#development

bool is_rootless()
{
    static bool gorn;
    if (!gorn) {
        // check

        gorn = true;
    }
}```

bool is_rootless() {
  return access("/var/jb/.procursus_strapped");
}

😄

bloat but sure

it is dumbass

thats a .bss variable

yeah

no shit

and is guaranteed to be 0

or .data one of the two

bool is_rootless()
{
    static bool gorn;
    static bool actual;
    if (!gorn) {
        // check
        actual = access(...);

        gorn = true;
    }

    return actual;
}```

there

pre configured for the skid

i just don't know where id put it

to run once

literally copy that

and rename it how you want

oh shit

static

L

that way you keep the state encapsulated

and you cant overwrite it

bool is_rootless() {
  static bool didRun;
  static bool ret;
  if (!didRun) {
    ret = access("/var/jb/.procursus_strapped", F_OK) == 0;
    didRun = true;
  }
  return ret;
}

set did run at the end and yes

die

gotem

// before
if (access("/usr/lib/libhooker.dylib", F_OK) == 0)

// after
if (access(is_rootless() ? "/usr/lib/libhooker.dylib" : "/var/jb/usr/lib/libhooker.dylib", F_OK) == 0)

would it be like that

yea but reverse it

im slow

LMAO

nah

!is_rootless()

ok

i would also write wrapper functions

get_lib_directory() + "libhooker.dylib" for example

or get_file_from_lib(...)

some bullshit like that

@tepid olive nice

Yet another tweak

idk how C works

TROL

std::string supports that perfectly

access is C

what

this is the worst possible way to detect rootless

yeah

test if you can delete /

nah

just update it to search through every file in teh system

and get the filepath from name

make a NSDictionary

thats some captware

dont use a '

youre not talking about possession

learn ENGLISH

this is real

AEAssessmentIndividualConfiguration isEqual:

https://developer.apple.com/documentation/foundation/filemanager/1416680-iswritablefile

real

just check if you can write to /Applications

setuid(0) problem solved

why not become root

free power

@primal perch ```C
const char *new_path(const char *path) {
// check if rootless
if (access("/var/jb/.procursus_strapped", F_OK) == 0) {
// append /var/jb/ to path
NSString *new_path = [NSString stringWithFormat:@"/var/jb/%s", path];
return [new_path UTF8String];
}
return path;
}

something like that?

use is_rootless in this itself

bool is_rootless() {
    static bool didRun;
    static bool ret;
    if (!didRun) {
        ret = access("/var/jb/.procursus_strapped", F_OK) == 0;
        didRun = true;
    }
    return ret;
}

const char *new_path(const char *path) {
    // check if rootless
    if (is_rootless()) {
        // append /var/jb/ to path
        NSString *new_path = [NSString stringWithFormat:@"/var/jb/%s", path];
        return [new_path UTF8String];
    }
    return path;
}

ya

im strapped daddy

based hayden

as always

for pid in processes {
  setuidpid(pid, 0)
}

Problem solved

oh now you change your mind

cuz daddy hayden said so

capt is a bottom

hes a gamma male

gorn

you won't sleep well you know that right

yeah ill just wait until @lime pivot fixes it

kirb merge my theos PR challenge

failed

@indigo peak https://github.com/opa334/CCSupport/blob/master/Tweak.xm#L8-L36

thats valid

MEOW MEOW MEOW @worn cradle

real ios framework

becoming a jb dev now

fr

smh it does actually useful stuff

@indigo peak how does the valid cmd+c cmd+v going?

https://media.discordapp.net/attachments/688121419980341282/1050704880165191690/ezgif-4-356ae84c4b.gif

not doing anything

im scrolling on my phone now

the io kittens were a trap

COCK

Anybody knows how does iSH keep itself running an background and not get terminated? I remember reading somewhere when iSH just came out it was constantly requesting geo data from ios, but I'm not sure where to find that code and if it still works

CLLocationManager is where you'd want to start looking

you can request coarse location, and never un-request it, so effectively you're asking for continuous background notifications forever

coarse won't drain battery because it's just triangulating based on cell towers and wifi SSIDs near the phone

well, it still has to go and send that data to Apple if it detects a significant change

that's exactly what I was concerned about

thanks

but it's negligible when you're already asking for the CPU and radios to be kept alive I suppose

ok so do i pr cephei rootless
or will you do it

mr upside down

🙃

actually would help if you could since I can't test it currently

sick

@naive kraken would i be able to use you NSString* getRootPath(void) from CCSupport to update libCephei to work rootless

@lime pivot can i use a function from CCSupport of opa334 gives permission

hmm

what does the function do?

should be fine though

basically

you call getRootPath

just if exists /var/jb --> /var/jb else --> /

?

yeah

literally yeah

should be fine

https://github.com/opa334/CCSupport/blob/master/Tweak.xm#L8-L36

since its done by an actual dev the function will be actually good

and not shit

yk

https://fxtwitter.com/opa334dev/status/1600405423604920320

oh shit

im sorry opa

real

real

as always opa beat you to the punch

shut up and give idea

gorn app

it curates the best gay porn

why is that so true

bet

ok whatever we do tho

we need to call it gorn

deadass

True

brb stealing name for my LS tweak

should i just make a header file called getRootPath

getRootPath.h & getRootPath.m

No that’s bloat and will slow down compilation by multiple milliseconds

not funny

only funny when shep says it

it’s only funny when you believe it

real

me downloading a 14GB file in 2 mins

thanks gigabit

is it gorn by any chance

no

macos 12.6 ipsw

🧢

let's do Rootless.h/m

bet

cumless

@lime pivot

/home/fiore/theos/vendor/include/LightMessaging/LightMessaging.h:25:2: error: definition of configuration macro 'ROCKETBOOTSTRAP_LOAD_DYNAMIC' has no effect on the import of 'RocketBootstrap'; pass '-DROCKETBOOTSTRAP_LOAD_DYNAMIC=...' on the command line to configure the module [-Werror,-Wconfig-macros]
#include "../rocketbootstrap/rocketbootstrap.h"

trying to build cephei

oh yeah I guess that's new

yeah so that define will need to be moved to the makefile

in ADDITIONAL_CFLAGS

then remove the #define line wherever it is

ADDITIONAL_CFLAGS += ROCKETBOOTSTRAP_LOAD_DYNAMIC=1?

add -D on the start of that

don't think it needs a value actually

just define it without =1

  "___isOSVersionAtLeast", referenced from:```

pins

true

writing asm today

posix spawn asm patch

all I can say is good luck

it’s so hard

almost done

lmk if you need any help

not with asm though

it didnt work

ok i lied

it works

now my own code doesnt work

wtf

i have no idea why this shit isnt working

// Rootless.m
#include "Rootless.h"

NSString* getRootPath(void) {
  // blah
}

// Rootless.h
NSString* getRootPath(void);

// prefs/SomeController.m
#import "../Rootless.h"

getRootPath();

Undefined symbols for architecture armv7:
  "_getRootPath", referenced from:

like

it should work

ew

copy and paste

¯_(ツ)_/¯

lied again

it doesnt work

bro

im gonna end my life

this is so stupid

why wont it work

it should be tho

https://github.com/evelyneee/ellekit/blob/main/loader/patch.s

Ew

@lime pivot what's your plan for building iphoneos-arm64 debs in theos?

Do you know how you're going to do it, if at all?

honestly, not really…

Is the Architecture field set by theos or by the control file at the root?

control

I'm super undecided on how support for side-by-side arm and arm64 package building should be architected

(if it should even be a Theos feature at all)

because all the templates will have architecture iphoneos-arm in their control, unless you're building for 15+, in which case the control will be a lie and it's actually iphoneos-arm64

make it extern in the header maybe? idk, try putting wrong code into the getRootPath func and check if there is a compiler error, if not then the file isn't being compiled

what

i eat pussy like a starving animal

i cant get __isOSVersionAtLeast to work

wtf

that won't work on linux

only on macOS and latest iOS

or you need to add like compiler-rt or something like that

.

i put the pinned code in a header file but now it says duplicated symbol or something

should stick it in a .m

otherwise it'll indeed be duplicating it for each time it's imported

.

makes sense

i just dont know which one to put it in

.

real

i legit got it to work yesterday

i dont remember which file i put it in tho

😭

Wen eta saily in loader.app 😭

at this rate never

@lime pivot ```SH
==> Linking tool hbprefs (armv7)…
ld: library not found for -lcrt1.3.1.o
clang-10: error: linker command failed with exit code 1 (use -v to see invocation)
make[4]: *** [/home/fiore/theos/makefiles/instance/tool.mk:20: /home/fiore/libcephei/.theos/obj/debug/armv7/hbprefs] Error 1
make[3]: *** [/home/fiore/theos/makefiles/instance/tool.mk:20: /home/fiore/libcephei/.theos/obj/debug/armv7/hbprefs] Error 2
make[3]: *** Waiting for unfinished jobs....
==> Linking tool hbprefs (arm64)…
Undefined symbols for architecture arm64:
"start", referenced from:
implicit entry/start for main executable
ld: symbol(s) not found for architecture arm64

can't even get Cydia 2 in the loader

ugh not again

you'll have to just edit the makefiles to bump the TARGETs to something way higher

it's my fault for making it run on old ass iOSes

waht version do you recc

fianlly

got it to compile

changed it from 5.0 to 6.0

After windows build

Bro really said iOS 5

bro really did, sadly

i tried both ,and nothing changed

like it errored

I mean hey, rootless is my chance

and extern changed nothing

like its being compiled & erroring

whatever

made something up

somehow worked

lmao

ALL THE BREAKING CHANGES TO MY HEARTS CONTENT

Rootless is really our chance to fix everything we hate about the current setup. But no! Xina wants to use saily

indeed, we should've had rootless years ago

@lime pivot id also need to change the shell scripts to account for rootless

ex: ln -s /usr/lib/Cephei

xina prefers Saily because the dev speaks chinese, xina has no problem with supporting other package managers though

I know

I've been talking to him

ah

support other package managers that will break your phone becuase they're made by people that never read docs 💪🏼💪🏼

https://youtube.com/shorts/I_gFzWgC1Ss found @zenith hatch’s channel

???

Jk

Your code would never look that clean

Hey everyone, i have been a bit out of the loop for the past few months.
I am starting to get emails about some of my tweaks from people that use the new iOS 15 jailbreak.
they report that the preferences are not saving correctly. (when they change a value and go back to settings it wont save)
any ideas on what have changed on this new jailbreak? perhaps the location of saved preferences plist files?

where is your hook that's reading the preferences? maybe in a system app?

I am reading the preferences on the Springboard, but it sounds like the preferences file is not saved correctly so that's not the issue

One of the tweaks with this issue is open sourced: https://github.com/gilshahar7/ExactTime

well I'm unsure about the specifics but directly reading a plist has always been discouraged

Ah

I know the issue

I suspect that the issue is with the readPreferenceValue and setPreferenceValue on this file
https://github.com/gilshahar7/ExactTime/blob/master/exacttimeprefs/ExactTimeprefs.mm

In your pref bundle you write to /User/Library

/User has never been guaranteed to exist

And will never exist on iOS 15 due to SSV

So change that to /var/mobile/Library

Awesome, that sounds reasonable. Thank you 🙂

why isn't it using recursion

@grave sparrow tell me whats wrong now

https://github.com/evelyneee/ellekit/blob/main/loader/patch.s

i did more stuff

if that patch actually works it's fine for the first time writing raw assembly, adhering to conventions & proper assembly code-style should be secondary and the next stage in development

(imo)

ah, then rework is needed but I wouldn't necessarily push for the hard reset. correcting the mistakes as the code is now would probably be more fruitful, i'm not too deep into arm64 asm

the x64 bits are ... well they could use some love too

No

I am gonna clean this up after, I know I can’t use those registers

I don’t see why making a string with bytes is bad though?

Read the code

There are hardcoded addresses

Because I am not finished

I know

Stop thinking I’m this stupid

Lmao

The dyld slide doesn’t change so I hardcode it to accelerate development

Not in my experience

No

Yes

The code is right there

I still don’t see what’s wrong dude

Except the calling conv

Which I will fix

It does set the env correctly

Unused

It was used to test string alloc

No

It executes the first instructions before jumping back

Which isn’t a problem

The lr thing is temporary as well

This is a instruction of posix spawn

I can’t omit it

It has to be ran before jumping back

Otherwise it’s skipping 5 instructions

I am 100% sure that part is correct

I do

Dude

Please

What’s wrong with strings made with ascii bytes

Why?

How do you think ascii works

😭

No because that would require doing cursed disassembly to make the compiler work as intended

?

Ok

Wow your knowledge is awesome

this is unnecessary pain

about this

i strongly doubt launchd has a env string set already

like it surely doesn’t

How do i convert epoch time to yyyy:mm:dd hh:mm:ss

Arduino, so basically c++

if it did then that would be after a userspace reboot, and it would be set to something the right path already

capt everything you’re talking about assumes that there is undefined behaviour but this is only one process that runs the same everywhere

there is probably a github gist somewhere

with all the code

I tried using the Time.h Library that the arduino ide should have by default, but "DateTime" was not declared in this scope

Copium

or it might not be updated

if so

im f dead

Poggers

Do I need to fix this "ld: warning: object file /home/me/work/sidestatus/.theos/obj/debug/arm64e/Tweak.xm.a6b474a9.o was built with an incompatible arm64e ABI compiler" if I want my tweak to work on arm64e?

ig it doesnt support the esp8266

Tho im eventually moving to a uno with an eth shield, so maybe thats gonna fix it...?

You’re telling me that I’m supposed to consider that a user will debug launchd?

@grave sparrow I need to intercept xpc messages on iOS, how do I do that?

Apparently I have clang 13?

So am I fine?

PAC sucks

xpc spy

frida-ps -U rebooted my device 💀

how

how

what jailbreak are you using

cause I know Frida just doesn't work on any coolstar jailbreak

checkra1n

I got xpcspy working

wait, how do I use this? 😭

http://newosxbook.com/tools/XPoCe2.html

the discord admin educates the advanced developer

it doesnt work on u0 either for me anymore

frida ios really fell off

I know why it doesn't work on star's

but it was literally built for u0 more than anything so

x86_64 only

It says it installed the hooks into launchd but I'm not seeing anything

@vivid dew hiii pac nerd can you help

how do I sign a pointer to a string on arm64e with raw instructions

depends

what type of signed pointer is the target expecting

schizo

https://cdn.discordapp.com/emojis/1050654079845679185.webp?size=128&quality=lossless

Justin Trudeau

fr

Ok

Idrc

How would I resign the environ pointer

IDK

KDI

I am so tired of PAC why does it exist

security

trolling purposes

https://media.discordapp.net/attachments/688121419980341282/1041581826399010836/scube.gif

userland pac is low key useless

just assume the pointer was never signed in the first place

i mean is it though

it usually isn't

its making whatever ur tryna do extra difficult

https://cdn.discordapp.com/emojis/740294488580292690.gif?size=96&quality=lossless

capt inc writing a whole essay for one post

uhhh, you can start by hooking xpc_pipe_routine() and print the 2nd argument, which is the message to be sent

i’m not really sure about intercepting messages that are received, but you can start by hooking xpc_pipe_receive() and logging that? potentially?

extern int xpc_pipe_simpleroutine(xpc_object_t pipe, xpc_object_t message);

#if __has_feature(objc_arc)
extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, __strong xpc_object_t *reply);
#else
extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, xpc_object_t *reply);
#endif

#if __has_feature(objc_arc)
extern int xpc_pipe_receive(mach_port_t port, __strong xpc_object_t *message);
#else
extern int xpc_pipe_receive(mach_port_t port, xpc_object_t *message);
#endif

xpc_pipe_routine sends a message and waits for a reply synchronously. xpc_pipe_simpleroutine is similar, but does not expect a reply & returns immediately

note that xpc_pipe_routine() calls an underlying function: _xpc_pipe_routine() (prefixed underscore).

you may find better luck hooking the underlying function instead, but who knows. note that the underlying function has the message as the 3rd arg instead of the 2nd arg

uhhh, you can start by hooking xpc_pipe_routine() and print the 2nd argument, which is the message to be sent

i’m not really sure about intercepting messages that are received, but you can start by hooking xpc_pipe_receive() and logging that? potentially?

extern int xpc_pipe_simpleroutine(xpc_object_t pipe, xpc_object_t message);

#if has_feature(objc_arc)
extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, strong xpc_object_t reply);
#else
extern int xpc_pipe_routine(xpc_object_t pipe, xpc_object_t message, xpc_object_treply);
#endif

#if has_feature(objc_arc)
extern int xpc_pipe_receive(mach_port_t port, strong xpc_object_t message);
#else
extern int xpc_pipe_receive(mach_port_t port, xpc_object_tmessage);
#endif

xpc_pipe_routine sends a message and waits for a reply synchronously. xpc_pipe_simpleroutine is similar, but does not expect a reply & returns immediately

note that xpc_pipe_routine() calls an underlying function: _xpc_pipe_routine() (prefixed underscore).

you may find better luck hooking the underlying function instead, but who knows. note that the underlying function has the message as the 3rd arg instead of the 2nd arg

https://www.youtube.com/watch?v=-9qaEobN5-8

#include <stdio.h>
#include <stdlib.h>
#include <xpc/xpc.h>
typedef xpc_object_t xpc_pipe_t;

#include "fishhook.h"

kern_return_t
xpc_pipe_routine(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply);

kern_return_t (*old_xpc_pipe_routine)(xpc_pipe_t, xpc_object_t, xpc_object_t*);

kern_return_t
hook_xpc_pipe_routine(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply)
{
    kern_return_t ret = old_xpc_pipe_routine(pipe, request, reply);
    char *requeststr = xpc_copy_description(request);
    fprintf(stderr, "REQUEST: %s\n", requeststr);
    free(requeststr);
    char *replystr = xpc_copy_description(*reply);
    fprintf(stderr, "REPLY: %s\n", replystr);
    free(replystr);
    return ret;
}

kern_return_t
xpc_pipe_routine_with_flags(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply, uint32_t flags);

kern_return_t (*old_xpc_pipe_routine_with_flags)(xpc_pipe_t, xpc_object_t, xpc_object_t*, uint32_t);

kern_return_t
hook_xpc_pipe_routine_with_flags(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply, uint32_t flags)
{
    kern_return_t ret = old_xpc_pipe_routine_with_flags(pipe, request, reply, flags);
    char *requeststr = xpc_copy_description(request);
    fprintf(stderr, "REQUEST: %s\n", requeststr);
    free(requeststr);
    char *replystr = xpc_copy_description(*reply);
    fprintf(stderr, "REPLY: %s\n", replystr);
    free(replystr);
    printf("FLAGS: %i\n", flags);
    return ret;
}

__attribute__((constructor))
static void ctor(void) {
    struct rebinding rebindings[] = {
        {"xpc_pipe_routine_with_flags", hook_xpc_pipe_routine_with_flags, &old_xpc_pipe_routine_with_flags},
        {"xpc_pipe_routine", hook_xpc_pipe_routine, &old_xpc_pipe_routine}
    };
    rebind_symbols(rebindings, 2);
    fprintf(stderr, "Hooked!\n");
}

I figured it out without you

I couldn't get xpcspy to work

did apple start symbolicating ios 16 kcaches or something

cuz the one i just dropped in has almost all the symbols as the ios 14 one

rare based move from apple

it crashes with authentication failure

fishhook

ok now disassemble the function where it crashes and find what instruction is being used to auth the pointer

it shouldn’t actually be crashing though

you can pass a pointer from arm64 processes and it works

what

Ok nvm

Fixed it by stripping

I don't have any hooking lib installed

But it crashes somewhere else

trolling

KERN_INVALID_ADDRESS at 0xf1060001000b0000 -> 0x00000001000b0000 (possible pointer authentication failure)

0x00000001000b0000 is the posix_spawn pointer

What does it mean

you passed a signed pointer where you shouldnt have

It's a function pointer tho

No wait

fr

It's the PC register??

Bro.

Zefram code leak

yes

do i use blraa

second one

authenticate then jump

i'm loading an unsigned pointer in x16

I did that

And it crashed

yes

is the pointer signed or not

can mach_vm_address_t be signed

as in, the address where i've allocated memory

no

so basically i'm jumping to a executable page that i just allocated

should i be signing with the asia key

nooo

if you're in control of the jump like that you don't need to sign anything

yes

if you pass it out to something following normal abi then you need to sign it

And it's a blr

But it dies when I do a ret

I put it back yeah

you need uhh

When I ret in the function where I jumped

retab then

authenticate lr then return

why

No

I removed it

I am just doing retab

With a blr

I pushed it again

https://github.com/evelyneee/ellekit/blob/main/loader/patch.s

wtf

fixed it again

mb

it’s done in the spawn prefix macro

where is it crashing now

xina crashes when anything is reading syslog

shit jb

i don’t need it

why

haven't seen capt like this since the beta alert

1.1.3.6 fixed that for me

ive only used 1.1.3.6

and thats what its crashing on

Real

Console.app was always fine tho

Idk if you have access to that

you buying me a mac

while poking over the cursed changes I reminded myself again that it gladly deletes the dpkg lockfiles

and using force options in dpkg!

the ret makes it go back

and they don't know how a dist repo works!

https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_What_can_be_done_when_the_dpkg_lock_is_held.3F

since it’s blr

Removing the dpkg lock files is never a correct solution

most of the time I've seen people get this is when they have two apt instances running

and newer versions of apt don't lock nearly as much regardless

which, turns out, isn’t supported, and shouldn’t be overridden to make it work!

it’s almost as if the feature exists for a reason, or something like that

@lime pivot im not going to try and get cephei on ios 15 working, that requires a lot of work idk how to do

if you wanna just PR that one thing that’s cool with me

or whatever you got working so far

it changed nothing

nothing works

lmao

idk why

lmao sounds good to me

can we just agree to keep preferences in the /var/jb path instead of whatever is going on now

no /var/mobile whatever please 😭

based

tell that to cfprefsd, lol?

ill tell cfprefsd to get fucked

actually making a cfprefsd hook to save all prefs with a non apple prefix in /var/jb would be very easy

but then again hooking cfprefsd is broken on xina 🙂

also /var/jb/var points back to /var

in an ideal world we'd store prefs in /var/jb/var/mobile/Library/Preferences

idk what Xina is doing, I'm not quite sure he does either

yeah everything should just be whatever the old path was + jb prefix

I mean, he's looking into fixing cfprefsd now just so I can get Crane working so that's something

isn’t ret just mov pc lr

Well it has to trigger the cpu to change pc based on lr too so mov + jump

True

@primal perch whats broken w birdpoop rn

okay

i just don’t get it anymore

there must be a stupid mistake somewhere

the lr triggers a pointer authentication failure

How would I sign my lr

i guess i use the discriminator

no

i mean right now i’m tryna do the direct jump

unsigned address

but it crashes

posix spawn + 20

skipping the first jump to the replacement

it never reached it though, the branch itself crashes the process

the one that jumps back to posix spawn

i am doing br x16 now

that’s the thing it just won’t go back

Okay wait

If I compile for arm64, posix spawn outputs bad address as an error

but it shows that something is wrong with envp

Ok it is fixed

Idk how the fuck

But it is

that's what i did

almost works

Pushed the current thing

Going to bed now

Too bad i guess

I’ll just do malloc memcpy

that’s work for later

the offsets are off for like 1/2 of them

i updated them to what i thought was correct but tested and crashed

didnt test f urther

Nvm I figured it out, my tweak couldn’t find the preference bundle and it causes respring loop on xina

The other error idk

I removed fishhook

#include <stdio.h>
#include <stdlib.h>
#include <xpc/xpc.h>
typedef xpc_object_t xpc_pipe_t;

#define DYLD_INTERPOSE(_replacement,_replacee) \
   __attribute__((used)) static struct{ const void* replacement; const void* replacee; } _interpose_##_replacee \
            __attribute__ ((section ("__DATA,__interpose"))) = { (const void*)(unsigned long)&_replacement, (const void*)(unsigned long)&_replacee };

kern_return_t
xpc_pipe_routine(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply);

kern_return_t
hook_xpc_pipe_routine(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply)
{
    kern_return_t ret = xpc_pipe_routine(pipe, request, reply);
    char *requeststr = xpc_copy_description(request);
    fprintf(stderr, "\033[32mREQUEST: %s\033[m\n", requeststr);
    free(requeststr);
    char *replystr = xpc_copy_description(*reply);
    fprintf(stderr, "\033[31mREPLY: %s\033[m\n", replystr);
    free(replystr);
    return ret;
}

DYLD_INTERPOSE(hook_xpc_pipe_routine, xpc_pipe_routine);

#ifdef WITH_FLAGS
kern_return_t
xpc_pipe_routine_with_flags(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply, uint32_t flags);

kern_return_t
hook_xpc_pipe_routine_with_flags(xpc_pipe_t pipe, xpc_object_t request,
    xpc_object_t *reply, uint32_t flags)
{
    kern_return_t ret = xpc_pipe_routine_with_flags(pipe, request, reply, flags);
    char *requeststr = xpc_copy_description(request);
    fprintf(stderr, "\033[32mREQUEST: %s\033[m\n", requeststr);
    free(requeststr);
    char *replystr = xpc_copy_description(*reply);
    fprintf(stderr, "\033[31mREPLY: %s\033[m\n", replystr);
    free(replystr);
    fprintf(stderr, "\033[32mFLAGS: %i\033[m\n", flags);
    return ret;
}

DYLD_INTERPOSE(hook_xpc_pipe_routine_with_flags, xpc_pipe_routine_with_flags);
#endif

(the _with_flags function is only on iOS 13+ and I needed to run it on iOS 12)

Beat this

(All to the same email)

Same

Maybe github accidentally sent 4 emails to everyone

same content in all 4

is mshookfunction working with xina jailbreak ?

I sill beat you

No, you need to use LibHooker functions

any documentation or example for it ?

I can give you an example

and link the docs

just give me a few

I just got out of bed

xina has both substitute and libhooker for whatever reason

Really?

https://libhooker.com/docs/

so when you use MSHookFunction it calls to substitute and LHHookFunction goes to libhooker

I didnt get mshookmemory to work

Yeah substitute is half broken

no embed, sad

Xina should just drop it and include a substrate libhooker shim

that would be much better

i tried to hook a mangled name class (from ida) but not working with %hookf
apps crashing when launch

i need rootless injector for checkm8 devices

my arm64e is 15.4.1 so not ready yet

#import <libhooker/libhooker.h>

struct LHMemoryPatch patch;
patch.destination = offset;
patch.data = new_memory;
patch.size = sizeof(new_memory);
patch.options = NULL;

LHPatchMemory(&patch, 1);

@naive kraken is this the "best" way to check if the device uses libhooker or should default to substitute

bool hasLibhooker(void) {
    if (access("/.procursus_strapped", F_OK) == 0 || access("/var/jb/.procursus_strapped", F_OK) == 0) {
        return true;
    }
    return false;
}

absolutely not

I just try to dlopen libhooker and dlsym LHHookFunctions

thanks for your effort @indigo peak

and if that exists I use it, and if not I use MSHookFunction

(coolstar doesn't like this, but it seems to work for me so far)

cephei uses this
if (access("/usr/lib/libhooker.dylib", F_OK) == 0)

whats alternative MSFindSymbol in libhooker ?

prob LHFindSymbols

ellekit

no symbol finder tho

symbol finders are largely broken anyways

it works otherwise

MSFindSymbol doesn't work correctly on libhooker for me

lhhookfunctions is more optimized than on libhooker

coolstar apparently doesn't even reuse pages

why not RTLD_NOLOAD

wen eta ellekit xd

wouldnt just dlopen be enough

it's out

https://github.com/evelyneee/ellekit

problem is, you can't link both substrate and libhooker

@marble perch we need a procursus package

pls

So using LHHookFunctions directly will break substrate and substitute

unless you depend on like libhooker compatiblity shim

weak symbols exist

void HookMemory(Class class, SEL selector, uint64_t offset, uint32_t data) {
    void *final_offset = (void *)[class instanceMethodForSelector:selector] + offset;
    
    if (hasLibhooker()) {
        struct LHMemoryPatch patch;
        patch.destination = final_offset;
        patch.data = &data;
        patch.size = sizeof(data);
        patch.options = NULL;

        LHPatchMemory(&patch, 1);
    } else {
        MSHookMemory(final_offset, (const void *)&data, sizeof(data));
    }
}

this seems to work

idk what youre talking about

won't work correctly

If libhooker is not installed, the dylib won't load

you can also use mach apis

(better to not do that)

why

never works correctly

that's what MS and LH do

and on some jailbreaks the memoryhooker functions do way more

signing pages and stuff

Nobody does this

substrate does

Libhooker doesn't and it's fine

i dont get it

only because of the jailbreak supporting it

im checking to see if the file exists

and if not

Huh?

default to substitute

if you call LHHookFunctions directly, this means you link libhooker

What does Taurine do more

Set CS_DEBUGGED for everyone?

does someone here have a substitute device

that can test smth for me

do otool -L on the binary

no need to test anything

if libhooker is in there, it won't load if libhooker is not installed

if you want to make your dylib determine whether to use libhooker or substrate at runtime, you need to stop linking libhooker and use dlopen and dlsym to get the pointer to LHHookFunctions and then call that

but as I said, coolstar does not like this, not entirely sure why

@rpath/libhooker.dylib (compatibility version 0.0.0, current version 0.0.0)

yep

this means when your dylib loads, libhooker gets loaded too

and if libhooker doesn't exist, dyld will refuse to load your dylib

there u go both apis

oh i get it

why are you using lh api tho

idgi

it makes sense now

because xina jb is unfinished and the substrate api is half broken on it

how

because instead of shipping a shim, it ships both libsubstitute and libhooker

what did they do

LMAO

hii

libellekit in /usr/lib

libsubstrate and libhooker symlink (in another package?) possibly?

libinjector in /usr/lib as well

it can't run completely independently sadly

almost done

It implements libsubstrate and libhooker

is the symbol for LHPatchMemory just _LHPatchMemory

when you use dlsym, no _ at the front

besides, yes

I could do the substitute API as well

I just doubt anyone uses it?

don't think any tweak has ever used libsubstitute directly

not even bingners own tweaks lol

sounds good

There's only the Swift API for that

I'm not providing a stable API atm

@naive kraken

bool hasLibhooker() {
    static void (*_LBHookMessage)(Class, SEL, void*, void*);
    if (!_LBHookMessage) {
        void *handle = dlopen("/usr/lib/libsubstrate.dylib", RTLD_LAZY);
        _LBHookMessage = dlsym(handle, "LBHookMessage");
    }
    if (_LBHookMessage) {
        return true;
    }
    return false;
}

i have 0 idea if thats right or not

guess what guys

i got the injector loading

hm

now i have to do little thingies and i can put it in launchd

yeah looks ok

now i need to make it check /usr/lib and or /var/jb/usr/lib

is that work with xina jailbreak ?

it dies on launchd

so fun

oh forgot to lock

int (*__LHHookFunctions)(const struct LHFunctionHook *hooks, int count);

int HCHookFunctions(const struct LHFunctionHook *hooks, int count)
{
    static dispatch_once_t onceToken;
    dispatch_once (&onceToken, ^{
        void* lhImage = dlopen((rootifyCPath("/usr/lib/libhooker.dylib")), RTLD_NOW);
        if(lhImage)
        {
            NSLog(@"picking libhooker");
            // this is illegal according to coolstar but it works
            __LHHookFunctions = (void*)dlsym(lhImage, "LHHookFunctions");
            NSLog(@"__LHHookFunctions = %p", __LHHookFunctions);
        }
        else
        {
            NSLog(@"not picking libhooker");
        }
    });

    // if libhooker is available, use it
    if(__LHHookFunctions)
    {
        return __LHHookFunctions(hooks, count);
    }
    // otherwise, fall back to substrate
    else
    {
        for(int i = 0; i < count; i++)
        {
            struct LHFunctionHook hook = hooks[i];
            MSHookFunction(hook.function, hook.replacement, hook.oldptr);
        }
        return 0;
    }
}

this is what I do

huh

NSString* getRootPath(void)
{
    static NSString* rootPath = nil;

    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^
    {
        NSFileManager* fileManager = [NSFileManager defaultManager];
        NSDictionary* attributes = [fileManager attributesOfItemAtPath:@"/var/jb" error:nil];
        if(attributes)
        {
            NSString* fileType = attributes[NSFileType];
            if([fileType isEqualToString:NSFileTypeSymbolicLink])
            {
                NSString* destination = [fileManager destinationOfSymbolicLinkAtPath:@"/var/jb" error:nil];
                if(![destination isEqualToString:@"/jb"] && ![destination isEqualToString:@"/jb/"])
                {
                    rootPath = destination;
                }
            }
        }
        if(!rootPath)
        {
            rootPath = @"/";
        }
    });

    return rootPath;
}

NSString* rootifyPath(NSString* path)
{
    return [getRootPath() stringByAppendingPathComponent:path];
}

const char* rootifyCPath(const char* cPath)
{
    NSString* path = [NSString stringWithUTF8String:cPath];
    return rootifyPath(path).fileSystemRepresentation;
}

ok uhhhh

how am i supposed to debug now

whats the performance diff between dispatch_once & not using it at all

uh idk

just good practice

just copy all of that tbh

works fine (at least from what I tested)

then just call HCHookFunctions instead of MSHookFunction / LHHookFunctions

Or libiosexec

i can do this just send what i have to do

ok i'll use a vmapple to test

assigning to 'int (*)(const struct LHFunctionHook *, int)' from incompatible type 'void *'

I assume this is because you are using it from objc++

just put a cast there

lol

thanks

@naive kraken Any idea why I can't attach lldb to launchd?

I get attach failed ((os/kern) invalid address)

SIP off, arm64e enabled

uhh

no idea

maybe launchd doesn't like being debugged

Sad

How would I get a backtrace otherwise

@tepid olive you may be able to dtrace it

@naive kraken converted it to hook memory & not hook functions

int HookMemory(const struct LHMemoryPatch *patches, int count)
{
    static dispatch_once_t onceToken;
    dispatch_once (&onceToken, ^{
        void* lhImage = dlopen((rootifyCPath("/usr/lib/libhooker.dylib")), RTLD_NOW);
        if(lhImage) {
            __LHPatchMemory = (void*)dlsym(lhImage, "LHPatchMemory");
        }
    });

    // if libhooker is available, use it
    if(__LHPatchMemory) {
        return __LHPatchMemory(patches, count);
    } else {
        for(int i = 0; i < count; i++)
        {
            struct LHMemoryPatch patch = patches[i];
            MSHookMemory(patch.destination, patch.data, patch.size);
        }
        return 0;
    }
}

right ty

okay i don’t get it anymore

works in every arm64e remote process, but not launchd

i’m so close to having this work

the patch is installed, it just does nothing atm for some reason

is there any way to call native c++ or c function in framework with tweak?

Yeah just put the function definition in a header

function is not in header file. i found it in ida

is the symbol exported

looking like symbol bcs start with _

well, if you are in ida, check the exports tab

the symbol starting with _ is not a good indicator of whether it is exported or not

function looking in export

ok

next, what SDK are you using

ios 11.4

that's your SDK? and not your deployment target?

its my development target

im ios 15.0

what is your SDK

ok

now open $THEOS/sdks/iPhoneOS15.0.sdk/System/Library/(Private)Frameworks/<FrameworkName>.framework/<FrameworkName>.tbd

the framework is target application's framework

oh

ok

in that case, you would want to declare the function in a header somewhere

with ```extern "C" {
// function declaration
}

if not, just extern is fine

@interface SomeFramework:NSObject extern _someHiddenFunction(); @end

is that enough ?

i thought you said this was a c/c++ function

you would just leave it bare
so

// if tweak is Obj-C, and target function is C
// or if tweak is C++ and target function is C++
extern void someFunc();

// if tweak is C++ and target function is C
extern "C" void someFunc2();

then in your constructor, replace %init; with %init(someFunc = MSFindSymbol(NULL, "_someFunc"));

replace MSFindSymbol with whatever hooking API you're using

another example here https://theos.dev/docs/logos-syntax

when i use MSFindSymbol, app is crash

i tried this way

that probably means the framework isn't loaded yet and as such you have a null ptr

hm

maybe you can load the framework first

arent you on xina

this is starting to get out of my wheelhouse though

try using libhooker instead of substitute

thanks for your patience, and helpful supports

im not know how is working libhooker 😄 you tried to teach me but its complicated for me atm

@untold drift why cant you use hookf

char someFunc(int arg1, bool arg2);

%hookf(char, someFunc, int arg1, bool arg2) {
  char orig = %orig;
  // your code
  return orig;
}

tried but crashing.. i think substitute not working well with xina

don't worry nothing works with it really

@naive kraken do you think a wrapper for libhooker and subtrate would be useful

like it has a check for substrate libhooker

for all functions

upcoming xina version will probably fix this issue

besides, yeah I think this could work, but if done it should be done like the following: 2 separate packages, one that has like hookcompat.dylib that links libhooker and the other implements the same functions but links libsubstrate

and then when you have substrate or substitute it installs hookcompat (substrate) and when you have libhooker it installs hookcompat (libhooker)

this is also the only way to support all of this without using dlopen / dlsym

because you could just depend on hookcompat and link that

@grave sparrow u up?

@naive kraken im just doing shit like this

int (*__LBHookMessage)(Class class, SEL selector, void *replacement, void *old_ptr);
int SHHookMessage(Class class, SEL selector, void *replacement, void *old_ptr) {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        void *lhImage = dlopen(rootifyCString("/usr/lib/libhooker.dylib"), RTLD_LAZY);
        if (lhImage) {
            __LBHookMessage = dlsym(lhImage, "LBHookMessage");
        }
    });

    if (__LBHookMessage) { // if we have libhooker, use it
        return __LBHookMessage(class, selector, replacement, old_ptr);
    } else { // otherwise use substitute
        MSHookMessageEx(class, selector, (IMP)replacement, (IMP *)old_ptr);
        return 0;
    }
}

int (*__LHHookFunctions)(const struct LHFunctionHook *hooks, int count);
int SHHookFunctions(const struct LHFunctionHook *hooks, int count) {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        void *lhImage = dlopen(rootifyCString("/usr/lib/libhooker.dylib"), RTLD_LAZY);
        if (lhImage) {
            __LHHookFunctions = dlsym(lhImage, "LHHookFunctions");
        }
    });

    if (__LHHookFunctions) {
        return __LHHookFunctions(hooks, count);
    } else {
        for (int i = 0; i < count; i++) {
            struct LHFunctionHook hook = hooks[i];
            MSHookFunction(hook.function, hook.replacement, hook.oldptr);
        }
        return 0;
    }
}

and then just publisdh the .h/m

before publishing this, maybe make sure it works on real libhooker

because I haven't done that yet

smart

dms

@naive kraken it seems to work on reg libhooker

at least LHPatchMemory/MSHookMemory

clarity just tested it on taurine

nice

so i got HookMessage, HookFunctions and HookMemory with the rootless fix

idk what else to do

MSFindSymbol

that one

i think

wait

why are you doing this

xina's substitute is like half broken

so im making wrapper functions that detect libhooker and use that if its present

or substitute if its not present

basically making tweaks that use either one compatible with both libs

Where do i edit the neofetch config on macos ? installed it via brew

How do I set this inside my objective C tweak?

resolved

same as linux

yea

kabylake SMBIOS on skylake

lfg

MSHookIvar<NSInteger>(object, "_orientation") = number;

// or

[self setValue:@(number), forKey:@"_orientation"];

// or

// look for a setter / getter for that and hook that getter/setter
// getter:
-(NSInteger)orientation {
  return number;
}
// setter:
-(void)setOrientation:(NSInteger)arg1 {
  %orig(number);
}

different ways i guess

Thanks Idk wtf I'm doing

any one of those would probably work

i said it earlier + less reading

i like helping people without actually describing what i did

gets the mind going

Yes it has an @tepid olive and a method

ooh

Sorry for ping I guess

its alright, my girlfriend doesnt mind getting pinged

(its funny because shes property)

How do you set a property instead of a method?

bro you think i have a girlfriend

funny guy

self.property = new_property;

Nope

gotta join that

got it

why

drive?

perfect

that answers your question

https://www.spotify.com/
https://www.audible.com/
https://www.youtube.com/
https://music.apple.com/

get that drunk guy back in the server'

im broke stfu

raptor lake >>>

https://tenor.com/view/facts-brother-true-smoke-gif-23157983

so true

https://youtu.be/cEH_ipqHbUw

Hello guys, I don't know why is my code returning this error...

you can't throw a string. it needs to be an Error object

the error message says that

how can I fix this ? I don't care if user get nothing if error

how to throw an error object

@lime pivot

the first bit of this should help explain how error handling works in Swift: https://docs.swift.org/swift-book/LanguageGuide/ErrorHandling.html

well, the whole thing should be worth a read

kirb@chariz.com

well observed, bbaovanc#9999

yes but i've mentionned I want to use string in static

@lime pivot

why?

your question isn't clear, sorry

I just want to remove the throw thats it

not to fix it

but I don't know what to remove

I don't understand. comment it out then?

but the function still needs to return something, of course

either return a String or throw an Error

I'm returning a string

you're not, though

you're throwing one

return image["StatusBarCarrierName"] as! String

right, but the code won't reach that path 100% of the time

wdym

hence why the throw is there, because there is a case where it can fail to find what you need

yes and how can I fix that ?

if you comment out the throw line and try to build, you'll get an error that the function doesn't return a value on all paths

bbaovanc@gentle grove.com

bbaovanc.com

yep

not bouba.com

so, you need to make sure that final line of the func either returns a String, or throws an Error

hope that makes sense?

at the moment what you've got is trying to throw a String, which isn't possible

Ok

I've fixed it

Now it's getting this error @lime pivot

it's hard for me to really give you good advice since I don't know the codebase you're working with. but indeed there is no function like that by default, if you copied that from somewhere, that codebase is defining an extension on UIApplication for that

Any other way to spawn an alert ?

since you're using SwiftUI, there's a proper way to do it with SwiftUI modifiers

like ?

really that code using a custom alert() function is a bit of a cheat, it works but it's not the "best" way to do it

see here: https://developer.apple.com/documentation/swiftui/alert

https://sarunw.com/posts/how-to-present-alert-in-swiftui-ios15/ this has more detail on displaying variables in the alert, like the error message in your case

now it's getting me the error :
Cannot find 'ContentView' in scope

@lime pivot

but yeah it worked

probably have a syntax error in ContentView.swift

here it is, can you check it for me ?

@lime pivot

that's not quite how Alert() works - you need to use it as a modifier on the view, so SwiftUI knows it needs to be displayed

otherwise it's kind of just a statement that does nothing, you create an Alert() but don't do anything with it

definitely would recommend giving this a read, it explains it pretty well

the .alert(…) bit is what you're missing, that attaches the alert to your view, so SwiftUI is aware of it

when your presentAlert state variable becomes true, SwiftUI knows it has to display the alert

.alert("Hit !", isPresented: true, actions: {
                                    // actions
                                }, message: {
                                    Text("Please reboot your device. Made by C22")
                                })
                        } catch {
                            .alert("Title", isPresented: true, actions: {
                                // actions
                            }, message: {
                                Text("Message")
                            })

I get Value of tuple type '()' has no member 'alert'

@lime pivot

for the moment, i'm too lazy to figure out with alert, but i've put a print @lime pivot , however, i still get cannot find contentview in scope

You will want to make an @State var that’s a Boolean for the alerts isPresented value like it’s shown here

https://www.hackingwithswift.com/quick-start/swiftui/how-to-show-an-alert

Then set the variable true/false depending on what your trying to do

If the variable is true then the alert will be presented

Hey devs, how can I make an app restart the device that host it with non sandbox and root entitlements ?

Hey guys doing some SpriteKit but cant figure out why this doesnt work (Trying to move player)

you haven't ran addChild on the scene to add a sprite. The instance is created, but isn't added to the scene

I also suggest you moving the player and move_Right (also rename it to moveRight) to ViewController for them to be instance variables

oh sorry to clarrify that was the ViewController

I see. I don't have much knowledge with SpriteKit, but I do remember at least on iOS there were touchesBegan, ended etc. Try looking for similar methods found on mac?

might sound dumb but idk how to do this

if ran from ViewController, you need to first obtain scene reference (will write how in a moment) and call addChild function

you can create a var scene: GameScene! at the top of ViewController and at the line where there's let sceneNode = scene.rootNode written you can write self.scene = sceneNode

this way the scene will now be set whenever it loads

then in keyDown you can reference it the way I described above

var scene: GameScene!

override func viewDidLoad() {
  ...
  if let sceneNode = scene.rootNode as? GameScene {
    self.scene = sceneNode
  }
}

func keyDown(...) {
   scene.movePlayer() 
}

I made a mistake by the way, you rather have to addChild from the GameScene

you can think of viewcontroller as being completely unrelated to game logic

never write anything inside it to move, add sprites

let me know if something's not clear

I'll be glad to help

ok is codeUnit the correct way to identify what key is pressed, if so is there documentation on what key has wha code?

found this useful struct https://gist.github.com/swillits/df648e87016772c7f7e5dbed2b345066

Thanks Im kind of new to swift do you mind expanding on the addChild

yes

Your scene (GameScene.swift usually contains GameScene in the template) has a function addChild

you can run the function addChild when the scene loads

in didLoad e.g.

addChild(spriteReference)

and then the node i would put in brackets is the just any sprite in the scene or...

https://developer.apple.com/documentation/spritekit/drawing_spritekit_content_in_a_view

I love you Craig but as an Apple SVP I expect you to know your own documentations!!

i know that

im trying to move a sprite after a keypress

@unkempt raft this is where im at still no movement either

Is there a way to enable landscape mode on a portrait mode locked app via Filza?

why i get error: excess elements in scalar initializer

trying to find symbols and hook a function with libhooker.

doesnt any example of libhooker in github. its so hard to understand for me 😦

whats dc trick for show highlight code

anway doenst work xd

```
Code
```

thanks 😄

This

i didnt have this character at my keyboard.

oh, what key board is it

TR qwerty

const struct LHFunctionHook *hooks= {getC2MChecksum,rep_getC2MChecksum,0,options};

Maybe this https://apple.stackexchange.com/a/290304

its windows os

Try it

other than that idk

yeah

copy paste work always xd

Oh

i think there is an error here

symbols looking like an array

why no one share an example of libhooker 😦

thats looking like an array in array

and return error about of that

i will try another way. i want to learn libhooker but its so hard for code. substrate is very easy :d

if not function return type void ? or function has a parameters?

you did very good example. i will play with them all of night 🙂

im very thankful

i have last question about that. we found the symbol's address. but how can i call it ?

void *addressOfNSLog = addresses[0];
addressOfNSLog(); is enough?

typedef const char* (*FunctionType)(const char*);
FunctionType function = (FunctionType)addressOfgetC2MChecksum;
const char* res = function("test");

i tried that but crashing app when launch :d

yes

how can i found ptrauth_key_function_pointer?

ah okay i will try

i tried that but addresses same after authentication

i cant access crash log bcs using windows without type c connection for phone 😦 i looked cr4shed tweak but not working.

still so weird seeing this channel actually used for development

tytyty

worked flawlessly for me on my ipad for a trollstore app, didnt have to resideload it either

Useless but who knows ?
https://github.com/c22dev/TrollstoreDetector