├── syscall ├── Resources │ ├── LaunchImage.png │ ├── AppIcon29x29.png │ ├── AppIcon29x29@2x.png │ ├── AppIcon29x29@3x.png │ ├── AppIcon40x40.png │ ├── AppIcon40x40@2x.png │ ├── AppIcon40x40@3x.png │ ├── AppIcon50x50.png │ ├── AppIcon50x50@2x.png │ ├── AppIcon57x57.png │ ├── AppIcon57x57@2x.png │ ├── AppIcon57x57@3x.png │ ├── AppIcon60x60.png │ ├── AppIcon60x60@2x.png │ ├── AppIcon60x60@3x.png │ ├── AppIcon72x72.png │ ├── AppIcon72x72@2x.png │ ├── AppIcon76x76.png │ ├── AppIcon76x76@2x.png │ ├── LaunchImage@2x.png │ ├── LaunchImage-700-568h@2x.png │ ├── LaunchImage-800-667h@2x.png │ ├── LaunchImage-700-Landscape~ipad.png │ ├── LaunchImage-700-Portrait~ipad.png │ ├── LaunchImage-700-Landscape@2x~ipad.png │ ├── LaunchImage-700-Portrait@2x~ipad.png │ ├── LaunchImage-800-Landscape-736h@3x.png │ ├── LaunchImage-800-Portrait-736h@3x.png │ └── Info.plist ├── control ├── main.m ├── SCAppDelegate.h ├── SCRootViewController.h ├── Makefile ├── SCAppDelegate.m ├── ent.xml ├── syscall.m └── SCRootViewController.m ├── .gitignore ├── syscallintercept.plist ├── README.md ├── control ├── Makefile ├── LICENSE.md ├── Unused.xm ├── Tweak_w.xm └── Tweak.xm /syscall/Resources/LaunchImage.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon29x29.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon29x29@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon29x29@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/syscall/Resources/AppIcon40x40.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon40x40@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon40x40@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon50x50.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon50x50@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon57x57.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon57x57@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon57x57@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon60x60.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon60x60@2x.png: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /syscall/Resources/AppIcon60x60@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon72x72.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon72x72@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon76x76.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/AppIcon76x76@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-700-568h@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-800-667h@2x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .theos/ 2 | .DS_Store 3 | packages/ 4 | -------------------------------------------------------------------------------- 
/syscall/Resources/LaunchImage-700-Landscape~ipad.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-700-Portrait~ipad.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-700-Landscape@2x~ipad.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-700-Portrait@2x~ipad.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-800-Landscape-736h@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscall/Resources/LaunchImage-800-Portrait-736h@3x.png: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /syscallintercept.plist: -------------------------------------------------------------------------------- 1 | { Filter = { Bundles = ( "com.lf.syscall" ); }; } 2 | -------------------------------------------------------------------------------- /syscall/control: -------------------------------------------------------------------------------- 1 | Package: com.lf.syscall 2 | Name: syscall 3 | Version: 0.0.1 4 | Architecture: iphoneos-arm 5 | Description: An awesome application! 
6 | Maintainer: opa334 7 | Author: opa334 8 | Section: Utilities 9 | -------------------------------------------------------------------------------- /syscall/main.m: -------------------------------------------------------------------------------- 1 | #import "SCAppDelegate.h" 2 | 3 | int main(int argc, char *argv[]) { 4 | @autoreleasepool { 5 | return UIApplicationMain(argc, argv, nil, NSStringFromClass(SCAppDelegate.class)); 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Unfished, has a lot of problems, check out the comments in Tweak.xm for more details. 2 | 3 | Tweak.xm is the latest version. 4 | Tweak_w.xm is an older version. 5 | Unused.xm contains some code that went unused. 6 | 7 | Have fun! -------------------------------------------------------------------------------- /control: -------------------------------------------------------------------------------- 1 | Package: com.opa334.syscallintercept 2 | Name: syscallintercept 3 | Depends: mobilesubstrate 4 | Version: 0.0.1 5 | Architecture: iphoneos-arm 6 | Description: An awesome MobileSubstrate tweak! 
7 | Maintainer: opa334 8 | Author: opa334 9 | Section: Tweaks 10 | -------------------------------------------------------------------------------- /syscall/SCAppDelegate.h: -------------------------------------------------------------------------------- 1 | @class SCRootViewController; 2 | 3 | @interface SCAppDelegate : UIResponder 4 | 5 | @property (nonatomic, retain) UIWindow *window; 6 | @property (nonatomic, retain) SCRootViewController *rootViewController; 7 | 8 | @end 9 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | include $(THEOS)/makefiles/common.mk 2 | 3 | export TARGET = iphone:clang:12.1.2:8.0 4 | export ARCHS = arm64 armv7 5 | 6 | TWEAK_NAME = syscallintercept 7 | syscallintercept_CFLAGS = -fobjc-arc 8 | syscallintercept_FILES = Tweak.xm 9 | 10 | include $(THEOS_MAKE_PATH)/tweak.mk 11 | -------------------------------------------------------------------------------- /syscall/SCRootViewController.h: -------------------------------------------------------------------------------- 1 | @interface SCRootViewController : UIViewController 2 | { 3 | UISegmentedControl* _methodPicker; 4 | UISegmentedControl* _syscallPicker; 5 | UILabel* _outputLabel; 6 | UIButton* _goButton; 7 | } 8 | 9 | - (void)goButtonPressed; 10 | - (void)exit_syscall; 11 | - (NSInteger)getpid_syscall; 12 | 13 | @end 14 | -------------------------------------------------------------------------------- /syscall/Makefile: -------------------------------------------------------------------------------- 1 | include $(THEOS)/makefiles/common.mk 2 | 3 | export TARGET = iphone:clang:12.1.2:8.0 4 | export ARCHS = armv7 arm64 5 | 6 | APPLICATION_NAME = syscall 7 | syscall_FILES = main.m SCAppDelegate.m SCRootViewController.m 8 | syscall_FRAMEWORKS = UIKit CoreGraphics 9 | syscall_CODESIGN_FLAGS = -Sent.xml 10 | 11 | include $(THEOS_MAKE_PATH)/application.mk 12 | 13 | 
after-install:: 14 | install.exec "killall \"syscall\"" || true 15 | -------------------------------------------------------------------------------- /syscall/SCAppDelegate.m: -------------------------------------------------------------------------------- 1 | #import "SCAppDelegate.h" 2 | #import "SCRootViewController.h" 3 | 4 | @implementation SCAppDelegate 5 | 6 | - (void)applicationDidFinishLaunching:(UIApplication *)application { 7 | _window = [[UIWindow alloc] initWithFrame:[UIScreen mainScreen].bounds]; 8 | _rootViewController = [[SCRootViewController alloc] init]; 9 | _window.rootViewController = _rootViewController; 10 | [_window makeKeyAndVisible]; 11 | } 12 | 13 | - (void)dealloc { 14 | [_window release]; 15 | [_rootViewController release]; 16 | [super dealloc]; 17 | } 18 | 19 | @end 20 | -------------------------------------------------------------------------------- /syscall/ent.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | platform-application 6 | 7 | get-task-allow 8 | 9 | task_for_pid-allow 10 | 11 | com.apple.backboardd.debugapplications 12 | 13 | com.apple.springboard.debugapplications 14 | 15 | run-unsigned-code 16 | 17 | com.apple.private.librarian.can-get-application-info 18 | 19 | com.apple.private.skip-library-validation 20 | 21 | com.apple.private.security.no-container 22 | 23 | com.apple.private.mobileinstall.allowedSPI 24 | 25 | Lookup 26 | CopyInstalledAppsForLaunchServices 27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Lars Fröder 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, 
modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /syscall/syscall.m: -------------------------------------------------------------------------------- 1 | - (void)exit_syscall 2 | { 3 | #if __LP64__ //64 Bit 4 | __asm("mov x16, #0x01"); //Systemcall Nummer wird von Register x16 bezogen (EXIT = 0x01) 5 | __asm("mov x0, #0x01"); //Argument 1 (Nummer bei beenden des Programms) 6 | __asm("svc #0x80"); //Aufruf des Systemcalls 7 | #else //32 Bit 8 | __asm("mov r12, #0x01"); //Systemcall Nummer wird von Register r12 bezogen (EXIT = 0x01) 9 | __asm("mov r0, #0x01"); //Argument 1 (Nummer bei beenden des Programms) 10 | __asm("svc #0x80"); //Aufruf des Systemcalls 11 | #endif 12 | } 13 | 14 | - (NSInteger)getpid_syscall 15 | { 16 | NSInteger pid = 0; 17 | 18 | #if __LP64__ //64 Bit 19 | __asm("mov x16, #0x14"); //Systemcall Nummer wird von Register x16 bezogen (GETPID = 0x14) 20 | __asm("svc #0x80"); //Aufruf des Systemcalls (return wert wird in x0 gespeichert) 21 | __asm("mov %0, x0" : "=r"(pid)); //x0 in lokale variable pid kopieren 22 | #else //32 Bit 23 | __asm("mov r12, #0x14"); //Systemcall Nummer wird von 
Register r12 bezogen (GETPID = 0x14) 24 | __asm("svc #0x80"); //Aufruf des Systemcalls (return wert wird in r0 gespeichert) 25 | __asm("mov %0, r0" : "=r"(pid)); //r0 in lokale variable pid kopieren 26 | #endif 27 | 28 | return pid; 29 | } 30 | -------------------------------------------------------------------------------- /Unused.xm: -------------------------------------------------------------------------------- 1 | /*volatile void test() 2 | { 3 | asm volatile ( "bl %0" : : "g"(syscallIntercept) ); //02 00 00 94 4 | }*/ 5 | 6 | /*void printRightBL() 7 | { 8 | Dl_info info; 9 | if(!dladdr((const void*)test, &info)) 10 | { 11 | NSLog(@"ERROR FINDING POINTER!"); 12 | return; 13 | } 14 | 15 | vm_address_t testAddr = (vm_address_t)info.dli_saddr; 16 | 17 | uint32_t real_bl = read32(mach_task_self(), testAddr); 18 | 19 | NSLog(@"---- REAL BL: %llX", (unsigned long long)real_bl); 20 | 21 | uint32_t fake_bl = bl(testAddr, interceptAddr); 22 | 23 | NSLog(@"---- FAKE BL: %llX", (unsigned long long)fake_bl); 24 | 25 | MSHookMemory((void*)testAddr, &fake_bl, sizeof(fake_bl)); 26 | 27 | uint32_t real_fake_bl = read32(mach_task_self(), testAddr); 28 | 29 | NSLog(@"---- REAL FAKE BL: %llX", (unsigned long long)real_fake_bl); 30 | }*/ 31 | 32 | /*cmd = (typeof(cmd))mh+1; 33 | 34 | for(int cmdI = 0; cmdI < mh->ncmds; cmdI++) 35 | { 36 | 37 | if(cmd->nsects > 0) 38 | { 39 | NSLog(@"- segname = %s, vmaddr = %llX, vmsize = %llX", cmd->segname, (unsigned long long)cmd->vmaddr, (unsigned long long)cmd->vmsize); 40 | 41 | sect = (typeof(sect))cmd+1; 42 | 43 | for(int sectI = 0; sectI < cmd->nsects; sectI++) 44 | { 45 | NSLog(@"-- sectname %s, addr = %llX, offset = %llX, size = %llX", sect->sectname, (unsigned long long)sect->addr, (unsigned long long)sect->offset, (unsigned long long)sect->size); 46 | 47 | sect = sect + 1; 48 | } 49 | 50 | cmd = (typeof(cmd))sect; 51 | } 52 | else 53 | { 54 | cmd = cmd + 1; 55 | } 56 | }*/ 57 | 58 | /*command = (typeof(command))mh+1; 59 | 60 | 
NSLog(@"mh = %p, command = %p", mh, command); 61 | void* endAddr = (void*)(addr + (void*)mh->sizeofcmds); 62 | 63 | for(int i = 0; i < mh->ncmds && addr < endAddr; i++) 64 | { 65 | NSLog(@"- segname = %s, vmaddr = %llX, vmsize = %llX", commands[i]->segname, (unsigned long long)command->vmaddr, (unsigned long long)command->vmsize); 66 | 67 | for(int s = 0; s < command->nsects; s++) 68 | { 69 | #ifdef __LP64__ 70 | const struct section_64* sect; 71 | #else 72 | const struct section* sect; 73 | #endif 74 | sect = (command + sizeof(command)) + (sizeof(sect) * s); 75 | 76 | NSLog(@"-- sectname %s, addr = %llX, offset = %llX, size = %llX", sect->sectname, (unsigned long long)sect->addr, (unsigned long long)sect->offset, (unsigned long long)sect->size); 77 | } 78 | 79 | //NSLog(@"- addr = %p", addr); 80 | 81 | addr = (void*)(command + command->cmdsize); 82 | }*/ 83 | 84 | /*vm_address_t magicAddr = (vm_address_t)(mh); 85 | 86 | NSLog(@"magicAddr = %llx", (unsigned long long)magicAddr); 87 | 88 | uint32_t magicRead = read32(mach_task_self(), magicAddr); 89 | 90 | NSLog(@"magicRead = %llx", (unsigned long long)magicRead); 91 | 92 | NSLog(@"mh = %p", mh);*/ 93 | -------------------------------------------------------------------------------- /syscall/SCRootViewController.m: -------------------------------------------------------------------------------- 1 | #import "SCRootViewController.h" 2 | 3 | @implementation SCRootViewController 4 | 5 | - (void)viewDidLoad 6 | { 7 | self.view.backgroundColor = [UIColor whiteColor]; 8 | 9 | _methodPicker = [[UISegmentedControl alloc] initWithItems:@[@"Syscall", @"C Funktion"]]; 10 | _methodPicker.selectedSegmentIndex = 0; 11 | _methodPicker.translatesAutoresizingMaskIntoConstraints = NO; 12 | 13 | _syscallPicker = [[UISegmentedControl alloc] initWithItems:@[@"exit", @"getpid"]]; 14 | _syscallPicker.selectedSegmentIndex = 0; 15 | _syscallPicker.translatesAutoresizingMaskIntoConstraints = NO; 16 | 17 | _outputLabel = [[UILabel alloc] 
init]; 18 | _outputLabel.translatesAutoresizingMaskIntoConstraints = NO; 19 | 20 | _goButton = [UIButton buttonWithType:UIButtonTypeSystem]; 21 | [_goButton addTarget:self action:@selector(goButtonPressed) forControlEvents:UIControlEventTouchUpInside]; 22 | [_goButton setTitle:@"go" forState:UIControlStateNormal]; 23 | _goButton.titleLabel.font = [_goButton.titleLabel.font fontWithSize:24]; 24 | _goButton.translatesAutoresizingMaskIntoConstraints = NO; 25 | 26 | [self.view addSubview:_methodPicker]; 27 | [self.view addSubview:_syscallPicker]; 28 | [self.view addSubview:_outputLabel]; 29 | [self.view addSubview:_goButton]; 30 | 31 | NSDictionary* views = NSDictionaryOfVariableBindings(_methodPicker, _syscallPicker, _outputLabel, _goButton); 32 | 33 | [self.view addConstraints:[NSLayoutConstraint constraintsWithVisualFormat:@"|-[_goButton]-|" options:0 metrics:nil views:views]]; 34 | [self.view addConstraints:[NSLayoutConstraint constraintsWithVisualFormat:@"|-[_methodPicker]-|" options:0 metrics:nil views:views]]; 35 | [self.view addConstraints:[NSLayoutConstraint constraintsWithVisualFormat:@"|-[_syscallPicker]-|" options:0 metrics:nil views:views]]; 36 | [self.view addConstraints:[NSLayoutConstraint constraintsWithVisualFormat:@"|-[_outputLabel]-|" options:0 metrics:nil views:views]]; 37 | 38 | [self.view addConstraints:[NSLayoutConstraint constraintsWithVisualFormat:@"V:|-50-[_outputLabel]-20-[_methodPicker]-20-[_syscallPicker]-20-[_goButton]" options:0 metrics:nil views:views]]; 39 | } 40 | 41 | - (void)goButtonPressed 42 | { 43 | if(_methodPicker.selectedSegmentIndex == 0) 44 | { 45 | if(_syscallPicker.selectedSegmentIndex == 0) 46 | { 47 | [self exit_syscall]; 48 | } 49 | else if(_syscallPicker.selectedSegmentIndex == 1) 50 | { 51 | int pid = [self getpid_syscall]; 52 | 53 | _outputLabel.text = [NSString stringWithFormat:@"PID: %i", pid]; 54 | } 55 | } 56 | else if(_methodPicker.selectedSegmentIndex == 1) 57 | { 58 | if(_syscallPicker.selectedSegmentIndex == 
0) 59 | { 60 | exit(1); 61 | } 62 | else if(_syscallPicker.selectedSegmentIndex == 1) 63 | { 64 | int pid = getpid(); 65 | 66 | _outputLabel.text = [NSString stringWithFormat:@"PID: %i", pid]; 67 | } 68 | } 69 | } 70 | 71 | - (void)exit_syscall 72 | { 73 | #if __LP64__ //64 Bit 74 | __asm("mov x16, #0x01");//Systemcall Nummer wird von Register x16 bezogen (EXIT = 0x01) 75 | __asm("mov x0, #0x01"); //Argument 1 (Nummer bei beenden des Programms) 76 | __asm("svc #0x80"); //Aufruf des Systemcalls 77 | #else //32 Bit 78 | __asm("mov r12, #0x01");//Systemcall Nummer wird von Register r12 bezogen (EXIT = 0x01) 79 | __asm("mov r0, #0x01"); //Argument 1 (Nummer bei beenden des Programms) 80 | __asm("svc #0x80"); //Aufruf des Systemcalls 81 | #endif 82 | 83 | NSLog(@"we still running"); 84 | } 85 | 86 | - (NSInteger)getpid_syscall 87 | { 88 | NSInteger pid = 0; 89 | 90 | #if __LP64__ //64 Bit 91 | __asm("mov x16, #0x14");//Systemcall Nummer wird von Register x16 bezogen (GETPID = 0x14) 92 | __asm("svc #0x80"); //Aufruf des Systemcalls (return wert wird in x0 gespeichert) 93 | __asm("mov %0, x0" : "=r" (pid)); //x0 in lokale variable pid kopieren 94 | #else //32 Bit 95 | __asm("mov r12, #0x14");//Systemcall Nummer wird von Register r12 bezogen (GETPID = 0x14) 96 | __asm("svc #0x80"); //Aufruf des Systemcalls (return wert wird in r0 gespeichert) 97 | __asm("mov %0, r0" : "=r" (pid)); //r0 in lokale variable pid kopieren 98 | #endif 99 | 100 | return pid; 101 | } 102 | 103 | @end 104 | -------------------------------------------------------------------------------- /syscall/Resources/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleExecutable 6 | syscall 7 | CFBundleIcons 8 | 9 | CFBundlePrimaryIcon 10 | 11 | CFBundleIconFiles 12 | 13 | AppIcon29x29 14 | AppIcon40x40 15 | AppIcon57x57 16 | AppIcon60x60 17 | 18 | UIPrerenderedIcon 19 | 20 | 21 | 22 | CFBundleIcons~ipad 23 | 24 | CFBundlePrimaryIcon 25 | 26 
| CFBundleIconFiles 27 | 28 | AppIcon29x29 29 | AppIcon40x40 30 | AppIcon57x57 31 | AppIcon60x60 32 | AppIcon50x50 33 | AppIcon72x72 34 | AppIcon76x76 35 | 36 | UIPrerenderedIcon 37 | 38 | 39 | 40 | CFBundleIdentifier 41 | com.lf.syscall 42 | CFBundleInfoDictionaryVersion 43 | 6.0 44 | CFBundlePackageType 45 | APPL 46 | CFBundleSignature 47 | ???? 48 | CFBundleSupportedPlatforms 49 | 50 | iPhoneOS 51 | 52 | CFBundleVersion 53 | 1.0 54 | LSRequiresIPhoneOS 55 | 56 | UIDeviceFamily 57 | 58 | 1 59 | 2 60 | 61 | UIRequiredDeviceCapabilities 62 | 63 | armv7 64 | 65 | UILaunchImageFile 66 | LaunchImage 67 | UILaunchImages 68 | 69 | 70 | UILaunchImageMinimumOSVersion 71 | 7.0 72 | UILaunchImageName 73 | LaunchImage 74 | UILaunchImageOrientation 75 | Portrait 76 | UILaunchImageSize 77 | {320, 480} 78 | 79 | 80 | UILaunchImageMinimumOSVersion 81 | 7.0 82 | UILaunchImageName 83 | LaunchImage-700-568h 84 | UILaunchImageOrientation 85 | Portrait 86 | UILaunchImageSize 87 | {320, 568} 88 | 89 | 90 | UILaunchImageMinimumOSVersion 91 | 7.0 92 | UILaunchImageName 93 | LaunchImage-Portrait 94 | UILaunchImageOrientation 95 | Portrait 96 | UILaunchImageSize 97 | {768, 1024} 98 | 99 | 100 | UILaunchImageMinimumOSVersion 101 | 7.0 102 | UILaunchImageName 103 | LaunchImage-Landscape 104 | UILaunchImageOrientation 105 | Landscape 106 | UILaunchImageSize 107 | {768, 1024} 108 | 109 | 110 | UILaunchImageMinimumOSVersion 111 | 8.0 112 | UILaunchImageName 113 | LaunchImage-800-667h 114 | UILaunchImageOrientation 115 | Portrait 116 | UILaunchImageSize 117 | {375, 667} 118 | 119 | 120 | UILaunchImageMinimumOSVersion 121 | 8.0 122 | UILaunchImageName 123 | LaunchImage-800-Portrait-736h 124 | UILaunchImageOrientation 125 | Portrait 126 | UILaunchImageSize 127 | {414, 736} 128 | 129 | 130 | UILaunchImageMinimumOSVersion 131 | 8.0 132 | UILaunchImageName 133 | LaunchImage-800-Landscape-736h 134 | UILaunchImageOrientation 135 | Landscape 136 | UILaunchImageSize 137 | {414, 736} 138 | 139 | 140 | 
UISupportedInterfaceOrientations 141 | 142 | UIInterfaceOrientationPortrait 143 | UIInterfaceOrientationLandscapeLeft 144 | UIInterfaceOrientationLandscapeRight 145 | 146 | UISupportedInterfaceOrientations~ipad 147 | 148 | UIInterfaceOrientationPortrait 149 | UIInterfaceOrientationPortraitUpsideDown 150 | UIInterfaceOrientationLandscapeLeft 151 | UIInterfaceOrientationLandscapeRight 152 | 153 | 154 | 155 | -------------------------------------------------------------------------------- /Tweak_w.xm: -------------------------------------------------------------------------------- 1 | #include "substrate.h" 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | 12 | const char* dylibPath; 13 | vm_address_t interceptAddr; 14 | 15 | uint64_t read64(mach_port_name_t target, vm_address_t address); 16 | uint32_t read32(mach_port_name_t target, vm_address_t address); 17 | #ifdef __LP64__ 18 | void parseMachHeaderCommands(const mach_header_64* mh, intptr_t slide); 19 | #else 20 | void parseMachHeaderCommands(const mach_header* mh, intptr_t slide); 21 | #endif 22 | void parseMemory(vm_address_t addr, vm_offset_t length); 23 | void syscallIntercept(); 24 | 25 | uint64_t read64(mach_port_name_t target, vm_address_t address) 26 | { 27 | kern_return_t r; 28 | vm_offset_t data; 29 | mach_msg_type_number_t dataCnt; 30 | 31 | r = vm_read(target, address, sizeof(uint64_t), &data, &dataCnt); 32 | 33 | if(r == KERN_SUCCESS) 34 | { 35 | return *(uint64_t*)data; 36 | } 37 | else 38 | { 39 | return 0; 40 | } 41 | } 42 | 43 | uint32_t read32(mach_port_name_t target, vm_address_t address) 44 | { 45 | kern_return_t r; 46 | vm_offset_t data; 47 | mach_msg_type_number_t dataCnt; 48 | 49 | r = vm_read(target, address, sizeof(uint32_t), &data, &dataCnt); 50 | 51 | if(r == KERN_SUCCESS) 52 | { 53 | return *(uint32_t*)data; 54 | } 55 | else 56 | { 57 | return 0; 58 | } 59 | } 60 | 61 | #ifdef __LP64__ 62 | void parseMachHeaderCommands(const 
mach_header_64* mh, intptr_t slide) 63 | #else 64 | void parseMachHeaderCommands(const mach_header* mh, intptr_t slide) 65 | #endif 66 | { 67 | #ifdef __LP64__ 68 | const segment_command_64* cmd; 69 | const section_64* sect; 70 | #else 71 | const segment_command* cmd; 72 | const section* sect; 73 | #endif 74 | 75 | NSLog(@"mh = %llX", (unsigned long long)mh); 76 | 77 | uintptr_t addr = (uintptr_t)(mh + 1); 78 | 79 | NSLog(@"addr = %llX, size = %llX", (unsigned long long)addr, (unsigned long long)sizeof(mh)); 80 | 81 | uintptr_t endAddr = addr + mh->sizeofcmds; 82 | 83 | for(int ci = 0; ci < mh->ncmds && addr <= endAddr; ci++) 84 | { 85 | cmd = (typeof(cmd))addr; 86 | 87 | addr = addr + cmd->cmdsize; 88 | 89 | if(cmd->cmd != LC_SEGMENT_64 || strcmp(cmd->segname, "__TEXT")) //We only care about __TEXT segments 90 | { 91 | continue; 92 | } 93 | 94 | parseMemory(cmd->vmaddr + slide, cmd->vmsize); 95 | 96 | NSLog(@"- segname = %s, cmd = %lX, vmaddr = %llX, vmsize = %llX, nsects = %lu, cmdsize = %lu", cmd->segname, (unsigned long)cmd->cmd, (unsigned long long)cmd->vmaddr, (unsigned long long)cmd->vmsize, (unsigned long)cmd->nsects, (unsigned long)cmd->cmdsize); 97 | 98 | if(cmd->nsects > 0) 99 | { 100 | sect = (typeof(sect))((uintptr_t)cmd + sizeof(cmd)); 101 | for(unsigned long si = 0; si < cmd->nsects; si++) 102 | { 103 | sect = sect + 1; 104 | 105 | //addr = addr + sizeof(sect); 106 | 107 | NSLog(@"-- sectname %s, addr = %llX, offset = %llX, size = %llX", sect->sectname, (unsigned long long)sect->addr, (unsigned long long)sect->offset, (unsigned long long)sect->size); 108 | } 109 | } 110 | } 111 | } 112 | 113 | uint32_t b(vm_address_t origin, vm_address_t target) 114 | { 115 | int32_t offset = (target - origin) / 4; 116 | 117 | NSLog(@"b"); 118 | 119 | NSLog(@"origin = %llX | target = %llX", (unsigned long long)origin, (unsigned long long)target); 120 | 121 | NSLog(@"offset = %i", offset); 122 | 123 | if(offset < 0) 124 | { 125 | if((offset & 
0b1111110000000000000000000000000) != 0b1111110000000000000000000000000) 126 | { 127 | NSLog(@"ERROR: OFFSET TOO SMALL"); 128 | } 129 | } 130 | else 131 | { 132 | if((offset & 0b1111110000000000000000000000000) != 0) 133 | { 134 | NSLog(@"ERROR: OFFSET TOO BIG"); 135 | } 136 | } 137 | 138 | uint32_t bl = 0b00010100000000000000000000000000 | (offset & 0b00000011111111111111111111111111); 139 | 140 | return bl; 141 | } 142 | 143 | uint32_t bl(vm_address_t origin, vm_address_t target) 144 | { 145 | int32_t offset = (target - origin) / 4; 146 | 147 | NSLog(@"bl"); 148 | 149 | NSLog(@"origin = %llX | target = %llX", (unsigned long long)origin, (unsigned long long)target); 150 | 151 | NSLog(@"offset = %i", offset); 152 | 153 | if(offset < 0) 154 | { 155 | if((offset & 0b1111110000000000000000000000000) != 0b1111110000000000000000000000000) 156 | { 157 | NSLog(@"ERROR: OFFSET TOO SMALL"); 158 | } 159 | } 160 | else 161 | { 162 | if((offset & 0b1111110000000000000000000000000) != 0) 163 | { 164 | NSLog(@"ERROR: OFFSET TOO BIG"); 165 | } 166 | } 167 | 168 | uint32_t bl = 0b10010100000000000000000000000000 | (offset & 0b00000011111111111111111111111111); 169 | 170 | return bl; 171 | } 172 | 173 | /*void volatile test() 174 | { 175 | #ifdef __LP64__ 176 | __asm("mov x30, x18"); //FE 03 12 AA 177 | __asm("mov x18, x30"); //F2 03 1E AA 178 | #endif 179 | }*/ 180 | 181 | vm_address_t create_trampoline(vm_address_t origin) 182 | { 183 | vm_address_t addr = origin; 184 | vm_address_t ret = origin + 4; 185 | 186 | kern_return_t kret = vm_allocate(mach_task_self(), &addr, 16, true); //Allocate next available space 187 | 188 | if(kret != KERN_SUCCESS) 189 | { 190 | NSLog(@"ERROR ALLOCATING"); 191 | return 0; 192 | } 193 | 194 | uint32_t saveX30 = CFSwapInt32(0xFE0312AA); //mov x30, x18 195 | uint32_t interceptCall = bl(addr + 4, interceptAddr); 196 | uint32_t loadX30 = CFSwapInt32(0xF2031EAA); //mov x18, x30 197 | uint32_t jumpBack = b(addr + 12, ret); 198 | 199 | uint32_t 
trampoline[4] = { saveX30, interceptCall, loadX30, jumpBack }; 200 | 201 | //kret = vm_write(mach_task_self(), addr, (vm_offset_t)trampoline, sizeof(trampoline)); 202 | MSHookMemory((void*)addr, (const void*)trampoline, sizeof(trampoline)); //Needed so the code signature is not broken 203 | 204 | kern_return_t kret2 = vm_protect(mach_task_self(), addr, 16, true, VM_PROT_READ | VM_PROT_EXECUTE); //set max protection 205 | kret = vm_protect(mach_task_self(), addr, 16, false, VM_PROT_READ | VM_PROT_EXECUTE); //set cur protection 206 | 207 | if(kret != KERN_SUCCESS || kret2 != KERN_SUCCESS) 208 | { 209 | NSLog(@"ERROR PROTECTING"); 210 | return 0; 211 | } 212 | 213 | NSLog(@"trampoline created at %llX", (unsigned long long)addr); 214 | 215 | NSLog(@"%X | %X | %X | %X", read32(mach_task_self(),addr), read32(mach_task_self(),addr + 4), read32(mach_task_self(),addr + 8), read32(mach_task_self(),addr + 12)); 216 | 217 | return addr; 218 | } 219 | 220 | void parseMemory(vm_address_t addr, vm_offset_t length) 221 | { 222 | for(vm_address_t curAddr = addr; curAddr <= addr + length; curAddr = curAddr + 4) 223 | { 224 | uint32_t v = read32(mach_task_self(), curAddr); 225 | //NSLog(@"--- %llX = %lX", (unsigned long long)curAddr, (unsigned long)v); 226 | 227 | if(v == 0xD4001001) 228 | { 229 | NSLog(@"syscall at %8lX", (unsigned long)(curAddr)); 230 | 231 | vm_address_t trampoline = create_trampoline(curAddr); 232 | 233 | uint32_t bInstruction = b(curAddr, trampoline); 234 | 235 | MSHookMemory((void*)curAddr, &bInstruction, sizeof(bInstruction)); 236 | 237 | /* 238 | 239 | NSLog(@"syscall at %8lX", (unsigned long)(curAddr)); 240 | 241 | uint32_t blInstruction = bl(curAddr, interceptAddr); 242 | 243 | MSHookMemory((void*)curAddr, &blInstruction, sizeof(blInstruction)); 244 | 245 | */ 246 | 247 | //FF 03 01 D1 //sub pc, pc, 0x40 248 | 249 | 250 | 251 | //MSHookFunction((void*)(curAddr), (void *)syscallIntercept, (void **)&orgSyscall); 252 | 253 | /*uint32_t nop = 
CFSwapInt32(0xE00300AA); 254 | 255 | MSHookMemory((void*)curAddr, &nop, sizeof(nop));*/ 256 | 257 | uint32_t v2 = read32(mach_task_self(), curAddr); 258 | 259 | NSLog(@"new value = %llX", (unsigned long long)v2); 260 | } 261 | } 262 | } 263 | 264 | void syscallIntercept() 265 | { 266 | //NSLog(@"!!!!!!! shit works!"); 267 | 268 | __asm("svc #0x80"); 269 | 270 | //__asm("svc #0x80"); //syscall 271 | 272 | //NSLog(@"just called svc"); 273 | 274 | /*#ifdef __LP64__ 275 | __asm("mov x0, #0x42"); 276 | #else 277 | exit(42); 278 | #endif*/ 279 | 280 | 281 | 282 | /*NSLog(@"!!!!!!! shit works!"); 283 | //orgSyscall(); 284 | 285 | //volatile asm("bl =0x100967D10"); 286 | 287 | //volatile asm("bl =0xFF09670FF"); 288 | 289 | */ 290 | } 291 | 292 | %ctor 293 | { 294 | Dl_info info; 295 | if(!dladdr((const void*)syscallIntercept, &info)) 296 | { 297 | NSLog(@"ERROR FINDING POINTER!"); 298 | return; 299 | } 300 | 301 | dylibPath = info.dli_fname; 302 | interceptAddr = (vm_address_t)info.dli_saddr; 303 | 304 | NSLog(@"dylib path = %s, saddr = %llX", dylibPath, (unsigned long long)interceptAddr); 305 | 306 | #ifdef __LP64__ 307 | parseMachHeaderCommands((mach_header_64*)_dyld_get_image_header(0), _dyld_get_image_vmaddr_slide(0)); 308 | #else 309 | parseMachHeaderCommands(_dyld_get_image_header(0), _dyld_get_image_vmaddr_slide(0)); 310 | #endif 311 | } 312 | -------------------------------------------------------------------------------- /Tweak.xm: -------------------------------------------------------------------------------- 1 | //I don't know what I did to get MSHookMemory to compile, but I remember getting an updated substrate.h somewhere and linking a newer substrate version 2 | 3 | #include "substrate.h" 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | 14 | #include 15 | 16 | const char* dylibPath; 17 | vm_address_t interceptAddr; 18 | 19 | uint64_t read64(mach_port_name_t target, vm_address_t address); 20 | uint32_t 
read32(mach_port_name_t target, vm_address_t address); 21 | #ifdef __LP64__ 22 | void parseMachHeaderCommands(const mach_header_64* mh, intptr_t slide); 23 | #else 24 | void parseMachHeaderCommands(const mach_header* mh, intptr_t slide); 25 | #endif 26 | void parseMemory(vm_address_t addr, vm_offset_t length); 27 | void syscallIntercept(); 28 | volatile void space(); 29 | 30 | uint64_t read64(mach_port_name_t target, vm_address_t address) 31 | { 32 | kern_return_t r; 33 | vm_offset_t data; 34 | mach_msg_type_number_t dataCnt; 35 | 36 | r = vm_read(target, address, sizeof(uint64_t), &data, &dataCnt); 37 | 38 | if(r == KERN_SUCCESS) 39 | { 40 | return *(uint64_t*)data; 41 | } 42 | else 43 | { 44 | return 0; 45 | } 46 | } 47 | 48 | uint32_t read32(mach_port_name_t target, vm_address_t address) 49 | { 50 | kern_return_t r; 51 | vm_offset_t data; 52 | mach_msg_type_number_t dataCnt; 53 | 54 | r = vm_read(target, address, sizeof(uint32_t), &data, &dataCnt); 55 | 56 | if(r == KERN_SUCCESS) 57 | { 58 | return *(uint32_t*)data; 59 | } 60 | else 61 | { 62 | return 0; 63 | } 64 | } 65 | 66 | #ifdef __LP64__ 67 | void parseMachHeaderCommands(const mach_header_64* mh, intptr_t slide) 68 | #else 69 | void parseMachHeaderCommands(const mach_header* mh, intptr_t slide) 70 | #endif 71 | { 72 | #ifdef __LP64__ 73 | const segment_command_64* cmd; 74 | const section_64* sect; 75 | #else 76 | const segment_command* cmd; 77 | const section* sect; 78 | #endif 79 | 80 | //NSLog(@"mh = %llX", (unsigned long long)mh); 81 | 82 | uintptr_t addr = (uintptr_t)(mh + 1); 83 | 84 | //NSLog(@"addr = %llX, size = %llX", (unsigned long long)addr, (unsigned long long)sizeof(mh)); 85 | 86 | uintptr_t endAddr = addr + mh->sizeofcmds; 87 | 88 | for(int ci = 0; ci < mh->ncmds && addr <= endAddr; ci++) 89 | { 90 | cmd = (typeof(cmd))addr; 91 | 92 | addr = addr + cmd->cmdsize; 93 | 94 | if(cmd->cmd != LC_SEGMENT_64 || strcmp(cmd->segname, "__TEXT")) //We only care about __TEXT segments (do we really?) 
95 | { 96 | continue; 97 | } 98 | 99 | parseMemory(cmd->vmaddr + slide, cmd->vmsize); 100 | 101 | //NSLog(@"- segname = %s, cmd = %lX, vmaddr = %llX, vmsize = %llX, nsects = %lu, cmdsize = %lu", cmd->segname, (unsigned long)cmd->cmd, (unsigned long long)cmd->vmaddr, (unsigned long long)cmd->vmsize, (unsigned long)cmd->nsects, (unsigned long)cmd->cmdsize); 102 | 103 | if(cmd->nsects > 0) 104 | { 105 | sect = (typeof(sect))((uintptr_t)cmd + sizeof(cmd)); 106 | for(unsigned long si = 0; si < cmd->nsects; si++) 107 | { 108 | sect = sect + 1; 109 | 110 | //addr = addr + sizeof(sect); 111 | 112 | //NSLog(@"-- sectname %s, addr = %llX, offset = %llX, size = %llX", sect->sectname, (unsigned long long)sect->addr, (unsigned long long)sect->offset, (unsigned long long)sect->size); 113 | } 114 | } 115 | } 116 | } 117 | 118 | //Generates a pc relative "b" instruction based on the origin and the target passed 119 | //The offset between those may not be too big (I think +/- 2^24 at most), else the b instruction cannot be generated 120 | uint32_t b(vm_address_t origin, vm_address_t target) 121 | { 122 | NSLog(@"!b(%llX, %llX)", (unsigned long long)origin, (unsigned long long)target); 123 | 124 | int32_t offset = (target - origin) / 4; 125 | 126 | //NSLog(@"b"); 127 | 128 | //NSLog(@"origin = %llX | target = %llX", (unsigned long long)origin, (unsigned long long)target); 129 | 130 | NSLog(@"offset = %i", offset); 131 | 132 | if(offset < 0) 133 | { 134 | if((offset & 0b1111110000000000000000000000000) != 0b1111110000000000000000000000000) 135 | { 136 | NSLog(@"B ERROR: OFFSET TOO SMALL"); 137 | } 138 | } 139 | else 140 | { 141 | if((offset & 0b1111110000000000000000000000000) != 0) 142 | { 143 | NSLog(@"B ERROR: OFFSET TOO BIG"); 144 | } 145 | } 146 | 147 | uint32_t bl = 0b00010100000000000000000000000000 | (offset & 0b00000011111111111111111111111111); 148 | 149 | return bl; 150 | } 151 | 152 | //Same as above but it generates a "bl" instruction 153 | uint32_t bl(vm_address_t 
origin, vm_address_t target) 154 | { 155 | NSLog(@"!bl(%llX, %llX)", (unsigned long long)origin, (unsigned long long)target); 156 | int32_t offset = (target - origin) / 4; 157 | 158 | //NSLog(@"bl"); 159 | 160 | //NSLog(@"origin = %llX | target = %llX", (unsigned long long)origin, (unsigned long long)target); 161 | 162 | NSLog(@"offset = %i", offset); 163 | 164 | if(offset < 0) 165 | { 166 | if((offset & 0b1111110000000000000000000000000) != 0b1111110000000000000000000000000) 167 | { 168 | NSLog(@"BL ERROR: OFFSET TOO SMALL"); 169 | } 170 | } 171 | else 172 | { 173 | if((offset & 0b1111110000000000000000000000000) != 0) 174 | { 175 | NSLog(@"BL ERROR: OFFSET TOO BIG"); 176 | } 177 | } 178 | 179 | uint32_t bl = 0b10010100000000000000000000000000 | (offset & 0b00000011111111111111111111111111); 180 | 181 | return bl; 182 | } 183 | 184 | /*void volatile test() 185 | { 186 | #ifdef __LP64__ 187 | __asm("mov x30, x18"); //FE 03 12 AA 188 | __asm("mov x18, x30"); //F2 03 1E AA 189 | #endif 190 | }*/ 191 | 192 | vm_size_t ps; 193 | 194 | uint32_t pageSize() 195 | { 196 | if(ps) 197 | { 198 | return ps; 199 | } 200 | 201 | /*struct utsname u; 202 | uname(&u); 203 | host_page_size(mach_host_self(), &ps); 204 | if (strstr(u.machine, "iPad5,") == u.machine) 205 | { 206 | ps = 4096; // this is 4k but host_page_size lies to us 207 | }*/ 208 | 209 | ps = 128; 210 | 211 | return ps; 212 | } 213 | 214 | vm_address_t memStart; 215 | uint32_t memCurOff = 0; 216 | vm_address_t spaceAddr; 217 | 218 | //An attempt to allocate memory to use as jump destination. 
Wouldn't work because the offset would be bigger than 2^24 (the max offset for b) 219 | 220 | /*void allocIfNeeded(vm_address_t at, size_t size) 221 | { 222 | NSLog(@"!allocIfNeeded(%llX, %llX)", (unsigned long long)at, (unsigned long long)size);*/ 223 | /*vm_address_t at = 0; 224 | 225 | //NSLog(@"GANG"); 226 | 227 | for(vm_address_t tmpAddr = nearby; tmpAddr > 0; tmpAddr -= pageSize()) 228 | { 229 | //NSLog(@"x"); 230 | #ifdef __LP64__ 231 | vm_region_basic_info_64_t info = NULL; 232 | mach_msg_type_number_t cnt = VM_REGION_BASIC_INFO_COUNT_64; 233 | vm_address_t actAddr = tmpAddr; 234 | vm_size_t size = pageSize(); 235 | //NSLog(@"d"); 236 | kern_return_t ret = vm_region_64(mach_task_self(), &actAddr, &size, VM_REGION_BASIC_INFO, (vm_region_info_64_t)&info, &cnt, NULL); 237 | //NSLog(@"f"); 238 | #else 239 | vm_region_basic_info_t info = NULL; 240 | mach_msg_type_number_t cnt = VM_REGION_BASIC_INFO_COUNT_64; 241 | vm_address_t actAddr = tmpAddr; 242 | vm_size_t size = pageSize(); 243 | kern_return_t ret = vm_region(mach_task_self(), &actAddr, &size, VM_REGION_BASIC_INFO, (vm_region_info_t)&info, &cnt, NULL); 244 | #endif 245 | 246 | if(ret == KERN_INVALID_ADDRESS) 247 | { 248 | //NSLog(@"found %llX", (unsigned long long)at); 249 | at = tmpAddr; 250 | break; 251 | } 252 | }*/ 253 | 254 | //NSLog(@"%llX", (unsigned long long)at); 255 | 256 | /*kern_return_t kret; 257 | vm_address_t addr = at; 258 | 259 | if(((memCurOff + size) >= pageSize()) || memStart == 0) 260 | { 261 | kret = vm_allocate(mach_task_self(), &addr, pageSize(), false); //Allocate next available space 262 | 263 | if(kret != KERN_SUCCESS) 264 | { 265 | NSLog(@"Error allocating space: %i", kret); 266 | } 267 | 268 | kret = vm_protect(mach_task_self(), addr, 16, true, VM_PROT_READ | VM_PROT_EXECUTE); //set max protection 269 | 270 | if(kret != KERN_SUCCESS) 271 | { 272 | //NSLog(@"Error setting max protection: %i", kret); 273 | } 274 | 275 | kret = vm_protect(mach_task_self(), addr, 16, false, 
VM_PROT_READ | VM_PROT_EXECUTE); //set cur protection 276 | 277 | if(kret != KERN_SUCCESS) 278 | { 279 | //NSLog(@"Error setting current protection: %i", kret); 280 | } 281 | 282 | //NSLog(@"allocated zone at %llX with size %i", (unsigned long long)addr, pageSize()); 283 | 284 | memStart = addr; 285 | memCurOff = 0; 286 | 287 | NSLog(@"allocated at %llX", (unsigned long long)memStart); 288 | } 289 | }*/ 290 | 291 | vm_address_t create_call(vm_address_t origin) 292 | { 293 | NSLog(@"!create_call(%llX)", (unsigned long long)origin); 294 | vm_address_t ret = origin + 4; 295 | 296 | //allocIfNeeded(origin - 1048576, 16); 297 | memStart = spaceAddr; 298 | 299 | vm_address_t addr = (memStart + memCurOff); 300 | 301 | //NSLog(@"!!! %llX = (%llX + %i)", (unsigned long long)addr, (unsigned long long)memStart, memCurOff); 302 | 303 | //The code below works under the assumption that the x30 register is unused, there is probably a better way to do this (maybe saving all registers to the stack?) 304 | 305 | uint32_t saveX30 = CFSwapInt32(0xF2031EAA); //mov x18, x30 306 | //NSLog(@"!!! interceptCall"); 307 | uint32_t interceptCall = bl(addr + 4, interceptAddr); 308 | uint32_t loadX30 = CFSwapInt32(0xFE0312AA); //mov x30, x18 309 | //NSLog(@"!!! 
jumpBack"); 310 | uint32_t jumpBack = b(addr + 12, ret); 311 | 312 | uint32_t call[4] = { saveX30, interceptCall, loadX30, jumpBack }; 313 | 314 | //kret = vm_write(mach_task_self(), addr, (vm_offset_t)trampoline, sizeof(trampoline)); 315 | MSHookMemory((void*)addr, (const void*)call, sizeof(call)); 316 | 317 | memCurOff += sizeof(call); 318 | 319 | //NSLog(@"call created at %llX", (unsigned long long)addr); 320 | 321 | //NSLog(@"%X | %X | %X | %X", read32(mach_task_self(),addr), read32(mach_task_self(),addr + 4), read32(mach_task_self(),addr + 8), read32(mach_task_self(),addr + 12)); 322 | 323 | return addr; 324 | } 325 | 326 | void parseMemory(vm_address_t addr, vm_offset_t length) 327 | { 328 | for(vm_address_t curAddr = addr; curAddr <= addr + length; curAddr = curAddr + 4) 329 | { 330 | uint32_t v = read32(mach_task_self(), curAddr); 331 | ////NSLog(@"--- %llX = %lX", (unsigned long long)curAddr, (unsigned long)v); 332 | 333 | if(v == 0xD4001001) 334 | { 335 | NSLog(@"syscall at %8lX", (unsigned long)(curAddr)); 336 | 337 | vm_address_t call = create_call(curAddr); 338 | 339 | uint32_t bInstruction = b(curAddr, call); 340 | 341 | MSHookMemory((void*)curAddr, &bInstruction, sizeof(bInstruction)); 342 | 343 | /* 344 | 345 | //NSLog(@"syscall at %8lX", (unsigned long)(curAddr)); 346 | 347 | uint32_t blInstruction = bl(curAddr, interceptAddr); 348 | 349 | MSHookMemory((void*)curAddr, &blInstruction, sizeof(blInstruction)); 350 | 351 | */ 352 | 353 | //FF 03 01 D1 //sub pc, pc, 0x40 354 | 355 | 356 | 357 | //MSHookFunction((void*)(curAddr), (void *)syscallIntercept, (void **)&orgSyscall); 358 | 359 | /*uint32_t nop = CFSwapInt32(0xE00300AA); 360 | 361 | MSHookMemory((void*)curAddr, &nop, sizeof(nop));*/ 362 | 363 | //uint32_t v2 = read32(mach_task_self(), curAddr); 364 | 365 | //NSLog(@"new value = %llX", (unsigned long long)v2); 366 | } 367 | } 368 | } 369 | 370 | //Using anything but direct asm here will probably crash unless all registers are saved before 
calling this and restored afterwards (currently this isn't the case) 371 | void syscallIntercept() 372 | { 373 | //NSLog(@"!!!!!!! shit works!"); 374 | 375 | #ifdef __LP64__ 376 | __asm("mov x0, #0x539"); 377 | #endif 378 | 379 | __asm("svc #0x80"); //syscall 380 | 381 | //NSLog((@"!!!!!!! shit ends!"); 382 | 383 | ////NSLog(@"just called svc"); 384 | 385 | //#ifdef __LP64__ 386 | //__asm("mov x0, #0x539"); 387 | /*#else 388 | exit(42);*/ 389 | //#endif 390 | 391 | /*//NSLog(@"!!!!!!! shit works!"); 392 | //orgSyscall(); 393 | 394 | //volatile asm("bl =0x100967D10"); 395 | 396 | //volatile asm("bl =0xFF09670FF"); 397 | 398 | */ 399 | } 400 | 401 | %ctor 402 | { 403 | Dl_info info; 404 | if(!dladdr((const void*)syscallIntercept, &info)) 405 | { 406 | //NSLog(@"ERROR FINDING POINTER!"); 407 | return; 408 | } 409 | 410 | dylibPath = info.dli_fname; 411 | interceptAddr = (vm_address_t)info.dli_saddr; 412 | 413 | if(!dladdr((const void*)space, &info)) 414 | { 415 | //NSLog(@"ERROR FINDING POINTER!"); 416 | return; 417 | } 418 | 419 | spaceAddr = (vm_address_t)info.dli_saddr; 420 | 421 | //NSLog(@"dylib path = %s, saddr = %llX", dylibPath, (unsigned long long)interceptAddr); 422 | 423 | //Right now only the first image (the app binary) is parsed, it could be desirable to also parse frameworks and stuff however 424 | 425 | #ifdef __LP64__ 426 | parseMachHeaderCommands((mach_header_64*)_dyld_get_image_header(0), _dyld_get_image_vmaddr_slide(0)); 427 | #else 428 | parseMachHeaderCommands(_dyld_get_image_header(0), _dyld_get_image_vmaddr_slide(0)); 429 | #endif 430 | } 431 | 432 | 433 | //By far not the best solution, but the only thing that I could get working with a low enough offset for the b instruction to work (800 bytes for now) 434 | //This is overwritten at runtime in the create_call function 435 | //In order for this intercept thing to fully work, it would be needed to figure out a way to allocate memory that can be jumped to, then this wouldn't be needed 436 | 
//Backing store for the call stubs that create_call() writes at runtime. The body is a
//sled of 808 `nop` instructions (101 rows of 8). On the __LP64__ (arm64) build each
//instruction is 4 bytes, so the sled is 3232 bytes: room for 202 of the 16-byte stubs
//(uint32_t call[4]) that create_call() lays down with MSHookMemory starting at
//spaceAddr, which %ctor resolves from this symbol via dladdr()/dli_saddr. The nops are
//never meant to run as written; the function exists only so the tweak owns a region in
//its own __TEXT segment that a 26-bit pc-relative `b` from the patched image can reach.
//
//NOTE(review): create_call() advances memCurOff by sizeof(call) on every patched
//`svc #0x80` site but never compares it with the size of this sled, so an image with
//more than 202 sites would have stubs written past the end of space() into whatever
//the linker placed after it. A bound check against the sled size (or the 800-byte
//figure quoted in the comment above, whichever is intended) belongs in create_call()
//before its MSHookMemory call.
//
//`volatile` on a function return type is a non-standard qualifier (clang warns about
//it). The nops survive optimisation regardless: basic __asm statements with no operands
//are treated as volatile by GCC/clang and are not removed. On a 32-bit build the per-nop
//size and therefore the stub capacity differ from the arm64 figures given here.
volatile void space()
{
    //808 x nop; one row = 8 instructions = 32 bytes on arm64. Keep the row count in
    //sync with the capacity figures in the header comment if the sled is resized.
    //rows 1-10
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 11-20
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 21-30
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 31-40
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 41-50
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 51-60
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 61-70
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 71-80
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 81-90
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //rows 91-100
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
    //row 101 (last)
    __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop"); __asm("nop");
}
--------------------------------------------------------------------------------