == 0xF9000000) {
            unsigned rn = (op >> 5) & 0x1F;
            unsigned imm = ((op >> 10) & 0xFFF) << 3;
            //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
            if (!imm) continue; // XXX not counted as true xref
            value[rn] = value[rn] + imm; // XXX address, not actual value*/
        } else if ((op & 0x9F000000) == 0x10000000) {
            // ADR: same field layout as ADRP, byte granularity
            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
            //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i);
            value[reg] = ((long long)adr >> 11) + i;
        } else if ((op & 0xFF000000) == 0x58000000) {
            // LDR Xt, =literal: imm19*4 is treated as unsigned here, so
            // backward literal references are not followed correctly
            unsigned adr = (op & 0xFFFFE0) >> 3;
            //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i);
            value[reg] = adr + i; // XXX address, not actual value
        }
        if (value[reg] == what) {
            return i;
        }
    }

    return 0;
}

/*
 * Same register simulation as xref64 (plus STR, which bumps the base
 * register's tracked address), but instead of searching it runs over the
 * whole range and returns the final tracked value of register `which`
 * (0..31; the caller is responsible for the range).  Returns 0 if the
 * register was never written.
 */
static addr_t
calc64(const uint8_t *buf, addr_t start, addr_t end, int which)
{
    addr_t i;
    uint64_t value[32];

    memset(value, 0, sizeof(value));

    end &= ~3;
    for (i = start & ~3; i < end; i += 4) {
        uint32_t op = *(uint32_t *)(buf + i);
        unsigned reg = op & 0x1F;
        if ((op & 0x9F000000) == 0x90000000) {
            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
            //printf("%llx: ADRP X%d, 0x%llx\n", i, reg, ((long long)adr << 1) + (i & ~0xFFF));
            value[reg] = ((long long)adr << 1) + (i & ~0xFFF);
        /*} else if ((op & 0xFFE0FFE0) == 0xAA0003E0) {
            unsigned rd = op & 0x1F;
            unsigned rm = (op >> 16) & 0x1F;
            //printf("%llx: MOV X%d, X%d\n", i, rd, rm);
            value[rd] = value[rm];*/
        } else if ((op & 0xFF000000) == 0x91000000) {
            unsigned rn = (op >> 5) & 0x1F;
            unsigned shift = (op >> 22) & 3;
            unsigned imm = (op >> 10) & 0xFFF;
            if (shift == 1) {
                imm <<= 12;
            } else {
                //assert(shift == 0);
                if (shift > 1) continue;
            }
            //printf("%llx: ADD X%d, X%d, 0x%x\n", i, reg, rn, imm);
            value[reg] = value[rn] + imm;
        } else if ((op & 0xF9C00000) == 0xF9400000) {
            unsigned rn = (op >> 5) & 0x1F;
            unsigned imm = ((op >> 10) & 0xFFF) << 3;
            //printf("%llx: LDR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
            if (!imm) continue; // XXX not counted as true xref
            value[reg] = value[rn] + imm; // XXX address, not actual value
        } else if ((op & 0xF9C00000) == 0xF9000000) {
            // STR Xt, [Xn, #imm]: note the *base* register's value is advanced
            unsigned rn = (op >> 5) & 0x1F;
            unsigned imm = ((op >> 10) & 0xFFF) << 3;
            //printf("%llx: STR X%d, [X%d, 0x%x]\n", i, reg, rn, imm);
            if (!imm) continue; // XXX not counted as true xref
            value[rn] = value[rn] + imm; // XXX address, not actual value
        } else if ((op & 0x9F000000) == 0x10000000) {
            signed adr = ((op & 0x60000000) >> 18) | ((op & 0xFFFFE0) << 8);
            //printf("%llx: ADR X%d, 0x%llx\n", i, reg, ((long long)adr >> 11) + i);
            value[reg] = ((long long)adr >> 11) + i;
        } else if ((op & 0xFF000000) == 0x58000000) {
            unsigned adr = (op & 0xFFFFE0) >> 3;
            //printf("%llx: LDR X%d, =0x%llx\n", i, reg, adr + i);
            value[reg] = adr + i; // XXX address, not actual value
        }
    }
    return value[which];
}

/*
 * Track constants built with MOV/MOVN/MOVZ/MOVK/ORR-imm/ADD/SUB-imm sequences
 * (see DecodeMov) over [start, end) and return the final value of register
 * `which`.  Writes to a 32-bit (sf == 0) form are truncated to 32 bits.
 * `first` is always 0 here, so a MOVK or ADD with no preceding MOVZ simply
 * modifies the initial value 0.
 */
static addr_t
calc64mov(const uint8_t *buf, addr_t start, addr_t end, int which)
{
    addr_t i;
    uint64_t value[32];

    memset(value, 0, sizeof(value));

    end &= ~3;
    for (i = start & ~3; i < end; i += 4) {
        uint32_t op = *(uint32_t *)(buf + i);
        unsigned reg = op & 0x1F;
        uint64_t newval;
        int rv = DecodeMov(op, value[reg], 0, &newval);
        if (rv == 0) {
            if (((op >> 31) & 1) == 0) {
                newval &= 0xFFFFFFFF;
            }
            value[reg] = newval;
        }
    }
    return value[which];
}

/* Offset of the first BL (0x94000000 under mask 0xFC000000) in
 * [start, start + length), or 0 if none. */
static addr_t
find_call64(const uint8_t *buf, addr_t start, size_t length)
{
    return step64(buf, start, length, 0x94000000, 0xFC000000);
}

/*
 * Target offset of the B/BL at `call`: imm26 is sign-extended by shifting it
 * up to bit 63 and back down with two fewer places (the *4 scaling).  The
 * left shift of a signed `long long` into the sign bit relies on the
 * two's-complement behaviour of GCC/Clang rather than the C standard.
 */
static addr_t
follow_call64(const uint8_t *buf, addr_t call)
{
    long long w;
    w = *(uint32_t *)(buf + call) & 0x3FFFFFF;
    w <<= 64 - 26;
    w >>= 64 - 26 - 2;
    return call + w;
}

/*
 * Target offset of the CBZ/CBNZ at `cbz`.  The mask covers bits 5..25 and
 * the shifts are done in 32-bit `int`: `<< 10` pushes bits 22..25 out of the
 * word, so only imm19 bits 0..16 survive and the sign is taken from imm19
 * bit 16.  Displacements beyond +/-64K instructions therefore decode
 * incorrectly; the in-range case (the common one in a kernel) is fine.
 */
static addr_t
follow_cbz(const uint8_t *buf, addr_t cbz)
{
    return cbz + ((*(int *)(buf + cbz) & 0x3FFFFE0) << 10 >> 13);
}

/*
 * Find the first B or BL in [start, end) whose target is the offset `what`
 * (the mask 0x7C000000 ignores bit 31, so both branch forms match).
 * Returns the branch's offset, or 0 if none.
 */
static addr_t
xref64code(const uint8_t *buf, addr_t start, addr_t end, addr_t what)
{
    addr_t i;

    end &= ~3;
    for (i = start & ~3; i < end; i += 4) {
        uint32_t op = *(uint32_t *)(buf + i);
        if ((op & 0x7C000000) == 0x14000000) {
            addr_t where = follow_call64(buf, i);
            //printf("%llx: B[L] 0x%llx\n", i + kerndumpbase, kerndumpbase + where);
            if (where == what) {
                return i;
            }
        }
    }
    return 0;
}

/* kernel iOS10 **************************************************************/

// NOTE(review): header names on these #include lines were also lost in extraction.
#include
#include
#include
#include
#include
//#include "vfs.h" // img4lib

#ifdef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__
#include
// On-device build: read `size` bytes of kernel memory at `where` into p.
// Defined elsewhere; only the prototype is visible here.
size_t kread(uint64_t where, void *p, size_t size);
#endif

#ifdef VFS_H_included
/*
 * img4lib-backed file access.  OPEN transparently unwraps an IMG4 container
 * and, if the payload is a fat binary, narrows the handle to the first
 * architecture slice.  Returns NULL on any failure.
 */
#define INVALID_HANDLE NULL
static FHANDLE
OPEN(const char *filename, int oflag)
{
    ssize_t rv;
    char buf[28];
    FHANDLE fd = file_open(filename, oflag);
    if (!fd) {
        return NULL;
    }
    rv = fd->read(fd, buf, 4);
    fd->lseek(fd, 0, SEEK_SET);
    if (rv == 4 && !MACHO(buf)) {
        // not a bare Mach-O: assume IMG4 wrapping (whether img4_reopen
        // releases the original handle on failure is not visible here)
        fd = img4_reopen(fd, NULL, 0);
        if (!fd) {
            return NULL;
        }
        rv = fd->read(fd, buf, sizeof(buf));
        // 0xBEBAFECA is the little-endian read of the big-endian fat magic
        // 0xCAFEBABE; buf+4 is nfat_arch, buf+16/+20 appear to be the
        // offset/size of the first fat_arch entry.  Neither is validated
        // against the file size here; that is left to sub_reopen.
        if (rv == sizeof(buf) && *(uint32_t *)buf == 0xBEBAFECA && __builtin_bswap32(*(uint32_t *)(buf + 4)) > 0) {
            return sub_reopen(fd, __builtin_bswap32(*(uint32_t *)(buf + 16)), __builtin_bswap32(*(uint32_t *)(buf + 20)));
        }
        fd->lseek(fd, 0, SEEK_SET);
    }
    return fd;
}
#define CLOSE(fd) (fd)->close(fd)
#define READ(fd, buf, sz) (fd)->read(fd, buf, sz)
/* pread() equivalent: seeks to `offset`, reads, and does NOT restore the
 * previous file position (the restore is commented out). */
static ssize_t
PREAD(FHANDLE fd, void *buf, size_t count, off_t offset)
{
    ssize_t rv;
    //off_t pos = fd->lseek(FHANDLE fd, 0, SEEK_CUR);
    fd->lseek(fd, offset, SEEK_SET);
    rv = fd->read(fd, buf, count);
    //fd->lseek(FHANDLE fd, pos, SEEK_SET);
    return rv;
}
#else
/* Plain POSIX file access. */
#define FHANDLE int
#define INVALID_HANDLE -1
#define OPEN open
#define CLOSE close
#define READ read
#define PREAD pread
#endif

/* Module-level state describing the loaded kernel image; populated by
 * init_kernel() below.  Bases are stored relative to kerndumpbase. */
static uint8_t *kernel = NULL;
static int kernel_version = 0;
static size_t kernel_size = 0;

static addr_t xnucore_base = 0;
static addr_t xnucore_size = 0;
514 | static addr_t prelink_base = 0; 515 | static addr_t prelink_size = 0; 516 | static addr_t pplcode_base = 0; 517 | static addr_t pplcode_size = 0; 518 | static addr_t cstring_base = 0; 519 | static addr_t cstring_size = 0; 520 | static addr_t pstring_base = 0; 521 | static addr_t pstring_size = 0; 522 | static addr_t kerndumpbase = -1; 523 | static addr_t kernel_entry = 0; 524 | static void *kernel_mh = 0; 525 | static addr_t kernel_delta = 0; 526 | 527 | int 528 | init_kernel(addr_t base, const char *filename) 529 | { 530 | size_t rv; 531 | uint8_t buf[0x4000]; 532 | uint8_t *vstr; 533 | unsigned i, j; 534 | const struct mach_header *hdr = (struct mach_header *)buf; 535 | FHANDLE fd = INVALID_HANDLE; 536 | const uint8_t *q; 537 | addr_t min = -1; 538 | addr_t max = 0; 539 | int is64 = 0; 540 | 541 | if (filename == NULL) { 542 | #ifdef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ 543 | rv = kread(base, buf, sizeof(buf)); 544 | if (rv != sizeof(buf) || !MACHO(buf)) { 545 | return -1; 546 | } 547 | #else 548 | (void)base; 549 | return -1; 550 | #endif 551 | } else { 552 | fd = OPEN(filename, O_RDONLY); 553 | if (fd == INVALID_HANDLE) { 554 | return -1; 555 | } 556 | rv = READ(fd, buf, sizeof(buf)); 557 | if (rv != sizeof(buf) || !MACHO(buf)) { 558 | CLOSE(fd); 559 | return -1; 560 | } 561 | } 562 | 563 | if (IS64(buf)) { 564 | is64 = 4; 565 | } 566 | 567 | q = buf + sizeof(struct mach_header) + is64; 568 | for (i = 0; i < hdr->ncmds; i++) { 569 | const struct load_command *cmd = (struct load_command *)q; 570 | if (cmd->cmd == LC_SEGMENT_64 && ((struct segment_command_64 *)q)->vmsize) { 571 | const struct segment_command_64 *seg = (struct segment_command_64 *)q; 572 | if (min > seg->vmaddr) { 573 | min = seg->vmaddr; 574 | } 575 | if (max < seg->vmaddr + seg->vmsize) { 576 | max = seg->vmaddr + seg->vmsize; 577 | } 578 | if (!strcmp(seg->segname, "__TEXT_EXEC")) { 579 | xnucore_base = seg->vmaddr; 580 | xnucore_size = seg->filesize; 581 | } 582 | if 
(!strcmp(seg->segname, "__PLK_TEXT_EXEC")) { 583 | prelink_base = seg->vmaddr; 584 | prelink_size = seg->filesize; 585 | } 586 | if (!strcmp(seg->segname, "__PPLTEXT")) { 587 | pplcode_base = seg->vmaddr; 588 | pplcode_size = seg->filesize; 589 | } 590 | if (!strcmp(seg->segname, "__TEXT")) { 591 | const struct section_64 *sec = (struct section_64 *)(seg + 1); 592 | for (j = 0; j < seg->nsects; j++) { 593 | if (!strcmp(sec[j].sectname, "__cstring")) { 594 | cstring_base = sec[j].addr; 595 | cstring_size = sec[j].size; 596 | } 597 | } 598 | } 599 | if (!strcmp(seg->segname, "__PRELINK_TEXT")) { 600 | const struct section_64 *sec = (struct section_64 *)(seg + 1); 601 | for (j = 0; j < seg->nsects; j++) { 602 | if (!strcmp(sec[j].sectname, "__text")) { 603 | pstring_base = sec[j].addr; 604 | pstring_size = sec[j].size; 605 | } 606 | } 607 | } 608 | } 609 | if (cmd->cmd == LC_UNIXTHREAD) { 610 | uint32_t *ptr = (uint32_t *)(cmd + 1); 611 | uint32_t flavor = ptr[0]; 612 | struct { 613 | uint64_t x[29]; /* General purpose registers x0-x28 */ 614 | uint64_t fp; /* Frame pointer x29 */ 615 | uint64_t lr; /* Link register x30 */ 616 | uint64_t sp; /* Stack pointer x31 */ 617 | uint64_t pc; /* Program counter */ 618 | uint32_t cpsr; /* Current program status register */ 619 | } *thread = (void *)(ptr + 2); 620 | if (flavor == 6) { 621 | kernel_entry = thread->pc; 622 | } 623 | } 624 | q = q + cmd->cmdsize; 625 | } 626 | 627 | if (pstring_base == 0 && pstring_size == 0) { 628 | pstring_base = cstring_base; 629 | pstring_size = cstring_size; 630 | } 631 | if (prelink_base == 0 && prelink_size == 0) { 632 | prelink_base = xnucore_base; 633 | prelink_size = xnucore_size; 634 | } 635 | 636 | kerndumpbase = min; 637 | xnucore_base -= kerndumpbase; 638 | prelink_base -= kerndumpbase; 639 | pplcode_base -= kerndumpbase; 640 | cstring_base -= kerndumpbase; 641 | pstring_base -= kerndumpbase; 642 | kernel_size = max - min; 643 | 644 | if (filename == NULL) { 645 | #ifdef 
__ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ 646 | kernel = malloc(kernel_size); 647 | if (!kernel) { 648 | return -1; 649 | } 650 | rv = kread(kerndumpbase, kernel, kernel_size); 651 | if (rv != kernel_size) { 652 | free(kernel); 653 | kernel = NULL; 654 | return -1; 655 | } 656 | 657 | kernel_mh = kernel + base - min; 658 | #endif 659 | } else { 660 | kernel = calloc(1, kernel_size); 661 | if (!kernel) { 662 | CLOSE(fd); 663 | return -1; 664 | } 665 | 666 | q = buf + sizeof(struct mach_header) + is64; 667 | for (i = 0; i < hdr->ncmds; i++) { 668 | const struct load_command *cmd = (struct load_command *)q; 669 | if (cmd->cmd == LC_SEGMENT_64) { 670 | const struct segment_command_64 *seg = (struct segment_command_64 *)q; 671 | size_t sz = PREAD(fd, kernel + seg->vmaddr - min, seg->filesize, seg->fileoff); 672 | if (sz != seg->filesize) { 673 | CLOSE(fd); 674 | free(kernel); 675 | kernel = NULL; 676 | return -1; 677 | } 678 | if (!kernel_mh) { 679 | kernel_mh = kernel + seg->vmaddr - min; 680 | } 681 | if (!strcmp(seg->segname, "__LINKEDIT")) { 682 | kernel_delta = seg->vmaddr - min - seg->fileoff; 683 | } 684 | } 685 | q = q + cmd->cmdsize; 686 | } 687 | 688 | CLOSE(fd); 689 | } 690 | 691 | vstr = boyermoore_horspool_memmem(kernel, kernel_size, (uint8_t *)"Darwin Kernel Version", sizeof("Darwin Kernel Version") - 1); 692 | if (vstr) { 693 | kernel_version = atoi((const char *)vstr + sizeof("Darwin Kernel Version")); 694 | } 695 | 696 | return 0; 697 | } 698 | 699 | void 700 | term_kernel(void) 701 | { 702 | free(kernel); 703 | } 704 | 705 | /* these operate on VA ******************************************************/ 706 | 707 | #define INSN_RETAB 0xD65F0FFF, 0xFFFFFFFF 708 | #define INSN_RET 0xD65F03C0, 0xFFFFFFFF 709 | #define INSN_CALL 0x94000000, 0xFC000000 710 | #define INSN_B 0x14000000, 0xFC000000 711 | #define INSN_CBZ 0x34000000, 0xFC000000 712 | #define INSN_BLR 0xD63F0000, 0xFFFFFC1F 713 | 714 | addr_t 715 | find_register_value(addr_t where, int reg) 
716 | { 717 | addr_t val; 718 | addr_t bof = 0; 719 | where -= kerndumpbase; 720 | if (where > xnucore_base) { 721 | bof = bof64(kernel, xnucore_base, where); 722 | if (!bof) { 723 | bof = xnucore_base; 724 | } 725 | } else if (where > prelink_base) { 726 | bof = bof64(kernel, prelink_base, where); 727 | if (!bof) { 728 | bof = prelink_base; 729 | } 730 | } 731 | val = calc64(kernel, bof, where, reg); 732 | if (!val) { 733 | return 0; 734 | } 735 | return val + kerndumpbase; 736 | } 737 | 738 | addr_t 739 | find_reference(addr_t to, int n, int where) 740 | { 741 | addr_t ref, end; 742 | addr_t base = xnucore_base; 743 | addr_t size = xnucore_size; 744 | switch (where) { 745 | case 1: 746 | base = prelink_base; 747 | size = prelink_size; 748 | break; 749 | case 2: 750 | base = pplcode_base; 751 | size = pplcode_size; 752 | break; 753 | } 754 | if (n <= 0) { 755 | n = 1; 756 | } 757 | end = base + size; 758 | to -= kerndumpbase; 759 | do { 760 | ref = xref64(kernel, base, end, to); 761 | if (!ref) { 762 | return 0; 763 | } 764 | base = ref + 4; 765 | } while (--n > 0); 766 | return ref + kerndumpbase; 767 | } 768 | 769 | addr_t 770 | find_strref(const char *string, int n, int where) 771 | { 772 | uint8_t *str; 773 | addr_t base = cstring_base; 774 | addr_t size = cstring_size; 775 | switch (where) { 776 | case 1: 777 | base = pstring_base; 778 | size = pstring_size; 779 | break; 780 | } 781 | str = boyermoore_horspool_memmem(kernel + base, size, (uint8_t *)string, strlen(string)); 782 | if (!str) { 783 | return 0; 784 | } 785 | return find_reference(str - kernel + kerndumpbase, n, where); 786 | } 787 | 788 | addr_t 789 | find_gPhysBase(void) 790 | { 791 | addr_t ret, val; 792 | addr_t ref = find_strref("pmap_alloc_page_for_kern", 1, 0); 793 | if (!ref) { 794 | return 0; 795 | } 796 | ref -= kerndumpbase; 797 | if (kernel_version >= 18) { 798 | // A12 799 | ret = step64(kernel, ref, 384, INSN_RETAB); 800 | if (!ret) { 801 | ret = step64(kernel, ref, 384, INSN_RET); 
802 | } 803 | } else { 804 | ret = step64(kernel, ref, 64, INSN_RET); 805 | } 806 | if (!ret) { 807 | // iOS 11 808 | ref = step64(kernel, ref, 1024, INSN_RET); 809 | if (!ref) { 810 | return 0; 811 | } 812 | ret = step64(kernel, ref + 4, 64, INSN_RET); 813 | if (!ret) { 814 | return 0; 815 | } 816 | } 817 | if (kernel_version >= 18) { 818 | val = calc64(kernel, ref, ret, 9); 819 | } else { 820 | val = calc64(kernel, ref, ret, 8); 821 | } 822 | if (!val) { 823 | return 0; 824 | } 825 | return val + kerndumpbase; 826 | } 827 | 828 | addr_t 829 | find_ptov_table(void) 830 | { 831 | addr_t bof, val; 832 | addr_t ref = find_strref("\"ml_static_vtop(): illegal VA:", 1, 0); 833 | if (!ref) { 834 | return 0; 835 | } 836 | ref -= kerndumpbase; 837 | bof = bof64(kernel, xnucore_base, ref); 838 | if (!bof) { 839 | return 0; 840 | } 841 | val = calc64(kernel, bof, bof + 48, 8); 842 | if (!val) { 843 | return 0; 844 | } 845 | return val + kerndumpbase; 846 | } 847 | 848 | addr_t 849 | find_kernel_pmap(void) 850 | { 851 | addr_t call, bof, val; 852 | addr_t ref = find_strref("\"pmap_map_bd\"", 1, 0); 853 | if (!ref) { 854 | return 0; 855 | } 856 | ref -= kerndumpbase; 857 | call = step64_back(kernel, ref, 64, INSN_CALL); 858 | if (!call) { 859 | return 0; 860 | } 861 | bof = bof64(kernel, xnucore_base, call); 862 | if (!bof) { 863 | return 0; 864 | } 865 | if (kernel_version == 18) { 866 | // iOS 12 867 | val = calc64(kernel, bof, call, 8); 868 | } else { 869 | val = calc64(kernel, bof, call, 2); 870 | } 871 | if (!val) { 872 | return 0; 873 | } 874 | return val + kerndumpbase; 875 | } 876 | 877 | addr_t 878 | find_amfiret(void) 879 | { 880 | addr_t ret; 881 | addr_t ref = find_strref("AMFI: hook..execve() killing pid %u: %s\n", 1, 1); 882 | if (!ref) { 883 | return 0; 884 | } 885 | ref -= kerndumpbase; 886 | ret = step64(kernel, ref, 512, INSN_RET); 887 | if (!ret) { 888 | return 0; 889 | } 890 | return ret + kerndumpbase; 891 | } 892 | 893 | addr_t 894 | find_ret_0(void) 895 
| { 896 | addr_t off; 897 | uint32_t *k; 898 | k = (uint32_t *)(kernel + xnucore_base); 899 | for (off = 0; off < xnucore_size - 4; off += 4, k++) { 900 | if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) { 901 | return off + xnucore_base + kerndumpbase; 902 | } 903 | } 904 | k = (uint32_t *)(kernel + prelink_base); 905 | for (off = 0; off < prelink_size - 4; off += 4, k++) { 906 | if (k[0] == 0xAA1F03E0 && k[1] == 0xD65F03C0) { 907 | return off + prelink_base + kerndumpbase; 908 | } 909 | } 910 | return 0; 911 | } 912 | 913 | addr_t 914 | find_amfi_memcmpstub(void) 915 | { 916 | addr_t call, dest, reg; 917 | addr_t ref = find_strref("%s: Possible race detected. Rejecting.", 1, 1); 918 | if (!ref) { 919 | return 0; 920 | } 921 | ref -= kerndumpbase; 922 | call = step64_back(kernel, ref, 64, INSN_CALL); 923 | if (!call) { 924 | return 0; 925 | } 926 | dest = follow_call64(kernel, call); 927 | if (!dest) { 928 | return 0; 929 | } 930 | reg = calc64(kernel, dest, dest + 8, 16); 931 | if (!reg) { 932 | return 0; 933 | } 934 | return reg + kerndumpbase; 935 | } 936 | 937 | addr_t 938 | find_sbops(void) 939 | { 940 | addr_t off, what; 941 | uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Seatbelt sandbox policy", sizeof("Seatbelt sandbox policy") - 1); 942 | if (!str) { 943 | return 0; 944 | } 945 | what = str - kernel + kerndumpbase; 946 | for (off = 0; off < kernel_size - prelink_base; off += 8) { 947 | if (*(uint64_t *)(kernel + prelink_base + off) == what) { 948 | return *(uint64_t *)(kernel + prelink_base + off + 24); 949 | } 950 | } 951 | return 0; 952 | } 953 | 954 | addr_t 955 | find_lwvm_mapio_patch(void) 956 | { 957 | addr_t call, dest, reg; 958 | addr_t ref = find_strref("_mapForIO", 1, 1); 959 | if (!ref) { 960 | return 0; 961 | } 962 | ref -= kerndumpbase; 963 | call = step64(kernel, ref, 64, INSN_CALL); 964 | if (!call) { 965 | return 0; 966 | } 967 | call = step64(kernel, call + 4, 64, INSN_CALL); 968 | if (!call) { 
969 | return 0; 970 | } 971 | dest = follow_call64(kernel, call); 972 | if (!dest) { 973 | return 0; 974 | } 975 | reg = calc64(kernel, dest, dest + 8, 16); 976 | if (!reg) { 977 | return 0; 978 | } 979 | return reg + kerndumpbase; 980 | } 981 | 982 | addr_t 983 | find_lwvm_mapio_newj(void) 984 | { 985 | addr_t call; 986 | addr_t ref = find_strref("_mapForIO", 1, 1); 987 | if (!ref) { 988 | return 0; 989 | } 990 | ref -= kerndumpbase; 991 | call = step64(kernel, ref, 64, INSN_CALL); 992 | if (!call) { 993 | return 0; 994 | } 995 | call = step64(kernel, call + 4, 64, INSN_CALL); 996 | if (!call) { 997 | return 0; 998 | } 999 | call = step64(kernel, call + 4, 64, INSN_CALL); 1000 | if (!call) { 1001 | return 0; 1002 | } 1003 | call = step64_back(kernel, call, 64, INSN_B); 1004 | if (!call) { 1005 | return 0; 1006 | } 1007 | return call + 4 + kerndumpbase; 1008 | } 1009 | 1010 | addr_t 1011 | find_cpacr_write(void) 1012 | { 1013 | addr_t off; 1014 | uint32_t *k; 1015 | k = (uint32_t *)(kernel + xnucore_base); 1016 | for (off = 0; off < xnucore_size - 4; off += 4, k++) { 1017 | if (k[0] == 0xd5181040) { 1018 | return off + xnucore_base + kerndumpbase; 1019 | } 1020 | } 1021 | return 0; 1022 | } 1023 | 1024 | addr_t 1025 | find_str(const char *string) 1026 | { 1027 | uint8_t *str = boyermoore_horspool_memmem(kernel, kernel_size, (uint8_t *)string, strlen(string)); 1028 | if (!str) { 1029 | return 0; 1030 | } 1031 | return str - kernel + kerndumpbase; 1032 | } 1033 | 1034 | addr_t 1035 | find_entry(void) 1036 | { 1037 | /* XXX returns an unslid address */ 1038 | return kernel_entry; 1039 | } 1040 | 1041 | const unsigned char * 1042 | find_mh(void) 1043 | { 1044 | return kernel_mh; 1045 | } 1046 | 1047 | addr_t 1048 | find_amfiops(void) 1049 | { 1050 | addr_t off, what; 1051 | uint8_t *str = boyermoore_horspool_memmem(kernel + pstring_base, pstring_size, (uint8_t *)"Apple Mobile File Integrity", sizeof("Apple Mobile File Integrity") - 1); 1052 | if (!str) { 1053 | return 
0; 1054 | } 1055 | what = str - kernel + kerndumpbase; 1056 | /* XXX will only work on a dumped kernel */ 1057 | for (off = 0; off < kernel_size - prelink_base; off += 8) { 1058 | if (*(uint64_t *)(kernel + prelink_base + off) == what) { 1059 | return *(uint64_t *)(kernel + prelink_base + off + 0x18); 1060 | } 1061 | } 1062 | return 0; 1063 | } 1064 | 1065 | addr_t 1066 | find_sysbootnonce(void) 1067 | { 1068 | addr_t off, what; 1069 | uint8_t *str = boyermoore_horspool_memmem(kernel + cstring_base, cstring_size, (uint8_t *)"com.apple.System.boot-nonce", sizeof("com.apple.System.boot-nonce") - 1); 1070 | if (!str) { 1071 | return 0; 1072 | } 1073 | what = str - kernel + kerndumpbase; 1074 | for (off = 0; off < kernel_size - xnucore_base; off += 8) { 1075 | if (*(uint64_t *)(kernel + xnucore_base + off) == what) { 1076 | return xnucore_base + off + 8 + 4 + kerndumpbase; 1077 | } 1078 | } 1079 | return 0; 1080 | } 1081 | 1082 | addr_t 1083 | find_trustcache(void) 1084 | { 1085 | addr_t cbz, call, func, val; 1086 | addr_t ref = find_strref("amfi_prevent_old_entitled_platform_binaries", 1, 1); 1087 | if (!ref) { 1088 | // iOS 11 1089 | ref = find_strref("com.apple.MobileFileIntegrity", 0, 1); 1090 | if (!ref) { 1091 | return 0; 1092 | } 1093 | ref -= kerndumpbase; 1094 | call = step64(kernel, ref, 64, INSN_CALL); 1095 | if (!call) { 1096 | return 0; 1097 | } 1098 | call = step64(kernel, call + 4, 64, INSN_CALL); 1099 | goto okay; 1100 | } 1101 | ref -= kerndumpbase; 1102 | cbz = step64(kernel, ref, 32, INSN_CBZ); 1103 | if (!cbz) { 1104 | return 0; 1105 | } 1106 | call = step64(kernel, follow_cbz(kernel, cbz), 4, INSN_CALL); 1107 | okay: 1108 | if (!call) { 1109 | return 0; 1110 | } 1111 | func = follow_call64(kernel, call); 1112 | if (!func) { 1113 | return 0; 1114 | } 1115 | val = calc64(kernel, func, func + 16, 8); 1116 | if (!val) { 1117 | return 0; 1118 | } 1119 | return val + kerndumpbase; 1120 | } 1121 | 1122 | addr_t 1123 | find_amficache(void) 1124 | { 1125 | 
addr_t cbz, call, func, bof, val; 1126 | addr_t ref = find_strref("amfi_prevent_old_entitled_platform_binaries", 1, 1); 1127 | if (!ref) { 1128 | // iOS 11 1129 | ref = find_strref("com.apple.MobileFileIntegrity", 0, 1); 1130 | if (!ref) { 1131 | return 0; 1132 | } 1133 | ref -= kerndumpbase; 1134 | call = step64(kernel, ref, 64, INSN_CALL); 1135 | if (!call) { 1136 | return 0; 1137 | } 1138 | call = step64(kernel, call + 4, 64, INSN_CALL); 1139 | goto okay; 1140 | } 1141 | ref -= kerndumpbase; 1142 | cbz = step64(kernel, ref, 32, INSN_CBZ); 1143 | if (!cbz) { 1144 | return 0; 1145 | } 1146 | call = step64(kernel, follow_cbz(kernel, cbz), 4, INSN_CALL); 1147 | okay: 1148 | if (!call) { 1149 | return 0; 1150 | } 1151 | func = follow_call64(kernel, call); 1152 | if (!func) { 1153 | return 0; 1154 | } 1155 | bof = bof64(kernel, func - 256, func); 1156 | if (!bof) { 1157 | return 0; 1158 | } 1159 | val = calc64(kernel, bof, func, 9); 1160 | if (!val) { 1161 | return 0; 1162 | } 1163 | return val + kerndumpbase; 1164 | } 1165 | 1166 | addr_t 1167 | find_cache(int dynamic) 1168 | { 1169 | addr_t call; 1170 | addr_t func; 1171 | addr_t val; 1172 | addr_t amfiUC_inTrustCache = find_strref("%s: only allowed process can check the trust cache", 1, 1); // Trying to find AppleMobileFileIntegrityUserClient::isCdhashInTrustCache 1173 | if (!amfiUC_inTrustCache) { 1174 | return 0; 1175 | } 1176 | amfiUC_inTrustCache -= kerndumpbase; 1177 | 1178 | call = step64_back(kernel, amfiUC_inTrustCache, 11 * 4, INSN_CALL); 1179 | if (!call) { 1180 | return 0; 1181 | } 1182 | func = follow_call64(kernel, call); 1183 | 1184 | call = step64(kernel, func, 8 * 4, INSN_CALL); 1185 | if (!call) { 1186 | return 0; 1187 | } 1188 | func = follow_call64(kernel, call); 1189 | 1190 | call = step64(kernel, func, 8 * 4, INSN_CALL); 1191 | if (!call) { 1192 | return 0; 1193 | } 1194 | if (dynamic) { 1195 | // We ignore the above call, as we are looking for the dynamic cache 1196 | call = step64(kernel, 
call + 4, 8 * 4, INSN_CALL); 1197 | if (!call) { 1198 | return 0; 1199 | } 1200 | func = follow_call64(kernel, call); 1201 | val = calc64(kernel, func, func + 16 * 4, 21); 1202 | } else { 1203 | func = follow_call64(kernel, call); 1204 | val = calc64(kernel, func, func + 12 * 4, 9); 1205 | } 1206 | if (!val) { 1207 | return 0; 1208 | } 1209 | 1210 | return val + kerndumpbase; 1211 | } 1212 | 1213 | addr_t 1214 | find_add_x0_x0_0x40_ret(void) 1215 | { 1216 | // csblob_get_cdhash() 1217 | static const uint8_t insn[] = { 0x00, 0x00, 0x01, 0x91, 0xc0, 0x03, 0x5f, 0xd6 }; // 0x91010000, 0xD65F03C0 1218 | 1219 | uint8_t *str; 1220 | str = boyermoore_horspool_memmem(kernel + xnucore_base, xnucore_size, insn, sizeof(insn)); 1221 | if (str) { 1222 | return str - kernel + kerndumpbase; 1223 | } 1224 | str = boyermoore_horspool_memmem(kernel + prelink_base, prelink_size, insn, sizeof(insn)); 1225 | if (str) { 1226 | return str - kernel + kerndumpbase; 1227 | } 1228 | return 0; 1229 | } 1230 | 1231 | addr_t 1232 | find_vfs_context_current(void) 1233 | { 1234 | addr_t bof, call; 1235 | addr_t ref = find_strref("\"vnode_put(%p): iocount < 1\"", 1, 0); 1236 | if (!ref) { 1237 | return 0; 1238 | } 1239 | ref -= kerndumpbase; 1240 | bof = bof64(kernel, xnucore_base, ref); 1241 | if (!bof) { 1242 | return 0; 1243 | } 1244 | call = find_call64(kernel, bof, 100); 1245 | if (!call) { 1246 | return 0; 1247 | } 1248 | call = follow_call64(kernel, call); 1249 | if (!call) { 1250 | return 0; 1251 | } 1252 | return call + kerndumpbase; 1253 | } 1254 | 1255 | addr_t 1256 | find_vnode_lookup(void) 1257 | { 1258 | addr_t call; 1259 | addr_t ref = find_strref("/private/var/mobile", 1, 0); 1260 | if (!ref) { 1261 | return 0; 1262 | } 1263 | ref -= kerndumpbase; 1264 | call = find_call64(kernel, ref, 100); 1265 | if (!call) { 1266 | return 0; 1267 | } 1268 | call = find_call64(kernel, call + 4, 100); 1269 | if (!call) { 1270 | return 0; 1271 | } 1272 | call = find_call64(kernel, call + 4, 100); 
1273 | if (!call) { 1274 | return 0; 1275 | } 1276 | call = follow_call64(kernel, call); 1277 | if (!call) { 1278 | return 0; 1279 | } 1280 | return call + kerndumpbase; 1281 | } 1282 | 1283 | addr_t 1284 | find_vnode_put(void) 1285 | { 1286 | addr_t call, stub, val; 1287 | addr_t ref = find_strref("hfs: set VeryLowDisk: vol:%s, backingstore b_avail:%lld, tag:%d\n", 1, 1); 1288 | if (!ref) { 1289 | return 0; 1290 | } 1291 | ref -= kerndumpbase; 1292 | call = find_call64(kernel, ref, 32); 1293 | if (!call) { 1294 | return 0; 1295 | } 1296 | call = find_call64(kernel, call + 4, 32); 1297 | if (!call) { 1298 | return 0; 1299 | } 1300 | stub = follow_call64(kernel, call); 1301 | val = calc64(kernel, stub, stub + 12, 16); 1302 | if (!val) { 1303 | return 0; 1304 | } 1305 | return *(uint64_t *)(kernel + val); 1306 | } 1307 | 1308 | addr_t 1309 | find_rootvnode(void) 1310 | { 1311 | addr_t blr, val; 1312 | addr_t ref = find_strref("\"bsd_init: cannot find root vnode: %s\"", 1, 0); 1313 | if (!ref) { 1314 | return 0; 1315 | } 1316 | ref -= kerndumpbase; 1317 | blr = step64_back(kernel, ref, 100, INSN_BLR); 1318 | if (!blr) { 1319 | return 0; 1320 | } 1321 | val = calc64(kernel, blr - 16, blr, 1); 1322 | if (!val) { 1323 | return 0; 1324 | } 1325 | #if 0 1326 | assert(calc64(kernel, ref, ref + 16, 0) == val); 1327 | #endif 1328 | return val + kerndumpbase; 1329 | } 1330 | 1331 | addr_t 1332 | find_zone_map_ref(void) 1333 | { 1334 | addr_t bof, val; 1335 | addr_t ref = find_strref("\"Nothing being freed to the zone_map. 
start = end = %p\\n\"", 1, 0); 1336 | if (!ref) { 1337 | return 0; 1338 | } 1339 | ref -= kerndumpbase; 1340 | bof = bof64(kernel, xnucore_base, ref); 1341 | if (!bof) { 1342 | return 0; 1343 | } 1344 | #if 0 1345 | #define INSN_ADRP 0x90000000, 0x9F000000 1346 | addr_t pos; 1347 | int r = -1, reg = *(uint32_t *)(kernel + ref) & 0x1F; 1348 | for (pos = ref; pos > bof; pos -= 4) { 1349 | pos = step64_back(kernel, pos, pos - bof, INSN_ADRP); 1350 | if (!pos) { 1351 | break; 1352 | } 1353 | r = *(uint32_t *)(kernel + pos) & 0x1F; 1354 | if (r != reg) { 1355 | printf("\t0x%llx\n", pos + kerndumpbase); 1356 | break; 1357 | } 1358 | } 1359 | assert(r != reg && r == 9); 1360 | #endif 1361 | val = calc64(kernel, bof, ref, 9); 1362 | if (!val) { 1363 | return 0; 1364 | } 1365 | return val + kerndumpbase; 1366 | } 1367 | 1368 | addr_t 1369 | find_pmap_initialize_legacy_static_trust_cache_ppl(void) 1370 | { 1371 | addr_t i = 0; 1372 | for (;;) { 1373 | addr_t site, jump, call; 1374 | site = step64(kernel, xnucore_base + i, xnucore_size - i, 0xD28004AF, 0xFFFFFFFF); // MOV X15, #0x25 1375 | if (!site) { 1376 | return 0; 1377 | } 1378 | jump = step64(kernel, site + 4, 4, INSN_B); 1379 | if (jump) { 1380 | call = xref64code(kernel, xnucore_base, xnucore_base + xnucore_size, site); 1381 | if (call) { 1382 | return call + kerndumpbase; 1383 | } 1384 | return site + kerndumpbase; 1385 | } 1386 | i = site - xnucore_base + 4; 1387 | } 1388 | return 0; 1389 | } 1390 | 1391 | addr_t 1392 | find_trust_cache_ppl(void) 1393 | { 1394 | addr_t str, bof, val; 1395 | str = find_strref("\"loadable trust cache buffer too small (%ld) for entries claimed (%d)\"", 1, 2); 1396 | if (!str) { 1397 | return 0; 1398 | } 1399 | str -= kerndumpbase; 1400 | bof = bof64(kernel, pplcode_base, str); 1401 | if (!bof) { 1402 | return 0; 1403 | } 1404 | val = calc64(kernel, bof, str, 8); 1405 | if (!val) { 1406 | return 0; 1407 | } 1408 | return val + kerndumpbase; 1409 | } 1410 | 1411 | /* extra_recipe 
**************************************************************/ 1412 | 1413 | #define INSN_STR8 0xF9000000 | 8, 0xFFC00000 | 0x1F 1414 | #define INSN_POPS 0xA9407BFD, 0xFFC07FFF 1415 | 1416 | addr_t 1417 | find_AGXCommandQueue_vtable(void) 1418 | { 1419 | addr_t val, str8; 1420 | addr_t ref = find_strref("AGXCommandQueue", 1, 1); 1421 | if (!ref) { 1422 | return 0; 1423 | } 1424 | val = find_register_value(ref, 0); 1425 | if (!val) { 1426 | return 0; 1427 | } 1428 | ref = find_reference(val, 1, 1); 1429 | if (!ref) { 1430 | return 0; 1431 | } 1432 | ref -= kerndumpbase; 1433 | str8 = step64(kernel, ref, 32, INSN_STR8); 1434 | if (!str8) { 1435 | return 0; 1436 | } 1437 | val = calc64(kernel, ref, str8, 8); 1438 | if (!val) { 1439 | return 0; 1440 | } 1441 | return val + kerndumpbase; 1442 | } 1443 | 1444 | addr_t 1445 | find_allproc(void) 1446 | { 1447 | addr_t val; 1448 | addr_t ref = find_strref("shutdownwait", 1, 0); 1449 | if (!ref) { 1450 | return 0; 1451 | } 1452 | ref -= kerndumpbase; 1453 | val = calc64(kernel, ref, ref + 32, 8); 1454 | if (!val) { 1455 | return 0; 1456 | } 1457 | return val + kerndumpbase; 1458 | } 1459 | 1460 | addr_t 1461 | find_call5(void) 1462 | { 1463 | addr_t bof; 1464 | uint8_t gadget[] = { 0x95, 0x5A, 0x40, 0xF9, 0x68, 0x02, 0x40, 0xF9, 0x88, 0x5A, 0x00, 0xF9, 0x60, 0xA2, 0x40, 0xA9 }; 1465 | uint8_t *str = boyermoore_horspool_memmem(kernel + prelink_base, prelink_size, gadget, sizeof(gadget)); 1466 | if (!str) { 1467 | return 0; 1468 | } 1469 | bof = bof64(kernel, prelink_base, str - kernel); 1470 | if (!bof) { 1471 | return 0; 1472 | } 1473 | return bof + kerndumpbase; 1474 | } 1475 | 1476 | addr_t 1477 | find_realhost(addr_t priv) 1478 | { 1479 | addr_t val; 1480 | if (!priv) { 1481 | return 0; 1482 | } 1483 | priv -= kerndumpbase; 1484 | val = calc64(kernel, priv, priv + 12, 0); 1485 | if (!val) { 1486 | return 0; 1487 | } 1488 | return val + kerndumpbase; 1489 | } 1490 | 1491 | #ifdef HAVE_MAIN 1492 | #include 1493 | 1494 | 
addr_t 1495 | find_symbol(const char *symbol) 1496 | { 1497 | unsigned i; 1498 | const struct mach_header *hdr = kernel_mh; 1499 | const uint8_t *q; 1500 | int is64 = 0; 1501 | 1502 | if (IS64(hdr)) { 1503 | is64 = 4; 1504 | } 1505 | 1506 | /* XXX will only work on a decrypted kernel */ 1507 | if (!kernel_delta) { 1508 | return 0; 1509 | } 1510 | 1511 | /* XXX I should cache these. ohwell... */ 1512 | q = (uint8_t *)(hdr + 1) + is64; 1513 | for (i = 0; i < hdr->ncmds; i++) { 1514 | const struct load_command *cmd = (struct load_command *)q; 1515 | if (cmd->cmd == LC_SYMTAB) { 1516 | const struct symtab_command *sym = (struct symtab_command *)q; 1517 | const char *stroff = (const char *)kernel + sym->stroff + kernel_delta; 1518 | if (is64) { 1519 | uint32_t k; 1520 | const struct nlist_64 *s = (struct nlist_64 *)(kernel + sym->symoff + kernel_delta); 1521 | for (k = 0; k < sym->nsyms; k++) { 1522 | if (s[k].n_type & N_STAB) { 1523 | continue; 1524 | } 1525 | if (s[k].n_value && (s[k].n_type & N_TYPE) != N_INDR) { 1526 | if (!strcmp(symbol, stroff + s[k].n_un.n_strx)) { 1527 | /* XXX this is an unslid address */ 1528 | return s[k].n_value; 1529 | } 1530 | } 1531 | } 1532 | } 1533 | } 1534 | q = q + cmd->cmdsize; 1535 | } 1536 | return 0; 1537 | } 1538 | 1539 | /* test **********************************************************************/ 1540 | 1541 | int 1542 | main(int argc, char **argv) 1543 | { 1544 | int rv; 1545 | addr_t base = 0; 1546 | const addr_t vm_kernel_slide = 0; 1547 | rv = init_kernel(base, (argc > 1) ? 
argv[1] : "krnl"); 1548 | assert(rv == 0); 1549 | 1550 | addr_t allproc = find_allproc(); 1551 | printf("allproc = 0x%llx\n", allproc); 1552 | addr_t realhost = find_realhost(find_symbol("_host_priv_self") + vm_kernel_slide); 1553 | printf("realhost = 0x%llx\n", realhost - vm_kernel_slide); 1554 | 1555 | addr_t trustcache = find_trustcache(); 1556 | if (!trustcache) { 1557 | trustcache = find_cache(1); 1558 | } 1559 | printf("trustcache = 0x%llx\n", trustcache); 1560 | addr_t amficache = find_amficache(); 1561 | if (!amficache) { 1562 | amficache = find_cache(0); 1563 | } 1564 | printf("amficache = 0x%llx\n", amficache); 1565 | 1566 | printf("trustcache_ppl = func:0x%llx, data:0x%llx\n", find_pmap_initialize_legacy_static_trust_cache_ppl(), find_trust_cache_ppl()); 1567 | 1568 | term_kernel(); 1569 | return 0; 1570 | } 1571 | 1572 | #endif /* HAVE_MAIN */ 1573 | --------------------------------------------------------------------------------