#development


ocean raptor
#

The start of my codesigning library

#

Right now I'm just designing the api interface

#

I just added you

lime pivot
ocean raptor
#

I will be providing a ldid calling convention wrapper

lime pivot
#

yessss please

#

that would be amazing

#

apologies in advance for the flag parsing hell you'll need to endure lmao

ocean raptor
#

My goals

#

Going to have support for openssl and libmd (when no p12 is specified)

#

Initially

#

mbedtls and wolfssl can be added later

lime pivot
#

what about CommonCrypto?

#

same way curl supports all of the above, uses CommonCrypto on macOS

rapid lion
#

```c
/* setter-style API sketch: one typed call per option instead of a varargs "easy" call */
machsign_set_source_mapping(handle, addr, sz);
machsign_set_flags(handle, MACHSIGN_FLAG_ADHOC);
```

ocean raptor
#

I could

#

But

#

I was inspired by libcurl's easy api

rapid lion
#

imo there's literally nothing but benefits to the approach i suggested

#

if anything, APIs like that are easier to use because they're more discoverable and easier to document

ocean raptor
#

Good point

#

Also allows C's type system to actually provide a little value

#

Cause varargs suck

#

You just have to hope that they passed enough args

rapid lion
naive kraken
#

I already have stuff for that in Fugu15 macho.m

copper stream
#

Sorry for OT but this is the most sane thread with most knowledgeable people so I’ll ask here:

Is there a way (maybe some jailbreak tweak?) to make the “nearby” sim-less iPhone be able to MAKE calls? It receives calls just fine but can’t make them

#

Of course I’ve got nearby calls on, logged into same iCloud and on same Wi-Fi, both devices receive the same calls but only the one with a sim can make them

ocean raptor
naive kraken
ocean raptor
#

oh

naive kraken
#

not sure how useful this is though

balmy stream
#

Oppa can support libundirect for Rootless ? Thanks

indigo peak
#

@faint timber i think you're the person here with the most snapchat & jailbreak knowledge, so using mdc, it's possible to repoint functions to force for example a return true, i wonder if it's possible, if there's for example a method called like +[SCUser hasSnapPlus] if it's possible to overwrite that with mdc and without tripping the jailbreak detection

#

do you have any input on this?

faint timber
#

drm is c/c++ so 100% no symbols

there's a different drm for networking vs jailbreak check
i've only dove into networking
networking drm has anti-patch and reads bytes and verifies if they were modified
to be even more hardcore, there are multiple checker functions that run in a thread and I think the checkers may check each other

I don't remember if jb check has something similar to the network drm but it might?

isn't the bypass opensource now for the old version?

@indigo peak

indigo peak
#

i have 0 idea

#

it was just a spur of the moment thought tbh

#

i mean i was just wondering if repointing the method would trip up some detection

faint timber
#

@indigo peak here

indigo peak
#

i mean, technically it shouldn't

faint timber
#

ok, I helped you, now you help me

does starbucks app have jailbreak detection? or does fugu just break login and account cache?

indigo peak
#

i have ordered starbucks once in my life

#

im assuming its a fugu thing

faint timber
#

do you have a non fugu jb?

indigo peak
#

yes

#

palera1n

faint timber
#

check if you can login on palera1n

indigo peak
#

at what point does it break for you

#

when you enter in the info and press sign in?

faint timber
#

it logs me out every time and sign in returns 403 denied

#

when I reboot I'm able to sign in

#

it's not ellekit's fault since I disabled it, it's the systemhook most likely

indigo peak
#

iOS 15.7.3 iPhone 7 palera1n

velvet path
indigo peak
#

rootful

velvet path
#

@faint timber I'm assuming you're using rootless palera1n?

indigo peak
#

fugu

#

not palera1n

velvet path
#

oh I misunderstood

faint timber
#

@velvet path ?

velvet path
faint timber
#

its not systemhook

#

something is breaking

#

its jailbreaks fault

#

not injection related

#

@velvet path very weird

velvet path
faint timber
#

Wait

#

Different 403

#

Correct password is denied

#

Wrong password is failed to validate

#

Wtf

blazing vault
#

I pushed out Badger 1.2.1-1 for rootless and later for rootful - but it still seems like some people are having troubles installing 1.2.1-1 (ex no package found errors)?

#

any idea on what tf the problem is

naive kraken
#

packages that have both rootless and rootful available aren't downloadable on the latest stable sileo atm

blazing vault
naive kraken
zenith hatch
#

real

naive kraken
#

Sileo Nightly is probably the better pick

grim sparrow
naive kraken
#

👍

blazing vault
#

hey btw, i know info.plists are signed due to special slots and stuff in apps

#

is the Info.plist signed for a private framework

ocean raptor
#

Can we get a machsign thread trol

hasty ruin
elder scaffold
#

I was using the one that came with pogo, but it felt like a more advanced version

hasty ruin
#

The best one atm is on dhinak’s repo

carmine trout
#

Does anyone know if SSL-pinning-bypass is possible on 15.0.2? SSL-killswitch maybe?

restive ether
restive ether
acoustic imp
#

Can I make a like app/tweak request here?

#

I don’t think it would require a JB

faint timber
unkempt raft
hasty ruin
unkempt raft
#

"change color of time label in status bar"

ocean raptor
#

Calculating cdhash is ridiculously easy

silver rampart
ocean raptor
silver rampart
late ridge
#

bill

acoustic imp
# hasty ruin TweakBounty*

Thought about that but idk, it’s like kinda seems simple and you could like use preexisting stuff, but idk probably not. Also I don’t really have a way to pay.

#

@tepid olive for your screen-shot actions tweak could you add an action to like the done button to delete and copy to clipboard. Like what iOS 16 has?

zenith hatch
ocean raptor
#

machsign is deprecated

#

long live ldid

#

@grave sparrow

#

I got demotivated

hasty ruin
peak hornet
#

Hey I was wondering if there was any information or research done on how I could inject a dylib that sends UIEvents (touch events) to an app?
I am playing around with this app for locking and unlocking my door. I already figured out the auth process and how to get a JWT and send HTTP requests to lock/unlock the door. But I really want to just inject a dylib that makes it so when I open that app with a URL it unlocks the door.

I can add the URL handler and all. But getting it to unlock the door then is where I am stuck. I can get JWTs from the heap but they are 99% too old and need to be refreshed.

Instead of continuing to look for a good way to trigger the JWT refresh I was just thinking it would be great to just send a touch event to the app to trigger the lock/unlock.

Any ideas or recommendations plzzzzzzzz!!! Thank you so much

#

If sending fake UIEvents is something that isn't possible/documented by anyone I will just figure out the token refresh part. I am just sure people much smarter than me have figured this out already.

I was thinking about hooking the UIEvent constructor and trying to figure out how to create my own that way. I was also looking at UIEvents in the heap trying to see if I could just copy the UIEvent and the objects it points to and then write those back to memory (reconstruct a UIEvent with touches) when I want to make my own.
Haven't thought about how I get that UIEvent sent to the UIView or UIWindow yet..

hasty ruin
peak hornet
#

Wow, thank u so much. I was searching around Github but must have not known what to look for

#

Realllllly appreciate it! @torn oriole ! Thank you!

hasty ruin
#

np glad

peak hornet
#

and a ton of useful stuff, thank u!

cloud yacht
radiant idol
#

which one do you guys think looks better

#

I've been trying to decide for a while now

#

I can't decide

kindred pivot
#

Right one

#

It looks more like the actual icon

radiant idol
#

alr

wicked summit
#

@peak hornet I highly doubt you need to simulate gesture events

#

Within your dylib, you can directly call whatever method(s) you want

hasty marsh
gentle grove
wicked summit
#

gm

tepid olive
#

zsign on pc?

#

i mean windows

unkempt raft
#

Wrong channel

tepid olive
#

it's related to development bro

unkempt raft
#

It’s signing

#

Not really

tepid olive
unkempt raft
radiant idol
# unkempt raft

democracy has decided that it is the right one that looks better

unkempt raft
#

🅱️old

#

Get it

radiant idol
#

hahahahaahahha

#

so funny

unkempt raft
#

Indeed

radiant idol
#

im laughing

#

in case you couldnt tell

flint night
#

Anyone know how to get OpenGL to work in VSC for m2 macs? i can get glfw to render the window but when I try to compile shaders (version 330) I get an error that they were unsupported, and the only version I have gotten to not throw an error is version 120.

#

I had heard that macs supported up to 4 or something

primal perch
#

did you use the correct hints in glfw to create a gl 3.3 context

flint night
#

Yes

primal perch
#

should be this

```c
glfwWindowHint(GLFW_CONTEXT_VERSION_MAJOR, 3);
glfwWindowHint(GLFW_CONTEXT_VERSION_MINOR, 3);
glfwWindowHint(GLFW_OPENGL_PROFILE, GLFW_OPENGL_CORE_PROFILE); /* macOS only hands out 3.2+ as a forward-compatible core profile */
glfwWindowHint(GLFW_OPENGL_FORWARD_COMPAT, GL_TRUE);
```
#

what does this print

```c
/* after the context is made current */
printf("%s\n", glGetString(GL_VERSION));
```
flint night
#

2.1 Metal - 83

primal perch
#

2.1 skulley

flint night
#

My glfw version is also 3.3.8 if that provides any context as well

primal perch
#

also those hints are called before the window creation right

flint night
#

Yes

primal perch
#

ok i have no idea then

flint night
#

Yeah, it was being weird for me 😂 thought I would ask here and see if maybe I had missed something. Oh well I’ll try to figure it out tmr, thanks for your help

primal perch
#

this guys code seems to work for him

#

Renderer: Apple M1
OpenGL version supported: 4.1 Metal - 76.3

#

maybe the #define GL_SILENCE_DEPRECATION

hasty ruin
#

the problem is opengl on macOS

frail cedar
#

Does iOS use powers of 2 or powers of 10 for bytes

primal perch
#

MiB vs MB?

#

depends on the context

#

like every operating system

frail cedar
#

I just went with powers of 2 since it lines up with Xcode

#

never mind i am literally blind

#

or maybe not

#

Using powers of 2, Spartan reports 21.96 free and Xcode reports 21.78

#

using powers of 10, Spartan reports 23.58 free

#

so powers of 2 is closest? or maybe xcode is saying there's a bit less space than there actually is

twilit jungle
zenith hatch
#

@gaunt helm you’ve listened to light it up remix ofc, now try fuse odg if you havent already

zenith hatch
#

oh wrong channel

next wadi
twilit jungle
peak hornet
# hasty ruin maybe look into https://github.com/xuan32546/IOS13-SimulateTouch

Hey man, thanks so much. I got something working off of https://github.com/lyft/Hammer
Just ripped out the XCTest related code because I was having trouble when trying to get the app on my phone using ios-deploy. Is XCTest a framework that is blacklisted or just not allowed in an iOS app by chance?

It works great though. Took me a little to figure out the coordinate system is actually from the middle of the screen though unlike what apple says in docs for their coordinate system.

I also found some tweaks that do the same stuff. Not sure how I couldn't find this all when I was searching Github

Thanks so much though!


hasty ruin
#

Glad you got it all working thumbsUpSwag thumbsUpSwag

ocean raptor
#

@grave sparrow I have a proposal

#

I will write all Code directory blob writing code

#

You will write the code to add it into the Mach-o

#

I hate macho parsing

rain falcon
#

@grave sparrow twerk

hasty ruin
rain falcon
#

yes

hasty ruin
primal perch
turbid fjord
#

@grave sparrow are you the science guy?

primal perch
marsh gulch
#

Does anyone know what the focus pill on the lockscreen is called?

marsh gulch
#

Thanks

gentle grove
clear flower
#

Can pay anyone who can help me use the area around the notch on my macbook screen for apps

surreal pelican
gentle grove
acoustic imp
#

also theos just doesn't work anymore, idk what i did. it just sits at that forever (any common issues?)

unkempt ore
#

is there a way to write to my tweak preferences (via NSUserDefaults) from e.g. the Photos app? Right now it's getting denied because of missing entitlements (and tbh I never had to work with entitlements so far):

cfprefsd[103]: rejecting write of key(s) from process 14612 (MobileSlideShow) because setting these preferences requires user-preference-write or file-write-data sandbox access

serene hawk
indigo peak
#

prob doing this tweak bounty

serene hawk
#

photos app doesn’t have write permissions ig?

timid furnace
#

@grave sparrow do you know what exactly i need to disable for unrestricted DYLD_INSERT_LIBRARIES?

#

not what i need to patch in dyld

#

just the sip bits i need to disable

naive kraken
#

but I unfortunately haven't found a proper way to support these preferences extensions so check the libSandy readme for workaround

timid furnace
#

yea i figured it out

spice bridge
hasty ruin
#

?

spice bridge
#

flex dead

marsh gulch
#

So I have a tweak which I want to use for rootless and I obviously have the source code. but when I install it, my preferences look for a library in /usr/lib instead of /var/jb/usr/lib. so if anyone knows a solution for that please let me know

wind ravine
#

do any of the new exploits even allow r/w?

naive kraken
wind ravine
#

oh wait

naive kraken
#

just new vulns / POCs

wind ravine
#

yeah

#

useless

#

i blame geosnow

marsh gulch
#

I’ll try that thanks

#

Do I need to specify that in my main makefile or the one of the preference bundle?

#

Ok

#

idk why but i cant get that to work. so i specify LibGCUniversal_LDFLAGS = -install_name /var/jb/usr/lib/libgcuniversaml.dylib in my makefile but i still run into this issue

#

i think i see my issue

#

libgcuniversaml.dylib doesnt look right

#

ok so i corrected that issue but i still get the error

#

LibGCUniversal_LDFLAGS = -install_name /var/jb/usr/lib/libgcuniversal.dylib @grave sparrow does that look right?

#

but it still doesn't work

serene hawk
marsh gulch
#

well i got installed on fugu15

#

so it should be rootless

#

ohhh

#

i installed it and fixed it using dirtypatch

#

thats why it worked

#

so well yea makes sense to me

#

do we know if the dev will add rootless support

serene hawk
#

i think he said it somewhere yes

marsh gulch
#

well anyways thanks for your help @grave sparrow and thanks for the tip @serene hawk

acoustic imp
#

@grave sparrow In order to get the new abi to compile things for iOS 15+ (fugu15…) I just need to use new SDK right ? But which and from where

#

Hmm, k, and is there like a common issue when u try to compile sm, like it just sits there

#

Like the cursor jus sits there

gentle grove
timid furnace
#

@grave sparrow so the way i see it there's multiple ways to patch dyld to unrestrict DYLD_INSERT_LIBRARIES

  • patch this->allowEnvVarsPath = (amfiFlags & AMFI_DYLD_OUTPUT_ALLOW_PATH_VARS); in dyld4::ProcessConfig::Security::Security (probably fine)
  • patch dyld4::ProcessConfig::Security::getAMFI and override return value (this would mean i would end up overriding all the other flags too though)
#

or i could also just hook AMFI itself

#

because at the end of the day getAMFI goes to AMFI

#

true

naive kraken
timid furnace
#

the most i've ever done was serial so

#

view logs

#

thats it

#

/dev/console is kernel output

#

true

#

you dont need lldb

#

how are you connecting to mac

#

oh

#

yea you're fucked

#

i think

acoustic imp
timid furnace
#

ask in apple-silicon or something one of the m1n1 using nerds have to know this

timid furnace
#

all i know is that serial is initialized extremely early and solely supports PCIe serial ports unless you manage to get UEFI to initialize some other thing as a serial port and expose it to boot.efi

#

and the only Macs with serial ports are Xserves so uh

#

ok what is fwkpfv

#

does this work with thunderbolt

#

look for msgbufp

#

ok

#

if you still want log output

```c
/* kernel log ring buffer, as declared in XNU's sys/msgbuf.h */
struct  msgbuf {
#define MSG_MAGIC       0x063061
    int             msg_magic;
    int             msg_size;
    int             msg_bufx;               /* write pointer */
    int             msg_bufr;               /* read pointer */
    char    *msg_bufc;              /* buffer */
};
struct msgbuf *msgbufp __attribute__((used)) = &msgbuf;
```
#

msgbufp->msg_bufc should be the message buffer

timid furnace
#

oh

#

didn't know systemlog existed

#

(i have never actually done kernel debugging)

naive kraken
#

do you not know about platformization???

#

Dylib needs to be in trustcache probably

#

yeah

#

dylib either needs to be in trustcache or you need to set TF_PLATFORM on the dylib vnode

#

yes

#

bro you have physrw

#

and were able to overwrite wx_allowed

#

it's not hard

indigo peak
#
```c
#include <IOKit/IOKitLib.h>

/* look up the IOKit service by class name and try to open a user client to it */
io_service_t service = IOServiceGetMatchingService(kIOMainPortDefault, IOServiceMatching("AppleM2ScalerCSCDriver"));
io_connect_t conn = 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self_, 0, &conn);
```

would this IOServiceOpen() call work normally without any of the previous hack code (below) in the new CVE

#

like is that IOService normally 'off limits' for regular processes

tepid olive
#

it’s just a hdr processor

unkempt ore
serene hawk
# unkempt ore that's one of the features, yes 🙂 why do you ask?

cause I'm having issues with tcc. i once developed such a tweak for authentication and it was just fucked up. now I'm having issues again. the tweak works on fugu15 max but crashes on XinaA15. the NSFaceIDUsageDescription is set via hooking NSBundle and tccd also gets hooked to allow com.apple.mobileslideshow but somehow it works for some and for some others it doesn't

#

wanted to know if you also experienced such crashes / issues

unkempt ore
serene hawk
unkempt ore
# serene hawk doing the same. somehow in some cases tcc grants permission and in some cases it...

the thing is I don't have any devices on a compatible firmware for Fugu or Xina, so palera1n is the only way I can test. But I just noticed that what you described seems to be a FaceID only issue. As there is no way to test FaceID on palera1n devices, I had to rely on TouchID so far and assumed that FaceID would work the same. But after a short read it seems that this might not be the case. Sucks, as I don't have any way to test this :/

serene hawk
unkempt ore
#

Sure, I'll let you know once I have a version ready that works more or less. Care to provide me with the correct hook for NSBundle so I don't have to search for it? 😄

serene hawk
#

sure, check pm

unkempt raft
#

With the latest vulnerability, we can’t control the memory that’s being replaced, correct?

steady nest
#

The question doesn't make sense

unkempt raft
#

What does the vuln allow us to do? Kernel panic through a buffer overflow?

#

I just don’t understand using what techniques it can become a kernel r/w exploit

tiny plume
#

Can device tokens generated by DCDevice be created via API?

steady nest
#

If you're looking for cowabunga on 16.4... Not even close

steady nest
#

On the old days, you'd use regular techniques (heap feng shui, filling the heap with controlled objects and what not) but now mostly everything is PAC'd and you need to use a technique to go around it

unkempt raft
tepid olive
steady nest
#

those are patched, IOSurface is PAC'd now

#

now - either 15.2 or 15.4, I don't remember, there's a presentation on that

wind ravine
wind ravine
pine holly
#

I am a developer who usually makes jailbreak bypasses. I recently had a customer try to install a tweak that I have given to other customers. This user is on Xina and every time he opens the app (Western Union) it hangs and then closes. This doesn’t happen on my phone (14.4.1 u0). I am wondering if there is something developer related I must do or that I am doing wrong. I can share the source if need be. Compiled using 15.4 & 14.3 sdk.

grim sparrow
#

Xina is a fucked can of worms

#

If you share code then maybe someone could spot the issue

#

@pine holly

pine holly
#

That’s the problem

#

```objc
%hook JailbreakDetector

+ (bool)isJailbroken {
    return 0;
}

%end
```

#

Something this simple shouldn’t hang an app

#

It’s like it can’t init

#

Because it just hangs for 10 seconds then soft crashes with no error or crash

#

Works on a rootful u0 device

#

So I have 0 idea

#

My little understanding of Xina doesn’t contribute to the fact that it doesn’t work but

#

The only other thing I could think is maybe outdated Theos

#

But still doesn’t make sense because Xina still fixes any issue that would have been caused

pine holly
tepid olive
pine holly
#

Same app version

grim sparrow
#

@pine holly this is gonna sound odd but can you share your makefile and control file?

pine holly
#

Gladly

#

```makefile
TARGET := iphoneclanglatest:7.0

include $(THEOS)/makefiles/common.mk

TWEAK_NAME = WUBypass

WUBypass_FILES = Tweak.x
WUBypass_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk
```

#

```text
Package: com.ios.wubypass
Name: WUBypass
Version: 0.0.1
Architecture: iphoneos-arm
Description: An awesome MobileSubstrate tweak!
Maintainer: ios
Author: ios
Section: Tweaks
Depends: mobilesubstrate (>= 0.9.5000)
```

grim sparrow
#

what versions is this supposed to support?

pine holly
#

Doesn’t matter, it injects into Western Union

#

The app

restive ether
#

maintainer: ios

grim sparrow
#

try sticking ARCHS = arm64 at the top of your makefile

#

I wonder if Xina is doing some fuckery and trying to force the arm64e slice in to an arm64 app

restive ether
#

😭

pine holly
#

Chief Queef?

#

And yeah I am @trail sandal

#

Iosrouter

#

#1 tweak developer

#

💀

restive ether
#

no i’m not that guy

pine holly
#

Lies

#

Also shouldn’t I add arm64e

#

@grim sparrow

grim sparrow
#

app store apps are arm64 only

restive ether
#

unless it has preferences doesn’t matter

trail sandal
#

I’m stupid

grim sparrow
#

if youre just touching app store apps you only need arm64

#

on iOS 11+ at least

trail sandal
grim sparrow
#

by default theos does arm64 and arm64e

grim sparrow
#

hence my running theory that it might be a slice problem?

trail sandal
#

I’ll check, I have to send it to costumer to test

#

*customer

trail sandal
#

Alright I compiled and sent

#

I’ll lyk what happens

pine holly
#

@grim sparrow same thing 💀

#

10 second hang then crash

#

No crash log or anything else

grim sparrow
#

Is there anything in Console?

pine holly
#

This is the only thing that would seem concerning

#

That’s what I’m saying this shit makes 0 sense

pine holly
#

Any other suggestions?

#

Maybe I need to update Theos or sum

#

Idek im lost

gentle grove
peak hornet
#

Sorry but I know you guys will know how to do this off the top of your heads.. So I found that I can use https://github.com/lyft/Hammer to send fake touch events to the ios app I am injecting into. To get it to work though I had to rip out all XCTest related code. And I am hoping to get a dylib built that has all that XCTest functionality. The issue is that XCTest has a TON of dynamic dependencies and they tree out even further.. Is the only solution to modify with install_name_tool and put all the full tree of deps in my app?

I cant remember if there was some way to statically link something like XCTest and its deps into a dylib or not


#

Actually I think I got it figured... Sorry about that

peak hornet
#

Actually, I don’t have this figured out. So I need to link with the XCTest framework. When I goto patch the app using objection it has helpful warnings about all the dependencies from that framework that are missing. Those dependencies have more dependencies.

#

How can I create a library that has all the dependencies I need? Or do I just need to go through the whole tree of dependencies and make sure I have them and update the linked dependency path for each ?

peak hornet
#

Prob just using it wrong

naive kraken
#

theos currently has a bug where libraries cannot link against other rootless libraries

#

besides that you need to compile everything with -install_name @rpath/whatever in LDFLAGS

peak hornet
#

I actually have this stupid complicated setup

#

I am using Frida with a gadget script to add a handler for opening URLs. Was easy to do in Frida. Then I call class methods on this dylib I inject to do the rich events. The dylib I have been talking about I am just making with a normal Xcode project

#

Really my question is about how you guys go about making sure I have all the dynamic libraries u need if you include a framework that has a big dependency tree

#

And those frameworks must not be on the phone, like XCTest

#

For ex, and sorry how long this is. But after I inject my dylib and XCTest into the app (install name tool) and put it in the right place. It then wants the deps from XCTest which is this huge list:

```text
Warning: missing file: @rpath/libswiftCoreFoundation.dylib
Warning: missing file: @rpath/libswiftCoreGraphics.dylib
Warning: missing file: @rpath/libswiftCoreImage.dylib
Warning: missing file: @rpath/libswiftDarwin.dylib
Warning: missing file: @rpath/libswiftDispatch.dylib
Warning: missing file: @rpath/libswiftMetal.dylib
Warning: missing file: @rpath/libswiftNetwork.dylib
Warning: missing file: @rpath/libswiftObjectiveC.dylib
Warning: missing file: @rpath/libswiftQuartzCore.dylib
Warning: missing file: @rpath/libswiftUIKit.dylib
Warning: missing file: @rpath/libswiftos.dylib
Warning: missing file: @rpath/libswiftFoundation.dylib
```

#

And many more:

```text
Warning: Cannot resolve dependency library: /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/libswift_Concurrency.dylib
Warning: missing file: @rpath/XCTestCore.framework/Versions/A/XCTestCore
Warning: missing file: @rpath/XCUnit.framework/Versions/A/XCUnit
Warning: missing file: @rpath/XCUIAutomation.framework/Versions/A/XCUIAutomation
Cannot resolve rpath for: @rpath/XCTestCore.framework/Versions/A/XCTestCore from /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/XCTest.framework/Versions/A/XCTest
Warning: Cannot resolve dependency library: /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/XCTest.framework/Versions/A/XCTest
Cannot resolve rpath for: @rpath/XCUnit.framework/Versions/A/XCUnit from /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/XCTest.framework/Versions/A/XCTest
Warning: Cannot resolve dependency library: /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/XCTest.framework/Versions/A/XCTest
Cannot resolve rpath for: @rpath/XCUIAutomation.framework/Versions/A/XCUIAutomation from /var/folders/cp/r4ygccdx29s9yl7slt4sb67c0000gn/T/kwiksetURLScheme-frida.ipa.ba7e3837-1a60-4794-b308-e54ac931e6ca/Payload/Kwikset.app/Frameworks/XCTest.framework/Versions/A/XCTest
etc...
```
primal perch
#

not an expert but i think it’s missing dylibs

peak hornet
#

haha yeah

#

Sorry If I am confusing

#

Im trying to figure out how to deal with the tree of deps that u get with dynamic libraries/frameworks when u bundle something like XCTest with whatever

pine holly
#

Repost because I am desperate for help (and money)

#

I am a developer who usually makes jailbreak bypasses. I recently had a customer try to install a tweak that I have given to other customers. This user is on Xina and every time he opens the app (Western Union) it hangs and then closes. This doesn’t happen on my phone (14.4.1 u0). I am wondering if there is something developer related I must do or that I am doing wrong. I can share the source if need be. Compiled using 15.4 & 14.3 sdk.

#

Arch: arm64
Sdk both 14.3 and 15.5 have been tried no difference

ocean raptor
#

Look at syslog

#

Wait this is xina

#

Never mind

#

Give up

faint timber
#

xina = death

#

give up or die young

pine holly
#

fuckkk fr?

#

who woulda thought some easy shit would be complicated

#

well thats life

pine holly
#

Fair but I want money

#

And I actually want to help the person

#

I couldn’t imagine not being able to use my bank

#

Lmfao

faint timber
#

fugu is more stable than xina ever was

#

just switch

pine holly
#

I’m not on Xina

#

Lmfaooo

faint timber
#

yah

#

like

pine holly
#

Cryptic I’m making the tweak for someone else

#

I be on Fugu 14

faint timber
#

only support fugu

pine holly
#

Been on it since day one

faint timber
#

people gonna flock to fugu

pine holly
#

I mean yeah of course

#

It’s by far better

#

Not an argument

#

This mf still 3 edits behind

#

Give him a few minutes

#

Ily < 3

serene hawk
pine holly
#

None just doesn’t work

naive kraken
hollow laurel
#

you mean for linking?

#

I see

naive kraken
#

yes

#

I fixed this but didn't bother making a PR yet

hollow laurel
#

(was wondering why it worked fine for me, but AltList has rpath for both versions, so it doesn't matter)

naive kraken
#

it's only for libraries

hollow laurel
#

oh frameworks are using a different linking command?

#

didn't know that

hollow laurel
naive kraken
#

tweaks linking them is fine

hollow laurel
naive kraken
#

hm well maybe it doesn't apply to frameworks then

hollow laurel
hollow laurel
naive kraken
#
```makefile
ifeq ($(THEOS_PACKAGE_SCHEME),)
    # ObjC/++ stuff is not here, it's in instance/rules.mk and only added if there are OBJC/OBJCC objects.
    _THEOS_INTERNAL_LDFLAGS = $(if $(_THEOS_TARGET_HAS_LIBRARY_PATH),-L$(THEOS_TARGET_LIBRARY_PATH) )-L$(THEOS_LIBRARY_PATH) $(DEBUGFLAG)
    ifneq ($(THEOS_VENDOR_LIBRARY_PATH),)
        _THEOS_INTERNAL_LDFLAGS += -L$(THEOS_VENDOR_LIBRARY_PATH)
    endif
else
    _THEOS_INTERNAL_LDFLAGS = $(if $(_THEOS_TARGET_HAS_LIBRARY_PATH),-L$(THEOS_TARGET_LIBRARY_PATH) )-L$(THEOS_LIBRARY_PATH)/$(THEOS_TARGET_NAME)/$(or $(THEOS_PACKAGE_SCHEME),rootful) $(DEBUGFLAG)
    _THEOS_INTERNAL_LDFLAGS += \
        -L$(THEOS_VENDOR_LIBRARY_PATH)/$(THEOS_TARGET_NAME)/$(or $(THEOS_PACKAGE_SCHEME),rootful)
endif
```
hollow laurel
#

👍

hollow laurel
primal perch
#

damn libs

hollow laurel
drifting dust
#

how would one go about porting a tweak to rootless?

next wadi
#

but you can update theos and add THEOS_PACKAGE_SCHEME i think

drifting dust
#

If this is a “just use Rust” joke I do not know it

restive ether
tepid olive
lime pivot
#

heh, that's… an answer I guess

#

you would set THEOS_PACKAGE_SCHEME = rootless in the makefile, then look through the code for any paths to files

#

and change them to have a /var/jb prefix

#

I can see a handful of them in Tweak.xm and Tweak.h, there would be more than this I only looked quickly

next wadi
next wadi
#

but theos is better for certain parts of tweak development like building apps and daemons and stuff

#

luz can't do it yet

lime pivot
#

I'd keep this project using Theos just because the changes you need are minor

#

but definitely consider Luz for new projects

drifting dust
#

maybe also fix up some things in the tweak, haoict seems to have gone inactive

drifting dust
#

oh wait nvm did i misinterpret the error

#

yea i did my bad

drifting dust
#

or does it become /var/jb/var/mobile/Library.... kek

ocean raptor
#

@lime pivot does theos set any variable so I can change my code for rootless using preprocessor?

ocean raptor
#

I guess I should say, what's the correct way to respring?

#

Rn I'm doing posix_spawn("/usr/bin/sbreload"); and using posix_spawnp won't work cause PATH is not set in settings correctly

restive ether
#

no i’m too busy with your mom

ocean raptor
#

The final consensus was that sbreload is the correct way

restive ether
#

i also didn’t read anything you said

restive ether
timid furnace
timid briar
#

No log is generated but that might be on ellekit’s end(?) idk

ocean raptor
#

Can you give me a symbolicated crash log?

#

Adam gave me a crash log but he doesn't symbolicate it

#

Now that I think about it, I'm pretty sure I fixed it already but it's on my laptop at home

timid briar
#

Ah ok, I’ll try again when you push that one

#

Yea idk I didn’t see a SpringBoard crash log

ocean raptor
timid briar
ocean raptor
#

Really?? It worked for Adam

timid briar
#

That’s really weird

timid briar
#

Maybe uninstalling it removed old files or something

timid furnace
#

@grave sparrow i've decided i'm going to patch getAMFI

#

patching ProcessConfig::Security::Security won't really work, the instructions change

#

getAMFI seems stable

#

so i'm just going to make it return whatever it returns | allow_path_vars

#

there's some environment variable check at the end that i can clobber

timid furnace
#

actually idk hooking AMFI seems more stable...

#

you know what, i'll just implement both and see which one works trol

normal tide
#

What is required to adapt a tweak to rootless jailbreaks?

#

it's hard to find any docs on it vs blogs talking about rootless jailbreaks in general

timid furnace
normal tide
#

thanks

timid furnace
#

that page is mostly vague though

#

so if you have any further questions ask

#

at a high level, you need to change paths that reference jailbreak files to the rootless ones, move all of your files into /var/jb, switch the package architecture to arm64 and build

#

theos has macros for the first (rootless.h) and THEOS_PACKAGE_SCHEME=rootless takes care of the second* and third

normal tide
#

I don't have access to the tetherme source anymore, but betting it would work with a resign and new file locations. As long as the couple packages it uses have been updated anyway.

dim coyote
#

Hi, so I'm coding my first tweak for fugu15max but it doesn't seem to display the UIAlertController. Can someone help? Code:

timid furnace
#

stop using piracy repos

dim coyote
#

what does that have to do with my question?

timid furnace
#

nothing

#

i'm still going to tell you to not use piracy repos

dim coyote
#

and I won't listen

#

cause I pay for tweaks

dim coyote
#

I just did not pay for the junipero theme at the time cause I think it didn't support rootless

timid furnace
dim coyote
#

So, what am I doing wrong here?

serene hawk
#

its probably UIAlertAction *defaultAction

timid furnace
# tepid olive ic

and then i'm gonna hook posix_spawn to insert DYLD_INSERT_LIBRARIES

#

doing this from kernelspace is kinda wack bc i would need to figure out a decent way to specify what to inject

#

but its probably a fuckton easier than userspace

timid furnace
#

i don't really want 0xDF

#

i just want current | ALLOW_PATH_VARS

#

why

#

i know

#

i don't need any of the others

#

this is all i can find

#

ida trashed all of my manual constant > enum

#

thanks bro

restive ether
timid furnace
#

bruh

#

thanks discord

#

i annotated it

#

yea

#

static unsigned int patched_macos_dyld_policy_env_vars(proc* a1, unsigned int* inFlags) {
    // Call the original routine through Lilu's FunctionCast, then OR ALLOW_PATH_VARS into its result
    unsigned int ret = FunctionCast(patched_macos_dyld_policy_env_vars, orig_macos_dyld_policy_env_vars)(a1, inFlags);
    return ret | AMFI_DYLD_OUTPUT_ALLOW_PATH_VARS;
}
#

easy

timid furnace
#

Lilu, yes

#

shame that it does not support ARM64

#

would have been nice

drifting dust
late ridge
#

the problem with that is that the library might still have file paths in it that would need to be modified

drifting dust
#

hmmm you're right

dim coyote
# dim coyote

The issue was that I was building in Ubuntu instead of macos with xcode

drifting dust
#

i guess the library doesn't work then, or i installed it incorrectly

#

would explain also why the tweak isnt working either, no library -> no tweak. Are there any extra steps, like specifying where to look for EXTRA_FRAMEWORKS?

naive kraken
drifting dust
#

sorry for the noobie questions i have next to no experience in tweak dev

naive kraken
#

not with the framework

#

Check AltList and Choicy source codes

late ridge
late ridge
#

rip

drifting dust
#

as for the pref makefile, well i see the ln -s thing, trying to make it work right now

drifting dust
#

oh

naive kraken
#

you need to change the install path of the framework

#

or change the dependency of your pref bundle via install_name_tool

drifting dust
#

is that not right?

naive kraken
#

@onyx ember can you remove the login from your repo now?

#

oh and also whoever installed it needs to reinstall system-cmds fr

ocean raptor
drifting dust
naive kraken
#

@rpath/SomeFramework.framework/SomeFramework

onyx ember
naive kraken
#

yes…

ocean raptor
#

fugu was broken

onyx ember
#

Also by the way sudo can't login:

#

But su works

ocean raptor
onyx ember
naive kraken
ocean raptor
#

L

naive kraken
#

it prompts for mobile

ocean raptor
#

Anything in syslog

ocean raptor
drifting dust
onyx ember
ocean raptor
naive kraken
#

nothing in syslog

onyx ember
onyx ember
drifting dust
ocean raptor
#

You really f-ed everything up

onyx ember
ocean raptor
#

Nobody is gonna realize that

onyx ember
# ocean raptor *just*

It works even if they don't do anything lol, I don't push things with bugs that break stuff after an update or two.

ocean raptor
#

What

naive kraken
#

you could have just used dpkg replaces correctly, then you wouldn't have needed to rm anything

onyx ember
naive kraken
#

yeah what you should have done was make a custom system-cmds build with your changes

#

but anyways it's too late for that now

onyx ember
ocean raptor
onyx ember
#

It fixed NewTerm, but not MTerminal

ocean raptor
#

Asked

#

Newterm >>>

rotund hull
#

Is it possible to decrypt .ipas on m1?

#

sad

peak quartz
#

maybe SIP related?

dim coyote
blazing vault
#

sorry for the incoming text wall

#

i suck dick at logos

%group unsigncutsInvalidSignature
%hook WFSharedShortcut
// signingStatus returns a string, so the hook must declare NSString *, not void
-(NSString *)signingStatus {
	return @"APPROVED";
}
%end
%hook WFGalleryWorkflow
-(NSString *)signingStatus {
	return @"APPROVED";
}
%end
// %group cannot be nested inside %hook; each group gets its own %hook block for the class
%hook WFShortcutSigningContext
-(BOOL)validateAppleIDCertificatesWithError:(NSError **)arg0 {
	return YES;
}
-(BOOL)validateSigningCertificateChainWithICloudIdentifier:(id)arg0 error:(NSError **)arg1 {
	return YES;
}
-(BOOL)validateWithSigningMethod:(NSInteger)arg0 error:(NSError **)arg1 {
	return YES;
}
-(BOOL)validateWithSigningMethod:(NSInteger)arg0 iCloudIdentifier:(id)arg1 error:(NSError **)arg2 {
	return YES;
}
%end
%end

%group unsigncutsAllowAnyContact
%hook WFShortcutSigningContext
-(void)validateAppleIDValidationRecordWithCompletion:(void (^)(int, int, int, id))completion {
	// the following is a rebuild / reverse engineered version of the actual method WorkflowKit has for this
	// but no longer checks whether the sha256 phone/email hashes match when importing a contact-shared shortcut; it just runs the completion block
	// while still respecting isPrivateSharingEnabled, as well as self-importing
	SFAppleIDAccount *account = [[[%c(SFAppleIDClient) alloc] init] myAccountWithError:nil];
	if ([[account altDSID] isEqualToString:[[self appleIDValidationRecord] altDSID]]) {
		// the altDSID matches the user's - assume this is the user's own shortcut, no need for private sharing to be enabled
		completion(0x1, 0x3, 0x0, nil);
	} else if ([%c(WFSharingSettings) isPrivateSharingEnabled]) { // respect the privateSharingEnabled pref
		completion(0x1, 0x2, 0x0, nil);
	} else {
		// Skipping AppleID Validation Record due to Private Sharing Disabled
		// (AKA: Error)
		completion(0x0, 0x2, 0x0, [%c(WFSharingSettings) privateSharingDisabledErrorWithShortcutName:nil]);
	}
}
%end
%end

%ctor {
	preferences = [[HBPreferences alloc] initWithIdentifier:@"cum.0xilis.unsigncutsprefs"];
	if ([preferences boolForKey:@"isUnsigncutsEnabled"]) %init(unsigncuts);
	if ([preferences boolForKey:@"isInvalidSignatureEnabled"]) %init(unsigncutsInvalidSignature);
	if ([preferences boolForKey:@"isAllowAnyContactEnabled"]) %init(unsigncutsAllowAnyContact);
}

im embarrassed to ask this but if i have two groups, one group messes with three classes, two of which the other group doesn't touch, but the third method is in a class that the other group also messes with a method in, how do i handle that without getting "C++ requires a type specifier for all declarations"

#

(the unsigncuts group is in the code btw, im just not putting it here since doubt thats the issue)

drifting dust
blazing vault
#

wait

dim coyote
blazing vault
#

omg

#

oh wait that wasnt it aw

#

thought it was

-(void)signingStatus {
#

i changed it to

-(NSString *)signingStatus {
#

and still doesnt work

dim coyote
timid furnace
hasty ruin
ocean raptor
#

Nerd

#

I need to find the address of exec_mach_imgact, how do I find out what instructions I should search for

naive kraken
#

or if it's in the kernel itself and not in kexts you can use KDK dwarf kernels instead of leaked dev kernel, they are fully symbolicated

ocean raptor
#

But when I search the kernel for the strings in it, nothing shows up

#

I'm using r2...

#

Literally any iOS kernel

naive kraken
ocean raptor
#

I thought people like r2?

#

Any

zenith hatch
#

gm

ocean raptor
#

Idiot

naive kraken
ocean raptor
#

Well I don't care about this anyways

#

I'm not at my laptop so I don't have a desktop

#

So I can't exactly use ghidra

naive kraken
#

idk

#

maybe string xrefs are broken

#

or you are indeed searching for strings that are ifdef'ed out

#

in general you need to search for panic strings

#

most other stuff doesn't exist in release kernels

modern herald
#

Hello, I'm searching for an iOS penetration testing course and exploit development

#

Can anyone recommend a course in zeroday hunting and browser exploitation

ocean raptor
#

I'm gonna bully you to buy ida for me

#

I have kidnapped your mom

#

If you ever want to see her again, buy me ida

#

I am doing her right now too

#

No balls

#

Guess I'll kill your mom

#

Fine, I'll settle for binja

timid furnace
#

@grave sparrow soooooo i wanted to test the dyld patch/amfi hooking right?

#

i cant

#

you know why>?

#

because apple broke wifi on some ventura version

#

and that was the only version i had on hand

#

so now i have to wait an hour for this stupid mac to update again

#

at least im saving an hour by redirecting the download to my laptop instead of over this crappily cobbled together network

dim coyote
primal perch
#

its buggy even on actual macs on ventura

dim coyote
#

Oh damn

#

Well my hackintosh works perfectly on Ventura atm

#

I updated it today from Monterey

#

I was getting some kernel panics but it was because of airportitlwm, cause I was using the Monterey build

hasty ruin
timid furnace
#

ok finally

#

it updated

grim sparrow
#

@restive ether happy birthday big man

restive ether
radiant idol
#

happy birthday!

dim coyote
#

Just made my first tweak boys

radiant idol
#

yooo

#

congrats

dim coyote
#

Thanks, I had to update my hackintosh to macos ventura for this

#

cause my ubuntu on wsl2 didn't work on windows

timid furnace
#

@grave sparrow DYLD_INSERT_LIBRARIES is just stripped on unpatched dyld right

#

i guess yes

#

DYLD_INSERT_LIBRARIES=crack.dylib bash just runs bash on my m2

#

on my test device dyld complains crack doesn't exist

#

so i think it's working

#

ok now what

#

never mind

#

i have sip completely disabled

#

and amfi disabled

#

🤡

#

ok yea it works

#

how the fuck do i do this from kernelspace man

hasty ruin
grim sparrow
restive ether
gentle grove
zenith hatch
willow jolt
drifting dust
#

if you want it lmk ill give you the repo

#

sets the region to US, removes ads, bypasses jailbreak detection

willow jolt
#

i need it to change region thats all

drifting dust
#

unless you want a custom version

willow jolt
drifting dust
#

yep

willow jolt
#

great thx

drifting dust
#

np

willow jolt
willow jolt
lime pivot
gentle grove
#

is it not

lime pivot
#

yeah but are you expecting it to somehow be any better if I proxy the requests through my server? people will abuse my proxy instead

gentle grove
#

you can put ratelimits and filtering on your own server

#

and you can ban people

lime pivot
#

true but assuming you notice it before it’s too late

gentle grove
#

ratelimits

lime pivot
#

I thought openai already does have some rate limiting

#

but yeah true you sure can implement more fine grained rate limiting

gentle grove
#

and you can revoke access easily at any time, or swap it out seamlessly

lime pivot
#

boba teaching me the basics of server side dev fr

gentle grove
#

no

lime pivot
#

I’d wonder how many are even on a paid plan anyway tbh

#

aside from peak periods like just after release I’d bet the traffic easily fits in the free plan

gentle grove
lime pivot
#

there is

#

you get about 30 requests per minute or something like that

#

which is still a lot

#

I can’t imagine an app really needing more than that unless it’s starting to pick up some real traction

#

which I mean, if all you’re doing is presenting GPT3 (is 3.5 available to the free tier yet?) in a chatbot interface, I can’t expect it to be that popular

#

it’ll still lack all the specific tweaking ChatGPT has, no app will be as good as using chat.openai.com

gentle grove
lime pivot
#

rather I think it’s tokens per minute I should say, but they also throttle requests to 30 per minute

#

the actual limiting factor would be token count

gentle grove
#

40,000 tokens per minute

lime pivot
#

which is also honestly heaps

gentle grove
#

how many tokens do you get on the free trial

#

i wonder how long it lasts

lime pivot
#

I had a script feeding responses back into itself that ran for hours without hitting limits, after I figured out a 2 sec sleep between requests

primal perch
primal perch
#

who

ocean raptor
#
2023-04-14 22:40:12.014 uishoot[453:7275] Could not save pasteboard named com.apple.UIKit.pboard.general. Error: Error Domain=PBErrorDomain Code=11 "The pasteboard name com.apple.UIKit.pboard.general is not valid." UserInfo={NSLocalizedDescription=The pasteboard name com.apple.UIKit.pboard.general is not valid.}
ocean raptor
#

The dumb thing is

#

THIS IS HOW THE APPLE DOCS SAY TO USE PASTEBOARD

#

Also, this is the issue affecting a procursus tool, uishoot, not pbcopy which we don't maintain

faint timber
#

its kinda karma that keeps happening, not just with you and me

people keep posting issues, no one cares

only for the person who didn't care then has the same issue later on looool

ocean raptor
#

People constantly blame me for issues in everything

#

Like NewTerm not working? That was a fugu bug, yet I got blamed

faint timber
#

yah life sucks, I reevaluated life choices, I'm trying to do better and not be so rude to people and blame people

#

its a hard habit to break out of

#

hard to get other people to follow suit

#

but...

#

some mf's need a scolding

#

read here

#

hurry tf up ida dyld cache

#

it doesn't for me

#

@marble perch yah but that's general channel, basically shitposting

#

I basically banned iOS talk from general in my server so I could shitpost uninterrupted

faint timber
ocean raptor
#

When did it break? iOS 15 or 16?

faint timber
#

confirmed broken in 15.3 could be earlier

tepid olive
#

ida windows user

cursive rampart
#

are y'all developing some bitches?

#

why

faint timber
#

@ocean raptor entitlements didn't work

there is a seatbelt profile but I can't use that cuz then it wouldn't be able to access libiosexec

tepid olive
#

id let a linux user impress me

ocean raptor
tepid olive
#

some linux users are hot i think

ocean raptor
faint timber
tepid olive
#

@ocean raptor how hot are you

#

on a scale of one to ten

ocean raptor
gentle grove
tepid olive
#

i don’t care let his rizz run

ocean raptor
faint timber
#

NO SEXUAL HARASSMENT IN THE WORK PLACE IM CALLING HR

tepid olive
#

K

faint timber
#

so yah I just copied the ents from pasted

ocean raptor
cursive rampart
#

ntwerk os beta coming soon

#

(it's a theme)

tepid olive
#

who pinged

faint timber
cursive rampart
#

nvm, it's not coming

ocean raptor
#

I hate that macOS doesn't use entitlements

faint timber
#

why apple gotta make iOS nazi mode

#

I want to sprinkle cyanide in the head apple security guy's lunch

#

allz ims sayin.... pastword protected cfw

#

that way you can't get hacked

#

well thats not a good idea

#

but basically only enable it if find my is disabled

timid furnace
#

capt

#

do you know how syscalls work

#

ok where the fuck is this struct defined

faint timber
#

@ocean raptor macos either uses xpc or appkit calls

timid furnace
#

yes

faint timber
#

if you know you know

#

real chads know arm syscalls

ocean raptor
timid furnace
#

i finally got the definition... by shoving the kernel and the dsym into ida

ocean raptor
faint timber
#

drakes on my server's word filter

ocean raptor
#

L

faint timber
#

mf says it every day

ocean raptor
#

Drake has some good songs

faint timber
#

staff voted to ban it

ocean raptor
#

Passionfruit

ocean raptor
timid furnace
#

same thing for __mac_execve_args

#

how tf does this compile???

faint timber
#

_NSFindPboard @ocean raptor

#

_NSGeneralPboard

ocean raptor
#

the pasteboard is gonna be different

faint timber
#

macos lets see if it works on iOS

ocean raptor
#

Cause one is springboard

#

One is quartz

faint timber
#

oh yah nvm

#

ill try anyway

ocean raptor
#

It is a struct

#

Idiot

timid furnace
#

probably something to do with like syscalls.master then

ocean raptor
#

it's most likely auto generated from syscalls.master, like how other OSes do it

timid furnace
#

i see

#

int posix_spawn(pid_t *pid, const char *path, const struct _posix_spawn_args_desc *adesc, char **argv, char **envp)

#

wait

#

then whats

#
int
posix_spawn(pid_t * __restrict pid, const char * __restrict path,
    const posix_spawn_file_actions_t *file_actions,
    const posix_spawnattr_t * __restrict attrp,
    char *const argv[__restrict], char *const envp[__restrict])
#

well when im hooking it

timid furnace
ocean raptor
timid furnace
#

how do i actually modify envp trol

ocean raptor
#

sysproto.h

timid furnace
#

ok but from what i understand, the code copies the array from userspace memory to kernelspace memory

faint timber
#

me waiting for uikitcore to analyze

timid furnace
#

how do i do kernelspace memory -> kernelspace memory, or does it not really matter

#

ok this explains wtf load_init_program_at_path is doing then

#

user_addr_t is pointer to userspace memory right

#

it uses copyin/copyout or whatever

#

idk all i care about is that load_init_program does

vm_map_t map = current_map();
mach_vm_offset_t scratch_addr = 0;
mach_vm_size_t map_page_size = vm_map_page_size(map);

(void) mach_vm_allocate_kernel(map, &scratch_addr, map_page_size, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_NONE);

// calls load_init_program_at_path

// blah blah uses copyout into scratch_addr and does funny alignment stuff (USER_ADDR_ALIGN)

init_exec_args.fname = argv0;
init_exec_args.argp = scratch_addr;
init_exec_args.envp = USER_ADDR_NULL;
return execve(p, &init_exec_args, retval);
#

which means i can also do this

#

well this is how launchd starts so

#

id say it should work

#

™️

#

cant wait to kernel panic

#

at least i can just hold option and select macOS to recover trolley

#

too late

#

no i mean like

#

it will literally exit because it is too late

#

nah

#

i can just hold down alt to not boot into opencore

#

then i boot into macos

#

done

#

ok yea so i should just be able to like

#

hm

#

im gonna start with just hooking posix_spawn first

#

will slowly build off of it

#

tmrw though im tired

#

im going to fuckin Connecticut tomorrow so

#

albany is mad far

faint timber
#

@ocean raptor need to find out what this does it returns a class

faint timber
#

now why does it fail from root unsandbox @grave sparrow

#

works on iOS 14

timid furnace
#

@grave sparrow ended up troubleshooting for an hour

#

until i finally realized copyinstr's last argument might not actually be optional

#

gg

#

I would have realized this sooner if I had used the vm

#

Because my vm actually prints the panic string

#

But I wanted fast boots so I was testing on the mbp

tepid olive
#

Can anyone help me? I am trying to run posix_spawn using the AuxiliaryExecute framework and it doesn't work. It should run the shell script that is located in app's bundle with /var/jb/usr/bin/dash and deb path that is entered. I even tested it in a print statement and the whole script string was correct. My code:

import SwiftUI // needed for View, TextField, Button and @State
import AuxiliaryExecute

struct ContentView: View {
    // the repack script shipped inside the app bundle
    let scriptPath = Bundle.main.path(forResource: "repack-rootless", ofType: "sh")!
    @State private var debPath = ""

    var body: some View {
        TextField("Enter path to deb here", text: $debPath)

        Button("Convert deb to rootless") {
            // run the script with the rootless dash, passing the user-supplied deb path as $1
            let command = "/var/jb/usr/bin/dash"
            let args = [scriptPath, debPath]
            let recipe = AuxiliaryExecute.spawn(command: command, args: args)
            // the returned record carries the exit status and captured output, which is what to look at when "it doesn't work"
            print(recipe)
        }
    }
}

struct ContentView_Previews: PreviewProvider {
    static var previews: some View {
        ContentView()
    }
}

I also tried running it without args and just in one .spawn command but that didn't work either.

#

🤷‍♂️