#development

2023-11-28 19:33:08.214493+0300 opainjectTest[1016:157440] [Touch] Current touch count: 1```

how can i disable some strange touch logs

opainjectTest

just add a prefix to YOUR logs and filter by that prefix

Then it’ll only show your logs

(or make a macro to auto add the prefix)

(or use rlog if that still works)

He’s a swift guy

then i wish an unfortunate demise

sorry that was mean

That was mean

what the fuck did i do

https://media.discordapp.net/attachments/1116950308384428082/1172090458764214364/caption.gif?ex=655f0d4d&is=654c984d&hm=047dd616ea829c960f8749174d73ad265d85ce2059dd84287c3450329f333934&

the hell is going on

I have a tweak dylib that straight up just has one hook and only an arm64 slice... why is this failing?

well

symtab not found

thats all

how can it not have a symbol table

how so

oh what

oh

right

void * map = mmap(nil, file_size, PROT_READ, MAP_SHARED, file_descriptor, 0);

I feel like I'm missing some stupid small detail lol

did that, still the same issue

it still points to NULL originally

so idk if thats the issue

did this happened for you or something

Why not just reimplement the Home Screen from scratch

at first it was failing because the tweak had both an arm64 and arm64e slice and I didnt add checking for that yet

but now its arm64 only, I dont see why it should be breaking

frcoal

I just compiled it with make clean do FINALPACKAGE=1

except my dock isn't transparent lol,

then used dpkg-deb -R to take out the .dylib from the deb

you are

that's what I'm thinking

idk whats going on

ok

yeah thats what I was also thinking

one moment

[+] macho_header->magic - 0xbebafeca

the hell

that doesnt seem right

beba feca oooo@oooo

but it only has an arm64 slice

why is it a fat bin

oh

that makes sense ok

👍

so ideally I would:

• check the slices (arm64/arm64e)
• split the dylib into the various relevant slices
• do checking on those

or parse the fat headers

parse the fat headers

yeah prob that

that's probably the better solution

no cheating

fiiiine

what program is this by the way

hex fiend

thanks

the templating isn't as fully featured as 010 editor or imhex though

but

• 010 editor is paid
• imhex looks like shit on hidpi
  • also its very unintuitive imo

uh

view menu

ah

hex fiend is gas

chad software

fr

wish hxd was on mac tho

fun

wonder why its empty

reference: grant_full_disk_access.m

doesn't support FAT

you need to add based on the macho_header

not the map

oh

wait

im dumb

dont I need to sort through __cstring instead of the symbol table

to get all the strings in the bin

currently I'm getting stuff like this but I need the various strings that are inside of the bin

radr://561452

what even is that

weird

https://lists.w3.org/Archives/Public/www-tag/2009Mar/0055.html

yeah but this is radr not rdar

this is the whole tweak by the way

@import UIKit;

%hook CSQuickActionsButton

- (void)setBackgroundColor:(UIColor *)backgroundColor {
        %orig([[NSFileManager defaultManager] fileExistsAtPath:@"/Library/MobileSubstrate/DynamicLibraries" isDirectory:nil] ? [UIColor greenColor] : [UIColor redColor]);
}

%end

notice how I'm specifically not using the macro for rootless

oh wait it is

it does appear to be some kind of apple url

because of this code: https://codecolor.ist/2020/07/01/x-site-escape-part-iii-cve-2020-9860-a-copycat/

huh

odd

http://2lmc.org/spool/id/5090/

can mdc write to sealed partition files?

It can overwrite them

But it reverts after a reboot

alr

ty

anyway back to this - if I want to get the string table, I would need to look at the __cstring section instead of the symbol table, no?

ok im now even more confused

I thought there was a __cstring section under __TEXT?

@grave sparrow

looked for this in mach-o/loader.h and haven't found anything, hm

is it possible to downgrade a Apple Watch

LC_SYMTAB -> stroff + base = string table

i have a series 3

wouldn't this be right though?

unless I'm missing something

does the offset look wrong when you check it?

lets see

[.] string_table_offset 66056

hm

check in hex feind or something, see if the strings start there

ok

xmachoviewer will likely be helpful as well to check it

strings are here

are you able to send the binary your testing with?

sure

I'll send it in DMs

wth

the "String Table" thing in XMachoViewer shows this

basically what I had before

nerds

ok

@grave sparrow bozo

stroff is for strings for the symbol table

you want __cstring @radiant idol

yeah I know

that's what I was thinking originally smh

capt always wasting time

I got the strs lmao

trippy

staturnz helped a bunch as well

thanks to him

capt

I dont need the symbols

I need the strings

yeah but

this is LC_SYMTAB

and

uh

where is __cstring in this program

hold o

n

I mean

I'm trying to run this on a tweak dylib macho

I think it'll be fine

besides, @native orbit did some testing and it looks like almost all relevant strings end up in __cstring anyway

clang moment fr

this is __cstring

I need specifically these

not the symbols

the top one's only there because my %hook gets converted to MSHookMessageEx and then has objc_getClass in it

sucks to suck

are you drunk again

I dont believe you

objective c

more like

objectively

(better)

symoff is specifically for symbol lookup and stuff
__cstring is actual literals

LETS GO

🙏

what are you even trying to do

rootless patcher

what does this entail

i'll copy paste what I said in the theos server

hold on

• unsign the binary
• go through the actual __cstring section in the __TEXT segment in the binary, putting them all into an array, then patching the proper ones
• Then, you would need to make a new section at the end of the mach-o binary (reference here).
• after that, you would need to make all of the references to the relevant strings point to the new strings in the new section.
• resign the binary

so taking a tweak made for root and rootlessing the paths?

or any macho binary, not just a tweak

yes

ahh

makes sense

sounds fun

we'll see how it goes

so kind of like derootifier but binary related?

yeah

ahh nice, that should allow more tweaks to work

there's already patchers that use sed to replace paths within the binaries, but they use symlinks because you cant normally make strings bigger without all of this

some examples could be rootlessJB's patcher and [redacted]

now how do I detect if something is a path

hm

what would be the best way

if (![str isEqualToString:[str lastPathComponent]]) {

would this work(?)

check if file/dir exists at path

thats not a good way

because i'm working with unknown dylibs here

dylibs that arent installed

mhm

so they might be referencing a path that doesnt exist in the filesystem before its installed

for example something like this

the bottom one would not exist if the thing isnt installed

I think something like this is pretty robust

never mind it does not always work

hm

it thinks the bottom one is also a path

which is annoying

hm

if contains (giant whitelist)

dang is there no better way

that sounds horrific

https://tenor.com/view/php-notes-developer-designer-web-developer-gif-27287388

it does

hm

if contains Preferences, DynamicLibraries, MobileSubstrate

yeah but that still wont always work

hmm

oh wtf

what other paths would there be

/usr/lib/sbreload stuff for example

but then that also contains /usr/lib/libobjc.dylib which that one is present on stock ios

hm

hasPrefix:@"/"

frcoal

well actually

well paths definitely cannot contain special characters

so just blacklist that

if ([[str stringByStandardizingPath] hasPrefix:@"/"])

that could work

/When the imposter/ is sus!

but then there are so many exceptions

hmm

lol this actually seems to work

wouldnt a blacklist be better

you’re right

👍

got this so far

C

space either side of * though

🥴

true..

if you're gonna be weird, put it on the left

const char *gorn mfs

not the fucking middle

🤝

legit

fr

I ptu it on the right in objc

it looks weird on the right with c

whatr u trying to do

proper rootless patcher

replacing strings in a macho file

LOL

bro what

???

jut like replacate install_name_tool or some shit

it just does

you are very strange

or you don't use c enough

this is more complicated than that

burfh

i barely ever do

well

change that

technically const char *yorn makes more sense because int *x = 5, *y = 6, *z = 9 is how you declare 3 int pointers on the same line

but i still put char* on the right cuz fuck that

I dont write much C

just let me get away with it

:c

fr

btw this wont work for swift

that's why I'm writing a macho parser and using string rebasing instead of just a script

indeed

arent swift strings also cstrings after they get compiled or whatever

though i normally dont write != NULL

i know

just dont support swift

explicit void parameter is goofy but that's also what the standard calls for

capt writing c standard compliant code??

extremely rare

fr

only valid C syntax fr

its not that shrimple

mines the same except i use newline for functions

swift does funny stuff where they split some strings in half and reverse it and all that good shit

like linux source tree

yes i know

lmfao what

void gorn()
{
    if (x == 3) {
        jews();
    }
}```

google swift string optimizations you'll probably get a better explanation

jews()

(tab indents)

ok thanks

swift = suicide

void joe() {
    std::string str = "stuff";
    if (str != nullptr) {
        blahblah();
    }
}

opinions?

stop

get your c++ outta here

this is a c convo

good

someone please tell me kfd nobetaalert exists

the only thing that scares a apple dev more than c is c++

yes

objcpp

a bit offtopic but I think someone did get basic code exec working in SB with trollstore

that isn't a swift thing

c++ and c compilers also do those optimizations

only two people use objc++

saurik and tihm

where

where?

https://github.com/leminlimez/Helium/blob/c3970df6ad1baa2d806871721f854895d1621235/src/hud/HUDMainApplication.mm#L620

wat

that's adding uiviews to sb

cool

swift strings after 256 bytes it becomes 2+ strings

yeah

interesting

sorry what

why

swift moment

yup

ok no support for swift tweaks then

if they can get it to work tho then great frcoal

lets be real no one using swift tweaks on rootless

yeah true

lets be real no one using swift tweaks

lets be real no one using swift

python tweaks

there's an assembly tweak that someone made

hold on

i had it saved somewhere

https://github.com/qwertyuiop1379/Tweaks/blob/master/fixshitbook/Tweak.S

someone????

you mean capt

wait

that is not capt

surprisingly no

wtf

@grave sparrow found your github alt

sourceulection

bro doesnt know scoob

you spelt it wrrong twice

br

everyone knows scoob

even ik scoob smh

so who gonna make a tweak in scratch

fr

what does it even do

I dont get it

shit easy for me, capt, and scoob

trol

make a tweak in arm64 machine code next

ok you know what I'm sick of all of this blacklist/whitelist stuff

im going to just hardcode replace for now and add that logic later

do it in binary

you wont

what was there to makeup I forgot

nop

sadly

I DO!

drop invite asap

that is done by llvm optimization passes

so other llvm frontends like clang also do this (as long as the current standard library in use supports it, libc++ definitely does)

and gcc probably has it's own version

my point was that it's nothing specific or special about swift

GCC 🔥

thanks ❤️

np

no

i actually like gcc

having options is good

i like gcc but i like clang more

clang clears

@unkempt magnet

Noce!!

for some reason [self setDocPath:[[[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask] lastObject] path]]; would crash

no idea why

so i changed it to [self setDocPath:[NSString stringWithFormat:@"%@/Documents", NSHomeDirectory()]];

and then it worked

¯_(ツ)_/¯

Messing with CAPerfHUD (it doesn't show up on screenshots)

There's two options - Power and Frequency

that just report nothing

I wonder what they're calling that production iOS is ignoring?

apple'd

@unkempt magnet added support to view all past decryption in-app without need for any file managers (tap the file to open share sheet)

im probably going to drop support for netcat sharing

there we go

no more netcat

Is it possible to use Dopamine’s forkfix in permasigned command line tool?
I have a non-jailbreakable device on 16.5, but I want Sileo&Procursus bootstrap to install development packages (clang,lldb,etc). I managed to fastPathSign the whole Procursus bootstrap, but both bash and zsh are not working because of fork() (I can’t live with Filza’s fish)

@indigo peak gj

ty

I'm curious, can I decrypt the shortcuts app, then inject a tweak and sideload it, or does it not work for system apps?

You should be able to

As long as shortcuts is removable

But I haven’t personally tested this

for system apps I guess you can temporarily overwrite the binary

but thats kfd nvm

with the way I’m deciding which apps get displayed and which ones don’t, shortcuts doesn’t show up

I’ll tweak the way the way it chooses which apps it displays later

Just to see if that works

how do i write into a folder which is owned by mobile?

https://vxtwitter.com/tihmstar/status/1729790298312609871?s=46&t=LUSNSGJyUZ15gupblBCd_Q

self awareness

Just however you’d normally write to a gldet

Folder*

no

you need to make every tool a dylib and have every binary just do a dlopen() dlsym() to find the main of that and jump to it

then fork works

only the binary segments get made non executable during fork

https://github.com/jakeajames/dylibify

@naive kraken do you approve of TrollDecrypt UI

(heavily inspired by trollstore ui lmfaoo)

looks ok to me, I guess

do you support library decryption aswell?

can you make trollbitches for the bitchless

wdym

make it add load commands

if you download an unthinned app (via ipatool on a mac and installing it) the libraries will be encrypted aswell

how can I test if it does, do I download through ipa tool, install on my phone and then try to decrypt and then try to install the decrypted ipa?

yeah

but if you didn't implement it, it can't 😛

decrypting libraries (Frameworks) works very well, I just downloaded ipa from iTunes.

you dump it from the apps address space?

@naive kraken it does work, i just took ipatool twitter, sideloadly said it was encrypted, and then when i installed it, it crashed, then decrypted, installed that, sideloadly didnt complain, and app works as per usual

I mean dumping from address space works but there is an issue when you're dealing with a non linked library that's only opened at runtime via dlopen

if that's not dlopened by the time you do the decryption, it won't be included in it

but I don't think that is a big issue

yes

well, then might consider to dlopen with your rop method (opainject)..

yes that might work

When is TrollTroll being released?

real

@naive kraken do I just rename .ipa to .tipa

yes

bet

thanks

I still don’t know what app icon to do

I’m prob gonna leave it

No icon

??

It was released on Monday

StoreStore

how do I construct a nsdictionary to use for ldid -S? i'm assuming it's just key as NSString and value as a bool but idk

like

CLI?

Yes

spawn ldid binary to sign whatever is in my dictionary

it's a plist

so i assume you are calling this from objective-c using NSProcessInfo or whatever

y es

just make a NSDictionary with key value pairs

keys are strings, values depend

some entitlements are arrays

most are booleans

i'm only going to be adding get-task-allow

make sure all types are foundation types

alright then you can do

NSDictionary* entitlements = @{
    @"get-task-allow": [NSNumber numberWithBool:YES]
}``` or something

oh I didn;t know there was numberWithBool as a thing

aight nice

Where do I learn to understand wtf you are talking about? 👀

idk im just bored

@YES enthusiasts

Does it still end up serializing as a boolean

I googled this specifically to make sure it serializes as a boolean

its identical

https://stackoverflow.com/questions/36442401/yes-vs-nsnumber-numberwithboolyes

just not cancer to write

ok bet

🤓

my fav

true enthusiasts

where possible yeah

objc = overhead = slow

@hasty ruin re pr

maybe you can color the status bar

1 enthusiasts

uppercase True tho

Python jumpscare

@grave sparrow we are so fucking back

Kirb's america

facts

any course recommendations to learn obj c and swift

swift - plenty of yt videos
objc - https://github.com/uroboro/Learn-Objective-C-in-24-Days-Clone

aight cool ty

where do u live where u got gas that cheap

I’ll have a look at that tomorrow

@naive kraken Feature idea: Migrate already installed TS apps from coretrust bug 1 to 2

Have an ipad 7, was on 15.3.1 updated to 17.0

apps dont work now bc old bug

nah

just reinstall

fair enough

you should just be able to install without uninstalling it and it will keep data

#development message

utah

Is there anywhere I can read up on the JTag aspect of iDevices?

Nerd

Thats nice and all but click the link

true

@grave sparrow i need icon help

idk what to make the icon for trollstore ipa decrypter

this was my only idea

lmfao

real

no message logger i clip with nvidia geforce experience

i have several pictures of cam

i just want a more 'professional' icon yk

@marble perch this guy put this in a twitter thread for an icon lmao

i still have that trollterm icon somewhere
may or may not use it

Wdym waste?

why was my message deleted

😭

@indigo peak yeah i had another slightly different idea but i gave up

turn the troll the other way around

good point

And make the outline bolder

not really a fan

of this icon

@sonic totem is there a difference between Trollstore's fastpathsign and Choma's ct_bypass test?

No

Aight

thanks

It’s the same file

Anyone knows why this problem only exist in Taurine (iOS 14.3, arm64)? I don't have this issue on unc0ver.

iPhone 16:34:30 SpringBoard[51337](null): Injection failed: 'dlopen(/Library/TweakInject/mytweak.dylib, 9): Library not loaded: /System/Library/Frameworks/AVFAudio.framework/AVFAudio
  Referenced from: /usr/lib/TweakInject/mytweak.dylib

And I'm pretty sure /System/Library/Frameworks/AVFAudio.framework/AVFAudio is incorrect and doesn't exist, instead, it's /System/Library/Frameworks/AVFoundation.framework/Frameworks/AVFAudio.framework/

I think I figured them out, there are differences of the paths on 14.3 vs 14.5 (the frameworks I used to compile) 🤦‍♂️

https://tenor.com/view/obviously-snape-harry-potter-gif-5508473

Thanks for your idea. It seems the simpler solution will be hooking(proxying) fork call in dylib and then fixup memory protections in it.

you cannot fix memory protections

(at least AFAIK)

Is PPL protecting it or something?

no but you need KRW

because you'd have to edit the vm_entry structures

fixing from userland didn't seem possible when I tried

I just do it for fun.
At least I was able to control register to appstore apps, but not system apps (task_for_pid failed)

Maybe so we can debug appstore apps here.

i did not know you could write registers

thats so cool

fastpath signed debugserver. It works halfway. Pages become non-executable after a while.

Here’s another interesting thing: opainject works because of same team ID

hm

So tweak injection to appstore apps possible?

that's so cool

idk how opainject works but thats sick

What’s terminal

AppleInternal one

Oh

appleinternal has its own terminal? wow

plz give me Terminal-999.ipa

yeah

I wonder

Very wondering

lemme just

it would be a shame to inconspicuously slide me that ipa

shall I upload them to archive.org

I got it

that was easy

but yeah tf do I do with it

lmao

I’ll just delete it

WHAT

Wtf I can’t type

We have terminal in filza though..

well

“We have terminal at home”
Terminal at home:

Oh that bug...

Ok it crashed

Whatever

I don’t use them anyways

but AppleInternal’s Terminal has a bug, it may randomly crash between screen rotation

ah

NewTerm>>>

i need meowterm

Okay, I figured out. team id should be match.

you need to override path to shell in settings

Thanks

yeah the dylib needs to be signed with the target apps team id in order for it to work, so one could dynamically grab the team id, and then sign the dylib on device for injection

I tried doing smth like that last year I think

when og trollstore came out

you need the signature

not just the team ID

You could maybe make like a background process that dynamically does that and auto injects

for CT2

And then caches the patched dylib

how are you running a background process on stock

Developer disk image i guess

Wait actually yeah

You can xpc call shit and have msm mount custom ddi

so now you need MDC

yeh to overwrite the cert

Man theres gotta be something broken in installd with slice code verification

can't you just one shot loop through all the user apps and store them that way, then sign them when the app is launched

how are you gonna know when the app is launched

ok true

I like these

do I have permission to use if I credit you

not that much of a fan of 2 and 5, 1 looks a lil weird with the lock behind the text, and I think 4 just looks better with the lock not being transparent

and then also mirror the troll to be facing left instead of right

hook in launchd or springboard

you can't do either

inject to one of those and you can get notified if something is being launched

smarter to just wait for ppl bypass

you can’t

news any?

any news?

any news?

any news?

zeframOS

php

if im wanting to learn ios dev and ios exploit techniques where is a good place to start

ok

are you fluent in assembly

jesus

@opal hazel Hello, can I dm you?

maybe

write me some mips flower boy

lmao

who spent their time on that

hold on

i saw that earlier on twitter

cant find it tho

it was someone thanking opa

Anyone have any good rss for learning objc. I already have a decent base with c++ so I don’t need a from 0 programming tut

@faint stag

i remade the icon

w

do you approve of the remake + me using?

yeah ofc

bro is a hater

have you seen the ones before this?

@faint stag it’s beautiful

I think it’s release time

!!

iOS app décrypter?

yes

Awesome!

Make the troll border thicker

Please

I beg

I agree with Nightwind

and make the binary text contain filtered words

Make it a binary encoding of a nexus code

is MSHookMemory possible by adding a load command for a tweak dylib into a trollstore app?

@indigo peak did you put this dismiss line here

or was it from the other app

wasnt me

because i dont think thats ever needed (?)

ight

I'm assuming you did not do that

oh also its forced portrait on iPad

although if I force it verticle with app pad, it works fine

Oh it crashes when clicking an ipa in the folder menu

https://haste.antti.codes/izarizatas

Congratz to release Trolldecrypt

hi @sonic totem i'm unable to run fastpathsign in my app when i build it from Trollstore src, am i doing something wrong

What command are you running?

spawnRoot(fastPathSignPath, @[@"-i", @"/sbin/launchd", @"-r", @"-o", @"/sbin/launchd"], &stdOut, &stdErr);

I don’t see where frameworks come into that

If you’re only signing launchd

uh huh

It would give you an AMFI error message if something was signed incorrectly

i found a install method

Or in the library not load message it would tell you it has an invalid code signature

My DMs are always open 😛

i probably built it for macOS or something but im not sure how to build it for iphoneos

ill dm you soon im having mixed success

Try building ChOma library

make TARGET=ios

OK

any hints :p

Oh if you’re actually fr please do

I thought you were joking

no im fr

Alright well DM me when you’re ready, if you want to

👍

thanks it was this lol

my bad

Glad it’s fixed

make that me too ive been looking for the past 4 days

i meant as in dm btw

Its using the macos path for that

Framework

It should be /System/Library/Frameworks/Foundation.framework/Foundation

Change the path for it with install_name_tool

i fixed it already thanks

Oh i didnt See above

what have you tried so far for ts17

Looking at new mdc bug a little, dont understand it
Diffing several bins that have cves on ios 16.7+
Fucking around with installd
Etc

i see https://cdn.discordapp.com/emojis/1077203069718245467.webp?size=48&name=prayge&quality=lossless

@tepid olive btw i dmed you

#development message

this image is my anthem

Cause it happened to you

it’s bs

Yea after i saw that message he swnt

Yesterday

Unfortunate

The amount of people claiming to have found an install method. surely someone isn't lying, i hope

Probably all of them are lying

Just for clout

i know, but im hopeful.

i only believe that chinese guy

or japan

i dont have the skills/knowledge about iOS/Darwin to do it myself (only know about building android roms) so i just have to hold out hope lol

everyone else is bs

and a bad bs

The guy who said that he's going to limit app installs / block use outside of japan?

yeah that one’s probably legit ig

Ooo i hope so

this one’s funny bs

just found new install method (real)

I dont know if that ones real either lol

Like why would you post pictures of it and then get angry later on from people asking how you did it lol

You should be expecting that

not surprised

Guys I found an install method: just get BootROM code execution

Easy

The whole locked down thing seemed a bit suspicious to me personally. I guess if its a 'private kernel exploit - opa334', but still

god i hope one day (i know like 99.5% chance its not happening) we get an M1 bootrom exploit. Asahi linux on ipad

It’s probably more worthwhile to try pwning iBoot

Theres mobilestoragemounter thing too but that needs mdc2

Or Security.framework bypass lol

AKA an installd bypass

https://github.com/DanyL/lockdownd_playground/tree/master

I actually looked at that lol

Never tried anything in it tho

It seems stupid question, but curious. Would It work if replace system app with trollstore and install?

What part of it?

brb turning pyimg4 into an img4 fuzzer

i mean with the latest release it does help with im4m fuzzing

CVE-2019-8637 looks cool

definitely seems like sth that could be used as an installation method if it were around in 14.x

https://github.com/DanyL/lockdownd_playground/tree/master/src/tools/launchdown/launchdown-helper
Hm

I wonder if the vuln still exists in installd

damn it

12.4

Might try it anyways

This is the japanese guy claiming to have an install method. Something about a kernel exploit relating to CVE-2023-41993...
https://twitter.com/nr1az/status/1730639873588293772

CVE-2023-41993 allows for arbitrary code execution through webkit
so theoretically if you had a kernel exploit and knew what you were doing, you could run it in a browser

So if they’re not lying, they’ve managed to chain together the WebKit exploit AND the kernel exploit

So basically CVE 2023-41992 x CVE 2023-41993

and 41991 allowing trollstore 2 to work in the first place

So the full spyware chain

Oh cool

Props to them

though this is the tweet right after:

Oh I see

Oh well

we do know that 41993 works at least on 16.6 tho

since it was patched in 16.7

Indeed

For all we know this Twitter dev may just not have been able to get it to work on 16.x

Doesn't mean it won't work

to be fair, the current POC for the exploit is messy lol

well, the original one is

There’s a PoC?

Oh the WebKit one

install trollstore from your browser

that would be crazy

You already can on 14.0-15.4.1

dopamine in your browser would be even more crazy

isn't it -15.6.1

for arm64e

Yes that’s true

And I just updated the TrollStore README to say 15.4.1

Okay fixed

but kfd in a browser sounds like more fun
misakaweb lol

so we currently need either an installd bypass or sandbox escape right

Yeh

A pac bypass or a ppl bypass with no kcalls

For TS?

Oh not for trollstore

I thought he meant a full jailbreak 😅

Srry

If you only had a PAC bypass you’d still need a PPL bypass

Srry English is not my first language

Yes ur correct

yea

Then yeah, installd bypass or kernel exploit

Or a CoW exploit

You might be able to do it with a sandbox escape? But you’d need to be able to edit app containers

yea considering unsandboxing with MDC wasn't good enough i think you need an entitlement

But with MDC you can still install TrollStore

So it’s fine

But an installd bypass would be desired (no offsets needed, much more reliable and allows for TrollHelperOTA)

Honestly though installd isn’t fun to hunt for bugs in

installhaxx was a pretty funny one tho
only verifying one slice and running the other

my poc isn't that good

its horrid

So CVE-2023-41992 is definitely way to give it posix_spawn. If WebKit exploit doesn’t work, it doesn’t matter. Just make a TrollInstaller utilizing the LPE.

wait wtf

why do I only realize now that this isn't the usual kernel bug

like it's prob some sort of logic bug and not a memory corruption

and why is it the only entry that doesn't have the "entry added" thing below it

maybe they modified it?

ah no I think the rest of the entries were really added later after macOS was out

wait is there a writeup on cve-2023-41992 thats public?

Okay so here is my current progress on the Mach-O project (I also have a couple questions).

• I got the C string array and I am currently storing it in an NSMutableArray (this is probably not the best approach, I would love to hear a better approach in doing this)
• I have a segment_command_64 reference to the __LINKEDIT section of the Mach-O and also its offset.

Here is my thought process in how I would go about adding a new __cstring section in the Mach-O:

• Remove the codesign from the binary
• Shift __LINKEDIT by 0x1000 (minimum size for segment_command_64 afaik)
• Make a new segment in the blank space
  - Question: Should the segment name be as short as possible in order to give free space to the stuff that I want to put inside of the segment?
• Question: How would I determine the proper file offset to put it at? Do I just look at the next-to-last segment's ->fileoff + ->filesize?
• Question: Do references to previous segments need to be adjusted in order to account for the new segment at the end of the file (but before __LINKEDIT)? My main concern is that adding a new load_command in reference to the new segment will have to push everything else in the file down. Is that the case?
• Add a new load_command in the __TEXT segment referencing the new segment
• Adjust other load_commands to account for the new segment.
  - Question: Are there any good resources for learning how the various load_commands reference the various segments? I found this which talks briefly about the following: dyld_info_command, symtab_command, dysymtab_command, linkedit_data_command. I also found this, which I have found to be a helpful reference for Mach-O.

Also, would the new strings have to be specifically put into a new section, or can they just lay within the new segment that I make? opa has mentioned at #development message that you would need to make a new "cstring segment," though I'm not sure what exactly that entails. Should I make a new segment and put the new patched strings within that directly or does the segment also have to have a section (let's call it __cstring for simplicity) for the strings to lie there as well?

im not reading allat but i respect you being very explicit in your questioning

lol

thanks

any news?

any news?

In addition, is this also a good resource?
https://github.com/lief-project/LIEF/blob/6ddc7e414585451839f29f3304fa91b4a779159f/src/MachO/Binary.cpp#L1485

does anyone have an iPad that has trollstore installed?

that would be willing to help me debug

oh my god it’s opa

?

Yes

ipad 7 on 17.0

@frail cedar accept friend req

oh my god it’s opa

ok

Currently investigating the load_command structure of the file

@naive kraken do i have permission to bundle LSApplicationProxy+AltList.h/m in TrollDecrypt

its mit

i deadass have 0 idea how licenses work

bro how

NINETY GIGABYTES?!?

the hell did you do lmao

yes

given that you attribute

this project has like 400 files so it make sense tbh lmao

most were open

please build and use this

https://github.com/gdbinit/MachOView

it will help you

esp re

Question: Should the segment name be as short as possible in order to give free space to the stuff that I want to put inside of the segment?
Question: How would I determine the proper file offset to put it at? Do I just look at the next-to-last segment's ->fileoff + ->filesize?

rip

oh thanks

did not know that was a thing

Question: Do references to previous segments need to be adjusted in order to account for the new segment at the end of the file (but before __LINKEDIT)? My main concern is that adding a new load_command in reference to the new segment will have to push everything else in the file down. Is that the case?
well, how much space in the mach-o header do you have

if you don't have enough space, you'll have to make space, which means you have to shift everything under it down

there are definitely some absolute references in the binary

there may also be some relative references

have fun with arm64e

woeisfade

Shift __LINKEDIT by 0x1000 (minimum size for segment_command_64 afaik)
@grave sparrow does __LINKEDIT have to be the last section in the binary

yes

src?

ehm hold on I can find it

i mean it doesn’t have to be, but then dyld will just reject it

and also you won’t be able to codesign

https://alexomara.com/blog/adding-a-segment-to-an-existing-macos-mach-o-binary/

First couple paragraphs

rip

Yeh

ok so yea i guess you have to shift __LINKEDIT

Add a new load_command in the __TEXT segment referencing the new segment
think you mean the mach-o header

Adjust other load_commands to account for the new segment.
yes

don’t you need load commands for every one segment

(It does)

uh

sections go in segments

segments dont go in segment

wat

no

these are all the load commands that are referenced in the bin

yes

every segment (__TEXT, __DATA, etc) has its own LC

yes

if I make my own segment, don’t I also need to add a corresponding LC?

yes

so what was your point lol

maybe I misunderstood

ohhhh

wait

my bad

technically the load commands are located in the range that the __TEXT segment covers, but it's really just part of the mach-o header

i just read over it again

yeah I see what you mean now

mb sorry for the confusion

we’re on the same page though so that’s good

Question: Are there any good resources for learning how the various load_commands reference the various segments? I found this which talks briefly about the following: dyld_info_command, symtab_command, dysymtab_command, linkedit_data_command. I also found this, which I have found to be a helpful reference for Mach-O.

im going to be frank

no

your best resources are going to be xnu and dyld source

occasionally llvm source

rip

Also, would the new strings have to be specifically put into a new section, or can they just lay within the new segment that I make? opa has mentioned at ⁠development⁠ that you would need to make a new "cstring segment," though I'm not sure what exactly that entails. Should I make a new segment and put the new patched strings within that directly or does the segment also have to have a section (let's call it __cstring for simplicity) for the strings to lie there as well?

idk tbh

I had a convo on the Theos server about this and it seems like a segment needs at least one section inside of it

maybe, maybe not

i mean in the strict sense, no, because __LINKEDIT has no sections

Neither does __PAGEZERO

__LINKEDIT is used as space for stuff defined by the other load commands though

__PAGEZERO is special

Yeah

Yeah x2

__PAGEZERO is just to catch null derefs

Yep

i would just make a section for it

given that you already have to add a load command for the segment

Yep I agree

Something like __ROOTLESS_PATCH.__cstring or something

i guess

i still think finding all those references to __cstring is going to be your biggest barrier though

oh yeah def

we’ll see how to fix it when we get there eventually

even if you don't, you should 100% publish what you have

of course

modifying mach-os is annoying enough that any code on it is incredibly useful

you should probably use an existing analysis library or something

idk

i don't think it will ever be 100% perfect

I commented it a lot as well since I barely understood it myself

Oh yeah I’m planning to, but I think writing the things manually at first would help understand the structure

It’s easy to just use premade functions and not actually understand what they’re doing

So yeah

oh i mean specifically for finding cstrings

Ah that

Yeah

because at that point you're going into disasembly

I think there’s a lib for adding segments btw

LIEF or something

https://lief-project.github.io//doc/latest/

seems like you can use r2. i think @faint timber has used this

Ooo thanks

That’s helpful

looks like it

never tried it

most of my low-level Mach-O modification stuff is written in obj-c because i need to run it on iOS

definitely nicer if you can work with ie. python

but alas

all mine is in swift

hey at least you're not writing parsers in tcl

i love hex fiend but man did they pick the wackiest language to use

they just built different

I really don’t like Python lmao

I can genuinely comprehend ObjC easier than any other lang

compiled langs just hit better

Fr

does anyone know where app switcher state is stored in an ios backup

It is

You can do it with Cowabunga Lite custom operations

where is that

/var/mobile/Library/FrontBoard

There’s an application state database

well that was my other question but i meant that i don't see anything about custom operations in cowabunga lite

Oh

It might be in the pre-release version maybe

i do see stuff about custom operations in cowabunga the iOS app

but that's dead now

Yeah

oh it seems to be a patron thing

I think the custom operations are in beta Cowabunga Lite

https://github.com/leminlimez/CowabungaLite/blob/4d9990ddd138483a1ef89a57cf30c195bcfe88db/Cowabunga Lite/Views/Custom Operations/CustomOperationsView.swift

It’s definitely in the OSS code

@wind ravine is this in the public version?

yes

tab is disabled because unfished